PlainAudit

How Long Does CMMC Certification Take? 12-18 Months by Starting Maturity

How long does CMMC certification take? The honest answer for a defense contractor starting from baseline IT practices is 12–18 months from kickoff to a passed C3PAO assessment — with substantial variation depending on starting maturity, scope strategy, and whether you already hold SOC 2 or ISO 27001. This post walks the realistic timeline by starting condition, the five phases the time actually goes into, and the three places contractors lose months they didn’t plan to.

Quick read: If you have no existing security framework: plan 12–18 months. If you have SOC 2 Type II or ISO 27001 certification already: 6–12 months. If you have a mature ISMS plus operational documentation: 4–6 months. None of these include the C3PAO scheduling lead time, which adds another 2–6 months on top.

The 12–18-Month Baseline Timeline

For a defense contractor starting from typical small-business IT — some firewalls, basic antivirus, no formal documentation, no compliance certifications — the published industry timeline is 12–18 months. That breaks into five phases:

  1. Months 1–3: Scope and gap assessment. Identify what CUI you handle, define the assessment boundary (enterprise vs. enclave), and complete a structured gap analysis against all 110 NIST 800-171 Rev 2 requirements. Typical output: 40–70 identified gaps for a 15–125-person contractor.
  2. Months 3–9: High-impact remediation. Close the 5-point and 3-point gaps first — these cannot be POA&M’d. This is the heaviest spend phase: technology purchases (MFA, EDR, SIEM, FIPS-validated encryption), policy development (30+ documents), and process implementation.
  3. Months 9–12: Documentation and evidence collection. System Security Plan (60–150 pages), policies per control family, configuration baselines, network and CUI data flow diagrams, asset inventory, training records. Most of the documentation effort happens here because evidence has to reflect implemented controls — not aspirational ones.
  4. Months 12–15: Mock assessment and remediation. A consultant-led or internal mock assessment using the same Examine/Interview/Test methods the C3PAO will use. Findings get remediated; the SSP gets updated to match what the mock found.
  5. Months 15–18: C3PAO selection, scheduling, and assessment. C3PAO availability is the wildcard. Authorized C3PAOs are listed on the CyberAB Marketplace, and the most established ones book out 6–9 months in advance.

The DoD CIO CMMC page publishes the program timeline and authorized assessor pathway, but it doesn’t set per-organization preparation timelines — those depend entirely on your starting condition.

How Starting Maturity Compresses the Timeline

The single largest variable is what you already have. Contractors who hold an existing framework can transfer documentation and controls:

  • SOC 2 Type II: roughly 40–60% control overlap with NIST 800-171. Most of the audit and accountability, access control, and risk assessment work is already done. Saves 4–6 months. New work concentrates on the CMMC-specific items: CUI marking and handling, configuration management at the depth NIST requires, and incident reporting to the DoD within 72 hours.
  • ISO 27001 certified: approximately 80% control overlap. The ISMS framework already requires the document architecture (SSP-equivalent, policies per control family, evidence collection). Saves 4–6 months, sometimes more. New work focuses on the CMMC-specific items above plus alignment to NIST 800-171’s organization of controls (rather than ISO’s Annex A grouping).
  • FedRAMP authorized: substantial control overlap, especially for cloud-hosted enclaves. The FedRAMP boundary often serves as the CMMC enclave with minor scope adjustments. Saves 6–9 months in the cloud-only case.
  • No existing framework: full 12–18 months. Baseline IT typically has firewalls and basic antivirus — that’s 5–10 of the 110 controls. The other 100+ are net-new work.

If you’re uncertain which level you actually need to certify at, the CUI vs. FCI determination is the first decision — Level 1 (17 controls, self-assessment) and Level 2 (110 controls, often C3PAO) are different timelines entirely.

Where the Months Actually Go

Compliance leaders consistently underestimate three buckets of work:

Policy documentation: 2–4 months on its own

Thirty policy documents, each requiring drafting, internal review, executive approval, and version control. The drafting itself can be fast (a week per policy with templates), but the review/approval cycles run weeks — especially in organizations where the “senior official” who signs off on policies has a full-time operational role. Policies cannot be back-dated convincingly. Assessors check policy content against actual system behavior during the Test phase, and they check review/approval dates against the timeline.

