
C3PAO Wait Times for CMMC Level 2: Get on a List Before Phase 2

Josef Kamara · 11 min read · Updated May 20, 2026

C3PAO wait times are running 4 to 6 months. As of early 2026 there are approximately 97–103 accredited C3PAOs (Certified Third-Party Assessor Organizations); verify the current count at cyberab.org. They serve the ~80,000 OSCs (Organizations Seeking CMMC) that the 32 CFR 170 Regulatory Impact Analysis projects will need Level 2 certification across the full CMMC rollout through November 2028, of which approximately 76,000 (the ~95% subset handling CUI) require C3PAO assessment. Phase 2 begins November 10, 2026, with phased demand growing through Phase 4. The math is unforgiving. If you have not requested a quote, you are already late.

The short answer: Find C3PAOs (CMMC Third-Party Assessor Organizations) through the Cyber AB Marketplace, search by your state, and send a request for quote this week. C3PAO wait times run 4 to 6 months. You need to be on a schedule before mid-2026 if you want to be certified before Phase 2 contracts start flowing. Expect to pay $40,000 to $80,000 for a typical small-business assessment (estimate).

What a C3PAO Actually Does

For most CMMC Level 2 contracts (those involving CUI on prioritized programs), an accredited C3PAO is the only organization authorized to conduct the assessment on behalf of DoD (the Department of Defense). Self-assessment is permitted on a small subset of Level 2 contracts that DoD specifically designates as non-prioritized per 32 CFR 170.16; if your contract includes DFARS 252.204-7021 with a Level 2 requirement, assume you need a C3PAO unless your contracting officer documents otherwise. You cannot hire a general IT firm or even a top cybersecurity consultant to certify you. The assessment must be conducted by an accredited C3PAO.

Here is how the network works, start to finish:

  1. Cyber AB accredits the C3PAO. Cyber AB (the Cybersecurity Maturity Model Certification Accreditation Body) is the non-profit body DoD authorized to accredit assessor organizations. No Cyber AB accreditation, no legal authority to assess. Cyber AB maintains the public list of accredited C3PAOs on its marketplace.
  2. The C3PAO assigns CCAs and CCPs to your assessment. CCAs (Certified CMMC Assessors) are the credentialed individuals who actually conduct your assessment. CCPs (Certified CMMC Professionals) support the process. A C3PAO is the organization; CCAs are the people inside it who do the work.
  3. The assessment package goes back to Cyber AB. After your assessment is complete, the C3PAO submits the results to Cyber AB for validation. This step can add weeks to the timeline.
  4. Results post to SPRS. SPRS (Supplier Performance Risk System) is the DoD portal where your certification status is recorded. Contracting officers check SPRS to verify compliance before awarding contracts that include DFARS 252.204-7021 (the Defense Federal Acquisition Regulation Supplement clause that requires CMMC compliance).

One more term to know: POA&M stands for Plan of Actions and Milestones. It is a documented list of security controls you have not yet implemented, along with your plan to implement them. C3PAOs will look at your POA&M as part of the assessment process.

The 80-vs-80,000 Problem

Cyber AB’s published marketplace showed approximately 97–103 accredited C3PAOs as of early 2026. Verify the current count at cyberab.org, as accreditations are added monthly; the count crossed 100 in early 2026.

DoD’s own regulatory impact analysis for the 32 CFR Part 170 final rule estimates that more than 80,000 defense contractors handle CUI (Controlled Unclassified Information) and will require CMMC Level 2 certification. That is a roughly 1,000-to-1 ratio of contractors to C3PAOs.

Not every C3PAO operates at national scale. Many focus on specific regions or industries. Some specialize in manufacturing, others in IT services. And each C3PAO can only schedule so many assessments per quarter based on how many credentialed CCAs it has on staff.

Phase 2 of CMMC implementation begins November 10, 2026. That is when DoD will start requiring CMMC Level 2 certification in new solicitations and options exercises at scale. Contractors who are not certified by then will not be eligible to receive those contracts.

C3PAO wait times are running 4 to 6 months from initial RFQ (request for quote) to certification. With Phase 2 starting November 2026, the last realistic window to start is approximately April to May 2026. That window is closing now.

How to Find C3PAOs Near You

The Cyber AB Marketplace is the authoritative source. Go to cyberab.org/Catalog/CMMC-Marketplace and follow these steps:

  1. Search by state. The marketplace includes a location filter. Start with your own state, then expand to neighboring states. Many C3PAOs conduct remote portions of assessments, so geography matters less than availability and price.
  2. Check active status. Look for C3PAOs listed as “Active” or “Accredited.” Some listings reflect organizations in process. You want a fully accredited C3PAO with the authority to conduct assessments today.
  3. Review their capability description. Some C3PAOs specialize in certain sectors (defense manufacturing, software, IT services). If your business is in a specific sector, look for assessors with relevant experience.
  4. Check CCA staffing. A C3PAO is only as capable as its credentialed assessors. Ask directly how many CCAs are on staff and their current availability. A C3PAO with two CCAs can only run so many concurrent assessments.
  5. Contact at least three C3PAOs. Pricing, timelines, and approach vary. Getting multiple quotes protects you from paying above market and gives you options if one firm is fully booked.

