CMMC certification timeline: how long does it take?
If you are planning CMMC certification, the most common question after “which level?” is how long it will take. Timelines vary widely based on scope, starting maturity, and assessor availability.
This guide covers:
- Factors that expand or compress your schedule
- Typical ranges for Level 1, 2, and 3
- A practical phase-by-phase plan from kickoff to SPRS
Related guides:
- CMMC resource collection
- CMMC certification checklist
- C3PAO guide
- Practical guide to CMMC requirements
GIF via GIPHY
Key takeaways
- Level 1 can often be achieved in weeks to a few months if scope is narrow and practices are largely in place.
- Level 2 commonly takes 6–12+ months including gap remediation and C3PAO lead time.
- Level 3 typically adds months for 800-172 work and DIBCAC scheduling after final Level 2.
- C3PAO capacity after the Nov 2025 rollout can extend booking windows.
What drives your timeline
| Factor | Impact |
|---|---|
| Scope size | More systems and locations = more controls and evidence |
| Starting maturity | Greenfield vs. existing 800-171 program |
| POA&M volume | Large gap lists extend remediation |
| Tooling | Manual evidence slows assessment prep |
| Assessor availability | C3PAO queues may add 60–120+ days |
Typical timelines by CMMC level
| Level | Typical total time | Notes |
|---|---|---|
| 1 | 1–3 months | Self-assessment + SPRS |
| 2 | 6–12+ months | Gap assessment, SSP, remediation, assessment |
| 3 | 12–18+ months | Level 2 final + 800-172 + DIBCAC |
Mature organizations with prior NIST SP 800-171 programs may move faster; fragmented environments often take longer.
Phase-by-phase schedule
- Scoping (2–4 weeks): Define CUI/FCI boundaries, asset inventory, data flows.
- Gap assessment (4–8 weeks): Map practices, score SPRS baseline.
- Remediation (2–6+ months): Close gaps; maintain POA&M with owners.
- Pre-assessment (2–4 weeks): Mock interviews, evidence packaging.
- Assessment (2–6 weeks): C3PAO or self-assessment per contract.
- Closeout & SPRS (1–2 weeks): Submit results; plan annual affirmation.
Start early—contract clauses tied to the November 2025 rollout increase demand on assessors.
Accelerate readiness with SecureSlate
SecureSlate shortens evidence collection and POA&M tracking so remediation and assessment prep run in parallel.
FAQ
Can we certify before a contract requires CMMC?
Yes—many organizations certify proactively to avoid award delays when clauses appear.
Does conditional Level 2 count as “done”?
Conditional status may be acceptable per contract rules, but POA&M items must close within allowed timelines—often 180 days.
Disclaimer (legal note)
Timelines are illustrative, not guarantees. Your assessor, scope, and contract terms determine actual schedules.
Need compliance without the complexity?
SecureSlate automates ISO 27001, SOC 2, GDPR, HIPAA, and more. Built for growing teams. See it in action.
No credit card required
