What should we do first if we’re starting from scratch?
Start with defining the CUI boundary and scope. Until that [...]
Can we take an enclave approach to reduce scope?
In some cases, yes. An enclave is a scoping strategy, [...]
What is an SPRS score and when does it matter?
SPRS, the Supplier Performance Risk System, is the Department of [...]
What is a POA&M and what can’t it contain at Level 2?
A POA&M, or Plan of Action and Milestones, is a [...]
What is an SSP and why does it matter?
The System Security Plan documents how required controls are implemented [...]
What does “scoping” mean in CMMC, in plain English?
Scoping defines which systems, users, assets, and connections fall inside [...]
What is CUI and why does it change everything?
CMMC scope is driven by where CUI is stored, processed, [...]
Do we need a third-party assessment or a self-assessment for Level 2?
For Level 2, the assessment type depends on contract requirements. [...]
What’s the difference between CMMC Level 1, 2, and 3?
Level 1 focuses on safeguarding Federal Contract Information (FCI). Level [...]
How long does CMMC Level 2 readiness typically take?
For many organisations, CMMC Level 2 readiness takes around six [...]