What is the Cybersecurity Maturity Model Certification 2.0 (CMMC)?
Safeguarding controlled government/military data from unauthorized disclosure/release is critical to our national security and economic freedom. Yet companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have only been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 regulatory requirements… until now.
The self-attestation approach hasn’t worked very well, as evidenced by notable breaches of critical government information in both the public and private sectors. This has driven the U.S. Department of Defense (DoD) and other government agencies to mandate a higher level of attestation: the Cybersecurity Maturity Model Certification (CMMC).
Keeping confidential government/military information secure from prying eyes is critical to our national sovereignty and economy. Companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 guidance since the enactment of DFARS 252.204-7012 in 2016. With CMMC v1 in 2020 and now CMMC 2.0, organizations handling more sensitive data will need to undergo third-party audits.
Defense suppliers mandated to comply with CMMC 2.0 Level 2 (Advanced) and participating in programs deemed critical to national security (so-called “prioritized acquisitions”) must undergo an independent certification audit by a C3PAO. Defense suppliers mandated to comply with CMMC 2.0 Level 3 (Expert) will be audited by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
However, those DIB organizations that must achieve CMMC 2.0 Level 2 (Advanced) compliance but are working only on “non-prioritized acquisitions” can now self-attest to their CMMC compliance. The major difference for these firms from DFARS 7012 obligations is that the self-attestation cadence is now annual and must be accompanied by a letter of affirmation by a senior executive.
Companies that handle only Federal Contract Information (FCI) and not CUI and need to comply only with the 17 practices at CMMC 2.0 Level 1 (Foundational) can also self-attest to their compliance.
Once rulemaking on CMMC 2.0 is complete, the CMMC level required to win a project will be listed in the solicitation and in any Requests for Information (RFIs). This means that your company must be in compliance with its CMMC 2.0 attestation requirements (self-attestation or third-party attestation) at the time of contract award to be eligible to win the bid.
Perhaps even more important, many Primes likely will require their pursuit team members and other critical suppliers to be CMMC 2.0 compliant — even in cases where the contract does not yet require it.
One last consideration: If your current contract has a DFARS 252.204-7012 clause, you are still contractually obligated to be provably NIST SP 800-171 compliant regardless of CMMC 2.0 rulemaking. The DCMA/DIBCAC has been more aggressive about enforcing this, even leveraging the False Claims Act to impose fines on DIB organizations that are not doing what they have said they have done.
Why Choose Pivot Point Security for CMMC Compliance & Preparation Services
Helping organizations like yours prove you’re secure and compliant (so you can grow your business) is what we have done for thousands of clients over the last 20+ years.
When you work with Pivot Point Security for CMMC Compliance & Certification Preparation, you don’t need to re-invent the wheel…
You Have 4 Ways to Reach CMMC Certification With Pivot Point Security
The Stakes are High… Make Sure You Have the Chips to Stay in the Game
CMMC certification will be an absolute requirement to win DoD RFPs and/or have a contract awarded. For many SMBs impacted by the CMMC, DoD contracts make up a substantial percentage of their revenue, making CMMC certification a “go big or go home” proposition.
CMMC Compliance & Certification Can Make You Stronger
We believe there is a Darwinian element to CMMC. Those organizations that can “adapt” to the new reality will not only survive, but are likely to prosper by taking business from those that can’t adapt. Be the pigeon, not the dodo.
CMMC FAQs
Frequently Asked Questions
The US federal rulemaking process to codify CMMC 2.0 is expected to be complete by March 2023. The US Department of Defense (DoD) has stated that it will begin including CMMC language in contracts 60 days after that, in May 2023.
There are different control totals for each level within CMMC 2.0:
- CMMC Level 1: 17 Practices (same as CMMC V1 Level 1)
- CMMC Level 2: 110 Practices (This is the level that fully achieves NIST SP 800-171 coverage)
- CMMC Level 3: This level is not yet fully defined, and the number of practices is still to be determined. Since Level 3 (equivalent to CMMC V1 Level 5) will be based on NIST SP 800-172, “Enhanced Security Controls,” which defines 35 controls beyond NIST SP 800-171, it will define somewhere between 110 and 145 practices.
You may no longer be able to win proposals to provide services in the DoD supply chain.
A reasonable assumption for achieving Level 2 CMMC 2.0 readiness is 6 to 10 months. It will ultimately depend on organizational knowledge and how soon you can get your “new normal” baked into your company culture and day-to-day processes.
Significant cost reduction, especially for SMBs, was a key goal of CMMC 2.0. The DoD has stated its intention to “publish a comprehensive cost analysis associated with each level of CMMC 2.0 as part of rulemaking.” If your business needs to undergo a third-party assessment, costs will vary based on factors like the complexity of your unclassified network for the certification scope, how close you are today to meeting the requirements for the CMMC level in your contract, as well as market forces. Of course, your overall CMMC 2.0 certification costs will be lower if you can self-attest to compliance.
Some ballpark cost estimates include:
- For a CMMC Level 2 C3PAO assessment, you could expect approximately 30 person-days of effort and a cost of $60,000 to $90,000.
- If you are starting from scratch to build a NIST 800-171 conforming cybersecurity program, your costs could be $50,000 to $150,000. If you already have a mature cybersecurity program, costs to provably establish NIST 800-171 compliance could be $20,000 or less.
- If you have cost estimates for CMMC v1, your CMMC 2.0 costs should be lower since the maturity requirements are no longer part of the program.
Both CMMC 2.0 Level 2 and NIST 800-171 are intended to protect Controlled Unclassified Information (CUI), and CMMC 2.0 is based on the 110 controls specified by NIST 800-171. Further, CMMC 2.0 is a certifiable standard that requires either a third-party audit or a self-assessment with executive sign-off to confirm that you are compliant. All organizations that become CMMC 2.0 certified at Level 2 or higher will still need to be DFARS 7012 and NIST 800-171 conforming, while those at Level 1 need only implement 17 of the 110 NIST 800-171 controls.
CMMC 2.0 will not be a contractual requirement until the DoD completes the rulemaking needed to implement the program. However, the available information on CMMC 2.0 makes it clear that the DoD will require DIB firms that handle CUI to have robust security postures that are “provably compliant” with NIST 800-171. Therefore, while you cannot currently undergo a CMMC 2.0 Level 2 or Level 3 audit, you should move quickly to close any gaps in your program relative to NIST 800-171. This is vitally important if you have a DFARS 7012 clause in any current contract, as this obligates you to NIST 800-171 compliance now.
A gap assessment is a good approach if you know that you have a very mature information security program that includes the required CMMC artifacts (e.g., Risk Assessment, System Security Plan, etc.). If not, you are better off viewing this as an implementation, with establishing the scope of your CUI environment as the best first step.