Certification Details
| Attribute | Value |
|---|---|
| Certification Level | CMMC Level 2 |
| Assessment Type | C3PAO (Third-Party Assessment Organization) |
| Valid From | May 27, 2025 |
| Valid Until | May 27, 2028 |
| Certificate Number | Available upon request |
What CMMC Level 2 Means
CMMC Level 2 requires implementation of 110 security practices aligned with NIST SP 800-171, covering:- Access Control - Managing who can access systems and data
- Audit and Accountability - Tracking and logging system activity
- Configuration Management - Maintaining secure system configurations
- Identification and Authentication - Verifying user identities
- Incident Response - Responding to security events
- Maintenance - Keeping systems secure over time
- Media Protection - Protecting data storage media
- Personnel Security - Ensuring trusted workforce
- Physical Protection - Securing physical facilities
- Risk Assessment - Identifying and managing risks
- Security Assessment - Evaluating security effectiveness
- System and Communications Protection - Securing data in transit
- System and Information Integrity - Maintaining data accuracy
Access Control Practices
Govly implements the following access control measures aligned with CMMC requirements:Control Flow Enforcement (3.1.3)
- Network segmentation between security zones
- Firewall rules controlling traffic flow
- VPN requirements for remote access
Separation of Duties (3.1.4)
- Role-based access controls preventing conflicts of interest
- Segregated administrative functions
- Multi-person approval for sensitive operations
Least Privilege (3.1.5)
- Users granted minimum necessary access
- Regular access reviews and recertification
- Just-in-time access for privileged operations
Non-Privileged Account Use (3.1.6)
- Standard accounts for routine tasks
- Privileged accounts only for administrative functions
- Separate credentials for different privilege levels
Privileged Function Prevention (3.1.7)
- Technical controls preventing privilege escalation
- Monitoring of privileged account usage
- Automated alerts for anomalous activity
Unsuccessful Login Attempts (3.1.8)
- Account lockout after failed authentication attempts
- Progressive delays between attempts
- Alerting on brute force patterns
CMMC-Compliant Services
The following Govly services operate within our CMMC-compliant enclave:- Secure Email Ingestion - Process CUI-containing emails at
[organization]@secure.govly.com - Web Automation - Monitor procurement portals with CMMC-compliant data handling
- Data Storage - Store and process CUI within authorized boundaries
For Customers Handling CUI
If your organization handles Controlled Unclassified Information or is preparing for CMMC certification:- Contact [email protected] to discuss your compliance requirements
- Request access to our CMMC-compliant enclave services
- Review our System Security Plan (SSP) excerpts (available under NDA)
Compliance Documentation
Govly can provide the following documentation upon request:- CMMC Level 2 Certificate
- System Security Plan (SSP) excerpts
- Customer Responsibility Matrix
- Third-party assessment reports