Evidence collection: 90 days of log retention is the floor

For audit and accountability controls, assessors want to see at least 90 days of actual logs — not a screenshot of a logging tool. That means you can’t enable logging two weeks before the assessment and have evidence ready. Most contractors discover this constraint late and have to schedule the C3PAO around the log-retention window. Plan to enable production logging at least 6 months before the assessment date.

Network diagram and CUI flow diagram accuracy: weeks of cleanup

A network diagram that doesn’t match the actual network fails the Test phase. Contractors typically have aspirational diagrams from a year-ago architecture project that no longer reflect added cloud services, new contractors with VPN access, or the shared printer that bridges the CUI enclave and the main network. Reconciling the diagram to reality is a discovery exercise that uncovers other gaps — usually scope-related — and adds 4–8 weeks late in the timeline.

C3PAO Scheduling Adds Months to CMMC Certification

The 12–18-month timeline assumes you can engage a C3PAO when you’re ready. In 2026 that assumption increasingly breaks. As Phase 2 enforcement (November 2026) approaches, demand for C3PAO assessments is rising faster than authorized capacity. Established C3PAOs are booking 6–9 months out; some are quoting longer.

Practical implications:

  • Start C3PAO selection 9–12 months before your target assessment date — not after preparation is complete.
  • Verify authorization status on the CyberAB Marketplace. The CyberAB is the only authoritative source — vendor claims of “CMMC-ready” or “CMMC consultancy” are not C3PAO authorization.
  • Plan for the assessment itself to take 1–2 weeks (typically 3–5 days on-site or hybrid), plus 1–2 weeks for report finalization and the certification decision.
  • If you’re conditionally certified (SPRS ≥ 88 with 1-point POA&M items), all POA&M items must close within 180 days of the assessment — or certification is revoked.

Self-Assessment Path: Faster, Different Risk

For non-prioritized Level 2 acquisitions in Phase 1 (current through Phase 2 trigger), self-assessment is still permitted. Timeline drops to 6–12 months because you skip the C3PAO scheduling lag and the assessment-week effort — but the senior-official affirmation still carries False Claims Act liability for misstatement. The pre-Phase-2 self-assessment path is shorter, not easier. Many contractors choose self-assessment now to maintain contract eligibility during Phase 1, then pursue C3PAO certification during 2026–2027 as Phase 2 obligations land. The trade-off between paths is structural enough to warrant its own walkthrough — see CMMC self-assessment vs. C3PAO.

Where the 12–18 Months Comes From: A Phase-by-Phase Cost-of-Time View

One way to see why the timeline runs this long is to add up the unavoidable serial dependencies:

  • Gap assessment: 4–8 weeks (can’t parallelize — you need the gap list before remediation planning)
  • 5-point and 3-point remediation: 16–28 weeks (technology procurement, configuration, validation cycles)
  • Documentation: 8–16 weeks (review/approval cycles bottleneck on senior official availability)
  • Evidence ripening (90+ days of logs minimum): 12+ weeks (you can’t shortcut log history)
  • Mock assessment + remediation: 4–8 weeks
  • C3PAO scheduling lag: 24–36 weeks
  • Assessment week + report: 3–5 weeks

Sum: roughly 70–115 weeks — about 16–26 months — if everything is fully serial. Parallel work compresses this to the published 12–18 month range. The C3PAO scheduling lag is the longest single dependency and the one most contractors underestimate.

What to Do This Week If You’re Starting Now

  1. Take a structured readiness self-assessment. The output is the gap count and estimated SPRS score that anchor every subsequent plan. Our CMMC readiness quiz walks the 14 control domains in about 15 minutes.
  2. Decide on scope strategy. Enterprise vs. enclave is the early decision with the largest cost impact — it can change total cost and timeline by 2×.
  3. Get on a C3PAO’s schedule before preparation is complete. If you wait until you’re ready to book, you’ll add 6–9 months at the end.

The contractors who hit 12 months instead of 18 are the ones who started C3PAO scheduling at month 3, not month 12. Time on the calendar is the cheapest resource you have — spend it.

Disclaimer: Timeline ranges in this post reflect published industry experience and the DoD CMMC program structure. Actual preparation time depends on organizational maturity, scope, and resource allocation. Specific C3PAO scheduling and assessment outcomes are determined by CyberAB-authorized C3PAOs — not by readiness tools or guidance content.