The Readiness page tracks your journey from initial CMMC programme setup through certification and ongoing maintenance.

Certification Stages

Not Started       CMMC programme not initiated
Scoping           Defining CUI boundary and in-scope systems
Gap Assessment    Evaluating posture, calculating initial SPRS score
Remediation       Implementing controls and closing gaps (typically the longest phase)
Pre-Assessment    Final preparation, internal reviews, mock assessments
Assessment        Formal assessment underway
POA&M Closeout    Conditional certification, remediating within 180 days
Certified         Full certification achieved
Recertification   Preparing for next assessment cycle

Pre-Assessment Checklist

Key items to verify before scheduling your formal assessment:

  • SSP — Complete System Security Plan covering all in-scope practices
  • POA&M — All known gaps documented; no prohibited practices on POA&M
  • Policies — All required policies written, approved, and distributed
  • FIPS Encryption — CUI encrypted at rest and in transit with FIPS 140-2/3 modules
  • MFA — Enabled for all privileged accounts and remote CUI access
  • Audit Logging — Enabled, protected, and retained per policy
  • Training — All CUI-handling personnel trained
  • SPRS Score Submitted — Current score in SPRS portal with senior official affirmation

After Certification

  • Annual affirmation — Submit to SPRS confirming continued compliance
  • Continuous monitoring — Maintain controls, review logs, scan for vulnerabilities
  • Change management — Evaluate system changes' impact on CUI boundary
  • Incident reporting — Report CUI incidents within 72 hours via DIBNet
  • Recertification planning — Begin 6-12 months before expiry