CMMC ACCREDITATION PREPARATION PROGRAM

To assist Organizations Seeking Certification (OSCs) in meeting their NIST SP 800-171 requirements and achieving CMMC Accreditation, we have developed a phased approach to compliance. Our approach follows the traditional assessment processes outlined in NIST frameworks, tailored to a phased CMMC accreditation. Depending on an OSC’s preparedness, we can conduct these phases all at once or over time, and OSCs have the option to work with our cybersecurity professionals on remediation activities throughout the process.

Phase 1 – Test of Design, Assessment
Phase 2 – Remediation Activities
Phase 3 – Test of Effectiveness, Assessment
Phase 4 – Remediation Activities
Phase 5 – CMMC Accreditation



OUR PROCESS


Test of Design

When conducting a security control assessment, we need to determine whether a control is designed properly (i.e., whether it will prevent or detect a particular risk). During the Test of Design phase of our assessment preparedness, we will review your documentation to ensure it meets all the CMMC requirements. Each control will be assessed and will receive a Pass or Fail based upon the documentation provided.

As part of our Test of Design the following documentation will be requested: 

  • System Security Plan 
  • Policies (and Procedures) 
  • POA&Ms 

Upon completion, you will receive a report indicating a Pass or Fail of each security control, which can be used to develop a Plan of Action and Milestones (POA&M) and for SPRS reporting.

Upon completion of the Test of Design, you may engage our professionals to assist with remediation activities (correcting failed controls). Our professionals can assist with everything from simple updates of documentation to developing remediation plans and a strategy for CMMC compliance. If we are engaged in the remediation activities, we will not have to reassess those controls before moving on to the Test of Effectiveness (otherwise, reassessment would be billed hourly).


Test of Effectiveness


When conducting a security control assessment, we need to determine whether a control is working as intended. During the Test of Effectiveness phase of our assessment preparedness, we will schedule interviews with your system team to review the configuration of the controls and ensure they are working as intended. Each applicable control will be assessed and will receive a Pass or Fail based upon the implementation.

In addition to interviews, the Test of Effectiveness will be conducted through remote demonstrations and walk-throughs. System team members will be provided a list of the items we will be discussing, so that your team is able to prepare and the individuals needed are available for discussion.

Upon completion, as with the Test of Design, a report indicating a Pass or Fail of each security control will be provided.

Upon completion of the Test of Effectiveness, you may engage our professionals to assist with remediation activities (i.e., correcting the failed controls). Our professionals are skilled in everything from developing and executing complex project plans, to developing a Backup and Disaster Recovery plan, to the configuration and implementation of a Security Information and Event Management (SIEM) solution (one of the more challenging tasks for an organization). We can execute the project for you or work as part of your system team. If we are engaged in the remediation activities, we will not have to reassess those controls before moving on to the Test of Effectiveness (otherwise, reassessment would be billed hourly).


CMMC Accreditation

Once we have finished the remediation activities and verified that both the Test of Design and Test of Effectiveness are in a passing state, we can refer you to a partner for the CMMC Assessment, since we are unable to assess clients we have helped to prepare.

 

'Precision Business Solutions has been a Cyber Security consultant to Gryphon Technologies since 2017, when we engaged them to assist us in compliance with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

Since then, they have worked with our IT Department to build our Cyber Security program. Of the notable accomplishments, Gryphon Technologies received a very favorable High Confidence score from the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), on our compliance with DFARS Clause 252.204-7012.

We continue to work with the professionals at Precision Business Solutions to maintain our compliancy and to prepare for our Cybersecurity Maturity Model Certification. I would recommend them to any organization working with the Department of Defense or other federal agencies.'