How Long Does CMMC Prep Take? A Realistic Timeline

Cybersecurity Maturity Model Certification (CMMC) prep takes anywhere from a few weeks to 18 months, depending on which level you need and where your security posture stands today. Level 1 is a shorter engagement. Level 2 is a multi-phase process that most contractors underestimate.


This post lays out realistic timelines for both levels, walks through each prep phase, and explains what tends to push timelines out or pull them in. If you have a contract deadline, a recompete, or a prime contractor pushing you for a compliance status, this will help you figure out whether you have enough runway.


APT Security Management, based in North Charleston, South Carolina, works with defense contractors and their supply chains through CMMC Level 1 and Level 2 readiness. The timelines below reflect what we see across real engagements.

Level 1 Timeline: A Few Weeks to a Couple of Months

Level 1 covers 15 practices derived from FAR 52.204-21. These practices address basic cybersecurity hygiene: access controls, basic identification and authentication, media sanitization, physical protection, system and communications protection, and system integrity basics. For a small business that already does most of these things, the prep cycle is short.


A typical Level 1 engagement runs two to six weeks from kickoff to a signed affirmation in the Supplier Performance Risk System (SPRS). The process looks like this:

Scoping (a few days)

Confirm what systems handle Federal Contract Information (FCI) and establish the assessment boundary. For a small subcontractor, this is often one or two internal systems and a cloud service provider.

Gap check (one to two weeks)

Work through each of the 15 practices against your current environment. Most small businesses have a handful of gaps, usually around documentation, media handling, or access controls.

Remediation (varies)

Quick wins close in a few days. If you are missing multi-factor authentication on accounts that touch FCI, or if you have no documented process for sanitizing media before disposal, those take longer. Most Level 1 gaps close within two to three weeks.

Documentation and attestation (a few days)

Pull together evidence of the implemented practices, confirm your environment reflects what you are about to attest to, and have a senior official affirm compliance in SPRS.

What stretches this timeline: no documentation at all, significant gaps in access controls, or no internal owner to drive the work. What shortens it: a small, well-managed environment where most of the 15 practices are already implemented but not written down.


If you are unsure whether you need Level 1 or Level 2, the CMMC Readiness Quickcheck is a free tool that walks you through your current posture and flags your biggest gaps.

Level 2 Timeline: 6 to 18 Months

Level 2 aligns to the 110 security requirements in NIST Special Publication 800-171 Rev 2. It applies to contractors who handle Controlled Unclassified Information (CUI). Most Level 2 contractors require a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) before they can hold a CMMC Level 2 certification.


Six to 18 months is a real range, not a conservative guess. Where you land depends on your starting maturity, the size and complexity of your environment, and how much remediation you have to do.


A contractor with an existing NIST 800-171 System Security Plan (SSP), most controls implemented, and an internal security lead can realistically complete Level 2 prep in six to nine months. A contractor starting with no SSP, no formal control documentation, and a complex environment with cloud and on-premises systems mixed together should expect 12 to 18 months.


The phases below reflect how Level 2 prep actually unfolds.

The Level 2 Prep Phases

Phase 1: Scoping (Two to Four Weeks)

Before you can assess anything, you need to know what is in scope. This means identifying all systems that store, process, or transmit CUI, categorizing your assets under the five CMMC asset categories, and documenting your system boundary.


Scoping mistakes are common and expensive. Including too many systems makes the remediation lift larger than it needs to be. Scoping out systems that should be in scope creates certification risk. The CMMC Asset Categorizer is a free tool that walks you through the five asset categories under 32 CFR Part 170 and helps you classify your systems correctly.

Phase 2: Gap Assessment (Two to Six Weeks)

A gap assessment maps your current environment against all 110 Level 2 practices and documents where you meet requirements, where you partially meet them, and where you have no coverage. The output is a written report with control-by-control findings and a prioritized remediation roadmap.


The timeline depends on how well-documented your environment is going into it. A contractor with an existing SSP and documented policies can move through a gap assessment faster than one starting from scratch.


If you want to understand what the assessment process involves before you buy one, the post What to Expect From a CMMC Gap Assessment walks through the workflow in detail.

Phase 3: Documentation (Four to Eight Weeks, Often Overlapping With Remediation)

Your SSP and Plan of Action and Milestones (POA&M) are two of the most important deliverables in the Level 2 process. The SSP documents your system boundary, assets, data flows, user roles, and a control-by-control implementation narrative for all 110 practices. The POA&M tracks open gaps with owners, remediation plans, and target dates.


Both documents are typically built or rebuilt in parallel with technical remediation, but they take real time to do correctly. A weak SSP is one of the most common reasons companies hit problems during a C3PAO assessment. The SSP Scaffolder generates a structured SSP scaffold pre-populated with the NIST 800-171 control structure, which gives you a starting point that matches the expected format. The POA&M Builder works the same way for your open gaps.

Phase 4: Technical Remediation (Varies Widely)

This is usually the longest phase and the hardest to estimate in advance. You are implementing or reconfiguring security controls to close the gaps the assessment found. Common remediation work includes: deploying or configuring endpoint protection, enabling and tuning audit logging, implementing network segmentation, hardening configurations, setting up multi-factor authentication across all CUI-touching accounts, and deploying or replacing email security.