Do not limit your search to the largest or most visible names. Smaller regional C3PAOs often have better availability and are more responsive to small business clients.

The RFQ Email: What to Send

Send this email to each C3PAO on your short list. Fill in the bracketed fields with your specifics. Keep it clean and factual. C3PAOs receive a lot of vague inquiries. The more specific your email, the faster they will respond with a real quote.

Subject: CMMC Level 2 Assessment RFQ -- [Your Company Name]

Hello,

We are requesting a quote for a CMMC Level 2 assessment for [Company Name],
a [state] company providing [brief description of services] to the Department
of Defense under NAICS [your NAICS code(s)].

Key details:

- Contract type: [Prime / Subcontractor]
- Prime contractor(s): [Name if subcontractor]
- CUI scope: We handle CUI in [describe: email, files, engineering drawings, etc.]
- CMMC Level required: Level 2 (110 controls per NIST SP 800-171)
- Approximate number of employees: [number]
- IT environment: [Cloud-based / On-premise / Hybrid] -- [number] endpoints
- External service providers (MSPs, cloud platforms): [list if any]
- Current SPRS score: [score, or "not yet submitted"]
- SSP status: [Complete / In progress / Not started]
- POA&M items remaining: [number, or "none"]
- Target certification date: Before November 2026 (CMMC Phase 2)

We are requesting:
1. Your available assessment windows for Q2-Q3 2026
2. Estimated total cost (assessment only)
3. Whether you offer a pre-assessment readiness review and at what cost
4. Your CCA staffing model for an engagement of our size

We are contacting multiple C3PAOs and aim to select one within two weeks.

Please reply to [your email] or call [phone number].

Thank you,
[Your Name]
[Title]
[Company]
[Phone]

Attach your SSP (System Security Plan) table of contents or a one-page summary of your CUI environment if you have one ready. It signals that you are a serious prospect and speeds up the quoting process. Do not send your full SSP in the initial inquiry.

Five Questions to Ask Before Signing

Before you sign an engagement agreement with any C3PAO, get clear answers to these five questions. They separate prepared assessors from ones who will create problems later.

  1. How many CCAs will be assigned to our assessment, and what are their backgrounds? Ask for the specific people, not just the number. A CCA with a manufacturing background and a CCA with a software background bring different depth to different environments. You want someone who understands your work.
  2. Are you current on OSCAL submission? OSCAL (Open Security Controls Assessment Language) is the machine-readable format Cyber AB uses to receive assessment packages. C3PAOs that are not current on OSCAL tooling create delays at submission. Ask directly whether they submit via OSCAL and how long their submission-to-results timeline has been running recently.
  3. What is included in the assessment fee, and what triggers additional charges? Some C3PAOs charge a flat fee. Others charge by day or by the number of assets assessed. Get a clear scope statement. Common add-ons include travel, additional interview sessions, and POA&M review. Know what you are buying.
  4. Do you offer a pre-assessment readiness review, and do you recommend it? A pre-assessment is an informal review that identifies gaps before the formal assessment starts. Not all C3PAOs offer it. For companies that have not been through a Level 2 assessment before, it often pays for itself by reducing the number of deficiencies found during the formal assessment.
  5. What happens if we fail practices during the assessment? Ask about their process when a gap is found. Do they give you time to remediate during the assessment? What goes into the final report to Cyber AB? How do conditional certifications work? Understanding their process before you start prevents surprises mid-assessment.

Four Readiness Milestones C3PAOs Check Before Scheduling

Most C3PAOs will not schedule a formal assessment unless your business has cleared four basic readiness milestones. Trying to schedule before you hit these is a common mistake that wastes time and money.

Milestone 1: All 110 controls implemented or documented in a POA&M. NIST SP 800-171 (National Institute of Standards and Technology Special Publication 800-171) lists 110 security requirements for protecting CUI. Each control must be fully implemented or covered by a POA&M with a credible remediation date. A C3PAO will not assess what does not exist.

Milestone 2: A current SPRS self-assessment on file. Your SPRS score comes from your NIST 800-171 self-assessment. A score of 110 means all controls are implemented. A lower score is acceptable, but you need a documented self-assessment and a credible POA&M. C3PAOs want evidence that you have been tracking your own posture honestly.

Milestone 3: A documented System Security Plan. Your SSP (System Security Plan) describes how your organization protects CUI. It covers your system boundary, hardware and software inventory, user roles, and how each control is implemented. The SSP is the first document a CCA reviews. If it is not complete, the assessment cannot begin.

Milestone 4: At least one internal readiness walk-through complete. Before the formal assessment, walk through your environment against the 110 controls at least once. This catches documentation gaps and scope boundary questions that are far cheaper to fix before assessment day than after. Your C3PAO may offer a formal pre-assessment review as a paid service.

