Most guides on CMMC prep are written by people selling you something. They tell you to “conduct a gap assessment” and “remediate findings” like those are simple line items instead of months of actual work.
This page is different. It walks through what preparation actually looks like for a small defense contractor with 10 to 50 employees, a small IT team (or an MSP doing most of it), and a November 2026 deadline that is not moving.
If you haven’t started yet, you’re late. But “late” and “too late” are different things. Here’s how to close the gap.
The deadline: November 10, 2026
Phase 2 of CMMC starts November 10, 2026. That’s when mandatory C3PAO assessments begin appearing in contracts. If your prime or contracting officer requires CMMC Level 2, you either need to have passed your assessment by then or have one scheduled.
There are roughly 80,000 contractors who need Level 2 and fewer than 600 certified assessors. Do the math on scheduling availability. If you wait until September to book your assessment, you may not get a slot until 2027. By then, primes will be looking for subcontractors who already have their certification.
Before you touch anything: define your CUI boundary
Every hour you spend on security controls before defining your CUI boundary is potentially wasted time. The boundary determines what’s in scope. Everything outside the boundary is irrelevant to the assessment. Everything inside it needs to meet all 110 practices.
For most small contractors, the CUI boundary includes:
Systems: The laptops, servers, and cloud services where CUI is stored, processed, or transmitted. This includes email if CUI ever goes through email (it almost always does). It includes your file sharing platform. It includes any cloud application where CUI might end up.
People: Everyone who touches CUI. That’s not “everyone in the company” unless everyone in the company actually handles CUI. Narrowing this list narrows your scope and makes the assessment smaller.
Networks: The network segments those systems sit on. If your CUI systems share a flat network with everything else, your entire network is in scope. Segmentation is your friend.
Third parties: If your MSP remotes into systems that touch CUI, they’re in scope. If your cloud backup provider stores CUI, their environment matters. This is where shared responsibility documentation becomes critical.
The tighter your boundary, the fewer things you need to prove. Spending a week defining the boundary correctly can save months of unnecessary remediation work.
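The scoping rules above (CUI systems, the segments they sit on, and the third parties that administer them) can be applied mechanically to an asset inventory. The following script is an added example, not part of this page or any assessment tool; the inventory, segment names and administrator labels are constructed, and the rule that a shared segment pulls its other hosts into scope is the page's own point about flat networks.

```python
"""Compute the CUI boundary from an asset inventory (added example, constructed data)."""

# Constructed inventory. Each asset records the network segment it sits on, whether it
# stores/processes/transmits CUI, and who administers it. Any value other than "internal"
# is an external party with access to the asset (e.g. an MSP with remote access).
INVENTORY = [
    {"name": "fileserver-01",    "segment": "cui-vlan",     "handles_cui": True,  "admin": "msp"},
    {"name": "eng-laptop-07",    "segment": "cui-vlan",     "handles_cui": True,  "admin": "msp"},
    {"name": "m365-tenant",      "segment": "m365-cloud",   "handles_cui": True,  "admin": "internal"},
    {"name": "backup-service",   "segment": "backup-cloud", "handles_cui": True,  "admin": "backup-vendor"},
    {"name": "reception-pc",     "segment": "office-lan",   "handles_cui": False, "admin": "msp"},
    {"name": "marketing-laptop", "segment": "office-lan",   "handles_cui": False, "admin": "internal"},
]

# Segments that are physical/on-prem networks in the constructed inventory.
ON_PREM_SEGMENTS = {"cui-vlan", "office-lan"}


def cui_boundary(inventory):
    """Return (in-scope asset names, in-scope segments, third parties in scope).

    Rule 1: any asset that handles CUI is in scope.
    Rule 2: any asset on the same network segment as a CUI asset is in scope, because
            the segment itself is inside the boundary. This is why a flat network pulls
            everything in and why segmentation shrinks the assessment.
    Rule 3: any external party administering an in-scope asset is in scope and needs
            shared responsibility documentation.
    """
    cui_segments = {a["segment"] for a in inventory if a["handles_cui"]}
    systems = {a["name"] for a in inventory
               if a["handles_cui"] or a["segment"] in cui_segments}
    third_parties = {a["admin"] for a in inventory
                     if a["name"] in systems and a["admin"] != "internal"}
    return systems, cui_segments, third_parties


def flat_network(inventory):
    """Model the unsegmented case: collapse every on-prem segment into one LAN."""
    return [dict(a, segment="flat-lan") if a["segment"] in ON_PREM_SEGMENTS else dict(a)
            for a in inventory]


if __name__ == "__main__":
    for label, inv in (("segmented", INVENTORY), ("flat", flat_network(INVENTORY))):
        systems, segments, parties = cui_boundary(inv)
        print(f"{label}: {len(systems)} systems in scope, segments={sorted(segments)}, "
              f"third parties={sorted(parties)}")
```

Run as-is, the segmented inventory puts four systems in scope; collapsing the two on-prem segments into one flat LAN drags the reception PC and the marketing laptop in as well, with no change to what actually handles CUI. The third-party set (the MSP and the backup vendor) is the list of organizations whose responsibilities you will need documented.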
Month-by-month: what realistic prep looks like
This assumes you’re starting in spring 2026 with some security basics already in place (endpoint protection, MFA on most things, an MSP handling day-to-day IT). Adjust if you’re further along or further behind.
Months 1-2: Scoping and gap analysis
What you’re doing: Defining the CUI boundary (above), inventorying every system and person in scope, and walking through all 110 NIST 800-171 practices to identify where you stand.
For each practice, the question is simple: can you define it, explain it, and prove it? If any of those three is a “no,” that practice is a gap.
Most small contractors find that 60-70% of the technical controls are already handled by their MSP or built into their Microsoft 365 tenant. The gaps are almost always in documentation, process, and evidence. You have MFA enabled but no policy defining where MFA is required. You patch systems but have no documented patching cadence. You back up data but can’t show a backup test record.
What you should have at the end: A gap list, organized by NIST family, showing exactly what needs work. A defined CUI boundary diagram. An inventory of in-scope systems and people.
Months 2-4: SSP and policy writing
What you’re doing: Writing your System Security Plan (SSP) and supporting policies. The SSP is the single most important document in the assessment. It defines, in your own words, how each practice applies to your environment and how you meet it.
Write the SSP yourself. Or at least own it. If your MSP or a consultant writes it for you and you can’t explain what it says, the assessor will know. They’re going to ask you about specific sections and watch whether you reach for the document or answer from knowledge.
For each of the 110 practices, your SSP should cover: what you do, who is responsible, how often it happens, and what evidence exists. Specific names and frequencies. “The IT Director reviews access quarterly” is good. “Management reviews access periodically” will get follow-up questions you don’t want.
The practice pages on this site include example SSP language for every control. Read them to understand the pattern, then write your own in your own words.
What you should have at the end: A complete SSP draft covering all 110 practices. Supporting policies (access control policy, incident response plan, configuration management policy, etc.) that the SSP references.
Months 3-5: Remediation
What you’re doing: Closing the gaps from your analysis. This is the part that takes the longest because it’s real technical work.
Common remediation items for small contractors:
Documentation gaps (weeks, not months): Writing the change management procedure you’ve been doing informally. Documenting your access review process. Creating an incident response plan that actually describes your environment instead of generic NIST phases.
Technical gaps (variable): Enabling FIPS-compliant encryption on laptops. Configuring audit logging to capture the right events. Setting up vulnerability scanning at a defined frequency for every in-scope system. Disabling split tunneling on your VPN. Implementing application whitelisting.
Process gaps (ongoing): Starting the quarterly access reviews you committed to in your SSP. Running your first tabletop incident response exercise. Conducting security awareness training that actually covers insider threats.
The trap here is trying to fix everything at once. Prioritize by risk: anything that creates a hard “NOT MET” finding takes priority over things that might generate follow-up questions.
Months 4-6: Evidence collection
What you’re doing: Building the artifact package you’ll present during the assessment. Evidence is what separates a passing assessment from a failing one. The assessor isn’t going to take your word for anything.
For every practice in your SSP, you need evidence that it’s actually happening. Common evidence types:
Screenshots and exports: Conditional access policies, endpoint protection configurations, backup job reports, vulnerability scan results. Date-stamped. If the screenshot is from six months ago, it raises questions.
Records and logs: Access review sign-offs, change management tickets, incident response exercise notes, training completion records. These prove that your processes run at the frequency you claimed.
Live demonstrations: Some assessors will ask you to pull up configurations in real time. “Show me your conditional access policies in Entra ID.” “Pull up your vulnerability scanner and show me the last scan.” If you can do this confidently, it builds trust fast. If you fumble, they dig deeper.
The best artifact packages are organized by NIST family with a clear index. When the assessor asks about practice 3.4.1, you should be able to find the relevant evidence in under 30 seconds.
What you should have at the end: A complete evidence package with artifacts mapped to each of the 110 practices. No gaps. If a practice has no evidence yet, that’s a finding waiting to happen.
Months 5-6: Pre-assessment dry run
What you’re doing: Practicing. Get the person who will be in the assessment room and run through the practices out loud. For each one: explain what you do, show where it’s defined in the SSP, and pull up the evidence.
Time yourself. In a real assessment, the assessor will spend somewhere between 2 and 15 minutes per practice depending on complexity and how confident your answers are. If you can’t explain a practice in two sentences and find its evidence in 30 seconds, you need more practice.
If you use an MSP or MSSP, do a joint dry run. Make sure the MSP contact who will be in the room (if applicable) can speak to the technical controls they manage. Surprises during the real assessment are bad for everyone.
Month 6+: Schedule and complete the assessment
What you’re doing: Booking your C3PAO assessment and completing it. Schedule as early as possible. Assessment slots are limited and getting scarcer as the deadline approaches.
The assessment itself typically runs 3 to 5 days depending on your scope. The assessor will work through the practices family by family, reviewing your SSP, examining evidence, and asking questions. For a detailed walkthrough of what assessment day looks like, see the Assessment Day page.
Where most small contractors actually fail
After sitting through dozens of these assessments, the pattern is clear. Companies rarely fail because they don’t have the controls. They fail because of three things:
They can’t explain what they do. The controls are in place. The MSP configured everything correctly. But when the assessor asks “how does your organization handle least privilege for admin accounts?” nobody can answer without reading from the SSP. The assessment is a conversation. If you can’t have that conversation, you have a problem.
Their SSP doesn’t match reality. The SSP says access is reviewed monthly. The last review was four months ago. The SSP says terminated users are disabled within 24 hours. The assessor finds an active account for someone who left two months ago. Every contradiction between your SSP and your evidence is a potential finding.
They underestimate the documentation work. Small contractors tend to think CMMC is a technical problem. It’s not. It’s a documentation and process problem. The technical controls are usually 80% done. The documentation is usually 20% done. That gap is what takes months to close.
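The evidence-collection step above (date-stamped artifacts indexed by practice) and the "SSP doesn't match reality" failure mode are the same check from two sides: for each practice, is the newest artifact younger than the cadence the SSP claims, and are the SSP's concrete promises (such as terminated users disabled within 24 hours) borne out by the records? The script below is an added example, not code from this page; the practice entries, artifacts, HR list and directory export are constructed, the practice numbers follow NIST SP 800-171, and the grace period is an assumption you would set to match your own SSP wording.

```python
"""Evidence-freshness and SSP-drift checks (added example, constructed data)."""
from datetime import date, timedelta

# Constructed SSP claims: for each practice, what is done, who owns it, and how often.
# Practice numbers follow NIST SP 800-171; the control text and owners are hypothetical.
SSP_CLAIMS = {
    "3.1.1":  {"control": "Review of all CUI system accounts",      "owner": "IT Director", "cadence": "quarterly"},
    "3.3.1":  {"control": "Audit log review",                       "owner": "MSP SOC",     "cadence": "weekly"},
    "3.8.9":  {"control": "Backup restore test",                    "owner": "IT Director", "cadence": "quarterly"},
    "3.11.2": {"control": "Vulnerability scan of in-scope systems", "owner": "MSP",         "cadence": "monthly"},
}
CADENCE_DAYS = {"weekly": 7, "monthly": 30, "quarterly": 90, "annually": 365}

# Constructed evidence index: dated artifacts collected so far. Note 3.8.9 has none.
EVIDENCE = [
    {"practice": "3.1.1",  "artifact": "access-review-signoff-2026-01.pdf", "date": date(2026, 1, 15)},
    {"practice": "3.3.1",  "artifact": "log-review-ticket-4471",            "date": date(2026, 5, 4)},
    {"practice": "3.11.2", "artifact": "vuln-scan-report-2026-04.csv",      "date": date(2026, 4, 28)},
]

# Constructed HR termination list and directory export, for the "disabled within 24 hours" claim.
TERMINATIONS = [{"user": "jdoe", "last_day": date(2026, 3, 20)},
                {"user": "asmith", "last_day": date(2026, 5, 8)}]
ACCOUNTS = [{"user": "jdoe", "enabled": True},
            {"user": "asmith", "enabled": False},
            {"user": "bkim", "enabled": True}]

TODAY = date(2026, 5, 10)  # constructed "dry run" date


def newest_evidence(evidence):
    """Index practice -> most recent artifact: the lookup you need in the assessment room."""
    index = {}
    for item in evidence:
        current = index.get(item["practice"])
        if current is None or item["date"] > current["date"]:
            index[item["practice"]] = item
    return index


def check_drift(ssp_claims, evidence, today, grace_days=14):
    """Flag practices whose evidence is missing or older than the SSP's stated cadence.

    grace_days is an assumption: a quarterly review dated 95 days ago is late but not
    drift; one dated 115 days ago contradicts the SSP.
    """
    index = newest_evidence(evidence)
    findings = []
    for pid, claim in ssp_claims.items():
        newest = index.get(pid)
        if newest is None:
            findings.append((pid, "NO_EVIDENCE", f"{claim['control']}: nothing collected"))
            continue
        age = (today - newest["date"]).days
        allowed = CADENCE_DAYS[claim["cadence"]] + grace_days
        if age > allowed:
            findings.append((pid, "STALE", f"{claim['control']}: SSP says {claim['cadence']}, "
                                           f"{newest['artifact']} is {age} days old"))
    return findings


def check_terminated_accounts(terminations, accounts, today, sla_hours=24):
    """Find users past their last day whose account is still enabled beyond the SSP's SLA."""
    enabled = {a["user"] for a in accounts if a["enabled"]}
    return [t["user"] for t in terminations
            if t["user"] in enabled and today - t["last_day"] > timedelta(hours=sla_hours)]


if __name__ == "__main__":
    for pid, status, detail in check_drift(SSP_CLAIMS, EVIDENCE, TODAY):
        print(f"{pid} {status}: {detail}")
    print("still enabled after termination:", check_terminated_accounts(TERMINATIONS, ACCOUNTS, TODAY))
```

On the constructed data this reports the quarterly access review as stale (the newest sign-off is 115 days old), the backup restore test as having no evidence at all, and one terminated user whose account is still enabled. Each of those is exactly the kind of contradiction between SSP and evidence the section above describes, and running the check monthly during evidence collection is cheaper than hearing it from the assessor.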
How this site helps
Every one of the 110 practice pages on this site covers what the assessor actually evaluates, example SSP language you can learn from, how to present evidence, the failures that get people flagged, and how shared responsibility works if you use an MSP or MSSP.
Start with the practices your assessment will hit first (usually Access Control) or jump to the ones your gap analysis flagged. If you’re not sure where to begin, the Start Here page walks through the basics.
The November 2026 deadline is real and it’s closer than it feels. But if you’re reading this page, you’re already ahead of most contractors who are still pretending they’ll deal with it later.
This guide is based on experience in real CMMC assessments and is intended to help small defense contractors prepare. It is not legal or compliance advice. Your organization’s situation is unique, and you should work with qualified professionals for formal assessment preparation.