Enterprise-grade cyber security solutions designed for small to medium-sized organizations.
Whether your organization is a DoD contractor seeking to obtain CMMC certification or another industry standard such as ISO 27001, PCI DSS, HIPAA etc., cybersecurity compliance is a critical component of your business. Even if your organization does not have to adhere to any specific compliance requirements, cybersecurity should still be a top priority for your business.
Cyber threats continue to evolve and become more malicious every day. Organizations that don’t take these threats as seriously as they would any other external force risk the demise of their business.
OSIbeyond offers comprehensive cyber security solutions to help your organization stay ahead of cyber threats. Our compliance services are focused on helping your organization meet compliance standards, while our managed cybersecurity services help maintain compliance on an ongoing basis. The combination of both services offers an end-to-end cyber security solution for organizations in the Washington D.C., Maryland, and Virginia area.
OSIbeyond specializes in CMMC compliance and is a Registered Provider Organization (RPO) authorized by the CMMC accreditation body (Cyber-AB) to provide consulting services to DoD contractors seeking CMMC certification. In addition, with multiple Registered Practitioners (RPs) available on staff, we have the credentials and expertise to guide your organization in becoming CMMC audit-ready and maintaining compliance post-certification.
Regulatory compliance is often the driver behind a cybersecurity program within an organization. This consists of developing a cybersecurity program that is based on specific controls to protect the integrity, confidentiality, or availability of sensitive data.
Cybersecurity compliance can be complicated, not only requiring technical knowledge but also the resources and ability to properly document the activities in the technology environment of an organization.
OSIbeyond can help simplify the daunting task of cybersecurity compliance. Our compliance experts specialize in leading industry technical standards such as CMMC, NIST 800-171, the NIST Cybersecurity Framework, and others.
The first step towards cybersecurity compliance with any standard is to conduct a thorough Risk Assessment to analyze how sensitive data is used by your organization and where it is stored. OSIbeyond’s Risk Assessments determine an organization’s security posture relative to the standard with which it must comply. A Gap Analysis is conducted to identify the gaps in security, then a System Security Plan (SSP) along with a Plan of Action and Milestones (POA&M) is developed to determine the path toward full compliance.
The new Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) requires some companies in the Defense Industrial Base (DIB) to be assessed by an independent third party and certified at one of three maturity levels in order to continue to be awarded DoD contracts or subcontracts. OSIbeyond provides CMMC solutions and assessment preparation services that can help expedite the time it takes for your organization to meet CMMC cybersecurity requirements. Contact us to get started.
While the DoD is implementing the new CMMC standard over the course of 5 years, they have released what is sometimes known as the “Interim Rule”, based on the National Institute of Standards and Technology (NIST) 800-171 standard. The interim rule applies to new contracts and modifications. It requires all contractors who may possess Controlled Unclassified Information (CUI) to conduct a self-assessment based on the NIST 800-171A assessment guidelines and upload their score to the Supplier Performance Risk System (SPRS). Contact OSIbeyond to help your organization implement the 110 controls required in the 800-171 standard, in addition to the supplemental controls required by DFARS 252.204-7012.
The NIST CSF is widely used in the commercial sector as the benchmark standard for cybersecurity. The Framework integrates industry standards and best practices to help organizations manage their cybersecurity risks. If your organization is looking to implement a cybersecurity program and does not have specific regulatory requirements, the NIST CSF is the leading standard to follow. Contact OSIbeyond to help your organization implement the Framework.
Documentation is a central part of compliance and an established cybersecurity program. However, most IT personnel do not possess the expertise or time required to develop proper documentation. In addition, documented policies and procedures should be reviewed and updated annually to reflect an organization’s current technology state. OSIbeyond will help develop the necessary documentation to meet compliance standards and controls required of your company.
Training is another major component of compliance. Once the technical solutions have been implemented and the policies and procedures have been documented, you must ensure that your employees, both end users and admins, are properly trained in order to maintain compliance. This starts with developing a training program consisting of documentation, videos, or in-person training. In addition, training will include Security Awareness Training, new employee onboarding training, and annual security refresher training for all employees. Contact OSIbeyond to help develop an effective training program to keep your organization in compliance.
Not all organizations have the benefit of having a Chief Information Security Officer (CISO) on staff. That’s why OSIbeyond offers vCISO services consisting of monthly plans that provide your organization with part-time, high-level security consulting to address incidents, provide guidance, and assist with tasks such as third-party security questionnaires. Our vCISO services will help ensure that your organization’s security program is properly managed.
