The Readiness page tracks your journey from initial CMMC programme setup through certification and ongoing maintenance.
Certification Stages
| Stage | Description |
| --- | --- |
| Not Started | CMMC programme not initiated |
| Scoping | Defining CUI boundary and in-scope systems |
| Gap Assessment | Evaluating posture, calculating initial SPRS score |
| Remediation | Implementing controls and closing gaps (typically the longest phase) |
| Pre-Assessment | Final preparation, internal reviews, mock assessments |
| Assessment | Formal assessment underway |
| POA&M Closeout | Conditional certification, remediating within 180 days |
| Certified | Full certification achieved |
| Recertification | Preparing for next assessment cycle |
Pre-Assessment Checklist
Key items to verify before scheduling your formal assessment:
- SSP — Complete System Security Plan covering all in-scope practices
- POA&M — All known gaps documented; no prohibited practices on POA&M
- Policies — All required policies written, approved, and distributed
- FIPS Encryption — CUI encrypted at rest and in transit with FIPS 140-2/3 modules
- MFA — Enabled for all privileged accounts and remote CUI access
- Audit Logging — Enabled, protected, and retained per policy
- Training — All CUI-handling personnel trained
- SPRS Score Submitted — Current score in SPRS portal with senior official affirmation
After Certification
- Annual affirmation — Submit to SPRS confirming continued compliance
- Continuous monitoring — Maintain controls, review logs, scan for vulnerabilities
- Change management — Evaluate system changes' impact on CUI boundary
- Incident reporting — Report CUI incidents within 72 hours via DIBNet
- Recertification planning — Begin 6-12 months before expiry