The CMMC deadline isn't theoretical anymore. Phase 1 of the rollout kicked in on November 10, 2025: Level 1 and Level 2 self-assessments are now conditions of award on applicable solicitations, and DoD can require a Level 2 C3PAO certification at its discretion. If you're treating cybersecurity as a checkbox, you're already behind.
This isn't a drill. The DoD CMMC program has entered active enforcement, and prime contractors are flowing certification requirements down to their entire supply chain. Phase 2 (November 2026) makes Level 2 C3PAO certification a condition of award for applicable contracts, and by the time Phase 3 arrives in November 2027, virtually every contract that involves CUI will require certified Level 2 status before award.
Here's the five-step playbook our team uses to get defense contractors ready — the actions that actually move the needle, not the ones that fill a PowerPoint.
Step 1: Confirm Your Required Level
Before anything else, determine which level your contracts will require. Read your current and anticipated contract flow-downs and look for DFARS 252.204-7012, 252.204-7019, 252.204-7020, and the CMMC clause itself, 252.204-7021.
- Level 1 — if you only handle Federal Contract Information (FCI). The 15 basic safeguarding requirements of FAR 52.204-21 (CMMC 1.0 counted them as 17 practices). Annual self-assessment entered in SPRS, plus an annual affirmation.
- Level 2 — if you receive, store, or process Controlled Unclassified Information (CUI). The 110 requirements of NIST SP 800-171 Rev 2. C3PAO certification assessment for most contracts; a Level 2 self-assessment is accepted only where the solicitation says so.
- Level 3 — for the highest-risk programs. Requires a Level 2 certification first, then adds 24 selected NIST SP 800-172 requirements. Government-led assessment by DCMA DIBCAC.
Most subcontractors to primes and most manufacturing shops land at Level 2. If you're unsure, start with our free self-assessment; it will tell you where you stand in about fifteen minutes.
Step 2: Lock Down Your SSP and POA&M
Your System Security Plan is the single most important document the assessor will read. It defines your authorization boundary, your CUI enclave, your asset inventory, and how every 800-171 control is implemented in your environment.
Generic SSPs get rejected. Yours needs to:
- Define the boundary precisely: which endpoints, servers, SaaS tools, cloud services, and physical spaces are in scope, with each asset categorized the way the CMMC Level 2 scoping guide expects (CUI asset, security protection asset, contractor risk managed asset, specialized asset, or out of scope).
- Include accurate network diagrams showing CUI data flows from receipt through storage, processing, and transmission to destruction.
- Document each of the 110 requirements with the specific technology, process, or policy satisfying it, and name the evidence an assessor can ask for.
- Identify which requirements are inherited from a cloud provider (e.g., Microsoft GCC High or AWS GovCloud) and which you own, using the provider's customer responsibility matrix rather than your own assumptions.
Your Plan of Action & Milestones catalogs every gap with a remediation owner and target date. At CMMC Level 2 a POA&M buys you very little room: you must still score at least 88 of 110, only requirements worth 1 point may be deferred (plus SC.L2-3.13.11 when encryption is in place but not FIPS-validated), a handful of 1-point requirements such as AC.L2-3.1.20, AC.L2-3.1.22, and the PE.L2-3.10.3 through 3.10.5 physical access requirements cannot be deferred at all, and the POA&M must be closed out within 180 days or the conditional certification lapses. Plan accordingly.
Step 3: Implement All 110 Controls — With Evidence
This is where most contractors stall. The practices are not abstract. Each one needs a working implementation plus artifacts that prove it.
C3PAO assessors score every requirement as MET, NOT MET, or NOT APPLICABLE. There is no "partially met" at Level 2; the DoD scoring methodology allows a reduced deduction for only two requirements, MFA (IA.L2-3.5.3) and FIPS-validated encryption (SC.L2-3.13.11). A NOT MET finding on any requirement that cannot be placed on a POA&M means no certification, conditional or otherwise, until you remediate and are reassessed. NOT MET findings on POA&M-eligible requirements, with a score of at least 88, get you a conditional certification and a 180-day clock to close them out.
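To make the POA&M limits in Step 2 and the MET / NOT MET scoring above concrete, here is a small Python script, added to this post and not part of any DoD, C3PAO, or vendor tooling, that scores a mock assessment the way the DoD assessment methodology does and sorts each gap into "can go on a POA&M" or "must fix before the assessment". The requirement weights in the table, the 88-point floor, the two partial-credit requirements, and the list of barred 1-point requirements are assumed from my reading of the methodology and 32 CFR 170.21, so confirm them against the current published text before relying on the output; the mock results at the bottom are constructed.

```python
"""CMMC Level 2 scoring and POA&M-eligibility check.

Constructed example, not the DoD's or any C3PAO's tool. Weights and POA&M
rules below are assumed from the DoD NIST SP 800-171 Assessment Methodology
and 32 CFR 170.21 as I read them; verify against the current text.
"""
from dataclasses import dataclass, field

TOTAL_POINTS = 110
MIN_CONDITIONAL_SCORE = 88  # 80 percent of 110, the floor for a conditional certification

# Illustrative subset of the 110 requirements with their point weights (ASSUMED; verify).
WEIGHTS = {
    "AC.L2-3.1.1": 5, "AC.L2-3.1.2": 5, "AC.L2-3.1.20": 1, "AC.L2-3.1.22": 1,
    "AU.L2-3.3.1": 5, "AU.L2-3.3.2": 3, "AU.L2-3.3.4": 1,
    "CM.L2-3.4.1": 5, "CM.L2-3.4.9": 1, "IA.L2-3.5.3": 5,
    "IR.L2-3.6.3": 1, "PE.L2-3.10.3": 1, "SC.L2-3.13.11": 5,
}
# The only two requirements with a reduced deduction when partly in place:
# MFA on remote/privileged but not general access, and encryption that is not FIPS-validated.
PARTIAL_DEDUCTION = {"IA.L2-3.5.3": 3, "SC.L2-3.13.11": 3}
# 1-point requirements that still cannot be deferred to a POA&M (assumed from 32 CFR 170.21).
POAM_BARRED = {"AC.L2-3.1.20", "AC.L2-3.1.22", "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5"}
STATUSES = {"MET", "NOT_MET", "PARTIAL", "NA"}


@dataclass
class Verdict:
    score: int                    # SPRS-style score: 110 minus deductions
    conditional_eligible: bool    # True only if score >= 88 and every gap is POA&M-eligible
    poam: list = field(default_factory=list)      # gaps you may carry on a 180-day POA&M
    blockers: list = field(default_factory=list)  # gaps that must be closed before certification


def deduction(rid: str, status: str) -> int:
    """Points subtracted for one requirement at the given status."""
    if status not in STATUSES:
        raise ValueError(f"{rid}: unknown status {status!r}")
    if rid not in WEIGHTS:
        raise KeyError(f"{rid}: not in the weight table")
    if status in ("MET", "NA"):
        return 0
    if status == "PARTIAL":
        if rid not in PARTIAL_DEDUCTION:
            raise ValueError(f"{rid}: partial credit is not defined for this requirement")
        return PARTIAL_DEDUCTION[rid]
    return WEIGHTS[rid]


def evaluate(results: dict) -> Verdict:
    """Score a Level 2 assessment and sort each gap into POA&M-eligible or blocking.

    `results` maps requirement id -> status; requirements not listed are taken as MET.
    """
    score = TOTAL_POINTS
    poam, blockers = [], []
    for rid, status in sorted(results.items()):
        points = deduction(rid, status)
        if points == 0:
            continue
        score -= points
        if rid == "SC.L2-3.13.11" and status == "PARTIAL":
            poam.append(rid)          # non-FIPS encryption in place: may be deferred
        elif points == 1 and rid not in POAM_BARRED:
            poam.append(rid)          # ordinary 1-point gap: may be deferred
        else:
            blockers.append(rid)      # 3/5-point gap or barred 1-pointer: fix before the assessment
    eligible = score >= MIN_CONDITIONAL_SCORE and not blockers
    return Verdict(score, eligible, poam, blockers)


if __name__ == "__main__":
    # Constructed mock-assessment result for a shop with MFA only on remote/admin access.
    mock = {
        "IA.L2-3.5.3": "PARTIAL",
        "AU.L2-3.3.4": "NOT_MET",
        "IR.L2-3.6.3": "NOT_MET",
        "AC.L2-3.1.20": "NOT_MET",
        "AU.L2-3.3.2": "MET",
    }
    v = evaluate(mock)
    print(f"score {v.score}/110, conditional certification possible: {v.conditional_eligible}")
    print("POA&M-eligible:", v.poam)
    print("must fix first:", v.blockers)
```

Run it against your own mock-assessment results and the `blockers` list is your pre-assessment remediation queue: everything in it has to be MET on the day the C3PAO shows up, while `poam` items can be scheduled inside the 180-day window. Note that a score below 88 sinks the conditional status even when every individual gap is deferrable.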
Concrete actions by control family:
- Access Control (AC) and Identification & Authentication (IA): Multi-factor authentication for local and network access to every CUI system (IA.L2-3.5.3), privileged accounts separated from daily-use accounts, session locks and timeouts, least-privilege role definitions you can show in the directory.
- Audit & Accountability (AU): Centralized logging of CUI systems, a retention period your policy states and you can prove you meet (DFARS 7012 separately requires preserving images and relevant data for at least 90 days after a cyber incident report), alerting on audit failures and suspicious events, and records of log review at your stated cadence (quarterly is common).
- Configuration Management (CM): Hardened baselines aligned to CIS Benchmarks or DISA STIGs, change control tickets, application allow-listing (CM.L2-3.4.8).
- Incident Response (IR): Documented IR plan, a tested capability (IR.L2-3.6.3) such as a tabletop exercise on the cadence your plan states, with sign-in sheets and after-action notes, and a reporting path to DoD via DIBNet within 72 hours of discovery per DFARS 7012.
- System & Communications Protection (SC): FIPS-validated cryptography (FIPS 140-2 or 140-3) wherever encryption protects CUI in transit or at rest (SC.L2-3.13.11); check the CMVP certificate for the specific module and operating mode you deploy, not the vendor's marketing page. Network segmentation around the enclave.
Step 4: Build Continuous Monitoring Into Operations
A CMMC Level 2 certification is valid for three years, but you are required to submit an annual affirmation in SPRS that your controls remain in place. That means continuous monitoring has to be part of how you operate, not something you stand up the week before the next audit.
At minimum: automated vulnerability scanning, patch compliance reporting, privileged user activity monitoring, endpoint detection and response, and a documented review cadence for logs, user access, and configuration drift. If you have an MSP or internal SOC, they need to be feeding evidence to your compliance owner monthly.
Our CMMC Compliance Services include a continuous monitoring playbook that maps directly to evidence demands assessors see. Treat monitoring as muscle memory and you'll never scramble before an affirmation deadline again.
Step 5: Run a Mock Assessment
You do not want your first real assessment experience to be the one that decides your contracts. Hire a consultant or qualified internal team to run a mock assessment that simulates the C3PAO evaluator methodology — document review, technical inspection, staff interviews, and evidence sampling.
A cyber risk assessment focused on CMMC readiness will surface the weak spots that a checklist won't. Plan for at least two dry runs before booking the actual C3PAO engagement.
A Realistic Timeline
If you're starting today and you're working from a decent NIST 800-171 baseline, six to nine months is a defensible minimum to Level 2 certification. If you're starting from scratch — no SSP, no policies, no logging, no MFA — plan on twelve to eighteen months.
Contracts aren't waiting. Prime contractors are already asking subs for their NIST SP 800-171 self-assessment scores in the Supplier Performance Risk System (SPRS), required by DFARS 252.204-7019 and -7020, and for target C3PAO dates. If you can't answer, you lose the bid.
Common Mistakes That Kill Assessments
- Over-scoping the boundary. Putting your entire corporate network in-scope instead of isolating a CUI enclave. Every extra endpoint is another control to prove.
- Treating the SSP as a template exercise. Copy-pasted SSPs fall apart in assessor interviews.
- Ignoring shared-responsibility inheritance. Assuming Microsoft 365 GCC High covers controls it doesn't: the platform is the provider's, but tenant account management, conditional access policies, and how your people handle CUI remain yours.
- Weak training evidence. You need attendance records and content proof, not just a calendar invite.
- Skipping the mock. It is the single highest-ROI step in the entire program.
If you want a structured path to certification — scoping, gap analysis, remediation, evidence, and mock — talk to our team. And if you want to see how you'll stack up first, read our companion piece on what to look for in a CMMC consultant.