there are no posts to show...

Helpful Resources


As soon as May 2023, federal contractors in the Defense Industrial Base (DIB) will face compliance requirements with a new version of the Cybersecurity Maturity Model Certification (CMMC) program. Many contractors don’t have the budget or expertise to achieve compliance in-house and need a partner.


Some organizations may seek a managed service provider (MSP) to help navigate the framework of CMMC 2.0. Robert Beuerlein, Principal Consultant of Aerospace & Defense at Frost & Sullivan, will present a whitepaper at CMMC CON 2022 to give an overview of the MSP landscape and offer contractors some qualities to identify in potential MSPs.


Beuerlein has 22 years of management experience in cyber operations and information warfare.  He is a retired senior commissioned officer with global experience in training and development systems, information technology, and defense contracting. His significant expertise in Department of Defense (DoD) planning and budgeting processes makes him an authority that contractors can glean a new perspective from.


Register for CMMC CON 2022 to join the conversation with Beuerlein about CMMC 2.0 compliance and how MSPs can help the DIB navigate a complex landscape.

With the continually evolving threat landscape and the prevalence of team members working from home, it is more important than ever to be proactive with how your company is protecting itself from cyberattacks. 

CyberSheath can help. We offer services to build on all the great work you have already done to safeguard your information and your IT infrastructure. 


What these services are and why you need them

Anti-spam and phishing protection

Your organization needs to guard against threat actors delivering unwanted emails and trying to engage people to perform dangerous activities, like downloading and installing infected applications. To limit the ability of these threat actors to send email to your employees, you should have the right spam tool with the right settings in place. 


Solution: Microsoft 365 Defender helps stop phishing attacks. This tool, which is part of Microsoft’s XDR solution, leverages the Microsoft 365 security portfolio to automatically analyze threat data across domains, building a complete picture of each attack in a single dashboard. It offers two options, with both plans providing configuration protection capabilities, anti-phishing, and real-time detections. The more robust Plan 2 layers on additional capabilities like automation investigation or remediation, and education capabilities.


Endpoint detection response (EDR)

An important step to protecting your network is securing all your endpoints, including servers, individual workstations, and remote laptops. There are many ways these nodes can be inadvertently compromised, paving the way for a threat actor to install ransomware on one of your endpoints, lock it up, and encrypt critical files.


Solution: Microsoft Defender for Endpoint allows your team to minimize the damage to your environment by providing traditional signature-based antivirus protection where the tool identifies a bad program based on certain characteristics and then neutralizes that program before it causes harm. This solution also stops heuristic threats, and helps you gain visibility into potential malicious or anomalous behavior. In the event that malware is installed on an endpoint, Defender for Endpoint can also isolate a workstation before it becomes a malware host.


Domain name server (DNS) filtering

The next step to securing your infrastructure is to restrict access to websites serving potentially dangerous content. Issues could arise when users are accessing a new website and are mistakenly redirected to a different site, or when ad servers on a frequently visited site are compromised.


Solution: Cisco Umbrella provides DNS filtering for security protection from these issues. This solution keeps a record of all the websites that are known to be malicious and prevents employees from accessing those sites. Default DNS services do not possess this capability.


Spam, endpoint, and DNS tools all work together to make sure that your employees don’t download anything harmful and that nothing compromising is accessed. Even though they come from different solution providers, they are able to play in the same sandbox.


Our skilled team can install, configure, and monitor any of these tools. Contact us today to get started.

Working with the federal government means maintaining compliance with fluid cybersecurity standards. It can be an overwhelming, confusing, and expensive venture for a business that isn’t familiar with the ever-changing mandates.


CyberSheath’s Federal Enclave can ensure you stay compliant with federal cybersecurity minimums while saving you time and money.


Federal Enclave is both a common-sense approach to protecting data and the most comprehensive Defense Federal Acquisition Regulation Supplement (DFARS) compliant enclave. It ensures your users that handle sensitive data always have secure access to an out-of-the-box compliant environment, secured and managed by CyberSheath. Based on Microsoft Azure, Federal Enclave can be situationally deployed on any of Azure’s cloud platforms or on premises.


The Department of Defense (DoD) was the first federal entity to roll out mandatory minimums for cybersecurity with Cybersecurity Maturity Model Certification (CMMC) in 2020, and recently released a simplified, updated version with CMMC 2.0. It’s expected that all federal agencies will eventually require cybersecurity compliance for federal contractors, which makes now a great time to get ahead of the curve as you plan future work with the federal government.


Federal Enclave adheres to CMMC v1.02 and v2.0 as well as DFARS 252.204-7012, limits organizational controlled unclassified information (CUI) data sprawl, and controls role-based allowances to CUI.


CyberSheath has helped more than 500 clients discover their compliance starting point and roadmap. Federal Enclave simplifies adherence to the difficult cybersecurity business requirements and puts CyberSheath in your corner to ensure compliance. Register for CyberSheath’s webinar to launch Federal Enclave at 12 p.m. EST on Feb. 23.

Federal Enclave Webinar


Fifth-Annual List Honors Leading MSSP, MDR and SOCaaS Cybersecurity Companies Worldwide


RESTON, Va — Sept. 28, 2021 — MSSP Alert, published by After Nines Inc., has named CyberSheath to the Top 250 MSSPs list for 2021.


The list and research identify and honor the top MSSPs, managed detection and response (MDR) and Security Operations Center as a Service (SOCaaS) providers worldwide.


The rankings are based on MSSP Alert’s 2021 readership survey combined with the digital media site’s global editorial coverage of managed security services providers. The fifth-annual list and research report track the managed security service market’s ongoing growth and evolution.


“As Cybersecurity Maturity Model Certification (CMMC) is implemented, defense contractors have been sold incomplete options causing them to overspend and under-comply. CyberSheath’s Managed Services deliver a complete solution for federal contractors seeking to achieve compliance with the new requirements and remain eligible to win Department of Defense business,” said Eric Noonan, CEO of CyberSheath. “Ranking so high on this list demonstrates just how critical our efforts have been in keeping defense contractors compliant and further illustrates how CMMC has changed the federal contracting landscape for the better.”


“After Nines Inc. and MSSP Alert congratulate CyberSheath on this year’s honor,” said Amy Katz, CEO of After Nines Inc. “Amid continued ransomware, malware and supply chain cyber attacks, the MSSP Alert readership and community continues to mitigate risks for businesses and government organizations worldwide.”


Highlights from the associated MSSP Alert research include:

  • MSSP Revenue Growth & Financial Performance: MSSP honorees, on average, expect to generate $22.3 million in revenue for 2021, up 16% from $19.2 million in 2020. The growth rate remains consistent with last year’s report.
  • Geography: Honorees are headquartered in 26 different countries.
  • Profits: 85% of MSSPs surveyed expect to be profitable for fiscal year 2021, which is roughly even with 2020.
  • Security Operations Centers: 71% have in-house SOCs, 19% are hybrid, 8% completely outsource their SOCs, and 2% are reevaluating their SOC strategies.
  • Cyberattack Trends: The most frequent attacks targeting MSSP customers in 2021 include vulnerability exploits (87%), phishing (96%), and ransomware (89%) incidents.
  • Cybersecurity Solutions: In a continued sign of market fragmentation, MSSP survey participants mentioned 130 different hardware, software, cloud, and services vendors that assist their cybersecurity efforts — roughly even with our 2020 report.
  • New Managed Security Services Offered: In addition to traditional managed security services, capabilities such as MDR (91%) have now gone mainstream. Plus, fast-growth services offered include SOC as a service (76%), XDR (67%), cyber talent as a service (43%) and cloud security posture management (41%).


The Top 250 MSSPs list and research were overseen by Content Czar Joe Panettieri. Find the online list and associated report here:


CyberSheath is continuing to educate the Defense Industrial Base on the ins and outs of CMMC with a virtual event on Sept. 29. CMMC Con 2021 will equip defense contractors with a better understanding of the evolving threat landscape, the impact of cybersecurity compliance law aimed at mitigating these threats, and the how-to for solving these challenges.


