CMMC Compliance Information
The Department of Defense (DoD) created a program to verify compliance with (i.e. full implementation of) the 110 NIST 800-171 controls. The program is called the Cybersecurity Maturity Model Certification, or “CMMC”. Although the CMMC verifies compliance under the NIST 800-171 framework, NIST 800-171 itself has been around for over 20 years. Additionally, the program only addresses contractors that work with non-classified systems and data, referred to as Controlled Unclassified Information (CUI). The CMMC program verifies that the defense contractor is truly protecting its environment from cybersecurity threats and, in turn, protecting the levels above and below it (e.g. primes, DoD Agency/Office). The timetable for full implementation will span a series of years and is slated to begin Spring 2025.
Overview of the CMMC
- CMMC Level 1
  - 17 Controls
  - Basic level of controls/infrastructure (small percentage of contractors fall under this category).
- CMMC Level 2
  - 110 Controls
  - Full compliance with all 110 controls under NIST 800-171 (majority of contractors fall under this category).
- CMMC Level 3
  - 20 Controls
  - Full compliance under the NIST 800-171 controls plus 20 select controls (small percentage of contractors fall under this category).
Steps to Compliance
- Perform Readiness Assessment (immediately)
  - 1- to 3-month process
- Remediate (i.e. fully implement controls)
  - 9 to 18 months to remediate
  - 3 to 5x the cost of the readiness assessment (remediation support does not include software/hardware purchases)
- Perform Test/Mock Certification
  - Typically performed 90 days before the certification is scheduled
To learn more about our Cybersecurity Readiness Assessments, our cornerstone service, please follow the link below.
Compliance as a DoD contractor, whether you’re a prime contractor, subcontractor, vendor or supplier, is growing more and more complex. The reason for the complexity is two-fold. First, bad actors and our adversaries are attacking the Defense Industrial Base (DIB), and the threats are increasing. Second, the solutions needed to protect and support the Warfighter are becoming more complex, and hence a greater level of competency is required to support the mission. Our team provides specific services and an overall Compliance-as-a-Service (CAAS) model to ensure you remain compliant throughout the year.
Services Offered
- Cybersecurity Readiness Assessments and Remediation
  - NIST 800-171, CMMC, NIST CSF
  - SPRS Scoring
  - Evidence Review and Cataloging
- DCAA Compliance
  - Accounting System Review (Setup and Reporting)
  - Costing Review
  - Financial Reporting Advising
- Interim Services (Supporting Cybersecurity and DCAA)
- DoD Annual Risk Assessments
- SPRS Scoring Changes
- Test/Mock CMMC Assessments
Part of the due-diligence process for any potential deal between two or more organizations is the assessment of technical risks. Many of the questions that arise from this process concern the integration of software platforms, including cloud storage, ERP and communications. Integrating or implementing a new software platform, staff training and mid- to long-term upkeep costs can sway a potential buyer away from a deal when the buyer’s base system differs substantially from that of the company or environment being acquired.
Kriger USA acts as a teaming partner, outsourced risk manager or subject-matter expert to ensure that the buyer and seller have the greatest chance of succeeding with all of the cards on the table from an objective review.
Pre/Post-M&A Considerations
- Pre-M&A
  - ERP Review (Cost-Benefit)
  - Security Maturity (Tools, Staff)
  - Usage of Workflows
  - Outsourcing Viability
  - Compliance Frameworks
    - Operational, Security, PII
  - Software Licensing (Local, Cloud)
  - Project Management/PMO Review
  - Staff Interviews
- Post-M&A
  - Communications for Upcoming Changes
  - Project Planning for Integration(s)/Implementation(s)
  - Training Requirements/Costs
  - Staff Redundancies
Kriger USA’s Readiness Assessments are the cornerstone of our services. How does your organization’s cybersecurity maturity measure up against the frameworks you are required to comply with? Once assessed, what path do you take to prioritize what needs to be fully implemented? Do you have the qualified personnel internally to complete this task efficiently? These are all crucial questions that need to be answered by experts in IT readiness assessments.
Readiness Assessment Procedures/Focus Areas
- Areas Assessed
  - Access Control
  - Awareness and Training
  - Audit and Accountability
  - Configuration Management
  - Identification and Authentication
  - Maintenance
  - Media Protection
  - Physical and Environmental Protection
  - Personnel Security
  - System and Communications Protection
  - System and Information Integrity
- Framework Compliance
  - FISMA
  - GDPR (Europe)
  - HIPAA
  - ISO27001/27002
  - NERC-CIP
  - NIST 800-53
  - NIST 800-171 (110 controls)
  - NIST CSF
  - SOC2
Remediation translates to the full implementation of controls, as it relates to overall compliance with cybersecurity and related frameworks. We support our clients by advising their IT and supporting teams on best practices, project-managing the initiatives that complete the implementation and integration of solutions, and cataloging the resulting evidence. Remediation often includes a review of the policies and procedures that govern how your internal and external users operate the technologies. With proper policies, procedures and evidence, you will become compliant under the desired framework. Prior to remediation, you must first perform a readiness assessment to gain a full understanding of what needs to be remediated. Please follow the link below to gain a greater understanding of Cybersecurity Readiness Assessments.
CIO/CTO Advising is crucial for firms of all sizes, since it is extremely difficult to tackle the day-to-day challenges of running an IT department without the best practices and proven methods that others are leveraging. For many small to mid-sized organizations, a full-time C-level IT professional is not needed and is often a cost the organization need not incur. Simply having some guidance at key times, or having an individual present or available online to guide the team, is often all that is needed.
Industries Served
- Defense Contractors (Manufacturers, Service Providers)
  - NIST 800-171, NIST CSF, CMMC, ISO27001/27002
- Insurance Brokers/Providers
  - Due-Diligence
  - Cybersecurity Readiness Assessments and Remediation
  - ERP Integration/Implementation Support
  - Staff Training
  - Questionnaire Completion
- Doctor/Health Care Practices
  - HIPAA Readiness Assessments and Remediation
  - Staff Training
  - ERP Integration/Implementation Support
- Auto Dealers/Dealer Groups
  - Cybersecurity Readiness Assessments and Remediation
  - ERP Integration/Implementation Support
  - Staff Training
- Investors (Private Parties/Private Equity/Venture Capital/Home Offices)
  - Cybersecurity Readiness Assessments and Remediation
  - ERP Integration/Implementation Support
  - Staff Training