The clock is ticking. Contractual enforcement of CMMC begins November 10, 2025, when Phase 1 of the phased rollout lets DoD start writing CMMC requirements into solicitations. If you handle CUI on DoD contracts, that is not a future problem; it is a today problem. Most DIB contractors need 12-18 months to reach Level 2 certification readiness, which means companies starting now are already cutting it close.
Here’s what many contractors miss: CMMC isn’t just about passing an assessment. It’s about fundamentally restructuring how you handle defense data. The typical Level 2 preparation timeline tells the story:
Months 0-2: You’re not implementing controls yet, you’re figuring out what CUI you actually have. Contract analysis, data flow mapping, and rapid gap assessments reveal the true scope. Most companies discover CUI in places they never expected: email attachments, shared drives, even personal devices. Your initial System Security Plan (SSP) captures this reality.
Months 2-8: The heavy lifting begins. Identity hardening with multi-factor authentication and separation of admin from user accounts. A vulnerability management cadence. Encryption of CUI at rest and in transit (FIPS-validated modules, not just "encryption enabled"). Backup and restore procedures that are actually exercised. Each of the 110 NIST SP 800-171 Rev. 2 requirements that make up Level 2 needs not just implementation but documented procedures and the evidence an assessor can examine, interview about, or test.
Months 9-12: Validation and evidence preparation. This is not paperwork; it is proving your controls work under scrutiny. Pre-assessment checks, SSP finalization, and POA&M closure for any remaining gaps.
The POA&M Reality Check
The January 2026 FAQ clarifies what experienced consultants already knew: critical requirements cannot be deferred to POA&Ms. These must be fully implemented before certification. The Level 2 POA&M rules in 32 CFR Part 170 are narrow: you must still score at least 88 of 110, no practice worth more than one point may be deferred (CUI encryption is the one carve-out, and only where non-FIPS-validated encryption is already in place), a handful of access-control and physical-protection practices cannot be deferred at all, and the result is a conditional status that lapses unless every POA&M item is closed and reassessed within 180 days. Limited POA&Ms may be permitted for non-critical practices, but treating them as your primary strategy is planning to fail.
Cloud Complications
If you use cloud services to process, store, or transmit CUI, add complexity. Each such service must hold a FedRAMP Moderate (or higher) authorization or meet the DoD's FedRAMP Moderate equivalency requirements, and you inherit only the controls the provider actually documents for you. The choice between Microsoft GCC and GCC High is not just technical; it is about data residency, compliance inheritance, and contractual alignment. GCC High is the sovereign, US-persons-only environment, so if any of your CUI is export-controlled (ITAR) or your DFARS 252.204-7012 flow-downs require it, GCC is not an option. Making the wrong choice early means an expensive tenant migration later.
Scoping: Your First Make-or-Break Decision
Effective scoping starts with data, not systems. The CMMC Scoping Guide, Level 2 emphasizes identifying all CUI touchpoints before defining your assessment boundary. Every asset that processes, stores, or transmits CUI, or that could, must be placed in one of the guide's categories: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, or Out-of-Scope Assets. Only assets that are physically or logically separated from CUI assets are truly out of scope; an asset that merely doesn't happen to hold CUI today is still in the boundary.
The companies that succeed segment early, creating isolated CUI enclaves that minimize their assessment scope without compromising operations. Those that don't face far higher costs and complexity, because every connected system that could touch CUI is assessed as if it does.
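The categorization above is a decision procedure, and writing it down as one catches the scoping assumptions that collapse under an assessor's questions. The following is an added example, not code from this page's author or from the CMMC program; the precedence order is one reading of the Level 2 Scoping Guide (specialized kinds first, then CUI, security protection, separation, policy barrier), and the inventory, asset names, and attribute fields are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Category(str, Enum):
    CUI = "CUI Asset"
    SPA = "Security Protection Asset"
    CRMA = "Contractor Risk Managed Asset"
    SPECIALIZED = "Specialized Asset"
    OOS = "Out-of-Scope"


# Specialized Asset kinds named in the Level 2 Scoping Guide.
SPECIALIZED_KINDS = {"gfe", "iot", "ot", "restricted_is", "test_equipment"}


@dataclass
class Asset:
    """Hypothetical inventory record; field names are this example's own."""
    name: str
    kind: str = "general"              # "general" or one of SPECIALIZED_KINDS
    handles_cui: bool = False          # processes, stores or transmits CUI
    protects_scope: bool = False       # provides security functions to in-scope assets
    policy_prevents_cui: bool = False  # could handle CUI, but policy/procedure/practice prevents it
    separated: bool = False            # physically or logically separated from all CUI assets


def categorize(a: Asset) -> Category:
    """Apply the Scoping Guide categories in precedence order."""
    if a.kind in SPECIALIZED_KINDS:
        return Category.SPECIALIZED
    if a.handles_cui:
        return Category.CUI
    if a.protects_scope:
        return Category.SPA
    if a.separated:
        return Category.OOS
    if a.policy_prevents_cui:
        return Category.CRMA
    # Connected, no CUI today, no policy barrier: nothing stops CUI landing here,
    # so it is assessed as a CUI Asset until it is segmented or a policy barrier exists.
    return Category.CUI


def inventory_findings(assets):
    """Return scoping assumptions that would not survive a C3PAO's questions."""
    findings = []
    for a in assets:
        if a.separated and a.handles_cui:
            findings.append(f"{a.name}: claimed separated but handles CUI; not Out-of-Scope")
        if a.separated and a.protects_scope:
            findings.append(f"{a.name}: protects in-scope assets, so it cannot be Out-of-Scope")
        if a.kind == "general" and not (a.handles_cui or a.protects_scope
                                        or a.policy_prevents_cui or a.separated):
            findings.append(f"{a.name}: connected with no policy barrier; "
                            "segment it or assess it as a CUI Asset")
    return findings


def assessment_scope(assets):
    """Group assets by category; everything except Out-of-Scope is in the boundary."""
    scope = {c.value: [] for c in Category}
    for a in assets:
        scope[categorize(a).value].append(a.name)
    return scope


# Constructed inventory: the kind of picture a months 0-2 discovery produces.
INVENTORY = [
    Asset("enclave-fileserver", handles_cui=True),
    Asset("m365-gcch-exchange", handles_cui=True),
    Asset("entra-id", protects_scope=True),
    Asset("siem-collector", protects_scope=True),
    Asset("marketing-laptop-7", policy_prevents_cui=True),
    Asset("cnc-mill-controller", kind="ot"),
    Asset("guest-wifi-vlan", separated=True),
    # Discovery found CUI on a share that was assumed to be separated.
    Asset("shared-drive-legacy", separated=True, handles_cui=True),
    Asset("dev-jumpbox"),
]

if __name__ == "__main__":
    for category, names in assessment_scope(INVENTORY).items():
        print(f"{category}: {', '.join(names) or '-'}")
    for finding in inventory_findings(INVENTORY):
        print("FINDING:", finding)
```

Run as written, the legacy share lands in the CUI Asset bucket despite its "separated" label, and the jump box is flagged because nothing but habit keeps CUI off it; both are the kind of surprise the text warns about, and both are cheaper to find in a spreadsheet than in an assessment.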
The Bottom Line
November 10, 2025 is not a deadline in itself; it is the date contracts can start requiring CMMC status as a condition of award. Given the 12-18 month preparation timeline, contractors who hadn't started their gap assessment by early 2025 risk losing eligibility for the first CMMC-conditioned awards.
The worst time to discover you’ve scoped incorrectly or underestimated your CUI footprint? During a C3PAO assessment. Before you commit resources to remediation, validate your assumptions about what data you have and where it lives. That clarity shapes everything that follows.
Don't get to Phase 1 and realize your entire approach needs rethinking. If you're unsure whether your current understanding of CUI scope will survive assessment scrutiny, now is the time to verify, not after you've built your compliance program on shaky foundations. Start with a scoping conversation at simplafi.us.