About CyberSheath Services International, LLC

Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at



CyberSheath Services International, LLC

Kristen Morales at


About After Nines Inc.

After Nines Inc. provides timeless IT guidance for strategic partners and IT security professionals across ChannelE2E ( and MSSP Alert (  ChannelE2E tracks every stage of the IT service provider journey — from entrepreneur to exit. MSSP Alert is the global voice for Managed Security Services Providers (MSSPs).

  • For sponsorship information contact After Nines Inc. CEO Amy Katz,
  • For content and editorial questions contact After Nines Inc. Content Czar Joe Panettieri,

As a defense contractor, you are eager to get your company compliant with the Cybersecurity Maturity Model Certification (CMMC). You’ve assessed your organization for CMMC readiness, documented your system security plan (SSP), formulated your plans of actions and milestones (POAMs)–and now it’s time to get it all done and implement any outstanding controls. How do you start? And what should you know before you dive in?

Where to start in securing your environment

If you are at the implementation stage, then you know there are 130 controls required to protect controlled unclassified information (CUI). Addressing all of these security measures can seem like a daunting task, as your organization must meet all 130 controls to be CMMC compliant. Let’s discuss the controls by general category.


Security Monitoring Controls

Security Information and Event Management (SIEM)

Regular review of logs is a key part of not only CMMC and NIST SP 800-171, as well as a general best practice. However, aggregating and reviewing the massive volume of logs is not practical to accomplish with manual processes.

Recommended tools: Microsoft Sentinel or Splunk

These tools can take in large amounts of data, and correlate that data–and then based on analytic alerts enabled inside of that SIEM environment, it will escalate events of interest to you. This allows you and your analysts to narrow your focus down in determining if there really is an incident in your environment.


Vulnerability Scanning

Vulnerability and patch management strategy is an essential requirement to meet CMMC. Unpatched vulnerabilities are often utilized by threat actors to exploit systems, leading to ransomware and data theft.

Recommended tools: Tenable and Qualys

These solutions are run in client environments to determine what vulnerabilities exist, and what patches are needed in the environment.


IT Infrastructure Controls

IT Infrastructure refers to all of your company’s hardware and software, both on-premise and in the cloud. Many companies struggle implementing controls in environments where CUI is stored on-premise and they have older unsupported hardware and software which puts CUI at risk.

The shadow IT, meaning the different individuals inside organizations spinning up servers in AWS or Azure or Google cloud, on top of what is happening in your environment, may need to be addressed under CMMC as well, if they handle CUI.


Policy and Administrative Controls

One of the key points in gaining CMMC compliance is ensuring that your controls have maturity. A POAM and SSP are both great tools to help you get there. Having documents including policies, plans, and standards explaining what the control is and how the company achieves each control is important.

Make sure you are capturing what technology you’re putting in place and the processes of implementing and managing that technology. Also create documentation about how to perform a specific function in the environment, including an incident response, vulnerability management, and risk management plans. Be mindful that these plans need to be understood, actively used, and approved across the organization.


Enclave Strategy

As your organization works to implement these controls, it might make sense to consider strategies to help you gain compliance, like creating an enclave. This is a way for companies to secure CUI without re-architecting their entire environment.

By embracing cloud infrastructure, companies can quickly stand up and secure CUI through several methods.

  • External CUI Communication – There may be times where you’re working with a partner on CUI. You may not want them to have access to your environment, and you may want to have a very secure enclave with controls, so that it is very clear who is accessing that documentation. In this scenario, set up a host in a SharePoint environment in a GCC environment.
  • Hybrid Cloud – This is where you’re allowing for segmented data that utilizes your existing Active Directory authentication structure, but also has an area inside the cloud that allows for segmentation and data storage. You have controls around that data to secure it, and individuals who don’t have clearance internally cannot get to access that data.
  • Private Cloud – This approach has an entirely separate cloud infrastructure for hosting CUI, including controls around servers and desktops, encompassing everything that resides in the cloud tenant. This strategy reduces the control burden on users who don’t need access to CUI. This is a great option to ensure that CUI data is protected.


Helpful Resources

Securing your infrastructure can be an intensive process as every environment is different. Microsoft has released a great tool mapping their products to CMMC, so you can easily visualize what tools will help you meet CMMC Level 3 compliance. 

Download Microsoft mapping tool 


No matter what stage your organization is at in working to gain CMMC compliance, the team at CyberSheath can help. From assessments and creation of SSP and POAMs to remediation and compliance management–we have the knowledge, skills, and experience to help your organization get it done. Contact us today.

As more resources move to the cloud and users increasingly work remotely, the National Security Agency issued new cybersecurity guidance. It had a line of particular importance for those companies that must meet CMMC compliance.


“NSA strongly recommends that a zero-trust security model be considered for all critical networks within National Security Systems, the Department of Defense’s critical networks, and Defense Industrial Base critical networks and systems,” the agency wrote in a February report.


The zero-trust model will evolve contractors’ compliance strategies as the CMMC rollout continues but could be key for companies outside the DIB also, because CMMC compliance may soon be required for a larger scope of contractors. The General Services Administration’s (GSA) STARS III solicitation states, “(w)hile CMMC is currently a DoD requirement, it may also have utility as a baseline for civilian acquisitions.”


Keith Nakasone, former deputy assistant commissioner of acquisition management for the GSA, will join CMMC Con to address how CMMC may soon be a requirement for all federal contracts.


Nakasone joined VMware as a federal strategist in June, after spending more than four years with the GSA. There, he oversaw roughly 300 procurement personnel and contracts worth more than $30 billion per year. Nakasone, who has 32 years of government experience, previously had senior procurement roles at the Federal Communications Commission and Defense Information Systems Agency.


Nakasone will join CyberSheath Vice President of Security Services Carl Herberger for a question and answer session on CMMC and supply chain security for all small companies working as contractors for the U.S. government. Register for CMMC Con 2021 now to join the discussion and learn how CMMC applies beyond the DoD.

As your organization works toward achieving CMMC compliance, creating your System Security Plan (SSP) and Plan of Action and Milestones (POA&M), are critical steps in the process. The documents both provide a foundation for your remediation efforts as you work to close all of your company’s cybersecurity compliance gaps.

Find the right SSP for your organization

Your SSP will outline how your organization approaches cybersecurity. It is your opportunity to narrate your security controls including discussing your environment and how you meet the intent of your controls. Before you begin drafting your plan, you need to determine which approach to take. Select one of the below to get started.

  • Organizational plan – Sometimes called an enterprise system security plan, these plans represent a system security approach across an organization defining a standard cross-organization adoption of control requirements. Organizational plans work well for less complex organizations where all technology can be represented in a single document.
  • System focused plan – This approach concentrates on security through the lens of a particular system, IT service, or enclave, and fully documents control implementation details from the perspective of a specific system only.
  • Hybrid plan – This plan is between an organizational system security plan and a single system or enclave system security plan. It takes the idea of standardization from the organizational plan, but documents your deviations from your overarching standard in addendums or appendices.
  • Shared compliance – This is a type of hybrid plan that documents the accountability of control implementation that lies with a service provider. The organization should ensure, contractually or through verification, that inherited controls are in place at the service provider and that they are applicable to the systems and/or services in scope for system security planning.


SSP document structure

Regardless of the type of plan you proceed with, here is guidance on how to structure your SSP.  Include the following report elements.

