The Math Does Not Work
The Cyber AB (formerly the CMMC Accreditation Body) has authorized approximately 100 C3PAOs — Certified Third-Party Assessor Organizations — to conduct CMMC Level 2 assessments. The Defense Industrial Base (DIB) includes roughly 80,000 organizations that handle CUI and will eventually need Level 2 certification.
Each C3PAO assessment takes 1-3 weeks of on-site and documentation review work, depending on organization size and scope. Even assuming every C3PAO operates at maximum throughput, the capacity to certify the entire DIB does not exist within any reasonable timeframe.
This is not speculation. It is arithmetic.
What the Bottleneck Looks Like Right Now
As of Q1 2026, the situation is:
- Wait times for C3PAO assessments are 12-18+ months from initial engagement to final report
- Assessment costs range from $75,000 to $150,000+ for mid-size manufacturers, depending on scope complexity and number of sites
- Assessor availability is concentrated among the largest C3PAOs, creating uneven geographic coverage
- Small and mid-size manufacturers are disproportionately impacted — they lack the procurement leverage to jump the queue
| Factor | Current Reality (Q1 2026) |
|---|---|
| Authorized C3PAOs | ~100 |
| DIB organizations needing Level 2 | ~80,000 |
| Average assessment duration | 1-3 weeks |
| Typical wait time (engagement to report) | 12-18+ months |
| Assessment cost (mid-size manufacturer) | $75,000 - $150,000+ |
| Assessment cost (small manufacturer, single site) | $40,000 - $75,000 |
| Maximum POA&M allowance | 20% of objectives, 180-day close-out |
The Cyber AB is working to authorize more C3PAOs and certified assessors, but accrediting new assessor organizations is itself a multi-month process. The bottleneck will not clear before the October 2026 Phase 2 deadline.
What This Means for Small Manufacturers
If you are a 50-person machine shop making precision parts for a defense prime, you face a specific set of problems:
- You cannot self-assess your way out. Phase 2 requires C3PAO certification for contracts involving CUI. Self-assessment is only sufficient for Level 1 (FCI only) or the limited category of non-critical Level 2 programs.
- You are competing with larger contractors for assessor time. A Tier 1 defense contractor with $500M in annual DoD revenue gets priority over a $5M subcontractor. That is how procurement works.
- Assessment costs are a significant percentage of your revenue. A $100K assessment bill against $5M in annual revenue is 2%. Against a $1M subcontract, it is 10%.
- Your prime is going to ask. Starting in Phase 2, primes will require proof of CMMC certification from their supply chain. If you cannot show it, they will find a supplier who can.
How to Use the Waiting Period
The wait for your C3PAO assessment is not dead time. It is your remediation window. The worst outcome is getting to the front of the queue and failing the assessment — that resets the clock and doubles the cost.
Here is how to use the 12-18 months productively:
Step 1: Define Your CUI Boundary
Map every system, network segment, and physical location that stores, processes, or transmits CUI. This is the single most impactful decision in your CMMC program because it determines the assessment scope.
A smaller, well-defined boundary means:
- Fewer controls to implement
- Fewer systems to document
- Lower assessment cost
- Faster assessment timeline
Isolating CUI into a defined enclave — rather than letting it flow across your entire network — is both a security best practice and a cost optimization.
Step 2: Close the Hard Gaps First
Do not start with the easy controls. Start with the ones that take the longest to implement:
- Network segmentation between IT and OT environments (SC.L2-3.13.1)
- Least-privilege access on remote access paths into OT (AC.L2-3.1.5)
- Audit logging across all systems in the CUI boundary (AU.L2-3.3.1)
- Multi-factor authentication for all remote and privileged access (IA.L2-3.5.3)
These controls require infrastructure changes, procurement, and operational coordination. They take months, not days.
For OT environments specifically, deploying a zero-trust network appliance addresses multiple controls simultaneously — segmentation, access control, session logging, and traffic monitoring from a single device — all without requiring agents on industrial equipment.
Step 3: Build Your Evidence Package
Assessors do not take your word for it. Every control requires documented evidence. Start building this now:
- System Security Plan (SSP) — the master document describing your CUI environment and how each control is implemented
- Network diagrams showing segmentation boundaries, data flows, and access points
- Configuration screenshots proving controls are active (firewall rules, access control lists, MFA configurations)
- Log samples demonstrating audit events are being captured and retained
- Policy documents for access control, incident response, media protection, and all other control families
Step 4: Run a Mock Assessment
Hire a Registered Practitioner Organization (RPO) or an experienced CMMC consultant to conduct a mock assessment against the full CMMC Level 2 assessment guide. This is different from a gap assessment:
- A gap assessment tells you what is missing
- A mock assessment simulates the actual C3PAO process and evaluates whether your evidence is sufficient
The mock assessment will uncover documentation gaps, misconfigured controls, and scope issues before you pay $100K for the real thing.
Step 5: Engage Your C3PAO Early
Do not wait until you are "ready" to contact a C3PAO. Given current wait times, you should:
- Identify 2-3 C3PAOs with availability in your target timeframe
- Request proposals and understand their assessment methodology
- Schedule a pre-assessment consultation (many C3PAOs offer this)
- Book your assessment window — even if it is 12+ months out
Pre-Assessment Readiness Checklist
Before your C3PAO walks in the door, verify every item:
| Category | Readiness Check | Status |
|---|---|---|
| Scope | CUI boundary documented and diagrammed | ☐ |
| Scope | Asset inventory complete for all in-scope systems | ☐ |
| SSP | System Security Plan covers all 110 controls | ☐ |
| SSP | Each control has implementation description and evidence reference | ☐ |
| Network | Segmentation enforced between IT, OT, and CUI enclave | ☐ |
| Network | Default-deny firewall rules at all boundary points | ☐ |
| Access | MFA enabled on all remote and privileged access | ☐ |
| Access | Individual accounts (no shared credentials) on all CUI systems | ☐ |
| Logging | Centralized log collection from all in-scope systems | ☐ |
| Logging | Log retention meets 90-day minimum (365 recommended) | ☐ |
| Incident Response | IR plan documented, tested within last 12 months | ☐ |
| Physical | Physical access controls documented for all CUI locations | ☐ |
| POA&M | Any open items limited to ≤20% of objectives | ☐ |
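As an added example (not part of the article), a small Python check of the two POA&M limits cited in the table and the checklist above: open items may be at most 20% of assessment objectives, and each must close within 180 days of the assessment date. The data model, objective identifiers and sample dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

POAM_MAX_FRACTION = 0.20   # article: at most 20% of objectives may sit on the POA&M
POAM_MAX_DAYS = 180        # article: POA&M items must close within 180 days

@dataclass
class Objective:
    """One assessment objective (hypothetical model; identifiers are constructed)."""
    objective_id: str
    met: bool
    poam_close_by: Optional[date] = None   # required only when met is False

def check_poam(objectives, assessment_date):
    """Return (ok, findings): ok is True only when both POA&M rules hold."""
    findings = []
    if not objectives:
        return False, ["no assessment objectives recorded"]
    open_items = [o for o in objectives if not o.met]
    fraction = len(open_items) / len(objectives)
    if fraction > POAM_MAX_FRACTION:
        findings.append(f"{len(open_items)}/{len(objectives)} objectives open "
                        f"({fraction:.0%}) exceeds the 20% POA&M allowance")
    deadline = assessment_date + timedelta(days=POAM_MAX_DAYS)
    for o in open_items:
        if o.poam_close_by is None:
            findings.append(f"{o.objective_id}: NOT MET but has no close-out date")
        elif o.poam_close_by > deadline:
            findings.append(f"{o.objective_id}: close-out {o.poam_close_by} is past "
                            f"the 180-day limit ({deadline})")
    return not findings, findings

# Constructed sample: ten objectives assessed on 2026-03-02, two of them open.
SAMPLE_DATE = date(2026, 3, 2)
SAMPLE = [Objective(f"3.1.{i}[a]", met=True) for i in range(1, 9)] + [
    Objective("3.13.1[a]", met=False, poam_close_by=date(2026, 6, 30)),  # within 180 days
    Objective("3.5.3[a]", met=False, poam_close_by=date(2026, 12, 1)),   # past the limit
]

def run_sample():
    """Evaluate the constructed sample; expect one finding (the late close-out)."""
    return check_poam(SAMPLE, SAMPLE_DATE)

if __name__ == "__main__":
    ok, findings = run_sample()
    print("PASS" if ok else "FAIL")
    for finding in findings:
        print(" -", finding)
```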
The Bottom Line
The C3PAO bottleneck is real and will not resolve before Phase 2 goes live. You cannot control when your assessment happens, but you can control how ready you are when it does.
Schedule your C3PAO now. Use the wait time to build a defensible CUI boundary, close your hardest technical gaps, and assemble an evidence package that leaves no room for ambiguity. If you also operate in the EU, consider building one compliance architecture that satisfies both CMMC and NIS2. The manufacturers who treat the waiting period as their implementation window will pass on the first attempt. The ones who wait until the assessment is booked to start working will fail — and go to the back of the line.