🚨Attention DoD contractors 🚨 CMMC assessments have started. ⬇️

On 16 December, certified third-party assessment organizations (C3PAOs) officially began assessing DoD contractors for CMMC.

If you handle CUI, you need to:
1️⃣ Prove CUI security no matter if you have 20 or 20,000 employees.
2️⃣ Prioritize CUI compliance before other CMMC Level 2 requirements.
3️⃣ Balance CUI security with productivity.

For more information, check out our latest blog: https://lnkd.in/e5WCrz8m
Secude’s Post
More Relevant Posts
-
#manufacturers Want to do business with #DOD or #Federal Government?
1. Give me a call or
2. Start here https://lnkd.in/gr5GfjkV

Then we can discuss the differences between #CMMC and #NIST800-171. NIST 800-171 applies to non-federal agencies and contractors handling Controlled Unclassified Information (#CUI), while CMMC applies to all contractors doing business with the Department of Defense (DoD). NIST 800-171 contains administrative and technical requirements for protecting CUI, while CMMC provides a set of best practices for safeguarding CUI. NIST 800-171 is about self-certification, whereas CMMC involves third-party assessments and assigns maturity levels. The more you know!
-
Wonder why the DoD is so focused on implementing CMMC 2.0 and shifting from self-assessments to third-party assessments? Basically, self-assessments aren't usually a great indicator of true compliance - with an average "Basic" (self-assessment) score of 56 vs average "Medium" (DoD assessment) score of -57.75 (perfect score is 110, lowest score is -203)*. That's a difference of over 100 points! I get it, being fully compliant with CMMC 2.0 / NIST 800-171 is tough and DoD contractors and MSPs are a little lenient when doing the self-assessment, but now that official assessments are going to begin next year, most are going to need help to get to 110 in a third-party assessment. Thanks to Koren Wise for showing me this chart which was presented by *Nick Delrosso, the DIBCAC Director on 3/6/23 at CS2 Conference.
-
CMMC 2.0 is here to make compliance simpler and more scalable for DoD contractors of all sizes. Don’t miss out on new opportunities—stay compliant and secure your place in federal contracts! #CMMC2 #DoDUpdates #CybersecurityCompliance #GovContracts #SmallBizOpportunities
-
DoD Contractors: FCI vs CUI

We discuss CMMC Compliance requirements, implementing NIST 800-171 110 controls to meet CMMC Level 1 and prepare for CMMC Level 2 assessment.
-
📢 Important Update for the DIB! As of December 16, 32 CFR has officially gone into effect, and CMMC assessments are set to begin on January 2, 2025. With the CMMC now in effect, defense contractors need to either self-attest or complete third-party assessments, depending on whether they require Level 1 or Level 2 compliance. This means it’s time to get ready—compliance is now key to winning and keeping DoD contracts.

Important Takeaways:
☑️ Both prime and subcontractors must achieve the required CMMC levels before contract awards.
☑️ Phase 1 of the rollout begins when 48 CFR is effective, with DoD retaining discretion to enforce requirements as needed.
☑️ Contractors should review contracts, assess their systems, and prepare for certification, which can take 6-8 months.

Stay ahead of the curve and prepare for CMMC as the program rolls out. SMPL-C is here to help you! #CMMC #DoD #32CFR
-
Defense & Government Contract Manufacturers alert! The Final CMMC rule is published and is effective December 16, 2024. Going forward CMMC level 1, 2, or 3 may be a Condition of Award in new contracts and new option years. CMMC Contract clause DFARS 252.204-7021 will require the development of a System Security Plan (SSP).
- Defense contractors & subcontractors processing, storing, or transmitting Federal Contract Information (FCI) are subject to CMMC Level 1 (17 Controls)
- Defense contractors & subcontractors processing, storing, or transmitting Controlled Unclassified Information (CUI) are subject to CMMC Level 2 (110 Controls) or 3 (Level 2 Cert + 24 Controls from NIST 800-172)
- The applicability of CMMC Level for procurement will be determined by the Department of Defense (DoD)
- Subcontractor flow-down is a requirement

For more information, check out this article. https://hubs.la/Q02YY6Hv0 There are lots of considerations and detail in this Final Rule. To be sure your systems and processes support your journey, contact Godlan!
-
Defense & Government Contract Manufacturers alert! The Final CMMC rule is published and is effective December 16, 2024. Going forward CMMC level 1, 2, or 3 may be a Condition of Award in new contracts and new option years. CMMC Contract clause DFARS 252.204-7021 will require the development of a System Security Plan (SSP).
- Defense contractors & subcontractors processing, storing, or transmitting Federal Contract Information (FCI) are subject to CMMC Level 1 (17 Controls)
- Defense contractors & subcontractors processing, storing, or transmitting Controlled Unclassified Information (CUI) are subject to CMMC Level 2 (110 Controls) or 3 (Level 2 Cert + 24 Controls from NIST 800-172)
- The applicability of CMMC Level for procurement will be determined by the Department of Defense (DoD)
- Subcontractor flow-down is a requirement

For more information, check out this article. https://hubs.la/Q02YY89P0 There are lots of considerations and detail in this Final Rule. To be sure your systems and processes support your journey, contact Godlan!
-
We've put together a downloadable guide for DIB Contractors that goes over the interplay of DFARS, NIST 800-171, SPRS, and CMMC 2.0. https://hubs.li/Q02r-Ghm0 #ControlCase #dfars #nist #nist800171 #sprs #cmmc #cmmc2
DFARS, NIST 800-171, SPRS, and CMMC 2.0 Cheat Sheet
controlcase.com
-
📣 Final rule to implement #CMMC program heads into OMB interagency review process. The final rule would make changes to Title 32 of the Code of Federal Regulations.

🔐 Key points include:
1. Three CMMC levels with increasing security requirements:
✅ Level 1: Basic safeguarding of Federal Contract Information
✅ Level 2: Protection of Controlled Unclassified Information
✅ Level 3: Enhanced protection against advanced persistent threats
2. Assessments required to verify compliance:
✅ Level 1: Annual self-assessment
✅ Level 2: Triennial self-assessment or third-party certification
✅ Level 3: Triennial government-led assessment
3. Phased implementation over four phases, with full implementation expected by late 2026.
4. Flow-down requirements to subcontractors at all tiers.
5. Potential for contract ineligibility if CMMC requirements are not met.

DOD contractors should act fast to prepare for CMMC 2.0. If you need a partner to help you prepare, look no further than TriVigil. ⏳ #Auditpreparedness #Partner #CMMC2 #DoDContractors
-
CMMC Final Rule Published: What This Means for MSPs

The CMMC Final Rule has been pre-published in the U.S. Federal Register, with official publication on October 15. This update brings a critical change for MSPs supporting defense contractors. The original proposal required MSPs to pass a Level 2 or 3 CMMC assessment at the same level as their clients, or the clients would fail. But the final rule changes that: If an MSP (or any External Service Provider) does not process, store, or transmit Controlled Unclassified Information (CUI), they will not need their own CMMC assessment. Instead, their services will be assessed as part of the defense contractor's certification.

What this means for MSPs: If you or your vendors aren't handling CUI, you're not on the hook for a costly Level 2 assessment. Mike will share more once he has had time to dive into the full 470-page document, but feel free to reach out with any immediate questions.