CMMC Compliance Services

CMMC Certification Preparation to Ensure You Will Keep & Grow Your DoD Business

What is the Cybersecurity Maturity Model Certification 2.0 (CMMC)?

Safeguarding controlled government/military data from unauthorized disclosure/release is critical to our national security and economic freedom. Yet companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have only been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 regulatory requirements… until now.

The self-attestation approach hasn’t worked very well, as evidenced by notable breaches of critical government information in both the public and private sector. This has driven the U.S. Department of Defense (DoD) and other government agencies to mandate a higher level of attestation: the Cybersecurity Maturity Model Certification (CMMC).

Keeping confidential government/military information secure from prying eyes is critical to our national sovereignty and economy. Companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 guidance since the enactment of DFARS 252.204-7012 in 2016. With CMMC v1 in 2020 and now CMMC 2.0, organizations handling more sensitive data will need to undergo third-party audits.

Defense suppliers mandated to comply with CMMC 2.0 Level 2 (Advanced) and participating in programs deemed critical to national security (so-called “prioritized acquisitions”) must undergo an independent certification audit by a C3PAO. Defense suppliers mandated to comply with CMMC 2.0 Level 3 (Expert) will be audited by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

However, those DIB organizations that must achieve CMMC 2.0 Level 2 (Advanced) compliance but are working only on “non-prioritized acquisitions” can now self-attest to their CMMC compliance. The major difference for these firms from DFARS 7012 obligations is that the self-attestation cadence is now annual and must be accompanied by a letter of affirmation by a senior executive.

Companies that handle only Federal Contract Information (FCI) and not CUI and need to comply only with the 17 practices at CMMC 2.0 Level 1 (Foundational) can also self-attest to their compliance.

Once rulemaking on CMMC 2.0 is complete, the CMMC level required to win a project will be listed in the solicitation and in any Requests for Information (RFIs). This means that your company must be in compliance with its CMMC 2.0 attestation requirements (self-attestation or third-party attestation) at the time of contract award to be eligible to win the bid.

Perhaps even more important, many Primes likely will require their pursuit team members and other critical suppliers to be CMMC 2.0 compliant — even in cases where the contract does not yet require it.

One last consideration: If your current contract has a DFARS 252.204-7012 clause, you are still contractually obligated to be provably NIST SP 800-171 compliant regardless of CMMC 2.0 rulemaking. The DCMA/DIBCAC has been more aggressive about enforcing this, even leveraging the False Claims Act to impose fines on DIB organizations that are not doing what they have said they have done.

Why Choose Pivot Point Security for CMMC Compliance & Preparation Services

Helping organizations like yours prove you’re secure and compliant (so you can grow your business) is what we have done for thousands of clients over the last 20+ years.

When you work with Pivot Point Security for CMMC Compliance & Certification Preparation, you don’t need to re-invent the wheel…

You Have 4 Ways to Reach CMMC Certification With Pivot Point Security

These Options are Built To Meet Varying Budget, Timeline, Current Control Maturity, & Expertise/Resourcing Needs

Guide

Perfect if you have time and a DIY spirit but need EXPERTISE, light IMPLEMENTATION SUPPORT, and CONFIDENCE you will achieve certification.

Collaborate

Partner

Turnkey

The Stakes are High… Make Sure You Have the Chips to Stay in the Game

CMMC certification will be an absolute requirement to win DOD RFPs and/or have a contract awarded. For many SMBs impacted by the CMMC, DOD contracts make up a substantial percentage of their revenue—making CMMC certification a “go big or go home” proposition.

CMMC Compliance & Certification Can Make You Stronger

We believe there is a Darwinian element to CMMC. Those organizations that can “adapt” to the new reality will not only survive but are likely to prosper by taking business from those that can’t adapt. Be the pigeon, not the dodo.

CMMC FAQs

Frequently Asked Questions

When will CMMC 2.0 go into effect?

V1.0 of the CMMC, which was released on January 31, 2020, has been suspended and will not be included in any contracts.

The rulemaking process required to implement CMMC 2.0 is expected to take 9 to 24 months starting from November 2021, so the earliest DoD is likely to roll out CMMC requirements is August 2022.

How many controls (practices) does CMMC 2.0 require?

If we’re not CMMC certified what does that mean?

If we have a relatively immature security program, how long will it take to get CMMC certified?

How much will CMMC 2.0 certification cost?

What is the difference between CMMC 2.0 and NIST 800-171?

When should we get CMMC certified?

Should we start preparing for CMMC 2.0 with a Gap Analysis/Assessment?
