As soon as May 2023, federal contractors in the Defense Industrial Base (DIB) will face compliance requirements with a new version of the Cybersecurity Maturity Model Certification (CMMC) program. Many contractors don’t have the budget or expertise to achieve compliance in-house and need a partner.


Some organizations may seek a managed service provider (MSP) to help navigate the framework of CMMC 2.0. Robert Beuerlein, Principal Consultant of Aerospace & Defense at Frost & Sullivan, will present a whitepaper at CMMC CON 2022 to give an overview of the MSP landscape and offer contractors some qualities to identify in potential MSPs.


Beuerlein has 22 years of management experience in cyber operations and information warfare. He is a retired senior commissioned officer with global experience in training and development systems, information technology, and defense contracting. His significant expertise in Department of Defense (DoD) planning and budgeting processes makes him an authority from whom contractors can gain a new perspective.


Register for CMMC CON 2022 to join the conversation with Beuerlein about CMMC 2.0 compliance and how MSPs can help the DIB navigate a complex landscape.

Running your business and focusing on your core competency as you work hard to serve your clients can take all of your time. How do you make sure that you are protecting your company from cyber threats? If you have internal IT resources, do they have the expertise and bandwidth to monitor your systems all day, every day?


That’s where our Security Operations Center (SOC) can help. We partner with you to give your business the ability to see what is going on so that you can respond accordingly. Our team is constantly growing its skill set to combat ever-evolving, persistent cyber threats. We:

  • Understand the larger cybersecurity picture
  • Translate security into the language of your business
  • Hold deep technical knowledge matured over long cybersecurity careers
  • Possess a track record of success


How our SOC helps you

We take the inherent challenge associated with safeguarding the physical and logical business assets off your plate with our DFARS-compliant security management platform that provides a unified approach to threat detection and compliance management.


The SOC managed services provided by CyberSheath include:

  • Security Information and Event Management (SIEM): Working together we onboard your devices into the CyberSheath SIEM platform. This solution gathers and analyzes logs and event data from disparate security controls and devices across the network, and then correlates them to identify related security events.
  • Asset Discovery and Vulnerability Assessment: Our technical experts also deploy a vulnerability assessment platform that allows for the identification of vulnerabilities across your environment.
  • Intrusion Detection and Behavioral Monitoring: We deploy sensors to network locations to monitor traffic and establish a benchmark for normal behavior. In addition to network-based monitoring, our team deploys host-based monitoring agents to your infrastructure.
  • Threat Intelligence: We maintain correlation rules, IDS signatures, vulnerability detection rules, and IP reputation feeds to ensure the security management platform is kept current and detects current threats within your environment.


If you would like to learn more about how CyberSheath can help you gain peace of mind knowing that your systems are always monitored, contact us to learn more.

With the continually evolving threat landscape and the prevalence of team members working from home, it is more important than ever to be proactive with how your company is protecting itself from cyberattacks. 

CyberSheath can help. We offer services to build on all the great work you have already done to safeguard your information and your IT infrastructure. 


What these services are and why you need them

Anti-spam and phishing protection

Your organization needs to guard against threat actors delivering unwanted emails and trying to engage people to perform dangerous activities, like downloading and installing infected applications. To limit the ability of these threat actors to send email to your employees, you should have the right spam tool with the right settings in place. 


Solution: Microsoft 365 Defender helps stop phishing attacks. This tool, which is part of Microsoft’s XDR solution, leverages the Microsoft 365 security portfolio to automatically analyze threat data across domains, building a complete picture of each attack in a single dashboard. It offers two plans, both providing configuration protection, anti-phishing, and real-time detection capabilities. The more robust Plan 2 layers on additional capabilities such as automated investigation and remediation, and user education.


Endpoint detection and response (EDR)

An important step to protecting your network is securing all your endpoints, including servers, individual workstations, and remote laptops. There are many ways these nodes can be inadvertently compromised, paving the way for a threat actor to install ransomware on one of your endpoints, lock it up, and encrypt critical files.


Solution: Microsoft Defender for Endpoint allows your team to minimize damage to your environment by providing traditional signature-based antivirus protection, in which the tool identifies a malicious program by known characteristics and neutralizes it before it causes harm. The solution also applies heuristic and behavioral detection, giving you visibility into potentially malicious or anomalous activity. If malware is installed on an endpoint, Defender for Endpoint can also isolate that workstation before it becomes a host for further infection.


Domain Name System (DNS) filtering

The next step to securing your infrastructure is to restrict access to websites serving potentially dangerous content. Issues could arise when users are accessing a new website and are mistakenly redirected to a different site, or when ad servers on a frequently visited site are compromised.


Solution: Cisco Umbrella provides DNS filtering for security protection from these issues. This solution keeps a record of all the websites that are known to be malicious and prevents employees from accessing those sites. Default DNS services do not possess this capability.


Spam, endpoint, and DNS tools all work together to make sure that your employees don’t download anything harmful and that nothing compromising is accessed. Even though they come from different solution providers, they are able to play in the same sandbox.


Our skilled team can install, configure, and monitor any of these tools. Contact us today to get started.

Working with the federal government means maintaining compliance with fluid cybersecurity standards. It can be an overwhelming, confusing, and expensive venture for a business that isn’t familiar with the ever-changing mandates.


CyberSheath’s Federal Enclave can ensure you stay compliant with federal cybersecurity minimums while saving you time and money.


Federal Enclave is both a common-sense approach to protecting data and the most comprehensive Defense Federal Acquisition Regulation Supplement (DFARS) compliant enclave. It ensures that your users who handle sensitive data always have secure access to an out-of-the-box compliant environment, secured and managed by CyberSheath. Based on Microsoft Azure, Federal Enclave can be deployed as the situation requires on any of Azure’s cloud platforms or on premises.


The Department of Defense (DoD) was the first federal entity to roll out mandatory minimums for cybersecurity with Cybersecurity Maturity Model Certification (CMMC) in 2020, and recently released a simplified, updated version with CMMC 2.0. It’s expected that all federal agencies will eventually require cybersecurity compliance for federal contractors, which makes now a great time to get ahead of the curve as you plan future work with the federal government.


Federal Enclave adheres to CMMC v1.02 and v2.0 as well as DFARS 252.204-7012, limits the sprawl of controlled unclassified information (CUI) across the organization, and enforces role-based access to CUI.


CyberSheath has helped more than 500 clients discover their compliance starting point and roadmap. Federal Enclave simplifies adherence to the difficult cybersecurity business requirements and puts CyberSheath in your corner to ensure compliance. Register for CyberSheath’s webinar to launch Federal Enclave at 12 p.m. EST on Feb. 23.

Federal Enclave Webinar


Fifth-Annual List Honors Leading MSSP, MDR and SOCaaS Cybersecurity Companies Worldwide


RESTON, Va — Sept. 28, 2021 — MSSP Alert, published by After Nines Inc., has named CyberSheath to the Top 250 MSSPs list for 2021.


The list and research identify and honor the top MSSPs, managed detection and response (MDR) and Security Operations Center as a Service (SOCaaS) providers worldwide.


The rankings are based on MSSP Alert’s 2021 readership survey combined with the digital media site’s global editorial coverage of managed security services providers. The fifth-annual list and research report track the managed security service market’s ongoing growth and evolution.


“As Cybersecurity Maturity Model Certification (CMMC) is implemented, defense contractors have been sold incomplete options causing them to overspend and under-comply. CyberSheath’s Managed Services deliver a complete solution for federal contractors seeking to achieve compliance with the new requirements and remain eligible to win Department of Defense business,” said Eric Noonan, CEO of CyberSheath. “Ranking so high on this list demonstrates just how critical our efforts have been in keeping defense contractors compliant and further illustrates how CMMC has changed the federal contracting landscape for the better.”


“After Nines Inc. and MSSP Alert congratulate CyberSheath on this year’s honor,” said Amy Katz, CEO of After Nines Inc. “Amid continued ransomware, malware and supply chain cyber attacks, the MSSP Alert readership and community continues to mitigate risks for businesses and government organizations worldwide.”


Highlights from the associated MSSP Alert research include:

  • MSSP Revenue Growth & Financial Performance: MSSP honorees, on average, expect to generate $22.3 million in revenue for 2021, up 16% from $19.2 million in 2020. The growth rate remains consistent with last year’s report.
  • Geography: Honorees are headquartered in 26 different countries.
  • Profits: 85% of MSSPs surveyed expect to be profitable for fiscal year 2021, which is roughly even with 2020.
  • Security Operations Centers: 71% have in-house SOCs, 19% are hybrid, 8% completely outsource their SOCs, and 2% are reevaluating their SOC strategies.
  • Cyberattack Trends: The most frequent attacks targeting MSSP customers in 2021 include vulnerability exploits (87%), phishing (96%), and ransomware (89%) incidents.
  • Cybersecurity Solutions: In a continued sign of market fragmentation, MSSP survey participants mentioned 130 different hardware, software, cloud, and services vendors that assist their cybersecurity efforts — roughly even with our 2020 report.
  • New Managed Security Services Offered: In addition to traditional managed security services, capabilities such as MDR (91%) have now gone mainstream. Plus, fast-growth services offered include SOC as a service (76%), XDR (67%), cyber talent as a service (43%) and cloud security posture management (41%).


The Top 250 MSSPs list and research were overseen by Content Czar Joe Panettieri. Find the online list and associated report here:


CyberSheath is continuing to educate the Defense Industrial Base on the ins and outs of CMMC with a virtual event on Sept. 29. CMMC Con 2021 will equip defense contractors with a better understanding of the evolving threat landscape, the impact of cybersecurity compliance law aimed at mitigating these threats, and the how-to for solving these challenges.


About CyberSheath Services International, LLC

Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at



CyberSheath Services International, LLC

Kristen Morales at


About After Nines Inc.

After Nines Inc. provides timeless IT guidance for strategic partners and IT security professionals across ChannelE2E and MSSP Alert. ChannelE2E tracks every stage of the IT service provider journey, from entrepreneur to exit. MSSP Alert is the global voice for Managed Security Services Providers (MSSPs).

  • For sponsorship information contact After Nines Inc. CEO Amy Katz,
  • For content and editorial questions contact After Nines Inc. Content Czar Joe Panettieri,

As a defense contractor, you are eager to get your company compliant with the Cybersecurity Maturity Model Certification (CMMC). You’ve assessed your organization for CMMC readiness, documented your system security plan (SSP), formulated your plans of actions and milestones (POAMs)–and now it’s time to get it all done and implement any outstanding controls. How do you start? And what should you know before you dive in?

Where to start in securing your environment

If you are at the implementation stage, then you know there are 130 controls required to protect controlled unclassified information (CUI). Addressing all of these security measures can seem like a daunting task, as your organization must meet all 130 controls to be CMMC compliant. Let’s discuss the controls by general category.


Security Monitoring Controls

Security Information and Event Management (SIEM)

Regular review of logs is not only a key part of CMMC and NIST SP 800-171 but also a general best practice. However, aggregating and reviewing the massive volume of logs is not practical with manual processes.

Recommended tools: Microsoft Sentinel or Splunk

These tools ingest large amounts of data and correlate it; then, based on the analytic rules enabled inside the SIEM environment, they escalate events of interest to you. This allows you and your analysts to narrow your focus when determining whether there really is an incident in your environment.


Vulnerability Scanning

A vulnerability and patch management strategy is an essential requirement to meet CMMC. Unpatched vulnerabilities are frequently exploited by threat actors, leading to ransomware and data theft.

Recommended tools: Tenable and Qualys

These solutions are run in client environments to determine what vulnerabilities exist, and what patches are needed in the environment.


IT Infrastructure Controls

IT infrastructure refers to all of your company’s hardware and software, both on premises and in the cloud. Many companies struggle to implement controls in environments where CUI is stored on premises on older, unsupported hardware and software, which puts CUI at risk.

Shadow IT, meaning individuals inside the organization spinning up servers in AWS, Azure, or Google Cloud on top of what is happening in your managed environment, may need to be addressed under CMMC as well if those systems handle CUI.


Policy and Administrative Controls

One of the key points in gaining CMMC compliance is ensuring that your controls have maturity. A POAM and SSP are both great tools to help you get there. Having documents including policies, plans, and standards explaining what the control is and how the company achieves each control is important.

Make sure you are capturing what technology you are putting in place and the processes for implementing and managing that technology. Also create documentation about how to perform specific functions in the environment, including incident response, vulnerability management, and risk management plans. Be mindful that these plans need to be understood, actively used, and approved across the organization.


Enclave Strategy

As your organization works to implement these controls, it might make sense to consider strategies to help you gain compliance, like creating an enclave. This is a way for companies to secure CUI without re-architecting their entire environment.

By embracing cloud infrastructure, companies can quickly stand up and secure CUI through several methods.

  • External CUI Communication – There may be times when you are working with a partner on CUI. You may not want them to have access to your environment, and you may want a very secure enclave with controls so that it is very clear who is accessing that documentation. In this scenario, host the documentation in SharePoint within a GCC (Government Community Cloud) environment.
  • Hybrid Cloud – This is where you allow for segmented data that utilizes your existing Active Directory authentication structure, but also has an area inside the cloud that allows for segmentation and data storage. You have controls around that data to secure it, and individuals who lack internal clearance cannot access that data.
  • Private Cloud – This approach has an entirely separate cloud infrastructure for hosting CUI, including controls around servers and desktops, encompassing everything that resides in the cloud tenant. This strategy reduces the control burden on users who don’t need access to CUI. This is a great option to ensure that CUI data is protected.


Helpful Resources

Securing your infrastructure can be an intensive process as every environment is different. Microsoft has released a great tool mapping their products to CMMC, so you can easily visualize what tools will help you meet CMMC Level 3 compliance. 

Download Microsoft mapping tool 


No matter what stage your organization is at in working to gain CMMC compliance, the team at CyberSheath can help. From assessments and creation of SSP and POAMs to remediation and compliance management–we have the knowledge, skills, and experience to help your organization get it done. Contact us today.

As more resources move to the cloud and users increasingly work remotely, the National Security Agency issued new cybersecurity guidance. It had a line of particular importance for those companies that must meet CMMC compliance.


“NSA strongly recommends that a zero-trust security model be considered for all critical networks within National Security Systems, the Department of Defense’s critical networks, and Defense Industrial Base critical networks and systems,” the agency wrote in a February report.


The zero-trust model will evolve contractors’ compliance strategies as the CMMC rollout continues but could be key for companies outside the DIB also, because CMMC compliance may soon be required for a larger scope of contractors. The General Services Administration’s (GSA) STARS III solicitation states, “(w)hile CMMC is currently a DoD requirement, it may also have utility as a baseline for civilian acquisitions.”


Keith Nakasone, former deputy assistant commissioner of acquisition management for the GSA, will join CMMC Con to address how CMMC may soon be a requirement for all federal contracts.


Nakasone joined VMware as a federal strategist in June, after spending more than four years with the GSA. There, he oversaw roughly 300 procurement personnel and contracts worth more than $30 billion per year. Nakasone, who has 32 years of government experience, previously had senior procurement roles at the Federal Communications Commission and Defense Information Systems Agency.


Nakasone will join CyberSheath Vice President of Security Services Carl Herberger for a question and answer session on CMMC and supply chain security for all small companies working as contractors for the U.S. government. Register for CMMC Con 2021 now to join the discussion and learn how CMMC applies beyond the DoD.

As your organization works toward achieving CMMC compliance, creating your System Security Plan (SSP) and Plan of Action and Milestones (POA&M) are critical steps in the process. Both documents provide a foundation for your remediation efforts as you work to close all of your company’s cybersecurity compliance gaps.

Find the right SSP for your organization

Your SSP will outline how your organization approaches cybersecurity. It is your opportunity to narrate your security controls including discussing your environment and how you meet the intent of your controls. Before you begin drafting your plan, you need to determine which approach to take. Select one of the below to get started.

  • Organizational plan – Sometimes called an enterprise system security plan, these plans represent a system security approach across an organization defining a standard cross-organization adoption of control requirements. Organizational plans work well for less complex organizations where all technology can be represented in a single document.
  • System focused plan – This approach concentrates on security through the lens of a particular system, IT service, or enclave, and fully documents control implementation details from the perspective of a specific system only.
  • Hybrid plan – This plan is between an organizational system security plan and a single system or enclave system security plan. It takes the idea of standardization from the organizational plan, but documents your deviations from your overarching standard in addendums or appendices.
  • Shared compliance – This is a type of hybrid plan that documents the accountability of control implementation that lies with a service provider. The organization should ensure, contractually or through verification, that inherited controls are in place at the service provider and that they are applicable to the systems and/or services in scope for system security planning.


SSP document structure

Regardless of the type of plan you proceed with, here is guidance on how to structure your SSP. Include the following report elements.

  • System information – In this section it is important to include ownership and accountability for each system you are documenting, as well as a systems environment description, data flows and interconnections, users and roles, and hardware and software components.
  • Control narratives – For each control, note the status, which should be compliant, partially compliant, not compliant, not applicable, or inherited, and provide a narrative about the status. Also describe how the control is implemented; this is your opportunity to discuss the control requirement. For every control where you are partially compliant or not compliant, provide a summary of planned actions to reach compliance and direct readers to your POA&M.
  • Other considerations – There are other types of information that can be helpful to include in your SSP including:
    • Diagrams and visual representations to illustrate what your system is and how it works.
    • Assessment guide and supplemental guidance to assist your narratives and show what you need to achieve and how you will meet your objectives.
    • Expected or maintained evidence and artifacts to demonstrate how you will or are implementing the controls.
    • Maturity references including policies, practices, and plans to tie the pieces together and make it easier for a certifier to track down those pieces of evidence that confirm your controls are not newly implemented.
    • CUI authorizations to show the flow of CUI in your environment. This should cover where CUI should exist, where it is stored, how it should be accessed, and how it flows.


Take the steps to compliance with a POA&M

A POA&M is a corrective action tracking mechanism. Here are the key components to have as you develop your own POA&M to assist with your CMMC compliance efforts.

  • Corrective actions list in the form of actionable tasks – What are the actions that you need to take to implement each control?
  • Milestones and timeline to achieve compliance – When do you plan to have each action completed? Include interim completion dates.
  • Ownership and resourcing of tasks – Who is responsible for managing and completing each action?
  • Prioritization – What is the compliance impact, estimated cost, and risk of each?
  • Weakness or deficiency – How was the weakness that requires this action identified?
  • Control mapping – Which control does this action correspond to and address?
  • Status – What is the status? Is this action ongoing or completed?


POA&M process and workflow tips

Start with a template and your assessment data as input. Select your template and aggregate all the information you uncovered in your internal assessment, external assessment, or audit. These will be your two inputs to leverage in building your plan of action and milestones.

Convert assessment recommendations to actionable tasks. Sometimes assessment-speak is at a high level. Make sure you are breaking down each requirement into steps that make sense. Include the necessary detail to address the steps your organization needs to take to bring you into a compliant state.

Populate your POA&M and follow your planned timeline. Note any changes to your targeted dates and make sure that you’re actively using this plan to help you achieve compliance.

Maintain your POA&M as you close out your tasks. Once you complete a task, move the status to complete. If you appropriately maintain your POA&M, it is easy to track your progress and note your outstanding items. It also establishes an audit trail of tasks that you are closing out.


SSP and POA&M Resources

The documents listed below are useful as you build your own SSP and POA&M.


If you have questions about how your organization can craft its SSP and POA&M, contact the experts at CyberSheath. We have helped clients assess and document their cybersecurity state, implement controls, and achieve and maintain compliance. Get started today.


As your organization is gearing up to start the process of attaining Cybersecurity Maturity Model Certification (CMMC), it is important to know how this cybersecurity standard compares to other regulations.


Five Ways that CMMC Differs from Other Laws


1. CMMC is a certification.

Most regulations, laws, and mandates are attestations, but CMMC is more than that. It requires a third-party audit to certify that your organization is adhering to the cybersecurity practices and procedures the standard outlines. The audit must be completed by a CMMC third-party assessor organization (C3PAO), which will then make a recommendation to the accreditation body (AB) as to whether your organization meets the certification requirements. Attestations often simply require a company to claim that it is compliant, relying on organizations to honestly self-report their status without requiring information and artifacts for confirmation.

Seeking certification will significantly impact organizations. Each company must decide if they are going to take CMMC seriously, dive in, and get it done. Does the potential revenue from bidding on and securing DoD contracts make this effort worthwhile? Only your organization can make that important decision for itself.


2. CMMC is an audit and not a point-in-time assessment.

In order to count as completed and apply toward certification, the controls must be mature. An audit typically reviews organizational policies and behavior over a period of time. With CMMC, assessors look at the maturity of the processes. It is not just about the product, software, and tools; it is also about the process, procedures, and organizational learning around each control.

For example, with a point-in-time assessment, what often happens is that an organization quickly implements the control or writes the policy, but that does not mean the policy is fully implemented. With a CMMC audit, if a company has an acceptable use policy, the audit will review that policy, including the date it was created, the timeline of changes to it, and other proof that it has been in place and is truly part of the way the company operates.


3. CMMC is piloted.

Most laws or regulations are introduced quickly with organizations receiving little to no guidance, other than the necessity of being compliant by a certain date. The DoD and AB are rolling CMMC out in a controlled manner to address any issues upfront. This approach also provides companies the time they need to determine what the mandate requires, as well as the opportunity to implement any new processes or procedures before certification is mandatory. CMMC will not be fully implemented until late 2025. Each year the AB will require a few more contractors and subcontractors to be certified.


4. CMMC is pass/fail.

If your company fails to comply with the requirements of certification, you will forfeit your ability to secure valuable contracts from the DoD. As mentioned above, other regulations are self-reported attestations. If a company does not initially pass CMMC certification and therefore is not recommended for certification by the AB, it reportedly has a 90-day period to remediate, address minor issues, and resubmit. Any major deficiencies will require undergoing another assessment.

Your time commitment and the difficulty of passing CMMC depend on the size of your organization and the maturity level you are hoping to attain, as dictated by the type of contracts you wish to bid on and the types of information your company receives.


5. Interim scoring system promotes early adherence.

The Supplier Performance Risk System (SPRS) interim scoring allows your organization, as well as the DoD, to see how you are doing. The score can range from negative 203 to a perfect score of 110 if your company has properly implemented all 110 controls of NIST Special Publication 800-171.

Under the current DFARS rule, all companies doing business with the DoD must log their SPRS score. The assessment that happens as you determine your SPRS score is extremely helpful as you build your remediation plans to address your compliance deficiencies. As you improve your cybersecurity by implementing better practices, you may update your SPRS score, notifying the DoD of your commitment to meeting their requirements.

SPRS is a helpful centralized tool to help you get ready for CMMC. It is a stepping stone to monitor your progress and to help you get to where you’ll need to be by the 2025 deadline.
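The POA&M components and workflow described in the SSP/POA&M article above (actionable tasks, milestones, ownership, priority, control mapping, status, an audit trail as tasks close) and the SPRS scoring here (a perfect 110, reduced for each unimplemented requirement, rising as you remediate) fit together naturally: the open items in a POA&M are what drive the score down. The following is an added example, not CyberSheath tooling or the DoD's scoring tool. It assumes a caller-supplied weight table mapping each NIST SP 800-171 requirement id to the points deducted while it is unimplemented; the requirement ids use real 800-171 numbering, but the point values and the tracked actions are constructed for illustration, not the DoD's published weights.

```python
"""POA&M tracker whose open items drive an SPRS-style score (added illustrative example)."""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum

PERFECT_SCORE = 110  # the page's perfect score: all 110 requirements implemented


class Status(Enum):
    OPEN = "open"
    ONGOING = "ongoing"
    COMPLETE = "complete"


@dataclass
class Action:
    task: str            # corrective action phrased as an actionable task
    control: str         # control mapping: the requirement this action addresses
    owner: str           # ownership and resourcing
    due: date            # milestone date
    weakness: str        # how the deficiency was identified
    priority: int        # 1 = highest, derived from compliance impact, cost and risk
    status: Status = Status.OPEN
    history: list = field(default_factory=list)  # audit trail: (when, old, new)


class POAM:
    def __init__(self, weights):
        # weights: requirement id -> points deducted while that requirement is open
        self.weights = weights
        self.actions = []

    def add(self, action, when):
        if action.control not in self.weights:
            raise ValueError(f"unknown requirement {action.control}")
        action.history.append((when, None, action.status.value))
        self.actions.append(action)

    def set_status(self, task, status, when):
        """Change a task's status and record the change in its audit trail."""
        for a in self.actions:
            if a.task == task:
                a.history.append((when, a.status.value, status.value))
                a.status = status
                return a
        raise KeyError(task)

    def open_controls(self):
        # a requirement stays unimplemented while ANY action mapped to it is not complete
        return {a.control for a in self.actions if a.status is not Status.COMPLETE}

    def sprs_score(self):
        return PERFECT_SCORE - sum(self.weights[c] for c in self.open_controls())

    def overdue(self, today):
        """Open actions past their milestone, highest priority first."""
        return sorted(
            (a for a in self.actions if a.status is not Status.COMPLETE and a.due < today),
            key=lambda a: (a.priority, a.due),
        )


# Constructed weight table covering only the requirements used below (illustrative values).
WEIGHTS = {"3.5.3": 5, "3.12.1": 3, "3.8.4": 1}


def build_sample():
    """Populate a POA&M from constructed assessment findings."""
    p = POAM(WEIGHTS)
    created = date(2024, 2, 15)
    p.add(Action("Enforce MFA on VPN", "3.5.3", "netops", date(2024, 4, 1),
                 "internal assessment", 1), created)
    p.add(Action("Enforce MFA on admin consoles", "3.5.3", "netops", date(2024, 5, 1),
                 "internal assessment", 1), created)
    p.add(Action("Write annual assessment procedure", "3.12.1", "ciso", date(2024, 3, 1),
                 "external audit", 2), created)
    p.add(Action("Label removable media", "3.8.4", "facilities", date(2024, 6, 1),
                 "internal assessment", 3), created)
    return p


if __name__ == "__main__":
    poam = build_sample()
    print("initial score:", poam.sprs_score())
    poam.set_status("Enforce MFA on VPN", Status.COMPLETE, date(2024, 3, 20))
    print("after closing one of two MFA tasks:", poam.sprs_score())
    poam.set_status("Enforce MFA on admin consoles", Status.COMPLETE, date(2024, 4, 25))
    print("after closing both MFA tasks:", poam.sprs_score())
    print("overdue:", [a.task for a in poam.overdue(date(2024, 5, 1))])
```

Two design points worth noting: closing one of the two MFA tasks does not move the score, because the requirement is only implemented once every action mapped to it is complete, and every status change is appended to the action's history rather than overwriting it, which is the audit trail the POA&M guidance above asks for.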


Next Steps

If you have any questions about CMMC and how to make your path to compliance easier, get in touch with the experts at CyberSheath. We can help you assess where your organization is now, build a plan to enable you to reach compliance, and help you implement the processes and technology required. Contact us today to get started.


RESTON, VA — June 15, 2021 — Leading Managed CMMC Compliance provider CyberSheath has hired Tiffany Egenes as Customer Success Director. In that role, Egenes will act as a customer champion, owning all customer success activities from onboarding to adoption to retention. Her goal, through advocacy and by collaborating across multiple business functions, is to build a customer-centric culture and long-term, high-value relationships with every customer.


“As a fast-growing, compliance-focused MSP/MSSP, CyberSheath recognizes the opportunity to better serve the Defense Industrial Base by building out a customer success organization under a world class leader,” says Eric Noonan, CEO. “CyberSheath puts our customers at the center of everything we do, and Tiffany’s hiring represents a significant milestone on our journey to serving the 350,000 Defense contractors mandated to comply with CMMC.”


Egenes brings more than 20 years of experience as a leader in customer success, professional services, implementation, and project management for organizations ranging from Fortune 15 companies to high-growth startups. As Director, Customer Success and Implementation at Kareo, an integrated medical SaaS platform, Egenes revamped processes and rallied the team around tangible customer success and outcomes, ultimately improving customer satisfaction scores by 70%.


Prior to Kareo, Egenes managed a technical service delivery organization at McKesson that included five lines of business totaling more than $60 million in annual revenues. She also led Sungard Availability Services’ Western Region and Latin America managed services and business continuity recovery operations. There she was in charge of seven managed services data centers and business recovery work centers serving organizations in high tech, government, and other industries.


“CMMC Compliance spans IT, cybersecurity, and governance, and CyberSheath offers all three pieces of that compliance puzzle,” says Egenes. “As a result, we have to integrate with and work in lock step with our customers. As Customer Success Director, I’ll ensure our culture, our relationships, our technology, and our employees are all working in sync and all the pieces are in place to keep customers compliant and secure. Our success is literally our customers’ success.”


Customer success with CMMC starts with better understanding of both the why and how behind the new framework. Join more than 1,000 defense industrial base leaders at CMMC Con 2021 on September 29, 2021, to learn how to navigate the rapidly shifting future of cybersecurity compliance. Registration is now open.


About CyberSheath Services International, LLC


Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at



CyberSheath Services International, LLC

Kristen Morales at

RESTON, Va. — May 18, 2021 — Leading Managed CMMC Compliance provider, CyberSheath, has been chosen to be a part of a select few official resellers for Microsoft GCC High and Office 365 GCC licensing. This adds another opportunity for CyberSheath to help the Defense Industrial Base (DIB) meet the federal government’s compliance and security requirements.

“The ability to sell Microsoft GCC High licensing makes CyberSheath a one-stop CMMC shop,” said Eric Noonan, CEO of CyberSheath. “Unlike other Microsoft partners who only resell the licensing, we also offer all the services — security, IT, and governance — that the DIB needs to manage CMMC compliance.”

In addition to its product and service offerings, CyberSheath has taken the lead on educating government contractors about strategies for CMMC compliance at its annual CMMC Con. The one-day event, returning on September 29, 2021, will reveal the evolving threat landscape, the impact of cybersecurity compliance law, and how to solve these challenges. Learn more and register for CMMC Con 2021.

About CyberSheath Services International, LLC

Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at



CyberSheath Services International, LLC

Kristen Morales at

There are many ways to achieve CMMC compliance, from fully insourced IT, cybersecurity and governance to fully outsourced managed services, each carrying various costs and risks. While the cost of compliance is a valid concern, there’s one constant across all your options: If you don’t meet CMMC standards, you won’t be eligible for DoD contracts. Period.

You might think managing CMMC compliance on your own will save you money, but the process is complex and expensive. Purchasing multiple software solutions and hiring an internal security team and IT team to monitor and manage those solutions, not to mention documenting and providing proof of compliance, all require resources that many small and medium-sized businesses don’t have. And any mistakes can lead to a breach or non-compliance with CMMC, with much more significant costs and consequences.

CMMC managed services, on the other hand, offer assured compliance with less effort and less investment. Partial compliance doesn’t count, and many managed services push small businesses to overspend and under-comply.

The only real comprehensive solution is CyberSheath’s no-nonsense fixed pricing for CMMC managed services. We deliver more value and pricing models that are easy to understand and implement, with no hidden costs. We want to make it as simple as possible for you to achieve CMMC compliance and win DoD contracts. We can deliver the complete solution or just the pieces that you are missing.

And we have pricing that meets you exactly where you are right now.


A Basic, Advanced and Future-Proof Approach to Compliance

No matter where you are in your journey, whether you want to do it yourself or fully invest in managed services, there’s a model for you.

CyberSheath’s basic, advanced and future-proof pricing model offers the tailored level of service you need and a pathway to transition to fully managed compliance if you choose. Here’s what each level of service entails:

Basic: If you are not yet ready to jump fully into CMMC and want to start with an assessment and Supplier Performance Risk System (SPRS) scoring, this is the level for you. It includes everything necessary for SPRS submission including your System Security Plan (SSP) and Plan of Action & Milestones (POAMs).

Enhanced: At this level, you’re looking to outsource the problem of CMMC Maturity Level 1 compliance and achieve a positive score for SPRS submissions. While you retain overall IT management, CyberSheath handles compliance management and governance, management of technical security tools and operations, or both.

You get compliance oversight and reporting through our cloud-based dashboard, and quickly gain the ability to bid on CMMC ML1 contracts.

Future-Proof: If you want full compliance across the board, this is the level for you. With this option, you achieve all 110 controls and requirements for SPRS submission — and CMMC ML3 compliance delivering all of the required people, processes and technology in a unique shared responsibility model.

CyberSheath maintains the rigorous program, technology, engineering, and implementation required for CMMC ML3 standards. We manage your governance, security, and IT operations.


The Value of CMMC Managed Services

With a path to a fully managed CMMC program, you can lay the foundations for your compliance against any shocks to CMMC policy or implementation approaches. We’ll be responsible for ongoing program maintenance encompassing any such shifts, allowing you to continue to leverage your current infrastructure, with the option to grow into a FedRAMP High or GCC High cloud infrastructure in a hosted, compliant process.

With simple fixed pricing, free options for self-attestation, and a flexible pricing model, CyberSheath meets you wherever you are and ensures you’re CMMC compliant and eligible for DoD contracts.

Contact us to meet with a CyberSheath expert today to learn how we can help bring order to the chaos of achieving CMMC compliance.

The enclave approach to CMMC compliance is one of the most cost effective and least disruptive ways to safeguard CUI. You can maintain high-value custodial security of CUI without upending your existing processes, procedures, and people. That way, you can maintain the proper level of CMMC compliance and remain eligible to win DoD contracts.

Remember that CMMC compliance is all or nothing — you’re either compliant or not. And if you’re not, you won’t be eligible to win any business from the DoD. So how you protect CUI is critical.

Depending on how you handle CUI and the CMMC level you must abide by, your enclave is going to need different functionality, which is why you need a CMMC enclave with multiple use-case commitment levels and a way to manage multiple levels of CMMC.

This kind of versatility can be found in CyberSheath’s CMMCEnclave, part of its CMMC Managed Services.

How CMMCEnclave Expands Your Versatility

Based on Microsoft Azure, CMMCEnclave limits organizational CUI data sprawl and enforces role-based access to CUI. It delivers the 130 controls of CMMC ML3. It also establishes a technical program for dealing with other CUI-custodial suppliers to your organization.

And it’s the first CMMC enclave with optional management of multiple levels of CMMC. Those options include:

ML1: Within weeks, become compliant with CMMC ML1 across your entire infrastructure, using Azure Sentinel SIEM continuous security monitoring and log aggregation, managed endpoint detection and response (EDR) and malware protection, and detection and incident response for managed devices.

ML2: At this level, CyberSheath provides an overall virtual security officer and an ongoing compliance program oversight and routine reporting. It includes Tenable vulnerability and secure configuration management, Windows Active Directory identity protection, and multi-factor authentication.

ML3: Quickly gain an ability to bid on CMMC ML3 contracts with our Cloud-Based Hosted Compliance offerings, which include virtual security officer compliance oversight and reporting. Maintain compliance with Azure Information Protection against data leakage, Microsoft Mobility and Device Security Management, secure VPN services, Azure CMMC workbooks, Azure CMMC and NIST blueprints, and Azure Security Center for secure workloads, role-based access control, and configuration and posture management.

ML4 and ML5: We maintain the rigorous program, technology, engineering, and implementation required for the most robust security standards. Get in touch to talk through our offerings at CMMC levels 4 and 5.

A CMMC Enclave that Meets You Where You Are

CyberSheath’s CMMCEnclave includes four different use-case commitment levels based on contractors’ functionality and business needs, including:

External CUI communication: In this case, a secure SharePoint enclave is sufficient. This option can be hosted in GCC High or commercial cloud, depending on whether the data is subject to export controls.

CyberCloud — Shared Service: For users who only access Office applications, SharePoint Online, and OneDrive, this option uses Active Directory Partitions and Windows Virtual Desktop to share desktops in line with CMMC data security standards.

CyberCloud — Hybrid Cloud: Designed for organizations that need an affordable cloud platform and use custom applications or file servers, this option segregates customers on private network segments with network security boundaries on top of Active Directory partitioning. It keeps desktops private and only accessible by a single company, with options for private application servers on a customer network segment.

CyberCloud — Private Cloud: Keep all components, including Active Directory, completely private, with all servers and desktops residing in your Microsoft Azure tenant. You can host any applications or files in your environment and can optionally connect the enclave to your corporate infrastructure.

A New Level of Versatility in CMMC Compliance

CyberSheath’s CMMCEnclave reduces complexity, future-proofs compliance, and lowers costs, both immediate and ongoing.

Learn more about CMMCEnclave and how CyberSheath’s CMMC Managed Services can help you quickly reach compliance with these complex new requirements.  Contact us to meet with a CyberSheath expert today to learn how we can help bring order to the chaos of achieving CMMC compliance.

CMMC is not a compliance framework. It’s a maturity model. That has big implications for how you approach compliance, but also how you keep track of all the elements that make up compliance.

And yet, visibility has been one of the most difficult challenges facing DIB contractors. It used to be that you would have to buy a service from a separate vendor to have any visibility at all into your compliance status, inventory of DFARS compliance artifacts and evidence, and your documented System Security Plan (SSP).

Even with those services, the best many contractors could do was to get a static report around a specific snapshot in time. The value of a report quickly fades in the face of an ever-changing threat landscape, not to mention a dynamic compliance environment. As POAMs evolve and you meet milestones, that report from the past can no longer tell you where you stand.

The dashboards that have existed to date all come with some assembly required. They would act more like containers with placeholders for asset management and other controls, leaving customers to cobble together a dashboard themselves.

It’s time for a real dashboard. This is why CyberSheath has added the first-ever CMMC Compliance-as-a-Service dashboard to its CMMC Managed Services.

A True CMMC Compliance Dashboard for Unparalleled Visibility

Available to customers regardless of previous or future technology selections, CyberSheath’s CMMC dashboard gives comprehensive visibility into every aspect of compliance and is continually updated so you can see at a glance, at any time, where you stand.

The dashboard offers up-to-the-minute visibility into your:

  • Current compliance status
  • Inventory of DFARS compliance artifacts and evidence
  • Security threat landscape and incident levels
  • Current version and documentation of your SSP
  • Supply chain assessment
  • Performance of your CMMC enclaves or regimes

It not only confirms your compliance status, but evolves and expands with your business as you need to meet new maturity levels. It also holds us accountable against the SLA we’re on contract for by showing you exactly where you stand with respect to CMMC requirements so there’s never a question of whether you’re eligible for DoD contracts. The dashboard gives you everything you need to know about your CMMC compliance status.

CyberSheath CMMC Compliance Dashboard

CyberSheath built the CMMC Compliance Dashboard leveraging the technology of the world’s leading companies including:

  • Microsoft Azure NIST & CMMC Blueprints
  • Microsoft Azure CMMC Workbooks
  • Microsoft Sentinel SOAR & Correlation engines

It also benefits from unique integrations such as compliance landscape updates.

It’s not enough to simply achieve compliance. As a maturity model, CMMC requires a new level of visibility. Learn more about CyberSheath’s CMMC Managed Services and how our dashboard helps contractors stay up to date on their CMMC compliance status, the current threat landscape, and their CMMCEnclave performance.

Need Help?

As your organization moves to become compliant with any level of CMMC, challenges can arise. CMMC compliance requires documented, integrated and evidence-based Cybersecurity, IT, and Governance – all of which is addressed in our recently enhanced CMMC Managed Services. Contact us to meet with a CyberSheath expert today to learn how we can help bring order to the chaos of achieving CMMC compliance.

For any of a variety of reasons including lack of communication, slow response times, or prolonged downtime, your organization has decided to change your managed service provider (MSP). Whether you have already signed an agreement with a new MSP or you are actively looking for a replacement, now is the time to take important steps to ensure that the transition to your new provider is a smooth one.

Tips on Getting Offboarding Started

  • Maintain communication – In terms of your outgoing MSP, one adage rings true–don’t burn bridges. The company you are letting go is a key to your success moving forward. Severing all ties prematurely could leave your company stranded, unsupportable, and looking at a larger bill to recover data, admin credentials, and backups, as well as negatively impact your overall business.
  • Transfer knowledge – While CyberSheath or another onboarding MSP has no authority to require the outbound MSP supply the needed information to manage the infrastructure effectively, performing knowledge transfer with your outgoing MSP can assist with all entities involved working as a team.
  • Include key details in release letter – Note that it is essential to have these expectations listed in your release letter. It is also a great idea to have the leaving MSP sign off and agree to participate in this process. Without these items, your new MSP will have the daunting task of figuring out your infrastructure and credentials.
  • Don’t delete a Global Admin account – Without the global admin account for your domain controller or Active Directory, you will not be able to do much. Deleting one of these accounts could have downstream effects on your infrastructure and access that could require significant recovery efforts, which means considerable expense.
  • Ensure outgoing MSP participation in the process – It is also a great idea to have the leaving MSP sign off and agree to participate in the offboarding process. Without this input, your incoming MSP will have the daunting task of figuring out your infrastructure and credentials, which is not easy without certain information.

Key Information to Document

Remember that the outgoing service provider was a partner in your network and infrastructure, and therefore possesses information that is vital in supporting the success of your new service provider.

Below is an initial list of important information to record as you prepare to offboard your exiting MSP. Keep in mind that your company may have unique situations requiring additional information be turned over.

  1. All admin credentials for all in-scope devices used in the course of business. These include, but are not limited to, servers, routers, firewalls, storage devices, and applications used by your company. It is a good idea to maintain a list of these even if you are not transitioning to a new MSP. MSPs often create accounts for themselves within your infrastructure. These are now keys to your environment, so it is good practice to keep a list of who has access.
  2. All intellectual property (IP) needed to maintain current business practices and processes. MSPs often acquire a lot of knowledge about your company in their day-to-day operations of supporting your company. While it may be impractical to truly download everything your outgoing MSP knows about your company, it is a good idea to have a non-disclosure agreement (NDA) in place to ensure that information stays confidential.
  3. Complete list of all assets currently managed. This will help your new MSP understand your environment.
  4. Network topology diagram, including current IP mappings and ports used for day-to-day operations. CyberSheath recommends that you review this diagram on a quarterly basis or as you change components within your infrastructure. For example, if you moved on-premises servers to the cloud, be sure to ask for an updated diagram.
  5. Knowledge base information specific to or used in the support of your company’s infrastructure. The importance of this cannot be overstated. All companies have IT skeletons in their closets. Moving to a new MSP without helping them understand the unexpected sets the stage for failure.
  6. Backup schedules and access to the location where backup data is stored. Also be sure to have access to credentials to retrieve those backups and applications used to perform these tasks, as well as the most recent full backup.
  7. License schedule and account information associated with those licenses so that the licenses can be transferred to your onboarding MSP. Companies should always document and maintain this information. You cannot renew or transfer software licenses without a company’s account number and approval. It is also recommended to have a quarterly review of your licensing footprint, as unused licenses incur unnoticed expenses.
  8. Technical Point of Contact (TPOC) that can be available for the dates of the transition (usually 30 to 60 days). It is important that the person in this role understands technical issues to ensure the onboarding company has access to the client’s IT dependencies.

If you are still searching for your new MSP, CyberSheath offers a unique managed service combining security and IT services, which bring our customers a complete, protected service solution. Our MSP offering is secure, contains no ransomware, and allows our customers to keep their data.

We keep our customers up and running. Learn more about our managed services to help you with CMMC compliance, DFARS/NIST 800-171 compliance, or managed IT for defense contractors.

As your organization works to determine the meaning and application of the various levels of the newly enacted Cybersecurity Maturity Model Certification (CMMC), questions arise. One particular question concerns SIEM as it pertains to the first level of CMMC. The short answer to whether it is required or not is: it’s complicated.

A Closer Look at Level 1 SIEM Requirements

The key word in the assessment guide and in the CMMC practice for Systems and Communication Protection (SC) found at SC.1.175 is ‘Monitor.’ This practice requirement is heavily focused on perimeter and boundary defense, meaning that your cyber boundaries must be controlled, protected, and monitored.

What it means to your company – Chances are, you already have a firewall. Consequently, the most common compliance issue the CyberSheath team sees with this particular requirement is a lack of proactive monitoring. In CMMC level 1, you only need to address the one SC requirement–boundary protection and control services, such as firewall, intrusion detection system (IDS), intrusion prevention system (IPS), and web proxy if it exists.

How CyberSheath can help – At CyberSheath, we monitor your IT infrastructure with Azure Sentinel. Level 1 monitoring is cost-effective as there is less activity required, with less log integration, less log consumption, and less Azure Sentinel cost.

For Level 1, the monitoring cost is mostly based on storage, and excludes licensing, deployment, and management of Microsoft Defender or the Log Analytics Agent, since only the boundary and perimeter devices need to be monitored. Also, Level 1 typically does not include Government Community Cloud (GCC) requirements, as there is no controlled unclassified information (CUI) to contend with, only federal contract information (FCI). As a result, commercial Microsoft services are appropriate for the SIEM requirements of Level 1.
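As an added illustration of what the ‘Monitor’ in SC.1.175 means in practice (example code written for this article, not CyberSheath’s tooling or its Sentinel content), the script below runs two boundary checks over a handful of constructed firewall log lines: an allowed inbound connection to an administrative port, and a source whose denied probes touch many distinct ports inside a short window. The key=value log format, the host name fw01 and all addresses (RFC 5737 documentation ranges) are assumptions; a real deployment would express the same logic as SIEM analytics rules over the actual firewall and IDS feed.

```python
"""Boundary-device monitoring over firewall logs.

Added example for this article; it is not CyberSheath's Sentinel content.
The key=value log format, the host name fw01 and all addresses (RFC 5737
documentation ranges) are constructed. In production the same two checks
would run as SIEM analytics rules over the real firewall/IDS feed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of denied probes from one source, one allowed
# inbound RDP session, isolated single denies, and normal outbound traffic.
SAMPLE_LOGS = """\
2021-04-01T10:00:01Z fw01 action=deny src=203.0.113.7 dst=198.51.100.10 dport=21 proto=tcp dir=inbound
2021-04-01T10:00:02Z fw01 action=deny src=203.0.113.7 dst=198.51.100.10 dport=22 proto=tcp dir=inbound
2021-04-01T10:00:03Z fw01 action=deny src=203.0.113.7 dst=198.51.100.10 dport=23 proto=tcp dir=inbound
2021-04-01T10:00:04Z fw01 action=deny src=203.0.113.7 dst=198.51.100.10 dport=25 proto=tcp dir=inbound
2021-04-01T10:00:05Z fw01 action=deny src=203.0.113.7 dst=198.51.100.10 dport=80 proto=tcp dir=inbound
2021-04-01T10:00:06Z fw01 action=deny src=203.0.113.7 dst=198.51.100.10 dport=8080 proto=tcp dir=inbound
2021-04-01T10:00:10Z fw01 action=allow src=203.0.113.42 dst=198.51.100.10 dport=443 proto=tcp dir=inbound
2021-04-01T10:00:12Z fw01 action=allow src=192.0.2.55 dst=198.51.100.20 dport=3389 proto=tcp dir=inbound
2021-04-01T10:00:15Z fw01 action=deny src=203.0.113.9 dst=198.51.100.10 dport=445 proto=tcp dir=inbound
2021-04-01T10:05:15Z fw01 action=deny src=203.0.113.9 dst=198.51.100.10 dport=445 proto=tcp dir=inbound
2021-04-01T10:06:00Z fw01 action=allow src=10.0.0.5 dst=198.51.100.99 dport=443 proto=tcp dir=outbound
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
ADMIN_PORTS = {22, 23, 3389, 5900}   # SSH, Telnet, RDP, VNC: not to be reachable from outside
SCAN_PORT_THRESHOLD = 5              # distinct ports denied from one source ...
SCAN_WINDOW = timedelta(minutes=1)   # ... within this window looks like a scan


def parse_line(line):
    """Turn one '<timestamp> <host> k=v k=v ...' line into a typed dict."""
    ts_text, host, rest = line.split(" ", 2)
    fields = dict(FIELD_RE.findall(rest))
    return {
        "ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "action": fields["action"],
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "dir": fields["dir"],
    }


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_admin_port_exposure(events):
    """Inbound connections the firewall *allowed* to an administrative port.

    A deny here is the firewall doing its job; an allow is a boundary rule
    that should not exist and needs a human to review it.
    """
    return [(e["src"], e["dport"]) for e in events
            if e["dir"] == "inbound" and e["action"] == "allow" and e["dport"] in ADMIN_PORTS]


def detect_port_scans(events, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW):
    """Sources whose denied inbound attempts hit >= threshold distinct ports in a sliding window.

    Returns {source: most distinct ports seen in any one window}.
    """
    denied = defaultdict(list)
    for e in events:
        if e["dir"] == "inbound" and e["action"] == "deny":
            denied[e["src"]].append(e)
    alerts = {}
    for src, evs in denied.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print("exposed admin ports:", detect_admin_port_exposure(events))
    print("scan-like sources:", detect_port_scans(events))
```

The point of the second check is the distinction the paragraph above draws: the firewall already denies the probes, so the log volume is modest and the storage cost small, but nobody notices the pattern unless something reads those denies and correlates them by source.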

Requirements Shift as You Advance to Level 3

As your organization moves to higher levels of CMMC, more controls need to be enacted around monitoring users including detecting unauthorized use of accounts, responding to support incidents, tracking log correlation requirements, and more.

At Level 3, your organization needs the right log sources to support the investigative process, such as endpoint protection, perimeter monitoring, authentication logs, and other security tools. As you can see, the resources needed to achieve Level 3 are more advanced, and also carry higher Azure Sentinel data costs.

Another Consideration for SIEM Requirements

The System and Information Integrity control family requires the ability to detect malware and update signatures at appropriate locations. The assessment guide specifies items like the ability to detect malware on the network (IDS/IPS) and on endpoints (anti-virus and endpoint detection and response (EDR)).

If your company wants to use basic, built-in Windows Defender, this can meet a Level 1 requirement. However, if your organization wants to license Microsoft Endpoint Defender to solve for this, you have the opportunity to easily integrate with Sentinel for monitoring on Commercial licensing at a fairly low cost. While not a necessity for CMMC level 1, this solution is good to have and also better prepares you should you seek CMMC Level 3 in the future.

Need Help?

As your organization moves to become compliant with any level of CMMC, challenges can arise. Join Eric Noonan and Carl Herberger, VP of Security Services, on Wednesday, April 21st, 2021 at 9:00am (PST) | 12:00pm (EST), for “CMMC – How It Started. How It’s Going,” when they will talk through five common pain points experienced by organizations tackling DoD regulations.

No matter where you are on your path to compliance – calculating your assessment scores, navigating SPRS, implementing the controls, or writing your SSP – this webinar will accelerate your journey. Register Now.


Webinar CMMC - How It Started. How It's Going.

Many defense contractors outsource their IT to a Managed Service Provider (MSP), which generally delivers the IT required and allows a business to focus on its core competency. IT managed services through MSPs have been around for a long time now and rarely include services or commitments to meet compliance requirements like the Cybersecurity Maturity Model Certification (CMMC). It has only been in the last several years that MSPs have moved into the cybersecurity space to expand on their IT service offerings. At best, the MSP market for defense contractors offers IT and cybersecurity from one provider but completely ignores CMMC compliance requirements. This is a big problem for Department of Defense (DoD) contractors, as their future revenue opportunities depend upon achieving compliance.

Most MSPs are brand new to CMMC, and unfortunately for their customers, asset management, patching, and media sanitization stand in the way of CMMC compliance and DoD revenue opportunities. Defense contractors who have an MSP, or are looking for one, are putting their revenue opportunities in the hands of a third party. It is time to rethink your MSP relationship and possibly start searching for alternatives.

The Role of IT in achieving CMMC

Much of the thinking to date around MSPs and CMMC gets into nuanced legal issues around the MSP’s access to Controlled Unclassified Information (CUI). Still, the real problem is much more fundamental and easy to understand. Your MSP is responsible for many of the requirements tied to your eventual CMMC objective. If your MSP is not delivering their services in a way that produces evidence of compliance with CMMC, you won’t achieve certification; it is truly that simple. Many of the requirements of CMMC fall into the information technology category when it comes to delivering them on a day-to-day basis. All of the attention so far has been focused on the cybersecurity requirements of CMMC. Still, as anybody in an operational role knows, much of CMMC falls to the IT delivery organization. If your IT delivery organization is an MSP, are you comfortable trusting them with your future revenue opportunities? Will they learn about CMMC on your dime? Do they even mention CMMC services on their current website?

You need an MSP that can marry the delivery of IT, cybersecurity, and governance in one comprehensive, measurable package to ensure compliance. CMMC stands in the way of all future revenue opportunities with the DoD; it is too important to be an add-on to your existing MSP services. 

A potentially worse scenario is having one vendor deliver your IT services as an MSP and another vendor responsible for cybersecurity as your MSSP, with you stuck in the middle playing referee. There is no way around it; achieving CMMC is difficult, costs money, and requires the coordination of IT, cybersecurity, and governance activities. Most small to medium businesses don’t have the resources to coordinate these activities or even know how to evaluate vendor claims around CMMC. Asking an MSP to unpack the nuances and complexities of NIST 800-171, SPRS submission, and CMMC is generally a bridge too far for any MSP that wasn’t created exclusively to service the defense industrial base and its unique regulatory requirements.

So, what should small and mid-sized defense contractors do?

At our upcoming webinar, we will talk about bringing order to the chaos of achieving NIST 800-171 and CMMC compliance. We discuss strategies through the lens of working with an MSP because few are equipped to meet all NIST 800-171 and CMMC requirements on their own. We will detail solutions to key pain points felt by defense contractors contractually obligated to meet DoD requirements giving you insights into implementing these solutions with internal resources or through your MSP.

No matter where you are on your path to compliance – calculating your assessment scores, navigating SPRS, implementing the controls, or shopping for an MSP – this webinar will accelerate your journey. Register Now.


Webinar CMMC - How It Started. How It's Going.

The Department of Defense (DoD) has provided Florida’s business community with a $22 billion opportunity, but there’s a catch. Before Florida’s prime and sub-contractor defense companies can win those contracts, they must meet cybersecurity regulations. These standards have become minimums that must be met before contract award and include the Defense Federal Acquisition Regulation Supplement (DFARS) regulations and the DoD’s new Cybersecurity Maturity Model Certification (CMMC). With more than $22 billion a year spent on contracted defense procurement across Florida and more than $95 billion in total annual economic impact from the state’s military defense presence, meeting these requirements is critical to the warfighter and the state economy. CMMC is the DoD’s effort to ensure all defense contractors are practicing and maintaining the proper security level to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Moving forward, compliance with these requirements stands in front of any revenue opportunities with the DoD.

Eric Noonan, CyberSheath’s CEO, will be speaking at Florida Space Coast Cybersecurity Forum 2021, with a focus on the “how” behind achieving compliance. Register for the event here and tune in on March 23, 2021 at 9:00 am EST, to learn more.

As founder and CEO of CyberSheath, a Sponsor of Florida Space Coast Cybersecurity Forum 2021, Eric is well versed in the goals and efforts behind the CMMC. CyberSheath has been delivering audit-ready, compliance-focused managed services for NIST 800-171 requirements for 8+ years, and the CMMC is the next evolution of those standards. CyberSheath has been a part of the DoD public/private partnership since the beginning and is a CMMC Registered Provider Organization (CMMC-RPO), focused on enabling defense contractors to achieve compliance.

CMMC is one of the most comprehensive and impactful moves by the DoD to better secure sensitive data on defense contractors’ systems and networks. As a new set of requirements, many defense contractors are still working to understand the complexities and nuances of the standards, what they are responsible for, and how to implement those changes.

CyberSheath launched our compliance managed services for CMMC to assist DoD contractors through the process. Through our managed services, we are able to meet contractors where they are, identify gaps in CMMC compliance, implement the changes, and maintain and assure their compliance at the proper level.

We wanted to Sponsor Florida Space Coast Cybersecurity Forum 2021 because it’s advancing important conversations around the state of security and where we can go from here.

While the U.S. faces cyber threats from around the world, we have plenty of lessons to learn from and a new bar for effective cybersecurity.  We don’t know what attacks might be coming, but we do know how to prepare. We hope this year’s conference will spur all in attendance to advance the cybersecurity goals that will defend American innovation and infrastructure.

CyberSheath is excited to announce the availability of a new service offering specifically designed for defense contractors required to ensure compliance from their managed IT providers. This new Managed IT Services for Defense Contractors future-proofs your environment against changes in regulatory scope, interpretation, and/or increased scrutiny of your compliance with DoD contracting over the long term. It is clear that the US Government is becoming less patient with lapses in the Defense Industrial Base (DIB) regulatory compliance of IT management and, paradoxically, cyberthreats are increasing at the same time. Legacy IT delivery models are failing every day, because the lines between IT and security have permanently blurred as to who is accountable for specific requirements.

With big-picture strategic challenges like avoiding nation-state cyber-attacks and industrial espionage, sorting out roles and responsibilities between IT and security is the last thing defense contractors need to worry about.

CyberSheath has long recognized that a large part of IT delivery, things like patching and asset management, is foundational to NIST 800-171 and CMMC compliance, which is why we are offering a force-multiplying solution for Managed IT services. This offering is only available to defense contractors and is uniquely built to make CMMC and NIST 800-171 compliance a natural outcome of day-to-day operations.

What is the DIB Managed Service Provider Compliance Problem?

Defense contractors have a special responsibility to the DoD in ensuring supply chain integrity and trustworthiness and as a result must adhere to cybersecurity requirements outlined across a variety of Federal Regulations, including:

FAR 52.204-21 (calls for 15 cybersecurity controls, inclusive of specific verbatim pass-through / flow-down wording to subcontractors and service providers handling Federal Contract Information (FCI)-type data)

DFARS 252.204-7012 (calls for 110 cybersecurity controls, inclusive of specific verbatim pass-through / flow-down wording to subcontractors and service providers handling Controlled Unclassified Information (CUI)-type data)

DFARS 252.204-7019 through -7021 direct the DIB to the newly created CMMC Advisory Board for guidance on third-party providers (TPPs). For reference, the latest guidance from the CMMC AB is as follows:

OSCs that use cloud services must meet requirements that differ from those for C3PAOs.

1) Companies under the current DFARS 7012 using cloud services or products that receive, transmit, store, and secure CUI on behalf of the contractor must meet requirements as described in the DoD Procurement Toolbox, Cybersecurity FAQ (below in part in comments). Remember: the DoD prime/subcontractor is responsible for ensuring that the CSP meets the requirements at 252.204-7012 (b)(2)(ii)(D).

2) Organizations Seeking Certification (OSC) for CMMC L3 using external service providers/cloud services involving CUI must apply the DOD FAQ and consider the impact/evidence required for inherited practice or process objectives as discussed in the v1.10 CMMC L3 Assessment Guide: “A practice or process objective that is inherited is met because adequate evidence is provided that the enterprise or another entity, such as an External Service Provider (ESP), performs the practice or process objective.” See for official policy/guidance.

Introducing CyberSheath’s New Managed IT for Defense Contractor Service!

CyberSheath’s Managed IT Services for Defense Contractors delivers world-class IT service delivery, integrated with cybersecurity, and produces the documented evidence required to successfully pass a compliance audit or prove certifiable for the next government RFP / RFI. Andy Shooman, CyberSheath’s COO, says: “We’ve been future-proofing our customers from policy and technology changes related to CMMC since our managed services debuted in 2015, and our managed IT services eliminate the finger pointing between IT and security, giving our customers one vendor to hold accountable. The fact is 60% or more of cyber security requirements touch IT in some way, and that has to be accounted for as part of an overall compliance posture.”

Our Managed IT Services for Defense Contractors solution transforms disconnected IT and security functions into a single compliant, integrated, and auditable function.

Base Service Offering: Manage the following in a compliant, cost-effective manner for a US Defense Contractor:

    • Endpoint Management/Support
    • Remote Access via VPN
    • Email
    • Identity & Access Management
    • Firewall & Network Management
    • Operating System and Network Device Patch Management
    • Infrastructure Configuration Management

Provide 24/7/365 Support for the following:

    • Support Ticket Management
    • Help Desk / Problem Resolution
    • End User Support Requests
    • Change Management
    • Asset/Configuration Management
    • System Availability / Outages

Our Premium Service manages the following, in addition to the services above, in a compliant manner for a US Defense Contractor:

    • VOIP Telephony
    • Data Storage
    • System Backups
    • O/M365 Office Suite (beyond Mail)

Benefits of the Managed IT Service for Defense Contractors include the following:

It is easy to deploy and maintain (fully outsourced), and you are COMPLIANT!

  • With CyberSheath’s Assured Compliance Commitment, we commit to having our infrastructure and managed IT services continuously assessed and certified as compliant with DFARS.
  • It is comprehensive technology, security, and governance for DFARS:
    • Managed IT for Defense Contractors is a solution designed from the ground up to comply with DFARS cybersecurity requirements holistically.
  • End-to-end deployment.
    • You can combine this service with a world-class MSSP / security offering. Leveraging CyberSheath’s 24x7x365 Security Operations Center means someone is always watching the client’s network, freeing up resources so they can get on with other important business.
    • Effective Risk Management. Traditional information security / antivirus solutions will not stop polymorphic and zero-day threats. We also understand that defending against nation-states’ unique offensive capabilities requires strong security programs. CyberSheath deploys best-of-breed compliance technology baselines, SIEM, phishing defense, cloud workload protections, endpoint detection and response (EDR), continuous monitoring, and cyber threat intelligence (CTI) solutions, coupled with our experts in threat analysis and intelligence, to deliver actionable information that mitigates risks to a client’s organization.
    • We adjust to changing threats automatically! Through robust managed compliance we keep pace with a fast-changing compliance landscape, so your program can rest assured that the proper descriptions, documentation, and adjustments are made to quickly identify potential threats. We combine the best of human expertise and proven toolsets to keep a client’s organization up to date with compliance.
  • There are easy procurement options.
    • Customized Solutions – Although we have predefined compliance levels, we know every customer is different. So, in the end, our solutions are Tailored to Every Client’s Needs! We know that different organizations require different levels of security. CyberSheath has packaged offerings, allowing you to easily ramp up your security for greater protection without having to deal with multiple vendors or security resellers.
    • Flexibility – We have been on the ground floor of NIST/DFARS/CMMC for 12 years shaping, interpreting, and implementing DoD policy and requirements in a way that meets our customers where they are and keeps them in the game. There is no one size fits all, and rigid implementation and interpretation will cripple your business with excessive cost and best-guess interpretations of what the DoD is looking for.

Why CyberSheath as a Managed IT Services Organization?

CyberSheath has over 8 years of providing information security services for our clients.

Moreover, CyberSheath’s personnel all have a military or defense contracting heritage (or both). Threats are global and ever changing, and require a specialized skillset to truly protect organizations. Our managed services staff include experts with previous roles at global defense contractors, managed security services organizations, and security software and hardware manufacturers, as well as Military Cyber Operations experience, and they hold multiple security and technical certifications including CISSP.

  • Hundreds of successful NIST 800-171 / DFARS 252.204-7012 engagements over the last 8 years
  • CyberSheath was founded to deliver this solution and was “born” out of a Fortune 500 defense contractor’s experience influencing and implementing evolving DoD cybersecurity policy and requirements.
  • “Skin in the game” – We have been through DoD audits, many, with DoD components validating our approach and the work we do. We will be onsite with your team throughout assessment, remediation, managed services, and your eventual audit.

If you are looking for DFARS-compliant Managed IT Services, we look forward to providing you a single point of accountability, not only for providing the requisite controls but also for implementing them across your IT infrastructure: true one-stop shopping.

RESTON, Va.—February 2, 2020—CyberSheath Services International today launched its Managed IT Services for Defense Contractors to ensure compliance with the new cybersecurity standards for commercial contractors of the United States government. The managed services include a Shared Security Compliance Framework to ensure compliance for both DFARS Clause 252.204-7012 / NIST SP 800-171 and the new DFARS 252.204-7019-7021 CMMC requirements.

When combined with CyberSheath’s existing Managed Compliance and Security Services, the new Managed IT Services cover the full spectrum of managed services needs for most U.S. Defense Industrial Base (DIB) contractors. CyberSheath has long recognized that a large part of IT delivery, tasks such as patching and asset management, is foundational to NIST 800-171 and CMMC compliance, and customers need a force-multiplying solution for Managed IT services. This offering is only available to defense contractors and is uniquely built to make CMMC and NIST 800-171 compliance a natural outcome of day-to-day operations.

This new consolidated solution is anchored on Microsoft technology or Microsoft Solution Partner technology, but flexible enough to “meet you where you are.” It has the distinct ability to add compliance or security-as-a-service either upon initial onboarding, or at any time during the subscription period. As a “Hosted Compliance,” it combines elements of MSSP and Managed IT and uses a Microsoft-focused technology stack, including Azure Government Blueprints, Microsoft 365 Government (GCC High), and the full strength of the vast Department of Defense (DoD)-approved Microsoft security portfolio. CyberSheath’s CMMC Managed Services future-proof clients against CMMC policy changes and new implementation requirements.

“Any defense contractor that fails to comply with the CMMC will not be doing business with the DoD moving forward as the DoD now prevents non-compliant contractors from participating in DoD contract awards,” said Andy Shooman, COO at CyberSheath Services International. “Our IT managed services are built for the many defense contractors, both Primes and Subs, that still don’t fully understand the DFARS requirements and believe that their weakest link to compliance may be their existing IT services. Simply put, the new DFARS rules raise the stakes and companies that don’t quickly become compliant will be left out of DoD contracts. Our IT managed services ensure that doesn’t happen.”

The U.S. Department of Defense (DoD) established the CMMC as a new security measure to protect Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and other sensitive data residing on systems and networks owned by defense contractors. The DoD requires all of its contractors and suppliers to comply with the new CMMC standards at a given level and undergo a certification process based on review by an accredited third-party assessment organization prior to contract award.

CyberSheath uses a proven AIM™ (Assess – Implement – Manage) methodology to meet defense contractors where they are and bring them up to standard both for existing regulatory requirements and CMMC. CyberSheath offers five CMMC levels of assured compliance, ranging from premise-based technology companies to cloud-driven FedRAMP High environments. Leveraging AIM™ to identify gaps against CMMC requirements, CyberSheath quickly implements any needed changes and revises architectures to maintain desired levels of CMMC compliance.

CyberSheath takes ownership of CMMC compliance, leveraging a Shared Responsibility Model, a concept uniquely adapted from cloud providers and applied to CMMC Managed Services. This management framework dictates the security obligations of a CMMC compliance environment and its users to ensure accountability and define where and how security measures should be applied, with a special focus on CUI and other sensitive government data. The result is a self-reinforcing model that reduces the burden on government contractors and ensures compliance.

“Frankly, defense contractors have seen a lot of changes in cybersecurity compliance over the past year, but we have been delivering audit-ready, U.S. DoD compliance-focused managed services for more than five years in response to the original NIST 800-171 requirements and know we can assist contractors expeditiously with their needs,” said Mr. Shooman.

About CyberSheath Services International, LLC

Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at


Department of Defense (DoD) suppliers were notified at the end of September about the new DFARS Interim Rule, designed to collect NIST 800-171 assessment scores from all DoD contractors through submittal to the Supplier Performance Risk System (SPRS). As mentioned in a previous blog post, starting in mid-October, Northrop Grumman, Lockheed Martin, General Dynamics, BAE, and other prime contractors sent letters to suppliers asking them to determine their current DoD assessment score and upload it to the SPRS by November 30th. As of December 1st, the DFARS Interim Rule has become law, reinforcing suppliers’ need to submit their NIST 800-171 assessment score to the government to avoid lost DoD revenue.

The CyberSheath team works with our clients to ensure they meet all DoD cybersecurity requirements and, to that end, has assisted our clients in submitting their assessments to the SPRS. To help suppliers navigate a potentially overwhelming process, we have created a step-by-step guide showing how to successfully create an account and submit your assessment score to the government.


Step-by-Step Guide to SPRS Assessment Submittal

Step 1: Set up Your Account

First, visit the PIEE website and click the REGISTER button at the top right of the screen.

PIEE Account Set Up

Next, accept the Privacy Act Statement and Terms and Conditions.

Select VENDOR from the options.

PIEE Vendor Options

If your company has a Common Access Card or Certificate, you can choose this option from the drop-down. However, you can choose User ID/Password if you do not have the other information readily available.

PIEE CAPTCHA

Enter in your security questions.

PIEE Security Questions

Provide your name and contact information.

PIEE User Profile

Enter supervisor (not required) and company contact information.

PIEE Supervisor Contacts

Step 2: Access the Supplier Performance Risk System (SPRS)

Select SPRS (Supplier Performance Risk System) from the drop-down menu.

PIEE SPRS Drop Down Menu

Step 3: Select SPRS Cyber Vendor User

PIEE SPRS Cyber Vendor

Step 4: Add Roles

Next, click ADD ROLES. You will see a line at the bottom with a LOCATION CODE field. This is where you will enter the CAGE code for your company.

PIEE Add Roles

Enter in your CAGE code. If you have multiple CAGE codes, you will need to repeat Step 3 to add those additional lines.

PIEE Add Cage Code

Enter the justification for your account. Attachments would be used for justification and/or identification. However, do not attach your self-assessment here.

Step 5: Complete the Agreement

From here you will need to complete the Agreement portion of the application. You should receive approval for your account promptly after completion. If you do not have a CAGE code, or if your CAGE code has not been registered against an in-use DoD contract, you may not be able to successfully create an account. If you run into this issue, or your company has never won a contract, you can submit your self-assessment via email instead. *NOTE* Remember to submit your self-assessment via encrypted email.

Step 6: Admin Approval of Cage Code

Once you register, the admin who is linked to the CAGE code will have to approve your account.

PIEE Log In Credentials

If you are not the Contract Administrator for the CAGE code and are unsure who that person is, you can look it up by going to the PIEE homepage and selecting FIND MY ACCOUNT ADMINISTRATOR from the NEED HELP WITH YOUR ACCOUNT? menu.

On the next screen you will need to enter your CAGE code under LOCATION CODE. Do NOT select any options from the APPLICATION or ROLE fields. After the CAGE code has been entered, type in the numbers from the CAPTCHA image and click SUBMIT.

PIEE Location Code

The next screen will show who the Administrator for the CAGE code is and who you will need to contact for account approval. If no Administrator has been linked to the CAGE code, you will need to contact PIEE support (1-866-618-5988) to get that provisioned.

You have now created your account. Once the account registration is approved by the CAGE code administrator, you are ready to submit your score.

Step 7: Submit Your Assessment Score

Now that you have an account, go to the PIEE website and click LOG IN.

PIEE Log In Button

Select the SPRS Icon. Then select NIST SP 800-171 Assessment from the options.


You will need to select the company name at the desired level (BASIC will be the most common unless your company went through an audit conducted by Government personnel). Once selected, click ADD NEW ASSESSMENT from the menu.

PIEE Attach Assessment

Enter assessment details and click SAVE.

PIEE Enter Assessment Details

Next Steps

You have successfully submitted your assessment, meeting the requirements under the DFARS rule, and can now begin working toward your Plan of Action and Milestones (POAM).

If you have not done a NIST 800-171 assessment and do not know your score, we are here to help. Please do not hesitate to reach out with any questions or to talk through a project plan to avoid penalties and remain competitive in the DoD acquisition process.

RESTON, Va.—November 11, 2020—CyberSheath Services International has been awarded two CIO Review recognitions, including the “Most Promising CyberSecurity Consulting & Service for 2020” and “Most Outstanding CMMC MSSP for 2020.”

CIO Review produces an annual list of providers that are at the forefront of providing consulting, services, compliance, and risk solutions to enterprises worldwide. The goal of these awards is to spotlight companies with a proven track record in effectively delivering high-caliber managed technology and compliance solutions, while enabling decision-makers to stay well-informed on industry trends through research and evaluation of the vendor marketplace.

“Amid the continually changing regulations on the U.S. Defense Industrial Base, we help our clients achieve compliance quickly and cost-effectively while optimizing their operations,” said CyberSheath’s CEO and Founder Eric Noonan. “CyberSheath is honored to receive these awards and to be recognized as a leader in our market. And we’re grateful to CIO Review for enabling industry participants to make informed, evidence-based decisions when choosing the technology that is so integral to their business.”

CyberSheath, as a trusted third-party managed service provider, simplifies compliance for its clients in three stages: assess, implement, manage — AIM™. After the initial assessment, CyberSheath understands the client’s compliance requirements and breaks down the reasons behind their noncompliance before moving to implementation. CyberSheath follows a shared responsibility model, owning the gaps and fixing them.

To help stakeholders in the DIB better understand the shifting future of cybersecurity compliance, CyberSheath is holding CMMC Con 2020 on November 18, 2020. Featuring keynote speakers, breakout sessions, a panel discussion with DIB CEOs, and more, the event will bring contractors up to speed on the threats they face, changes to cybersecurity compliance law, and immediate steps they can take toward security and compliance. Registration is now open.

To learn more about CyberSheath and its industry-leading compliance managed services platform, visit



Press Contact:

Kristen Morales

RESTON, Va.—October 29, 2020—CyberSheath Services International today announced that it has been selected to join the Microsoft Intelligent Security Association (MISA) as one of the association’s first CMMC-focused managed security service providers.

“MISA members are cybersecurity industry leaders,” said Eric Noonan, CEO at CyberSheath. “They’re unified by the common goal of helping secure our customers by offering unique and valuable customized expertise and making the association more effective as it becomes more diverse.”

CyberSheath has extensive Microsoft expertise, including professional and managed security services for a wide array of U.S. defense contractors, and was nominated for MISA for their managed security service offerings for Azure Sentinel and Microsoft Defender for Endpoint. CyberSheath uses a Microsoft technology stack fueled by Microsoft Azure Sentinel, the cloud-native Security Information and Event Management (SIEM) solution that quickly identifies security threats across hybrid enterprises.

MISA began as an ecosystem of independent software vendors (ISVs) that integrated their security products with Microsoft’s to better defend against a world of increasing threats. Due to increased demand for a closely interwoven security ecosystem, the association is growing and launching an invitation-only pilot program for select managed security service providers.

“MISA plays a vital role in reducing the cost and complexity of integrating disparate security tools. Adding managed security service providers promises to increase the ecosystem’s value even more by offering an extra layer of threat protection without requiring day-to-day involvement of in-house security teams,” said Andy Shooman, COO at CyberSheath. “It’s another important step in both strengthening and simplifying security at a time when risk mitigation is one of IT’s highest priorities.”

“The Microsoft Intelligent Security Association has grown into a vibrant ecosystem comprised of the most reliable and trusted security software vendors across the globe,” said Rani Lofstrom, Senior Product Marketing Manager, Microsoft Security. “Our members, like CyberSheath, share Microsoft’s commitment to collaboration within the cybersecurity community to improve our customers’ ability to predict, detect, and respond to security threats faster.”



In 2019, the Department of Defense (DoD) officially announced the introduction of a Cybersecurity Maturity Model Certification (CMMC). This unique maturity model is designed to improve the cybersecurity regarding Controlled Unclassified Information (CUI) within supply chains, especially as it applies to the Defense Industrial Base (DIB).

Version 1.0 of the CMMC framework was released in January 2020. By June 2020, CMMC requirements had started to be included in DoD and later GSA Stars contract Requests for Information (RFIs) and Requests for Proposals (RFPs). Think about that for a second: within six months of creating a new model to assess the cybersecurity of defense contractor networks, the language has started appearing in official acquisition documents. The CMMC train has left the station, in a hurry.

CMMC is the latest entry in regulations from a decade long process of public/private partnership between the DoD and DIB. Critically, the DoD is moving away from contractor led self-assessment and reporting to compulsory third-party certification pre-contract award. You will need certification, from an independent third party for future DoD contracts. (See graphic below.)


Who Must Comply?

As of this post, CMMC was still working its way through the rulemaking process for DFARS (Defense Federal Acquisition Regulation Supplement), which is expected to be released in November 2020. That said, if your company provides products being sold to the Department of Defense (DoD), you are required to comply with the minimum cybersecurity standards set by the current DFARS clause 252.204-7012. All DoD contractors that process, store, or transmit Controlled Unclassified Information (CUI) must meet DFARS minimum security standards or risk losing their DoD contracts. DFARS provides a set of adequate security controls to safeguard information systems where contractor data resides. Based on NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations,” manufacturers must implement these security controls through all levels of their supply chain. The silver lining is that CMMC builds on NIST 800-171, so when in doubt that is where you should start, as it is the current legal requirement.

If your DoD contracts do not require you to process, store, or transmit CUI, you must still protect Federal Contract Information (FCI) under Federal Acquisition Regulation (FAR) 52.204-21. Examples of FCI include contract documents, schedules, billing information, etc. The new DFARS clause is expected to combine the cybersecurity requirements from DFARS 252.204-7012 and FAR 52.204-21 into a common framework based on the CMMC model.

Government contractors are now being asked to effectively police their supply chains to address, among other risks, cybersecurity. Supply chain management is now a key element in ensuring a company’s compliance with laws, regulations, and its internal policies, and in identifying risks that could impact a company’s ability to perform, as well as its reputation. The fact that supply chains are global increases the risks and demands on companies.

In fact, they must not simply police their supply chain; they are legally bound to use specific contract language with providers who may interface with CUI, as follows:

DFARS 252.204-7012(m):  “Include this clause, including this paragraph (m), in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information,…”

Key points of this clause:

  1. All third-party providers (TPPs) and Managed Security Service Providers (MSSPs) must be obligated to DFARS if they house, control, process, or maintain CUI.
  2. You are not in compliance with CMMC if your downstream MSSPs / TPPs are not compliant.
  3. You are not compliant if you don’t have contractually compliant language between you and the TPPs / MSSPs.

Navigating the dizzying world of different CMMC solutions can be a daunting task. The recommended solutions and vendor mix can be very hard to understand. Now let’s investigate the key points made above in more detail:

Pivotal question: Does my TPP or MSSP need to be compliant?

All TPPs and MSSPs must be obligated to DFARS if they house, control, process, or maintain CUI. What exactly is CUI? Let’s read on:

I want to repost an excerpt from a blog on CUI by Richard Wakeman of our key business partner Microsoft:

What is Controlled Unclassified Information?
If you have not read the CUI History from the National Archives and Records Administration (NARA), I highly recommend it. It’s a short read, and helpful for context.

To summarize, before the advent of CUI, there was a myriad of autonomous Federal agencies and departments that had each developed its own practices for protecting sensitive information. This non-conformity made it extremely difficult to share information with transparency throughout the Federal government and its stakeholders, such as the Defense Industrial Base (DIB). The CUI program is an ever-evolving initiative to standardize the markings and data protection practices across Federal agencies to facilitate sharing of sensitive information, transcending individual agencies. Ultimately, NARA oversees the CUI Program and is primarily scoped to the Federal executive branch agencies. Major contributors to the program include the DoD, the Department of Energy (DoE), the Department of Homeland Security (DHS), the Department of State (DoS), etc.

NARA defines CUI as: “Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”

Presidential executive orders evolved to a rule published in 2016 called “32 CFR Part 2002 Controlled Unclassified Information”. You can read about it here in the Federal Register. 32 CFR Part 2002 prescribes the CUI Program markings that span many categories and groupings. The groupings consist of everything from Financial and Privacy data, all the way up to Export Controlled and Intelligence data. You can find the list here.
Microsoft Summary CUI Registry

3 Key Questions for your MSSP to indicate CMMC Compliance

Question 1: Is the CUI housed under U.S. sovereignty? Or, put another way: where are all of the vendor’s operations located? Perhaps the simplest form of this question is whether the vendor has any operations located outside of the US.

A key attribute to the US DoD supply chain is understanding where their supply chain is located, and whether the location may provide some risk to the DoD supply chain.  U.S. companies that do business abroad or handle overseas data will now have to comply with a host of new cybersecurity rules after China became the latest country to impose regulations on firms operating there.

This follows hot on the heels of the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which came into force in the U.S. in March 2018, and the European Union’s (EU) General Data Protection Regulation (GDPR), introduced two months later.

The implementation of these new protocols is driven by the recent surge in cyberattacks and, in the case of China, greater protectionism, exacerbated by the U.S. trade war, as the world becomes more divided. Regardless, many cybersecurity firms maintain global operations and software maintenance stations in unassuming regions of the world, and this must be understood before you select your vendor.


Question 2:  Like Amazon Web Services, Microsoft and Google, do you separate out your government CUI customers from the infrastructure of all of your other customers? Does your provider know how to make the infrastructure comply with the various forms of CUI?

Here is the issue with mixed tenants in cloud environments and the protection of CUI, as stated on Microsoft’s blog:

“Microsoft has prescribed the US Sovereign Cloud with Azure Government and Microsoft 365 GCC High to protect CUI and CDI consistently.  Our rationale is that CUI does include ITAR regulated data, and the DoD requires DFARS 7012 to protect it.  We only accommodate that contractually across Azure, Office 365, and Dynamics 365 in the US Sovereign Cloud.  It’s that simple.  It’s true that you may demonstrate compliance for CUI in our Commercial or GCC cloud offerings, but you will not get a contractual obligation from Microsoft to protect an aggregate of CUI anywhere else other than in the US Sovereign Cloud.  It will be your sole responsibility to prove and maintain compliance for it in other clouds.”


Question 3: Have you placed the DFARS-compliant verbiage on CUI into the contract with the MSSP / TPP? Was this standard verbiage in their contracts, or non-standard?

I believe this is self-explanatory; however, to make this point very clear, let’s look at the prescribing law:

DAU Related Policies Cloud Computing

For many organizations, their technology and the corresponding data are among their most valued assets. An organization’s CMMC / CUI Cybersecurity Program is an ever-evolving initiative that attempts to standardize security and data protection practices across supply chains, including third-party providers and managed security service providers. If your TPP or MSSP cannot meet the full requirements of CMMC certification, it is unlikely that you will be able to successfully complete a CMMC certification assessment. When choosing TPPs or MSSPs, choose wisely; your DoD revenue may depend on it.

Looking for an MSSP to partner with on your journey to CMMC preparation?

Join CyberSheath’s Eric Noonan, CEO, and Carl Herberger, VP of Security Services, as they dive into CyberSheath’s CMMC Managed Services for Defense Contractors using the Microsoft technology stack during our upcoming webinar on September 30, 2020, at 9:00 am | 12:00 pm EST.


Current Compliance Landscape

Deputy Defense Secretary Patrick Shanahan spoke at the Armed Forces Communications and Electronics Association (AFCEA) on Feb 6, 2018, and said, “The culture we need to get to [around IT security] is that we’re going to defend ourselves and that we want the bar to be so high that it becomes a condition of doing business.” Fast forward two years and we are on the cusp of one of the largest changes to DoD acquisition ever, with mandatory minimums for cybersecurity across all DoD contracts.

For commercial firms providing services to the U.S. defense industry, the challenge that is cybersecurity has been growing for years, but largely without any oversight from the DoD. Defense budgets and the use of contractors have grown in parallel with the storing of important, yet unclassified, information on commercial defense contractor networks. This exposure, Controlled Unclassified Information (CUI) resident on unregulated and often under-secured contractor networks across the DoD supply chain, has become a risk that the DoD must address.

The Defense Industry has always worried about security around products and services.  However, the business systems and IT infrastructure that supported those defense contractors were not monitored or significantly regulated by the US Government although vulnerable to attack.  The Pentagon has acknowledged an urgent need to tighten cybersecurity across its vast contracting operations and hold contractors accountable for minimum standards of care around cybersecurity.  Indeed, the requirements to protect data have been expanding for more than a decade and the Federal Acquisition Regulation (FAR) and the General Services Acquisition Regulation (GSAR) are expected to add data protection requirements in 2020.  In truth, the new Cybersecurity Maturity Model Certification (CMMC) and the ambitious effort to secure the DoD supply chain has been underway for many years now (see chart below).


Overview of CMMC

The Cybersecurity Maturity Model Certification (CMMC) program will serve as a method of verifying that appropriate levels of cybersecurity controls and processes meet a specific standard and are in place to protect controlled unclassified information that may be held on the DoD’s industry partners’ networks.

The CMMC program builds on another US government acquisition regulation, DFARS Clause 252.204-7012, which requires the implementation of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, as the standard for defense contractors handling CUI data. As such, compliance with NIST 800-171 has been essential for winning and sustaining contracts since 2017, but the lack of oversight and auditing has led to many self-certified contractors that might not stand up to the scrutiny of a third-party audit. Because CMMC is at its foundation based on DFARS Clause 252.204-7012 and NIST SP 800-171, it’s important to understand these two separate but related requirements.

Understanding DFARS Clause


CMMC, when finalized and fully mature, will require independent validation of compliance by a CMMC Third-Party Assessor Organization (C3PAO). This is a significant change from DFARS Clause 252.204-7012 which allowed for self-certification and could upend a largely unprepared supply chain that has taken advantage of lax oversight and enforcement.

CMMC is broken down into five compliance levels, and a company will need to be certified at the required level to be awarded a DoD contract. The levels (see below) represent increasing, demonstrable degrees of cybersecurity maturity; the higher the level a defense contractor is certified at, the more services it is eligible to provide to the DoD.

CMMC Level Requirements

Your Current Managed Security Service Provider (MSSP) Probably Isn’t Doing Enough For CMMC

Most small business defense contractors do not separate IT from cybersecurity and often the IT work takes priority, not cybersecurity or compliance. Small businesses with one or two IT staff members who are already oversubscribed have no chance of ingesting CMMC and achieving compliance without the help of a Managed CMMC Service. Maintaining the security and compliance programs required by the government is now a full-time job and failure to do so will prevent your company from doing business with the DoD.  No matter how qualified or knowledgeable, a small team simply does not have time or the breadth of skills to architect, administer, and manage their environments in alignment with CMMC requirements. You cannot do it alone.

Over the last decade, many businesses have outsourced their security and/or compliance requirements through a Managed Security Service Provider (MSSP). Effectively, MSSPs take care of the security requirements and allow a business to focus on its core competencies. Few if any MSSPs have any real skin in the game when it comes to compliance. Read their statement of work and it is lightly mentioned, if at all, and there are caveats galore around why they are not responsible or accountable in any meaningful way. In many cases, MSSPs introduce their own set of issues, vulnerabilities, and compliance headaches because the MSSP is not properly equipped to manage data and processes in a manner aligned with CMMC requirements. With the MSSP handling almost every piece of security and monitoring but never documenting and attesting compliance with CMMC, the current MSSP model falls short of CMMC requirements.

Investing in CMMC compliance (which includes compliance with DFARS 7012 and NIST 800-171) is a big effort because it now includes line-of-business systems, including finance, personnel, and IT vulnerability information. While MSSPs are valuable partners who reduce overhead costs and enable businesses to stay focused on their core mission, it is important to remember that MSSPs will have access to documents, CUI, and data including passwords, access codes, and vulnerability information about your IT environment. Because MSSPs have this kind of sensitive data in their possession, it is critical that they make the same investment in NIST 800-171 to ensure that you stay compliant and properly manage CUI and the security of your IT environment. Again, most MSSPs have very little if anything in their statements of work regarding compliance, so small businesses are left with a false sense of security around achieving CMMC compliance.

Without clear lines of responsibilities between the owner of compliance and the business and IT operations of the host company, the failure of a compliance audit is inevitable.

That is the bad news, now for the good news.

CyberSheath’s Managed CMMC Service

In response to the new federal requirements and an ever-changing landscape, CyberSheath has created a whole new set of Managed Services to allow any business to achieve whatever CMMC compliance level it requires. Unlike every other MSSP in the market today, our CMMC service offerings are an evolution of our successful legacy NIST 800-171 Managed Services. Said another way, we aren’t new to this space, and we have been through dozens of successful third-party audits over the past five-plus years.

We offer 5 different levels of assured compliance for you to choose from based on your business requirements. To date, 100% of our customers are focused on CMMC Maturity Level (ML) 3 as it so closely aligns with the NIST 800-171 requirements.

First Step:

  • We meet your business where it is today. We will gain visibility of your desired CMMC ML and any gaps in processes, documentation, practices, or technology.
  • Gain current and ongoing visibility into NIST 800-171 / CMMC via professional certified assessments and remediation plans.

Second Step – Select Hosted Compliance Level(s):

  • Level 1: Become compliant with CMMC ML1 over your entire infrastructure within weeks.
  • Level 2: Work with a virtual security officer and get assistance with ongoing compliance program oversight and routine reporting.
  • Level 3: Quickly gain the ability to achieve compliance and bid on CMMC ML3 contracts with our cloud-based guaranteed compliance offering.
  • Level 4 or Level 5: Leverage our expertise as we maintain the rigorous program, technology, engineering, and implementation required for the most robust security standards.
  • Beyond:
    • Future-proof your compliance to changes in CMMC policy or implementation approaches by assigning ongoing program maintenance to CyberSheath.
    • High Cloud infrastructure in a hosted compliant process.

Third Step: We manage your compliance as an outsourced compliance program, inclusive of an MSSP.

CyberSheath’s CMMC Shared Security Model is the Answer to CMMC Compliance for Small Businesses

Whether it be a public, private, or hybrid architecture, businesses must take responsibility for ensuring that their data is secure. With limited resources and no time to become a CMMC expert, the solution to the problem is clearly a shared responsibility model. CyberSheath has successfully implemented and been audited against our shared responsibility model many times over the last five-plus years so our solution is tested and audit-ready. Our tailored responsibility matrix eliminates single points of failure and ensures that all required security requirements have an owner and produce the required documentation and evidence. The shared responsibility model reduces the day-to-day operational demands on your business and ensures documented, repeatable, and audit-ready compliance.

With government revenues on the line, it is crucial to determine who controls the various components of the CMMC compliant infrastructure and operations. CyberSheath defines where and how security measures should be applied, with a special focus on CUI and other sensitive government data.

CyberSheath differentiates itself by taking ownership of assured CMMC compliance and it is a contractual requirement that we put right into our statements of work. This cannot be done in isolation and requires shared and distinct responsibilities on both sides of the partnership which tend to be specific to each company.  CyberSheath offers a ‘single-pane-of-glass’ to gain visibility into CMMC compliance, continuous security monitoring, and various important datasets, analytics, and user interfaces in one place. Our CMMC management platform is built around Microsoft Azure’s FedRAMP GCC High environment which ensures infrastructure capabilities that can detect and remedy security misconfigurations, leveraging services to ensure near-real-time compliance features.

Why CyberSheath?

CyberSheath has leveraged and lived this Shared Responsibility Model for NIST 800-171 successfully for many years now, and expects that it will be a fundamental part of CMMC attestation and MSSP partnerships going forward. The experts at CyberSheath understand your challenges – and we can help. Contact us to make sure your CMMC readiness gets – and stays – on track.

CyberSheath has attended multiple listening sessions and events with DoD leadership revealing more information regarding the DoD Cybersecurity Maturity Model Certification (CMMC).  I want to expand on our previous blog with the additional details and actionable plans on what DoD contractors need to do to prepare for the changes.

What We Understand about CMMC so Far

CMMC stands for “Cybersecurity Maturity Model Certification” and will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in Request for Proposals (RFP) sections L and M, to be used as a “go / no go decision.” This means that instead of being able to bid on and win a contract and then comply post-award with cybersecurity requirements, DoD contractors will have to be certified to the CMMC level required in advance, pre-bid, to even be eligible to bid. DoD will determine the appropriate tier (i.e. not everything requires the highest level) for the contracts it administers, and the required CMMC level will be contained in sections L & M of the RFP, making cybersecurity an “allowable cost” in DoD contracts. CMMC level requirements will begin appearing in DoD RFPs as soon as fall 2020, and Version 1.0 of the CMMC framework will be available January 2020 to support training requirements. In June 2020, the industry should begin to see the CMMC requirements as part of Requests for Information. DoD contractors are expected to begin achieving certification sometime after June 2020. That is less than 12 months away, so if you have not started implementing the NIST 800-171 security requirements, you had better get moving.

How to Best Prepare for CMMC and Stay Eligible for DoD Contracts

All companies conducting business with the DoD must be certified. The level of certification required depends upon the Controlled Unclassified Information (CUI) a company handles or processes. The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes. If you have worked to implement NIST 800-171, your hard work will not go to waste. Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity and does not allow for self-certification. There will be no CMMC self-certification, instead, DoD contractors will coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule your CMMC assessment.

Everything You Should Do to Effectively Prepare for Certification

All the information shared to date on CMMC maturity levels aligns with the implementation of the 110 security requirements of NIST 800-171. The DoD is building on and strengthening, not abandoning, NIST 800-171. While the specific maturity levels for individual contracts have not been determined, it is understood that implementing the NIST 800-171 security requirements is the best way to prepare for CMMC. Meeting your existing contractual requirements around DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and NIST 800-171 implementation is how you prepare for CMMC.

Implementing the NIST 800-171 requirements includes writing a System Security Plan (SSP) and with 110 security requirements, you can expect to be out of compliance with some number of those individual requirements. For requirements not yet implemented you will need to also document Plans of Action & Milestones (POA&Ms). The heavy lifting is in implementing the security requirements as you prepare for CMMC and controls like Multi-Factor Authentication and Incident Response which require time to fully implement. DoD contractors, subcontractors and vendors taking a wait and see approach to CMMC are ignoring the last decade of clear warning signs that security has become the foundation of acquisition. Act now!

5 Steps to CMMC Preparation

Download our 5 Step Guide to CMMC Preparation to plan and enable certification as a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan you can follow to prepare for CMMC in a way that fits your business and budget.


When shopping for a Managed Security Services Provider (MSSP), there are plenty of checklists that you can download to help funnel you right to that vendor’s particular product. This isn’t that blog post, although at some point I am sure we have published one too. While checklists are helpful in narrowing down the capabilities and tools that you want to add to your probably already too big portfolio of tools, the focus should really be on the services that you will be adding to your existing team.

Candidly, the capabilities are generally similar across MSSPs and cover some kind of SIEM platform, monitoring, incident response (IR), vulnerability management (VM) and a number of other competencies that are bundled into a managed service offering. They are bundled in part because these are what the vast majority of businesses lack and need, but also because the bundling enables sales, at scale, for product vendors and MSSPs. It’s been our experience that the material difference from one product vendor or MSSP to the next, in your favorite version of a Magic Quadrant, covers features and capabilities that don’t ultimately make your business more secure or compliant. Often, it’s a distinction without a difference, especially for a security program that is still struggling with the blocking and tackling of cybersecurity: patching, asset management, and incident response. So, beyond checklists, “threat hunting” and “advanced intelligence platforms”, where should your business focus when trying to make a mid- to long-term commitment with your first or a new MSSP?

Where Should Your Business Focus When Deciding on an MSSP?

Start with service, as in the service your business specifically needs to extract value from the MSSP relationship. The services your business needs are, in fact, unique to your business. If they weren’t, you could pick the first Google Ads result that comes up (which isn’t the best MSSP for your business, just the best MSSP at creating Google AdWords campaigns on any given day). Instead of analysis that is overly focused on the most advanced capabilities and toolsets, it will pay dividends to meet with a potential MSSP and align their offering with your business requirements. Selecting an MSSP is a business decision, even if the vendor marketing is geared towards making it a technology decision. For example, if you are in a highly regulated industry like Defense Contracting, and NIST 800-171 compliance is fundamental to your ability to win business, your MSSP should have core expertise in delivering on these security requirements. The technology (SIEM, VM, IR, etc.) is a given, but the ability of your MSSP to enable documented, automated and auditable compliance with your customer requirements isn’t. Ultimately, the MSSP you choose in this scenario should make compliance a natural outcome of day-to-day security operations, so that over time you can focus more resources on actual defense. What does this look like in practice?

Achieving Compliance as a Natural Outcome of Day-to-Day Security Operations

For most businesses, it doesn’t look like a laundry list of acronyms and industry jargon about threat intelligence and advanced threat hunting capabilities. It looks like an integrated team, your internal staff (to the extent you have one) and that of your MSSP, working together on a weekly basis to deliver measurable outcomes over time. The tools leveraged by your MSSP can produce beautiful charts and endless trends but the critical questions to answer relate to outcomes achieved. It’s nice that an MSSP can tell you the top 10 vulnerabilities in your environment, but the outcome you should be focused on is remediating those vulnerabilities. If your team is too busy to patch or otherwise remediate the “top 10 vulnerabilities”, you just end up with a pretty graphic that doesn’t make you more secure or compliant.

To drive outcomes, instead of charts and trendlines, you must have a regular cadence of meetings with your MSSP focused on the things that matter most at any given point in time to your business. Ideally, these meetings are weekly and are more aligned with the initiatives underway within IT and Security and not just focused on the tools that the MSSP brought to the party. In our experience, the MSSP relationship is a combination of managed services and staff augmentation. Staying with the same example of NIST 800-171 compliance, if you are struggling to implement all 110 security requirements then drive your MSSP to help at a minimum, but ideally lead the efforts. Eliminate redundant meetings for your already oversubscribed team by incorporating your compliance and operational project management meetings into your weekly MSSP meetings. Create an integrated project plan with specific accountabilities for your team and the MSSP. Your MSSP should be working on your agenda and not driving theirs. If implementing Multi-Factor Authentication or Privileged Account Management is an internal priority for your business, a great MSSP will make it a priority for their business.

Partnering with the Right MSSP for Your Business

None of this is easy, but nothing worth doing ever is. Contractually, it’s hard to create this kind of defined yet flexible arrangement, and it generally requires an acceptance that outside of the core service offerings there will be a shifting list of priorities that you are going to rely on your MSSP to tackle. Not every MSSP is going to have the staff or program management skills to partner this way. If you have had a series of successful engagements and measurable outcomes with a professional services partner that knows your people, processes, and technologies but doesn’t show up on the “Top MSSP” list of the day, weight your personal experience over the pay-to-play marketing that dominates our industry.

To better understand what it means to contract for Managed Security Services that matter and what that experience can look like for your business, schedule a 30-minute introductory call with CyberSheath today and start your journey by focusing on outcomes instead of checklists.


Every day, hackers and thieves are becoming more sophisticated, daring, and aggressive in their attempts to turn stolen data into substantial paydays. And with criminal entities regularly on the prowl for cyber weaknesses to exploit, it’s no wonder that the number of data breaches is growing at a record pace. Partially in response to this rise in cyber attacks, Ohio Attorney General Mike DeWine’s CyberOhio Initiative has introduced The Data Protection Act, signed into law by Governor John Kasich on August 3rd 2018.

Whereas most of the preceding cybersecurity legislation has sought to motivate businesses with punitive and disciplinary action, the DPA is looking to take a new approach by giving companies a positive and confident push forward towards a more secure future.

The first law of its kind in the nation to provide an affirmative legal defense, the DPA is an absolute boon to any company involved in the handling of sensitive data. Beneficial for all involved, it’s designed to inspire a proactive approach to cybersecurity to make the exchange of sensitive information safer and more comfortable for everyone.

The law incentivizes businesses to further protect themselves against cybersecurity risks by providing legal protection to those who deal with personal information in case of a breach, provided that they comply with a designated cybersecurity framework.

A Safe Harbor

Fairly or not, people affected by data breaches often look for a scapegoat. In many cases, they end up trying to hold the breached company liable for losses or damages they’ve incurred.

With even the smallest attack leaving a business vulnerable to serious legal consequences, this bill represents a valuable tool for those looking to limit their liability. Although it doesn’t provide immunity to your company if you comply, it does afford you a ‘safe harbor’ against tort claims that failed cybersecurity measures resulted in the data breach.

Both businesses and consumers should be set to benefit from this development as companies become more motivated to up their game and meet industry standards for cybersecurity.

How to Comply

As of November 2nd, 2018, your business can trigger the ‘safe harbor’ provided that you adopt a cybersecurity program designed to:

  • Protect the security and confidentiality of personal information;
  • Protect against any anticipated threats or hazards to the security or integrity of the personal information; and
  • Protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud.

Since no two companies are alike, the law does acknowledge that the above guidelines are not meant to be a one-size-fits-all approach to cybersecurity. An effective program will have to be scaled to match:

  • The size, complexity, and nature of your business and its activities;
  • The level of sensitivity of the personal information your business possesses;
  • The cost and availability of tools to improve your security and reduce vulnerabilities; and
  • The resources your business has at its disposal to expand on cybersecurity.

Further guidance also advises businesses to ‘reasonably conform’ to one of the following industry-recognized frameworks:

  • The National Institute of Standards and Technology’s (NIST) Cybersecurity Frameworks;
  • NIST Special Publication 800-171, or Publications 800-53 and 800-53a;
  • The Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework;
  • The International Organization for Standardization (ISO)/International Electrotechnical Commission’s (IEC) 27000 Family – Information Security Management Systems Standards;
  • Center for Internet Security’s Critical Security Controls for Effective Cyber Defense;
  • The Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) for healthcare industry businesses subject to HIPAA oversight;
  • The Federal Information Security Modernization Act of 2014 (P.L. 113-283); and
  • The Safeguards Rule of the Gramm-Leach-Bliley Act, for certain financial institutions.

If you accept card payments, you’ll also have to comply with the Payment Card Industry’s Data Security Standards (PCI-DSS).

Challenges Ahead

Although guidelines have been provided, demonstrating full compliance may prove challenging since many of the specified frameworks lack standard certification processes.

Also, since some data security laws have more flexible requirements than others, questions remain over how to demonstrate complete conformity, or which aspects to comply with to ensure the best legal defense. For this reason, when attempting to implement frameworks, it’s a wise move to consult with cybersecurity experts like CyberSheath.

Our Managed Services enable compliance with the Ohio DPA to ensure comprehensive, framework-based compliance. We’ll guide you through the process from assessment through remediation, integrating your existing people, processes, and technologies with your chosen frameworks.

A Win-win for Your Business and Your Customers

Not only will CyberSheath’s managed services help you to achieve full compliance and reduce your legal liability, but you’ll also see a demonstrable improvement to your day-to-day operational security — a true win-win for your business and your customers.


Cybersecurity at small and mid-sized businesses is often under-resourced, with an “Army of One” approach to compliance and risk management. Compliance with regulatory requirements like DFARS 252.204-7012, HIPAA, PCI DSS, NERC CIP, Sarbanes-Oxley (SOX) and more competes with actual cyber defense efforts to monitor, detect and respond to threats. Doing what you have always done, buying more products and surviving audits, isn’t effective and doesn’t scale. There is a better way, and its effectiveness can be measured with contractual Service Level Agreements (SLAs) that enable cybersecurity to be a force multiplier for your business.

Instead of hiring FTEs and deploying one-off, point-solution products that don’t integrate with existing investments, consider Managed Security Services that deliver:

  • Cloud-based security monitoring platform in one unified solution
  • Integrated security information and event management (SIEM) and log management
  • Asset discovery
  • Vulnerability assessment
  • Intrusion detection
  • Behavioral monitoring
  • Threat intelligence
  • Privileged account management
  • Automated and simplified regulatory compliance management

Just think about your infrastructure today. How many tools and products do you have spread across too few engineers without enough time to deploy, monitor and manage them? Do you feel like a SIEM solution is a luxury that a business your size can’t afford? Small and mid-sized businesses often have to make tough choices between resource allocation, and a SIEM solution rarely makes the cut because of cost and complexity. The irony is that a SIEM solution is a foundational investment that improves your ability to allocate resources, meet compliance requirements and defend your infrastructure. Coupled with Managed Security Services, the return on investment (ROI) for your business is measurable in a variety of ways.

Our partner, AlienVault, commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study that detailed the potential ROI organizations can realize by deploying the AlienVault Unified Security Management ® (USM) platform. The results aligned with our experience delivering managed services in the defense, financial, healthcare, technology and manufacturing industries. Here is what Forrester Consulting found:

Simplified compliance reporting for companies, resulting in nearly 6,000 hours of time-savings each year. Prior to adopting AlienVault USM Anywhere, key pieces of information had to be pulled from many different systems and consolidated into reports for the auditor. This process took nearly four months, but with AlienVault, onsite audits could be completed in one week as the compliance information and reports were readily available in real-time. This resulted in approximately 2,000 hours of time savings per audit and, on average, three audits were being held each year.

AlienVault USM Anywhere reduces the cost of incidents by improving threat detection and incident response time by 80%. Based on a 2017 study conducted by the Ponemon Institute, the probability that an organization will experience a breach greater than 1,000 records is 14%. However, with the deployment of USM Anywhere, the time to detect incidents was dramatically reduced, helping organizations identify and respond to attacks much faster. With 80% faster detection and response time, the impact and probability of a breach could be reduced.

An 80% security operations staff productivity improvement. Prior to adopting AlienVault solutions, organizations didn’t dedicate much time to daily monitoring tasks. On average, two to three investigations arose each week, which took the combined effort of two dedicated resources. After the deployment of AlienVault’s USM Anywhere platform, the security operations team was able to monitor and detect issues in real-time. This reduced the manual effort involved in investigative activities by 80% and allowed the resources to focus their time on more value-added tasks. “We are still responsible for monitoring alerts and logging, but it’s gone from hours per day to minutes. It allows us to focus on things like serving our customers, writing new code, and ultimately bringing more business in the door.”

Threat intelligence saves time and money. With AlienVault Labs threat intelligence, organizations no longer have to dedicate resources to sifting through multiple sources of information and bulletins to keep up with the latest intelligence. Now they can rely on the AlienVault Labs Security Research Team for continuous updates to threat correlation rules and directives. With the added benefit of not having to pay for an alternative threat intelligence subscription, the overall annual cost savings for the composite organization resulted in more than $40,000 per year.

The data from the study was clear: managed services save time and money by enabling more effective regulatory compliance and risk management. You probably already know intuitively that managed security services will be a game-changer for your organization, and the data from the study only strengthens that opinion. That said, there are at least two challenges that businesses often struggle with before moving forward:

  1. Senior management doesn’t want to spend the money, I don’t care what your fancy study says.
  2. Managed Security Services Providers are like gas stations, there’s one on every corner and they all sell the same thing.

Getting past both barriers requires the same thing: selecting a Managed Security Services Provider that can push past them before you have spent any money. You will know you have selected the right partner when they invest the time upfront to show specifically how their services benefit your business. Candidly, management is right. Nobody cares what a vendor study says might happen at your business based on possibility. Your potential MSSP should be spending time documenting and demonstrating how their services will reduce risk and simplify compliance at your business. You will quickly be able to differentiate MSSPs offering canned reporting and push-button threat detection from those with teams whose experience spans CISO through operations analyst. You are buying a service, and that service should come with real people who can document and articulate the MSSP’s value specific to your business before you spend any money. Whether that takes two weeks or six months, you will know you have the right MSSP when they invest the time pre-sales to detail the value to your business.

Managed security services are the answer to your small and mid-sized business cybersecurity needs and selecting the right partner will be a force multiplier for your business.

Contact us today to learn how to save time and money with CyberSheath Managed Security Services.

Thanks to the increasingly sophisticated and aggressive cybersecurity threats facing the U.S., there has been much focus recently on reinforcing the nation’s cybersecurity. Much of this effort has revolved around strengthening the Department of Defense (DoD) supply chain.

Through the Defense Federal Acquisition Regulation Supplement (DFARS), the DoD requires its contractors to comply with specific security frameworks in pursuit of this goal. Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is the latest mandatory addition.

Under the Clause, contractors that store, process or transmit Covered Defense Information (CDI) must implement the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171), which lays out the security requirements for protecting controlled unclassified information on contractor systems. The incident reporting obligations come from the Clause itself rather than from NIST SP 800-171.

NIST SP 800-171 requires you, as a defense contractor, to document how you have met its requirements. Two of them define the documents the DoD will ask to see:

• Security requirement 3.12.4 requires the contractor to develop, document, and periodically update System Security Plans (SSPs) that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
• Security requirement 3.12.2 requires the contractor to develop and implement Plans of Action and Milestones (POA&Ms) designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.

Read more about implementing SSPs and POAs.

Under the Clause, DoD contractors must be able to demonstrate their compliance with NIST SP 800-171 to the U.S. Government, and the contracting officer may require the SSP and POA&Ms to be submitted for review. However, the Clause goes beyond NIST SP 800-171 and sets out additional rules for the protection of CDI.

Supply Chain Management

DFARS Clause 252.204-7012 requires you, as a contractor, to take an active role in the protection of CDI. Not only must you demonstrate compliance within your own business, but in order to strengthen the entire supply chain, you must flow the Clause down to subcontractors whose work involves CDI or operationally critical support and ensure that they comply, too.

Subcontractors must notify you (or the next higher-tier subcontractor) whenever they ask the contracting officer to vary from a NIST SP 800-171 requirement, and any alternative but equally effective security measure must be approved in writing by the DoD CIO before you share CDI with that subcontractor.

Reporting Cybersecurity Incidents

The Clause defines a cyber incident as actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing on it, whether that system is yours or a subcontractor’s.

In the event of a cyber incident affecting CDI or your ability to provide operationally critical support, your responsibility under DFARS Clause 252.204-7012 is to rapidly report it to the DoD, which means within 72 hours of discovery, through the DIBNet portal (which requires a DoD-approved medium assurance certificate). You must then preserve and protect images of all known affected systems and all relevant monitoring and packet-capture data for at least 90 days from the date of the report so the DoD can request them, submit any malicious software you isolate to the DoD Cyber Crime Center (DC3), and review your systems for evidence of compromise, including identifying other systems that may have been affected and the steps you will take to prevent a recurrence.

If a subcontractor experiences a cyber incident, it must report directly to the DoD and also notify you (or the next higher-tier subcontractor), providing the DoD-assigned incident report number. As the prime contractor, you remain responsible for ensuring the flow-down obligations were met and for providing whatever the DoD requests of you, as detailed above.

Cloud Service Provision

If you operate cloud services on behalf of the DoD as part of your contract, DFARS requires you to implement the safeguards set forth in the DoD Cloud Computing Security Requirements Guide (SRG), unless waived by the DoD Chief Information Officer. If you use a third-party cloud service to store, process or transmit CDI, you must ensure that the provider meets security requirements equivalent to the FedRAMP Moderate baseline and complies with the Clause’s incident reporting, malware submission, media preservation and damage assessment requirements.

Don’t Know Where to Start?

A quick look at documents like the above and it’s clear to see why some contractors are still struggling with compliance long after the December 31st, 2017 deadline has passed. It truly is a daunting task bringing your business into line with these extensive regulations, especially when the stakes are so high.

That’s where a Managed Services expert like CyberSheath comes in. We’ve helped defense contractors large and small to achieve comprehensive DFARS and NIST compliance.

Put Your Cybersecurity Compliance in Expert Hands

We’ll take the stress and the guesswork out of compliance by handling every step of the journey, from assessment and gap identification to the development of robust System Security Plans and Plans of Action. And because we’re always monitoring the evolution of DoD frameworks, we’ll continue to update your plans in line with regulatory changes to guarantee ongoing compliance.

Let CyberSheath help you to protect your valuable DoD contracts and remain competitive in the defense supply chain. Contact us now for a no-obligation discussion to find out how.



Good hygiene habits are drilled into us from a young age, and for good reason! Neglect to wash your hands, take a shower, use deodorant, or brush your teeth, and you could find yourself friendless, dateless, and quite possibly sick.

While they probably won’t stop you getting a date, bad cyber hygiene habits can be just as harmful to your company’s health. They leave you, your clients, and your customers vulnerable to a host of threats, including hackers, viruses, data theft, and data loss. Ultimately, they can damage your reputation beyond repair and even land you in serious financial and legal trouble.

What is Good Cyber Hygiene?

You’ve presumably mastered the art of personal hygiene by now! But what does good cyber hygiene look like? First, let’s look at exactly why it’s necessary. There are two key reasons: performance and security.

Just like brushing and flossing every day keeps your teeth in optimum condition, good cyber hygiene keeps your IT systems working at peak performance. When your systems are functioning at their best, you’ll save valuable resources and deliver a great customer/client experience to boot. And more importantly, regular maintenance will help you to spot and close security gaps before they can be exploited.

Security threats like hacking, viruses, malware, spyware, and data theft are becoming more sophisticated by the day, and they have the potential to bring your business to its knees. Just as you can ward off illness and stay healthy with good personal hygiene, you can stay ahead of threats and minimize their impact on your business with solid cyber hygiene routines.

Now let’s talk about what these cyber hygiene routines look like in practice…

The 12-Step Program

At CyberSheath, we recommend a thorough 12-step routine for impeccable cyber hygiene. To be truly effective, this routine should be:

• Part of an official company security policy.
• Built into your organizational culture.
• Universally adopted across your business.

Why is this necessary? Well, you’re only as strong as your weakest link. It only takes one careless employee to leave your entire business vulnerable to malfunction or attack. By formalizing your routine, promoting a ‘security first’ culture, and encouraging widespread compliance, you’re sending a clear message that lapses are not an option.

The program begins with a fundamental step…

1. Take an inventory

In order to properly protect your assets, you first need to document them. The most efficient way to do this is to group them into three categories:

Hardware, such as computers, printers, scanners, smartphones, and tablets.
Software programs installed on your devices, such as web browsers or messaging systems.
Remotely hosted applications like cloud-based storage drives or smartphone apps.

Next, create an inventory of your assets under each of these categories and make a record of details like installation date, license expiry date, version number, date last used, and authorized users. This information will help you to identify security vulnerabilities, such as outdated software or unrestricted equipment usage.

2. Implement secure password practices

Password security is one of the easiest ways to practice cyber hygiene, but it’s also one of the most neglected. You’d be amazed just how much sensitive data is ‘protected’ with weak passwords such as… well, ‘password’!

Today’s computers, smartphones, and tablets come with security options ranging from text passwords and PINs to biometrics (fingerprint and face or iris recognition), so there’s simply no excuse for leaving your devices unprotected. The same applies to software and online applications, particularly those that are mission-critical or contain highly sensitive data.

The best passwords are long, unique to each account, and unrelated to identifiable information like names, birthdays, or employee numbers. Current NIST guidance (SP 800-63B) favors length and screening against lists of known-breached passwords over forced mixes of numbers, letters, and symbols, which mostly produce predictable variations of ‘Password1!’. Nobody can memorize dozens of long, unique passwords, so issue a password manager rather than tolerating reuse or sticky notes, and never allow sharing. In fact, it’s good practice to incorporate a ‘no-sharing’ rule into your company’s formal code of conduct.

A final note on password security: encourage your team to log out of software, apps, and devices when not in use, especially if they’re leaving their desks.

3. Use multi-factor authentication

For particularly sensitive devices, programs, or applications, and at a minimum for email, remote access, and administrative accounts, multi-factor authentication (often called two-factor or two-step) adds an extra layer of security.

After the user has entered their password, they’re typically required to enter a one-time code from an authenticator app or hardware token, approve a push notification, or submit biometric information like a fingerprint in order to gain access. That means that, even if somebody does manage to obtain the user’s password, they still can’t access their accounts. Not all second factors are equal: ‘security questions’ are guessable or searchable and SMS codes can be intercepted through SIM swapping, so prefer authenticator apps or hardware keys where you can.

One scheme to avoid: asking the user for selected characters of a memorized secret (‘enter the 2nd, 5th and 7th characters of your code’). It feels safer against shoulder-surfing, but it forces the server to store the secret in recoverable form rather than as a salted hash, so a database compromise exposes every user’s code at once. Time-based one-time codes avoid this, because each code is valid for a single short window and cannot be replayed.
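As an added example, not code from the page or from CyberSheath, the following shows how the one-time codes produced by an authenticator app are generated and verified (RFC 4226 HOTP and RFC 6238 TOTP). The verifier tolerates a little clock drift, compares codes in constant time, and refuses to accept a counter it has already accepted, so a code captured by a phishing page cannot be replayed after the legitimate user has used it. The shared secret below is the RFC test-vector secret, used here only so the behaviour can be checked; a real deployment generates a random secret per user.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
# Assumption for the example only; never reuse a fixed secret in production.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret that authenticator apps accept (padding optional)."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) followed by dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, for_time // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, now: int, last_used_counter: int,
                window: int = 1, step: int = 30, digits: int = 6):
    """Check a submitted code.

    Accepts the current time step and `window` steps either side of it to
    tolerate clock drift. Returns (ok, counter_to_store). Any counter at or
    below `last_used_counter` is rejected even if the digits match, so an
    observed code cannot be replayed; the caller persists the returned counter
    per user after a successful login.
    """
    current = now // step
    for offset in range(-window, window + 1):
        counter = current + offset
        if counter <= last_used_counter:
            continue                                # already consumed: replay
        expected = hotp(secret, counter, digits)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    # Enrolment would display RFC_SECRET_B32 (or a QR code) to the user's app;
    # this prints the code the app would show right now.
    print("current code:", totp(secret_from_base32(RFC_SECRET_B32), int(time.time())))
```

Storing `last_used_counter` per user is the part most home-grown implementations skip; without it a stolen code remains valid for the whole acceptance window, and widening `window` to cover badly drifted clocks makes that exposure worse.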

4. Keep up with software updates

We’re all guilty of ignoring those software update notifications when we’re in the middle of an important task. However, it’s essential to pay attention to these updates for several reasons.

Not only do updates increase the performance, functionality, and efficiency of your software, they usually include ‘fixes’ for security issues that have been identified after launch. If you fail to keep your software updated, you might find yourself missing out on great new features at best, and exposing yourself to serious security breaches at worst.

Another problem is that software developers often phase out support for previous versions of their software. In the same way that Apple will no longer help you with an iPhone 5, you may find that your developer will no longer be able to fix issues in software that’s five versions behind the most current one. If your essential software packs up and the developer can’t help you, where does that leave your business?

For peace of mind, resist the urge to snooze your update notifications, or better, turn on automatic updates. Note that some malware disables automatic updating, so verify periodically that updates are actually being applied rather than assuming they are.

5. Patch up security holes regularly

Security vulnerabilities are often picked up by software developers between versions. Rather than leave their users exposed until the next update, developers will release ‘patches’ to protect them in the meantime.

Like software updates, patches are often neglected, and unpatched software is one of the biggest security risks for your business. Think about it: once a patch is public, attackers know about the hole too, and they actively scan for systems that haven’t applied it.

Patching can be a tedious process, especially in larger organizations, but it really is worth taking the time to keep your software protected. That applies to the software on connected devices like printers, too.

6. Replace outdated hardware

Just like software, hardware is continually being updated and improved. And like software, falling behind on your hardware updates will leave you vulnerable to poor performance and avoidable security threats.

If you’ve identified outdated hardware in your inventory, update it now to maintain peak performance and full security compliance. If the hardware is no longer being used, disconnect it from your network and properly remove any sensitive data within it.

7. Control installations

Software downloads can be used as a vehicle to implant viruses, malware, and spyware on your systems. For that reason, it’s essential that users are not given free rein to install software on their company devices.

Develop a policy that governs which employees can install which software on which devices. You might decide that only certain groups of users are allowed to install software, or you might allow installations from trusted sources, or you might require that all installations are approved first. Whatever your specific policy looks like, it should be controlled centrally by you or your IT team, and not on an individual basis.

8. Limit users

In order to minimize the potential damage from a hacking or malware attack, it’s important to carefully control the level of access your employees have to devices and programs.

For example, if 200 of your employees can access a system, that’s 200 sets of credentials that can be phished, guessed, or reused from another breach to enter that system. If only 100 of them actually need to use it, restricting access to an ‘as-required’ basis removes half of those paths.

Administrative rights matter even more. A compromised admin account lets an attacker disable defenses, move to other systems, and install persistence, so if all 100 users have admin rights, that’s 100 opportunities to do serious damage. Restrict admin rights to the 10 employees who need them, and have those 10 use separate, non-admin accounts for everyday email and browsing. You get the idea!

For each item in your inventory — hardware, software, and applications — evaluate which of your employees needs access, and what privileges they need within the system to in order to do their job. Everybody else should be restricted accordingly.

9. Back up data

Even with the very strictest of security, life still happens. Loss, damage, technical malfunction, sabotage, and theft can never be fully prevented, so make sure you have a reliable system for backing up your data — both yours and that of your clients and customers.

Ideally, you’ll have backups of your data in multiple formats and locations (the common 3-2-1 rule: three copies, on two different media, with one off-site). Copies of digital data should be encrypted and stored off-site, for instance in cloud storage, with at least one copy kept offline or immutable so that ransomware that reaches your network can’t encrypt or delete it along with the originals; copies of physical documents should be stored in a secure off-site location. Test restores regularly: an untested backup is a hope, not a control.

Build regular data back-ups into your security plan. If possible, automate the process to save time and money, and of course, to eliminate the risk of forgetting.

10. Invest in training and awareness

When it comes to keeping your business safe, knowledge truly is power, so take the time to identify knowledge gaps within your team and provide training as necessary. This will fortify your business from top to bottom, teaching everything from password etiquette and best-practice software usage to threat identification and crisis management.

11. Develop an incident response plan

Despite your best efforts, the worst has happened — you’ve been hacked. What do you do?

If you don’t have an answer to that question, then now’s the time to find one! The best incident response is the one that’s planned, rehearsed, and perfected ahead of time, ready to be rolled out seamlessly if and when disaster strikes.

Work with your IT team on developing responses to all possible threats you might face. Consider what actions will be needed, who will take responsibility for them, and whether they have the skills and knowledge necessary to do so. Make sure everyone understands their role and hold regular drills to keep the procedure fresh in everybody’s minds.

12. Employ a cybersecurity framework

For organizations that deal with particularly sensitive data, think government or defense suppliers, for example, it may be wise to adopt a more structured security framework. Industry standards like the NIST Cybersecurity Framework, NIST SP 800-171 (mandatory for DoD contractors handling CDI), and the CIS Controls and Benchmarks offer you standards, guidelines, and best practices to manage cybersecurity risks in critical environments, protecting both your business and your clients.

And finally, the Golden Rule…

If in Doubt, Leave It to the Experts

When it comes to cybersecurity, you can’t just wing it! If you don’t have the resources or the expertise to properly manage your security in-house, then don’t take the risk — outsource it to professionals.  A Managed Security Services Provider (MSSP) like CyberSheath can take all of the work and the worry out of cybersecurity. We already have the infrastructure and the experts in place, so we can quickly set up a bulletproof, fully staffed security system with minimal effort on your part.

CyberSheath’s MSSP is also one of the most cost-effective security options available to businesses like yours. We keep your costs consistent and predictable, which gives you much more control over your budget, and you benefit from the latest in security technology without having to invest in research and development.

To learn more about cyber hygiene and discuss how your business could benefit from the cost-effective, comprehensive protection of an MSSP, contact us now for a no-obligation discussion.

The December 31, 2017 deadline for achieving compliance with NIST SP 800-171 has come and gone. If you’re still not compliant, you’re at risk of penalties, and your chances of winning future contracts and bids are in jeopardy. The good news is that it’s not too late!

It’s understandable if you haven’t yet actually implemented the required NIST SP 800-171 security requirements. In the past, the DoD permitted businesses to choose a future date for implementing required security controls through the Plan of Action & Milestones (POA&M) mechanism. As a result, many businesses used the POA&M merely as a checkbox, which led to weak System Security Plans and stalled control implementations. Today, the DoD has upped its game by insisting on stronger cybersecurity practices among its business partners, and has moved to an enforcement phase for cybersecurity compliance with recently released DoD guidance.

On April 24th, 2018 the U.S. Department of Defense released its draft “Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented.” The extensive document contains more stringent guidelines on exactly how the DoD will assess the implementation of security controls when evaluating proposals and awarding contracts. It also provides detailed recommendations for properly assessing System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms).

The DoD guidance also describes the consequences for business partners who fail to adhere to the security rules, up to and including not being awarded new contracts.

Failure to Implement the Required NIST 800-171 Controls will Lead to Lost Bids, Vendors and Revenue

For the best chances of new contract awards and superior contract performance in the competitive defense contracting market, you need to implement the security requirements and heightened information security practices outlined in NIST SP 800-171.

NIST SP 800-171 contains 110 security requirements derived from NIST SP 800-53, which governs security controls for federal government systems. The new guidance is also designed to help businesses assess and prioritize the most effective order in which to implement these 110 requirements.

The DoD’s new approach to reviewing SSPs and security requirements not yet implemented is to assign a risk value to each requirement. An unimplemented requirement with a high value poses an extremely high risk to the data being protected and to your ability to win DoD contracts.

Each security requirement that hasn’t been implemented carries a DoD Value ranging from 5 (highest risk and highest priority for implementation) down to 1 (lowest risk and lowest priority for implementation).

If you don’t meet the 110 security requirements, you will likely lose potential contracts, through poorly written SSPs and the high risk scores that result from failing to implement the required controls.

Relax. We’ve Got This!

At CyberSheath, we know that successfully implementing these security controls can be a daunting undertaking for your organization. We’ve successfully assessed and implemented the required NIST SP 800-171 controls for organizations large and small in the defense industrial base supply chain. We’ll ensure your System Security Plan (SSP) and associated Plans of Action & Milestones (POA&Ms) are documented and fully implemented. Our cybersecurity experts will take care of all identified gaps in your information systems, schedule implementation of any outstanding items and ensure your organization is compliant with all of the latest requirements. We follow all DoD guidance for the review of SSPs and POA&Ms and “assist in prioritizing the implementation of security requirements not yet implemented.” After we have delivered a fully compliant solution, we offer managed services to maintain your compliance and incorporate any updates from the DoD.

Contact CyberSheath today for a no-obligation phone consultation, and learn how we can ensure compliance with NIST SP 800-171 in five steps.

Managed Security Services are an extension of your security operations enabling 24×7 security operations center support and regulatory compliance. These services integrate your existing people, processes and technology to make security a force multiplier without the tremendous investment required to build the capability internally.

Instead of investing in the headcount, you can outsource key services to a Managed Security Services Provider (MSSP) as an extension of your existing operations. Advantages of managed security services include:

  • Consistent, known, and manageable costs with excellent return on investment
  • Ability to leverage innovations and stay at the front of the technology curve
  • Improved security and peace of mind knowing experts are proactively handling issues
  • Internal team members can focus on strategic projects

Businesses have endless options available as MSSP partners and the array of choices, industry jargon, and configurable service options can cause analysis paralysis. Without a team of security experts to vet vendor service offerings, the MSSP selection process is daunting. For tips on selecting an MSSP check out this blog post:

If you want someone to solve this problem for you using best-of-breed technology and professional services that have you up and running quickly, consider CyberSheath Managed Services leveraging AlienVault technology and shared intelligence.  AlienVault® Unified Security Management® (USM) delivered by CyberSheath is quickly becoming the go-to solution for businesses of all shapes and sizes.

Like our customers, CyberSheath had an endless set of choices when selecting a technology to deliver our managed security services, and we chose AlienVault. In addition to AlienVault being a SANS Premier Affiliate Member, its technologies have been recognized globally, and we chose AlienVault as a way to deliver less expensive, faster and more effective managed security services.

CyberSheath Managed Security Services leverage the AlienVault unified approach to security which includes:

Unified Security Management® (USM)

Simple and affordable centralized threat detection & incident response which integrates with your existing IT workflow for 24/7 security coverage.

Integrated Threat Intelligence

Actionable threat intelligence updates from AlienVault Labs delivered continuously to the USM platform ensuring you always get the latest threat intelligence.

Security Orchestration & Automation with AlienApps™

Easily extend threat detection & incident response to third-party products like Office 365, Service Now, and Cisco Umbrella.

CyberSheath’s tailored implementation of AlienVault technologies delivers five essential security capabilities in one platform: asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, and SIEM and log management.

The solution provides both cloud and on-premises monitoring. USM Anywhere cloud sensors natively monitor Amazon Web Services and Microsoft Azure, while on-premises virtual sensors run on VMware and Microsoft Hyper-V to monitor your physical and virtual IT infrastructure.

The “secret sauce” of leveraging AlienVault to deliver Asset Discovery, Vulnerability Assessment, Intrusion Detection, Behavioral Monitoring and SIEM and Log Management is partnering with an MSSP that has the flexibility to deliver what you need. CyberSheath delivers, monitors and manages AlienVault technologies, but we also monitor the many third-party products and widely-used technologies you’re already running so there’s no need to rip and replace.

Operational security enables compliance, and CyberSheath tailors our MSSP services to deliver immediate, tangible operational security improvements that facilitate regulatory compliance. Customized AlienVault technology solutions mapped to your requirements make your business both secure and compliant. Chances are you don’t have the time or resources to manage compliance as a separate activity from securing your business, so we document the alignment between the two and deliver the services required to survive both an attack and an audit.

Delivering on the “service” part of being an MSSP is what differentiates CyberSheath from the dozens of other MSSPs you can choose from. Of course, SLAs are a part of every contract we write, but there is a level of service you get with CyberSheath that can’t be captured in an SLA. Unlike other providers, CyberSheath gives you access to a technical account executive who helps you solve new business challenges as they arise. When you are in the midst of an audit, deploying a new technology or just want to run something by an expert before briefing your boss, CyberSheath’s technical account executives answer your questions within the context of your existing business. We do it because we want to earn your business every day, not sell you more tools. Contact us today to learn more.

As an owner of a small or mid-sized business, you have endless options available as you partner with a Managed Security Services Provider (MSSP) to better secure your business. The array of choices, industry jargon, and configurable service options can leave you wondering if you left something on the table that you will later regret. Without a team of security experts to vet vendor service offerings, the selection process is even more daunting.

How can you simplify the process and ensure that you are getting everything you need to be secure and compliant?

Maximize Your Chance of Success When Selecting an MSSP

  1. Document your requirements
    • Increase your likelihood of getting what you need by taking the time to compile this list. It will make you a smarter buyer and tremendously help you find the right resource for your needs.
    • Note that this doesn’t have to be a detailed spreadsheet of operational capabilities and Service Level Agreements (SLAs). You may opt to start with compliance issues, as most businesses have specific regulatory requirements that they must satisfy, including DFARS (NIST SP 800-171), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and many others.
    • Ask potential MSSP vendors how they can help your business to measure, satisfy, or simplify compliance with any of the above compliance requirements. MSSPs should possess in-depth knowledge of the requirements, use cases from existing customers, and references.
  2. Be ready to answer questions
    • Have a technical person and someone who understands your business available to answer questions about the security tools currently in place, including how they are used, which users need what level of access, and existing business processes. A good MSSP will want to understand your business both in terms of your existing on-premises and cloud-based infrastructure and your actual business.
    • Trust your instincts and steer clear of sales pitches that focus on technology rather than your business requirements. Know that MSSPs who don’t ask the right questions and who push technology won’t be good long-term partners. There isn’t a tool on the planet that can make you secure. Ideally, your conversations will be with the MSSP operational staff rather than salespeople as operational folks will have the experience that can be applied to your business requirements.
  3. Make sure your MSSP enables security and compliance
    • Remember that operational security enables compliance. Drive your MSSP to explain how their proposed solution to your requirements can make your business both secure and compliant. Chances are you don’t have the time or resources to manage compliance as a separate activity from securing the company. Whatever you contract for should enable both operational security and compliance and the alignment between the two should be documented.
      • Example: If an MSSP is offering a Security Information and Event Management (SIEM) and log management capability, there should be a documented alignment between the capability delivered and your specific compliance requirements. You intuitively understand why you need a firewall and anti-virus protection, but make the MSSP demonstrate how that operational need maps to your compliance requirements so the capability becomes a force multiplier.
    • Keep in mind that other examples of operational technologies that your MSSP should easily be able to map to your compliance requirements include:
      • Asset Discovery and Inventory
      • Vulnerability Assessment
      • Intrusion Detection
      • Behavioral Monitoring
      • SIEM and Log Management
  4. Vet your MSSP to ensure service delivery
    • Spend time examining your MSSP to be sure that they are going to deliver on the “service” part of being an MSSP. SLAs should be a part of your contract, but there is an undocumented level of service that you should be getting from your MSSP that can’t be captured in an SLA.
    • Consider these things:
      • Are you comfortable with their technical expertise?
      • When you call, do you know if you’ll get a knowledgeable expert who goes the extra mile to solve your problems or a tier-one analyst who just opens a ticket?
      • When compliance questions relating to a business issue arise, will you find your MSSP to be a partner working with you to solve the problem?
      • Does the MSSP have clear value-added services that go beyond “management dashboards” that only demonstrate tools are being deployed?
    • Narrow your selection to responsive, service-oriented vendors during your procurement process. Many customers have been sold MSSP “services” that do little more than collect logs and monitor.
  5. Be diligent in checking references
    • Ask for references and take the time to call these contacts. Inquire about the reference’s experience during onboarding and delivery of services months after the sale was made. Is the MSSP still engaged and delivering value or do they only surface at contract renewal time?
    • See if your chosen MSSP has delivered any remediation or implementation projects as they are indicators of hands-on experience that will benefit your business. Ideally, references will be in the same business or industry as yours, but if everything else checks out this isn’t a necessity.

Partnering with an MSSP is a great way to secure your business infrastructure. To find out how quickly CyberSheath can enable 24/7 operational security and compliance reporting for your business, contact us at


As a small- or medium-sized business, you are faced with many challenges. How do you stay focused on your company’s core mission while scaling your organization’s infrastructure to accommodate growth and investing in the right technologies and solutions?

That’s where managed services come in. Instead of investing in the headcount, you can outsource key services to IT professionals focused on critical areas. Advantages of this approach include:

  • Consistent, known, and manageable costs with a good return on investment
  • Ability to leverage innovations and stay at the front of the technology curve
  • Improved security and peace of mind knowing experts are proactively handling issues
  • Internal team members can focus on strategic projects, furthering your company’s cause

How CyberSheath Can Help

You can rely on CyberSheath for your Managed Security Services or Governance, Risk, and Compliance needs. Partnering with other managed service providers while carving out our area of expertise means that you see no additional spend for licensing costs.

You need: A DFARS-compliant security management platform that monitors your cloud, hybrid cloud, and on-premises infrastructure to provide a unified approach to threat detection and compliance management.

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.3.1, 3.3.4, 3.3.5, 3.3.6, and 3.3.8

CyberSheath offers: Security Management Platform

  • Security Information and Event Management (SIEM) | Gathers and analyzes logs and event data from disparate security controls and devices across the network, and correlates them to identify related security events.
  • Vulnerability Management & Asset Discovery | Provides visibility into assets and user activity and identifies vulnerabilities across the environment.
  • Intrusion Detection System | Detects intrusions and monitors behavior to track events and establish a benchmark for normal conduct.
  • Threat Intelligence | Implements correlation rules, IDS signatures, vulnerability detection rules, and IP reputation updates to ensure the security management platform is appropriately maintained and detecting current threats.

You need: A DFARS-compliant incident response monitoring program that will continuously monitor your environment for malicious outsider threats as well as malicious and non-malicious insider threats.

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.3.3, 3.6.1, 3.6.2, 3.14.3, 3.14.6, and 3.14.7

CyberSheath offers: Incident Response Monitoring Managed Service

  • Comprehensively monitors and analyzes correlated alerts derived from the log feeds of selected devices feeding into the SIEM solution. Monitoring is provided by security experts to identify and respond to security threats.
  • Provides detailed notification and recommendations for containment, eradication, and recovery from security incidents as dictated in the organizational Incident Response Plan (IRP).
  • Creates, edits, and manages all details of the incident in a tracking solution until incident closure.
  • Tracks metrics for incident occurrences, time to resolution, and other critical measurements of the IRP.
  • Provides updates and improvements to the IRP based on after-action reports and lessons learned.

You need: An identification and authentication service that complies with the DFARS security requirements for multi-factor authentication.

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.5.3, 3.5.5, and 3.7.5

CyberSheath offers: Multifactor Authentication (MFA) Managed Service

  • Secures access to accounts by offering a layered approach to security for your VPN, privileged accounts, and Covered Defense Information (CDI) systems.
  • Works with stakeholders and end-users to test the validity of MFA solutions against the in-scope systems and defined use-cases.
  • Deploys the capability to the in-scope users and systems.
  • Develops and delivers training material for all in-scope users who will be required to use the MFA solution.
  • Works to resolve any system irregularities or issues with the MFA solution.

You need: A mobile device management service for mobile devices that complies with the DFARS security requirements for systems which store, process, or transmit CDI.

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.1.1, 3.1.8, 3.1.10, 3.1.18, 3.1.19, 3.8.6, 3.13.11, and 3.13.16

CyberSheath offers: Mobile Device Management (MDM) Managed Service

  • Enforces security configuration and encryption for bring-your-own-device (BYOD) or company-provided mobile phones or tablets.
  • Works with stakeholders and end-users to test the capabilities of the mobile device management solution against the in-scope systems and defined use-cases.
  • Deploys the capability to the in-scope users and systems.
  • Develops and delivers training material for all in-scope users.
  • Works with the organization to administer the MDM solution as it relates to the provisioning and de-provisioning of mobile devices and users within the scoped environment.

You need: An endpoint protection solution that complies with the DFARS security requirements for the protection of endpoints (client systems and servers) and removable media which store, process, or transmit CDI.

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.1.19, 3.8.6, 3.8.7, 3.13.11, 3.13.16, 3.14.2, 3.14.4, and 3.14.5

CyberSheath offers: Endpoint Protection Managed Service

  • Centralizes management of anti-virus, anti-malware, and full disk encryption for laptops, workstations, and servers.
  • Works with stakeholders and end-users to test the capabilities of the endpoint protection and encryption solutions against the in-scope systems.
  • Deploys the capability to the in-scope users and systems.
  • Develops and delivers training material for all in-scope users who will be required to use the encryption solutions.
  • Works with the organization to administer the endpoint protection suite as it relates to the configuration and troubleshooting of systems within the scoped environment.

You need: A GRC program that enables the organization to track and maintain DFARS compliance after all remediation efforts have been completed.

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.2.1, 3.2.2, 3.2.3, 3.4.1, 3.6.2, 3.12.3, 3.12.1, 3.12.3

CyberSheath offers: Governance, Risk, and Compliance (GRC) Managed Service

  • Provides and maintains a repository of assets, threats, and pre-mapped controls, and assigns controls based on role throughout the organization.
  • Manages policy based on your organization’s unique risk profile, regulatory requirements, and best practice needs.
  • Inventories, tracks, and manages all vendor and service provider assessment activities.
  • Manages training with web-based information security awareness training in line with DFARS security requirements.
  • Provides audit management with a streamlined verification process for IT security controls through defined audit workflows.
  • Identifies, tracks, and manages regulatory changes to ensure your organization maintains a state of compliance.

You can rely on CyberSheath to provide quality managed services for your IT security needs. Contact us to learn more about how we can help your organization.
