Defense contractors have been required to meet the 110 controls in NIST SP 800-171 since 2016. And since 2020, they’ve known CMMC was coming to enforce those requirements. Still, many have held off—waiting for clarity on when enforcement would begin, what documentation would be required, and how assessments would actually work.
That uncertainty is now over.
The Department of Defense finalized the CMMC framework in December 2024, and certification assessments have ramped up since January of this year. Once the companion acquisition rule takes effect, contracting officers are expected to begin inserting CMMC requirements into new awards, renewals, and contract modifications in Q4 of this year.
In our recent CMMC Clarified: Insights from Hundreds of Assessment webinar, compliance leaders from PreVeil and from Sentar and Forvis Mazars, two leading C3PAOs, shared hard-won lessons from the first year of real-world CMMC assessments. The takeaway? Contractors that start early, limit their scope, and get help from experienced partners are the ones hitting 110.
The CMMC Timeline Is Real—and It’s Tight
The 32 CFR rule (32 CFR Part 170) became effective in December 2024, legally establishing the CMMC program. The 48 CFR rule, the companion DFARS rule that lets CMMC be written into contracts, is expected to take effect as early as October 2025.
Once the 48 CFR rule is live, there is no more buffer. Contracting officers can insert CMMC requirements into new contracts, recompetes, and extensions at any time.
If your team is still waiting for “final confirmation,” you’re already behind.

POA&Ms Are No Longer a Mystery
The rules around POA&Ms (Plans of Action and Milestones) are now locked down in 32 CFR 170.21. Only controls weighted at one point under the DoD scoring methodology are eligible, and the rule carves out a short list of exceptions, so check the list rather than assuming every one-point control qualifies. Contractors must already score at least 88 of 110 (80 percent) at the initial assessment to use a POA&M at all, and they have only 180 days from the conditional certification to close every open item, including the time needed for the C3PAO to come back and verify closure.
As Steve Pratt, CISO at Sentar, put it:
You can’t wait until day 179 to call your C3PAO and ask them to come back. That 180-day clock includes your reassessment.
Scoping Is Your Leverage—Use It Wisely
Reducing your scope is the most powerful way to lower your assessment burden. Virtual Desktop Infrastructure (VDI) is now officially recognized as a valid strategy for taking endpoints out of scope: under the Level 2 scoping guidance, an endpoint running a VDI client is out of scope only when it is configured so that no CUI is processed, stored, or transmitted on the endpoint beyond the keyboard, video, and mouse traffic sent to the VDI session. Clipboard sharing, drive redirection, and local printing from the session all pull the endpoint back in.
But MSPs (Managed Service Providers) remain a potential pitfall. If your MSP can access CUI, it is in scope as an External Service Provider. That means it either holds its own Level 2 certification, or the services it provides to you are assessed as part of your assessment, and you pay for that additional scope.
As Tom Tolerton, Principal at Forvis Mazars, warned:
If your MSP touches CUI and isn’t certified, guess what? You’re now paying for two assessments.
Smart contractors are proactively defining technical and contractual boundaries: keeping MSPs away from CUI so that their tooling can be classified as Security Protection Assets, which are still in scope but are assessed only against the requirements relevant to the service they provide, rather than against the full 110.
Documentation Will Make or Break You
Even contractors with strong technical environments are failing assessments because of poor documentation.
The System Security Plan (SSP) is the centerpiece of the assessment process. It must be accurate, consistent, and aligned with real-world configurations. Referencing policies is fine, but if those references are outdated, vague, or contradictory, you will lose points fast.
Documentation should tell a unified story. That means your SSP, network diagrams, policies, procedures, and evidence all need to line up: if the SSP says MFA is enforced on every CUI system, the assessor will expect the identity provider configuration and the evidence artifacts to show exactly that. A mismatch between documents and implementation will raise red flags with assessors regardless of your actual security posture.
Don’t Guess—Test Yourself First
Contractors nervous about the formal assessment process are increasingly turning to mock assessments. These dry runs, offered by many C3PAOs, simulate the real thing, highlighting weaknesses in documentation, scope, and evidence handling before they become disqualifying.
The C3PAOs made it clear: mock assessments do not include consulting or remediation advice, because a C3PAO cannot both advise an organization and then certify it. But they will show you exactly where you fall short, giving you time to correct the issues without the pressure of a live assessment.
In short, mock assessments can give you the clarity and confidence you might otherwise be lacking.
The Bottleneck Is Already Here
Today, there are fewer than 80 authorized C3PAOs. Meanwhile, over 70,000 contractors are expected to require Level 2 certification by late 2026.
Many assessors are already booked well into 2026. And remember: a Level 2 certification is valid for three years (with an annual affirmation in between). That means even companies that pass now will be back in line soon, so demand for assessors will keep growing rather than level off.
If you wait until the 48 CFR rule becomes effective to schedule your assessment, you may not find an open slot.
Compliance Isn’t Optional Anymore
Even without CMMC, DFARS 252.204-7012 still requires you to implement the 110 controls in NIST SP 800-171. What CMMC adds is third-party validation and a formal affirmation of compliance, and there are real consequences for falling short.
The baseline hasn’t changed since 2016. What’s new is the accountability.
— Steve Pratt, Sentar
If you have a 7012 clause in your contract, you are already on the hook, whether or not you have started preparing.
Need a faster path to 110?
PreVeil’s proven solution has been used by 30+ defense contractors and C3PAOs to achieve perfect 110 scores in CMMC assessments. Learn how we can help you get started on your compliance journey:
- To learn how PreVeil can help, reach out to our sales team.
- Or schedule a free 15-minute compliance consult.