CMMC Compliance Services

CMMC Certification Preparation to Ensure You Will Keep & Grow You DoD Business

Keeping confidential government/military information secure from prying eyes is critical to our national sovereignty and economy. Yet companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have only been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 guidance… until now.

The self-attestation approach hasn’t worked very well, as evidenced by notable breaches of critical government information. This has driven the U.S. Department of Defense (DOD) and other government agencies to mandate a higher level of attestation; the Cybersecurity Maturity Model Certification (CMMC).


Ready to talk? Click here to schedule time with a CMMC expert
CMMC Compliance Services

The DOD’s CMMC formally went into effect in Q3 of 2020.

Since the standard has only recently been finalized, it would be presumptuous for us (or anyone) to be called CMMC “experts.” We are, however, experts at developing and managing information security and privacy management systems that comply with government and industry regulations. We have also helped organizations ranging from $500K to $3B comply with DFARS clause 252.204-7012 and NIST SP 800-171 which covers 110 of the 131 controls required for CMMC Level 3 certification. So, while CMMC is a new certification scheme — the process of preparing for CMMC certification isn’t.

Pivot Point Security is on the Registered Provider Organization (RPO) list, has all CMMC related staff on the Registered Practitioner (RP) List, and submitted our application as an Organization Seeking Certification (OSC). We are as far down the path as anyone can be.

Why Choose Pivot Point Security for CMMC Compliance & Preparation Services

Helping organizations like your’s prove you’re secure and compliant (so you can grow your businesses) is what we have done for thousands of clients over the last 20+ years.

CMMC compliance Pivot Point Security Experience


When you work with Pivot Point Security, you don’t need to re-invent the wheel…

CMMC compliance certification proven process

You Have 4 Ways to Reach CMMC Certification With Pivot Point Security

These Options are Built To Meet Varying Budget, Timeline, Current Control Maturity, & Expertise/Resourcing Needs

cmmc compliance options

The Stakes are High… Make Sure You Have the Chips to Stay in the Game

CMMC certification will be an absolute requirement to bid on DOD RFPs and/or have a contract awarded. For many SMBs impacted by the CMMC, DOD contracts make up a substantial percentage of their revenue—making CMMC certification a “go big or go home” proposition.

cmmc compliance services - unhappy

CMMC Compliance & Certification Can Make You Stronger

We believe there is a Darwinian element to CMMC. Those organizations that can “adapt” to the new reality, will not only survive, but are likely to prosper, by taking business from those that can’t adapt. Be the pigeon, not the dodo.

cmmc compliance services - working


When does CMMC go into effect?

V1.0 of the CMMC was released on January 31st 2020. The audit program is being developed and should be in full effect by fall of 2020.  CMMC will appear in Requests for Information (RFI’s) and Requests for Proposal (RFP’s) as early as August 2020.

How many controls (practices) does CMMC require?

There are different controls totals for each level within CMMC:

  • CMMC Level 1: 17 Practices
  • CMMC Level 2: 72 Practices & 34 Processes
  • CMMC Level 3: 130 Practices & 51 Processes (This is the 1st level that fully achieved NIST SP 800-171 coverage)
  • CMMC Level 4: 156 Practices & 68 Processes
  • CMMC Level 5: 171 Practices & 85 Processes

What is the minimum CMMC level you need to reach NIST SP 800-171?

CMMC Level 3 is the first target level fully addressing NIST 800-171 and it covers 20 controls beyond NIST SP 800-171 (a total of 130).

If I’m not CMMC certified what does that mean?

Starting as early as August 2020, you will no longer be able to submit proposals to provide services in the DoD supply chain.

What is the difference between CMMC and NIST?

CMMC is a certifiable standard that requires regular audits to obtain and maintain certification. NIST is a self-attestable standard that allows organizations to self-attest to their own security maturity.

If we have relatively immature security program, how long will it take to get CMMC certified?

A reasonable assumption for achieving Level 3 CMMC readiness is 6 – 10 months.

How much does CMMC certification cost?

Until teh auditor program is fully established the actual cost of the audit has not yet been established. A reasonable guess for the audit is $20 – 40K.

Establishing an information security program that is capable of being CMMC Level 3 certified can be a notable expense dependent upon the current maturity of your program.  If you already have a mature NIST 800-171 compliant environment in place it may be $20K or less.  If you are starting from scratch it could be $50 – 150K.  See this blog for a better explanation on the price ranges.

What is the difference between CMMC and NIST 800-171?

CMMC is a certifiable standard that requires a third party audit to confirm that you are compliant with the standard, NIST-800-171 is (or was 😆) a self-attestable standard to protect the same CUI that CMMC does.  All organizations that become CMMC certified (level 3 or higher) will still need to be 800-171 conforming and the CMMC certification will demonstrate that they have achieved 800-171 as well.

With the DoD’s more “limited roll out” I heard about should we get CMMC certified this year?

Many of the companies in the Defense Industrial Base we are speaking with believe that it will be a competitive advantage to do so. Our understanding is that larger Prime’s will either require or favor those that are as they are building “pursuit teams”.

Should we start preparing for CMMC with a Gap Assessment?

A gap assessment is a good approach if you know that you have a very mature information security program that includes the required CMMC artifacts (e.g., Risk Assessment, System Security Plan, etc.).  If not, you are better off viewing this as an implementation, with establishing the scope of your CUI environment as the best first step.  See this blog for additional detail on approach.