Cybersecurity Services

Complete Cyber Monitoring, Vulnerability Scanning, Remediation, Incident Response, and Interim CISO / Risk Manager Services...


Approaches to Cybersecurity Compliance:

There are several different approaches your NIST 800-171 compliance process can take using the Imprimis compliance tools, products, and services:

DIY (Do It Yourself):

  1. Do It Yourself (DIY) Approach: the client completes the compliance process themselves by purchasing through the online store and using the:
  • I2ACT compliance software tool (either i2ACT 800s for NIST 800-171 or i2ACT PRO for additional requirements and baselines to include NIST 800-53 DSS DAAPM) to perform the assessment and produce the list of remediation items required.
  • I2ACT Policies and Procedures (P&P) template, which provides a general template intended to be customized to match the client’s organization. The P&P must address all security families in the NIST 800-171 standard, and the procedures should be tailored to the specific requirements. If no IT/compliance policies and procedures are currently in place, this process will typically take a minimum of 1 man-month of the client’s effort and in many cases, much more.
  • I2ACT System Security Plan (SSP) – again a general template which requires customization on the client’s part. Information and documents that need to be included in the SSP are the system description with diagrams and inventories of hardware and software, management structure, risk analysis, and the most recent assessment report.
  • Plan of Actions and Milestones (POA&M) – a POA&M must be developed and can either be included in the SSP or kept as a stand-alone document. The POA&M is developed by the client to guide their remediation, which the client could do themselves or have done by a third party such as an existing Managed Service Provider (MSP). The POA&M must reflect the new design of the network and the tasks to implement it, and all management actions, including policy and training activities in addition to standard management efforts.
  • I2ACT Incident Response Plan (IRP) – a general template which requires customization on the client’s part.
The DIY approach typically takes the longest, particularly if the client is not familiar with the NIST 800-171 requirements. However, if sufficient time is available, this approach is usually the least expensive.
The assessment and the design of a system that incorporates security best practices require cybersecurity expertise; if the client does not have internal resources with this expertise, it is strongly recommended that it be acquired as needed. If Imprimis support is needed, the client can retain Imprimis subject matter experts through a services agreement for as many hours as they deem appropriate – no minimum number of hours and no maximum – services will be tailored to your needs.

Fast Track Approach:

  2. Fast Track Approach Using the i2 Express Packages: Imprimis has invested a good deal of time, effort and resources into developing compliance “packages” which can be tailored to each company with minimal effort and can be adopted without delay. The packages include: NIST 800-171 or NIST 800-53 DSS DAAPM assessments and the accompanying P&P, SSP, POA&M, and IRP. The packages allow the rapid completion of the assessment and planning phases of compliance and of the documentation required for procurement – often in as little as 1 month.
  • NIST Assessment: Imprimis would perform the initial assessment which would include all 110 requirements of NIST 800-171 – this would be done using the I2ACT 800s software tool prepackaged with remediation information.  If needing a DSS DAAPM assessment, Imprimis would utilize the i2ACT 800 Pro software tool.
  • Policy and Procedure (P&P) Package: Designed to be adopted “as is” and will require only minor changes to finalize, if any.  A Training briefing and video is included with the P&P package, so all employees can be trained on the adopted P&P immediately. 
  • Plan of Actions and Milestones (POA&M) Package: Following the assessment and the identification of the remediation tasks, the POA&M is developed for migrating from client’s current configuration to a fully compliant state.  Client will be required to select or specify solutions for compliance where necessary.  One such example might be the selection of the vendor for two-factor authentication.  These decisions need to be made before the remediation budget can be estimated and the schedule defined.  The same decision process will apply to several other items such as the form of continuous monitoring, periodic vulnerability scanning, IDS, EPP, and others. The list of compliance actions will be set to a schedule to produce the final POA&M.
  • System Security Plan (SSP) Package: Once the POA&M has been finalized, the SSP will then be completed with the addition of 1) the management organization in responsible charge of the network; 2) a detailed description of the network and all assets included within the network; 3) a risk analysis performed jointly with the client; and 4) the most current assessment report.  Imprimis also recommends that the POA&M be included in the SSP as an appendix.
  • An Incident Response Plan (IRP): A final IRP will be provided for adoption by the client.
Approach 2 capitalizes on the experience and “lessons learned” Imprimis has gained during the 3 years that we have been helping companies become cybersecurity compliant, and allows us to pass these efficiencies, both in time and in savings, on to the client.
Approach 2 will require that a Nondisclosure Agreement be executed between our two companies to protect company confidential and proprietary information on both sides. We will also request that a Pre-Assessment Questionnaire be completed, which tells us a little more about your current network so that we can provide a quotation suitable for your company’s size and structure.
If you have completed any of the above milestones on your own, you may certainly select only the options you are interested in.

Sustainment Services:

  3. Sustainment Services (Offered Individually)
Imprimis offers a myriad of sustainment services that support continued compliance, to include:
  • Continuous Monitoring, Cyber Threat Analysis
  • CISO/Risk Management Advisory Services
  • Annual Reassessment Services
  • Supply Chain Support
  • Crisis Incident Response Services
  • Ongoing Cybersecurity Advisory Services
  • Recurring Training
  • Vulnerability Scanning and Penetration Testing
  • Red Team Compliance Verifications

Cyber Compliance Services:

Compliance Life Cycle graphic


Assessments

Imprimis provides NIST 800-171 Assessment packages which combine the i2ACT-800s compliance tool with a complete assessment which can be performed either onsite or remotely.  The packages offer a fast and cost-effective solution to cybersecurity compliance needs.

Vulnerability Scanning

Vulnerability scans are recommended sometime during the assessment process so that vulnerabilities can be identified and addressed during the remediation process. 

Remediation

During remediation, all items flagged as non-compliant or partially compliant, as well as system vulnerabilities, will be addressed and corrected. Supporting compliance documentation will also be updated.

Red Team Validation

An independent, objective Red Team validation is recommended following the NIST 800-171 assessment and remediation process. The Red Team:
  • Reviews the status of all DFARS requirements and assessment artifacts.
  • Annotates any areas of non- or partial compliance.
  • Provides a gap analysis report of findings, explanations and recommendations.
  • Produces a remediation plan identifying all necessary hardware, configuration and process additions/modifications and training required.

Penetration Testing 

Penetration tests are recommended after the assessment and remediation process to ensure compliance with the Defense Industrial Base-Information Sharing and Analysis Center (DIB-ISAC) CyberVerify requirements as due diligence and to further validate the strength of a company’s cybersecurity posture. 

Sustainment

  • Vulnerability Scans (Periodic)
  • Monitoring
  • Incident Response & Forensic Analysis
  • Interim Chief Information Security Officer / Risk Manager Services
  • Advisory Service