MISSION INSIGHT Security Management Office (SMO) Solutions

CyberService - Planned 2020: Cybersecurity Maturity Model Certification Assessments

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.

OUSD(A&S) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry to develop the Cybersecurity Maturity Model Certification (CMMC).

  • The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
  • The CMMC effort builds upon existing regulation (DFARS 252.204-7012), which is based on trust, by adding a verification component with respect to cybersecurity requirements.
  • The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
  • The intent is for certified independent third-party organizations to conduct audits and inform risk.

CMMC Third Party Assessment Organizations (C3PAOs) and CMMC Training

The Department is aware that some entities have made claims of being able to provide CMMC certifications for the purposes of contracting with the DoD. The requirements for becoming a CMMC Third Party Assessment Organization (C3PAO) are not yet established. As a result, there are no third-party entities at this time that have been credentialed to conduct a CMMC assessment which will be accepted by the CMMC Accreditation Body. Similarly, at this time, only training materials or presentations provided by the Department will reflect the Department’s official position with respect to the CMMC program.

Cybersecurity Maturity Model Certification (CMMC) FAQs

What are the concerns regarding cybersecurity in the Defense Industrial Base (DIB)?

The aggregate loss of controlled unclassified information (CUI) from the DIB sector increases risk to national economic security and in turn, national security. In order to reduce this risk, the DIB sector must enhance its protection of CUI in its networks.

The Council of Economic Advisers, an agency within the Executive Office of the President, estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 [Ref: “The Cost of Malicious Cyber Activity to the U.S. Economy,” CEA, February 2018].

The Center for Strategic and International Studies (CSIS), in partnership with McAfee, reports that as much as $600 billion, nearly 1% of global GDP, may be lost to cybercrime each year. The estimate is up from a 2014 study that put global losses at about $445 billion [Ref: “Economic Impact of Cybercrime - No Slowing Down,” February 2018].

_________________________________________________

How will MISSION INSIGHT become certified to perform the required CMMC assessments for vendors that have, or plan to execute, contracts with the Department of Defense (DoD)?

The CMMC Accreditation Body (AB), a non-profit, independent organization, will accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors. The CMMC AB will provide the requisite information and updates on its website (www.cmmcab.org).

The CMMC AB plans to establish a CMMC Marketplace that will include a list of approved C3PAOs as well as other information. After the CMMC Marketplace is established, DIB companies will be able to select one of the approved C3PAOs and schedule a CMMC assessment for a specific level.

____________________________________________

What is the relationship between NIST SP 800-171 Rev. 1 and the CMMC?

CMMC Levels 1-3 encompass the 110 security requirements specified in NIST SP 800-171 Rev. 1. CMMC incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.

_____________________________________________

What other Federal (non-DoD) contracts use CMMC?

The initial implementation of the CMMC will only be within the DoD.

______________________________________________

Why is the CMMC being created?

DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure that appropriate levels of cybersecurity practices and processes are in place to provide basic cyber hygiene as well as to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.

_______________________________________________

What is Controlled Unclassified Information (CUI)?

CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at: https://www.archives.gov/cui and includes the following organizational index groupings:

  • Critical Infrastructure
  • Defense
  • Export Control
  • Financial
  • Immigration
  • Intelligence
  • International Agreements
  • Law Enforcement
  • Legal
  • Natural and Cultural Resources
  • NATO
  • Nuclear
  • Privacy
  • Procurement and Acquisition
  • Proprietary Business Information
  • Provisional
  • Statistical
  • Tax

Resources, including online training to better understand CUI, can be found on the National Archives’ website at https://www.archives.gov/cui/training.html


CyberService: GRC Management

GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.

GRC as an acronym denotes Governance, Risk, and Compliance. MISSION INSIGHT has experience in GRC program management deployments, building security governance programs that deploy tools such as Tanium to manage supporting security tools, including Zscaler for endpoint security perimeters, Trend Micro Apex One for endpoint antivirus, Trend Micro encryption using BitLocker, and Symantec DLP to manage data across the enterprise.

