By role.
The same program, summarized three times — for the person who signs, the person who builds, and the person who keeps the record.
CMMC lands differently depending on the chair you sit in. These are compact role summaries — what you own, the facts that matter most from your seat, and your first three moves — for executives, technical leads, and compliance owners. They compress the desk; the routes on Start Here read it in full.
01For the executive who signs
What you own. The affirmation — most likely with your name on it, as the Affirming Official — and the decisions with money and signature attached: whether to scope an enclave or the whole company, which provider contracts to hold or change, and when the assessment happens. What you do not own is the level: your contracts set that, not your preference and not a vendor’s (The Levels).
Five facts, from your chair. An affirmation is a representation to the government, renewed annually at every level and again at POA&M closeout — the DOJ’s Civil Cyber-Fraud Initiative has pursued False Claims Act cases over cybersecurity misrepresentations, so it deserves the same care as anything else you certify. A status is only current while both clocks run: the assessment (annual at Level 1, triennial above) and the affirmation (annual). Conditional status is a 180-day, non-extendable window, not a comfortable holding pattern. Whether Level 2 means self-assessment or a C3PAO is written in each solicitation. And DoD’s own cost estimates — the desk cites them, hedged, in the FAQ — cover assessment and affirmation, not the security work itself; budget accordingly.
First three moves. Have someone produce the one-sentence-per-contract summary of what is actually required (Start Here signals). Read The Levels once, yourself — it is the ten minutes that makes every later briefing shorter. Put the affirmation and reassessment dates on a calendar that survives staff turnover, with a named owner.
02For the technical lead who builds
What you own. Scope and implementation: where the boundary sits, what is inside it, and whether the 110 requirements’ objectives are actually met on the systems that matter — plus the evidence those systems throw off as they run.
Five facts, from your chair. The boundary decision sizes everything — assessment cost, remediation scope, and how much of the network you answer for (Scope & Boundary). Three families — AC, SC, and IA — carry 49 of the 110 requirements between them, so access, communications protection, and authentication are where the engineering hours go (Domains, with an at-a-glance box on every family page). MFA is read literally against every access path the requirement names — email-only MFA is the classic partial (IA). “Encrypted” and “FIPS-validated” are different claims, and 3.13.11 turns on the second one (SC). And evidence is ordinary output — tickets, configs, logs — not a binder built the week before (Evidence, SSP & POA&M).
First three moves. Trace where FCI and CUI actually flow, including the places nobody scoped on purpose (The Data, section 05). Sort every asset into the five categories and settle the enclave question on operational grounds. Then walk the families in weight order, naming an artifact per objective as you go (Gap analysis).
03For the compliance owner who keeps the record
What you own. The record the program actually checks: a current SSP, the POA&M and its clock, the SPRS entries and CMMC UIDs, the affirmation calendar, and the artifacts — retained six years from the status date.
Five facts, from your chair. The SSP can never sit on a POA&M — it is one of six requirements excluded outright, so its currency is non-negotiable (the SSP). POA&M eligibility is narrow: at least 88 of 110, 1-point items only, one named 3-point exception, 180 days, no extensions (the mechanics). The bar an assessor applies is the assessment objectives, not the requirement sentences — track your evidence at that level (Gap analysis). SPRS is the system of record, and a legacy 800-171 score there is not a CMMC Status (SPRS, explained). And the affirmation is the shortest clock in the whole program — the easiest thing to miss and the most expensive to have missed.
First three moves. Read Evidence, SSP & POA&M end to end — it is the desk’s page for your chair. Check the SSP against the typical shape and against the live network, not last year’s. Stand up the two calendars — affirmation and reassessment — with owners, and confirm who holds the SPRS role in PIEE before anything is due (SPRS, explained).
04If you’re the MSP or ESP
Your summary is shorter because the desk already routes you: your services, responsibility matrix, and the client infrastructure that connects to you become part of your client’s assessment story — not a substitute for it. Scope & Boundary section 04 carries the mechanics, and Route 3 on Start Here reads the desk in your order.
05Sources
These summaries compress pages that carry their own inline citations — the load-bearing ones here are 32 CFR 170.15–170.22 (assessment paths, POA&M limits, affirmations, artifact retention), 32 CFR 170.24 (scoring), NIST SP 800-171 Rev. 2 and SP 800-171A (requirements and objectives), and the DOJ Civil Cyber-Fraud Initiative announcement (the False Claims Act context for affirmations). The Source Library carries the full bibliography with when-to-reach-for-it notes.