CMMC Level 2 Readiness: A 6–8 Month Preparation Roadmap for Defense Contractors

This article includes insights from our Director of Information Security, Brian Brunelle, who leads CMMC readiness engagements for defense contractors. He works directly with executive teams, IT, and security stakeholders to define CUI scope, remediate control gaps, and prepare organizations for C3PAO assessment.

Beginning in Q4 2026, many Department of Defense (DoD) contracts will require a formal CMMC Level 2 certification performed by a C3PAO. For defense contractors handling Controlled Unclassified Information (CUI), that means implementing and validating all 110 security requirements from NIST SP 800-171 R2 and proving compliance during an independent assessment.

Many defense contractors are now realizing that they are behind on achieving CMMC compliance. Most contractors need 6–8 months to prepare for CMMC Level 2 certification. Preparation includes defining CUI scope, conducting a structured gap assessment against NIST SP 800-171 R2, implementing technical and procedural controls, collecting evidence, and preparing for an independent C3PAO audit.

If you’re behind or just getting started, it can feel overwhelming. That’s why this guide breaks the CMMC Level 2 readiness process into clear, timeline-based phases. Each phase includes expert insights on what to watch for from Brian Brunelle, GraVoc’s Director of Information Security, who works hands-on with our defense clients preparing for CMMC.

Wherever you are in your CMMC Level 2 compliance process, this readiness guide will help you prioritize the right actions and reduce the risk of losing DoD business.

If you're still determining which CMMC level applies to your contracts, review our guide to CMMC levels and requirements.

Weeks 1–4: Define CUI scope and ownership

Before evaluating controls, you need structural clarity.

Start with three questions:

  • Who owns CMMC readiness internally?
  • What systems are in scope?
  • How is Controlled Unclassified Information (CUI) handled?

Defining the CUI Boundary

This phase is about clearly understanding:

  • Where CUI is stored
  • How it moves
  • Which systems process or transmit it
  • Which vendors connect to it

Reducing scope can reduce assessment complexity, but only if the boundary is defensible.

Confirm In-Scope Platforms and Providers

You should also validate:

  • SaaS, IaaS, and PaaS environments
  • Managed service providers
  • Security tooling dependencies
  • Assumed shared responsibility divisions

Many readiness issues later trace back to early cloud assumptions that were never validated.

By the end of this phase, you should have:

  • A named CMMC program owner
  • A documented CUI boundary
  • A confirmed inventory of in-scope systems

Insights from our Director of Information Security, Brian Brunelle

  • While there will be a CMMC program owner, you will need coordination across departments and business functions. CMMC involves IT/technical security, physical security, personnel security, vendor/third-party risk management, and development teams (if applicable). You should assign a team with the requisite skill set and institutional knowledge to support the CMMC effort.
  • Be mindful of setting CUI scope/boundaries. Be intentional about defining your CUI boundary. Implementing CMMC company-wide may not be the most efficient path depending on your business operations. Reducing scope, when defensible, can lower cost and complexity.

Weeks 5–8: Conduct a CMMC gap assessment

Most organizations believe they’re ‘mostly compliant.’

A structured gap assessment typically reveals a more nuanced picture.

This phase evaluates your environment the way a C3PAO will — not whether controls exist, but whether they operate consistently and can be defended under scrutiny.

A Strong Gap Assessment Asks:

  • Is the control functioning as intended?
  • Does documentation reflect reality?
  • Are processes repeatable or dependent on key individuals?
  • Can objective evidence be produced quickly?

Cloud Shared Responsibility Review

If you use cloud services, this becomes critical.

You must clearly define:

  • What the provider is responsible for
  • What remains your responsibility
  • What documentation supports that division

Align the System Security Plan (SSP)

Your SSP must describe what is implemented today.

One of the most common findings in readiness reviews is documentation that reflects intended state, not operational reality.

By the end of this phase, you should have:

  • A realistic view of readiness gaps
  • A prioritized remediation roadmap
  • Clear responsibility boundaries
  • An SSP aligned with the environment

If you’re unsure whether your current scope or documentation would hold up under assessment conditions, this is typically the point where an external readiness review adds significant value.

Insights from our Director of Information Security, Brian Brunelle

Be mindful of any CUI stored in third-party managed or hosted apps. You will have to account for the vendor risk as well as ensure safeguards around the CUI are maintained, regardless of where the data lives.

