Fortinetics

CMMC Level 2 timeline: what 6 to 9 months actually looks like

A month-by-month breakdown of a realistic CMMC Level 2 engagement — from kickoff through C3PAO assessment. Includes which activities happen in parallel, which are sequential, where timelines most commonly slip, and how the CMMC Phase 2 November 2026 deadline changes the math.

[Figure: Nine-month CMMC Level 2 engagement broken out into four parallel workstreams. Technical: boundary + architecture design, implementation, hardening. Policy: inventory current policies, draft + align to CMMC practices, approvals + publish. Evidence: evidence plan, continuous capture (as byproduct), SSP + POA&M, dry run. Assessor: book slot, C3PAO assessment, cert. Implementation dominates months two through five; evidence capture runs continuously as a byproduct of operations; C3PAO assessment fills the final six weeks. Callout (underestimated: continuous evidence): first-time teams plan evidence as a sprint near the end. C3PAO expects it to have been captured continuously, with source traceability. Retrofitting months of evidence is where timelines slip by 4–8 weeks.]
Fig.: Nine-month CMMC Level 2 engagement with four parallel tracks. Evidence capture runs continuously — retrofit is where timelines slip.

Updated June 2026 — The CMMC Phase 2 cliff is November 10, 2026 — now about five months out. DoD estimates ~76,600 organizations need Level 2 certification; only ~1,042 had completed certification as of May 2026 (~1.4% readiness). The capacity arithmetic is now the dominant practitioner narrative: ~103 authorized C3PAOs against the ~76,600 contractor population — industry reporting cites wait times exceeding 18 months for new clients by Q3 2026. Self-assessment will no longer satisfy DFARS 252.204-7021 for most CUI-handling subcontractors after the Phase 2 date. June 2026 trade press explicitly reframed the program from “planning” to “enforcement” — primes are flowing CMMC requirements down on tight deadlines, contracting officers signal at solicitation. DOJ’s False Claims Act enforcement adds a separate risk to false SPRS self-attestations: six new cyber-fraud settlements in FY26 to date, on top of seven in 2025 (+156% YoY). Our Q2 2026 compliance landscape briefing covers the full picture with the June 5 mid-Q2 update.

“How long does CMMC Level 2 actually take?” is one of the two most common questions on our first call. The answer we give — six to nine months for a team that is prepared and supported — is accurate but abstract. This article is the specific version. Month-by-month, what happens, where time gets spent, and where engagements slip when they slip.

If you are inside the window to CMMC Phase 2 (November 10, 2026, at the time of writing), the arithmetic is straightforward. Start from November 10, 2026, subtract nine months for the engagement, subtract six weeks for C3PAO scheduling and audit, and subtract two weeks of buffer; the result is the latest date the engagement can kick off. If your target contract-award date is after November 10, 2026, and your engagement hasn’t started yet, the runway is already tight. This article will help you understand why, and which parts of the nine months are compressible if you need to move faster.

The timeline below reflects what we actually run in CMMC Level 2 engagements. Not a theoretical calendar — the real one.

Month 0 — Engagement design

Before the clock officially starts, two weeks of pre-work shapes the entire engagement:

  • Discovery interviews with the CISO or equivalent, IT lead, HR/people ops, legal, and the product/engineering leads whose systems touch CUI
  • Environment walk-through — cloud tenants, network diagram, identity systems, endpoint fleet, existing security tooling
  • Evidence inventory — what policies, procedures, and technical artifacts already exist
  • Scope definition — what’s in, what’s out, and why. This is the most important deliverable; it determines the size of the assessment surface

At the end of month 0, you have a scoping document that defines exactly what the C3PAO will assess. It covers the systems in scope, the data types handled, the users in scope, the boundary definition, and the specific controls that apply. If this document is ambiguous, the rest of the engagement is ambiguous.

Months 1–2 — Architecture and gap analysis

The first two months are heavy on analysis and design. Implementation starts in parallel but most of the time goes to thinking.

Gap analysis against NIST 800-171 Rev 2. All 110 controls across 14 families assessed against current state. For each control, one of three outcomes:

  • Implemented — evidence exists, control is satisfied
  • Partially implemented — control mechanism is in place but evidence collection is weak, or coverage is incomplete
  • Not implemented — control is missing entirely

Typical first-engagement gap analysis shows 40–60 controls fully implemented, 30–50 partially, and 10–25 missing. The gap analysis output becomes the POA&M (Plan of Action & Milestones) that drives the rest of the engagement.

Target architecture design. The enclave, network segmentation, identity, endpoint controls, logging pipeline, and evidence generation mechanisms. If the current state is far from the target, the architecture phase is longer. For companies that already have a substantial cloud-native infrastructure, this is often closer to a refinement than a redesign.

Policy library scaffolding. The set of policies the assessment will require — Access Control Policy, Incident Response Plan, Configuration Management Policy, System Security Plan, etc. First drafts are produced, scoped to the organization’s specific reality (not template dumps).

At the end of month 2: a concrete implementation plan for the remaining months, with every control traced to a specific implementation owner and a target completion date.

Months 3–5 — Implementation

This is the longest phase and where most organizations either stay on schedule or slip. The work itself:

Technical implementation of missing controls:

  • MFA deployed on every CUI-touching system
  • Centralized logging (SIEM) capturing required event types with appropriate retention
  • Endpoint hardening (STIG-aligned baselines, EDR, application allowlisting)
  • Network segmentation for CUI-bearing systems
  • Access review workflows and approval routing
  • Configuration management — baselines documented and enforced
  • Cryptographic modules validated (FIPS 140-2/140-3) and configured

Policy and procedure finalization — first-draft policies from month 2 are refined against implementation reality. Procedures that detail how policies are executed get written. Training materials produced.

Evidence pipeline stand-up — the operational mechanisms that produce audit-ready evidence as a byproduct of normal work. This is the difference between a team that passes at 110/110 and a team that passes at 95/110 with findings. For each control, we define the evidence artifact, the operation that produces it, and the repository where it lives.
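The gap analysis above yields one of three statuses per control, and the evidence pipeline asks for an artifact, a producing operation, and a repository for each control. The following added example (illustration only, not Fortinetics tooling) models both: it derives the POA&M from the status table, flags POA&M entries with no owner or target date, and checks the evidence plan for controls that have no traceable artifact. Control IDs follow NIST SP 800-171 Rev 2 numbering; the statuses, artifacts and repository paths are constructed sample data.

```python
"""Gap-analysis tracker and evidence-plan check for a CMMC Level 2 engagement.

Added example, not Fortinetics tooling. Control IDs use NIST SP 800-171 Rev 2
numbering; the statuses, owners, artifacts and repositories are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Status(Enum):
    IMPLEMENTED = "implemented"            # evidence exists, control satisfied
    PARTIAL = "partially implemented"      # mechanism present, evidence weak or coverage incomplete
    MISSING = "not implemented"            # control absent entirely


@dataclass
class Evidence:
    artifact: str      # what the assessor is shown
    producer: str      # the operation that generates it as a byproduct of work
    repository: str    # where the artifact lives


@dataclass
class Control:
    control_id: str
    title: str
    status: Status
    owner: Optional[str] = None
    target_date: Optional[str] = None          # ISO date; needed for POA&M entries
    evidence: List[Evidence] = field(default_factory=list)


def summarize(controls):
    """Count controls per status (the headline of a gap analysis)."""
    counts = {s: 0 for s in Status}
    for c in controls:
        counts[c.status] += 1
    return counts


def build_poam(controls):
    """Every control that is not fully implemented becomes a POA&M line."""
    return [c for c in controls if c.status is not Status.IMPLEMENTED]


def poam_missing_owner_or_date(controls):
    """POA&M lines that cannot be tracked because they lack an owner or date."""
    return [c.control_id for c in build_poam(controls) if not (c.owner and c.target_date)]


def evidence_gaps(controls):
    """Controls whose evidence plan is incomplete.

    Flags an implemented or partially implemented control with no evidence
    entry, or with an entry lacking artifact, producer or repository. Missing
    controls are skipped: there is nothing to evidence yet, the POA&M tracks them.
    """
    gaps = []
    for c in controls:
        if c.status is Status.MISSING:
            continue
        complete = c.evidence and all(e.artifact and e.producer and e.repository for e in c.evidence)
        if not complete:
            gaps.append(c.control_id)
    return gaps


# Constructed sample gap-analysis rows.
SAMPLE_CONTROLS = [
    Control("3.1.1", "Limit system access to authorized users", Status.IMPLEMENTED,
            evidence=[Evidence("Quarterly access review export", "Access review workflow",
                               "grc-evidence/3.1.1/")]),
    Control("3.2.2", "Security awareness training", Status.IMPLEMENTED),   # no evidence recorded
    Control("3.3.1", "Create and retain system audit logs", Status.PARTIAL,
            owner="IT lead", target_date="2026-08-15",
            evidence=[Evidence("SIEM retention report", "Monthly retention job", "")]),  # repository missing
    Control("3.5.3", "MFA for local and network access", Status.PARTIAL,
            evidence=[Evidence("Conditional access policy export", "Monthly config export",
                               "grc-evidence/3.5.3/")]),                       # no owner or date
    Control("3.13.11", "FIPS-validated cryptography", Status.MISSING,
            owner="Platform engineering", target_date="2026-09-01"),
]


if __name__ == "__main__":
    for status, n in summarize(SAMPLE_CONTROLS).items():
        print(f"{status.value}: {n}")
    print("POA&M:", [c.control_id for c in build_poam(SAMPLE_CONTROLS)])
    print("POA&M lines without owner/date:", poam_missing_owner_or_date(SAMPLE_CONTROLS))
    print("Evidence gaps:", evidence_gaps(SAMPLE_CONTROLS))
```

The two checks at the end are the ones worth running weekly during months 3–5: a POA&M line with no owner is the dependency slip described below waiting to happen, and an implemented control with no evidence entry is the retrofit work the figure warns about.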

Where engagements slip in this phase:

  • Dependencies on other business initiatives (e.g., an HRIS migration that blocks personnel security control implementation)
  • Third-party tooling procurement delays (e.g., SIEM vendor evaluation + procurement taking longer than budgeted)
  • Discovery of missed systems — a CUI-touching system that was scoped out but turns out to be in scope after a deeper look
  • Executive attention drift as other business priorities reassert

Building buffer into this phase is wise. A month 3–5 plan that assumes no slippage is a month 3–6 reality.

Month 6 — Documentation and dry-run assembly

With implementation substantially complete, month 6 focuses on packaging for assessment:

System Security Plan (SSP) finalization. The SSP is the central document describing how each of the 110 controls is implemented. Every control gets a specific, verifiable description — not “we implement access control,” but “access control is implemented via Entra ID conditional access policies, configured to require MFA for all users with access to the CUI VLAN or production systems; access reviews are conducted quarterly by the IT manager using Entra access review workflows.”

POA&M finalization. Any open gaps documented with remediation plans, timelines, and risk acceptance where appropriate. The POA&M is expected to be nonzero — assessors are realistic — but it should demonstrate active management.

Evidence package assembly. Every control’s evidence artifacts organized and labeled. Access review reports, change management records, vulnerability scan results, training completion records, incident response tabletop reports, etc. A well-organized evidence package accelerates the assessment; a disorganized one extends it.

Internal dry-run assessment. Before the real C3PAO shows up, we walk through the full assessment internally — ideally with a reviewer who was not the implementation lead. Every finding in the dry-run is a finding that would have cost points in the real assessment. These get closed before the real one.

Months 7–8 — C3PAO assessment

The C3PAO engagement itself typically spans six to eight weeks from kickoff to final report:

  • Weeks 1–2: Assessment planning with the C3PAO, evidence room provisioned, initial document review. The C3PAO reads the SSP, POA&M, and policy library ahead of site work.
  • Weeks 3–4: On-site (or virtual) assessment. Interviews, system demonstrations, evidence reviews. This is the intensive phase where your team is supporting the assessor’s inquiries. Expect 4–8 hours per day of involvement from key personnel during this window.
  • Weeks 5–6: Findings review. The C3PAO drafts findings; your team responds with clarifications, additional evidence, or remediation evidence for minor gaps. Most findings are closable within the assessment window if the underlying implementation is solid.
  • Weeks 7–8: Final report preparation and submission to DoD.

For a prepared organization, C3PAO assessment adds weeks, not months. For an underprepared one, findings cascade and require re-engagement, which can stretch this phase considerably.

Month 9 — Remediation buffer or next-steps planning

In a well-run engagement, month 9 is where you either:

  • Close remaining POA&M items that were left open during assessment (if any)
  • Begin continuous monitoring operations — the first month after certification is when you prove the program operates at steady state, not just at assessment time
  • Plan for surveillance and re-certification — three-year certification cycles with interim surveillance; the schedule for those is set now

The compressed path — when you need to move faster

Six to nine months is the comfortable timeline. Some organizations have less runway. The levers we pull when a client genuinely needs to compress:

  • Parallel implementation — more contractors deployed to work on different control families simultaneously. Costs more, moves faster.
  • Prioritize the gap analysis by criticality — defer non-critical controls to the POA&M rather than implementing them in the primary window. Pass the assessment with more POA&M items than ideal, remediate after certification.
  • Accelerate policy finalization — use more existing templates, less customization. Costs some quality but saves time.
  • Earlier C3PAO scheduling — book the C3PAO window before implementation is fully complete, creating a hard deadline that forces prioritization.

Compressed engagements are 4–5 months and noticeably more stressful. The quality of the resulting certification is typically fine; the quality of life during the engagement is not.

The extended path — when the environment is messier

Some organizations need more time:

  • Multi-site, multi-entity structures — scope and evidence pipeline design takes longer
  • Legacy infrastructure — on-premises systems without modern logging or IAM add significant retrofit work
  • Existing CUI handling without documentation — working backward from what’s in production to document actual state adds month 1–2 scope
  • Parallel pursuit with other frameworks — if you are doing CMMC + ISO 27001 or CMMC + SOC 2, the engagement is longer but per-framework cost is lower

Nine months stretches to 12 in these cases, and that is acceptable as long as the runway allows.

FAQ

Q: Can we do CMMC Level 2 self-assessment instead of hiring a C3PAO? For limited scopes — contracts where the DoD Prime is willing to accept self-assessment — yes. The technical work is identical. The difference is who signs the certificate. For most defense subcontractors targeting CUI-handling contracts, C3PAO assessment is required.

Q: What does the November 10, 2026 deadline actually mean for my timeline? Beginning on that date, new DoD contracts with CUI clauses include a requirement that the subcontractor hold a current CMMC Level 2 certificate at contract award. Flow-down from primes applies. If your target contract is on or after that date, your certificate needs to be in hand on the day of award — which means starting the engagement at least nine months earlier, plus buffer.

Q: How does the CMMC Level 2 timeline interact with a FedRAMP or SOC 2 program we’re also running? Most controls overlap. A well-designed multi-framework program shares evidence pipeline, policies, and control implementations between frameworks. The incremental time for adding CMMC onto an existing SOC 2 program is typically 2–3 months rather than a full 6–9 months. See our CMMC practice and SOC 2 practice for how we run these in combination.

Q: What if we fail the C3PAO assessment? You don’t fail — you receive a score. CMMC Level 2 is scored out of 110 points, with 88 or higher generally considered passing. A score below that threshold results in a POA&M with mandatory remediation before full certification. Our engagement model targets 110/110; our track record is consistent with that.

Q: Do we need to be in a SCIF for Level 2? No. CMMC Level 2 is about protecting Controlled Unclassified Information, not classified. SCIFs are for classified work (SECRET, Top Secret). CUI is unclassified. Our SCIF and SAPF practice is a separate pillar for organizations that also need classified facility work.

When to engage

If your target contract-award date is more than 12 months out, you have time to plan carefully and pick an optimal path. If it is 9–12 months out, you are on a normal timeline but should start now. If it is less than 9 months out, engage immediately and expect the compressed path. Under 6 months, the conversation becomes about risk management and what’s achievable — not every timeline is achievable, and honest scoping matters more than optimism.
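The runway arithmetic from the introduction (award date minus nine months, six weeks and two weeks) and the engagement thresholds in this section, written out as a small planner. This is an added example, not a Fortinetics tool; the durations and thresholds are the article's figures, and the dates used in the usage block are constructed.

```python
"""Latest-kickoff and runway planner for a CMMC Level 2 engagement.

Added example, not Fortinetics tooling. Durations are the article's figures:
nine-month engagement, six weeks for C3PAO scheduling and audit, two weeks buffer.
"""
from datetime import date, timedelta

ENGAGEMENT_MONTHS = 9
C3PAO_WEEKS = 6
BUFFER_WEEKS = 2
PHASE2_DATE = date(2026, 11, 10)


def subtract_months(d, months):
    """Calendar-month subtraction that clamps to the last valid day of the month."""
    month_index = d.year * 12 + (d.month - 1) - months
    year, month0 = divmod(month_index, 12)
    month = month0 + 1
    for day in (d.day, 30, 29, 28):      # e.g. 31 March minus one month -> 28/29 February
        try:
            return date(year, month, day)
        except ValueError:
            continue


def latest_kickoff(award_date):
    """Latest date the engagement can start and still hold a certificate on award day."""
    after_engagement = award_date - timedelta(weeks=C3PAO_WEEKS + BUFFER_WEEKS)
    return subtract_months(after_engagement, ENGAGEMENT_MONTHS)


def months_of_runway(today, award_date):
    """Whole calendar months from today to the award date (negative if already past)."""
    months = (award_date.year - today.year) * 12 + (award_date.month - today.month)
    if award_date.day < today.day:
        months -= 1
    return months


def recommend(today, award_date):
    """Map runway to the engagement path described in 'When to engage'."""
    m = months_of_runway(today, award_date)
    if m > 12:
        return "plan carefully; time to pick an optimal path"
    if m >= 9:
        return "normal timeline; start now"
    if m >= 6:
        return "engage immediately; expect the compressed path"
    return "risk management: scope what is achievable"


if __name__ == "__main__":
    today = date(2026, 6, 5)   # constructed 'today', matching the article's June 2026 update
    print("Latest kickoff for a Phase 2 award:", latest_kickoff(PHASE2_DATE))
    print("Months of runway:", months_of_runway(today, PHASE2_DATE))
    print("Recommendation:", recommend(today, PHASE2_DATE))
```

For an award on the Phase 2 date itself the planner returns a kickoff in mid-December 2025, which is the concrete form of the "runway is already tight" remark for anyone reading in mid-2026.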

Our CMMC Level 2 engagement model is built around this reality. If you want to see where you stand before committing, the CMMC Level 2 readiness quiz is the fastest honest assessment we can offer.
