Don’t Let CMMC Hold Up Your Contracts.

Countdown to Mandatory C3PAO Assessments for Many DoD Contracts

Phase 2: Effective November 10, 2026

CMMC Readiness and Certification can take from 3-12+ Months, depending on RPO & C3PAO Availability

CMMC compliance is no longer optional; it’s becoming a contractual prerequisite. As the Cybersecurity Maturity Model Certification (CMMC) framework advances through its formal rulemaking stages, contractors across the Defense Industrial Base must align with escalating requirements to retain eligibility for DoD contracts and certain Federal Grants.

August Schell Enterprises is an Authorized CMMC Third-Party Assessment Organization (C3PAO) and Registered Practitioner Organization (RPO). August Schell provides unified, expert-led, and cost-controlled support from initial preparation through certification and beyond with CMMC-Aligned Managed Services, whether you’re targeting Level 1, Level 2, or Level 3.

Elevate your cybersecurity posture with CMMC compliance:

CMMC Compliance Services

End-to-End Readiness. Built for Assessment.

Achieving CMMC compliance requires more than implementing controls—it requires defensible evidence, accurate scoping, and alignment with assessor expectations.

August Schell delivers end-to-end CMMC support aligned to both RPO advisory services and C3PAO assessment methodologies, helping organizations move from uncertainty to certification with confidence.

Designed for compliance. Validated for assessment…

Registered Provider Organization (RPO)
Organizations managing Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) can benefit from a dedicated secure enclave built to meet federal cybersecurity requirements.
Our RPO advisory team guides the design and implementation of enclave architectures aligned with NIST SP 800-171 security standards.
Certified Third-Party Assessment Organization (C3PAO)
As an authorized CMMC Certified Third-Party Assessment Organization (C3PAO), August Schell conducts independent certification assessments for organizations pursuing CMMC Level 2 compliance. Our certified assessors perform formal evaluations based on NIST SP 800-171 security requirements and CMMC assessment procedures, ensuring your environment meets Department of Defense cybersecurity standards.

CMMC Rulemaking Status and Implementation Timeline

On September 10, 2025, the Department of Defense published the Final Rule for the Cybersecurity Maturity Model Certification (CMMC) program in the Federal Register, codifying it into the Defense Federal Acquisition Regulation Supplement (DFARS) under 48 CFR 204.75 and DFARS Clause 252.204-7021. The rule becomes effective on November 10, 2025.

To support adoption across the Defense Industrial Base (DIB), DoD is implementing a four-phase rollout:

Phase 1: Begins November 10, 2025
Key Actions:
  • DoD may include CMMC Level 1 or Level 2 self-assessments in new solicitations and awards.
  • Contractors must submit self-assessment scores and an annual affirmation of compliance in the Supplier Performance Risk System (SPRS), even if assessed and certified by a C3PAO for Level 2.
This phase supports gradual onboarding while enabling award eligibility for contractors demonstrating minimum compliance.

Phase 2: Begins November 10, 2026
Key Actions:
  • DoD begins requiring CMMC Level 2 certification by a C3PAO for select solicitations involving Controlled Unclassified Information (CUI).
  • All Level 2 certifications must be current (within 3 years) and validated in SPRS before award.

Phase 3: Begins November 10, 2027
Key Actions:
  • CMMC certification becomes a requirement to exercise option periods or extensions on contracts awarded after November 2025.
  • Level 3 certifications, conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), begin appearing in high-priority and high-risk DoD programs.

Phase 4: Begins November 10, 2028
Key Actions:
  • Full enforcement of CMMC across all applicable DoD contracts and subcontracts.
  • All certifications must be valid (not more than 3 years old) and maintained for the life of the contract.
  • Level 3 enforcement becomes standard for select mission-critical acquisitions.

Certified, Scalable Support for Every Phase 

August Schell delivers structured, audit-ready execution at every phase of your CMMC journey—from early preparation through certification and beyond.

Whether your organization is:

…our approach combines assessor insight, engineering rigor, and proven implementation methodologies to ensure your environment is not only compliant—but defensible under assessment.

Built to meet requirements—and stand up to scrutiny.


Unified CMMC Compliance Execution


End-to-End Delivery (RPO + C3PAO-Aligned)

A single, integrated team guiding you from initial gap analysis through assessment readiness—eliminating handoffs, reducing risk, and accelerating timelines.

Certified Assessment & Engineering Expertise 

Led by multiple Lead Certified CMMC Assessors (Lead CCAs) and supported by FedRAMP-experienced engineers, with deep experience across DoD and federal environments.

Flexible, Credit-Based Delivery Model

Predictable, transparent pricing through a consumption-based model—you only pay for work performed, with flexibility to scale as your needs evolve.

