Your CMMC Compliance Timeline: An Honest Look at the Full Journey
Our documentation package is step one. Here's the complete picture — no sugarcoating.
- CMMC Level 2 certification requires documentation, technical implementation, and running evidence — all three.
- The minimum evidence collection window is 90 days. You can't buy more time or automate your way around it.
- Only ~92 authorized C3PAOs exist for 80,000+ companies. Schedule your assessment slot early — before Phase 3 ends.
- Realistic timeline for most small contractors: 5–7 months start to certified.
- Total realistic cost range: $42,500–$160,000 depending on your gap size and whether you need GCC High migration.
The Reality Check
Most CMMC vendors — us included — focus on their piece of the puzzle. Here's the full picture that nobody wants to put on a sales page.
Getting CMMC Level 2 certified requires three things:
- Documentation that describes your security controls — that's what we do.
- Technical implementation of those controls in your actual environment — that's your IT team or MSP.
- Running evidence that proves your controls have been operating for months — that's time, and you can't buy it or automate it.
A C3PAO assessor doesn't just read your SSP. They interview your people, inspect your systems, and review months of evidence. If your audit logs only go back 6 weeks, that's a finding. If your employees can't describe the incident response process, that's a finding. Documentation alone doesn't pass an assessment — but you can't pass without it.
The DoD's official estimate puts average Level 2 compliance cost at around $104,000 for small businesses. Most practitioners who work with actual small contractors think that's optimistic. Real-world figures, particularly for companies that need GCC High migration, run higher.
The Full Timeline
Here's how a typical CMMC Level 2 journey plays out. Your actual timeline depends on how many technical gaps you're starting with.
Phase 1: Documentation
- Complete the MyCMMC intake assessment (1–2 hours)
- Receive your full documentation package (delivered instantly after intake)
- Practitioner review of your SSP, policies, and gap analysis (3–5 business days)
- Sign your SSP and policies with the included signature blocks
- Review your POA&M — this becomes your remediation roadmap
Phase 2: Gap Remediation
- Review your gap analysis and POA&M — this tells you exactly what's missing
- Work with your MSP or IT team to close technical gaps
- Common gaps for small shops: MFA on all accounts, SIEM/log management, network segmentation, endpoint detection, encrypted file transfer
- If you handle CUI in Microsoft 365 commercial: migrate to GCC High
- Document all changes as you go — you'll need this for evidence
Phase 3: Evidence Collection
- Once controls are implemented, you need to run them and collect proof
- Minimum 90 days: audit logs, access reviews, vulnerability scans — dated and continuous
- Training records showing annual security awareness training completed for all staff
- Documented incident response tabletop exercise
- Policy reviews signed and dated (your documents come with signature blocks)
- Screenshot evidence of configurations matching your SSP
- Patch management logs showing vulnerabilities remediated within policy timeframes
Phase 4: Pre-Assessment Verification
- Complete the MyCMMC 42-item verification workflow — this is your internal audit
- Walk your facility: does physical security match what the SSP describes?
- Pull your evidence binder: do you have 90+ days of continuous logs?
- Confirm every employee can describe their security responsibilities
- Verify every system in scope matches the SSP boundary
- Check that all policies have current signatures
Phase 5: C3PAO Assessment
- Schedule early: current wait times are 2–4 months — only ~92 authorized C3PAOs for 80,000+ companies
- Book your slot during Phase 3, not after — you can schedule before your evidence window is complete
- The assessment itself takes 3–5 days on site
- Assessor reviews your documentation, interviews staff, inspects systems, reviews evidence binder
- Results: Pass, Conditional Pass (with POA&M items to close), or Fail
- Assessment fee: $20,000–$50,000 paid directly to the C3PAO
Not sure where you stand? The free readiness check takes 15 minutes and tells you your current CMMC posture, your biggest gaps, and which package makes sense for your situation.
Take the Free Readiness Check →
Where MyCMMC Fits
We handle Phase 1 and support Phase 4. That's the documentation and the verification. Phases 2 and 3 are on you and your IT team.
Here's why that still saves you $30K+: documentation is the most labor-intensive part of the process. It's what consultants spend 80–100 hours on. We do it in 15 minutes with better coverage — 322 assessment objectives vs. the 110 most consultants address. That frees up your budget for the technical implementation work that actually matters.
"We write the blueprint. Your MSP builds the house. The C3PAO does the inspection."
