[{"data":1,"prerenderedAt":1230},["ShallowReactive",2],{"blog-ssp-poam-sprs-cmmc-affirmations-small-manufacturers":3,"mdc-sfy5h2-key":67},{"id":4,"title":5,"author":6,"blogbody":7,"body":8,"category":15,"ctaLabel":16,"ctaUrl":17,"date":18,"description":19,"extension":20,"featured":21,"image":22,"lastReviewed":18,"meta":23,"navigation":24,"outboundlinks":25,"path":26,"reviewStatus":27,"seo":28,"seoTitle":29,"sources":30,"stem":58,"tags":59,"videos":25,"youtubelinks":25,"__hash__":66},"blog\u002Fblog\u002Fssp-poam-sprs-cmmc-affirmations-small-manufacturers.md","SSP, POA&M, SPRS, and CMMC Affirmations: What Small Manufacturers Need Before a Prime Contractor Asks","Nick DiVito","## Executive summary\n\nA lot of small manufacturers are waiting for a prime contractor, contracting officer, or customer portal to make CMMC feel real.\n\nThat is understandable. It is also risky.\n\nBy the time someone asks for your SPRS score, SSP status, POA&M plan, or CMMC affirmation, the real question is usually not \"Do you know what CMMC is?\"\n\nThe real question is: can your business explain the environment, the data, the gaps, the evidence, and the person who is willing to stand behind the answer?\n\nThat is a very different question.\n\nCMMC Phase 1 is active. The Department's public CMMC page says Phase 1 runs from November 10, 2025 through November 9, 2026 and focuses primarily on Level 1 and Level 2 self-assessments. Phase 2 begins November 10, 2026 and brings Level 2 certification requirements into more applicable solicitations. The important part is not the date trivia. 
The important part is that CMMC is moving from \"eventually\" into contracting reality.\n\nIf you are a small manufacturer, machine shop, industrial supplier, or DoD-adjacent business, the work now is not to panic.\n\nThe work is to get your scope, SSP, SPRS score, POA&M, evidence, and affirmation process clean enough that you are not inventing the story under pressure.\n\n## The prime contractor question is usually a proxy\n\nA prime contractor may ask a simple question:\n\n\"Do you have a current SPRS score?\"\n\nOr:\n\n\"Are you ready for CMMC?\"\n\nOr:\n\n\"Can you confirm your Level 2 status?\"\n\nThose questions sound simple because the person asking may only need to complete a supplier review, submit a bid package, or satisfy a flowdown requirement. But behind the question sits a whole chain of assumptions.\n\nDo you know whether you handle Federal Contract Information (FCI), Controlled Unclassified Information (CUI), or both?\n\nDo you know which systems are in scope?\n\nDoes your System Security Plan describe the actual environment, or does it describe the environment you wish you had?\n\nIs your SPRS score tied to real evidence?\n\nAre your open gaps tracked in a POA&M that leadership understands?\n\nIf someone affirms compliance, do they understand what they are affirming?\n\nThat is where a lot of small businesses get sideways. They treat the prime's question like an administrative request when it is really a readiness test.\n\nNot a formal assessment, necessarily. 
Not always a pass-fail moment.\n\nBut a test of whether the business has enough control over its own security story to answer without guessing.\n\n## The four artifacts that show whether readiness is real\n\nThe language gets messy, so let us simplify it.\n\nFor most small manufacturers preparing for CMMC Level 2 pressure, four artifacts matter early:\n\n- **SSP:** the system story.\n- **SPRS score:** the current score summary.\n- **POA&M:** the gap closure plan.\n- **Affirmation:** the leadership statement that the organization continues to meet the applicable requirements.\n\nThese are not random paperwork objects. They connect to each other.\n\nThe SSP explains the system. The assessment score reflects how well the requirements are implemented in that system. The POA&M tracks what is not done. The affirmation raises the question of whether leadership can responsibly stand behind the status.\n\nIf those four things disagree with each other, the business is fragile.\n\nA common example: the SSP says MFA (requirement 3.5.3) is implemented. The SPRS score takes full credit for it. The POA&M says nothing about access control. Then someone discovers that shared shop-floor accounts still exist, several cloud admin accounts were excluded from MFA enforcement, and old contractor access was never removed.\n\nThat is not just a documentation problem. That is an operating problem.\n\nThe paperwork revealed it.\n\n## Start with scope, or everything else gets weird\n\nScope is where the CMMC conversation either becomes useful or turns into theater.\n\nManufacturers rarely have clean environments. 
They have estimating files, drawings, customer portals, ERP systems, shared drives, email threads, old file servers, CNC programming workflows, quality documentation, vendor remote support, and a few laptops that somehow became \"temporary\" seven years ago.\n\nThat is normal.\n\nBut normal does not mean ignorable.\n\nBefore you can write a useful SSP or self-assess against NIST SP 800-171 honestly, you need to understand where FCI and CUI live. You also need to understand which systems protect or support the ones that handle it, what the CMMC Level 2 scoping guidance calls Security Protection Assets. That includes cloud storage, identity providers, endpoint protection, backups, logging, email security, and MSP access. Specialized assets on the shop floor, such as CNC controllers that touch CUI but cannot be secured like a normal endpoint, are their own category in the scoping guidance and need to be listed too.\n\nThe goal is not to shove the entire business into scope because that feels safer. That usually makes the work more expensive, more confusing, and harder to maintain.\n\nThe goal is also not to play games and pretend CUI never touches anything important.\n\nThe goal is a truthful boundary.\n\nA useful scope answers questions like:\n\n- Which contracts, customers, parts, drawings, specifications, or portals create FCI or CUI pressure?\n- Which users need access to that information?\n- Which systems process, store, or transmit it?\n- Which external service providers affect those systems?\n- Which assets are specialized, isolated, or operationally sensitive?\n- Which systems are business-important but outside the CMMC assessment boundary?\n\nWhen the scope is vague, every control discussion turns into fog. When the scope is clear, the business can make decisions.\n\n## The SSP is not a template trophy\n\nThe System Security Plan is one of the most abused documents in small business compliance.\n\nA lot of companies treat it like a binder. Fill in the blanks, save the file, put it in a folder, and hope nobody asks hard questions.\n\nThat misses the point.\n\nAn SSP should explain how the covered environment works. 
It should describe the boundary, architecture, responsible roles, CAGE codes, implemented requirements, inherited services, external dependencies, and the actual way the business protects the relevant information.\n\nIf a new executive, IT provider, assessor, or prime contractor needed to understand your environment, the SSP should help them get oriented.\n\nIt does not need to be fancy. It does need to be believable.\n\nFor a manufacturer, a believable SSP may need to explain awkward realities:\n\n- How drawings move between email, portals, shared drives, and production systems.\n- Whether ERP data includes CUI or only business records.\n- Which cloud services are used for storage, collaboration, identity, security, and backup.\n- How shop-floor or specialized assets are treated when they cannot follow normal endpoint patterns.\n- How vendors, MSPs, or remote support providers are authorized and monitored.\n- How evidence is produced when a requirement is marked implemented.\n\nThat last part matters.\n\nIf the SSP says something is implemented, somebody should be able to point to evidence. Not a vibes-based explanation. Not \"we think the MSP handles that.\" Something real enough to survive a review.\n\nThe SSP should not be written for a consultant. It should be written for the business.\n\nIf your leadership team cannot use it to understand the environment, the document is probably too decorative.\n\n## SPRS is not just a number\n\nSPRS gets reduced to \"what is your score?\"\n\nThat is understandable. The score is easy to ask for. It fits in a supplier form. It feels objective.\n\nBut the score is not the whole story.\n\nDFARS 252.204-7019 says that, when NIST SP 800-171 applies, an offeror needs a current assessment, meaning one not more than three years old unless the solicitation specifies a shorter period, for each covered contractor information system relevant to the offer. The provision also requires the results to be posted in SPRS, which is where the summary score becomes visible to the government. 
DFARS 252.204-7020 defines the Basic Assessment as a contractor self-assessment of the SSP for the covered system, conducted using the NIST SP 800-171 DoD Assessment Methodology. Under that methodology every requirement carries a weight of 1, 3, or 5 points, and the score is 110 minus the weight of each requirement that is not implemented, with partial credit (a 3-point deduction instead of 5) only for MFA (3.5.3) and FIPS-validated cryptography (3.13.11). The lowest possible score is -203.\n\nThat means the score is supposed to connect back to the SSP.\n\nIf the SSP is weak, the score is weak.\n\nIf the scope is wrong, the score is probably wrong.\n\nIf the evidence is missing, the score may be hard to defend.\n\nThis is why a small manufacturer should not treat SPRS entry like a one-time administrative chore. The number should be the output of a real review.\n\nA practical SPRS-ready package usually includes:\n\n- The system or systems assessed.\n- The relevant CAGE codes.\n- The date of assessment.\n- The NIST SP 800-171 version used for the assessment.\n- The summary score.\n- The expected date to reach full implementation, if gaps remain.\n- The POA&M items that support that expected date.\n- The evidence or reasoning behind each scored requirement.\n\nThe score should not be inflated because a bid is due.\n\nI get the temptation. Nobody wants to be the supplier with the ugly number.\n\nBut an honest score with a serious remediation plan is much stronger than an optimistic score that collapses the first time someone asks how it was calculated.\n\n## The POA&M is not a junk drawer\n\nA POA&M is supposed to be a plan of action and milestones.\n\nThat name is clunky, but useful. It should show what is not done, who owns it, what will be done, what evidence will prove closure, and when it is expected to be complete.\n\nThe problem is that a POA&M often becomes a junk drawer.\n\nMissing MFA? POA&M.\n\nNo logging review? POA&M.\n\nNo asset inventory? POA&M.\n\nNo vendor review? POA&M.\n\nNobody knows who owns access approvals? POA&M.\n\nThat might be fine for internal planning. It is not fine if the business starts treating the POA&M as a place where hard requirements go to age quietly.\n\nThe current CMMC program allows limited POA&M use for Level 2 and Level 3, but not Level 1. Limited is the operative word. Under the final rule (32 CFR 170.21), a conditional Level 2 status with a POA&M is only possible if the score is at least 88 of 110, nothing on the POA&M is worth more than 1 point (the single exception is 3.13.11 when encryption is in place but not FIPS validated), and none of a short list of named requirements, including 3.1.20, 3.1.22, and the physical access requirements 3.10.3 through 3.10.5, is on it. So a missing MFA gap cannot wait on a POA&M at all; it has to be closed before the assessment. 
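
Those rules are concrete enough to check mechanically, and the check is cheaper than discovering a disagreement in front of a prime. What follows is an added example, not code from the original post or from any CMMC tool: it scores a constructed subset of NIST SP 800-171 Rev. 2 statuses with the DoD Assessment Methodology arithmetic (start at 110, subtract 1, 3, or 5 points per unimplemented requirement, partial credit only for 3.5.3 and 3.13.11), reconciles those statuses against a POA&M the way the four-artifact MFA example earlier describes, and flags gaps that 32 CFR 170.21 would not let sit on a conditional Level 2 POA&M. The WEIGHTS table is a hand-picked subset that must be checked against Annex A of the methodology before real use; the status vocabulary, the PoamItem shape, and the sample data are this example's own.

```python
# Added example, not the post's or any vendor's code. WEIGHTS is a
# constructed subset of the NIST SP 800-171 DoD Assessment Methodology
# table (verify every value against Annex A before real use).
# Requirements missing from a statuses dict are treated as implemented.
from dataclasses import dataclass

TOTAL = 110                        # Rev. 2 requirement count and starting score
MIN_POAM_SCORE = TOTAL * 8 // 10   # 88: the 0.8 threshold in 32 CFR 170.21

# Constructed subset of point values; check against the methodology.
WEIGHTS = {
    '3.1.1': 5, '3.1.2': 5, '3.1.3': 1, '3.1.20': 1, '3.1.22': 1,
    '3.3.1': 5, '3.5.3': 5, '3.13.11': 5, '3.14.1': 5,
}
PARTIAL_CREDIT = {'3.5.3', '3.13.11'}  # 'partial' deducts 3 instead of 5
# 32 CFR 170.21(a)(2): these may never be carried on a Level 2 POA&M.
NEVER_ON_POAM = {'3.1.20', '3.1.22', '3.10.3', '3.10.4', '3.10.5'}


@dataclass
class PoamItem:
    requirement: str
    owner: str = ''
    due: str = ''       # milestone date in ISO format; empty means none set
    evidence: str = ''  # what will prove closure


def deduction(req: str, status: str) -> int:
    # Points lost for one requirement, given its status in the SSP.
    if status == 'implemented':
        return 0
    if status == 'partial' and req in PARTIAL_CREDIT:
        return 3
    if status in ('partial', 'not_implemented'):
        return WEIGHTS[req]  # KeyError here means the weight table needs extending
    raise ValueError(f'unknown status {status!r} for {req}')


def basic_score(statuses: dict) -> int:
    # DoD Assessment Methodology summary score: 110 minus every deduction.
    return TOTAL - sum(deduction(r, s) for r, s in statuses.items())


def poam_blockers(statuses: dict) -> list:
    # Reasons the open gaps could not sit on a conditional Level 2 POA&M.
    blockers = []
    score = basic_score(statuses)
    if score < MIN_POAM_SCORE:
        blockers.append(f'score {score} is below the {MIN_POAM_SCORE} minimum')
    for req, status in statuses.items():
        lost = deduction(req, status)
        if lost == 0:
            continue
        if req in NEVER_ON_POAM:
            blockers.append(f'{req} ({status}) may never be on a POA&M')
        elif lost > 1 and not (req == '3.13.11' and lost == 3):
            blockers.append(f'{req} ({status}, {lost} points) cannot be on a POA&M')
    return blockers


def reconcile(statuses: dict, poam: list) -> list:
    # Places where the SSP statuses and the POA&M disagree or are incomplete.
    findings = []
    on_poam = {item.requirement for item in poam}
    for req, status in statuses.items():
        if status == 'implemented' and req in on_poam:
            findings.append(f'{req}: SSP says implemented but the POA&M has an open item')
        if status != 'implemented' and req not in on_poam:
            findings.append(f'{req}: SSP says {status} but nothing is on the POA&M')
    for item in poam:
        missing = [f for f in ('owner', 'due', 'evidence') if not getattr(item, f)]
        if missing:
            findings.append(f'{item.requirement}: POA&M item missing ' + ', '.join(missing))
    return findings


# Constructed sample data modelled on the shop-floor MFA example in the post.
SAMPLE_STATUSES = {
    '3.1.1': 'implemented',
    '3.1.2': 'implemented',
    '3.1.3': 'not_implemented',
    '3.1.20': 'implemented',
    '3.1.22': 'implemented',
    '3.3.1': 'implemented',
    '3.5.3': 'partial',      # MFA for admins and remote users, not general users
    '3.13.11': 'partial',    # encryption in place, but not FIPS validated
    '3.14.1': 'implemented',
}
SAMPLE_POAM = [
    PoamItem('3.1.3', owner='IT lead', due='2026-09-30', evidence='DLP policy export'),
    PoamItem('3.13.11', owner='', due='2026-08-15', evidence='FIPS module screenshot'),
    PoamItem('3.1.1', owner='IT lead', due='2026-07-01', evidence='account list'),
]

if __name__ == '__main__':
    print('score:', basic_score(SAMPLE_STATUSES))
    for line in reconcile(SAMPLE_STATUSES, SAMPLE_POAM) + poam_blockers(SAMPLE_STATUSES):
        print('-', line)
```

On the sample data this prints a score of 103, three reconciliation findings (a POA&M item for a requirement the SSP already calls implemented, an MFA gap with no POA&M item, and an item with no owner), and one blocker: the 3.5.3 gap is worth 3 points and cannot be carried on a conditional POA&M, while the 3.13.11 gap at 3 points can. The point of keeping the three checks as separate functions is that they answer the three different questions a prime, an assessor, and an affirming official will ask.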
For conditional Level 2 and Level 3 status, public CMMC materials point to a 180-day closeout expectation. The final rule also distinguishes assessment-related POA&Ms from normal operational plans of action that a company may use to manage changes, patches, or newly discovered issues after achieving status.\n\nPlain language: not every gap can safely sit in the same bucket.\n\nA useful POA&M should separate:\n\n- Gaps that affect the current assessment score.\n- Operational improvement items that reduce risk but are not part of a conditional CMMC status.\n- Tooling tasks.\n- Policy and procedure updates.\n- Evidence cleanup.\n- Leadership decisions that require money, ownership, or a process change.\n\nThat last category matters more than people want to admit.\n\nSome gaps are not technical. They are business decisions nobody has made yet.\n\nWho approves new users? Who reviews privileged access? Who owns the asset list? Who decides whether a cloud service is allowed? Who can accept risk when a machine cannot be patched the normal way?\n\nIf those answers are missing, the POA&M should not pretend the problem is only a ticket for IT.\n\n## Affirmations raise the leadership stakes\n\nThe word \"affirmation\" sounds harmless until you slow down and think about it.\n\nUnder the CMMC program, affirmations are part of maintaining status. The Department's CMMC page is currently reminding companies to submit affirmations with CMMC assessments in SPRS. The CMMC rule describes an affirming official attesting to continuing compliance after assessments and annually thereafter.\n\nThat is not the same as a consultant saying, \"Looks good.\"\n\nSomeone in the organization is putting their name behind the status.\n\nThis is where I think many SMBs need to mature quickly. Not because executives need to become security engineers. 
They do not.\n\nBut leadership does need a business-level understanding of the security posture.\n\nAn executive should be able to answer:\n\n- What environment are we affirming?\n- What level are we affirming against?\n- What assessment produced the status?\n- What gaps remain?\n- What POA&M commitments exist?\n- What changed since the last assessment?\n- Who is responsible for keeping the program current?\n\nIf those questions cannot be answered in normal business language, the affirmation process is too thin.\n\nThat does not mean leadership should micromanage firewall rules. It means the organization needs a bridge between technical work, compliance status, and executive accountability.\n\nThat bridge is usually missing in small businesses. It is also one of the highest-value things to build.\n\n## Revision 3 is real, but CMMC is still in a transition space\n\nNIST published SP 800-171 Revision 3 in May 2024. It supersedes Revision 2 as the current NIST publication, and NIST also published assessment-related companion material.\n\nAt the same time, current public CMMC Level 2 materials still describe the Level 2 requirement set as aligned to NIST SP 800-171 Revision 2. The Department has also published resources related to Revision 3 organization-defined parameters and transition planning.\n\nThat creates an awkward but manageable reality.\n\nIf you are preparing for a current CMMC Level 2 assessment path, you need to understand the Rev. 2-based CMMC expectations. If you are building a security program that needs to last, you should also understand where Rev. 3 is moving the baseline.\n\nDo not use the transition as an excuse to freeze.\n\nA good program should survive a revision change better than a pile of template documents will.\n\nAccess control, asset inventory, logging, incident response, risk assessment, configuration management, vendor oversight, and evidence discipline are not going out of style.\n\nThe labels may shift. 
The operating backbone still matters.\n\n## What small manufacturers should collect before a prime asks\n\nIf you want to be ready for the supplier conversation, start collecting the boring things.\n\nBoring is good here.\n\nBoring means you are not scrambling.\n\nA useful readiness file might include:\n\n- Current contracts or flowdowns that mention FCI, CUI, DFARS 252.204-7012, DFARS 252.204-7019, DFARS 252.204-7020, DFARS 252.204-7021, CMMC, or NIST SP 800-171.\n- A short CUI and FCI handling summary.\n- A system boundary diagram or written scope summary.\n- Current SSP.\n- Current NIST SP 800-171 assessment worksheet or score basis.\n- Current SPRS summary information.\n- POA&M with owners, dates, and closure evidence.\n- Policies and procedures that match the actual environment.\n- Evidence samples for high-friction controls.\n- Cloud service and external service provider list.\n- User access and privileged access review records.\n- Incident reporting and escalation process.\n- Executive summary for leadership.\n\nDo not overcomplicate the first version. The point is to make the business legible.\n\nA prime contractor may not ask for all of this. A C3PAO assessment may require much more. An internal readiness review may find the first version is incomplete.\n\nThat is fine.\n\nThe goal is not to build the perfect archive overnight. The goal is to stop being dependent on memory, assumptions, and whoever happens to know where the spreadsheet is.\n\n## What not to do\n\nThere are a few traps I would avoid.\n\n**Do not buy tools before you understand scope.** Tools can help, but they do not decide what CUI is, where it lives, or who owns the program.\n\n**Do not copy a giant SSP and call it done.** A big document that nobody can explain is not better than a short document that tells the truth.\n\n**Do not inflate your SPRS score because the real number is uncomfortable.** The discomfort is useful. 
It tells leadership where the business needs to invest.\n\n**Do not treat the POA&M as permanent storage.** If something matters enough to list, it needs an owner and a path to closure.\n\n**Do not let the affirming official be surprised.** If leadership is going to affirm, leadership needs the plain-language version before the button gets clicked.\n\n**Do not make CMMC an IT-only project.** IT can implement a lot of controls. The business still owns scope, contracts, risk, vendors, budgets, and operating decisions.\n\nThat last one is usually the big one.\n\nCMMC sits in the uncomfortable space between security, contracts, operations, and leadership. If you pretend it only belongs to one department, the program gets brittle.\n\n## A practical 30-day path\n\nIf you are starting from scattered documents and a vague sense that \"we need CMMC,\" here is a practical first month.\n\n**Week 1: Find the pressure.**\n\nPull contracts, prime flowdowns, supplier questionnaires, portal requirements, and any customer language that mentions CMMC, CUI, FCI, DFARS, or NIST SP 800-171. Do not interpret everything yet. Just collect the pressure.\n\n**Week 2: Map the information.**\n\nIdentify where FCI and CUI may enter, move, rest, and leave the business. Include email, portals, shared drives, CAD\u002FCAM workflows, ERP, backups, mobile devices, MSP access, and cloud services. This does not need to be beautiful. It needs to be honest.\n\n**Week 3: Reconcile the SSP and score.**\n\nReview the SSP against the actual environment. If you have a current SPRS score, ask whether the scope, evidence, and POA&M still support it. 
If you do not have one, build the score from the SSP and assessment methodology rather than guessing.\n\n**Week 4: Brief leadership.**\n\nTurn the findings into a plain-language summary: what applies, what is in scope, current score posture, major gaps, likely contract risk, top remediation decisions, and what leadership would be affirming if asked.\n\nThat is not a complete CMMC program.\n\nIt is a serious start.\n\nMore importantly, it gives the business a way to have an adult conversation before a bid deadline or customer request turns everything into a fire drill.\n\n## The real value is operational clarity\n\nCMMC gets talked about like a compliance hurdle. It is one.\n\nBut for small manufacturers, the better way to think about this is operational clarity.\n\nDo we know what sensitive information we handle?\n\nDo we know where it lives?\n\nDo we know who can access it?\n\nDo we know which systems protect it?\n\nDo we know what gaps remain?\n\nDo we know who owns the fixes?\n\nDo we know what leadership is affirming?\n\nIf the answer to those questions is mostly yes, you are in a much better position. Not magically compliant. Not guaranteed anything. Just more controlled, more credible, and less dependent on hope.\n\nThat is the point.\n\nA small manufacturer does not need enterprise theater. 
It needs a security program that can be explained, operated, evidenced, and improved.\n\nThe SSP, SPRS score, POA&M, and affirmation process are not the whole program.\n\nThey are the places where the program has to show itself.\n\n## How Trawvid Sec can help\n\nTrawvid Sec helps small manufacturers and regulated businesses turn CMMC pressure into a practical operating plan.\n\nThat can mean scoping the environment, cleaning up the SSP, reviewing SPRS score logic, building a realistic POA&M, preparing leadership for affirmation decisions, or turning scattered security activity into evidence-ready documentation.\n\nThe goal is not to bury the business in paperwork.\n\nThe goal is to make the security story true enough, clear enough, and useful enough that the company can actually operate from it.",{"type":9,"value":10,"toc":11},"minimark",[],{"title":12,"searchDepth":13,"depth":13,"links":14},"",2,[],"CMMC Readiness","Schedule a CMMC readiness consultation","https:\u002F\u002Fcalendar.app.google\u002FqT8vtwaEDG2Pt51o8","2026-06-19","Small manufacturers preparing for CMMC need more than a control checklist. 
They need a defensible scope, usable SSP, honest SPRS score, disciplined POA&M, and leadership-ready affirmation story.","md",false,"\u002Fimg\u002Fcmmc-logo-300x255-1.jpg",{},true,null,"\u002Fblog\u002Fssp-poam-sprs-cmmc-affirmations-small-manufacturers","Current",{"title":5,"description":19},"SSP, POA&M, SPRS, and CMMC Affirmations for Manufacturers",[31,34,37,40,43,46,49,52,55],{"label":32,"url":33},"DoD CIO CMMC","https:\u002F\u002Fdodcio.defense.gov\u002FCMMC\u002F",{"label":35,"url":36},"DoD CIO About CMMC","https:\u002F\u002Fdodcio.defense.gov\u002FCMMC\u002FAbout\u002F",{"label":38,"url":39},"DoD CIO CMMC Resources and Documentation","https:\u002F\u002Fdodcio.defense.gov\u002FCMMC\u002FResources-Documentation\u002F",{"label":41,"url":42},"Federal Register CMMC Program Final Rule","https:\u002F\u002Fwww.federalregister.gov\u002Fdocuments\u002F2024\u002F10\u002F15\u002F2024-22905\u002Fcybersecurity-maturity-model-certification-cmmc-program",{"label":44,"url":45},"Federal Register DFARS CMMC Acquisition Rule","https:\u002F\u002Fwww.federalregister.gov\u002Fdocuments\u002F2025\u002F09\u002F10\u002F2025-17359\u002Fdefense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of",{"label":47,"url":48},"DFARS 252.204-7019","https:\u002F\u002Fwww.acquisition.gov\u002Fdfars\u002F252.204-7019-notice-nistsp-800-171-dod-assessment-requirements.",{"label":50,"url":51},"DFARS 252.204-7020","https:\u002F\u002Fwww.acquisition.gov\u002Fdfars\u002F252.204-7020-nist-sp-800-171dod-assessment-requirements.",{"label":53,"url":54},"Supplier Performance Risk System","https:\u002F\u002Fwww.sprs.csd.disa.mil\u002F",{"label":56,"url":57},"NIST SP 800-171 Revision 3","https:\u002F\u002Fcsrc.nist.gov\u002Fpubs\u002Fsp\u002F800\u002F171\u002Fr3\u002Ffinal","blog\u002Fssp-poam-sprs-cmmc-affirmations-small-manufacturers",[60,61,62,63,64,65],"CMMC","SPRS","SSP","POA&M","NIST 
800-171","Manufacturers","Hkq5UZ5fYx1ePfCksOKqsPViCGlywqvLAjf_loNFhsg",{"data":68,"body":69},{},{"type":70,"children":71},"root",[72,81,87,92,97,102,107,112,117,122,128,133,138,143,148,152,157,162,167,172,177,182,187,192,197,202,207,213,218,223,269,274,279,284,289,294,299,305,310,315,320,325,330,335,340,345,350,383,388,394,399,404,409,414,419,424,429,462,467,472,477,482,488,493,498,503,508,513,518,523,528,533,538,581,586,591,596,602,607,612,617,622,627,632,637,642,647,652,657,662,695,700,705,710,715,721,726,731,736,741,746,751,756,794,799,804,809,815,820,825,830,835,840,845,850,855,861,866,871,876,881,949,954,959,964,969,975,980,990,1000,1010,1020,1030,1040,1045,1050,1056,1061,1069,1074,1082,1087,1095,1100,1108,1113,1118,1123,1128,1134,1139,1144,1149,1154,1159,1164,1169,1174,1179,1184,1189,1194,1199,1204,1210,1215,1220,1225],{"type":73,"tag":74,"props":75,"children":77},"element","h2",{"id":76},"executive-summary",[78],{"type":79,"value":80},"text","Executive summary",{"type":73,"tag":82,"props":83,"children":84},"p",{},[85],{"type":79,"value":86},"A lot of small manufacturers are waiting for a prime contractor, contracting officer, or customer portal to make CMMC feel real.",{"type":73,"tag":82,"props":88,"children":89},{},[90],{"type":79,"value":91},"That is understandable. 
It is also risky.",{"type":73,"tag":82,"props":93,"children":94},{},[95],{"type":79,"value":96},"By the time someone asks for your SPRS score, SSP status, POA&M plan, or CMMC affirmation, the real question is usually not \"Do you know what CMMC is?\"",{"type":73,"tag":82,"props":98,"children":99},{},[100],{"type":79,"value":101},"The real question is: can your business explain the environment, the data, the gaps, the evidence, and the person who is willing to stand behind the answer?",{"type":73,"tag":82,"props":103,"children":104},{},[105],{"type":79,"value":106},"That is a very different question.",{"type":73,"tag":82,"props":108,"children":109},{},[110],{"type":79,"value":111},"CMMC Phase 1 is active. The Department's public CMMC page says Phase 1 runs from November 10, 2025 through November 9, 2026 and focuses primarily on Level 1 and Level 2 self-assessments. Phase 2 begins November 10, 2026 and brings Level 2 certification requirements into more applicable solicitations. The important part is not the date trivia. 
The important part is that CMMC is moving from \"eventually\" into contracting reality.",{"type":73,"tag":82,"props":113,"children":114},{},[115],{"type":79,"value":116},"If you are a small manufacturer, machine shop, industrial supplier, or DoD-adjacent business, the work now is not to panic.",{"type":73,"tag":82,"props":118,"children":119},{},[120],{"type":79,"value":121},"The work is to get your scope, SSP, SPRS score, POA&M, evidence, and affirmation process clean enough that you are not inventing the story under pressure.",{"type":73,"tag":74,"props":123,"children":125},{"id":124},"the-prime-contractor-question-is-usually-a-proxy",[126],{"type":79,"value":127},"The prime contractor question is usually a proxy",{"type":73,"tag":82,"props":129,"children":130},{},[131],{"type":79,"value":132},"A prime contractor may ask a simple question:",{"type":73,"tag":82,"props":134,"children":135},{},[136],{"type":79,"value":137},"\"Do you have a current SPRS score?\"",{"type":73,"tag":82,"props":139,"children":140},{},[141],{"type":79,"value":142},"Or:",{"type":73,"tag":82,"props":144,"children":145},{},[146],{"type":79,"value":147},"\"Are you ready for CMMC?\"",{"type":73,"tag":82,"props":149,"children":150},{},[151],{"type":79,"value":142},{"type":73,"tag":82,"props":153,"children":154},{},[155],{"type":79,"value":156},"\"Can you confirm your Level 2 status?\"",{"type":73,"tag":82,"props":158,"children":159},{},[160],{"type":79,"value":161},"Those questions sound simple because the person asking may only need to complete a supplier review, submit a bid package, or satisfy a flowdown requirement. 
But behind the question sits a whole chain of assumptions.",{"type":73,"tag":82,"props":163,"children":164},{},[165],{"type":79,"value":166},"Do you know whether you handle Federal Contract Information (FCI), Controlled Unclassified Information (CUI), or both?",{"type":73,"tag":82,"props":168,"children":169},{},[170],{"type":79,"value":171},"Do you know which systems are in scope?",{"type":73,"tag":82,"props":173,"children":174},{},[175],{"type":79,"value":176},"Does your System Security Plan describe the actual environment, or does it describe the environment you wish you had?",{"type":73,"tag":82,"props":178,"children":179},{},[180],{"type":79,"value":181},"Is your SPRS score tied to real evidence?",{"type":73,"tag":82,"props":183,"children":184},{},[185],{"type":79,"value":186},"Are your open gaps tracked in a POA&M that leadership understands?",{"type":73,"tag":82,"props":188,"children":189},{},[190],{"type":79,"value":191},"If someone affirms compliance, do they understand what they are affirming?",{"type":73,"tag":82,"props":193,"children":194},{},[195],{"type":79,"value":196},"That is where a lot of small businesses get sideways. They treat the prime's question like an administrative request when it is really a readiness test.",{"type":73,"tag":82,"props":198,"children":199},{},[200],{"type":79,"value":201},"Not a formal assessment, necessarily. 
Not always a pass-fail moment.",{"type":73,"tag":82,"props":203,"children":204},{},[205],{"type":79,"value":206},"But a test of whether the business has enough control over its own security story to answer without guessing.",{"type":73,"tag":74,"props":208,"children":210},{"id":209},"the-four-artifacts-that-show-whether-readiness-is-real",[211],{"type":79,"value":212},"The four artifacts that show whether readiness is real",{"type":73,"tag":82,"props":214,"children":215},{},[216],{"type":79,"value":217},"The language gets messy, so let us simplify it.",{"type":73,"tag":82,"props":219,"children":220},{},[221],{"type":79,"value":222},"For most small manufacturers preparing for CMMC Level 2 pressure, four artifacts matter early:",{"type":73,"tag":224,"props":225,"children":226},"ul",{},[227,239,249,259],{"type":73,"tag":228,"props":229,"children":230},"li",{},[231,237],{"type":73,"tag":232,"props":233,"children":234},"strong",{},[235],{"type":79,"value":236},"SSP:",{"type":79,"value":238}," the system story.",{"type":73,"tag":228,"props":240,"children":241},{},[242,247],{"type":73,"tag":232,"props":243,"children":244},{},[245],{"type":79,"value":246},"SPRS score:",{"type":79,"value":248}," the current score summary.",{"type":73,"tag":228,"props":250,"children":251},{},[252,257],{"type":73,"tag":232,"props":253,"children":254},{},[255],{"type":79,"value":256},"POA&M:",{"type":79,"value":258}," the gap closure plan.",{"type":73,"tag":228,"props":260,"children":261},{},[262,267],{"type":73,"tag":232,"props":263,"children":264},{},[265],{"type":79,"value":266},"Affirmation:",{"type":79,"value":268}," the leadership statement that the organization continues to meet the applicable requirements.",{"type":73,"tag":82,"props":270,"children":271},{},[272],{"type":79,"value":273},"These are not random paperwork objects. They connect to each other.",{"type":73,"tag":82,"props":275,"children":276},{},[277],{"type":79,"value":278},"The SSP explains the system. 
The assessment score reflects how well the requirements are implemented in that system. The POA&M tracks what is not done. The affirmation raises the question of whether leadership can responsibly stand behind the status.",{"type":73,"tag":82,"props":280,"children":281},{},[282],{"type":79,"value":283},"If those four things disagree with each other, the business is fragile.",{"type":73,"tag":82,"props":285,"children":286},{},[287],{"type":79,"value":288},"A common example: the SSP says MFA (requirement 3.5.3) is implemented. The SPRS score takes full credit for it. The POA&M says nothing about access control. Then someone discovers that shared shop-floor accounts still exist, several cloud admin accounts were excluded from MFA enforcement, and old contractor access was never removed.",{"type":73,"tag":82,"props":290,"children":291},{},[292],{"type":79,"value":293},"That is not just a documentation problem. That is an operating problem.",{"type":73,"tag":82,"props":295,"children":296},{},[297],{"type":79,"value":298},"The paperwork revealed it.",{"type":73,"tag":74,"props":300,"children":302},{"id":301},"start-with-scope-or-everything-else-gets-weird",[303],{"type":79,"value":304},"Start with scope, or everything else gets weird",{"type":73,"tag":82,"props":306,"children":307},{},[308],{"type":79,"value":309},"Scope is where the CMMC conversation either becomes useful or turns into theater.",{"type":73,"tag":82,"props":311,"children":312},{},[313],{"type":79,"value":314},"Manufacturers rarely have clean environments. 
They have estimating files, drawings, customer portals, ERP systems, shared drives, email threads, old file servers, CNC programming workflows, quality documentation, vendor remote support, and a few laptops that somehow became \"temporary\" seven years ago.",{"type":73,"tag":82,"props":316,"children":317},{},[318],{"type":79,"value":319},"That is normal.",{"type":73,"tag":82,"props":321,"children":322},{},[323],{"type":79,"value":324},"But normal does not mean ignorable.",{"type":73,"tag":82,"props":326,"children":327},{},[328],{"type":79,"value":329},"Before you can write a useful SSP or self-assess against NIST SP 800-171 honestly, you need to understand where FCI and CUI live. You also need to understand which systems protect or support the ones that handle it, what the CMMC Level 2 scoping guidance calls Security Protection Assets. That includes cloud storage, identity providers, endpoint protection, backups, logging, email security, and MSP access. Specialized assets on the shop floor, such as CNC controllers that touch CUI but cannot be secured like a normal endpoint, are their own category in the scoping guidance and need to be listed too.",{"type":73,"tag":82,"props":331,"children":332},{},[333],{"type":79,"value":334},"The goal is not to shove the entire business into scope because that feels safer. 
That usually makes the work more expensive, more confusing, and harder to maintain.",{"type":73,"tag":82,"props":336,"children":337},{},[338],{"type":79,"value":339},"The goal is also not to play games and pretend CUI never touches anything important.",{"type":73,"tag":82,"props":341,"children":342},{},[343],{"type":79,"value":344},"The goal is a truthful boundary.",{"type":73,"tag":82,"props":346,"children":347},{},[348],{"type":79,"value":349},"A useful scope answers questions like:",{"type":73,"tag":224,"props":351,"children":352},{},[353,358,363,368,373,378],{"type":73,"tag":228,"props":354,"children":355},{},[356],{"type":79,"value":357},"Which contracts, customers, parts, drawings, specifications, or portals create FCI or CUI pressure?",{"type":73,"tag":228,"props":359,"children":360},{},[361],{"type":79,"value":362},"Which users need access to that information?",{"type":73,"tag":228,"props":364,"children":365},{},[366],{"type":79,"value":367},"Which systems process, store, or transmit it?",{"type":73,"tag":228,"props":369,"children":370},{},[371],{"type":79,"value":372},"Which external service providers affect those systems?",{"type":73,"tag":228,"props":374,"children":375},{},[376],{"type":79,"value":377},"Which assets are specialized, isolated, or operationally sensitive?",{"type":73,"tag":228,"props":379,"children":380},{},[381],{"type":79,"value":382},"Which systems are business-important but outside the CMMC assessment boundary?",{"type":73,"tag":82,"props":384,"children":385},{},[386],{"type":79,"value":387},"When the scope is vague, every control discussion turns into fog. 
When the scope is clear, the business can make decisions.",{"type":73,"tag":74,"props":389,"children":391},{"id":390},"the-ssp-is-not-a-template-trophy",[392],{"type":79,"value":393},"The SSP is not a template trophy",{"type":73,"tag":82,"props":395,"children":396},{},[397],{"type":79,"value":398},"The System Security Plan is one of the most abused documents in small business compliance.",{"type":73,"tag":82,"props":400,"children":401},{},[402],{"type":79,"value":403},"A lot of companies treat it like a binder. Fill in the blanks, save the file, put it in a folder, and hope nobody asks hard questions.",{"type":73,"tag":82,"props":405,"children":406},{},[407],{"type":79,"value":408},"That misses the point.",{"type":73,"tag":82,"props":410,"children":411},{},[412],{"type":79,"value":413},"An SSP should explain how the covered environment works. It should describe the boundary, architecture, responsible roles, CAGE codes, implemented requirements, inherited services, external dependencies, and the actual way the business protects the relevant information.",{"type":73,"tag":82,"props":415,"children":416},{},[417],{"type":79,"value":418},"If a new executive, IT provider, assessor, or prime contractor needed to understand your environment, the SSP should help them get oriented.",{"type":73,"tag":82,"props":420,"children":421},{},[422],{"type":79,"value":423},"It does not need to be fancy. 
It does need to be believable.",{"type":73,"tag":82,"props":425,"children":426},{},[427],{"type":79,"value":428},"For a manufacturer, a believable SSP may need to explain awkward realities:",{"type":73,"tag":224,"props":430,"children":431},{},[432,437,442,447,452,457],{"type":73,"tag":228,"props":433,"children":434},{},[435],{"type":79,"value":436},"How drawings move between email, portals, shared drives, and production systems.",{"type":73,"tag":228,"props":438,"children":439},{},[440],{"type":79,"value":441},"Whether ERP data includes CUI or only business records.",{"type":73,"tag":228,"props":443,"children":444},{},[445],{"type":79,"value":446},"Which cloud services are used for storage, collaboration, identity, security, and backup.",{"type":73,"tag":228,"props":448,"children":449},{},[450],{"type":79,"value":451},"How shop-floor or specialized assets are treated when they cannot follow normal endpoint patterns.",{"type":73,"tag":228,"props":453,"children":454},{},[455],{"type":79,"value":456},"How vendors, MSPs, or remote support providers are authorized and monitored.",{"type":73,"tag":228,"props":458,"children":459},{},[460],{"type":79,"value":461},"How evidence is produced when a requirement is marked implemented.",{"type":73,"tag":82,"props":463,"children":464},{},[465],{"type":79,"value":466},"That last part matters.",{"type":73,"tag":82,"props":468,"children":469},{},[470],{"type":79,"value":471},"If the SSP says something is implemented, somebody should be able to point to evidence. Not a vibes-based explanation. Not \"we think the MSP handles that.\" Something real enough to survive a review.",{"type":73,"tag":82,"props":473,"children":474},{},[475],{"type":79,"value":476},"The SSP should not be written for a consultant. 
It should be written for the business.",{"type":73,"tag":82,"props":478,"children":479},{},[480],{"type":79,"value":481},"If your leadership team cannot use it to understand the environment, the document is probably too decorative.",{"type":73,"tag":74,"props":483,"children":485},{"id":484},"sprs-is-not-just-a-number",[486],{"type":79,"value":487},"SPRS is not just a number",{"type":73,"tag":82,"props":489,"children":490},{},[491],{"type":79,"value":492},"SPRS gets reduced to \"what is your score?\"",{"type":73,"tag":82,"props":494,"children":495},{},[496],{"type":79,"value":497},"That is understandable. The score is easy to ask for. It fits in a supplier form. It feels objective.",{"type":73,"tag":82,"props":499,"children":500},{},[501],{"type":79,"value":502},"But the score is not the whole story.",{"type":73,"tag":82,"props":504,"children":505},{},[506],{"type":79,"value":507},"DFARS 252.204-7019 says that, when NIST SP 800-171 applies, an offeror needs a current assessment for each covered contractor information system relevant to the offer. The provision points to SPRS for summary score visibility. DFARS 252.204-7020 defines the Basic Assessment as a contractor self-assessment based on a review of the SSP and the DoD Assessment Methodology.",{"type":73,"tag":82,"props":509,"children":510},{},[511],{"type":79,"value":512},"That means the score is supposed to connect back to the SSP.",{"type":73,"tag":82,"props":514,"children":515},{},[516],{"type":79,"value":517},"If the SSP is weak, the score is weak.",{"type":73,"tag":82,"props":519,"children":520},{},[521],{"type":79,"value":522},"If the scope is wrong, the score is probably wrong.",{"type":73,"tag":82,"props":524,"children":525},{},[526],{"type":79,"value":527},"If the evidence is missing, the score may be hard to defend.",{"type":73,"tag":82,"props":529,"children":530},{},[531],{"type":79,"value":532},"This is why a small manufacturer should not treat SPRS entry like a one-time administrative chore. 
The number should be the output of a real review.",{"type":73,"tag":82,"props":534,"children":535},{},[536],{"type":79,"value":537},"A practical SPRS-ready package usually includes:",{"type":73,"tag":224,"props":539,"children":540},{},[541,546,551,556,561,566,571,576],{"type":73,"tag":228,"props":542,"children":543},{},[544],{"type":79,"value":545},"The system or systems assessed.",{"type":73,"tag":228,"props":547,"children":548},{},[549],{"type":79,"value":550},"The relevant CAGE codes.",{"type":73,"tag":228,"props":552,"children":553},{},[554],{"type":79,"value":555},"The date of assessment.",{"type":73,"tag":228,"props":557,"children":558},{},[559],{"type":79,"value":560},"The NIST SP 800-171 version used for the assessment.",{"type":73,"tag":228,"props":562,"children":563},{},[564],{"type":79,"value":565},"The summary score.",{"type":73,"tag":228,"props":567,"children":568},{},[569],{"type":79,"value":570},"The expected date to reach full implementation, if gaps remain.",{"type":73,"tag":228,"props":572,"children":573},{},[574],{"type":79,"value":575},"The POA&M items that support that expected date.",{"type":73,"tag":228,"props":577,"children":578},{},[579],{"type":79,"value":580},"The evidence or reasoning behind each scored requirement.",{"type":73,"tag":82,"props":582,"children":583},{},[584],{"type":79,"value":585},"The score should not be inflated because a bid is due.",{"type":73,"tag":82,"props":587,"children":588},{},[589],{"type":79,"value":590},"I get the temptation. 
Nobody wants to be the supplier with the ugly number.",{"type":73,"tag":82,"props":592,"children":593},{},[594],{"type":79,"value":595},"But an honest score with a serious remediation plan is much stronger than an optimistic score that collapses the first time someone asks how it was calculated.",{"type":73,"tag":74,"props":597,"children":599},{"id":598},"the-poam-is-not-a-junk-drawer",[600],{"type":79,"value":601},"The POA&M is not a junk drawer",{"type":73,"tag":82,"props":603,"children":604},{},[605],{"type":79,"value":606},"A POA&M is supposed to be a plan of action and milestones.",{"type":73,"tag":82,"props":608,"children":609},{},[610],{"type":79,"value":611},"That name is clunky, but useful. It should show what is not done, who owns it, what will be done, what evidence will prove closure, and when it is expected to be complete.",{"type":73,"tag":82,"props":613,"children":614},{},[615],{"type":79,"value":616},"The problem is that a POA&M often becomes a junk drawer.",{"type":73,"tag":82,"props":618,"children":619},{},[620],{"type":79,"value":621},"Missing MFA? POA&M.",{"type":73,"tag":82,"props":623,"children":624},{},[625],{"type":79,"value":626},"No logging review? POA&M.",{"type":73,"tag":82,"props":628,"children":629},{},[630],{"type":79,"value":631},"No asset inventory? POA&M.",{"type":73,"tag":82,"props":633,"children":634},{},[635],{"type":79,"value":636},"No vendor review? POA&M.",{"type":73,"tag":82,"props":638,"children":639},{},[640],{"type":79,"value":641},"Nobody knows who owns access approvals? POA&M.",{"type":73,"tag":82,"props":643,"children":644},{},[645],{"type":79,"value":646},"That might be fine for internal planning. It is not fine if the business starts treating the POA&M as a place where hard requirements go to age quietly.",{"type":73,"tag":82,"props":648,"children":649},{},[650],{"type":79,"value":651},"The current CMMC program allows limited POA&M use for Level 2 and Level 3, but not Level 1. 
For conditional Level 2 and Level 3 status, public CMMC materials point to a 180-day closeout expectation. The final rule also distinguishes assessment-related POA&Ms from normal operational plans of action that a company may use to manage changes, patches, or newly discovered issues after achieving status.",{"type":73,"tag":82,"props":653,"children":654},{},[655],{"type":79,"value":656},"Plain language: not every gap can safely sit in the same bucket.",{"type":73,"tag":82,"props":658,"children":659},{},[660],{"type":79,"value":661},"A useful POA&M should separate:",{"type":73,"tag":224,"props":663,"children":664},{},[665,670,675,680,685,690],{"type":73,"tag":228,"props":666,"children":667},{},[668],{"type":79,"value":669},"Gaps that affect the current assessment score.",{"type":73,"tag":228,"props":671,"children":672},{},[673],{"type":79,"value":674},"Operational improvement items that reduce risk but are not part of a conditional CMMC status.",{"type":73,"tag":228,"props":676,"children":677},{},[678],{"type":79,"value":679},"Tooling tasks.",{"type":73,"tag":228,"props":681,"children":682},{},[683],{"type":79,"value":684},"Policy and procedure updates.",{"type":73,"tag":228,"props":686,"children":687},{},[688],{"type":79,"value":689},"Evidence cleanup.",{"type":73,"tag":228,"props":691,"children":692},{},[693],{"type":79,"value":694},"Leadership decisions that require money, ownership, or a process change.",{"type":73,"tag":82,"props":696,"children":697},{},[698],{"type":79,"value":699},"That last category matters more than people want to admit.",{"type":73,"tag":82,"props":701,"children":702},{},[703],{"type":79,"value":704},"Some gaps are not technical. They are business decisions nobody has made yet.",{"type":73,"tag":82,"props":706,"children":707},{},[708],{"type":79,"value":709},"Who approves new users? Who reviews privileged access? Who owns the asset list? Who decides whether a cloud service is allowed? 
Who can accept risk when a machine cannot be patched the normal way?",{"type":73,"tag":82,"props":711,"children":712},{},[713],{"type":79,"value":714},"If those answers are missing, the POA&M should not pretend the problem is only a ticket for IT.",{"type":73,"tag":74,"props":716,"children":718},{"id":717},"affirmations-raise-the-leadership-stakes",[719],{"type":79,"value":720},"Affirmations raise the leadership stakes",{"type":73,"tag":82,"props":722,"children":723},{},[724],{"type":79,"value":725},"The word \"affirmation\" sounds harmless until you slow down and think about it.",{"type":73,"tag":82,"props":727,"children":728},{},[729],{"type":79,"value":730},"Under the CMMC program, affirmations are part of maintaining status. The Department's CMMC page is currently reminding companies to submit affirmations with CMMC assessments in SPRS. The CMMC rule describes an affirming official attesting to continuing compliance after assessments and annually thereafter.",{"type":73,"tag":82,"props":732,"children":733},{},[734],{"type":79,"value":735},"That is not the same as a consultant saying, \"Looks good.\"",{"type":73,"tag":82,"props":737,"children":738},{},[739],{"type":79,"value":740},"Someone in the organization is putting their name behind the status.",{"type":73,"tag":82,"props":742,"children":743},{},[744],{"type":79,"value":745},"This is where I think many SMBs need to mature quickly. Not because executives need to become security engineers. 
They do not.",{"type":73,"tag":82,"props":747,"children":748},{},[749],{"type":79,"value":750},"But leadership does need a business-level understanding of the security posture.",{"type":73,"tag":82,"props":752,"children":753},{},[754],{"type":79,"value":755},"An executive should be able to answer:",{"type":73,"tag":224,"props":757,"children":758},{},[759,764,769,774,779,784,789],{"type":73,"tag":228,"props":760,"children":761},{},[762],{"type":79,"value":763},"What environment are we affirming?",{"type":73,"tag":228,"props":765,"children":766},{},[767],{"type":79,"value":768},"What level are we affirming against?",{"type":73,"tag":228,"props":770,"children":771},{},[772],{"type":79,"value":773},"What assessment produced the status?",{"type":73,"tag":228,"props":775,"children":776},{},[777],{"type":79,"value":778},"What gaps remain?",{"type":73,"tag":228,"props":780,"children":781},{},[782],{"type":79,"value":783},"What POA&M commitments exist?",{"type":73,"tag":228,"props":785,"children":786},{},[787],{"type":79,"value":788},"What changed since the last assessment?",{"type":73,"tag":228,"props":790,"children":791},{},[792],{"type":79,"value":793},"Who is responsible for keeping the program current?",{"type":73,"tag":82,"props":795,"children":796},{},[797],{"type":79,"value":798},"If those questions cannot be answered in normal business language, the affirmation process is too thin.",{"type":73,"tag":82,"props":800,"children":801},{},[802],{"type":79,"value":803},"That does not mean leadership should micromanage firewall rules. It means the organization needs a bridge between technical work, compliance status, and executive accountability.",{"type":73,"tag":82,"props":805,"children":806},{},[807],{"type":79,"value":808},"That bridge is usually missing in small businesses. 
It is also one of the highest-value things to build.",{"type":73,"tag":74,"props":810,"children":812},{"id":811},"revision-3-is-real-but-cmmc-is-still-in-a-transition-space",[813],{"type":79,"value":814},"Revision 3 is real, but CMMC is still in a transition space",{"type":73,"tag":82,"props":816,"children":817},{},[818],{"type":79,"value":819},"NIST published SP 800-171 Revision 3 in May 2024. It supersedes Revision 2 as the current NIST publication, and NIST also published assessment-related companion material.",{"type":73,"tag":82,"props":821,"children":822},{},[823],{"type":79,"value":824},"At the same time, current public CMMC Level 2 materials still describe the Level 2 requirement set as aligned to NIST SP 800-171 Revision 2. The Department has also published resources related to Revision 3 organization-defined parameters and transition planning.",{"type":73,"tag":82,"props":826,"children":827},{},[828],{"type":79,"value":829},"That creates an awkward but manageable reality.",{"type":73,"tag":82,"props":831,"children":832},{},[833],{"type":79,"value":834},"If you are preparing for a current CMMC Level 2 assessment path, you need to understand the Rev. 2-based CMMC expectations. If you are building a security program that needs to last, you should also understand where Rev. 3 is moving the baseline.",{"type":73,"tag":82,"props":836,"children":837},{},[838],{"type":79,"value":839},"Do not use the transition as an excuse to freeze.",{"type":73,"tag":82,"props":841,"children":842},{},[843],{"type":79,"value":844},"A good program should survive a revision change better than a pile of template documents will.",{"type":73,"tag":82,"props":846,"children":847},{},[848],{"type":79,"value":849},"Access control, asset inventory, logging, incident response, risk assessment, configuration management, vendor oversight, and evidence discipline are not going out of style.",{"type":73,"tag":82,"props":851,"children":852},{},[853],{"type":79,"value":854},"The labels may shift. 
The operating backbone still matters.",{"type":73,"tag":74,"props":856,"children":858},{"id":857},"what-small-manufacturers-should-collect-before-a-prime-asks",[859],{"type":79,"value":860},"What small manufacturers should collect before a prime asks",{"type":73,"tag":82,"props":862,"children":863},{},[864],{"type":79,"value":865},"If you want to be ready for the supplier conversation, start collecting the boring things.",{"type":73,"tag":82,"props":867,"children":868},{},[869],{"type":79,"value":870},"Boring is good here.",{"type":73,"tag":82,"props":872,"children":873},{},[874],{"type":79,"value":875},"Boring means you are not scrambling.",{"type":73,"tag":82,"props":877,"children":878},{},[879],{"type":79,"value":880},"A useful readiness file might include:",{"type":73,"tag":224,"props":882,"children":883},{},[884,889,894,899,904,909,914,919,924,929,934,939,944],{"type":73,"tag":228,"props":885,"children":886},{},[887],{"type":79,"value":888},"Current contracts or flowdowns that mention FCI, CUI, DFARS 252.204-7012, DFARS 252.204-7019, DFARS 252.204-7020, DFARS 252.204-7021, CMMC, or NIST SP 800-171.",{"type":73,"tag":228,"props":890,"children":891},{},[892],{"type":79,"value":893},"A short CUI and FCI handling summary.",{"type":73,"tag":228,"props":895,"children":896},{},[897],{"type":79,"value":898},"A system boundary diagram or written scope summary.",{"type":73,"tag":228,"props":900,"children":901},{},[902],{"type":79,"value":903},"Current SSP.",{"type":73,"tag":228,"props":905,"children":906},{},[907],{"type":79,"value":908},"Current NIST SP 800-171 assessment worksheet or score basis.",{"type":73,"tag":228,"props":910,"children":911},{},[912],{"type":79,"value":913},"Current SPRS summary information.",{"type":73,"tag":228,"props":915,"children":916},{},[917],{"type":79,"value":918},"POA&M with owners, dates, and closure evidence.",{"type":73,"tag":228,"props":920,"children":921},{},[922],{"type":79,"value":923},"Policies and procedures that match the 
actual environment.",{"type":73,"tag":228,"props":925,"children":926},{},[927],{"type":79,"value":928},"Evidence samples for high-friction controls.",{"type":73,"tag":228,"props":930,"children":931},{},[932],{"type":79,"value":933},"Cloud service and external service provider list.",{"type":73,"tag":228,"props":935,"children":936},{},[937],{"type":79,"value":938},"User access and privileged access review records.",{"type":73,"tag":228,"props":940,"children":941},{},[942],{"type":79,"value":943},"Incident reporting and escalation process.",{"type":73,"tag":228,"props":945,"children":946},{},[947],{"type":79,"value":948},"Executive summary for leadership.",{"type":73,"tag":82,"props":950,"children":951},{},[952],{"type":79,"value":953},"Do not overcomplicate the first version. The point is to make the business legible.",{"type":73,"tag":82,"props":955,"children":956},{},[957],{"type":79,"value":958},"A prime contractor may not ask for all of this. A C3PAO assessment may require much more. An internal readiness review may find the first version is incomplete.",{"type":73,"tag":82,"props":960,"children":961},{},[962],{"type":79,"value":963},"That is fine.",{"type":73,"tag":82,"props":965,"children":966},{},[967],{"type":79,"value":968},"The goal is not to build the perfect archive overnight. 
The goal is to stop being dependent on memory, assumptions, and whoever happens to know where the spreadsheet is.",{"type":73,"tag":74,"props":970,"children":972},{"id":971},"what-not-to-do",[973],{"type":79,"value":974},"What not to do",{"type":73,"tag":82,"props":976,"children":977},{},[978],{"type":79,"value":979},"There are a few traps I would avoid.",{"type":73,"tag":82,"props":981,"children":982},{},[983,988],{"type":73,"tag":232,"props":984,"children":985},{},[986],{"type":79,"value":987},"Do not buy tools before you understand scope.",{"type":79,"value":989}," Tools can help, but they do not decide what CUI is, where it lives, or who owns the program.",{"type":73,"tag":82,"props":991,"children":992},{},[993,998],{"type":73,"tag":232,"props":994,"children":995},{},[996],{"type":79,"value":997},"Do not copy a giant SSP and call it done.",{"type":79,"value":999}," A big document that nobody can explain is not better than a short document that tells the truth.",{"type":73,"tag":82,"props":1001,"children":1002},{},[1003,1008],{"type":73,"tag":232,"props":1004,"children":1005},{},[1006],{"type":79,"value":1007},"Do not inflate your SPRS score because the real number is uncomfortable.",{"type":79,"value":1009}," The discomfort is useful. 
It tells leadership where the business needs to invest.",{"type":73,"tag":82,"props":1011,"children":1012},{},[1013,1018],{"type":73,"tag":232,"props":1014,"children":1015},{},[1016],{"type":79,"value":1017},"Do not treat the POA&M as permanent storage.",{"type":79,"value":1019}," If something matters enough to list, it needs an owner and a path to closure.",{"type":73,"tag":82,"props":1021,"children":1022},{},[1023,1028],{"type":73,"tag":232,"props":1024,"children":1025},{},[1026],{"type":79,"value":1027},"Do not let the affirming official be surprised.",{"type":79,"value":1029}," If leadership is going to affirm, leadership needs the plain-language version before the button gets clicked.",{"type":73,"tag":82,"props":1031,"children":1032},{},[1033,1038],{"type":73,"tag":232,"props":1034,"children":1035},{},[1036],{"type":79,"value":1037},"Do not make CMMC an IT-only project.",{"type":79,"value":1039}," IT can implement a lot of controls. The business still owns scope, contracts, risk, vendors, budgets, and operating decisions.",{"type":73,"tag":82,"props":1041,"children":1042},{},[1043],{"type":79,"value":1044},"That last one is usually the big one.",{"type":73,"tag":82,"props":1046,"children":1047},{},[1048],{"type":79,"value":1049},"CMMC sits in the uncomfortable space between security, contracts, operations, and leadership. 
If you pretend it only belongs to one department, the program gets brittle.",{"type":73,"tag":74,"props":1051,"children":1053},{"id":1052},"a-practical-30-day-path",[1054],{"type":79,"value":1055},"A practical 30-day path",{"type":73,"tag":82,"props":1057,"children":1058},{},[1059],{"type":79,"value":1060},"If you are starting from scattered documents and a vague sense that \"we need CMMC,\" here is a practical first month.",{"type":73,"tag":82,"props":1062,"children":1063},{},[1064],{"type":73,"tag":232,"props":1065,"children":1066},{},[1067],{"type":79,"value":1068},"Week 1: Find the pressure.",{"type":73,"tag":82,"props":1070,"children":1071},{},[1072],{"type":79,"value":1073},"Pull contracts, prime flowdowns, supplier questionnaires, portal requirements, and any customer language that mentions CMMC, CUI, FCI, DFARS, or NIST SP 800-171. Do not interpret everything yet. Just collect the pressure.",{"type":73,"tag":82,"props":1075,"children":1076},{},[1077],{"type":73,"tag":232,"props":1078,"children":1079},{},[1080],{"type":79,"value":1081},"Week 2: Map the information.",{"type":73,"tag":82,"props":1083,"children":1084},{},[1085],{"type":79,"value":1086},"Identify where FCI and CUI may enter, move, rest, and leave the business. Include email, portals, shared drives, CAD\u002FCAM workflows, ERP, backups, mobile devices, MSP access, and cloud services. This does not need to be beautiful. It needs to be honest.",{"type":73,"tag":82,"props":1088,"children":1089},{},[1090],{"type":73,"tag":232,"props":1091,"children":1092},{},[1093],{"type":79,"value":1094},"Week 3: Reconcile the SSP and score.",{"type":73,"tag":82,"props":1096,"children":1097},{},[1098],{"type":79,"value":1099},"Review the SSP against the actual environment. If you have a current SPRS score, ask whether the scope, evidence, and POA&M still support it. 
If you do not have one, build the score from the SSP and assessment methodology rather than guessing.",{"type":73,"tag":82,"props":1101,"children":1102},{},[1103],{"type":73,"tag":232,"props":1104,"children":1105},{},[1106],{"type":79,"value":1107},"Week 4: Brief leadership.",{"type":73,"tag":82,"props":1109,"children":1110},{},[1111],{"type":79,"value":1112},"Turn the findings into a plain-language summary: what applies, what is in scope, current score posture, major gaps, likely contract risk, top remediation decisions, and what leadership would be affirming if asked.",{"type":73,"tag":82,"props":1114,"children":1115},{},[1116],{"type":79,"value":1117},"That is not a complete CMMC program.",{"type":73,"tag":82,"props":1119,"children":1120},{},[1121],{"type":79,"value":1122},"It is a serious start.",{"type":73,"tag":82,"props":1124,"children":1125},{},[1126],{"type":79,"value":1127},"More importantly, it gives the business a way to have an adult conversation before a bid deadline or customer request turns everything into a fire drill.",{"type":73,"tag":74,"props":1129,"children":1131},{"id":1130},"the-real-value-is-operational-clarity",[1132],{"type":79,"value":1133},"The real value is operational clarity",{"type":73,"tag":82,"props":1135,"children":1136},{},[1137],{"type":79,"value":1138},"CMMC gets talked about like a compliance hurdle. 
It is one.",{"type":73,"tag":82,"props":1140,"children":1141},{},[1142],{"type":79,"value":1143},"But for small manufacturers, the better way to think about this is operational clarity.",{"type":73,"tag":82,"props":1145,"children":1146},{},[1147],{"type":79,"value":1148},"Do we know what sensitive information we handle?",{"type":73,"tag":82,"props":1150,"children":1151},{},[1152],{"type":79,"value":1153},"Do we know where it lives?",{"type":73,"tag":82,"props":1155,"children":1156},{},[1157],{"type":79,"value":1158},"Do we know who can access it?",{"type":73,"tag":82,"props":1160,"children":1161},{},[1162],{"type":79,"value":1163},"Do we know which systems protect it?",{"type":73,"tag":82,"props":1165,"children":1166},{},[1167],{"type":79,"value":1168},"Do we know what gaps remain?",{"type":73,"tag":82,"props":1170,"children":1171},{},[1172],{"type":79,"value":1173},"Do we know who owns the fixes?",{"type":73,"tag":82,"props":1175,"children":1176},{},[1177],{"type":79,"value":1178},"Do we know what leadership is affirming?",{"type":73,"tag":82,"props":1180,"children":1181},{},[1182],{"type":79,"value":1183},"If the answer to those questions is mostly yes, you are in a much better position. Not magically compliant. Not guaranteed anything. Just more controlled, more credible, and less dependent on hope.",{"type":73,"tag":82,"props":1185,"children":1186},{},[1187],{"type":79,"value":1188},"That is the point.",{"type":73,"tag":82,"props":1190,"children":1191},{},[1192],{"type":79,"value":1193},"A small manufacturer does not need enterprise theater. 
It needs a security program that can be explained, operated, evidenced, and improved.",{"type":73,"tag":82,"props":1195,"children":1196},{},[1197],{"type":79,"value":1198},"The SSP, SPRS score, POA&M, and affirmation process are not the whole program.",{"type":73,"tag":82,"props":1200,"children":1201},{},[1202],{"type":79,"value":1203},"They are the places where the program has to show itself.",{"type":73,"tag":74,"props":1205,"children":1207},{"id":1206},"how-trawvid-sec-can-help",[1208],{"type":79,"value":1209},"How Trawvid Sec can help",{"type":73,"tag":82,"props":1211,"children":1212},{},[1213],{"type":79,"value":1214},"Trawvid Sec helps small manufacturers and regulated businesses turn CMMC pressure into a practical operating plan.",{"type":73,"tag":82,"props":1216,"children":1217},{},[1218],{"type":79,"value":1219},"That can mean scoping the environment, cleaning up the SSP, reviewing SPRS score logic, building a realistic POA&M, preparing leadership for affirmation decisions, or turning scattered security activity into evidence-ready documentation.",{"type":73,"tag":82,"props":1221,"children":1222},{},[1223],{"type":79,"value":1224},"The goal is not to bury the business in paperwork.",{"type":73,"tag":82,"props":1226,"children":1227},{},[1228],{"type":79,"value":1229},"The goal is to make the security story true enough, clear enough, and useful enough that the company can actually operate from it.",1781896802938]