Ninety days is a tight but achievable window to prepare for a CMMC Level 2 assessment — if you know exactly what to focus on. Most contractors waste time on low-priority controls while leaving critical gaps unfixed. This guide gives you a realistic, prioritized 90-day plan.
Before anything else: run a gap assessment. You cannot build a remediation plan without knowing where your gaps are. Use AuditSolz or any structured assessment to identify your specific weaknesses before starting this plan.
Why 90 days?
The CMMC assessment itself takes 2–4 weeks once you're ready. That means you have roughly 60 days of actual remediation time in a 90-day window — enough to fix most gaps if you prioritize correctly and have the right resources committed.
If you have more than 90 days, great — use the same approach but spread it out. If you have less, focus exclusively on the critical and high-severity gaps that will cause immediate audit failure.
The 90-day plan
Days 1–7: Assessment and gap identification
Complete a full CMMC readiness assessment covering all 110 NIST 800-171 controls. Do not skip this step or estimate — you need specific, documented answers for each control. Use a structured tool that records your responses.
Output: A list of all gaps sorted by severity (critical, high, medium, low), with specific fix guidance for each one.
Days 8–14: Planning and resource allocation
Review your gap list and assign every task to a specific person with a realistic deadline. Get leadership sign-off on the resources required. If you have IT staff, dedicate them primarily to CMMC remediation for the next 60 days.
Create your POAM (Plan of Action and Milestones) document now — you'll need it for your assessment regardless, and having it forces accountability.
Days 15–45: Fix critical and high gaps
Focus exclusively on critical and high-severity gaps. These are the ones that will cause immediate audit failure. Common critical gaps include:
- Multi-factor authentication not enforced (AC.3.012) — fix in hours, not days
- Audit log retention under 90 days (AU.2.041) — 2-hour fix in Microsoft 365
- CUI data not encrypted at rest (SC.3.177) — enable BitLocker via Intune
- No vulnerability scanning program (RA.2.141) — deploy Nessus or Defender VM
- No incident response plan (IR.2.092) — write and test the plan
For each fix, collect evidence immediately — screenshots, configuration exports, policy documents. Upload these to your evidence locker as you go.
Days 46–70: Fix medium gaps and write documentation
Work through medium-severity gaps while simultaneously writing your System Security Plan. The SSP needs to describe how you implement each of the 110 controls — writing it now, while you're actively implementing controls, is much easier than writing it afterward.
Key documentation to complete: SSP, POAM (updated with completion dates), access control policy, incident response plan, system boundary documentation.
Days 71–80: Mock audit and final review
Conduct a mock audit — either using a tool like AuditSolz's mock audit feature or by having someone unfamiliar with your environment walk through each control and challenge your evidence. This will surface gaps and weak documentation before the real assessment.
Update your SSP and evidence based on mock audit findings. Run your assessment tool again to confirm your posture score has improved.
Days 81–90: Final preparation and C3PAO engagement
Ensure all documentation is finalized and organized. Brief your team on what to expect during the assessment — assessors will interview staff, not just review documents. Schedule your C3PAO assessment.
Any remaining low-severity gaps should be documented in your POAM with realistic milestone dates. Assessors understand that some gaps take time to remediate — what they need to see is awareness and a credible plan.
The most common mistakes
- Starting with documentation instead of controls. Write the SSP while implementing, not before. Policy documents without technical implementation will fail your audit.
- Treating all gaps equally. An unfixed critical gap will fail your entire assessment. Medium and low gaps with a documented POAM will not.
- No evidence collection. "We do this" is not sufficient. Assessors need screenshots, configuration exports, and policy documents as evidence.
- Scoping too broadly. CUI only needs to be protected in systems that actually handle it. Define your system boundary clearly and keep CUI out of systems that don't need it.
Start your 90-day plan today
AuditSolz runs your gap assessment in 20 minutes and generates a prioritized remediation roadmap automatically. Your SSP and POAM are auto-generated from your answers.