The CMMC certification process, step by step

From determining your level to passing the C3PAO assessment and staying certified: the full path, how long it takes, and what happens on assessment day.

What is the CMMC certification process?
The CMMC certification process is the sequence a contractor follows from first reading the requirement to holding a certificate: determine your level, scope your environment, close the gaps, document everything, pass the assessment, and keep the controls operating. For Level 2 with a C3PAO, plan the journey in quarters.

The eight steps to certification

  1. Determine your level. Read your contracts and clauses; establish whether you handle CUI or only FCI.
  2. Scope the boundary. Find where CUI lives, categorize assets, and decide whether an enclave shrinks the problem.
  3. Assess the gap. Score yourself against all 320 assessment objectives — honestly. This number goes to SPRS.
  4. Remediate. Close gaps in weighted order: five-point controls first, documentation alongside.
  5. Document. Finalize the SSP, POA&M, and the policies and procedures that match real practice.
  6. Book the assessment. Engage a C3PAO while remediation is finishing — queues run months long.
  7. Pass the assessment. Evidence review, interviews, and technical validation against every objective in scope.
  8. Stay certified. Annual affirmations, continuous evidence, POA&M closeout within 180 days if conditional, re-assessment every three years.

How long does each stage take?

The honest answer: remediation is the variable. Scoping and gap assessment are measured in weeks; remediation runs from a few months (mature IT, small scope) to a year or more (flat networks, CUI everywhere, no MFA). The stage contractors forget to budget is the queue: C3PAO lead times stretched to six-to-nine months in early 2026, which is why booking belongs in the middle of your plan, not the end. Our C3PAO backlog article covers the scheduling math.

What happens during the assessment?

A Level 2 assessment typically runs across one to two weeks of sessions. The team reviews your SSP and scoping first, then works through the objectives in scope three ways: examining artifacts, interviewing people, and testing controls. Findings are scored objective by objective; you see where things stand as the assessment progresses, and the result — certified, conditional, or not yet — follows from the final score and which controls remain open.

What happens after you certify?

  • Annual affirmations — a senior official reaffirms continuing compliance every year; this is a legal representation, not a formality.
  • POA&M closeout — conditional certifications must close remaining items within 180 days, verified by the assessor.
  • Evidence upkeep — controls must keep running and producing artifacts; re-assessment is a re-proof, not a memory test.
  • Triennial re-assessment — the full cycle repeats every three years.

Frequently asked questions

How long does CMMC certification take end to end?

For a first-time Level 2 contractor: typically months of remediation depending on your gaps, plus C3PAO scheduling lead time that ran six to nine months in early 2026. Treat a year as the planning horizon; well-prepared organizations compress it, unprepared ones exceed it.

What happens if the assessor finds a failed control?

It depends on which control and how many. Score 80%+ with only POA&M-eligible items open and you can certify conditionally, closing the rest within 180 days. Fall below that line — or fail a non-POA&M-eligible control — and you remediate and re-assess.

Who in my company gets interviewed?

Expect interviews across tiers: executives on responsibility and resourcing, IT and security staff on implementation, and everyday users on practice — how they handle CUI, report incidents, and follow the rules the SSP claims exist.

Is the certificate transferable across contracts?

Yes — a Level 2 certification covers the assessed scope, not a single contract. Any DoD work whose CUI footprint falls inside that assessed boundary can rely on it for the three-year term, subject to your annual affirmations.