Weeks 9–12: Early remediation and architecture decisions

With gaps identified, remediation begins.

Leadership should be asking:

  • Is the current architecture viable for Level 2?
  • Does CUI need further segmentation?
  • Are layered controls sufficient — or is redesign required?
  • Is a platform change justified?

Delaying architectural decisions often leads to rework later.

Early Remediation Typically Focuses On:

  • MFA enforcement consistency
  • Logging enablement and retention
  • Configuration hardening
  • Access governance formalization
  • Policy updates that match how the environment actually operates

Evidence collection should begin here, not during assessment week.

Insights from our Director of Information Security, Brian Brunelle

  • Integrate control enhancements thoughtfully into existing business processes. Avoid the mindset that “security is a barrier.” With CMMC, information security enables your organization to operate—it must align with and support operations. Strike the right balance between technical and procedural controls to achieve the desired operational state.
  • Ensure there is clear, auditable evidence that each control operates as intended. A policy stating that a control exists is not enough. Identify the specific sources of evidence and confirm that documentation is available to substantiate control statements.

Weeks 12–20: Continue remediation and select a C3PAO

Once scope is stable and remediation is progressing, it’s time to prepare for assessment scheduling. C3PAO lead times can affect certification timelines, so early research matters.

On the Assessment Side:

  • Identify authorized Level 2 assessors
  • Confirm experience with environments similar to yours
  • Understand documentation expectations
  • Evaluate scheduling availability

Internally, continue:

  • Closing moderate-risk gaps
  • Validating vendor-provided evidence
  • Finalizing shared responsibility documentation
  • Re-testing controls as they mature

Insights from our Director of Information Security, Brian Brunelle

Ensure you give enough lead time to fully remediate all gaps. Staff need time to adjust to new technical controls and to fully implement new procedural controls. Your CMMC team may have multiple change initiatives happening concurrently, while keeping up with existing job duties. Set realistic timelines and ensure you have the appropriate support available.

Weeks 21–24: Evidence validation and interview preparation

CMMC assessments validate controls through:

  • Documentation
  • Interviews
  • Technical observation

All three carry equal weight.

At this stage, you should be:

  • Spot-checking evidence
  • Testing live log retrieval
  • Validating SSP-to-environment alignment
  • Preparing control owners for interviews

Insights from our Director of Information Security, Brian Brunelle

CMMC is an ongoing effort; ensure control owners understand their recurring responsibilities.

Weeks 25–28: Mock audit and final assessment scheduling

Before formal assessment, many organizations conduct a mock audit.

This simulates real conditions and stress-tests:

  • Evidence retrieval
  • Documentation accuracy
  • Operational consistency
  • Responsibility assumptions

Nearly every mock audit uncovers at least one issue that would have resulted in a formal finding. This is also when assessment dates are finalized and final remediation adjustments are made.

Weeks 29–32: Final preparation and CMMC assessment execution

Preparation includes:

  • Locking documentation versions
  • Confirming evidence currency
  • Rehearsing high-risk interview areas
  • Aligning executive messaging

If the prior phases were handled deliberately, assessment week should feel controlled.

Insights from our Director of Information Security, Brian Brunelle

If prior phases are executed fully, this should be the easiest step in the process as the CMMC program will be functioning as designed and individuals are cognizant of their responsibilities.

CMMC 2.0 Level 2 FAQ

How long does CMMC Level 2 preparation take?

Most organizations require 6–8 months to prepare for CMMC Level 2. Timelines depend on CUI scope, architectural complexity, and current alignment with NIST SP 800-171.

Is CMMC Level 2 required for all DoD contractors?

No. Level 2 applies to contractors that store, process, or transmit Controlled Unclassified Information (CUI) for the Department of Defense. Contractors without CUI may only require Level 1.

What happens if we fail a CMMC Level 2 assessment?

Certification is withheld until gaps are remediated. Delays can affect eligibility for certain DoD contract awards, which is why many contractors conduct a readiness or gap assessment first.

Need Help Accelerating Your CMMC Level 2 Readiness?

Whether you need a gap assessment or hands-on remediation support, our comprehensive CMMC readiness services can help reduce audit risk and uncertainty around compliance scope.