- What is the Cybersecurity Maturity Model Certification 2.0 (CMMC)?
- Why Choose Pivot Point Security for CMMC Compliance & Preparation Services
- When you work with Pivot Point Security for CMMC Compliance & Certification Preparation, you don’t need to re-invent the wheel…
- You Have 4 Ways to Reach CMMC Certification With Pivot Point Security
- The Stakes are High… Make Sure You Have the Chips to Stay in the Game
- CMMC Compliance & Certification Can Make You Stronger
- CMMC FAQs
What is the Cybersecurity Maturity Model Certification 2.0 (CMMC)?
Safeguarding controlled government/military data from unauthorized disclosure/release is critical to our national security and economic freedom. Yet companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have only been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 regulatory requirements… until now.
The self-attestation approach hasn’t worked very well, as evidenced by notable breaches of critical government information in both the public and private sector. This has driven the U.S. Department of Defense (DOD) and other government agencies to mandate a higher level of attestation; the Cybersecurity Maturity Model Certification (CMMC).
Keeping confidential government/military information secure from prying eyes is critical to our national sovereignty and economy. Companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 guidance since the enactment of DFARS 252.204-7012 in 2016. With CMMC v1 in 2020 and now CMMC 2.0, organizations handling more sensitive data will need to undergo third-party audits.
Defense suppliers mandated to comply with CMMC 2.0 Level 2 (Advanced) and participating in programs deemed critical to national security (so-called “prioritized acquisitions”) must undergo an independent certification audit by a C3PAO. Defense suppliers mandated to comply with CMMC 2.0 Level 3 (Expert) will be audited by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
However, those DIB organizations that must achieve CMMC 2.0 Level 2 (Advanced) compliance but are working only on “non-prioritized acquisitions” can now self-attest to their CMMC compliance. The major difference for these firms from DFARS 7012 obligations is that the self-attestation cadence is now annual and must be accompanied by a letter of affirmation by a senior executive.
Companies that handle only Federal Contract Information (FCI) and not CUI and need to comply only with the 17 practices at CMMC 2.0 Level 1 (Foundational) can also self-attest to their compliance.
Once rulemaking on CMMC 2.0 is complete, the CMMC level required to win a project will be listed in the solicitation and in any Requests for Information (RFIs). This means that your company must be in compliance with its CMMC 2.0 attestation requirements (self-attestation or third-party attestation) at the time of contract award to be eligible to win the bid.
Perhaps even more important, many Primes likely will require their pursuit team members and other critical suppliers to be CMMC 2.0 compliant — even in cases where the contract does not yet require it.
One last consideration: If your current contract has a DFARS 252.204-7012 clause, you still are contractually obligated to be provably NIST SP 800-171 compliant regardless of CMMC 2.0 rulemaking. The DCMA/DIBCAC has been more aggressive about enforcing this, even leveraging the False Claims Act to enact fines on DIB organizations that are not doing what they have said they have done.
Why Choose Pivot Point Security for CMMC Compliance & Preparation Services
Helping organizations like your’s prove you’re secure and compliant (so you can grow your businesses) is what we have done for thousands of clients over the last 20+ years.
When you work with Pivot Point Security for CMMC Compliance & Certification Preparation, you don’t need to re-invent the wheel…
When you work with Pivot Point Security for CMMC Compliance & Certification Preparation, you don’t need to re-invent the wheel…
You Have 4 Ways to Reach CMMC Certification With Pivot Point Security
Guide
Perfect if you have time and a DIY spirit but need EXPERTISE, light IMPLEMENTATION SUPPORT, and CONFIDENCE you will achieve certification.
Collaborate
Perfect if you have time and a DIY spirit but need EXPERTISE, light IMPLEMENTATION SUPPORT, and CONFIDENCE you will achieve certification.
Partner
Perfect if you have time and a DIY spirit but need EXPERTISE, light IMPLEMENTATION SUPPORT, and CONFIDENCE you will achieve certification.
Turnkey
Perfect if you have time and a DIY spirit but need EXPERTISE, light IMPLEMENTATION SUPPORT, and CONFIDENCE you will achieve certification.
The Stakes are High… Make Sure You Have the Chips to Stay in the Game
CMMC certification will be an absolute requirement to win DOD RFPs and/or have a contract awarded. For many SMBs impacted by the CMMC, DOD contracts make up a substantial percentage of their revenue—making CMMC certification a “go big or go home” proposition.
CMMC Compliance & Certification Can Make You Stronger
We believe there is a Darwinian element to CMMC. Those organizations that can “adapt” to the new reality, will not only survive, but are likely to prosper, by taking business from those that can’t adapt. Be the pigeon, not the dodo.
CMMC FAQs
Frequently Asked Questions
V1.0 of the CMMC, which was released on January 31 2020, has been suspended and will not be included in any contracts.
The rulemaking process required to implement CMMC 2.0 is expected to take 9 to 24 months starting from November 2021, so the earliest DoD is likely to roll out CMMC requirements is August 2022.
V1.0 of the CMMC, which was released on January 31 2020, has been suspended and will not be included in any contracts.
The rulemaking process required to implement CMMC 2.0 is expected to take 9 to 24 months starting from November 2021, so the earliest DoD is likely to roll out CMMC requirements is August 2022.
V1.0 of the CMMC, which was released on January 31 2020, has been suspended and will not be included in any contracts.
The rulemaking process required to implement CMMC 2.0 is expected to take 9 to 24 months starting from November 2021, so the earliest DoD is likely to roll out CMMC requirements is August 2022.
V1.0 of the CMMC, which was released on January 31 2020, has been suspended and will not be included in any contracts.
The rulemaking process required to implement CMMC 2.0 is expected to take 9 to 24 months starting from November 2021, so the earliest DoD is likely to roll out CMMC requirements is August 2022.
V1.0 of the CMMC, which was released on January 31 2020, has been suspended and will not be included in any contracts.
The rulemaking process required to implement CMMC 2.0 is expected to take 9 to 24 months starting from November 2021, so the earliest DoD is likely to roll out CMMC requirements is August 2022.
V1.0 of the CMMC, which was released on January 31 2020, has been suspended and will not be included in any contracts.
The rulemaking process required to implement CMMC 2.0 is expected to take 9 to 24 months starting from November 2021, so the earliest DoD is likely to roll out CMMC requirements is August 2022.
V1.0 of the CMMC, which was released on January 31 2020, has been suspended and will not be included in any contracts.
The rulemaking process required to implement CMMC 2.0 is expected to take 9 to 24 months starting from November 2021, so the earliest DoD is likely to roll out CMMC requirements is August 2022.
V1.0 of the CMMC, which was released on January 31 2020, has been suspended and will not be included in any contracts.
The rulemaking process required to implement CMMC 2.0 is expected to take 9 to 24 months starting from November 2021, so the earliest DoD is likely to roll out CMMC requirements is August 2022.