  • System information – In this section it is important to include ownership and accountability for each system you are documenting, as well as a systems environment description, data flows and interconnections, users and roles, and hardware and software components.
  • Control narratives – For each control, note the status, which should be compliant, partially compliant, not compliant, not applicable, or inherited, and provide a narrative about the status. Also include discourse on the control implementation. This is your opportunity to discuss a control requirement. For every control where you are partially compliant or not compliant, provide a summary of planned actions to get you to compliance and direct readers to your POA&M.
  • Other considerations – There are other types of information that can be helpful to include in your SSP including:
    • Diagrams and visual representations to illustrate what your system is and how it works.
    • Assessment guide and supplemental guidance to assist your narratives and show what you need to achieve and how you will meet your objectives.
    • Expected or maintained evidence and artifacts to demonstrate how you will or are implementing the controls.
    • Maturity references including policies, practices, and plans to tie the pieces together and make it easier for a certifier to track down those pieces of evidence that confirm your controls are not newly implemented.
    • CUI authorizations to show the flow of CUI in your environment. This should talk to where CUI should exist, where it is stored, how it should be accessed, and how it flows.


Take the steps to compliance with a POA&M

A POA&M is a corrective action tracking mechanism. Here are the key components to have as you develop your own POA&M to assist with your CMMC compliance efforts.

  • Corrective actions list in the form of actionable tasks – What are the actions that you need to take to implement each control?
  • Milestones and timeline to achieve compliance – When do you plan to have each action completed? Include interim completion dates.
  • Ownership and resourcing of tasks – Who is responsible for managing and completing each action?
  • Prioritization – What is the compliance impact, estimated cost, and risk of each?
  • Weaknesses or deficiency – How was the weakness that requires this action identified?
  • Control mapping – Which control does this action correspond to and address?
  • Status – What is the status? Is this action ongoing or completed?


POA&M process and workflow tips

Start with a template and your assessment data as input. Select your template and aggregate all the information you uncovered in your internal assessment, external assessment, or audit. These will be your two inputs to leverage in building your plan of action and milestones.

Convert assessment recommendations to actionable tasks. Sometimes assessment-speak is at a high level. Make sure you are breaking down each requirement into steps that make sense. Include the necessary detail to address the steps your organization needs to take to bring you into a compliant state.

Populate your POA&M and follow your planned timeline. Note any changes to your targeted dates and make sure that you’re actively using this plan to help you achieve compliance.

Maintain your POA&M as you close out your tasks. Once you complete a task, move the status to complete. If you appropriately maintain your POA&M, it is easy to track your progress and note your outstanding items. It also establishes an audit trail of tasks that you are closing out.


SSP and POA&M Resources

The documents listed below are useful as you build your own SSP and POA&M.


If you have questions about how your organization can craft its SSP and POA&M, contact the experts at CyberSheath. We have helped clients assess and document their cybersecurity state, implement controls, and achieve and maintain compliance. Get started today.


As your organization is gearing up to start the process of attaining Cybersecurity Maturity Model Certification (CMMC), it is important to know how this cybersecurity standard compares to other regulations.


Five Ways that CMMC Differs from Other Laws.


1. CMMC is a certification.

Most regulations, laws, and mandates are attestations, but CMMC is more than that. It requires a third-party audit to certify that your organization is adhering to the cybersecurity practices and procedures the standard outlines. The audit must be completed by a CMMC third-party assessor organization (C3PAO), that will then make a recommendation to the accreditation body (AB) as to if your organization meets the certification requirements. Often attestations simply require a company to claim that they are compliant, relying on organizations to honestly self-report on their status without requiring information and artifacts for confirmation.

Seeking certification will significantly impact organizations. Each company must decide if they are going to take CMMC seriously, dive in, and get it done. Does the potential revenue from bidding on and securing DoD contracts make this effort worthwhile? Only your organization can make that important decision for itself.


2. CMMC is an audit and not a point in time assessment.

In order to count as completed and apply toward certification, the controls must be mature. An audit typically reviews organizational policies and behavior over a period of time. With CMMC, they want to look at the maturity of the processes. It’s not just about the product, software, and tools–it’s also about the process, procedures, and organizational learning around each control.

For example, with a point in time assessment, what often happens is an organization quickly implements the control or writes the policy, but that does not mean that that policy is fully implemented. Whereas with a CMMC audit, if a company has an acceptable use policy, the audit will review that policy, including the date it was created, timeline of changes to it, and other proof that it has been in place and is truly part of the way the company operates.


3. CMMC is piloted.

Most laws or regulations are introduced quickly with organizations receiving little to no guidance, other than the necessity of being compliant by a certain date. The DoD and AB are rolling CMMC out in a controlled manner to address any issues upfront. This approach also provides companies the time they need to determine what the mandate requires, as well as the opportunity to implement any new processes or procedures before certification is mandatory. CMMC will not be fully implemented until late 2025. Each year the AB will require a few more contractors and subcontractors to be certified.


4. CMMC is pass/fail.

If your company fails to comply with the requirements of certifications, you will be forfeiting your ability to secure valuable contracts from the DoD. As mentioned above, other regulations are self-reported attestations. If a company does not initially pass CMMC certification and therefore isn’t recommended to be certified by the AB, they reportedly have a 90-day period to remediate, address minor issues, and resubmit.  Any major deficiencies will require undergoing another assessment.

Your time commitment and the difficulty of passing CMMC depends on the size of your organization and maturity level you are hoping to attain as dictated by the type of contracts you wish to bid on and the types of information your company receives.


5. Interim scoring system promotes early adherence.

The Supplier Performance Risk System (SPRS) interim scoring allows your organization as well as the DoD to see how you are doing. The score can range from negative 203 to a perfect score of 110 if your company has implemented all 110 controls of NIST special publication 800-171 properly.

Under the current DFARS rule, all companies doing business with the DoD must log their SPRS score. The assessment that happens as you determine your SPRS score is extremely helpful as you build your remediation plans to address your compliance deficiencies. As you improve your cybersecurity by implementing better practices, you may update your SPRS score, notifying the DoD of your commitment to meeting their requirements.

SPRS is a helpful centralized tool to help you get ready for CMMC. It is a stepping stone to monitor your progress and to help you get to where you’ll need to be by the 2025 deadline.


Next Steps

If you have any questions about CMMC and how to make your path to compliance easier, get in touch with the experts at CyberSheath. We can help you assess where your organization is now, build a plan to enable you to reach compliance, and help you implement the processes and technology required. Contact us today to get started.


RESTON, VA — June 15, 2021 — Leading Managed CMMC Compliance provider CyberSheath has hired Tiffany Egenes as Customer Success Director. In that role, Egenes will act as a customer champion, owning all customer success activities from onboarding to adoption to retention. Her goal, through advocacy and by collaborating across multiple business functions, is to build a customer-centric culture and long-term, high-value relationships with every customer.


“As a fast growing compliance focused MSP/MSSP, CyberSheath recognizes the opportunity to better serve the Defense Industrial Base by building out a customer success organization under a world class leader,” says Eric Noonan, CEO. “CyberSheath puts our customers at the center of everything we do, and Tiffany’s hiring represents a significant milestone on our journey to serving the 350,000 Defense contractors mandated to comply with CMMC.”


Egenes brings more than 20 years of experience as a leader in customer success, professional services, implementation, and project management for organizations ranging from Fortune 15 companies to high-growth startups. As Director, Customer Success and Implementation at Kareo, an integrated medical SaaS platform, Egenes revamped processes and rallied the team around tangible customer success and outcomes, ultimately improving customer satisfaction scores by 70%.


Prior to Kareo, Egenes managed a technical service delivery organization at McKesson that included five lines of business totaling more than $60 million in annual revenues. She also led Sungard Availability Services’ Western Region and Latin America managed services and business continuity recovery operations. There she was in charge of seven managed services data centers and business recovery work centers serving organizations in high tech, government, and other industries.


“CMMC Compliance spans IT, cybersecurity, and governance, and CyberSheath offers all three pieces of that compliance puzzle,” says Egenes. “As a result, we have to integrate with and work in lock step with our customers. As Customer Success Director, I’ll ensure our culture, our relationships, our technology, and our employees are all working in sync and all the pieces are in place to keep customers compliant and secure. Our success is literally our customers’ success.”