CyberService: Cyber Maturity Management

Implementing comprehensive and innovative CyberResiliency Baseline & Improvement Assessments that align to the NIST CSF and COBIT frameworks.


CyberService: Cyber Risk Management

Risk management is a fundamental principle of cybersecurity. It is the basis of the NIST Framework for Improving Critical Infrastructure Cybersecurity. Agencies of the U.S. Government certify the operational security of their information systems against the requirements of the FISMA Risk Management Framework (RMF). The alternative to risk management would presumably be a quest for total security, which is both unaffordable and unachievable.

MarketIntell

IntelService: Competitive Intelligence

Competitive Intelligence (CI) is the collection and analysis of information to anticipate competitive activity, see past market disruptions and dispassionately interpret events.

It is an essential component of developing a business strategy. CI analysis provides insight into marketplace dynamics and challenges in a structured, disciplined, and ethical manner using published and non-published sources.


CyberSecurity Training & Webinars


MISSION INSIGHT NAICS Codes

541611 - Administrative Management and General Management Consulting Services

MISSION INSIGHT's core capability is to provide Market Intelligence 'INSIGHTS' that drive business & operational strategies to strengthen your bottom line.

  • Program & Project Management
  • Site selection consulting services
  • Financial management (except investment advice) consulting services
  • Strategic planning consulting services
  • General management consulting services
  • Administrative management consulting services

541613 - Marketing Consulting Services

With the 'INSIGHTS' obtained through our breakthrough approach to Market Intelligence, we are armed with the most current & actionable data to drive your marketing demands.

  • Customer services management consulting services
  • New product development consulting services
  • Marketing management consulting services
  • Sales management consulting services
  • Proof of concept
  • Feasibility studies
  • Gap & risk analysis studies

541614 - Process, Physical Distribution, and Logistics Consulting Services

With the business & operational process 'INSIGHTS' obtained through our breakthrough approach to Market Intelligence, we have the capabilities to deploy a Lean/Six Sigma approach to your processes and remove the process inefficiencies that are draining your bottom line.

  • Productivity improvement consulting services
  • Inventory planning and control management consulting services
  • Governance & reporting metrics management consulting services
  • Manufacturing management consulting services

541512 / 541513 - Computer Facilities Management Services

MISSION INSIGHT, operating under our ITILv3 ITSM service offerings, can address your IT service performance with process efficiencies such as Incident Management, Disaster Recovery, and Change, Release & Availability Management, to name a few of the ITILv3 processes.


541618 - Other Management Consulting Services

MISSION INSIGHT is positioned to be your partner in all of your 'problem-solving' projects. Our experience below highlights our 'plug & play' capabilities that have generated positive results in many different industries.

How do we do this? It is all about sticking to the 'forensic data' available. In most cases, when quality data is not available, we have the 'know-how' to embed our team where it matters most: with those who are working the process!

Request MISSION INSIGHT Capability Statement

For more information about MISSION INSIGHT capabilities, please request MISSION INSIGHT Capability Statement using this request tool.


MISSION INSIGHT Market Base


CyberSecurity Services: Government Agencies

CyberSecurity governance services for all levels of government (Federal, State, Tribal & Territory).

CyberSecurity Services: Corporation - Large Business

Large businesses have Cyber requirements that can exceed your particular domain and strategy position. The Cyber threats & risks are the same as those for the public sector. We can work with your business to define the correct risk appetite that matches your budget and strategy, to ensure your risk is identified and mitigated.


CyberSecurity Services: Corporation - Small Business

Small businesses have Cyber requirements that can be managed collectively with other similar businesses. The Cyber threats & risks are the same as those for larger corporations. We can work with your business to define the correct risk appetite that matches your budget and strategy.


CyberSecurity Services: Private SMART Homes

CyberSecurity governance services for the homeowner that has a SMART home or deployed IoT devices such as SONOS, Amazon ALEXA, Google SIRI.


Next Steps...

Contact MISSION INSIGHT to assist in managing your business mission