We laid out the CMMC 2.0 rollout in an earlier piece — the four-phase timeline, what the Acquisition Rule changed, and why the calendar matters. Here's the short version so this post can stand on its own: Phase 2 begins November 10, 2026, and it makes third-party certification by an accredited C3PAO mandatory for any contract that involves Controlled Unclassified Information. Self-attestation on the things that matter goes away.
This is the companion piece — the practical one. If the last post was the "why," this is the "what to do next." Below is a phased 90-day sprint that turns the 110 requirements of NIST SP 800-171 Rev 2 from an intimidating list into a sequence of moves you can actually run.
One honest caveat up front: 90 days is a sprint, not the whole race. Getting to a defensible Level 2 posture from a cold start realistically takes 9 to 12 months, because evidence takes time to accumulate. But 90 focused days is enough to scope the problem, close the highest-risk gaps, and know exactly where you stand before you spend money on a C3PAO. If you haven't started, this is where you start — and the fact that evidence has to age is precisely why starting now, not in Q3, is the whole point.
Days 1-15: Draw the CUI boundary before you touch a control
Every dollar you spend on CMMC is priced by your scope. Over-scope and you're hardening laptops that never see CUI. Under-scope and the assessor finds CUI living somewhere you forgot to protect, which is worse. Get this right first.
- Identify where CUI actually enters, lives, moves, and leaves — email, file shares, ERP, engineering workstations, backups, and any contractor who touches it.
- Draw the assessment boundary and classify every asset inside it: CUI assets, Security Protection assets, Contractor Risk Managed assets, and out-of-scope. This asset inventory is an assessment artifact — build it as a living document, not a one-time spreadsheet.
- Produce a current network diagram that matches the boundary. An assessor will compare your diagram to reality; make sure they agree.
- Document your External Service Providers — your MSP, cloud tenants, any managed SOC. Their responsibilities have to be written down and, where CUI is involved, backed by the right agreements.
Days 15-30: Gap-assess against all 110 requirements
Now measure yourself honestly against the standard — all 110 requirements and the 320 underlying assessment objectives that a C3PAO scores against. The goal is not a pass/fail grade. It's a prioritized, evidence-mapped remediation plan.
- Score each requirement as Met, Not Met, or Not Applicable, and record where the proof lives for every "Met." If you can't name the evidence, it isn't met yet.
- Calculate your SPRS self-assessment score honestly. Remember the math that governs Conditional status later: you generally need at least 88 of 110 (80 percent), and several high-weight requirements — including multifactor authentication and FIPS-validated encryption — cannot be deferred to a POA&M at all.
- Rank the gaps by risk and by lead time. Controls that need weeks of operating history to prove — logging, monitoring, vulnerability remediation cadence — jump to the front of the line.
Days 30-60: Stand up the highest-impact controls
These are the requirement families that consistently derail SMBs, and they're where your remediation hours pay off fastest. Implement them early in the window so their evidence trail has time to build.
- Access control and identity (3.1 / 3.5). Enforce least privilege and role-based access, separate administrative accounts from daily-driver accounts, and deploy phishing-resistant multifactor authentication everywhere it's required. MFA is non-negotiable and non-deferrable.
- Logging and continuous monitoring (3.3 / 3.14). Centralize audit logs into a SIEM, define what events you capture, and put eyes on them. This is where a managed SOC earns its keep — and where "we turned it on last week" fails an assessment.
- Incident response (3.6). A tested IR plan with named roles, DoD 72-hour reporting built in, and a documented tabletop exercise on the calendar. A policy PDF alone is a finding.
- Configuration management (3.4). Documented baselines, an approved change process, and a mechanism that proves live configurations match the baseline over time.
Days 45-75: Build the evidence trail — this is the real work
This is the phase most first-timers underestimate. An assessor is not checking whether a control exists. They're checking whether it has been operating — reliably, over time, with proof. "We enabled it" is not evidence. A control switched on the day before the assessment is, to a C3PAO, a control with no track record.
- Capture artifacts continuously: log samples, alert-and-response records, change tickets, access reviews, vulnerability scan history, patch timelines, backup restore tests, and training completion records.
- Timestamp everything and keep at least 90 days of operating history for monitoring-type controls. This is the single strongest argument for starting the clock now.
- Map each artifact back to the specific requirement and assessment objective it satisfies, so nothing is a scramble on assessment day.
Days 60-80: Write or refresh the SSP and POA&M
The System Security Plan is the first document a C3PAO opens, and a weak one poisons the whole assessment. It has to describe how each of the 110 requirements is implemented in your environment — specific systems, specific responsibilities — not generic boilerplate.
- Write the SSP to reflect reality, including where an External Service Provider carries a control on your behalf.
- Build a disciplined POA&M for the remaining gaps — only for items that are actually eligible to be deferred, each with an owner and a realistic close date. If you land in Conditional status, those items must be closed and re-assessed within 180 days.
- Finalize policies and procedures as approved documents, not drafts. Assessors distinguish sharply between the two.
Days 80-90: Run a mock assessment, then engage a C3PAO
Before you pay for the real thing, pressure-test it yourself. Run an internal mock assessment exactly like the live one: pull requirements at random, demand the evidence, and interview the people who own each control. The gap you're hunting is the space between "we do this" and "we can prove we do this" — find it here, where it's free to fix.
Then engage an accredited C3PAO. Demand is heavy and the assessment window runs roughly 60 to 120 days, so booking is itself a lead-time problem. Walk in with a clean SSP, a real evidence library, and a mock assessment behind you, and the certification becomes a confirmation rather than a discovery.
The business case for moving today
None of this is exotic engineering. It's sequencing and discipline under a hard deadline — and the deadline has teeth beyond the assessment itself. Primes are already screening subcontractors by CMMC posture, which means firms without a credible plan get quietly routed out of bid packages long before November 2026, and usually never told that's why. Compliance has become contract continuity.
Torchsec's compliance engineering team runs this sprint with defense-adjacent SMBs end to end — CUI scoping, gap assessment, SSP and POA&M support, and the managed controls that actually generate the evidence: 24/7 SOC, SIEM-backed logging and continuous monitoring, MDR, identity and MFA, incident response, and configuration management. If you want an honest read on where you stand and a plan to get certified, get in touch.
Ready to talk?
If any of this sounds familiar, we'd be happy to walk your team through it. Book a no-obligation consultation or request a free risk assessment.

