CMMC Consulting Services for CMMC Compliance

Corserva blog

When it comes to compliance, no one wants to overpay — for assessments, audits, tools, or services.

To be able to work under a federal contract that requires compliance with Cybersecurity Maturity Model Certification (CMMC), you will eventually need to pay for a CMMC assessment by a Certified 3rd Party Assessor Organization (C3PAO).

There are a variety of CMMC consulting services available that will better ensure your company will pass a CMMC assessment on the first try.

Not knowing what you should be doing is scary. Take steps now to prepare for a future CMMC assessment so you don't waste money.

 

Reduce Your Costs for CMMC Compliance

CUISince the cost of a CMMC assessment is based on how you manage Controlled Unclassified Information (CUI) and not the size of your company, the best way to reduce your costs for a CMMC assessment is to narrow the scope of CUI.

This is how CMMC consulting services can save you money long term.

When preparing for your CMMC assessment, the following types of CMMC consulting services will reduce your costs for CMMC compliance.

  1. NIST assessments
  2. Creation of SSPs and POA&Ms
  3. CMMC readiness assessments
  4. Remediation of gaps and other issues
  5. Development of customized security programs to address gaps and issues
  6. Vulnerability scanning
  7. Implementation and configuration of compliant systems
  8. End user training in cybersecurity best practices

 

1. NIST Assessments

Corserva performs NIST assessments for companies that need to comply with NIST Special Publication 800-171. The NIST 800-171 publication, and others like it created by NIST, have become recognized by IT security, compliance, and risk management professionals as a standard for best practice for any commercial enterprise. (This is why Corserva aligns its cybersecurity practice with the NIST cybersecurity framework.)

The DoD contract under which you are working determines whether you need to meet NIST 800-171 or CMMC.

The DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting clause directs compliance with NIST SP 800-171. As of December 31, 2017, all contractors and subcontractors operating in government supply chains were expected to be compliant with NIST 800-171.

 

NIST Assessment Process

Corserva's NIST assessment process includes:

  • Business process review
  • Technical assessment of systems and networks
  • Data analysis

During the assessment process, your information system environment as it relates to specific CUI cases will be reviewed. You will be asked about different access scenarios. Your policies and procedures regarding IT systems (formal, informal, and written) will also be reviewed.

For each of the 110 NIST 800-171 controls, Corserva will rate your company as fully compliant, partially compliant, or not compliant. We will provide you with supporting documentation on your compliance status, as well as recommendations of what changes to make to become compliant in each area.

NIST compliance

The NIST assessment process is as follows:

  1. Identify all relevant requirements within the NIST 800-171 Revision 2 security requirement families currently in effect.
  2. Perform an "as is" high level assessment of the current state of processes and controls relative to the NIST 800-171 security requirements.
  3. Develop a gap analysis that identifies those areas where your processes and controls fall short of the NIST 800-171 security requirements.
  4. Develop a set of recommended actions you will need to take to align with the NIST 800-171 security requirements.

 

NIST Security Requirement Families

During project execution, Corserva performs an assessment of your compliance with the following NIST 800-171 security requirement families.

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  1. Media Protection
  2. Personnel Security
  3. Physical Security
  4. Risk Assessment
  5. Security Assessment
  6. System and Communications Protection
  7. System and Information Integrity

We then produce a report to reflect your compliance baseline. The report includes all data collected, your compliance status with each of the 110 controls, and recommendations for remediation and proposed next steps.

 

NIST and CMMC

 

2. Creation of SSPs and POA&Ms

As evidence of compliance with NIST 800-171, companies in the Defense Industrial Base develop and maintain formal documents for submission to DoD prime contractors upon contract initiation or renewal. These documents include a System Security Plan (SSP) and Plan of Action with Milestones (POA&M).

From NIST SP 800-171, Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations:

Nonfederal organizations describe, in a system security plan, how the security requirements are met or how organizations plan to meet the requirements and address known and anticipated threats. The system security plan describes: the system boundary; operational environment; how security requirements are implemented; and the relationships with or connections to other systems. Nonfederal organizations develop plans of action that describe how unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and the plan of action as separate or combined documents and in any chosen format.

The SSP and POA&M documents identify any gaps in compliance with NIST 800-171 and plans for how you will close the gaps.