Customer success with CMMC starts with better understanding of both the why and how behind the new framework. Join more than 1,000 defense industrial base leaders at CMMC Con 2021 on September 29, 2021, to learn how to navigate the rapidly shifting future of cybersecurity compliance. Registration is now open.


About CyberSheath Services International, LLC


Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at



CyberSheath Services International, LLC

Kristen Morales at

RESTON, Va. — May 18, 2021 — Leading Managed CMMC Compliance provider, CyberSheath, has been chosen to be a part of a select few official resellers for Microsoft GCC High and Office 365 GCC licensing. This adds another opportunity for CyberSheath to help the Defense Industrial Base (DIB) meet the federal government’s compliance and security requirements.

“The ability to sell Microsoft GCC High licensing makes CyberSheath a one-stop CMMC shop,” said Eric Noonan, CEO of CyberSheath. “Unlike other Microsoft partners who only resell the licensing, we also offer all the services — security, IT, and governance — that the DIB needs to manage CMMC compliance.”

In addition to its product and service offerings, CyberSheath has taken the lead on educating government contractors about strategies for CMMC compliance at its annual CMMC Con. The one-day event, returning on September 29, 2021, will reveal the evolving threat landscape, the impact of cybersecurity compliance law, and how to solve these challenges. Learn more and register for CMMC Con 2021.

About CyberSheath Services International, LLC

Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at



CyberSheath Services International, LLC

Kristen Morales at

There are many ways to achieve CMMC compliance, from fully insourced IT, cybersecurity and governance to fully outsourced managed services, each carrying various costs and risks. While the cost of compliance is a valid concern, there’s one constant across all your options: If you don’t meet CMMC standards, you won’t be eligible for DoD contracts. Period.

You might think managing CMMC compliance on your own will save you money, but the process is complex and expensive. Purchasing multiple software solutions and hiring an internal security team and IT team to monitor and manage those solutions, not to mention documenting and providing proof of compliance, all require resources that many small and medium sized businesses don’t have. And any mistakes can lead to a breach or non-compliance with CMMC and have much more significant costs and consequences.

CMMC managed services, on the other hand, offer assured compliance with less effort and less investment. Partial compliance doesn’t count and many managed services push small businesses to over spend and under comply.

The only real comprehensive solution is CyberSheath’s no-nonsense fixed pricing for CMMC managed services. We deliver more value and pricing models that are easy to understand and implement, with no hidden costs. We want to make it as simple as possible for you to achieve CMMC compliance and win DoD contracts. We can deliver the complete solution or just the pieces that you are missing.

And we have pricing that meets you exactly where you are right now.


A Basic, Advanced and Future-Proof Approach to Compliance

No matter where you are in your journey, whether you want to do it yourself or fully invest in managed services, there’s a model for you.

CyberSheath’s basic, advanced and future-proof pricing model offers the tailored level of service you need and a pathway to transition to fully managed compliance if you choose. Here’s what each level of service entails:

Basic: If you are not yet ready to jump fully into CMMC and want to start with an assessment and Supplier Performance Risk System (SPRS) scoring, this is the level for you. It includes everything necessary for SPRS submission including your System Security Plan (SSP) and Plan of Action & Milestones (POAMs).

Enhanced: At this level, you’re looking to outsource the problem of CMMC Maturity Level 1 compliance and achieve a positive score for SPRS submissions. While you retain overall IT management, CyberSheath handles compliance management and governance, management of technical security tools and operations, or both.

You get compliance oversight and reporting through our cloud-based dashboard, and quickly gain the ability to bid on CMMC ML1 contracts.

Future-Proof: If you want full compliance across the board, this is the level for you. With this option, you achieve all 110 controls and requirements for SPRS submission — and CMMC ML3 compliance delivering all of the required people, processes and technology in a unique shared responsibility model.

CyberSheath maintains the rigorous program, technology, engineering, and implementation required for CMMC ML3 standards. We manage your governance, security, and IT operations.


The Value of CMMC Managed Services

With a path to a fully managed CMMC program, you can lay the foundations for your compliance against any shocks to CMMC policy or implementation approaches. We’ll be responsible for ongoing program maintenance encompassing any shifts, allowing you to continue to leverage your current infrastructure and offer the option to grow into a FEDRAMP HIGH or GCC HIGH cloud infrastructure in a hosted, compliant process.

With simple fixed pricing, free options for self-attestation, and a flexible pricing model, CyberSheath meets you wherever you are and ensures you’re CMMC compliant and eligible for DoD contracts.

Contact us to meet with a CyberSheath expert today to learn how we can help bring order to the chaos of achieving CMMC compliance.

The enclave approach to CMMC compliance is one of the most cost effective and least disruptive ways to safeguard CUI. You can maintain high-value custodial security of CUI without upending your existing processes, procedures, and people. That way, you can maintain the proper level of CMMC compliance and remain eligible to win DoD contracts.

Remember that CMMC compliance is all or nothing — you’re either compliant or not. And if you’re not, you won’t be eligible to win any business from the DoD. So how you protect CUI is critical.

Depending on how you handle CUI and the CMMC level you must abide by, your enclave is going to need different functionality. Which is why you need a CMMC enclave with multiple use case commitment levels and a way to manage multiple levels of CMMC.

This kind of versatility can be found in CyberSheath’s CMMCEnclave, part of its CMMC Managed Services.

How CMMCEnclave Expands Your Versatility

Based on Microsoft Azure, CMMCEnclave limits organizational CUI data sprawl and drives role-based allowances to CUI. It delivers CMMC ML3 of 130 controls. It also establishes a technical program on how to deal with other CUI-custodial suppliers to your organization.

And it’s the first CMMC enclave with optional management of multiple levels of CMMC. Those options include:

ML1:  Within weeks, become compliant with CMMC ML1 over your entire infrastructure, using Azure SIEM Sentinel continuous security monitoring and aggregation, managed endpoint detection and response (EDR) and malware protection, and detection and incident response of managed devices.

ML2: At this level, CyberSheath provides an overall virtual security officer and an ongoing compliance program oversight and routine reporting. It includes Tenable vulnerability and secure configuration management, Windows Active Directory identity protection, and multi-factor authentication.

ML3: Quickly gain an ability to bid on CMMC ML3 contracts with our Cloud-Based Hosted Compliance offerings, which include virtual security officer compliance oversight and reporting. Maintain compliance with Azure Information Protection against data leakage, Microsoft Mobility and Device Security Management, secure VPN services, Azure CMMC workbooks, Azure CMMC and NIST blueprints, and Azure Security Center for secure workloads, role-based access control, and configuration and posture management.

ML4 and ML5: We maintain the rigorous program, technology, engineering, and implementation required for the most robust security standards. Get in touch to talk through our offerings at CMMC levels 4 and 5.

A CMMC Enclave that Meets You Where You Are

CyberSheath’s CMMCEnclave includes four different use-case commitment levels based on contractors’ functionality and business needs, including:

External CUI communication: In this case, a secure SharePoint enclave is sufficient. This option can be hosted in GCC high or commercial cloud, depending on whether data is subject to exit controls.

CyberCloud — Shared Service: For users who only access Office applications, SharePoint Online, and OneDrive, this option uses Active Directory Partitions and Windows Virtual Desktop to share desktops in line with CMMC data security standards.

CyberCloud — Hybrid Cloud: Designed for organizations that need an affordable cloud platform and use custom applications or file servers, this option segregates customers on private network segments with network security boundaries on top of Active Directory partitioning. It keeps desktops private and only accessible by a single company, with options for private application servers on a customer network segment.

CyberCloud — Private Cloud: Keep all components, including Active Directory, completely private, with all servers and desktops residing in your Microsoft Azure tenant. You can host any applications or files in your environment and can optionally connect the enclave to your corporate infrastructure.

A New Level of Versatility in CMMC Compliance

CyberSheath’s CMMCEnclave reduces complexity, future-proofs compliance, and lowers costs, both immediate and ongoing.

