CMMC 2.0 Readiness: Baseline to Audit Evidence

Lesson 04 of 11

CMMC Journey Page: Your Roadmap to Audit Ready

From CMMC Compliance Partner

Overview

Learn how the My Journey page breaks CMMC Level 2 into manageable stages, from Foundation and Discovery through Build, Prove, and Audit Ready. The episode also explains how to use domain progress, update control status, and add notes to keep your compliance work clear and actionable.

CMMC 2.0 Readiness: Baseline to Audit Evidence: CMMC Journey Page: Your Roadmap to Audit Ready — full transcript

Alright, let’s talk about the My Journey page, because this is one of those screens that can calm people down in about ten seconds. And with CMMC, that is no small miracle. If you’re in the Defense Industrial Base and you open a compliance platform, your first thought is usually not, “Ah yes, peace and clarity.” It’s more like, “How bad is this gonna be?” The good news is, the Journey page is not where the hardest work happens. It’s the roadmap. It’s the zoomed-out view. If the Controls page is where you roll up your sleeves and do the heavy lifting, the Journey page is where you figure out where you are, what comes next, and how not to wander into the compliance woods without a map.

That matters because CMMC Level 2 is built around all 110 controls from NIST SP 800-171 Rev 2. One hundred and ten is a real number. It is not a motivational number. Nobody sees 110 controls and says, “Wonderful, I’ll knock that out before lunch.” So this page breaks that mountain into five manageable basecamps. That’s really the right way to think about it. You’re not leaping to the summit in one move. You’re moving stage by stage.

At the top, you’ve got the Journey Progress Bar. Nice and linear. Clear. No mystery novel energy. Just five stages from day one to audit ready.

Stage 1 is Foundation. This is where you start telling the system who your company is. Onboarding, initial assessment, the basics that shape everything else. Company profile, industry context, those early security questions. It’s less glamorous than people want, but I mean, foundations usually are. Nobody brags about concrete until the house stays standing.

Stage 2 is Discovery. This is where the platform starts helping you uncover what you already have. And honestly, this is where a lot of companies get a little breathing room. Through document scanning and gap analysis, you begin to identify controls you may already be meeting, even if nobody had formally mapped them yet. That’s a common story. You’ve got good practices, good tools, decent processes, but they’ve been living in people’s heads or scattered across documents.

Stage 3 is Build. This is the phase where you create what’s missing, especially policies and procedures. If Discovery tells you what’s there and what’s not, Build is where you close those gaps. It’s practical work. Draft the policy. Clarify the process. Make it real. Not just “we should probably do this,” but “here is how we do this.” Big difference.

Stage 4 is Prove. And this one is huge, because compliance is not just about saying the right things. It’s showing them. This is your evidence-gathering phase. You upload proof that controls are actually operating. Screenshots, records, documents, whatever supports the case. Auditors are not grading vibes. They want evidence.

Then Stage 5 is Audit Ready. That’s the finish line. Or maybe better said, it’s the point where the card unlocks and you know you’re in shape for a professional assessor. Doesn’t mean the journey was easy. It means it was organized. And that’s the whole design idea here.

So if you’re new and this page feels almost too simple, that’s actually a good sign. Good compliance tools reduce panic. They don’t add decorative confusion. My Journey is there to help you see the path: first get grounded, then discover, then build, then prove, then get ready for audit. One stage at a time, one basecamp at a time, instead of staring at 110 controls like they all need your attention by 4 p.m.

Now below those stages, you’ll see the Domain Progress grid, and this is where the roadmap starts getting specific. The 110 controls are organized into 14 domains, or families, like Access Control, Incident Response, Physical Protection, Audit and Accountability, all the core areas in NIST 800-171. Each card shows a real-time percentage for how many controls in that domain are complete. I like this view because it helps you stop thinking about compliance as one giant blob. You can see where you’re stronger, where you’re weaker, and where to focus next. Maybe Access Control is moving along, but Incident Response is lagging. Maybe Physical Protection is in better shape than you expected. That kind of visibility is useful, especially for smaller contractors who don’t have a giant internal compliance team sitting around with color-coded binders.

And let me say this part plainly: if everything starts at 0%, do not panic. Really. Zero on the screen does not automatically mean zero in real life. It often just means zero has been documented in the system yet. Those are very different things. A lot of organizations already meet at least some requirements without realizing it. If you’re using modern tools like Microsoft 365, if you’ve got MFA turned on, if laptops are encrypted, if you’re using a managed firewall, if access is at least somewhat controlled, you may already have meaningful pieces in place. Where was I going with that? Oh right: the Journey page is where you start tracking those wins, not where they magically first appear.

So what should you do next? Pretty simple game plan. First, click into the Foundation card and finish that company profile work. Get onboarding done. The better that starting information is, the more useful the rest of the platform becomes, especially the recommendations and analysis.

Second, use the domain view to focus on one area at a time. And the recommendation here is to start with Access Control, AC. That’s usually one of the easiest domains to document first because most companies already have something to say there. Who has access, how accounts are handled, whether MFA is enabled, how devices are protected, that sort of thing. It gives you momentum, and momentum matters.

Third, read the control titles and plain-English guidance. You do not need to memorize regulatory language like you’re cramming for some very unpleasant trivia night. The point is to understand what each control is asking for in normal human terms. Then update the status. Mark controls as Compliant, In Progress, or Non-Compliant based on where you actually are. Honest beats optimistic every single time in compliance work. If it’s half done, say it’s in progress. If it’s missing, mark it that way and move on to fixing it.

And finally, add short notes explaining how you meet the control. Keep it simple. “All laptops encrypted.” “MFA enabled for email and VPN.” “Visitor access logged at front desk.” That little note field does more work than people expect. It captures the how. And that “how” is exactly the kind of thing an auditor needs to understand later.

So the Journey page is really doing two jobs at once. It shows progress in a way that’s easy to digest, and it nudges you toward the next right action. Not every action. Just the next one. And in CMMC, that’s usually how good programs get built anyway, steady and documented, one clear move after another. We’ll keep building on that.