Corserva can create your SSP and POA&M documents, customized to your IT environment. These documents describe how any unimplemented security requirements will be met and how any planned improvements will be implemented. Detailed milestones are used to measure your progress.

After reviewing the documents with you, we will input the System Security Plan directly into the latest version of the published SSP template provided by NIST. The POA&M we create for you also follows the latest version of the POA&M template provided by NIST.

 

Using an SSP and POA&M as a Roadmap to CMMC Compliance

The SSP and POA&M are helpful to companies as they prepare to meet the more stringent requirements for CMMC. Until you close the gaps in compliance identified in an SSP and POA&M, you will not pass a CMMC audit.

If you have gone through the effort of creating an SSP and POA&M, now you have a roadmap of areas that you will need to fix (at a minimum) before a CMMC assessment, in addition to other CMMC requirements you may not be meeting that fall outside the scope of NIST 800-171.

As stipulated in Cybersecurity Maturity Model Certification (CMMC), Version 1.02, you need to maintain system security plans to achieve CMMC compliance (depending on the CMMC level desired):

CA.2.157 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

 

3. CMMC Readiness Assessments

For companies that need to comply with CMMC, Corserva can prepare you for a future CMMC assessment by performing an "assessment before the assessment" to determine your current compliance status.

 

CMMC Certification Levels

The CMMC framework contains 5 certification levels ranging from basic cyber hygiene to reducing the risk from Advanced Persistent Threats (APT). Across the 5 maturity levels are 5 maturity processes and a total of 171 cybersecurity best practices.

 

5-levels-step

 

Prior to a CMMC assessment, you will first want to determine the level to which your company should be certified. This decision will be based on the contract under which you expect to be working in the future or your internal business goals.

 

CMMC Readiness Assessment Process

This is the process Corserva follows when performing a CMMC readiness assessment:

  1. Identify all relevant requirements within the NIST 800-171 Revision 2 security requirement families and CMMC processes and practices for the desired level of compliance currently in effect (level 1, 2, 3, 4, or 5).
  2. Perform an "as is" high level assessment of the current state of processes and controls relative to NIST 800-171 security requirements and CMMC processes and practices for your desired level.
  3. Develop a set of recommended actions you will need to take to align with the NIST 800-171 security requirements and CMMC processes and practices for the applicable level.

 

NIST Security Requirement Families & CMMC Domains

During project execution, Corserva performs an assessment of your compliance with the following NIST 800-171 security requirement families and CMMC capability domains.

The NIST 800-171 security requirement families are:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  1. Media Protection
  2. Personnel Security
  3. Physical Security
  4. Risk Assessment
  5. Security Assessment
  6. System and Communications Protection
  7. System and Information Integrity

 

The CMMC capability domains are:

  1. Access Control (AC)
  2. Asset Management (AM)
  3. Audit and Accountability (AU)
  4. Awareness and Training (AT)
  5. Configuration Management (CM)
  6. Identification and Authentication (IA)
  7. Incident Response (IR)
  8. Maintenance (MA)
  9. Media Protection (MP)
  1. Personnel Security (PS)
  2. Physical Security (PE)
  3. Recovery (RE)
  4. Risk Management (RM)
  5. Security Assessment (CA)
  6. Situational Awareness (SA)
  7. System and Communications Protection (SC)
  8. System and Information Integrity (SI)

 

After Corserva performs an assessment of your compliance with the NIST requirements and CMMC domains, we then produce a report to reflect your compliance baseline. The report includes all data collected, your compliance status with the requirements of NIST 800-171 and the applicable level of CMMC, and recommendations for remediation and proposed next steps.

GET A QUOTE

 

4. Remediation of Gaps and Other Issues

During a NIST assessment or CMMC readiness assessment, security gaps and other cybersecurity issues will be discovered.

If you have an SSP and POA&M, these documents can serve as a roadmap of areas that you will need to fix (at a minimum) before a formal CMMC assessment by a C3PAO.

With design or process changes, some of the systems you already have in place can be made compliant.

Corserva can remedy compliance gaps and issues by making configuration changes to:

  • Firewalls
  • Computers
  • Servers
  • Microsoft 365 and other platforms
  • and more

As part of remediation efforts, Corserva can set up alerts to enable internal IT staff to proactively manage the IT infrastructure moving forward. You can also hire Corserva to monitor your IT infrastructure and make configuration changes as your infrastructure changes for on-going compliance oversight.