Learn more about CMMCEnclave and how CyberSheath’s CMMC Managed Services can help you quickly reach compliance with these complex new requirements.  Contact us to meet with a CyberSheath expert today to learn how we can help bring order to the chaos of achieving CMMC compliance.

CMMC is not a compliance framework. It’s a maturity model. That has big implications for how you approach compliance, but also how you keep track of all the elements that make up compliance.

And yet, visibility has been one of the most difficult challenges facing DIB contractors. It used to be that you would have to buy a service from a separate vendor to have any visibility at all into your compliance status, inventory of DFARS compliance artifacts and evidence, and your documented System Security Plan (SSP).

Even with those services, the best many contractors could do was to get a static report around a specific snapshot in time. The value of a report quickly fades in the face of an ever-changing threat landscape, not to mention a dynamic compliance environment. As POAMs evolve and you meet milestones, that report from the past can no longer tell you where you stand.

The dashboards that have existed to date all come with some assembly required. They would act more like containers with placeholders for asset management and other controls, leaving customers to cobble together a dashboard themselves.

It’s time for a real dashboard. This is why CyberSheath has added the first-ever CMMC Compliance-as-a-Service dashboard to its CMMC Managed Services.

A True CMMC Compliance Dashboard for Unparalleled Visibility

Available to customers regardless of previous or future technology selections, CyberSheath’s CMMC dashboard gives comprehensive visibility into every aspect of compliance and is continually updated so you can see at a glance, at any time, where you stand.

The dashboard offers up-to-the-minute visibility into your:

  • Current compliance status
  • Inventory of DFARS compliance artifacts and evidence
  • Security threat landscape and incident levels
  • Current version and documentation of your SSP
  • Supply chain assessment
  • Performance of your CMMC enclaves or regimes

It not only confirms your compliance status, but evolves and expands with your business as you need to meet new maturity levels. It also holds us accountable against the SLA we’re on contract for by showing you exactly where you stand with respect to CMMC requirements so there’s never a question of whether you’re eligible for DoD contracts. The dashboard gives you everything you need to know about your CMMC compliance status.

CyberSheath CMMC Compliance Dashboard

CyberSheath built the CMMC Compliance Dashboard leveraging the technology of the world’s leading companies including:

  • Microsoft Azure NIST & CMMC Blueprints
  • Microsoft Azure CMMC Workbooks
  • Microsoft Sentinel SOAR & Correlation engines

It also benefits from unique integrations such as compliance landscape updates.

It’s not enough to simply achieve compliance. As a maturity model, CMMC requires a new level of visibility. Learn more about CyberSheath’s CMMC Managed Services and how our dashboard helps contractors stay up to date on their CMMC compliance status, the current threat landscape, and their CMMCEnclave performance.

Need Help?

As your organization moves to become compliant with any level of CMMC, challenges can arise. CMMC compliance requires documented, integrated and evidence-based Cybersecurity, IT, and Governance – all of which is addressed in our recently enhanced CMMC Managed ServicesContact us to meet with a CyberSheath expert today to learn how we can help bring order to the chaos of achieving CMMC compliance.

For any of a variety of reasons including lack of communication, slow response times, or prolonged downtime, your organization has decided to change your managed service provider (MSP). Whether you have already signed an agreement with a new MSP or you are actively looking for a replacement, now is the time to take important steps to ensure that the transition to your new provider is a smooth one.

Tips on Getting Offboarding Started

  • Maintain communication – In terms of your outgoing MSP, one adage rings true–don’t burn bridges. The company you are letting go is a key to your success moving forward. Severing all ties prematurely could leave your company stranded, unsupportable, and looking at a larger bill to recover data, admin credentials, and backups, as well as negatively impact your overall business.
  • Transfer knowledge – While CyberSheath or another onboarding MSP has no authority to require the outbound MSP supply the needed information to manage the infrastructure effectively, performing knowledge transfer with your outgoing MSP can assist with all entities involved working as a team.
  • Include key details in release letter – Note that it is essential to have these expectations listed in your release letter. It is also a great idea to have the leaving MSP sign off and agree to participate in this process. Without these items, your new MSP will have the daunting task of figuring out your infrastructure and credentials.
  • Don’t delete a Global Admin account – Have you ever not had the global admin account for your domain controller or active directory? You will not do much without it. Deleting one of these accounts could have down-stream effects on your infrastructure and access that could require significant recovery efforts, which means considerable expense.
  • Ensure outgoing MSP participation in process – It is also a great idea to have the leaving MSP signoff and agree to participate in the offboarding process. Without this input, your incoming MSP will have a daunting task of figuring out your infrastructure and credentials, which not an easy task without certain information.

Key Information to Document

Remember that the outgoing service provider was a partner in your network and infrastructure, and therefore possesses information that is vital in supporting the success of your new service provider.

Below is an initial list of important information to record as you prepare to offboard your exiting MSP. Keep in mind that your company may have unique situations requiring additional information be turned over.

  1. All admin credentials for all in-scope devices used in the course of business. These include but not limited to servers, routers, firewalls, storage devices, and applications used by your company. It is a good idea to maintain a list of these even if you are not transitioning to a new MSP. MSPs often create accounts for themselves within your infrastructure. These are now keys to your environment, so it is a good practice to keep a list of who has access.
  2. All intellectual property (IP) needed to maintain current business practices and processes. MSPs often acquire a lot of knowledge about your company in their day-to-day operations of supporting your company. While it may be impractical to truly download everything your outgoing MSP knows about your company, it is a good idea to have a non-disclosure agreement (NDA) in place to ensure that information stays confidential.
  3. Complete list of all assets currently managed. This will help your new MSP understand your environment.
  4. Network topology diagram to include current IP mappings and ports used for day-to-day operations. CyberSheath recommends that you review this diagram on a quarterly basis or as you change components within your infrastructure. For example, if you moved on-premise servers to the cloud, be sure to ask for an updated diagram.
  5. Knowledge base information specific to or used in the support of your company’s infrastructure. The importance of this cannot be overstated. All companies have IT skeletons in their closets. Moving to a new MSP and not helping them with understanding the unexpected, sets the stage for failure.
  6. Backup schedules and access to the location where backup data is stored. Also be sure to have access to credentials to retrieve those backups and applications used to perform these tasks, as well as the most recent full backup.
  7. Licenses schedule and account information associated with those licenses so that the licenses can be transferred to your onboarding MSP. Companies should always document and maintain this information. You cannot renew or transfer software licenses without a company’s account number and approval. It is also recommended to have a quarterly review of your licensing footprint as unused licenses incur unnoticed expenses.
  8. Technical Point of Contact (TPOC) that can be available for the dates of the transition (usually 30 to 60 days). It is important that the person in this role understands technical issues to ensure the onboarding company has access to the client’s IT dependencies.

If you are still searching for your new MSP, CyberSheath offers a unique managed service combining security and IT services, which bring our customers a complete, protected service solution. Our MSP offering is secure, contains no ransomware, and allows our customers to keep their data.

We keep our customers up and running. Learn more about our managed services to help you with CMMC compliance, DFARS/NIST 800-171 compliance, or managed IT for defense contractors.

As your organization works to determine the meaning and application of the various levels of the newly enacted Cybersecurity Maturity Model Certification (CMMC), questions arise. One particular issue surrounds the issue of SIEM as it pertains to the first level of CMMC. The short answer to whether it is required or not is: it’s complicated.

A Closer Look at Level 1 SIEM Requirements

The key word in the assessment guide and in the CMMC practice for Systems and Communication Protection (SC) found at SC.1.175 is ‘Monitor.’ This practice requirement is heavily focused on perimeter and boundary defense, meaning that your cyber boundaries must be controlled, protected, and monitored.

What it means to your company – Chances are, you already have a firewall. Consequently, the most common compliance issue the CyberSheath team sees with this particular requirement is a lack of proactive monitoring. In CMMC level 1, you only need to address the one SC requirement–boundary protection and control services, such as firewall, intrusion detection system (IDS), intrusion prevention system (IPS), and web proxy if it exists.

