You have any experience with that @Vitor Pamplona?
Not personally, but close colleagues did a few of those. 4-5 months to get a response.
As soon as possible, but not before the cipher is well chosen. And that should depend on actual implementation experience.
I also don't think there's much of a rush. Once there's an "official" number assigned, we recommend that clients use it. But until then the private usage number is just fine. What is most useful I think is to have more eyes on it, which the application process should achieve. And it's nice to have things buttoned up eventually.