CYBER
SECURITY

Enterprise grade Cyber Security
Solutions designed for small
to medium sized organizations.
Contact Us

LEARN MORE
Overview

Whether your organization is a DoD contractor seeking to obtain CMMC certification or another industry standard such as ISO 27001, PCI DSS, HIPAA etc., cybersecurity compliance is a critical component of your business. Even if your organization does not have to adhere to any specific compliance requirements, cybersecurity should still be a top priority for your business.

Cyber threats continue to evolve and become more malicious every day. Organizations that don’t take these threats as seriously as they would with any other external forces will risk the demise of their business.

OSIbeyond offers comprehensive cyber security solutions to help your organization stay ahead of cyber threats. Our compliance services are focused on helping your organization meet compliance standards, while our managed cybersecurity services help maintain compliance on an ongoing basis. The combination of both services offers an end to end cyber security solution for organizations in Washington D.C., Maryland, and Virginia area.

CMMC Registered Provider Organization

OSIbeyond specializes in CMMC compliance and is a Registered Provider Organization (RPO) authorized by the CMMC accreditation body (Cyber-AB) to provide consulting services to DoD contractors seeking CMMC certification. In addition, with multiple Registered Practitioners (RP) available on staff, we have the credentials and expertise to guide your organization in becoming CMMC audit ready and maintaining compliance post certification.

Cybersecurity Compliance Services

Regulatory compliance is often the driver behind a cybersecurity program within an organization. This consists of developing a cybersecurity program that is based on specific controls to protect the integrity, confidentiality, or availability of sensitive data.

Cybersecurity compliance can be complicated, not only requiring technical knowledge but also the resources and ability to properly document the activities in the technology environment of an organization.

OSIbeyond can help simplify the daunting task of cybersecurity compliance. Our compliance experts specialize in leading industry technical standards such as CMMC, NIST 800-171, NIST Cyber Security Framework, and others.

Risk Assessment

The first step towards cybersecurity compliance with any standard is to conduct a thorough Risk Assessment to analyze how sensitive data is used by your organization and where it is stored. OSIbeyond’s Risk Assessments determine an organization’s security posture relative to the standard they must be in compliance with. A Gap Analysis is conducted to identify the gaps in security, then a System Security Plan (SSP) along with a Plan Of Actions And Milestones (POAM) is developed to determine the path toward full compliance.

  • CMMC
  • NIST 800-171
  • NIST CSF

The new Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) requires some companies in the Defense Industry Base (DIB) to be assessed by an independent third party and certified at one of three maturity levels to continue to be awarded DoD contracts or subcontracts. OSIbeyond provides CMMC solutions and assessment preparation services that can help expedite the time it takes for your organization to reach CMMC cybersecurity requirements. Contact us to get started.
Contact Us

While the DoD is implementing the new CMMC standard over the course of several years, they have released what is sometimes known as the “Interim Rule”, based on the National Institute of Standards and Technology (NIST) 800-171 standard. The interim rule applies to new contracts and modifications. It requires all contractors who may possess Controlled Unclassified Information (CUI) to conduct a self-assessment based on the NIST 800-171A assessment guidelines and upload their score to the Supplier Performance Risk System (SPRS). Contact OSIbeyond to help your organization implement the 110 controls required in the 800-171 standard, in addition to the supplemental controls required by DFARS 252.204-7012.
Contact Us

The NIST CSF is widely used in the commercial sector as the benchmark standard for Cybersecurity. The Framework integrates industry standards and best practices to help organizations manage their cybersecurity risks. If your organization is looking to implement a cybersecurity program and does not have specific regulatory requirements, the NIST CSF is the leading standard to follow. Contact OSIbeyond to help your organization implement the Framework.
Contact Us

Documentation Development

Documentation is a central part of compliance and an established cybersecurity program. However, most IT personnel do not possess the expertise or time required to develop proper documentation. In addition, documented policies and procedures should be reviewed and updated annually to reflect an organization’s current technology state. OSIbeyond will help develop the necessary documentation to meet compliance standards and controls required of your company.
Contact Us

Cybersecurity Training

Training is another major component of compliance. Once the technical solutions have been implemented and the policies and procedures have been documented, you must ensure that your employees, both end users and admins are properly trained in order to maintain compliance. This starts with developing a training program consisting of documentation, videos, or in person training. In addition, training will include Security Awareness Training, new employee onboarding training, as well as annual security refresh training for all employees. Contact OSIbeyond to help develop an effective training program to keep your organization in compliance.
Contact Us

Security Consulting

Not all organizations have the benefit of having a Chief Information Security Officer (CISO) on staff. That’s why OSIbeyond offers vCISO services consisting of monthly plans that will provide your organization with part time, high level security consulting to address incidents, provide guidance, and assist with tasks such as 3rd party security questionnaires. Our vCISO services will help ensure that your organization’s security program is properly managed.
Contact Us

Managed Security Services

A Managed Security Services Provider (MSSP) is an independent, outside entity who has the resources and expertise to provide continuous monitoring of an organization’s technology environment. This consists of central log aggregation through a Security Information Event Management (SIEM) platform which is in turn monitored by a team of analysts in a Security Operations Center (SOC). An MSSP will be able to detect most threats and respond to incidents rapidly in order to prevent or mitigate a cyber breach.

