Don’t Let CMMC Hold Up Your Contracts.

CMMC compliance is no longer optional; it’s becoming a contractual prerequisite. As the Cybersecurity Maturity Model Certification (CMMC) framework advances through its formal rulemaking stages, contractors across the Defense Industrial Base must align with escalating requirements to retain eligibility for DoD contracts and certain Federal grants.

August Schell provides unified, expert-led, and cost-controlled support from initial readiness through full audit preparation—whether you’re targeting Level 1, Level 2, or Level 3 certification. 

Book a Complimentary Consultation:

CMMC Rulemaking Status and Implementation Timeline

On September 10, 2025, the Department of Defense published the Final Rule for the Cybersecurity Maturity Model Certification (CMMC) program in the Federal Register, codifying it into the Defense Federal Acquisition Regulation Supplement (DFARS) under 48 CFR 204.75 and DFARS Clause 252.204-7021. The rule becomes effective on November 10, 2025.

To support adoption across the Defense Industrial Base (DIB), DoD is implementing a four-phase rollout:

Phase 1: Begins November 10, 2025
Key Actions:
DoD may include CMMC Level 1 or Level 2 self-assessments in new solicitations and awards.
Contractors must submit self-assessment scores and an annual affirmation of compliance in the Supplier Performance Risk System (SPRS), even if assessed and certified by a C3PAO for Level 2.
This phase supports gradual onboarding while enabling award eligibility for contractors demonstrating minimum compliance.
Phase 2: Begins November 10, 2026
Key Actions:
DoD begins requiring CMMC Level 2 certification by a C3PAO for select solicitations involving Controlled Unclassified Information (CUI).
All Level 2 certifications must be current (within 3 years) and validated in SPRS before award.
Phase 3: Begins November 10, 2027
Key Actions:
CMMC certification becomes a requirement to exercise option periods or extensions on contracts awarded after November 2025.
Level 3 certifications, conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), begin appearing in high-priority and high-risk DoD programs.
Phase 4: Begins November 10, 2028
Key Actions:
Full enforcement of CMMC across all applicable DoD contracts and subcontracts.
All certifications must be valid (not more than 3 years old) and maintained for the life of the contract.
Level 3 enforcement becomes standard for select mission-critical acquisitions.

Certified, Scalable Support for Every Phase 

August Schell offers turnkey services tailored to each implementation phase. Whether your organization is in early preparation, pursuing third-party certification, or aligning to NIST SP 800-172 controls for Level 3, we provide certified, audit-ready execution backed by deep technical expertise. 

Unified Compliance Execution 

One team from Gap Analysis through C3PAO readiness—no handoffs or delays. 

Certified Expertise

Multiple Lead CCAs + FedRAMP engineers with deep DoD and Federal experience. 

Credit-Based Billing Model 

Predictable pricing, flexible delivery—only pay for executed work. 

Support for Levels 1–3

Level 1 self-attestation, Level 2 certification prep, and Level 3 engineering. 

DIBCAC Coordination

Direct support in working with DIBCAC for your Level 3 assessment. 

Posture Continuity

Post-assessment advisory, threat detection, and remediation planning. 

Professionally Architected & Documented 

Secure-by-design architectures with audit-ready documentation mapped to every CMMC control.

Navigating CMMC compliance doesn’t have to be overwhelming. Partner with August Schell and let us guide you every step of the way. Contact us today to schedule your consultation and take the first step towards a secure and compliant future.

August Schell is a Registered Practitioner Organization (RPO) and Candidate Third Party Assessment Organization (C3PAO) for CMMC.

Frequently Asked Questions

How to get started?
Contact our CMMC Team or schedule a consultation, and we will work with you to determine what is required for your particular situation:
CMMC Readiness Assessment: Unsure where to start with CMMC compliance? Our expert team will conduct a comprehensive readiness assessment to evaluate your organization’s current cybersecurity posture and identify areas for improvement to meet CMMC requirements.
CMMC Gap Analysis: Once we have assessed your organization’s readiness, we will perform a thorough gap analysis to identify any gaps between your current practices and the requirements of the desired CMMC level. This analysis serves as a roadmap for implementing necessary changes to achieve compliance.
CMMC Implementation & Documentation Support: Our team will provide hands-on support and guidance throughout the implementation process, helping you establish and maintain the necessary policies, procedures, and controls to meet CMMC requirements. We will work closely with your team to ensure a smooth and successful implementation.
CMMC Assessment Preparation: As you prepare for your official CMMC assessment, we will assist you in organizing documentation, conducting internal audits, and addressing any last-minute concerns to ensure you are fully prepared for a successful assessment, with either C3PAO representation or self-attestation support.
CMMC Managed Services: Once you have achieved compliance, our managed services team can provide ongoing support to help you maintain compliance, stay ahead of evolving threats, and adapt to changes in CMMC requirements over time.