A Managed Security Services Provider (MSSP) is an independent, outside entity that has the resources and expertise to provide continuous monitoring of an organization’s technology environment. This consists of central log aggregation through a Security Information and Event Management (SIEM) platform, which is in turn monitored by a team of analysts in a Security Operations Center (SOC). An MSSP will be able to detect most threats and respond to incidents rapidly in order to prevent or mitigate a cyber breach.
The key to an effective cybersecurity operation is having the ability to see what is happening inside the entire technology ecosystem of your organization. Continuous Monitoring will provide the insight to help detect and prevent cyber-attacks. Most organizations do not have the resources or the expertise to continuously monitor their technology environment. Having logging enabled on a firewall is one thing, but analyzing the traffic coming in and out of your organization in real-time is another level of cybersecurity. OSIbeyond’s Continuous Monitoring services provide your organization with comprehensive managed security solutions offered for CMMC Level 3 and NIST CSF compliance.
An effective cyber security program not only assumes a defensive posture but also takes offensive measures to stay ahead of attackers. Penetration Testing is an effective offensive method designed to simulate a cyberattack on a computer system or network in order to evaluate security and identify vulnerabilities. Penetration testing is typically conducted on an annual, semiannual, or quarterly basis. OSIbeyond offers penetration testing as a one-time project or on a subscription basis.
Pricing is based on the number of users in your organization. The CS1 package can be further customized by selecting additional items not included in that package. Services available across the packages:
- Office 365 Monitoring
- Dark Web Monitoring
- Security Awareness Training
- Advanced Email Filtering
- Advanced Endpoint Protection
- Device Configuration Backups
- Executive Summary Reports
- Mobile Device Management (MDM)
Have questions about CMMC?
The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the DIB. It is designed to protect sensitive unclassified information that is shared by the Department of Defense with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the DoD increased assurance that contractors and subcontractors are meeting these requirements.
The framework has three key features:
In September 2020, the DoD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041), which implemented the DoD’s initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model, required assessments, and implementation through contracts). The interim rule became effective on November 30, 2020, establishing a five-year phase-in period.
In March 2021, the DoD initiated an internal review of CMMC’s implementation, informed by more than 850 public comments in response to the interim DFARS rule. This comprehensive, programmatic assessment engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation.
In November 2021, the DoD announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:
With the implementation of CMMC 2.0, the DoD is introducing several key changes that build on and refine the original program requirements. These are:
The changes reflected in CMMC 2.0 will be implemented through the rulemaking process. Companies will be required to comply once the forthcoming rules go into effect. The DoD intends to pursue rulemaking both in Part 32 of the Code of Federal Regulations (C.F.R.) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R. Both rules will have a public comment period. Stakeholder input is critical to meeting the objectives of the CMMC program, and the Department will actively seek opportunities to engage stakeholders as it drives towards full implementation.
While these rulemaking efforts are ongoing, the DoD intends to suspend the current CMMC Piloting efforts and will not approve inclusion of a CMMC requirement in any DoD solicitation.
The DoD encourages contractors to continue to enhance their cybersecurity posture during the interim period while the rulemaking is underway. The Department has developed Project Spectrum to help DIB companies assess their cyber readiness and begin adopting sound cybersecurity practices.
The DoD is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification in the interim period. Additional information will be provided as it becomes available.
The interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). The DoD does not intend to approve inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process.
Once CMMC 2.0 is codified through rulemaking, the DoD will require companies to adhere to the revised CMMC framework according to requirements set forth in regulation.
The publication of materials relating to CMMC 2.0 reflects the DoD’s strategic intent with respect to the CMMC program; however, CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines can take 9-24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.
The DoD took into consideration feedback from industry, Congress, and other stakeholders and received over 850 public comments in response to the interim rule establishing CMMC 1.0. These comments focused on the need to enhance CMMC by (1) reducing costs, particularly for small businesses; (2) increasing trust in the CMMC assessment ecosystem; and (3) clarifying and aligning cybersecurity requirements to other federal requirements and commonly accepted standards. CMMC 2.0 was designed to meet these goals, which also contribute toward enhancing the cybersecurity of the defense industrial base.
The DoD will publish a comprehensive cost analysis associated with each level of CMMC 2.0 as part of rulemaking. Costs are projected to be significantly lower relative to CMMC 1.0 because the DoD intends to (a) streamline requirements at all levels, eliminating CMMC-unique practices and maturity processes, (b) allow companies associated with the new Level 1 (Foundational) and some Level 2 (Advanced) acquisition programs to perform self-assessments rather than third-party assessments, and (c) increase oversight of the third-party assessment ecosystem.