Continuous Monitoring

The key to an effective cybersecurity operation is having the ability to see what is happening inside the entire technology ecosystem of your organization. Continuous Monitoring will provide the insight to help detect and prevent cyber-attacks. Most organizations do not have the resources or the expertise to continuously monitor their technology environment. Having logging enabled on a firewall is one thing, but analyzing the traffic coming in and out of your organization in real-time is another level of cybersecurity. OSIbeyond’s Continuous Monitoring services provide your organization with comprehensive managed security solutions offered for CMMC 2.0 Level 2 and NIST CSF compliance.

CMMC NIST CSF

PRICING

Please enter the number of users in your organization to obtain exact pricing. You can also hover over each item to read the description of that service. The CS1 package can be further customized by selecting additional items not included in that package.

Continuous Monitoring

  • Monitoring of data from multiple systems
  • Human analysis of alerts to determine validity (identifying false positives)
  • Notification of verified threats for example:
    • Indications of active ransomware
    • Suspicious remote-control session
    • Malicious file being downloaded
    • Indication of email account compromises (forwarding rules etc.)
  • Guidance on remediation of detected threats
  • Leveraging intelligence from other organizations
  • Expert Cybersecurity professionals
  • Second set of eyes on your systems/network
  • Benefits of using a Continuous Monitoring

SIEM Solution

  • Web-based monitoring application
  • Works with sensors placed inside your technology ecosystem (monitoring all traffic)
  • Real time reporting of any signs of threat activity found in the monitored network
  • Provides enhanced threat analysis
  • Detecting and investigating threats within log metadata
  • Store logs for compliance (30 days)
  • Seamless deployment for workstations (no software/agents etc.)
  • Lightweight agent on servers (DCs only)
  • Analysis of combined data from multiple sources
  • Comprehensive visual on security posture

Office 365 Monitoring

  • Analysis of Office 365 logs and ingestion into the SIEM platform
  • Defend against business email compromise (BEC), account takeovers, and have visibility beyond network traffic.
  • Analyzing data from 365 in conjunction with other network assets

Dark Web Monitoring

  • Personal information can be stolen and purchased on the Dark Web, such as login credentials (username, password, emails etc.)
  • Employee may use work email address on personal websites (LinkedIn, Shopping, Newsletters, etc.)
  • When a password is re-used, one breached account can turn into many
  • If an employee’s personal account is breached, your business is also at risk
  • All it takes is one employee to cause a data breach
  • We monitor employee work email addresses on the Dark Web
  • Alert if breached accounts are found

Multi-Factor Authentication

  • Provides second layer of security
  • Prevents account compromise even if user password is stolen
  • Deployed on all compatible applications, for example:
    • VPN
    • Email
    • Cloud based services (Dropbox, OneDrive etc.)
  • Mobile app or token devices

Security Awareness Training

  • Randomized simulated phishing tests
  • Intended to catch users off guard
  • Conducted continuously
  • Includes training content such as for new hire orientation, annual refresher training etc.
  • Designed to decrease social engineering fraud

Advanced Email Filtering

  • Sophisticated algorithm detects and prevents phishing/spam threats
  • Focuses on CEO Impersonation/ Fraud attacks
  • Monitors outbound email to build profile of trusted contacts within the organization

Advanced Endpoint Protection

  • Next-Generation Antivirus Solution
  • Uses AI algorithm to detect and prevent threats
  • Able to isolate infection systems immediately
  • In the event of infection, provides rollback capability, for example:
    • Restoring infect system back to previously good state

Endpoint Encryption

  • Centrally managed encryption of storage on workstations (PC & Mac)
  • Protects data in the event of stolen or lost device
  • Common Cyber Security configuration requirement (audits/insurance etc.)

Vulnerability Assessments

  • Conducted biannually
  • Agentless scanning of network subnets
  • Identifying the most relevant threats to your environment
  • Remediation tracking and guidance for your IT staff
  • Fulfillment of audit/insurance requirements (historical record)
  • Scanning based on compliance requirements
  • Scanning of 3rd party hosted applications

WAF/DNS Protection

  • Protects public facing web sites/applications against malicious attacks
  • Provides filtering of inbound connection requests for example:
    • Mitigate denial of service attacks
    • Prevent Customer Data Breach
    • Prevent malicious bots from abusing site or application

Device Configuration Backups

  • Automated backups of supported network devices, for example:
    • Firewalls
    • Switches
    • Routers
  • If device is compromised, allows for rapid restoration of validated configuration
  • Provides change control/documentation of device configuration changes

Executive Summary Reports

  • Monthly Executive Summary Reports
    • Identified Threats
    • Remediation actions taken
    • Recommendations and guidance
  • Monthly Status Calls

How many users?

