CMMC Level 2 Certification: A Realistic 12-Month Timeline

by Kevin Sutton | Oct 22, 2025 | Cyber News

The Clock is Ticking for Defense Contractors

With CMMC (Cybersecurity Maturity Model Certification) requirements rolling out in contracts, defense contractors (OSC – Organization Seeking Certification) face a critical deadline. Level 2 certification, required for handling CUI (Controlled Unclassified Information), is not a simple checklist; it’s a comprehensive transformation of your security posture.

Based on our experience guiding contractors through this process, a 12-month timeline is aggressive but achievable if well-managed.

Phase 1: Months 1-3 – Scoping and Gap Analysis

Goal: Understand exactly where you stand against NIST 800-171/CMMC Level 2 practices.

  1. Define the CUI Boundary: You cannot protect what you haven’t identified. Map the flow of CUI through your systems. Reduce scope where possible to save costs.
  2. Conduct a Gap Assessment: Honest assessment against all 110 controls. This is not the time for optimism; if a control isn’t fully implemented and documented, it’s a gap.
  3. Develop the SPRS Score: Calculate your current Supplier Performance Risk System score.

Phase 2: Months 4-7 – Remediation and Documentation

Goal: Close technical gaps and formalize policies.

  1. Technical Remediation: Implement MFA, FIPS-validated encryption, log management, and other technical controls.
  2. Policy and Procedure Writing: CMMC requires that you not only do the security practice but also have a policy saying you will do it and a procedure showing how you do it.
  3. System Security Plan (SSP): Draft your SSP. This is your “living document” describing how every requirement is met.

Phase 3: Months 8-10 – Operational Maturity and POA&Ms

Goal: Demonstrate that controls are working over time.

  1. Evidence Collection: Auditors need to see that controls have been in place for a period of time. Collect logs, tickets, and meeting minutes.
  2. Plan of Action and Milestones (POA&M): For any non-critical gaps remaining, create a strict POA&M.

Critical POA&M Limitations:

  • All 5-point weighted controls must be 100% implemented (no POA&M)
  • Examples: MFA (3.5.3), FIPS-validated cryptography (3.13.11), access control (3.1.1)
  • All POA&M items must be remediated within 180 days of assessment
  3. Training: Ensure all staff are trained on the new policies and procedures.
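Here is an added example, not from the post or from any official CMMC tool, that works the SPRS scoring and POA&M rules above as code. Deductions follow the NIST SP 800-171 DoD Assessment Methodology (start at 110, subtract 5, 3 or 1 points per unmet requirement, with a reduced 3-point deduction for partial 3.5.3 and 3.13.11 implementations), and the POA&M split applies the post's rule that 5-point controls cannot be deferred while remaining items close within 180 days of assessment. The sample gap list and assessment date are constructed; the weights of the 1-point items are assumptions to verify against the methodology's point table.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110          # one point per NIST SP 800-171 requirement
POAM_WINDOW_DAYS = 180   # remediation window stated in the post
# Only these two requirements earn a reduced 3-point deduction when partially implemented
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

@dataclass
class Requirement:
    ident: str      # NIST SP 800-171 requirement id, e.g. "3.5.3"
    weight: int     # 5, 3 or 1, per the DoD Assessment Methodology point table
    status: str     # "implemented", "partial" or "not_implemented"

def deduction(req: Requirement) -> int:
    """Points subtracted from the score for one requirement."""
    if req.status == "implemented":
        return 0
    if req.status == "partial" and req.ident in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req.ident]
    return req.weight   # "partial" on any other requirement counts as not implemented

def sprs_score(reqs: list[Requirement]) -> int:
    """Requirements absent from `reqs` are assumed fully implemented."""
    return MAX_SCORE - sum(deduction(r) for r in reqs)

def poam_plan(reqs: list[Requirement], assessment_date: date) -> dict:
    """Split gaps into must-fix-before-assessment blockers and POA&M-eligible items."""
    blockers, poam = [], []
    deadline = assessment_date + timedelta(days=POAM_WINDOW_DAYS)
    for r in reqs:
        if deduction(r) == 0:
            continue
        if r.weight == 5:   # post's rule: 5-point controls get no POA&M, even if partial
            blockers.append(r.ident)
        else:
            poam.append((r.ident, deadline))
    return {"score": sprs_score(reqs), "blockers": blockers, "poam": poam}

# Constructed sample gap-assessment output (not real data); 1-point weights are assumed.
SAMPLE = [
    Requirement("3.1.1", 5, "implemented"),        # access control in place
    Requirement("3.5.3", 5, "partial"),            # MFA for remote/privileged users only
    Requirement("3.13.11", 5, "not_implemented"),  # CUI not encrypted at all
    Requirement("3.3.1", 5, "not_implemented"),    # no audit logging
    Requirement("3.1.3", 1, "not_implemented"),
    Requirement("3.3.3", 1, "not_implemented"),
]

if __name__ == "__main__":
    print(poam_plan(SAMPLE, date(2026, 1, 15)))
```

Running the sample yields a score of 95 with three 5-point blockers that must be closed before the C3PAO arrives and two POA&M items due 180 days after the assessment date.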

Phase 4: Months 11-12 – Pre-Assessment and the C3PAO Audit

Goal: Verify readiness and cross the finish line.

  1. Mock Assessment: Have a third party (not your implementer) conduct a mock audit to catch last-minute issues.
  2. Select a C3PAO: Engage a Certified Third-Party Assessor Organization early. Their schedules fill up fast.
  3. The Assessment: Be prepared for a rigorous examination. Have your SSP and evidence ready and organized.

The Reality Check

Twelve months assumes you have dedicated resources and budget. Many organizations take 18-24 months. The key is to start now.

Need help navigating the CMMC maze? Contact our CMMC Registered Practitioners for a gap analysis.

Written by Kevin Sutton

Principal Security Consultant with over 30 years of IT and cybersecurity expertise spanning Fortune 100 companies and global enterprises. CISSP since 2003 and CISA since 2005, with deep experience securing critical infrastructure across the Energy, Aviation, Healthcare, Finance, and Retail industries.
