CMMC Compliance Services
CMMC Certification Preparation to Ensure You Will Keep & Grow You DoD Business
Safeguarding controlled government/military data from unauthorized disclosure/release is critical to our national security and economic freedom. Yet companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have only been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 regulatory requirements… until now.
The self-attestation approach hasn’t worked very well, as evidenced by notable breaches of critical government information in both the public and private sector. This has driven the U.S. Department of Defense (DOD) and other government agencies to mandate a higher level of attestation; the Cybersecurity Maturity Model Certification (CMMC).
Start a discussion with a CMMC expert
Keeping confidential government/military information secure from prying eyes is critical to our national sovereignty and economy. Companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 guidance since the enactment of DFARS 252.204-7012 in 2016. With CMMC v1 in 2020 and now CMMC 2.0, organizations handling more sensitive data will need to undergo third-party audits.
Defense suppliers mandated to comply with CMMC 2.0 Level 2 (Advanced) and participating in programs deemed critical to national security (so-called “prioritized acquisitions”) must undergo an independent certification audit by a C3PAO. Defense suppliers mandated to comply with CMMC 2.0 Level 3 (Expert) will be audited by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
However, those DIB organizations that must achieve CMMC 2.0 Level 2 (Advanced) compliance but are working only on “non-prioritized acquisitions” can now self-attest to their CMMC compliance. The major difference for these firms from DFARS 7012 obligations is that the self-attestation cadence is now annual and must be accompanied by a letter of affirmation by a senior executive.
Companies that handle only Federal Contract Information (FCI) and not CUI and need to comply only with the 17 practices at CMMC 2.0 Level 1 (Foundational) can also self-attest to their compliance.
Once rulemaking on CMMC 2.0 is complete, the CMMC level required to win a project will be listed in the solicitation and in any Requests for Information (RFIs). This means that your company must be in compliance with its CMMC 2.0 attestation requirements (self-attestation or third-party attestation) at the time of contract award to be eligible to win the bid.
Perhaps even more important, many Primes likely will require their pursuit team members and other critical suppliers to be CMMC 2.0 compliant — even in cases where the contract does not yet require it.
One last consideration: If your current contract has a DFARS 252.204-7012 clause, you still are contractually obligated to be provably NIST SP 800-171 compliant regardless of CMMC 2.0 rulemaking. The DCMA/DIBCAC has been more aggressive about enforcing this, even leveraging the False Claims Act to enact fines on DIB organizations that are not doing what they have said they have done.
Achieving and maintaining your CMMC certification is important, but so are a lot of things on your plate. Finding the time and expertise on your staff to make sure security gets the attention it needs is a challenge.
Why Choose Pivot Point Security for CMMC Compliance & Preparation Services
Helping organizations like your’s prove you’re secure and compliant (so you can grow your businesses) is what we have done for thousands of clients over the last 20+ years.
When you work with Pivot Point Security for CMMC Compliance & Certification Preparation, you don’t need to re-invent the wheel…
You Have 4 Ways to Reach CMMC Certification With Pivot Point Security
These Options are Built To Meet Varying Budget, Timeline, Current Control Maturity, & Expertise/Resourcing Needs
GUIDE
Perfect if you have time and a DIY spirit but need EXPERTISE, light IMPLEMENTATION SUPPORT, and CONFIDENCE you will achieve certification.
COLLABORATE
Perfect if you need EXPERTISE, heavy IMPLEMENTATION SUPPORT, and CONFIDENCE you will achieve certification.
PARTNER
Perfect if you need EXPERTISE, heavy IMPLEMENTATION SUPPORT, and CONFIDENCE you will achieve & maintain certification.
TURNKEY
Perfect if you need EXPERTISE, heavy IMPLEMENTATION SUPPORT, and CONFIDENCE you will achieve certification FAST and maintain certification.
Think you are ready for your C3PAO Security Assessment now and want to have confidence you will pass your audit? A CMMC Readiness Assessment may be just what you need!
READY
Perfect if you need EXPERTISE and CONFIDENCE you are ready for you C3PAO Security Assessment.
The Stakes are High… Make Sure You Have the Chips to Stay in the Game
CMMC certification will be an absolute requirement to win DOD RFPs and/or have a contract awarded. For many SMBs impacted by the CMMC, DOD contracts make up a substantial percentage of their revenue—making CMMC certification a “go big or go home” proposition.