How CyberSheath can help – At CyberSheath, we monitor your IT infrastructure with Azure Sentinel. Level 1 monitoring is cost-effective as there is less activity required, with less log integration, less log consumption, and less Azure Sentinel cost.

For Level 1, the monitoring cost is mostly based on storage, and excludes licensing, deployment, and management of Microsoft Defender or the Log Analytics Agent, since only the boundary and perimeter devices need to be monitored. Also, typically Level 1 does include government community cloud (GCC) requirements, as there is no controlled unclassified information (CUI) to contend with, only federal contact information (FCI). The result is commercial Microsoft services are appropriate for the SIEM requirements of Level 1.

Requirements Shift as You Advance to Level 3

As your organization moves to higher levels of CMMC, more controls need to be enacted around monitoring users including detecting unauthorized use of accounts, responding to support incidents, tracking log correlation requirements, and more.

At Level 3, your organization needs the right log sources to support the investigative process, such as endpoint protection, perimeter monitoring, authentication logs, and other security tools. As you can see, the resources needed to achieve Level 3 are more advanced, and also carry higher Azure Sentinel data costs.

Another Consideration for SIEM Requirements

The System and Information Integrity control family requires the ability to detect malware, and update signatures, at appropriate locations. The assessment guide specifies items like the ability to detect malware on the network (IDS/IPS) and on endpoints (Anti-Virus/endpoint detection and response (EDR)).

If your company wants to use basic, built-in Windows Defender, this can meet a Level 1 requirement. However, if your organization wants to license Microsoft Endpoint Defender to solve for this, you have the opportunity to easily integrate with Sentinel for monitoring on Commercial licensing at a fairly low cost. While not a necessity for CMMC level 1, this solution is good to have and also better prepares you should you seek CMMC Level 3 in the future.

Need Help?

As your organization moves to become compliant with any level of CMMC, challenges can arise.  Join Eric Noonan and Carl Herberger, VP of Security Services, on Wednesday, April 21st, 2021 at 9:00am (PST) | 12:00pm (EST), for “CMMC – How It Started. How It’s Going,” when they will talk through five common pain points experienced by organizations tackling DoD regulations.

No matter where you are on your path to compliance – calculating your assessment scores, navigating SPRS, implementing the controls, or writing you SSP – this webinar will accelerate your journey. Register Now.


Webinar CMMC - How It Started. How It's Going.

Many defense contractors outsource their IT to a Managed Service Provider (MSP), who generally deliver the IT required and allows a business to focus on their core competency. IT managed services through MSP’s have been around for a long time now and rarely include service or commitments to meet compliance requirements like the Cybersecurity Maturity Model Certification (CMMC). It has only been in the last several years that MSPs have moved into the cybersecurity space to expand on their IT service offerings. At best, the MSP market for defense contractors offers IT and cybersecurity in one provider but completely ignores CMMC compliance requirements. This is a big problem, and Department of Defense (DoD) contractors, as their future revenue opportunities are dependent upon achieving compliance.

Most MSP’s are brand new to CMMC but unfortunately for their customers’ asset management, patching, and media sanitization stand in the way of CMMC compliance and DoD revenue opportunities. Defense contractors who have an MSP, or are looking at an MSP, are putting their revenue opportunities in the hands of a third party. It is time to rethink your MSP relationship and possibly start searching for alternatives.

The Role of IT in achieving CMMC

Much of the thinking to date around MSP’s and CMMC gets into nuanced legal issues around the MSP’s access to Controlled Unclassified Information (CUI). Still, the real problem is much more fundamental and easy to understand. Your MSP is responsible for many of the requirements tied to your eventual CMMC objective. If your MSP is not delivering their services in a way that produces evidence of compliance with CMMC you won’t achieve certification; it is truly that simple. Many of the requirements of CMMC fall into the information technology category when it comes to delivering them on a day-to-day basis. All of the attention so far has been focused on the cybersecurity requirements of CMMC. Still, as anybody in an operational role knows, much of CMMC falls to the IT delivery organization. If your IT delivery organization is an MSP, are you comfortable trusting them with your future revenue opportunities? Will they learn about the CMMC on your dime? Do they even mention CMMC services on their current website?    

You need an MSP that can marry the delivery of IT, cybersecurity, and governance in one comprehensive, measurable package to ensure compliance. CMMC stands in the way of all future revenue opportunities with the DoD; it is too important to be an add-on to your existing MSP services. 

A potentially worse scenario is having one vendor do your IT services delivery as an MSP, and another vendor responsible for cybersecurity as your MSSP, with you, stuck in the middle playing referee. There is no way around it; achieving CMMC is difficult, costs money, and requires the coordination of IT, cybersecurity, and governance activities. Most small to medium businesses don’t have the resources to coordinate or even know how to evaluate vendor claims around CMMC. Asking an MSP to unpack the nuances and complexities of NIST 800-171, SPRS submission, and CMMC is generally a bridge too far for any MSP that wasn’t created exclusively to service the defense industrial base and their unique regulatory requirements.

So, what should small and mid-sized defense contractors do?

At our upcoming webinar, we will talk about bringing order to the chaos of achieving NIST 800-171 and CMMC compliance. We discuss strategies through the lens of working with an MSP because few are equipped to meet all NIST 800-171 and CMMC requirements on their own. We will detail solutions to key pain points felt by defense contractors contractually obligated to meet DoD requirements giving you insights into implementing these solutions with internal resources or through your MSP.

No matter where you are on your path to compliance – calculating your assessment scores, navigating SPRS, implementing the controls, or shopping for an MSP – this webinar will accelerate your journey. Register Now.


Webinar CMMC - How It Started. How It's Going.

The Department of Defense (DoD) has provided Florida’s business community with a $22 billion opportunity, but there’s a catch. Before Florida’s prime and sub-contractor defense companies can win those contracts; they must meet cybersecurity regulations. These standards have become minimums that must be complete before contract award and include the Defense Acquisition Regulation Systems (DFARS) regulations and DoD’s new Cybersecurity Maturity Model Certification (CMMC). With more than $22 billion a year spent on contracted defense procurement across Florida and more than $95 billion in total annual economic impact from the state’s military defense presence, meeting these requirements is critical to the warfighter and the state economy. CMMC is the DoD’s effort to ensure all defense contractors are practicing and maintaining the proper security level to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Moving forward compliance with meeting these requirements stands in front of any revenue opportunities with the DoD.

Eric Noonan, CyberSheath’s CEO, will be speaking at Florida Space Coast Cybersecurity Forum 2021, with a focus on the “how” behind achieving compliance. Register for the event here and tune in on March 23, 2021 at 9:00 am EST, to learn more.

As founder and CEO of CyberSheath, a Sponsor of Florida Space Coast Cybersecurity Forum 2021, Eric is well versed in the goals and efforts behind the CMMC. CyberSheath has been delivering audit-ready, compliance-focused managed services for NIST 800-171 requirements for 8+ years, and the CMMC is the next evolution of those standards. CyberSheath has been a part of the DoD public/private partnership since the beginning and is a CMMC Registered Provider Organization (CMMC-RPO), focused on enabling defense contractors to achieve compliance.

CMMC is one of the most comprehensive and impactful moves by the DoD to better secure sensitive data on defense contractors’ systems and networks. As a new set of requirements, many defense contractors are still working to understand the complexities and nuances of the standards, what they are responsible for, and how to implement those changes.

CyberSheath launched our compliance managed services for CMMC to assist DoD contractors through the process. Through our managed services, we are able to meet contractors where they are, identify gaps in CMMC compliance, implement the changes, and maintain and assure their compliance at the proper level.

We wanted to Sponsor Florida Space Coast Cybersecurity Forum 2021 because it’s advancing important conversations around the state of security and where we can go from here.

