CMMC Compliance Services
CMMC Certification Preparation to Ensure You Will Keep & Grow You DoD Business
Safeguarding controlled government/military data from unauthorized disclosure/release is critical to our national security and economic freedom. Yet companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have only been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 regulatory requirements… until now.
The self-attestation approach hasn’t worked very well, as evidenced by notable breaches of critical government information in both the public and private sector. This has driven the U.S. Department of Defense (DOD) and other government agencies to mandate a higher level of attestation; the Cybersecurity Maturity Model Certification (CMMC).
Click here to schedule time with a CMMC expert
Keeping confidential government/military information secure from prying eyes is critical to our national sovereignty and economy. Yet companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have only been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 guidance… until now.
Instead, CMMC requires each organization to undergo a third party audit to determine the maturity of their information security controls. Your maturity level (1→5) is used to determine which RFPs you are “qualified” to pursue.
The CMMC level required to win a project will be listed in Request for Proposals (RFP) sections L and M and used as a “go/no-go decision.” This means that instead of the ability to bid, win a contract, and then comply post-award with cybersecurity requirements, DoD contractors will have to be certified to that CMMC level required in advance, to be eligible to win the bid.
Perhaps even more important, many Primes are requiring their pursuit team members to be CMMC certified — even in cases where the contract does not yet require it.
One last note to consider, if your current contract has a DFAR252.204-7012 clause, whether you choose to pursue CMMC Level 3 or not, you still are contractually obligated to be provably NIST SP 800-171 compliant. The DCMA/DIBCAC have been more aggressive about enforcing this, even leveraging the False Claims Act to enact fines on DIB organizations who are not doing what they have said they have done.
Achieving and maintaining your CMMC certification is important, but so are a lot of things on your plate. Finding the time and expertise on your staff to make sure security gets the attention it needs is a challenge.
Why Choose Pivot Point Security for CMMC Compliance & Preparation Services
Helping organizations like your’s prove you’re secure and compliant (so you can grow your businesses) is what we have done for thousands of clients over the last 20+ years.
When you work with Pivot Point Security for CMMC Compliance & Certification Preparation, you don’t need to re-invent the wheel…
You Have 4 Ways to Reach CMMC Certification With Pivot Point Security
These Options are Built To Meet Varying Budget, Timeline, Current Control Maturity, & Expertise/Resourcing Needs
GUIDE
Perfect if you have time and a DIY spirit but need EXPERTISE, light IMPLEMENTATION SUPPORT, and CONFIDENCE you will achieve certification.
COLLABORATE
Perfect if you need EXPERTISE, heavy IMPLEMENTATION SUPPORT, and CONFIDENCE you will achieve certification.
PARTNER
Perfect if you need EXPERTISE, heavy IMPLEMENTATION SUPPORT, and CONFIDENCE you will achieve & maintain certification.
TURNKEY
Perfect if you need EXPERTISE, heavy IMPLEMENTATION SUPPORT, and CONFIDENCE you will achieve certification FAST and maintain certification.
Think you are ready for your C3PAO Security Assessment now and want to have confidence you will pass your audit? A CMMC Readiness Assessment may be just what you need!
READY
Perfect if you need EXPERTISE and CONFIDENCE you are ready for you C3PAO Security Assessment.
The Stakes are High… Make Sure You Have the Chips to Stay in the Game
CMMC certification will be an absolute requirement to win DOD RFPs and/or have a contract awarded. For many SMBs impacted by the CMMC, DOD contracts make up a substantial percentage of their revenue—making CMMC certification a “go big or go home” proposition.
CMMC Compliance & Certification Can Make You Stronger
We believe there is a Darwinian element to CMMC. Those organizations that can “adapt” to the new reality, will not only survive, but are likely to prosper, by taking business from those that can’t adapt. Be the pigeon, not the dodo.
CMMC FAQ’s
When does CMMC go into effect?
V1.0 (now 1.02) of the CMMC was released on January 31st 2020. The audit program and training program are being developed and should be in full effect by fall/winter of 2020. CMMC will appear in Requests for Information (RFI’s) and Requests for Proposal (RFP’s) as early as November 2020.
How many controls (practices) does CMMC require?
There are different controls totals for each level within CMMC:
- CMMC Level 1: 17 Practices
- CMMC Level 2: 72 Practices & 34 Processes
- CMMC Level 3: 130 Practices & 51 Processes (This is the 1st level that fully achieved NIST SP 800-171 coverage)
- CMMC Level 4: 156 Practices & 68 Processes
- CMMC Level 5: 171 Practices & 85 Processes
What is the minimum CMMC level you need to reach NIST SP 800-171?
CMMC Level 3 is the first target level fully addressing NIST 800-171 and it covers 20 controls beyond NIST SP 800-171 (a total of 130).
If I’m not CMMC certified what does that mean?
In the near future, you will no longer be able to win proposals to provide services in the DoD supply chain.
If we have relatively immature security program, how long will it take to get CMMC certified?
A reasonable assumption for achieving Level 3 CMMC readiness is 6 – 10 months. It will ultimately depend on institutional knowledge and how long you can get your “new normal” baked into your company culture & day to day processes.
How much does CMMC certification cost?
Until the auditor program is fully established the actual cost of the audit has not yet been established. A reasonable guess for a C3PAO audit is $20 – 40K.
Establishing an information security program that is capable of being CMMC Level 3 certified can be a notable expense dependent upon the current maturity of your program. If you already have a mature NIST 800-171 compliant environment in place it may be $20K or less. If you are starting from scratch it could be $50 – 150K. See this blog for a better explanation on the price ranges.
What is the difference between CMMC and NIST 800-171?
CMMC is a certifiable standard that requires a third party audit to confirm that you are compliant with the standard, NIST-800-171 is (or was 😆) a self-attestable standard to protect the same CUI that CMMC does. All organizations that become CMMC certified (level 3 or higher) will still need to be 800-171 conforming and the CMMC certification will demonstrate that they have achieved 800-171 as well.
With the DoD’s more “limited roll out” I heard about should we get CMMC certified this year?
Many of the companies in the Defense Industrial Base we are speaking with believe that it will be a competitive advantage to do so. Our understanding is that larger Prime’s will either require or favor those that are as they are building “pursuit teams”.
Should we start preparing for CMMC with a Gap Analysis/Assessment?
A gap assessment is a good approach if you know that you have a very mature information security program that includes the required CMMC artifacts (e.g., Risk Assessment, System Security Plan, etc.). If not, you are better off viewing this as an implementation, with establishing the scope of your CUI environment as the best first step. See this blog for additional detail on approach.
The Pivot Point Security team have done an excellent job outlining the steps to become CMMC Level #3 compliant
Thanks for the high praise! We like our process too :)