Full Lifecycle Support (Levels 1–3)

Comprehensive support across all CMMC levels:
  • Level 1: Self-assessment and attestation (FAR 52.204-21)
  • Level 2: NIST SP 800-171 implementation and C3PAO readiness
  • Level 3: Advanced security engineering aligned to NIST SP 800-172

C3PAO & DIBCAC Assessment Readiness Support 

Preparation aligned to C3PAO assessment methodologies, with structured support for DIBCAC-led Level 3 assessments, including evidence validation and audit readiness.

Continuous Compliance & Operational Resilience

Post-assessment support to maintain compliance and security posture:
  • Continuous monitoring and threat detection
  • Control validation and drift management
  • Ongoing remediation and POA&M tracking

Architected for Audit Readiness

Secure-by-design environments with fully documented, assessor-aligned artifacts, including SSPs, policies, and evidence mapped directly to CMMC and NIST SP 800-171 controls.

August Schell is both a Registered Practitioner Organization (RPO) and an authorized Certified Third-Party Assessment Organization (C3PAO)—providing end-to-end expertise from readiness through certification.
Whether you are beginning your compliance journey or preparing for a formal assessment, our team delivers structured, audit-ready guidance aligned to CMMC and DoD expectations.
Take the next step toward certification with a team built for both preparation and assessment.

Conflict of Interest Notice

August Schell operates as both a CMMC RPO (advisory/consulting) and an authorized C3PAO (certification assessments).

In accordance with Cyber AB accreditation requirements, August Schell is prohibited from conducting a CMMC Level 2 certification assessment for any organization to which it has provided consulting or remediation services within the preceding three years.

Organizations receiving advisory or implementation support from August Schell must obtain certification through an independent C3PAO.

CMMC Frequently Asked Questions

Getting Started
How do I get started with CMMC compliance?
Start by identifying whether your organization handles FCI or CUI and what CMMC level is required by your contracts. From there, a structured approach includes:
An RPO supports preparation, while a C3PAO performs the formal certification assessment.

CMMC Levels & Requirements
How do I know which CMMC level I need?
The required level is defined in the contract solicitation:
The requirement is driven by data type, not organization size.

What is the relationship between CMMC and NIST SP 800-171?
CMMC Level 2 directly assesses the 110 controls in NIST SP 800-171 Rev. 2, verifying that they are:

Readiness & Preparation
What is a CMMC readiness assessment?
A readiness assessment evaluates your current posture against CMMC requirements, identifying:
This is advisory and not a certification.

What documentation is required for a CMMC assessment?
Key artifacts include:
An incomplete SSP can prevent a valid assessment.

Can we pass with a POA&M?
Yes, with limitations:
Failure to close results in loss of certification status.

Assessment Expectations (C3PAO Perspective)
What happens during a C3PAO assessment?
Assessors will:
They evaluate whether your environment is consistently implemented and supported by evidence.

How often are assessments required?

What are common reasons organizations fail?

External Providers & Cloud
Do cloud providers need to meet FedRAMP requirements?
Yes. If processing CUI, cloud services must meet FedRAMP Moderate or equivalent.

Are MSPs included in scope?
Yes. External providers impacting security controls are included in the assessment boundary, even if they are not separately certified.

Strategy & Timeline
How long does CMMC compliance take?
Typically 3–12+ months for Level 2, depending on:

How should organizations prepare?
The DoD recommends:
Organizations that focus only on documentation—not implementation—are at higher risk of failure.

Why August Schell?

One trusted partner across the entire CMMC lifecycle—from education and readiness to certification and continuous compliance.
End-to-End CMMC Support
Achieving Cybersecurity Maturity Model Certification requires more than a single assessment. August Schell supports organizations across the entire CMMC lifecycle—from readiness and implementation to certification and continuous compliance.
As both a Registered Practitioner Organization (RPO) and an Authorized CMMC Third-Party Assessment Organization (C3PAO), we provide the expertise needed at every stage of the journey. When appropriate, we collaborate with trusted CMMC ecosystem partners to support readiness activities while maintaining the independence and integrity required for the CMMC assessment process.
Education & Readiness
We help organizations understand CMMC requirements, assess their cybersecurity posture, and develop a clear roadmap toward compliance.
Implementation & Compliance Engineering
Our experts support the implementation of NIST SP 800-171 controls, secure enclave architectures, and the documentation required for audit readiness.
Independent Certification Assessments
As an authorized C3PAO, August Schell conducts independent CMMC Level 2 certification assessments aligned with DoD requirements.
Continuous Compliance & Managed Services
Following certification, we provide ongoing advisory and managed security services to help organizations maintain compliance and strengthen their cybersecurity posture.

References

DoD CMMC FAQ (Nov 2025)
32 CFR Part 170 (CMMC Program Rule)
DFARS 252.204-7012 / 7021
NIST SP 800-171 Rev. 2
NIST SP 800-172