When considering CMMC, partial compliance means non-compliance. It’s imperative that your organization meet all the requirements as outlined in the mandate if you want to be a federal contractor now or in the future.
At CyberSheath, we recognize that each customer is in a different place in their compliance journey. We work with you to understand your current state in terms of cybersecurity, IT, and regulatory controls; formulate a plan to close the gaps; and work with you to achieve compliance.
What is managed compliance?
We define managed compliance as all of the people, processes, and technologies you need to meet CMMC compliance. On the security side, this encompasses logging and monitoring, vulnerability management, 24/7 incident response, and more. For IT, this covers identity and access management, help desk activities, patching and maintenance, and asset and configuration management. In terms of regulatory concerns, it’s auditing, annual assessments, having a plan of action and milestones, and system security planning.
We offer any one or all three of these components depending on where you are in your journey or if you want to tackle any of these challenges internally. The flexibility of this model gives you the ability to get compliant on a timeline and a budget that you can afford. We deliver this service as a firm fixed price within your budget which offers cost predictability year over year.
Let’s dig deeper on the three components.
Managed IT Services
When people think of managed IT, they’re typically picturing a managed IT help desk. It’s much more than that when it comes to compliance. In our model, IT encompasses help desk resources that perform their work in a compliant fashion, with the organization’s compliance obligations and key components of security in mind.
With our managed IT services, we’re implementing compliance solutions for you. We’re working with the security and compliance teams on our side to identify solutions that need to be put into place to achieve your compliance goals by closing your gaps one at a time. A lot of those gaps are technical controls that are implemented by the IT team.
Our major capabilities relative to managed IT services include:
- Managed IT Helpdesk Support – A single point of contact providing proactive support, enhanced security, and scalable solutions for seamless technology operations.
- Client Device Support – Seamless remote client device support to ensure that users have the highest levels of availability and productivity, including patch management and incident management services.
- Office 365 Tenant Management – Comprehensive cloud services support, from initial setup of the Microsoft Azure tenant and configuration of the cloud-based environment to support your needs, through ongoing operational support to ensure that the IT environment has the highest levels of availability.
- Microsoft Office 365 Licensing – Full lifecycle procurement, provisioning and management of Microsoft licensing focused on cost savings and efficient utilization of software assets.
- Additional Cloud Drive Azure Managed Security Solutions – Implementation of Azure Information Protection (data leakage protection), Microsoft Endpoint Manager, and Multi-factor Authentication.
- Server and Storage Management – Configuration of key Windows components such as Azure Active Directory and group policy configuration settings to ensure that appropriate policy is applied across the tenant.
- Network Management – Comprehensive network management ensuring seamless connectivity, security, and optimal performance.
- Backup and Disaster Recovery (BDR) – People, processes, and technologies required to plan for and recover from incidents that affect IT systems and data.
Managed Security Services
We start by gaining an understanding of what’s happening within the walls of your systems and acquiring those answers as quickly as we can. To do that, we implement our logging and endpoint detection and response tooling to gain insight into your IT environments through the auditable data and the movements within the systems. We also gather relevant information from your stakeholders about any concerns that you may have.
At the same time as we’re building that baseline for your security logs, we’re doing the same thing with your assets in our vulnerability management platform. There is no end state relative to compliance or security—you have to have an ongoing capability to continue to monitor for threats.
Once we get onboarded and everything’s up and running, we deploy 24/7/365 monitoring. If we need to remediate any issues, we notify you and proceed with the action plan.
Capabilities in this sector include:
- Security Log Aggregation and Monitoring – Security management platform providing a unified approach to threat detection and compliance management.
- Incident Response Services – Monitoring program to assess the environment for intrusions or misuse of assets.
- Vulnerability Management – Program to continuously assess your environment for vulnerabilities and patch compliance.
- Endpoint Detection and Response – Endpoint security solution to help secure against ransomware, file-less malware, and other sophisticated attacks on Windows, macOS, Linux, Android, and iOS.
Managed Regulatory Compliance Services
A foundational component for us when it comes to the delivery of compliance services is a NIST 800-171 assessment, which essentially measures your CMMC readiness. During this assessment, we use NIST 800-171A to examine the implementation of your controls.
The second consideration when it comes to CMMC readiness is how mature the implementation of your controls is. There’s a set of documentation-related actions that we take, including developing your POAM and SSP, both of which are required by the DFARS clause for submission of your SPRS score. Maturity is more than that, however, as your controls need to be governed by policy.
Whatever steps it takes to implement those controls should be documented in a procedure. Procedures answer ‘how?’ while policies answer ‘why?’, and both need to be in place for CMMC readiness.
Capabilities in this area include:
- Annual Assessment – An annual CMMC gap assessment to score your compliance and provide SPRS scoring.
- POAM / SSP Documentation – Generation and update of compliance documentation as necessary to align with changes in the environment and closure of gaps.
- Continuous Remediation – Ongoing remediation support to maintain a compliant posture as business conditions, CUI boundaries, or other factors change.
- Annual Incident Response Exercises – Annual incident response tabletop exercises as required by CMMC compliance requirements.
- Audit Support – Dedicated, onsite audit support, at no additional cost.
As your organization pursues CMMC compliance, contact the experts at CyberSheath to learn more about how our managed compliance services can help. Leveraging our managed compliance offering, you can achieve and maintain compliance faster.