If your environment already has endpoint protection and email security in place, for example through Sophos or Proofpoint, that is months of work you do not have to do. The technical controls are already running; you are validating configuration against CMMC requirements and filling documentation gaps, not doing a full deployment from zero. A contractor starting with a clean slate takes significantly longer.


Network segmentation under Fortinet, or configuring audit logging against CMMC requirements, takes weeks or months depending on your current network architecture. These are not checklist items. They are engineering changes.

Phase 5: Evidence Collection and Operational Discipline (Ongoing Through Prep)

A C3PAO does not just look at your policies and tools. They verify that the controls are working and that you can show it. Evidence includes configuration screenshots, access logs, patch histories, training records, and documented procedures that reflect your actual environment, not a template.


Evidence collection should start early and run alongside every other phase. Contractors who treat it as a last step before the assessment routinely discover gaps in their documentation that add weeks to the timeline.

Phase 6: Pre-Assessment Readiness Check (Two to Four Weeks)

Before you book a C3PAO, a readiness check confirms your documentation and evidence package is in good shape, your SSP accurately reflects your environment, and you have addressed your highest-severity gaps. This step is about finding problems before a paying assessor does.

Phase 7: C3PAO Assessment Booking and Assessment (Four to Eight Weeks From Booking)

Authorized C3PAOs are listed through the Cyber AB, which remains the official CMMC accreditation body. The individual assessors who staff those teams (CMMC Certified Professionals and CMMC Certified Assessors) are now credentialed through ISACA, which took over the assessor certification role in April 2026. Their availability varies, and assessment slots fill up, so book early. A formal Level 2 assessment typically runs two to four weeks for the actual assessment work, but getting on the schedule can add a month or two to your overall timeline.

What Stretches the Timeline

These are the most common reasons contractors take longer than expected:

No documentation baseline

If you have never written an SSP, do not have a formal policy set, and cannot produce evidence of control implementation, you are starting from zero on documentation. That adds months.

Complex or mixed environments

On-premises servers, remote workers, cloud services, and a managed service provider all in the same scope means more assets to categorize, more data flows to document, and more controls to verify.

No dedicated internal owner

CMMC prep requires consistent internal attention. When it is being managed by an IT lead doing it on the side, work slows down, evidence collection lags, and remediation stalls.

Slow vendor procurement

If your gap assessment reveals you need to deploy new security tooling, procurement, licensing, implementation, and configuration all take time. This is especially true for network changes.

Contractor saw DFARS 252.204-7021 for the first time recently

DFARS 252.204-7021 is the contract clause that places CMMC requirements on new solicitations, effective November 10, 2025. If you are seeing this clause on a new award or recompete and did not know CMMC was required, your timeline is already running. There is no grace period built into the clause itself.

What Shortens the Timeline

Existing NIST 800-171 work

If you have already done a NIST 800-171 self-assessment, have a current SSP, and have been tracking your SPRS score, a significant portion of the Level 2 documentation work is already done. You are updating and verifying, not building from zero.

A dedicated internal lead

A staff member or contractor whose primary job is driving CMMC prep moves things faster than one doing it as a side project.

Security tools already deployed and configured

Endpoint protection, email security, and network controls already running in your environment mean the technical remediation phase is primarily verification and documentation rather than deployment.

A clean, well-scoped environment

Fewer in-scope systems and a well-defined CUI boundary means less to assess, less to document, and less to remediate.

You can get a rough read on where your environment stands right now using the free SPRS Score Calculator, which walks you through your NIST 800-171 practice status and calculates an estimated SPRS score. A very negative score means more remediation work and more time.

When to Start

For Level 1: start now. The timeline is short enough that delay is rarely strategic, and Level 1 self-attestation renews annually. If you handle FCI under a DoD contract, you should be able to attest at any time.


For Level 2: start 12 to 18 months before your contract requirement date, and sooner if your prime is pressing you for status. If you have a recompete on the horizon and you have not started, get a gap assessment on the calendar. The assessment tells you where you are and gives you a realistic estimate of how long remediation will take. You cannot plan a timeline you have not scoped.


If you are not sure what level your contract requires, the post Level 1 or Level 2? How to Tell Which Your Contract Requires walks through the determination. And if you are still figuring out whether CMMC applies to your company at all, start with Do I Need CMMC? A Quick Checklist for Subcontractors and Suppliers.

What to Do Next

The most useful first step for most contractors is a gap assessment. It tells you what you actually need to fix, how significant the lift is, and how long remediation will realistically take given your current environment. Without it, any timeline estimate is a guess.


APT offers gap assessments for both Level 1 and Level 2. The CMMC Gap Assessment page has details on what the deliverable includes and how to request pricing. If you want to talk through your situation before committing to anything, a free 30-minute consultation is the right starting point.

Talk Through Your Situation With APT

If you have a contract deadline or a prime pushing you for compliance status, a free 30-minute consultation can help you figure out where you stand and what a realistic timeline looks like for your environment. There is no commitment involved.

Book a Free Consultation