CSF1
Package

$40p/m

CSF2
Package

$50p/m

CMMC-L2
Package

$45p/m
Continuous Monitoring
SIEM Solution
Office 365 Monitoring
Dark Web Monitoring-
Multi-Factor Authentication
Security Awareness Training
Advanced Email Filtering
Advanced Endpoint Protection
Endpoint Encryption
Vulnerability Assessments
WAF/DNS Protection-
Device Configuration Backups-
Executive Summary Reports-
  • No risk commitment
  • Cancel anytime
  • Month to month contract
 GET STARTED

CYBER SECURITY BLOG

Read our latest featured articles.

FAQ

Have questions about CMMC?

  • CMMC Overview

    The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the DIB. It is designed to protect sensitive unclassified information that is shared by the Department of Defense with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the DoD increased assurance that contractors and subcontractors are meeting these requirements.

    The framework has three key features:

    • Tiered Model:CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for information flow down to subcontractors.
    • Assessment Requirement:CMMC assessments allow the DoD to verify the implementation of clear cybersecurity standards.
    • Implementation through Contracts:Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
  • CMMC 2.0 Evolution

    In September 2020, the DoD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041), which implemented the DoD’s initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model, required assessments, and implementation through contracts). The interim rule became effective on November 30, 2020, establishing a five-year phase-in period.

    In March 2021, the DoD initiated an internal review of CMMC’s implementation, informed by more than 850 public comments in response to the interim DFARS rule. This comprehensive, programmatic assessment engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation.

    In November 2021, the DoD announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:

    • Safeguard sensitive information to enable and protect the warfighter
    • Dynamically enhance DIB cybersecurity to meet evolving threats
    • Ensure accountability while minimizing barriers to compliance with DoD requirements
    • Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
    • Maintain public trust through high professional and ethical standards
  • CMMC 2.0 Key Features

    With the implementation of CMMC 2.0, the DoD is introducing several key changes that build on and refine the original program requirements. These are:

    Streamlined Model
    • Focused on the most critical requirements: Streamlines the model from 5 to 3 compliance levels
    • Aligned with widely accepted standards: Uses National Institute of Standards and Technology (NIST) cybersecurity standards
    Reliable Assessments
    • Reduced assessment costs: Allows all companies at Level 1 (Foundational), and a subset of companies at Level 2 (Advanced) to demonstrate compliance through self-assessments
    • Higher accountability: Increases oversight of professional and ethical standards of third-party assessors
    Flexible Implementation
    • Spirit of collaboration: Allows companies, under certain limited circumstances, to make Plans of Action & Milestones (POA&Ms) to achieve certification
    • Added flexibility and speed: Allows waivers to CMMC requirements under certain limited circumstances

     

  • CMMC 2.0 Rule Making Timeline

    The changes reflected in CMMC 2.0 will be implemented through the rulemaking process. Companies will be required to comply once the forthcoming rules go into effect. The DoD intends to pursue rulemaking both in Part 32 of the Code of Federal Regulations (C.F.R.) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R. Both rules will have a public comment period. Stakeholder input is critical to meeting the objectives of the CMMC program, and the Department will actively seek opportunities to engage stakeholders as it drives towards full implementation.

    While these rulemaking efforts are ongoing, the DoD intends to suspend the current CMMC Piloting efforts and will not approve inclusion of a CMMC requirement in any DoD solicitation.

    The DoD encourages contractors to continue to enhance their cybersecurity posture during the interim period while the rulemaking is underway. The Department has developed Project Spectrum to help DIB companies assess their cyber readiness and begin adopting sound cybersecurity practices.

    The DoD is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification in the interim period. Additional information will be provided as it becomes available.

  • Is CMMC 1.0 Still Valid?

    The interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). The DoD does not intend to approve inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process.

    Once CMMC 2.0 is codified through rulemaking, the DoD will require companies to adhere to the revised CMMC framework according to requirements set forth in regulation.

  • When Will CMMC 2.0 Be Required For DOD Contracts?

    The publication of materials relating to CMMC 2.0 reflect the DoD’s strategic intent with respect to the CMMC program; however, CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines can take 9-24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.

  • Why Did The DOD Make These Changes?

    The DoD took into consideration feedback from industry, Congress, and other stakeholders and received over 850 public comments in response to the interim rule establishing CMMC 1.0. These comments focused on the need to enhance CMMC by (1) reducing costs, particularly for small businesses; (2) increasing trust in the CMMC assessment ecosystem; and (3) clarifying and aligning cybersecurity requirements to other federal requirements and commonly accepted standards. CMMC 2.0 was designed to meet these goals, which also contribute toward enhancing the cybersecurity of the defense industrial base.

