Six to twelve months is the honest industry baseline — but it’s built from seven stages with very different dynamics. Here’s where the time goes, and where it doesn’t have to.
For most organizations, expect 6–12 months from a standing start to certification, and that's before C3PAO scheduling, which can add months of queue time. The biggest variables are how much remediation your environment needs and how long documentation and evidence preparation takes. The first is irreducible engineering work. The second is where modern tooling collapses weeks into hours.
"How long does CMMC certification take?" has an honest answer and a useful answer. The honest answer is "it depends on your starting posture." The useful answer is a stage-by-stage breakdown with realistic durations, so you can locate your own organization in each one. Here's that breakdown.
| Stage | Typical duration | What happens |
|---|---|---|
| 1. Scoping | 2–6 weeks | Define the CUI boundary: which systems, people, and facilities process or store CUI. Enclave vs. enterprise-wide is the decision that drives every downstream cost. |
| 2. Gap assessment | 2–4 weeks | Score your environment against all 110 NIST SP 800-171 requirements (320 assessment objectives). Produces your SPRS score and remediation backlog. |
| 3. Remediation | 2–9 months | Implement missing controls. The widest variable in the entire timeline — mature environments need weeks, greenfield ones need most of a year. |
| 4. Documentation & evidence | Weeks–months (traditionally) | Build the System Security Plan, write policies and procedures for every control family, collect evidence, and link it to requirements in an assessor-ready package. |
| 5. C3PAO scheduling | 1–6 months (queue) | Engage an assessor, execute agreements, and wait for a slot. With ~103 C3PAOs serving ~80,000 organizations, the queue is now a real planning input. |
| 6. The assessment | 1–3 weeks | Artifact examination, personnel interviews, and demonstration of controls in operation. |
| 7. POA&M closeout (if conditional) | Up to 180 days | If you score ≥80% (88 of 110 MET) with only POA&M-eligible gaps, you get conditional status and 180 days to close items, then a closeout assessment. |
Remediation gets the budget attention because it's visible engineering work — new tooling, network segmentation, MFA rollouts. Its duration is mostly a function of your starting posture, and there's no shortcut for genuinely missing controls.
Documentation and evidence is the stage that blindsides teams. The assessment doesn't grade what you've implemented — it grades what you can prove. That means a System Security Plan covering the full scope, written policies and procedures for 110 requirements across 14 control families, and evidence artifacts mapped to each one. Organizations routinely report this consuming weeks to months of staff time, usually from the same senior people who are doing the remediation work — which is how stage 4 quietly extends stage 3.
You can't compress remediation that involves real infrastructure change, and you can't compress the C3PAO's calendar. The compressible stages are 2 and 4, gap assessment and documentation & evidence, because they're fundamentally information processing: mapping what exists against what's required, and producing the documentation that proves it.
That's where the gap between traditional and AI-assisted approaches is widest. A federal-focused technology company with fewer than 50 employees completed its entire CMMC Level 2 evidence workstream — uploading existing evidence, generating customized policy templates, and reviewing every evidence-to-control link — in 18 hours using PRISM. The same workstream consumes weeks to months in a manual engagement. The full case study breaks down where those 18 hours went.
Work backward from your earliest CUI contract award date after November 10, 2026 (see our Phase 2 deadline explainer for how to find that date). Reserve 1–6 months for the C3PAO queue, then fit stages 1–4 in front of it. If the arithmetic says you should have started last quarter, conditional status (88/110, 180-day closeout) may be your realistic path, but it still requires most of the work to be done.
PRISM’s AI document analysis and 2,623-requirement crosswalk turn the evidence workstream from months of staff time into a review task.