What to Know About the CMMC Process and Timeline

How long the CMMC process takes for your organization depends on which compliance level you need to achieve. Every level has distinct certification and assessment processes. The higher the compliance level, the more time and money it will cost you to achieve it.

In Short:

  • Level 1 requires a self-assessment signed by a senior organization official.

  • Level 2 requires assessment by a CMMC Third-Party Assessment Organization (C3PAO), an independent entity certified by the government to perform such assessments.

  • Level 3 requires a direct assessment by DoD.

What happens at each phase of the CMMC Certification Process?

CMMC Gap Analysis

The first phase lays out shortcomings in your cybersecurity posture and IT infrastructure that will preclude you from achieving CMMC compliance.

CMMC Implementation

The next phase involves remediation for the issues found in phase 1. Such fixes may be applied to software, hardware, policies, or practices.

CMMC Pre-Assessment

Phase 3 verifies the efficacy of the remediations performed in phase 2 and prepares you for the final assessment.

CMMC Assessment

The final phase is the actual assessment that officially determines if your organization can achieve CMMC compliance.