Pinned
Welcome to the CMMC Readiness Vault: What This Community Is/Isn't
If you are here, you are serious about CMMC. Whether you are a small business owner staring down a DFARS clause for the first time, an IT professional who just got tapped to lead your company's compliance effort, a consultant building a CMMC practice, or a university research security officer trying to figure out how to stand up a CUI enclave, this community exists for one reason: to help you get ready.

Let me be direct about something from the start. Taking courses in the Classroom as they become available does not make you CMMC-compliant.

This community is for you if:
✅ You handle IT, security, or compliance for a defense contractor
✅ You are preparing for a CMMC Level 1 self-assessment or Level 2 C3PAO audit
✅ You work in higher education and handle CUI or defense research contracts
✅ You are tired of vague guidance and want practical, implementable steps
✅ You want a community of peers who are navigating the same maze

This is probably not for you if:
❌ You are looking for a C3PAO to assess your organization (we do not do that here)
❌ You want someone to do the compliance work for you
❌ You are not willing to put in the work to understand your own environment

If what you've read above strikes a harmonic chord within you, then join this community and let's build a space where knowledge and experience can be put to good use.

As courses become available in this community, they teach you the framework, requirements, implementation strategies, and assessment process. They provide you with the knowledge and tools to build a compliance program. But completing a course is not the same as implementing 110 security controls, building a System Security Plan, passing a C3PAO assessment, and earning a certification. Anyone who tells you otherwise is selling something you should not buy.

This community will help prepare you for compliance. That distinction matters, and I want every member to understand it clearly:
- Readiness means you understand what CMMC requires and why.
- Readiness means you can identify your required level, scope your environment, and build a realistic implementation plan.
- Readiness means you know how to write an SSP, structure a POA&M, collect evidence, and prepare your team for an assessor's questions.
- Readiness means you can walk into the compliance process with clarity instead of confusion, and confidence instead of panic.
Pinned
Community Guidelines: Read This Before You Post
This community works because its members share openly, ask honest questions, and help each other solve real problems. To keep it that way, there are some clear boundaries everyone needs to understand and respect.

What You CAN Share
- General questions about CMMC requirements, processes, and strategies. Example: "We are trying to decide between VLAN-based segmentation and a separate physical network for our CUI enclave. What have others done at our size?"
- Lessons learned from your compliance journey (what worked, what did not, what you would do differently). These are some of the most valuable posts in the community.
- Questions about specific NIST SP 800-171 practices, control families, or implementation approaches. Example: "How are people handling the audit log retention requirement when storage costs are a concern?"
- Experiences with C3PAOs, assessment preparation, evidence gathering, and the assessment process itself (without disclosing proprietary assessment findings).
- Career questions about the CCA, CCP, and consulting paths.
- Questions about tooling and technology: firewalls, SIEM platforms, MFA solutions, cloud environments (GCC High, AWS GovCloud), endpoint protection, and similar topics.
- University and higher education-specific CMMC challenges (enclave design, faculty engagement, institutional governance).

What You CANNOT Share - This is critical. Read it carefully.

Do NOT post any Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), or any data that carries CUI markings. This community is hosted on Skool, which is a commercial platform. It is not a CUI-authorized environment. It is not encrypted to FIPS 140-2 standards. It is not within anyone's Assessment Boundary. Posting CUI here would be a compliance violation for you and potentially for your organization.

Do NOT post specific technical details about your organization's security architecture that could be exploited. You can say "we use a FortiGate firewall at our boundary." You should not post your firewall rule set, your network diagram with IP addresses, your vulnerability scan results, or your SSP contents. Your CISO will get mad. I will get mad. Turbulence will be the expected result. Discuss approaches and strategies in general terms. Keep the specifics inside your organization.
Pinned
Who I Am and Why You Should Trust What You Learn Here
I am JD Ussery, and I am building The CMMC Readiness Vault and this community because I am a practitioner and saw a gap that needed to be filled. There is no shortage of CMMC content. There are webinars, white papers, LinkedIn posts, vendor pitches disguised as education, and plenty of consultants who discovered CMMC six months ago and now claim to be experts. What is in short supply is practical, accurate, implementation-focused guidance built by someone who is doing this work. That is what I bring to the table. Here is my background so you can evaluate it for yourself.

The IT Leadership Foundation

I serve as Associate CIO of Enterprise Applications at the University of Arkansas, Fayetteville, where I oversee enterprise and business application teams for a major research university. Before that, I held IT leadership roles at the University of Wisconsin-Madison and in the private sector, including Vitro Corp, RCA, Crop Production Services, CSC, and IBM. My career spans enterprise IT architecture, data governance, information security, and the operational realities of running complex technology environments in large organizations. I hold CIGO (Certified Information Governance Officer), PMP, and ITIL certifications. I am not a theorist. I have spent decades managing the systems, processes, and organizational dynamics required by CMMC compliance. I am a CMMC Registered Practitioner (RP) and working toward Registered Practitioner Advanced (RPA) certification.

The CMMC Practitioner Perspective

My CMMC work is grounded in direct, hands-on experience. At the university level, I am working on CMMC compliance documentation, including System Security Plans, procedure manuals, authorization and access registers, and the workflow specifications needed to operationalize NIST SP 800-171 controls in a complex institutional environment. I understand the unique challenges of implementing CMMC in higher education: shared governance, transient research workforces, faculty autonomy, and the scoping complexity of CUI in a research university. Course 5 (CMMC for Higher Education) will address this specifically with the depth it requires.
Keeping up with the changes
I've created a separate category for posts about changes in the CMMC world!
Hi Stephen,
Welcome to the CMMC Readiness Vault. Thanks for joining! As you can see, we're just getting started. As more members join, I hope to keep the conversations flowing in the Community area. If you know of anyone who might be interested in all things CMMC, send them this way. If there's anything in particular you are interested in or have questions about, please let me know...and welcome aboard!
CMMC Readiness Vault
skool.com/cmmc-readiness-vault
Learn how to prepare for CMMC Compliance. Practitioner-led CMMC Readiness community. Real implementation guidance, templates, and peer support.