Approaches to Cybersecurity Compliance:
There are several different approaches your CMMC or NIST 800-171/53 compliance process can take using the Imprimis compliance tools, products, and services:
DIY (Do It Yourself):
Do It Yourself (DIY) Approach: Client completes the compliance process themselves by purchasing through the online store and using the:
- i2ACT Compliance Software Tool (either i2ACT 800s for NIST 800-171 or i2ACT PRO for additional requirements and baselines to include NIST 800-53 DSS DAAPM) to perform the assessment and produce the list of remediation items required. The CMMC version of the tool is under development and is expected to be released early in Q2 of 2020.
- i2ACT Policies and Procedures (P&P) template, which provides a general template intended to be customized to match the client’s organization. The P&P must address all security families in the NIST 800-171 standard, and the procedures should be tailored to the specific requirements. If no IT/compliance policies and procedures are currently in place, this process will typically take a minimum of 1 man-month of the client’s effort and, in many cases, much more.
- i2ACT Systems Security Plan (SSP) template – again a general template which requires customization on the client’s part. Information and documents that need to be included in the SSP are the system description with diagrams and inventories of hardware and software, management structure, risk analysis, and the most recent assessment report.
- i2ACT Incident Response Plan (IRP) template – a general template which requires customization on the client’s part.
** Note: The document templates are designed for NIST 800-171/53 requirements. CMMC DIY templates are under review at this time. **
The DIY approach typically takes the longest particularly if the client is not familiar with the CMMC or NIST 800-171/53 requirements. However, if sufficient time and qualified personnel are available, this approach is usually the least expensive.
The assessment and design of a system that incorporates security best practices requires cybersecurity expertise. If the client does not have internal resources with this expertise, it is strongly recommended that the needed expertise be acquired. If Imprimis support is needed, the client can retain Imprimis subject matter experts through a services agreement for as many hours as they deem appropriate – no minimum number of hours and no maximum – and services will be tailored to your needs.
Fast Track Approach:
Fast Track Approach Using the i2 Express Packages: Imprimis has invested a good deal of time, effort and resources into developing compliance “packages” which can be tailored to each company with minimal effort and can be adopted without delay. The packages include CMMC, NIST 800-171 or NIST 800-53 DSS DAAPM assessments and the accompanying P&P, SSP, POA&M, and IRP. The packages allow the rapid completion of the assessment and planning phases of compliance and of the documentation required for procurement.
- CMMC | NIST Assessment: Imprimis would perform the initial assessment, which would include all 110 requirements of NIST 800-171 plus the additional CMMC requirements, or just NIST 800-171/53 as applicable. This would be done using the i2ACT 800s software tool prepackaged with remediation information. If a DSS DAAPM assessment is needed, Imprimis would utilize the i2ACT 800 Pro software tool.
- Policy and Procedure (P&P) Package: Designed to be adopted “as is” and will require only minor changes to finalize, if any. A training briefing and video are included with the P&P package, so all employees can be trained on the adopted P&P immediately.
- Plan of Actions and Milestones (POA&M) Package: Following the assessment and the identification of the remediation tasks, the POA&M is developed for migrating from the client’s current configuration to a fully compliant state. The client will be required to select or specify solutions for compliance where necessary. One such example might be the selection of the vendor for two-factor authentication. These decisions need to be made before the remediation budget can be estimated and the schedule defined. The same decision process will apply to several other items such as the form of continuous monitoring, periodic vulnerability scanning, IDS, EPP, and others. The list of compliance actions will be set to a schedule to produce the final POA&M.
- System Security Plan (SSP) Package: Once the POA&M has been finalized, the SSP will then be completed with the addition of 1) the management organization in responsible charge of the network; 2) a detailed description of the network and all assets included within the network; 3) a risk analysis performed jointly with the client; and 4) the most current assessment report. Imprimis also recommends that the POA&M be included in the SSP as an appendix.
- Incident Response Plan (IRP) Package: A final IRP will be provided for adoption by the client.
The Fast Track approach capitalizes on the experience and “lessons learned” Imprimis has gained during the 3 years that we have been helping companies become cybersecurity compliant and allows us to pass these efficiencies, both in time and in savings, on to the client.
All cybersecurity services and solutions will require that a Nondisclosure Agreement be executed between our two companies to protect company confidential and proprietary information on both sides. We will also request that a Pre-Assessment Questionnaire be completed which tells us a little more about your current network so that we can provide a quotation suitable for your company’s size and structure.
If you have completed any of the above milestones on your own, you may certainly only select the options you might be interested in.
Sustainment Services:
Sustainment Services (Offered Individually)
Imprimis offers a myriad of sustainment services that support continued compliance, to include:
- Continuous Monitoring, Cyber Threat Analysis
- CISO/Risk Management Advisory Services
- Annual Reassessment Services
- Supply Chain Support
- Crisis Incident Response Services
- Ongoing Cybersecurity Advisory Services
- Recurring Training
- Vulnerability Scanning and Penetration Testing
- Red Team Validations for CMMC Pre-Certification or NIST Compliance Audits
Cyber Compliance Process - DFARS/NIST versus DFARS CMMC:
Assessments
Imprimis provides CMMC and NIST 800-171 | NIST 800-53 DSS DAAPM Assessment packages which combine use of the i2ACT-800s compliance tool with a complete assessment which can be performed either onsite or remotely. The packages offer a fast and cost-effective solution to cybersecurity compliance needs.
Vulnerability Scanning
Vulnerability scans are recommended sometime during the assessment process so that vulnerabilities can be identified and addressed during the remediation process.
Remediation
During remediation, all items flagged as non-compliant or partially-compliant and system vulnerabilities will be addressed and corrected. Supporting compliance documentation will also be updated.
Red Team Validation
An independent, objective pre-certification audit review or compliance validation is recommended following a CMMC or NIST 800-171/53 assessment and remediation process.
- Reviews the status of all CMMC or DFARS requirements and assessment artifacts.
- Annotates any areas of non- or partial compliance.
- Provides a gap analysis report of findings, explanations and recommendations.
- Produces a remediation plan identifying all necessary hardware, configuration and process additions/modifications and training required.
Penetration Testing
Penetration tests are recommended after the assessment and remediation process as due diligence and to further validate the strength of a company’s cybersecurity posture.
Sustainment
- Vulnerability Scans (Periodic)
- Monitoring
- Incident Response & Forensic Analysis
- Interim Chief Information Security Officer / Risk Manager Services
- Advisory Service