IT/Managed Service Providers
CMMC for IT/MSP Companies: We help you determine where you’re at in CMMC. And bring you all the way to “Assessment Ready” through flexible consulting services and today’s best CMMC technology solutions.
Do You Handle CUI?
Don’t assume that NIST 800-171 and CMMC for IT/MSP Companies apply just because you received one of the many compliance form letters sent out by your prime customers. If you don’t handle CUI (or your customer’s CUI) you can avoid an unnecessary CMMC 2.0 Level 2 compliance program.
However, if you do handle CUI, we provide consulting services to navigate you through the compliance process.
CMMC For IT/MSP Companies That Handle CUI
Background
$600 billion dollars or about 1% of global gross domestic product each year is lost through cyber theft. Adversaries know that in today’s great power competition environment, information and technology are both key cornerstones and — and attacking a sub-tier supplier is far more appealing than a prime.
Source: defense.gov
Because there are fewer controls over CUI as compared to classified information, CUI is the path of least resistance for our geopolitical adversaries. Loss of aggregated CUI is one of the most significant risks to national security, directly affecting the lethality of our warfighters.
Cybersecurity Regulatory Compliance Phase-In
December 31, 2017
The U.S. DoD requires Defense Industrial Base companies to provide “reasonable security” for Covered Defense Information, including CUI via DFARS 252.204-7012. Many small-medium size companies are slow to implement due to a lack of resources and technical expertise.
November 30, 2020
Compliance enforcement strengthens through interim rules (DFARS 252.204 -7019 & -7020). The DoD sets requirements to submit NIST 800-171 self-assessment results into the Supplier Performance Risk System (SPRS). The SPRS enables DoD contract officials to consider a company’s self-assessment score (or failure to report it) in their contract award process.
Prime contractors seek confirmation from their IT/MSP subs about their compliance progress and status of their SPRS submission due to compliance flow down requirements.
DFARS 252.204-7021 ushers in CMMC (Cybersecurity Maturity Model Certification). And CMMC requires independent certification by an authorized C3PAO company.
November 04, 2021
The DoD releases CMMC 2.0 to simplify the CMMC standard while still safeguarding sensitive information. The previous 5 CMMC maturity levels are reduced to 3 and the number of controls is reduced to align with NIST 800-171.
What’s Next?
You help your U.S. DoD customers manage their I.T. equipment
You may not touch your customers Controlled Unclassified Information (CUI). Still, the CMMC 2.0 Scoping Guide requires all security protection assets (including the equipment you manage) to be “in scope” of your customer’s CUI.
If you handle your customer’s CUI
We’ll perform a CMMC Gap (Readiness) Assessment to identify your CMMC/NIST 800-171 compliant and non-compliant practices:
- We’ll help you create a customer responsibility matrix
- Develop policies, procedures, and artifacts to document compliance
- Remediate gaps
We offer a CUI Scoping service to begin your CMMC 2.0 compliance program.
If you DON’T handle your customer’s CUI
- We’ll help you scope and document the services you provide to your customers
- Identify the CMMC/NIST 800-171 practices you may follow
- Document policies and procedures, and roles and responsibilities
- Document how you monitor systems to ensure they’re secure and not compromised
SPRS DoD
Have you made your SPRS submission?
If you haven’t made your SPRS submission, we offer an affordable consulting package with a 30-day turnaround time.
CMMC Consulting
Have a low SPRS score? You’re not alone. Let us help you remediate NIST 800-171 POAM deficiencies and develop a CMMC 2.0 Level 2 compliance program just for you.
Gap Assessment
Want to confirm you’re ready for CMMC 2.0 assessment by a C3PAO? KLC Consulting evaluates readiness by simulating an independent C3PAO assessment.
CMMC For IT/MSP Companies: Challenges We Solve
- How do I create a customer responsibility matrix for CMMC / NIST 800-171 customers?
- Getting my staff trained in CMMC
- How do I ensure that my customers’ solutions are compliant with CMMC/ NIST 800-171?
- Does my incident response plan comply with DFARS 252.204-7012 requirements?
- Do I need to get FedRAMP certified? And at what level?
- Are my tools certified to support CMMC / NIST 800-171?
- Uncertainty about flow down compliance requirements to subcontractors
- Uncertainty responding to cybersecurity and compliance-related questions from:
- DoD agencies
- Prime contractors
- Subcontractors
- Cybersecurity insurers
- Incident response plan development and handling (DFARS 252.204-7012)
- Incident response plan testing (tabletop exercise)
- Penetration testing/vulnerability testing
Secure Your CMMC
C3PAO Assessment
Don’t Get Left on the Ground. With limited C3PAOs and a growing number of DIB companies requiring CMMC Level 2 certification, securing your assessment spot is crucial. Reserve your assessment with KLC Consulting today and avoid delays.