Your 2026 CMMC Roadmap: What You Need to Do Before November

The DoD’s CMMC Phase 1 rollout is not a pilot program anymore. As of late 2024, DFARS clause 252.204-7021 began appearing in contracts for defense contractors handling Controlled Unclassified Information (CUI). DoD acquisition policy now requires Level 1 self-assessments and Level 2 self-assessments or C3PAO certifications — depending on the contract — to be completed and entered into the Supplier Performance Risk System (SPRS) before award. The deadline that matters most for most contractors: November 2026, the point at which Phase 1 requirements are expected to be fully enforced across active contracts.

That’s roughly eight months from now. Eight months sounds like enough time. It isn’t — not if you’re starting from zero.

This post walks through the four stages every defense contractor needs to complete before that deadline, with realistic timelines based on public CMMC program data and contractor-reported experiences. If you already know you’re behind, take the CMMC Readiness Assessment to benchmark where you stand before reading further.

The Four-Stage CMMC Roadmap

Stage 1: Gap Assessment (4–8 Weeks)

Before anything else, a contractor needs to know exactly where they stand against NIST SP 800-171 — the 110-control framework that underpins CMMC Level 2. This is the gap assessment, and it produces two outputs: a current SPRS score and a prioritized remediation list.

A gap assessment is not optional, and it’s not something to estimate informally. Organizations that attempt to self-score without a structured process routinely underestimate their gaps by 30–50 controls. The DoD’s own assessment methodology, documented in the NIST SP 800-171A assessment guide, requires documented evidence — not just attestation — for each control.

What the gap assessment covers:
– Review of the current System Security Plan (SSP) — or creation of one if it doesn’t exist
– Control-by-control evaluation against the 800-171 requirements
– Identification of POA&M items (Plan of Action & Milestones) — controls not yet met
– Initial SPRS score calculation: starts at 110, deducts points per unmet control per DoD’s weighting table

Realistic timeline: 4 weeks for a small organization (under 50 CUI users) with an existing SSP; 6–8 weeks for mid-size organizations or organizations starting from scratch. External assessors typically quote 4–6 weeks for scoping through final report delivery. A detailed breakdown of what the gap assessment process looks like covers scope definition, documentation review, and what to expect from the deliverable.

The output you need: A documented SPRS score you can defend, and a POA&M you can execute against.

Stage 3: Documentation (4–8 Weeks, Concurrent with Remediation)

CMMC assessors don’t just verify that controls are implemented — they verify that controls are documented, trained against, and evidenced. Organizations that complete remediation without building the documentation package fail assessments at the same rate as organizations that skipped remediation entirely.

Required documentation for a Level 2 assessment:
– System Security Plan (SSP): Describes the environment, the CUI boundary, and how each of the 110 controls is met
– Plan of Action & Milestones (POA&M): Documents any controls not yet fully implemented, with target completion dates and responsible parties
– Policies and procedures: Control-specific written policies across all 14 domains
– Evidence artifacts: Screenshots, configuration exports, access logs, training records — anything an assessor needs to validate a control claim

The SSP is the centerpiece. A credible SSP for a small contractor runs 80–150 pages. Organizations that use SSP templates without customizing them to their actual environment are flagged immediately by DIBCAC assessors. The SSP must describe your environment — your network topology, your CUI flows, your user population — not a generic template environment.

Timeline note: Documentation can and should run concurrently with late-stage remediation. Start drafting the SSP at the end of the gap assessment, update it as controls are closed, and plan for a 2–4 week documentation sprint before the assessment date to finalize evidence packages.

Building Your Timeline Backward from November

If the enforcement deadline is November 2026, work backward:

Stage | Duration | Latest Start
Stage 4: Assessment | 4–6 weeks | August 2026
Stage 3: Documentation sprint | 4 weeks | July 2026
Stage 2: Remediation | 3–9 months | October 2025 – April 2026
Stage 1: Gap Assessment | 4–8 weeks | Now

The math is unforgiving. An organization that starts its gap assessment in April 2026 has eliminated its margin entirely. A 9-month remediation timeline (common for organizations starting from scratch) requires beginning remediation no later than February 2026 — which means the gap assessment needed to be complete in January.

If you’re reading this in Q1 2026 and haven’t started: the path to November is narrow but not closed. A focused gap assessment completed in 4 weeks, followed by aggressive remediation of the highest-weighted controls, can still yield a defensible SPRS score and a Level 2 assessment slot before the deadline — but only if remediation starts immediately.

Sources: 32 CFR Part 170 (Final CMMC Rule, Oct. 2024) | DFARS 252.204-7021 | NIST SP 800-171 Rev. 2 | NIST SP 800-171A | DoD CMMC Program Office (dodcio.defense.gov/CMMC/) | DCSA/DIBCAC assessment program documentation | SPRS portal (piee.eb.mil)

This content is for informational purposes only and does not constitute legal, compliance, or cybersecurity advice. Consult qualified professionals for guidance specific to your organization.

References: NIST SP 800-171