— How to think about the three parts of CMMC compliance
What we don't do: we don't deploy your SIEM, configure your MFA, segment your network, or migrate you to GCC High. We don't go on site. We don't run your evidence collection. Those are technical tasks that require hands in your environment — and a good MSP will handle them more cost-effectively than a CMMC consultant billing $250/hour.
Honest Cost Breakdown
Here's the full picture of what CMMC Level 2 actually costs — not just the documentation piece.
| Phase | Cost Range | Who Does It |
|---|---|---|
| Documentation (MyCMMC) | $7,500–$25,000 | MyCMMC |
| Technical remediation | $5,000–$50,000 | Your MSP / IT team |
| GCC High migration (if needed) | $10,000–$30,000 | Microsoft partner / MSP |
| Evidence collection tools | $0–$5,000 | Your IT team |
| C3PAO assessment fee | $20,000–$50,000 | C3PAO (direct) |
| Total realistic range | $42,500–$160,000 | — |
Yes, the total is still significant. But compare that to the $200K–$300K that consultants quote for full-service CMMC engagements. We cut the documentation cost by 75%. The rest is technical work that has to happen regardless of who writes the SSP.
If you're on the lower end — small company, relatively few technical gaps, no GCC High migration needed — you're looking at $42K–$60K total. If you're mid-size with a messy environment and Microsoft 365 commercial today, plan for $100K–$160K.
Why Companies Fail Their Assessment
Based on C3PAO assessment data and industry reports, these are the top reasons contractors don't pass the first time.
SSP doesn't match reality
The documentation says one thing, the environment shows another. The assessor walks into a room full of unmanaged personal laptops while the SSP describes a fully segmented, managed network. Our verification workflow specifically catches this — it walks you through checking every documented control against your actual setup.
Insufficient evidence
Controls were implemented last month; assessor wants 90 days of logs. Time is the only fix — there's no workaround. This is why starting your evidence clock as soon as controls are implemented matters, and why you should schedule your C3PAO slot before Phase 3 is over.
Scoping errors
CUI found on systems not included in the SSP boundary. An employee's personal laptop has some CUI files; a shared drive that wasn't scoped turns out to store contract documents. Our intake process walks you through boundary definition specifically to prevent this.
Employee knowledge gaps
Staff can't describe the controls they're supposed to follow. Assessors will interview your people — not just your IT lead. If your admin assistant doesn't know what CUI is or how to handle it, that's a finding. Done-With-You customers get mock assessment interview prep for this exact scenario.
Missing or undated signatures
The SSP and policies exist but nobody signed them — or the signatures predate your last revision. Our documents come with signature blocks on every deliverable. It's a 5-minute task that too many companies skip under time pressure before the assessment.
Common Questions
Technically possible if your controls are already fully implemented and running. For most small contractors starting from scratch or with significant gaps, 5–7 months is more realistic. The evidence collection phase requires a minimum 90-day window — that's the constraint you can't compress. If you're starting that clock on day one, your fastest path to certification is about 4 months.
Start with our Roadmap tier ($1,500) to understand your gaps and build a realistic budget. The gap analysis tells you exactly which technical controls are missing, which lets you scope the remediation work before committing. Many contractors find their technical gap is smaller than they feared — or larger, in which case it's better to know now than 3 months into a consultant engagement.
If you handle CUI in the cloud, you need FedRAMP Moderate-equivalent infrastructure. GCC High is the standard path for Microsoft shops. If you're on standard Microsoft 365 commercial right now, your email and OneDrive files are not in a compliant environment for CUI handling — that's a gap you'll need to close before your assessment. Your intake will identify this, and your gap analysis will tell you what closing it requires.
Schedule early — ideally at the start of Phase 3, not the end. You can (and should) book an assessment slot before your evidence collection window is complete, as long as you'll have 90+ days of evidence by the actual assessment date. A 4-month wait isn't a problem if you schedule it while you're still collecting evidence. It becomes a problem if you wait until you're ready and then get in line.
You don't automatically lose your contract. A Conditional Certification is possible if you have a credible Plan of Action and Milestones (POA&M) for remaining gaps — the DoD generally allows 180 days to remediate. The key is that your POA&M has to be specific and time-bound. If any MyCMMC-generated documentation is identified as deficient by your C3PAO, our Assessment-Ready Guarantee covers remediation at no cost.
Start with your documentation
Take the free readiness check. We'll tell you where you stand, what your gaps are, and which package makes sense for your situation. No email required to start.
Take the Free Readiness Check →
Takes 15 minutes · Completely free · No consultant will call you