Practical Approach to CMMC Compliance Identifying and Reducing the Scope of Your Assessment Recording
Video Summary
The presentation by Charles Reardon focuses on practical steps toward CMMC (Cybersecurity Maturity Model Certification) Level 2 compliance, which matters to Department of Defense (DoD) contractors that handle Controlled Unclassified Information (CUI). Charles stresses that a contractor must first establish whether it handles CUI at all, because that answer drives the scope of the assessment. The first step is defining that scope by identifying every asset category involved in processing CUI: CUI assets, security protection assets (SPAs), contractor risk-managed assets (CRMAs), specialized assets, and out-of-scope assets. Only the CUI asset and SPA categories are assessed against all 110 NIST SP 800-171 / CMMC controls, so keeping other assets out of those two categories is the main lever for reducing assessment scope.

Next, the contractor must develop and document a System Security Plan (SSP) that describes the scope, the environment, the controls in place, and the evidence supporting them. A self-assessment that follows the NIST and DoD assessment guidelines is essential for finding gaps, scoring readiness, and producing a Plan of Action and Milestones (POA&M) for remediation. Charles emphasizes documenting and honestly assessing at the level of the individual assessment objectives (more than 320 of them), not just the 110 controls.

Charles notes that there is not yet a CMMC 2.0 certification requirement: contractors currently self-attest, submit their scores to the DoD Supplier Performance Risk System (SPRS), and may be spot-checked. Full certification is expected to be mandatory by October 2025 in order to bid on contracts, which makes early and thorough preparation vital, and third-party assessments will be required once rulemaking is finalized. The core message is that scope reduction, detailed documentation, continuous self-assessment, and proactive remediation are the keys to CMMC Level 2 compliance.
Keywords
CMMC Level 2 compliance
Controlled Unclassified Information (CUI)
Department of Defense contractors
NIST 800-171 controls
System Security Plan (SSP)
Self-assessment and POAM
Scope definition and asset categories
SPRS submission and self-attestation
Certification deadline October 2025