CMMCDocs.comWe are now six months into CMMC Phase 2 implementation. The landscape is clearer than it was in January, and the data tells an interesting story about industry readiness.
Assessment Volume
C3PAO assessments are ramping up, but capacity constraints remain real. The Cyber AB has certified additional assessors, but demand continues to outpace supply. Contractors in defense-heavy regions (Northern Virginia, San Diego, Huntsville) report 2-3 month lead times for scheduling assessments. Smaller markets may have shorter waits but fewer assessor options.
Common Failure Points
Early assessment data reveals consistent patterns in where contractors struggle. The most common NOT MET findings cluster around: AU (Audit) controls — specifically log retention and review cadence; SC (System and Communications) controls — particularly FIPS-validated encryption; and PS (Personnel Security) controls — background screening documentation gaps. These are not surprising to anyone who has worked in the space, but they reinforce that documentation and process discipline matter as much as technical controls.
The SPRS Gap
Many contractors who reported high SPRS scores through self-assessment are discovering that their actual scores are lower when subjected to independent verification. The gap between self-reported and assessed scores averages 20-30 points. This is not fraud in most cases — it is optimistic interpretation of ambiguous requirements. Having a platform that enforces evidence-based scoring helps close this gap before the assessor finds it.
What To Do Now
If you have not started, start today. If you have started but stalled, identify your top 10 gaps and create POA&M items with realistic deadlines. If you are assessment-ready, book your C3PAO now — wait times are only growing. The contractors who move decisively in 2026 will be the ones who keep their contracts in 2027.