Get to all four milestones before you schedule. An assessment you enter underprepared costs the same as one you enter ready. Your probability of passing does not.

C3PAO Wait Times: Cost and Duration

Assessment cost: The 32 CFR Part 170 final rule regulatory impact analysis provides cost estimates for CMMC assessments. For small businesses, third-party assessments are estimated at $40,000 to $80,000 (estimate). That range covers the formal assessment only and excludes travel, pre-assessment reviews, and remediation support. Larger organizations with complex IT environments should expect quotes above this range.

Factors that drive quote variation:

  • Number of assets in scope (endpoints, servers, cloud instances)
  • Number of people who access CUI
  • Whether your IT environment is entirely cloud-based or includes on-premise infrastructure
  • Number of external service providers (MSPs, cloud platforms) that need to be assessed as part of your boundary
  • Geographic location and whether the assessors must travel to your site

Timeline: From the day you send your first RFQ to the day your certification posts in SPRS, plan for 4 to 6 months. That timeline breaks down roughly as follows:

  • Weeks 1-3: RFQ sent, quotes received, C3PAO selected, engagement agreement signed
  • Weeks 4-8: Pre-assessment readiness review (if conducted), SSP review, scope finalization
  • Weeks 9-16: Formal assessment conducted (on-site and remote sessions)
  • Weeks 17-24: Assessment package compiled, submitted to Cyber AB, Cyber AB review, results posted to SPRS

The Cyber AB submission-to-results step can add 4 to 8 weeks to the back end of the timeline, and that window may lengthen as Phase 2 approaches and submission volume rises. Build the buffer in now.

Frequently Asked Questions

What is the difference between a C3PAO and a CCA?

A C3PAO (Certified Third-Party Assessor Organization) is the company authorized to conduct CMMC assessments. A CCA (Certified CMMC Assessor) is the individual within that company who holds the credential to actually perform the assessment. You contract with the C3PAO. The C3PAO assigns CCAs to your engagement. Both the organization and the individuals must hold current Cyber AB credentials.

Can I do a CMMC Level 2 self-assessment instead of hiring a C3PAO?

No, not for most DoD contracts. CMMC Level 2 requires a third-party assessment by an accredited C3PAO for contracts that involve CUI on prioritized programs. Self-assessment is permitted only for CMMC Level 1 (15 practices derived from FAR 52.204-21 basic safeguarding requirements) and for a small subset of Level 2 contracts specifically designated by DoD as non-prioritized. If your contract includes DFARS 252.204-7021 with a Level 2 requirement, assume you need a C3PAO unless your contracting officer confirms otherwise.

How long is a CMMC Level 2 certification valid?

A CMMC Level 2 certification is valid for three years from the CMMC Status Date associated with the assessment under 32 CFR 170.17(a)(1) (the date Cyber AB posts the results to SPRS). After three years, you must go through a full reassessment. Annual affirmations are required in years one and two to confirm that your security posture has not materially changed since the initial assessment.

What happens if my SPRS score is below zero when I contact a C3PAO?

A negative SPRS score means your self-assessment identified deficiencies against the 110 NIST 800-171 controls. That does not disqualify you from starting the assessment process, but it does mean you have remediation work ahead. Most C3PAOs will want to see a credible POA&M and evidence that you are actively working toward full implementation before they schedule your formal assessment. A score of zero or below at the time of the formal assessment will likely result in a conditional certification or a failed assessment, depending on the nature and number of gaps.

What is OSCAL and why does it matter?

OSCAL (Open Security Controls Assessment Language) is the machine-readable format Cyber AB uses to receive assessment packages. C3PAOs current on OSCAL tooling submit faster and hit fewer processing delays. Ask any C3PAO you evaluate whether they submit via OSCAL and what their recent submission-to-results turnaround has been. It is a real differentiator on your timeline.

Can a C3PAO also help me get ready for the assessment?

Some C3PAOs offer pre-assessment readiness consulting or gap analysis as a separate service from the formal assessment. Others maintain a strict separation between consulting and assessment to avoid conflicts of interest. Ask each C3PAO you contact whether they offer readiness support, and if not, whether they can recommend a Registered Practitioner Organization (RPO) that can help you prepare. RPOs are separate from C3PAOs but also listed in the Cyber AB Marketplace.

What if I miss the Phase 2 deadline?

CMMC Phase 2 begins November 10, 2026. After that date, new DoD solicitations will require CMMC Level 2 certification. If you are not certified, you cannot bid on or perform work under those contracts. Existing contracts are not retroactively terminated, but options exercises and modifications may trigger the requirement. The sooner you start, the more schedule buffer you have.


New to the CMMC process? Start with CMMC Certification for Small Businesses for a complete breakdown of what certification costs and requires. Two companion guides are coming: one covering the full Phase 2 timeline contract by contract, and one breaking down every CMMC Level 2 cost line item for small businesses.

Written by Josef Kamara

CPA, CISSP, CISA. Former Big Four auditor (KPMG, BDO). Specializing in government contracting compliance, cybersecurity, and audit readiness.