While the U.S. faces cyber threats from around the world, we have plenty of lessons to learn from and a new bar for effective cybersecurity.  We don’t know what attacks might be coming, but we do know how to prepare. We hope this year’s conference will spur all in attendance to advance the cybersecurity goals that will defend American innovation and infrastructure.

CyberSheath is excited to announce the availability of a new service offering specifically designed for Defense Contractors required to ensure compliance from their managed IT providers. This new Managed IT Services for Defense Contractors future-proofs your environment to changes in regulatory scope, interpretation and / or increased scrutiny of your compliance to DoD contracting in the long-term. It is clear that the US Government is becoming less patient with lapses in the Defense Industrial Base (DIB) regulatory compliance of IT management and, paradoxically, cyberthreats are increasing at the same time. Legacy IT delivery models are failing every day as the lines between IT and security have permanently blurred as to who is accountable for specific requirements.

With big picture strategic challenges like avoiding nation-state cyber-attacks and industrial espionage sorting out roles and responsibilities between IT and security is the last thing defense contractors need to worry about. 

CyberSheath has long recognized that a large part of IT delivery, things like patching and asset management, are foundational to NIST 800-171 and CMMC compliance, which is why we are offering a force-multiplying solution for Managed IT services. This offering is only available to defense contractors and uniquely built to make CMMC and NIST 800-171 compliance a natural outcome of day-to-day operations.

What is the DIB Managed Service Provider Compliance Problem?

Defense contractors have a special responsibility to the DoD in ensuring supply chain integrity and trustworthiness and as a result must adhere to cybersecurity requirements outlined across variety of Federal Regulations including:

FAR: 52.204.21 (calls for 15 cybersecurity controls inclusive of specific verbatim pass through / down verbiage to subcontractors and service providers handling Federal Contracting Information (FCI)-Type data)

DFARS: 252.204-7012 (calls for 110 cybersecurity controls inclusive of specific verbatim l pass through / down verbiage to subcontractors and service providers handling Controlled Unclassified Information (CUI)-type data)

DFARS: 252.204-7019-21 directs the DIB to the newly created CMMC Advisory Board for guidance on third-party-providers (TPPs). For refence, the latest guidance from the CMMC AB is as follows:

OSC’s who use cloud services must meet requirements that differ from C3PAO’s.

 1) Companies under the current DFARS 7012 using cloud services or products that receive, transmit, store, and secure CUI on or behalf of the contractor must meet requirements as described in the DoD Procurement Toolbox, Cybersecurity FAQ (Below in part in comments). Remember-The DoD prime/subcontractor is responsible to ensure that the CSP meets the requirements at 252.204-7012 (b)(2)(ii)(D). 

2) Organizations Seeking Certification (OSC) for CMMC L3 using external service providers/cloud services involving CUI must apply the DOD FAQ and consider the impact/evidence required for inherited practice or process objectives as discussed in the v1.10 CMMC L3 Assessment Guide, “A practice or process objective that is inherited is met because adequate evidence is provided that the enterprise or another entity, such as an External Service Provider (ESP), performs the practice or process objective.” See for official policy/guidance. 

Introducing CyberSheath’s New Managed IT for Defense Contractor Service!

CyberSheath’s Managed IT Services for Defense Contractors delivers world-class IT service delivery, integrated with cybersecurity and enabling the documented evidence required to successfully pass a compliance audit or prove certifiable to the next government RFP / RFI. Andy Shooman, CyberSheath’s COO opines, “We’ve been future proofing our customers from policy and technology changes related to CMMC since our managed services debuted in 2015 and our managed IT services eliminates the finger pointing between IT and security giving our customers one vendor to hold accountable. The fact is 60% or more of cyber security requirements touch IT in some way and that has to be accounted for Part of an overall compliance posture.”

Our Managed IT Services for Defense Contractors solution transforms the disconnected IT and security functions into a compliant, integrated, and auditable. 

Base Service Offering: Manage the following in a compliant cost-effective manner for a US Defense Contractor:

    • Endpoint Management/Support Remote Access via VPN
    • Email
    • Identity & Access Management
    • Firewall & Network Management
    • Operating System and Network Device Patch Management
    • Infrastructure Configuration Management

Provide 24/7/365 Support for the following:

    • Support Ticket Management
    • Help Desk / Problem Resolution
    • End User Support Requests
    • Change Management
    • Asset/Configuration Management
    • System Availability / Outages

 Our Premium Service, in addition to the services above, is to manage the following in a compliant manner for a US Defense Contractor:

    • VOIP Telephony
    • Data Storage
    • System Backups
    • O/M365 Office Suite (beyond Mail)

Benefits of the Managed IT Service for Defense Contractors include the following:

It is easy to deploy and maintain (fully outsourced) and You are COMPLIANT!  

  • With CyberSheath’s Assured Compliance Commitment. We commit to having our infrastructure and managed IT services continuously assessed and certified as compliant with DFARS.
  • It is comprehensive technology, security, and governance to DFARS:
    • The Managed IT for Defense Contractors is a solution that is designed from the ground up to comply with DFARS cybersecurity requirements holistically.   
  • End-to-end deployment. 
    • You can combine this service with a world class MSSP / SECURITY!! Leveraging CyberSheath’s 24x7x365 Security Operations Center means someone is always watching the client’s network – freeing up resources so they can get on with other important business. Its Effective Risk Management Traditional information security / antivirus solutions will not stop polymorphic and zero-day threats. We also understand that providing defenses against nation-state’s unique offensive capabilities requires strong security programs. CyberSheath deploys best of breed, compliance technology baselines, SIEM, Phishing Defense, cloud workload protections, threat and endpoint detection and response (EDR), continuous monitoring and cyber threat intelligence (CTI) solutions coupled with our experts in threat analysis and intelligence (i.e., you) that deliver actionable information to mitigate risks to a client’s organization.
    • We adjust to the changing threats automatically! Through robust managed Compliance we can adjust to a very robust compliance landscape and allow for your program to rest-assured that the proper descriptions, documentations, and adjustments are made as to quickly identify potential threats. We combine the best of human and known toolsets to keep a client’s organization up to date with compliance.
  • There are easy procurement options.  
    • Customize Solutions – Although we have preconceived compliance levels, we know every customer is different. So, in the end, our solutions are Tailored to Every Client’s Needs! We know deeply that different organizations require different levels of security. CyberSheath has packaged offerings, allowing you to easily ramp up your security for greater protection, without having to deal with multiple vendors or security resellers.  
    • Flexibility – We have been on the ground floor of NIST/DFARS/CMMC for 12 years shaping, interpreting, and implementing DoD policy and requirements in a way that meets our customers where they are and keeps them in the game. There is no one size fits all and ridged implementation and interpretation will cripple your business with excessive cost and best guess interpretations as to what the DoD is looking for.

 Why CyberSheath as a Managed IT Services Organization?

CyberSheath has over 8 years of providing information security services for our clients. 

Moreover, CyberShealth’s personnel all have military or defense contracting (or both) as their heritage. Threats are global, ever changing, and require a specialized skillset to truly protect organizations. Our managed services staff include experts with previous impressive roles at global defense contracting, managed security services organizations, security software and hardware manufacturers, Military Cyber Operations experience and have multiple security and technical certifications including CISSP.

  • Hundreds of successful NIST 800-171 / DFARS 252.204-7012 engagements over the last 8 years
  • CyberSheath was founded to deliver this solution and “born” out of a Fortune 500 defense contractors experience influencing and implementing evolving DoD cybersecurity policy and requirements.
  • “Skin in the game” – We have been through DoD audits, many, with DoD components validating our approach and the work we do. We will be onsite with your team throughout assessment, remediation, managed services, and your eventual audit.

If you are looking for DFARS compliant Managed IT Services we look forward to providing you a single point of accountability for not only providing the requisite controls, but also for implementing across your IT infrastructure, true one stop shopping.

