Alpine Security will provide a select set of cybersecurity audit and compliance services to help the client become compliant with DFARS Clause 252.204-7012, NIST 800-171, and CMMC security requirements.
Our approach to DFARS Clause 252.204-7012, NIST 800-171, and CMMC compliance is built around three stages, or “evolutions”. With each evolution, your cybersecurity program matures:
- Evolution 1 is Discovery: understanding your current level of compliance and building out the Cybersecurity Roadmap
- Evolution 2 is the Plan of Action and Milestones (POA&M): your team’s remediation efforts are supported by our experience and subject matter experts
- Evolution 3 is the Audit: we conduct a final DFARS compliance assessment, record any remaining actionable tasks on the POA&M, and begin the CMMC roadmap
Evolution 1: DFARS Clause 252.204-7012, NIST 800-171, and CMMC Assessment (Discovery)
- Identify DFARS CUI Inventory
- Conduct Readiness Assessment
- Compile Self-Assessment Documentation
- Determine or confirm critical CUI assets and critical systems
Evolution 2: Remediation Assistance (Plan of Action and Milestones or POA&M)
- Develop DFARS Clause 252.204-7012, NIST 800-171, and CMMC Compliance Roadmap
- Tactical advisory services for POA&M execution
- Guide your organization’s current IT personnel as they perform the necessary tactical tasks to implement the System Security Plan
- Access to Alpine Security Subject Matter Experts (SMEs)
- Manage the development of the Incident Response Plan (IRP) that supports the cyber incident reporting requirements of DFARS 252.204-7012
Evolution 3: Final Compliance Assessment (Audit) and CMMC Roadmap
- Final DFARS Compliance Assessment
- Review outstanding milestones
- Review the overall effectiveness of controls
- Recommended next steps (CMMC Roadmap)
In conducting the Final Compliance Assessment (Audit), we collect information in the form of policies, procedures, workflow diagrams, and any other supporting documentation your organization uses in its day-to-day operations. Your help in providing this documentation is key to producing the most thorough and complete analysis possible. The most common methods for gathering information are email, secure file sharing, telephone conferences, and online meetings. The information you provide is then compared against each NIST 800-171 requirement family and the individual security requirements within it, and analyzed to identify where, and to what extent, your organization has addressed each requirement. The result of the assessment is a ranked list of security recommendations for remediating every non-compliant requirement.
The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly affect the ability of the federal government to carry out its assigned missions and business operations. The security requirements apply to all components of nonfederal systems and organizations that process, store, or transmit CUI, or that provide security protection for such components. The requirements are intended for use by federal agencies in contracts or other agreements established between those agencies and nonfederal organizations. Our intent is to move your organization to a “compliance-ready” position by assessing each requirement and assembling the corroborating evidence needed to meet the DFARS Clause 252.204-7012, NIST 800-171, and CMMC security requirements.
We strive to understand and document the complete “big picture” security posture of your organization, specifically as it relates to the DFARS Clause 252.204-7012, NIST 800-171, and CMMC requirements. People, processes, and technologies are all assessed to provide a holistic view of your security strengths and weaknesses. As we perform the evaluation, we rate how well your organization addresses each requirement, including whether the control is documented in your policies and procedures.