Home > CMMC

Don’t Let CMMC Hold Up Your Contracts.

Countdown to Mandatory C3PAO Assessments for Many DoD Contracts

00
Days
00
Hours
00
Minutes
00
Seconds

Phase 2: Effective November 10, 2026

CMMC Readiness and Certification can take from 3-12+ Months, depending on RPO & C3PAO Availability

CMMC compliance is no longer optional, it’s becoming a contractual prerequisite. As the Cybersecurity Maturity Model Certification (CMMC) framework advances through its formal rulemaking stages, contractors across the Defense Industrial Base must align with escalating requirements to retain DoD contract and certain Federal Grant eligibility. 

August Schell Enterprises is an Authorized CMMC Third-Party Assessment Organization (C3PAO) and Registered Practitioner Organization (RPO). August Schell provides unified, expert-led, and cost-controlled support from initial preparation—whether you’re targeting Level 1, Level 2, or Level 3 certification and beyond with CMMC-Aligned Managed Services. 

Elevate your Cybersecurity postures with CMMC Compliance:

Contact the August Schell CMMC Team
Schedule a Consultation

CMMC Rulemaking Status and Implementation Timeline

On September 10, 2025, the Department of Defense published the Final Rule for the Cybersecurity Maturity Model Certification (CMMC) program in the Federal Register, codifying it into the Defense Federal Acquisition Regulation Supplement (DFARS) under 48 CFR 204.75 and DFARS Clause 252.204-7021. The rule becomes effective on November 10, 2025.

To support adoption across the Defense Industrial Base (DIB), DoD is implementing a four-phase rollout:

Phase 1: Begins November 10, 2025
Key Actions:
DoD may include CMMC Level 1 or Level 2 self-assessments in new solicitations and awards.
Contractors must submit self-assessment scores and an annual affirmation of compliance in the Supplier Performance Risk System (SPRS). ***Even if assessed & certified by a C3PAO for Level 2***
This phase supports gradual onboarding while enabling award eligibility for contractors demonstrating minimum compliance.
Phase 2: Begins November 10, 2026
Key Actions:
DoD begins requiring CMMC Level 2 certification by a C3PAO for select solicitations involving Controlled Unclassified Information (CUI).
All Level 2 certifications must be current (within 3 years) and validated in SPRS before award.
Phase 3: Begins November 10, 2027
Key Actions:
CMMC certification becomes a requirement to exercise option periods or extensions on contracts awarded after November 2025.
Level 3 certifications, conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), begin appearing in high-priority and high-risk DoD programs.
Phase 4: Begins November 10, 2028
Key Actions:
Full enforcement of CMMC across all applicable DoD contracts and subcontracts.
All certifications must be valid (not more than 3 years old) and maintained for the life of the contract.
Level 3 enforcement becomes standard for select mission-critical acquisitions.

Start Your CMMC Journey with Confidence

August Schell is both a Registered Practitioner Organization (RPO) and an authorized Certified Third-Party Assessment Organization (C3PAO)—providing end-to-end expertise from readiness through certification.
Whether you are beginning your compliance journey or preparing for a formal assessment, our team delivers structured, audit-ready guidance aligned to CMMC and DoD expectations.
Getting Started
How do I get started with CMMC compliance?
Start by identifying whether your organization handles FCI or CUI and what CMMC level is required by your contracts. From there, a structured approach includes:
  • Scoping and boundary definition
  • Readiness assessment
  • Gap analysis
  • Remediation and documentation
  • Assessment preparation
An RPO supports preparation, while a C3PAO performs the formal certification assessment.

Take the next step toward certification with a team built for both preparation and assessment.
Contact the August Schell CMMC Team
Schedule a Consultation

The August Schell Difference

Prepare → Certify → Sustain
At August Schell, we go beyond advisory services—delivering a structured, end-to-end approach that reduces risk, controls cost, and builds a repeatable, sustainable capability that supports certification today and mission success long after. 
Designed for Outcomes, Not Just Compliance 
We go beyond checklists—aligning CMMC with Mission Assurance so your environment is secure, resilient, and ready for real-world demands.
Integrated Across the Full Lifecycle 
From preparation to certification to sustainment, we deliver a seamless lifecycle approach that accelerates your path forward and ensures continuity across every phase. 
Cost Control You Can Trust 
Our flexible, credit-based or subscription model provides predictable costs, scalable support, and full transparency—no surprises. 
Real-World, Auditor-Ready 
We build practical, defensible solutions—from SSPs, policies, and secure enclaves—designed to stand up to both assessors and operational demands. 
Aligned to Your Mission and Growth 
We help you achieve certification faster, reduce operational risk, and strengthen your position as a trusted partner. 

CMMC Compliance Services

End-to-End Readiness. Built for Assessment.

Achieving CMMC compliance requires more than implementing controls—it requires defensible evidence, accurate scoping, and alignment with assessor expectations.

August Schell delivers end-to-end CMMC support aligned to both RPO advisory services and C3PAO assessment methodologies, helping organizations move from uncertainty to certification with confidence.