 

5. Development of Customized Security Programs to Address Gaps and Issues

During an assessment, your policies and procedures regarding IT systems (formal, informal, and written) will be reviewed.

Where there are gaps in your written documentation, Corserva can create and document policies and procedures for you. We provide advice on best practices and can make any necessary configuration changes for you to support new policies and procedures.

For example, we can configure data access and sharing policies for email, OneDrive, SharePoint, etc.

GET A QUOTE

 

6. Vulnerability Scanning

Depending on the level of CMMC compliance that applies to your company, you may need to meet the CMMC requirement for vulnerability scanning.

As stipulated in Cybersecurity Maturity Model Certification (CMMC), Version 1.02, level 2 of the Risk Management domain: 

RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

RM.2.143 Remediate vulnerabilities in accordance with risk assessments.

Corserva can perform a baseline vulnerability scan, which includes:

  • External scan of your IP addresses
  • Agent deployment on test devices (both workstations and servers)

After the scan, Corserva creates a report to review with you, describing our findings and recommendations for remediation.

Corserva can also remediate issues identified during vulnerability scanning activities.

 

7. Implementation and Configuration of Compliant Systems

If you are planning to add any new platforms to help you meet CMMC compliance, it is important to remember that, in general, nothing is compliant right out of the box — the configuration is a big part of it.

For example, if you plan to implement Microsoft 365 GCC, Corserva can deploy a security configuration of the platform within your Microsoft Azure virtual server to align with compliance requirements.

If you are already using Microsoft 365 GCC, Corserva can review the current deployment of Microsoft 365 GCC to all endpoints and end users. Corserva will:

  1. Review and validate the deployed configuration of Microsoft 365.
  2. Validate access privileges and defined user roles, then reconfigure where needed for compliance.
  3. Review and validate multi-factor authentication (MFA) settings and reconfigure where needed for compliance.
  4. Configure audit logging and alerting.
  5. Configure Azure Information Protection (AIP) for email encryption and document security.
  6. Configure data access and sharing policies for email, OneDrive, SharePoint, etc.
  7. Configure a sensitivity label to mark information as CUI for conditional access and DLP testing.
  8. Test and validate reconfigured features and services.

For Microsoft Azure, Corserva can:

  1. Configure non-privileged and privileged accounts.
  2. Configure secure remote access.
  3. Install and configure Microsoft Office applications and email.
  4. Provision the Outlook app for mobile device email access.
  5. Test and validate FIPS validated disk encryption.
  6. Test and validate features and functionality for email, data access, logging, and reporting.

Corserva also provides you with reference architecture diagrams and documentation.

After implementation, Corserva can provide training and support for new platforms.

GET A QUOTE

 

8. End User Training in Cybersecurity Best Practices

Part of CMMC compliance is ensuring that your employees have the required cybersecurity training. One of the 17 domains in CMMC is "Awareness and Training (AT)," which includes these capabilities:

  • Conduct security awareness activities
  • Conduct training

For those companies that are relatively new to CMMC, compliance often involves bringing a security-first mindset to the organization.

Corserva offers security awareness training and other cybersecurity training for your staff. We instruct employees in the latest mechanisms of spam, phishing, malware, ransomware, and social engineering so that they can apply this knowledge in their day-to-day activities, keeping the business protected from cyber threats.

 

Request a Quote for CMMC Consulting Services

RPOCorserva's CMMC consulting services prepare you for a CMMC assessment by a C3PAO, greatly reducing your costs and efforts to achieve CMMC compliance.

Corserva is a CMMC-AB Registered Provider Organization™ (RPO) and we are listed on the CMMC-AB Marketplace.

As an RPO, Corserva is authorized by the CMMC-AB to provide pre-assessment consulting services to government contractors.

Get started today. Talk to a CMMC compliance expert by requesting a quote for CMMC consulting.

GET A QUOTE

 

Post Date: July 28, 2021 // 4:09 PM

Topic category:

NIST & CMMC

Author:

Adam Keely

Adam is a security analyst and CMMC-AB Registered Practitioner (RP). He is a member of Corserva’s assessment and compliance team, guiding companies in meeting business objectives with NIST 800-171 and CMMC. Adam spent 5 years in the United States Marine Corps as a Communications Electronics Technician before entering the corporate world, where he has worked in web development and cybersecurity.

Share: