Lesson 03 of 11
Overview
This episode breaks down the Controls Panel as the practical center of CMMC Level 2 compliance, showing how to map existing security practices to NIST SP 800-171 controls and identify real gaps. It also walks through a simple first step: use the Access Control domain, document AC-2 honestly, and let one saved control turn compliance into manageable progress.
Welcome back. Let’s talk about the Controls Panel, because this is where the real work happens. If the Dashboard is your health check-up, this page is the training room. It’s the hands-on workspace. It’s where CMMC Level 2 stops being this big abstract idea and starts becoming actual, trackable work.

Now, Level 2 requires 110 specific security controls from NIST SP 800-171. And I know, the minute folks hear that number, they kind of tense up. One hundred and ten sounds like somebody dropped a phone book on your desk and said, “Good luck.” But take a breath. You are probably not starting from zero. In fact, you almost certainly are not. That’s the first thing I want to make real clear. A lot of companies, especially manufacturing firms, machine shops, aerospace suppliers, IT support teams, are already doing part of this work through the normal tools they use every day. They just may not be calling it by the control name yet. That’s a very different problem than having nothing at all.

So, for example, if you already have Windows password policies in place, well, you’ve already started on account management. If you’ve got a firewall protecting your environment, you’re already addressing boundary protection. If your team backs up data, then you’re doing work that connects to contingency planning. That matters. A lot.

And that’s really the spirit of this page. The Controls Panel is not telling you to build all 110 controls from scratch with your bare hands and a cup of cold coffee. It’s helping you document what already exists and then identify the actual gaps. That’s a much more manageable task. I’ve seen people get stuck because they assume compliance starts only when they buy some shiny new tool. Sometimes it does require new work, sure. But often the first win is simply recognizing, “Oh, wait a minute, we do have password rules. We do have backups. We do have some protections in place.” That recognition creates momentum, and momentum is precious.
On this page, all 110 controls are organized by domain, and each control can be opened up as a card. The helpful part here is that the cards are written in plain English, not dense technical jargon. So instead of staring at a requirement and wondering what on earth it means, you can see what it means, what you need to do, and what proof you need. That’s a big shift from confusion to action. And each control card gives you practical tools right there: status editing, notes, Upload Evidence, Ask AI About This, and Generate Policy. So you’re not bouncing all over the system trying to remember what comes next. The workflow is right in front of you. If you need proof, there’s a place for it. If you need explanation, there’s a button for that. If you need policy language, same story.

There’s also a bigger ecosystem around this, which is pretty smart. The Dashboard gives you the readiness view. The Health Report shows your domain scores. The Evidence Locker stores proof. The POA&M Tracker helps you manage gaps. Documents can generate your SSP and policies using your real control statuses. So the Controls Panel isn’t isolated. It’s the operational center that connects all that other stuff.

So if you remember one thing from this first part, make it this: the Controls Panel is where compliance gets practical. It’s not about panic. It’s not about pretending you’re perfect. It’s about saying, “Here’s what we already do, here’s what we can prove, and here’s what still needs attention.” Honestly, that’s how good compliance work starts.

Alright, so how do you actually use this page without getting overwhelmed? Keep it simple. Use the domain filter and focus on one area at a time. That’s the move. Don’t try to swallow all 110 controls in one sitting, because that’s how perfectly smart people end up staring into space wondering why they opened the laptop in the first place. The recommended place to start is the Access Control domain, or AC.
Usually that’s the easiest place to begin because most companies already have some kind of password or account management in place. Maybe not polished, maybe not fully documented, but usually something is there. That makes it a good starting point because you can get early wins.

Now, when you open a control, your job is to mark the status honestly. Not optimistically. Not aspirationally. Honestly. There are three status choices, and they’re pretty straightforward. Compliant means you do this and you have evidence to prove it. In Progress means you are building it or improving it right now. Non-Compliant means it’s a gap that has not been addressed yet. That middle one, In Progress, is important, because it gives you room to be truthful without feeling like you failed some kind of quiz. A lot of compliance work lives there for a while. And that’s okay. The goal is accuracy. Honest documentation beats perfect documentation every time. I’ll say that again because folks need to hear it: honest documentation beats perfect documentation every time.

For each control, add a one-sentence note explaining how you meet it. Keep it plain. Keep it specific. Something like, “MFA enforced via Azure AD,” or “All laptops encrypted with BitLocker.” Short notes like that are gold, because they tell an assessor exactly how you’re meeting the requirement. If you need more room, you can click the edit icon and expand the card. And this is where the system really helps you. Every control card can also connect to evidence, and the AI on the page knows the exact control and your compliance status. So when you use Ask AI About This, you’re not getting some generic lecture. You’re getting help tied to that one specific control. Same with policy generation. It all stays grounded in the work you’re doing.

So here’s your first action step, and I mean like right now after this episode. Go to the Access Control domain and find AC-2, Account Management. Mark the status. If you have password policies, mark it Compliant. If you don’t, mark it Non-Compliant. If you’re in the middle of getting it sorted, well, In Progress may be the honest answer. Then add one sentence describing what’s in place and save it. That’s it. Don’t overcomplicate it. One control. One status. One sentence. Save.

And I know that can sound almost too simple, but simple is exactly what breaks the ice. Once you mark one control, then maybe you do three or four. Once you do three or four, the page starts to feel less like a wall and more like a checklist. You begin to see progress instead of just requirements. So start with AC. Be honest. Document what you actually do. Use the tools on the card when you need help. And let that first saved control build a little momentum. That’s the work. That’s the rhythm. We’ll keep walking through it next time.
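To make the status-plus-note-plus-evidence workflow concrete, here is a small Python model of what one control record carries and the two checks an assessor would apply to it: a control marked Compliant must have evidence behind it, and every control needs its one-sentence note. This is an added example written for this lesson, not the product's own code or data model. The Status names and AC-2 come from the lesson; the other control ids, titles, notes and evidence file names are constructed placeholders, and the domain score is simply the share of tracked controls marked Compliant (an assumption about how a Health Report might score a domain, not a claim about the tool).

```python
"""Model of the Controls Panel workflow: one record per control, an honest
status, a one-sentence note, and attached evidence. Constructed example."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Status(str, Enum):
    COMPLIANT = "Compliant"          # done, and provable with evidence
    IN_PROGRESS = "In Progress"      # being built or improved right now
    NON_COMPLIANT = "Non-Compliant"  # known gap, not yet addressed


@dataclass
class Control:
    control_id: str                  # e.g. "AC-2"
    domain: str                      # domain prefix, e.g. "AC"
    title: str
    status: Status
    note: str = ""                   # one sentence on how the control is met
    evidence: list[str] = field(default_factory=list)  # files kept as proof


def validate(control: Control) -> list[str]:
    """Reasons this record would not hold up in front of an assessor."""
    issues = []
    if control.status is Status.COMPLIANT and not control.evidence:
        issues.append(f"{control.control_id}: Compliant without evidence")
    if not control.note.strip():
        issues.append(f"{control.control_id}: missing implementation note")
    return issues


def domain_scores(controls: list[Control]) -> dict[str, float]:
    """Percent of each domain's tracked controls marked Compliant (assumed scoring)."""
    totals: dict[str, int] = {}
    done: dict[str, int] = {}
    for c in controls:
        totals[c.domain] = totals.get(c.domain, 0) + 1
        if c.status is Status.COMPLIANT:
            done[c.domain] = done.get(c.domain, 0) + 1
    return {d: round(100 * done.get(d, 0) / n, 1) for d, n in totals.items()}


def poam_candidates(controls: list[Control]) -> list[str]:
    """Controls that belong on a POA&M: anything not yet Compliant."""
    return [c.control_id for c in controls if c.status is not Status.COMPLIANT]


# Constructed sample records. AC-2 is from the lesson; the rest are placeholders.
SAMPLE = [
    Control("AC-2", "AC", "Account Management", Status.COMPLIANT,
            "Domain password policy and account lifecycle enforced via Group Policy.",
            ["gpo-password-policy-export.pdf"]),
    Control("AC-3", "AC", "Access Enforcement", Status.IN_PROGRESS,
            "File-share ACLs being reviewed against the role list."),
    Control("SC-7", "SC", "Boundary Protection", Status.COMPLIANT,
            "Perimeter firewall with default-deny inbound rules."),  # no evidence yet
    Control("CP-9", "CP", "System Backup", Status.NON_COMPLIANT),     # empty note
]


def review(controls: list[Control] = SAMPLE) -> dict:
    """One pass over the records: findings, domain scores, POA&M list."""
    findings = [msg for c in controls for msg in validate(c)]
    return {
        "findings": findings,
        "scores": domain_scores(controls),
        "poam": poam_candidates(controls),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(key, value)
```

Run as-is, the review flags SC-7 (Compliant but nothing in the evidence list) and CP-9 (no note), scores AC at 50 percent, and lists AC-3 and CP-9 as POA&M candidates. The first check is the one worth keeping in mind when you mark AC-2: Compliant is only honest if the proof is attached.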