Government contractors need to know that the systems they use will support their cybersecurity and compliance goals. For many, compliance with the appropriate level of the Cybersecurity Maturity Model Certification (CMMC) will be necessary in order to win contracts as the CMMC is fully rolled out within the Department of Defense and other Federal Agencies. Today, complying with DFARS 7012 and NIST 800-171 will be a source of competitive advantage with your customer and prime.
Capture2Proposal will maintain a CMMC compliance assertion by an independent licensed third-party assessment organization to give our customers the confidence that we have implemented robust cybersecurity to protect their data. We can provide the documentation you need to prove that our system complies with the necessary guidelines when you need to list your tools for your own security audits.
You can be assured that:
- Capture2Proposal, as a SaaS vendor, meets the government standards for certified security credentials and capabilities,
- Capture2Proposal’s security policies and controls are consistent with government standards for SaaS applications,
- Capture2Proposal, as a third-party provider, protects your Controlled Unclassified Information (CUI) to accepted industry standards and is a trusted, secure partner in achieving your business goals.
Capture2Proposal is the only BD/Capture/Proposal Management solution that fully meets those security controls and current CMMC compliance guidance.
Why is CMMC Compliance Necessary for your BD & Proposal Management?
Data managed by your business development, capture, and proposal management system(s) can be subject to CMMC, whether due to ‘marking’ by the government or the prime contractor, or because your own team created information that is FCI or CUI. Federal Contract Information (FCI) is typically associated with Level 1 of CMMC, while CUI is associated with CMMC Level 2. (Note the change here: with the publication of CMMC 2.0 on 11/4/2021, protecting CUI is now aligned with Level 2, as the Version 1.0 CMMC Level 2 has been eliminated.)
As one very significant example of this trend, one of the largest IDIQs is now marking some opportunity documents as CUI, such as the Performance of Work Statement and Statement of Work. This requires your BD processes, and the systems that manage them, to be compliant with the CMMC Level associated with that marking.
Cybersecurity advisory firm Summit 7, which has helped more than 400 government contractors meet DFARS 7012 and CMMC, commented:
“FCI data and content can be found in the vast majority of proposal submissions and the systems that contain those capture efforts. In fact, CMMC provides an example in the appendix for Access Control (AC) 1.003 where a business development and proposal team is creating an RFP/RFI/RFQ response to the DoD. And where there’s FCI, there’s likely CUI, and where there’s CUI – you will need to meet Level 2 in CMMC 2.0. It also doesn’t make sense to have part of your infrastructure secure, and the other systems configured to Level 1 or less.”
Beyond Compliance – a Competitive Advantage
CMMC compliance will eventually be essential for GovCons working with the DoD as the DoD rolls out the requirement over the next several years, but there are compelling reasons for every GovCon to be compliant with NIST SP 800-171, and therefore DFARS 7012, as soon as possible:
- It’s a good, enduring practice
- It sets them up for future CMMC compliance certification, as it evolves, to be evaluated by a C3PAO
- It avoids Prime or Sub data management risks during Capture and Proposal Development, Post-Submission and Post-Award
- It ensures the proposal will meet Section L/M requirements and evaluation factors in the future – and will be a differentiator and strength for your firm at this time.
- It increases your PWin (Probability of Win)