Phase 2 Begins November 10, 2026

Start CMMC Level 2 Readiness Now

For defense manufacturers, aerospace suppliers, machine shops, and other Defense Industrial Base contractors that need onsite, hands-on readiness work before the assessor arrives.

Call to Start · 802-335-2662

The clock is real. Phase 2 of the CMMC implementation rule begins on November 10, 2026, and from that date forward, the Department of Defense intends to include Level 2 C3PAO assessment requirements in applicable solicitations and contracts as a condition of award. Contractors that handle Controlled Unclassified Information and want to compete for covered defense work need to be assessment-ready before the requirement appears on a contract they care about.

Most contractors who reach this page have already done the reading. The question is no longer what CMMC is. The question is what has to be done inside the actual environment, on the actual production floor, before a Third Party Assessment Organization arrives. That is the work this practice does.

The Capacity Problem
There are not enough C3PAOs to assess every contractor at once.

Federal oversight and industry reporting have both raised concerns about assessment capacity, contractor readiness, and the ability of the ecosystem to absorb a large wave of Level 2 certification activity. The practical takeaway is straightforward. Contractors that finish readiness work earlier will be in a stronger position to schedule a C3PAO before the assessment market becomes crowded. Work started in mid-2026 has more scheduling room. Work delayed into 2027 may have to compete against a crowded assessment calendar.

What Waiting Costs

Every contractor reaches CMMC readiness on a timeline determined by three factors: how complete the existing IT and security posture is, how clearly the boundary of CMMC scope has been defined, and how quickly leadership can mobilize the work across IT, operations, and quality. For many mid-sized defense manufacturers and aerospace suppliers with an existing managed service provider relationship and a partial security baseline, the readiness path can take many months and, in complex environments, may stretch beyond a year. The timeline depends on scoping, remediation, documentation maturity, MSP involvement, and C3PAO scheduling capacity. Companies that begin the work in mid-2026 have room on the calendar. Companies that begin in late 2026 or 2027 may find that calendar much tighter.

The cost of waiting compounds in three directions. Contracts that require a current Level 2 certification will go to suppliers that already hold one. Primes that flow CMMC requirements down to subcontractors will discontinue work with suppliers that cannot demonstrate compliance. Companies that submitted SPRS scores under the older self-attestation regime now face False Claims Act exposure if those scores do not match the actual environment, and the MORSECORP settlement of 2025 confirmed that the exposure is real.

What Is At Stake

Contract eligibility. A contractor without a current Level 2 certification cannot be awarded a contract that requires it. The certificate is not optional, not negotiable, and not retroactive.

Supply chain position. Primes will not flow CUI to subs that cannot demonstrate handling capability. Losing supplier status means losing the work entirely.

False Claims Act exposure. An inaccurate SPRS score that supported a contract award is a material misrepresentation. Whistleblower actions and DoJ enforcement are now active in this space.

What This Practice Does

The work is onsite. A CyberAB Registered Practitioner Advanced walks the facility, examines the actual configuration of in-scope systems, reviews how the managed service provider and external service providers fit into the assessment scope, reconciles the SPRS score against the underlying assessment object inventory, identifies where Controlled Unclassified Information actually moves through the operation, and prepares the company and its staff for what an assessor will examine. The deliverable is an organized assessment evidence structure, a corrected System Security Plan, an updated POA&M where applicable, and the operational readiness needed to support a serious C3PAO assessment effort.

The work does not include software resale, GRC tool licensing, or compliance theater. A platform can help organize tasks and evidence, but it cannot walk the facility, interview staff, identify where CUI actually moves, or prepare the team for what an assessor will examine. The work also does not include the C3PAO assessment itself, which is performed by certified assessor organizations as a separate function within the CMMC ecosystem.

How an Engagement Starts

1. Initial Conversation

A thirty-minute discussion to understand your contracts, the data your company handles, the current state of the IT environment, and the timeline driving the work. By phone or video. Without charge.

2. Scoping Visit

A focused onsite diagnostic at your facility to confirm the boundary of CMMC scope, identify the most material gaps, and produce a written engagement description with timeline, deliverables, and cost. Typically one or two days onsite.

3. Readiness Engagement

The full readiness program runs from scope confirmation through documentation, remediation, evidence collection, and pre-assessment validation. Engagement duration depends on starting posture, scope complexity, and the pace at which the company can absorb the work. The objective is the same in every case. Walk into the C3PAO assessment knowing what the assessor will see and confident that the environment supports the score.

The First Conversation Is the One That Matters

It takes thirty minutes, it is conducted by phone or video, and it produces a clear answer about whether a readiness engagement is appropriate for your company and what the realistic path forward looks like.


Who Should Make the Call

The contractors who benefit most from beginning now share one or more of the following situations. A prime contractor has asked about CMMC status in a recent communication, and the question now needs an answer. The company handles drawings, technical data, specifications, or other Controlled Unclassified Information, and the boundary of what falls inside CMMC scope has not been defined. An SPRS score has been submitted or is being prepared, and there is uncertainty about whether the score reflects the actual environment. A managed service provider has recommended a GRC platform, but leadership is not yet sure what specifically needs to be implemented or fixed. A C3PAO assessment is on the horizon, and the company wants to address known gaps before the assessor walks in.

If any of these describes your situation, the time to call is now. The contractors who finish readiness work earlier will book assessment time earlier. The ones who delay will work the same scope on a tighter schedule with fewer C3PAO options.

Engagement Structure and Rates

Engagements are normally structured as time and materials, with fixed-fee arrangements available for well-defined scopes such as a focused readiness diagnostic. Onsite readiness and implementation work is billed at $400 per hour, with travel billed at actual cost. Offsite work, including documentation review and remote consultation, is billed at $325 per hour. These rates reflect practitioner-led CMMC Level 2 readiness work, not software resale, template delivery, or generic advisory support.

The first conversation is without charge. Its purpose is to determine whether the situation calls for a focused diagnostic, a targeted remediation effort, or a broader readiness engagement.

Begin the Conversation Today

The first thirty minutes determine whether a readiness engagement is appropriate, what shape it should take, and how soon the work should begin. The conversation is direct, practitioner-to-executive, and without charge. The phone is the fastest path. Email works as well.

David W. Koran, CyberAB Registered Practitioner Advanced
David Koran & Associates  ·  davidkoran.com