  • How Much Will It Cost To Implement CMMC 2.0?

    The DoD will publish a comprehensive cost analysis associated with each level of CMMC 2.0 as part of rulemaking. Costs are projected to be significantly lower relative to CMMC 1.0 because the DoD intends to (a) streamline requirements at all levels, eliminating CMMC-unique practices and maturity processes, (b) allow companies associated with the new Level 1 (Foundational) and some Level 2 (Advanced) acquisition programs to perform self-assessments rather than third-party assessments, and (c) increase oversight of the third-party assessment ecosystem.

Schedule a call with one of our experts.(301) 312-8908Schedule a call
Continuous Monitoring

  • Monitoring of data from multiple systems
  • Human analysis of alerts to determine validity (identifying false positives)
  • Notification of verified threats for example:
    • Indications of active ransomware
    • Suspicious remote-control session
    • Malicious file being downloaded
    • Indication of email account compromises (forwarding rules etc.)
  • Guidance on remediation of detected threats
  • Leveraging intelligence from other organizations
  • Expert Cybersecurity professionals
  • Second set of eyes on your systems/network
  • Benefits of using a Continuous Monitoring

SIEM Solution

  • Web-based monitoring application
  • Works with sensors placed inside your technology ecosystem (monitoring all traffic)
  • Real time reporting of any signs of threat activity found in the monitored network
  • Provides enhanced threat analysis
  • Detecting and investigating threats within log metadata
  • Store logs for compliance (30 days)
  • Seamless deployment for workstations (no software/agents etc.)
  • Lightweight agent on servers (DCs only)
  • Analysis of combined data from multiple sources
  • Comprehensive visual on security posture

Office 365 Monitoring

  • Analysis of Office 365 logs and ingestion into the SIEM platform
  • Defend against business email compromise (BEC), account takeovers, and have visibility beyond network traffic.
  • Analyzing data from 365 in conjunction with other network assets

Dark Web Monitoring

  • Personal information can be stolen and purchased on the Dark Web, such as login credentials (username, password, emails etc.)
  • Employee may use work email address on personal websites (LinkedIn, Shopping, Newsletters, etc.)
  • When a password is re-used, one breached account can turn into many
  • If an employee’s personal account is breached, your business is also at risk
  • All it takes is one employee to cause a data breach
  • We monitor employee work email addresses on the Dark Web
  • Alert if breached accounts are found

Multi-Factor Authentication

  • Provides second layer of security
  • Prevents account compromise even if user password is stolen
  • Deployed on all compatible applications, for example:
    • VPN
    • Email
    • Cloud based services (Dropbox, OneDrive etc.)
  • Mobile app or token devices

Security Awareness Training

  • Randomized simulated phishing tests
  • Intended to catch users off guard
  • Conducted continuously
  • Includes training content such as for new hire orientation, annual refresher training etc.
  • Designed to decrease social engineering fraud

Advanced Email Filtering

  • Sophisticated algorithm detects and prevents phishing/spam threats
  • Focuses on CEO Impersonation/ Fraud attacks
  • Monitors outbound email to build profile of trusted contacts within the organization

Advanced Endpoint Protection

  • Next-Generation Antivirus Solution
  • Uses AI algorithm to detect and prevent threats
  • Able to isolate infection systems immediately
  • In the event of infection, provides rollback capability, for example:
    • Restoring infect system back to previously good state

Endpoint Encryption

  • Centrally managed encryption of storage on workstations (PC & Mac)
  • Protects data in the event of stolen or lost device
  • Common Cyber Security configuration requirement (audits/insurance etc.)

Vulnerability Assessments

  • Conducted biannually
  • Agentless scanning of network subnets
  • Identifying the most relevant threats to your environment
  • Remediation tracking and guidance for your IT staff
  • Fulfillment of audit/insurance requirements (historical record)
  • Scanning based on compliance requirements
  • Scanning of 3rd party hosted applications

WAF/DNS Protection

  • Protects public facing web sites/applications against malicious attacks
  • Provides filtering of inbound connection requests for example:
    • Mitigate denial of service attacks
    • Prevent Customer Data Breach
    • Prevent malicious bots from abusing site or application

Device Configuration Backups

  • Automated backups of supported network devices, for example:
    • Firewalls
    • Switches
    • Routers
  • If device is compromised, allows for rapid restoration of validated configuration
  • Provides change control/documentation of device configuration changes

Executive Summary Reports

  • Monthly Executive Summary Reports
    • Identified Threats
    • Remediation actions taken
    • Recommendations and guidance
  • Monthly Status Calls

    Ready to talk?

    Just provide your contact information and submit your request.