Challenges & Needs

• No Real Experience with CMMC: Historically, the client had never been formally asked to report on any type of DoD compliance mandate (i.e., DFARS NIST 800-171, etc.). As such, they had no experience with the CMMC framework.
• Weak Security Documentation: With the exception of a handful of corporate-wide security policies, the client had no existing InfoSec, cybersecurity, or data privacy policies and procedures in place specific to CMMC reporting.
• Inadequate Security and Operational Controls: The client had notable deficiencies with critical security and operational controls when mapped against the CMMC framework.
• Missing Security & Compliance Tools and Solutions: CMMC compliance required implementation of various security tools and solutions, none of which the client had in place.
• No Project Management Experience for Regulatory Compliance: None of the internal I.T. and operational staff had any real history of managing a federal compliance engagement such as CMMC.

Our Solution

• Defined project scope, including roles and responsibilities for all internal personnel at the client.
• Identified CMMC control gaps and deficiencies, offering expert recommendations on remediation and next-steps.

Challenges Solved

• Developed all-new CMMC specific information security policies and procedures documentation, those based on NIST SP 800-53.
• Conducted in-house security awareness training.
• Established and put into operations an all-new cyber incident response and reporting program as required by the DoD for reporting breaches within a 72-hour period.

Value Created

• Put in place a corporate culture that now understands, respects, and truly values the concept of information security.
• Developed and implemented a highly respected regulatory compliance framework with formalized and well-documented internal controls.
• Successfully met the rigorous compliance requirements of CMMC.