CMMC Compliance & Certification Can Make You Stronger
We believe there is a Darwinian element to CMMC. Those organizations that can “adapt” to the new reality, will not only survive, but are likely to prosper, by taking business from those that can’t adapt. Be the pigeon, not the dodo.
CMMC FAQs
When will CMMC 2.0 go into effect?
V1.0 of the CMMC, which was released on January 31 2020, has been suspended and will not be included in any contracts.
The rulemaking process required to implement CMMC 2.0 is expected to take 9 to 24 months starting from November 2021, so the earliest DoD is likely to roll out CMMC requirements is August 2022.
How many controls (practices) does CMMC 2.0 require?
There are different controls totals for each level within CMMC 2.0:
- CMMC Level 1: 17 Practices (same as CMMC V1 Level 1)
- CMMC Level 2: 110 Practices (This is the level that fully achieves NIST SP 800-171 coverage)
- CMMC Level 3: This level is not yet fully defined, and the number of practices is still to be determined. Since Level 3 (equivalent to CMMC V1 Level 5) will be based on NIST SP 800-172, “Enhanced Security Controls,” which defines 35 controls beyond NIST SP 800-171, it will define somewhere between 110 and 145 practices.
What is the minimum CMMC level you need to reach NIST SP 800-171?
CMMC 2.0 Level 2 is the first target level fully addressing NIST 800-171.
If we’re not CMMC certified what does that mean?
In the near future, you will no longer be able to win proposals to provide services in the DoD supply chain.
If we have a relatively immature security program, how long will it take to get CMMC certified?
A reasonable assumption for achieving Level 2 CMMC 2.0 readiness is 6 to 10 months. It will ultimately depend on organizational knowledge and how soon you can get your “new normal” baked into your company culture and day-to-day processes.
How much will CMMC 2.0 certification cost?
Significant cost reduction, especially for SMBs, was a key goal of CMMC 2.0. The DoD has stated its intention to “publish a comprehensive cost analysis associated with each level of CMMC 2.0 as part of rulemaking.” If your business needs to undergo a third-party assessment, costs will vary based on factors like the complexity of your unclassified network for the certification scope, how close you are today to meeting the requirements for the CMMC level in your contract, as well as market forces. Of course, your overall CMMC 2.0 certification costs will be lower if you can self-attest to compliance.
Some ballpark cost estimates include:
- For a CMMC Level 2 C3PAO assessment, you could expect approximately 30 person-days of effort and a cost of $60,000 to $90,000.
- If you are starting from scratch to build a NIST 800-171 conforming cybersecurity program, your costs could be $50,000 to $150,000. If you already have a mature cybersecurity program, costs to provably establish NIST 800-171 compliance could be $20,000 or less.
- If you have cost estimates for CMMC v1, your CMMC 2.0 costs should be lower since the maturity requirements are no longer part of the program.
What is the difference between CMMC 2.0 and NIST 800-171?
Both CMMC 2.0 Level 2 and NIST 800-171 are intended to protect Controlled Unclassified Information (CUI), and CMMC 2.0 is based on the 110 controls specified by NIST 800-171. Further, CMMC 2.0 is a certifiable standard that requires either a third-party audit or a self-assessment with executive sign-off to confirm that you are compliant. All organizations that become CMMC 2.0 certified at Level 2 or higher) will still need to be DFARS 7012 and NIST 800-171 conforming, while those at Level 1 need only implement 17 of the 110 NIST 800-171 controls.
When should we get CMMC certified?
CMMC 2.0 will not be a contractual requirement until the DoD completes the rulemaking needed to implement the program; that is, probably not earlier than August 2022. However, available information on CMMC 2.0 make it clear that the DoD will require DIB firms that handle CUI to have robust security postures that are “provably compliant” with NIST 800-171. Therefore, while you cannot currently undergo a CMMC 2.0 Level 2 or Level 3 audit, you should move quickly to close any gaps in your program relative to NIST 800-171. This is vitally important if you have a DFARS 7012 clause in any current contract, as this obligates you to NIST 800-171 compliance now.
Should we start preparing for CMMC 2.0 with a Gap Analysis/Assessment?
A gap assessment is a good approach if you know that you have a very mature information security program that includes the required CMMC artifacts (e.g., Risk Assessment, System Security Plan, etc.). If not, you are better off viewing this as an implementation, with establishing the scope of your CUI environment as the best first step. See this blog for additional detail on approach.
The Pivot Point Security team have done an excellent job outlining the steps to become CMMC Level #3 compliant
Thanks for the high praise! We like our process too :)