How long the CMMC process takes for your organization depends on which compliance level you need to achieve. Every level has distinct certification and assessment processes. The higher the compliance level, the more time and money it will cost you to achieve it.
Level 1 requires a self-assessment signed by a senior organization official.
Level 2 requires assessment by a CMMC Third-Party Assessment Organization (C3PAO), an independent entity certified by the government to perform such assessments.
Level 3 requires a direct assessment by DoD.
CMMC Gap Analysis
The first phase lays out shortcomings in your cybersecurity posture and IT infrastructure that will preclude you from achieving CMMC compliance.
The next phase involves remediation for the issues found in phase 1. Such fixes may be applied to software, hardware, policies, or practices.
Phase 3 is meant to verify the efficacy of the remediations performed in phase 2 and to prepare you for the final assessment.
The final phase is the actual assessment that officially determines whether your organization can achieve CMMC compliance.