RESTON, Va.—February 2, 2020—CyberSheath Services International today launched its Managed IT Services for Defense Contractors to ensure compliance with the new cybersecurity standards for commercial contractors of the United States government. The managed services include a Shared Security Compliance Framework to ensure compliance for both DFARS Clause 252.204-7012 / NIST SP 800-171 and the new DFARS 252.204-7019-7021 CMMC requirements.

When combined with CyberSheath’s existing Managed Compliance and Security Services, the new Managed IT Services cover the full spectrum of managed services needs for most U.S. Defense Industrial Base (DIB) contractors. CyberSheath has long recognized that a large part of IT delivery, tasks such as patching and asset management, are foundational to NIST 800-171 and CMMC compliance, and customers need a force multiplying solution for Managed IT services. This offering is only available to defense contractors and uniquely built to make CMMC and NIST 800-171 compliance a natural outcome of day-to-day operations.

This new consolidated solution is anchored on Microsoft technology or Microsoft Solution Partner technology, but flexible enough to “meet you where you are.” It has the distinct ability to add compliance or security-as-a-service either upon initial onboarding, or at any time during the subscription period. As a “Hosted Compliance,” it combines elements of MSSP and Managed IT and uses a Microsoft-focused technology stack, including Azure Government Blueprints, Microsoft 365 Government (GCC High), and the full strength of the vast Department of Defense (DoD)-approved Microsoft security portfolio. CyberSheath’s CMMC Managed Services future-proof clients against CMMC policy changes and new implementation requirements.

“Any defense contractor that fails to comply with the CMMC will not be doing business with the DoD moving forward as the DoD now prevents non-compliant contractors from participating in DoD contract awards,” said Andy Shooman, COO at CyberSheath Services International. “Our IT managed services are built for the many defense contractors, both Primes and Subs, that still don’t fully understand the DFARS requirements and believe that their weakest link to compliance may be their existing IT services. Simply put, the new DFARS rules raise the stakes and companies that don’t quickly become compliant will be left out of DoD contracts. Our IT managed services ensure that doesn’t happen.”

The U.S. Department of Defense (DoD) established the CMMC as a new security measure to protect Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and other sensitive data residing on systems and networks owned by defense contractors. The DoD requires all of its contractors and suppliers to comply with the new CMMC standards at a given level and undergo a certification process based on review by an accredited third-party assessment organization prior to contract award.

CyberSheath uses a proven AIM™ (Assess – Implement – Manage) methodology to meet defense contractors where they are and bring them up to standard both for existing regulatory requirements and CMMC. CyberSheath offers five CMMC levels of assured compliance, ranging from premise-based technology companies to cloud-driven FedRAMP High environments. Leveraging AIM™ to identify gaps against CMMC requirements, CyberSheath quickly implements any needed changes and revises architectures to maintain desired levels of CMMC compliance.

CyberSheath takes ownership of CMMC compliance, leveraging a Shared Responsibility Model, a concept uniquely adapted from cloud providers and applied to CMMC Managed Services. This management framework dictates the security obligations of a CMMC compliance environment and its users to ensure accountability and define where and how security measures should be applied, with a special focus on CUI and other sensitive government data. The result is a self-reinforcing model that reduces the burden on government contractors and ensures compliance.

“Frankly, defense contractors have seen a lot of changes in cybersecurity compliance over the past year, but we have been delivering audit-ready, U.S. DoD compliance-focused managed services for more than five years in response to the original NIST 800-171 requirements and know we can assist contractors expeditiously with their needs,” said Mr. Shooman.

About CyberSheath Services International, LLC

Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at


Press Contact:


The Department of Defense (DoD) suppliers were notified at the end of September about the new DFARS Interim Rule designed to collect NIST 800-171 assessment scores from all DoD contractors through submittal to the Supplier Performance Risk System (SPRS). As mentioned in a previous blog post, starting in mid-October, Northrop Grumman, Lockheed Martin, General Dynamics, BAE, and other prime contractors sent letters to suppliers asking them to determine their current DoD assessment score and upload it to the SPRS by November 30th. As of December 1st, the DFARS Interim Rule has become law reinforcing suppliers need to submit their NIST 800-171 assessment score to the government to avoid lost DoD revenue.

The CyberSheath team works with our clients to ensure they meet all DoD cybersecurity requirements, and to that end, have assisted our clients in the submittal of their assessment to the SPRS.  To help suppliers navigate a potentially overwhelming process, we have created a step-by-step guide to showing how to successfully create an account and submit your assessment score to the government.


Step-by-Step Guide to SPRS Assessment Submittal

Step 1: Set up Your Account

First, you will want to visit the PIEE website. Click on REGISTER button on the top right of the screen.

PIEE Account Set Up

Next, accept the Privacy Act Statement and Terms and Conditions.

Select VENDOR from the options.

PIEE Vendor Options

If your company has a Common Access Card or Certificate, you can choose this option from the drop down. However, you can choose User ID\Password if you do not have the other information readily available.

PIEE Captacha

Enter in your security questions.

PIEE Security Questions

Provide your name and contact information.

PIEE User Profile

Enter supervisor (not required) and company contact information.

PIEE Supervisor Contacts

STEP 2: Access the Supplier Performance Risk System (SPRS)

Select SPRS (Supplier Performance Risk System) from the drop-down menu.

PIEE SPRS Drop Down Menu

STEP 3: Select SPRS Cyber Vendor User

PIEE SPRS Cyber Vendor

STEP 4: Add Roles

Next, click ADD ROLES. You will see a line at the bottom with a LOCATION CODE field. This is where you will enter the CAGE code for your company.

PIEE Add Roles

Enter in your CAGE code. If you have multiple CAGE codes, you will need to repeat Step 3 to add those additional lines.

PIEE Add Cage Code

Enter the justification for your account. Attachments would be used for justification and/or identification. However, do not attach your self-assessment here.

Step 5: Complete the Agreement

From here you will need complete the Agreement portion of the application. You should receive approval for your account promptly after completion. If you do not have a CAGE code or if the CAGE code, you have not been registered with an in-use DoD contract you may not be able to successfully create an account. If you run into this issue or your company has never won a contract, you can submit your self-assessment to *NOTE* Remember to submit your self-assessment via encrypted email.

Step 6: Admin Approval of Cage Code

Once you register you will have to have the admin who is linked to the cage code approve your account.

PIEE Log In Credentials

If you are not the Contract Administrator of the cage code and are unsure who that person is, you can look it up by going to the PIEE homepage and selecting FIND MY ACCOUNT ADMINISTRATOR from the NEED HELP WITH YOUR ACCOUNT? menu.

On the next screen you will need to input your cage code under the LOCATION CODE. You do NOT select any options from the APPLICATION or ROLE options. After the cage code has been inputted type in the numbers from the CAPTCHA Image and click SUBMIT.

PIEE Location Code

The next screen will populate who the Administrator of the cage code is and who you will need to contact for account approval. If there has not been an Administrator linked to the cage code you will need to contact PIEE support (1-866-618-5988) to get that provisioned.

You have successfully created your account. Once the account registration is approved by the cage code administrator you are ready to submit your score.

Step 7: Submit Your Assessment Score

Now that you have an account you will need to go to the PIEE website and click LOG IN.

Login Btn

Select the SPRS Icon. Then select NIST SP 800-171 Assessment from the options.


You will need to select the company name at the desired level (BASIC will be the most common unless your company went through an audit consisting of Government personnel). Once selected click ADD NEW ASSESSMENT from the menu.

PIEE Attach Assessment

Enter assessment details and click SAVE.

PIEE Enter Assessment Details

Next Steps

You have successfully submitted your assessment meeting the requirements under the DFARS rule and can now begin working toward your Plans of Actions and Milestones (POAM).

If you have not done an NIST 800-171 assessment and do not know your score, we are here to help. Please do not hesitate to reach out with any questions or talk through a project plan to avoid penalties and remain competitive in the DoD acquisition process.