Designed for compliance. Validated for assessment…

Registered Provider
Organization (RPO)
Organizations managing Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) can benefit from a dedicated secure enclave built to meet federal cybersecurity requirements.
Our RPO advisory team guides the design and implementation of enclave architectures aligned with NIST SP 800-171 security standards.
Certified Third-Party
Assessment Organization
(C3PAO)
As an authorized CMMC Certified Third-Party Assessment Organization (C3PAO), August Schell conducts independent certification assessments for organizations pursuing CMMC Level 2 compliance. Our certified assessors perform formal evaluations based on NIST SP 800-171 security requirements and CMMC assessment procedures, ensuring your environment meets Department of Defense cybersecurity standards.

CMMC Frequently Asked Questions

CMMC Levels & Requirements
How do I know which CMMC level I need?
The required level is defined in the contract solicitation:
Level 1: FCI only (self-assessment)
Level 2: CUI (self or C3PAO assessment)
Level 3: Advanced threats (government-led)
The requirement is driven by data type, not organization size.
What is the relationship between CMMC and NIST SP 800-171?
CMMC Level 2 directly assesses the 110 controls in NIST SP 800-171 Rev. 2, verifying that they are:
Implemented
Operationalized
Supported by objective evidence
Readiness & Preparation
What is a CMMC readiness assessment?
A readiness assessment evaluates your current posture against CMMC requirements, identifying:
Control implementation status
Gaps and risks
Scoping accuracy
This is advisory and not a certification.
What documentation is required for a CMMC assessment?
Key artifacts include:
System Security Plan (SSP) (required)
Policies and procedures
Evidence of control implementation
POA&M (if applicable)
An incomplete SSP can prevent a valid assessment.
Can we pass with a POA&M?
Yes, with limitations:
Must meet minimum scoring thresholds
Certain controls cannot be deferred
All POA&Ms must be closed within 180 days
Failure to close results in loss of certification status.
Assessment Expectations (C3PAO Perspective)
What happens during a C3PAO assessment?
Assessors will:
Examine documentation
Interview personnel
Test technical controls
They evaluate whether your environment is consistently implemented and supported by evidence.
How often are assessments required?
Level 1: Annually
Level 2 & 3: Every 3 years + annual affirmation
What are common reasons organizations fail?
Missing or incomplete SSP
Poorly defined scope
Lack of objective evidence
Controls not consistently followed
Misalignment between policy and practice
External Providers & Cloud
Do cloud providers need to meet FedRAMP requirements?
Yes. If processing CUI, cloud services must meet FedRAMP Moderate or equivalent.
Are MSPs included in scope?
Yes. External providers impacting security controls are included in the assessment boundary, even if they are not separately certified.
Strategy & Timeline
How long does CMMC compliance take?
Typically 3–12+ months for Level 2, depending on:
Existing maturity
Environment complexity
Scope of CUI
How should organizations prepare?
The DoD recommends:
Fully implementing controls
Conducting a self-assessment
Remediating all gaps before assessment
Organizations that focus only on documentation—not implementation—are at higher risk of failure.

Certified, Scalable Support for Every Phase 

August Schell delivers structured, audit-ready execution at every phase of your CMMC journey—from early preparation through certification and beyond.

Whether your organization is:
  • Defining scope and system boundaries
  • Closing gaps against NIST SP 800-171
  • Preparing for a C3PAO assessment
  • Or implementing NIST SP 800-172 for Level
…our approach combines assessor insight, engineering rigor, and proven implementation methodologies to ensure your environment is not only compliant—but defensible under assessment.

Built to meet requirements—and stand up to scrutiny.

Unified CMMC Compliance Execution

End-to-End Delivery (RPO + C3PAO-Aligned

A single, integrated team guiding you from initial gap analysis through assessment readiness—eliminating handoffs, reducing risk, and accelerating timelines.

Certified Assessment & Engineering Expertise 

Led by multiple Lead Certified CMMC Assessors (Lead CCAs) and supported by FedRAMP-experienced engineers, with deep experience across DoD and federal environments.

Flexible, Credit-Based Delivery Model

Predictable, transparent pricing through a consumption-based model—you only pay for work performed, with flexibility to scale as your needs evolve.

Full Lifecycle Support (Levels 1–3)

Comprehensive support across all CMMC levels:
Level 1: Self-assessment and attestation (FAR 52.204-21)
Level 2: NIST SP 800-171 implementation and C3PAO readiness
Level 3: Advanced security engineering aligned to NIST SP 800-172

C3PAO & DIBCAC Assessment Readiness Support 

Preparation aligned to C3PAO assessment methodologies, with structured support for DIBCAC-led Level 3 assessments, including evidence validation and audit readiness.

Continuous Compliance & Operational Resilience

Post-assessment support to maintain compliance and security posture:
– Continuous monitoring and threat detection
– Control validation and drift management
– Ongoing remediation and POA&M tracking

Architected for Audit Readiness

Secure-by-design environments with fully documented, assessor-aligned artifacts, including SSPs, policies, and evidence mapped directly to CMMC and NIST SP 800-171 controls.

Conflict of Interest Notice

August Schell operates as both a CMMC RPO (advisory/consulting) and an authorized C3PAO (certification assessments).

In accordance with Cyber AB accreditation requirements, August Schell is prohibited from conducting a CMMC Level 2 certification assessment for any organization to which it has provided consulting or remediation services within the preceding three years.

Organizations receiving advisory or implementation support from August Schell must obtain certification through an independent C3PAO.

Prepared with precision. Assessed with integrity. Certified with confidence.