Kroll has extensive experience assessing compliance with the underlying regulatory and cyber security frameworks that make up CMMC, having conducted hundreds of assessments based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, 800-53, ISO 27002 and many others. We have a deep bench of experts with backgrounds in a variety of industries, including law enforcement and governmental agencies, that can assess compliance and assist organizations with determining what is reasonable for their organization’s size and sector.
Designed to provide additional assurance to the DoD that a Defense Industrial Base (DIB) contractor follows basic cyber hygiene and is able to protect controlled unclassified information (CUI) at a level commensurate with the size, type and sensitivity of the contracts it bids on, the CMMC helps create justified confidence in DIB partners.
With over 300,000 businesses, non-profits and academic institutions of all sizes conducting development, research, development, design, delivery and maintenance of military weapon systems, the DIB represents a treasure trove to domestic and foreign cybercriminals. It is imperative that the DoD better understand the cyber security maturity level and overall resilience of its supply chain.
Version 2.0 of the CMMC offers three maturity levels, reduced from version 1.0’s five levels, for DIB contractors. Maturity Level 1 covers 17 practices, just as the previous version of the framework did. Organizations will be able to self-assess at Maturity Level 1. Maturity Level 2 focuses on the 110 controls from NIST SP 800-171. Third-party assessors will conduct assessments at this level, while certain exceptions will allow some organizations to self-assess at Level 2 as well. Maturity Level 3 will be based on NIST SP 800-172, and government-led technical assessments will be required. In a departure, CMMC 2.0 removes entirely the maturity processes that were previously required above Maturity Level 1.
Kroll has conducted hundreds of NIST-based assessments and understands that the initial focus ahead of a CMMC audit should be to assess your current state of compliance, determine your required level of future compliance and then prepare clear, concise plan of actions and milestones (POA&M) to meet that goal ahead of your audit.
Evaluate Current Maturity and Develop Roadmap to Meet Desired CMMC Level Requirements
Once we understand your organization’s goals and the level of maturity needed for its DoD work, our cyber risk experts will:
Finally, our team identifies gaps in critical security controls according to your desired CMMC maturity level, organized by the appropriate domains or families, along with clear recommendations for both improving your security posture and meeting CMMC requirements. Our deliverables for a Maturity Level 2 assessment are organized using the NIST SP 800-171 families:
An organization aiming at high levels of CMMC compliance must understand its scope and responsibilities go far beyond the information security and IT teams. Once the CMMC Preparedness Assessment is complete, your team is able to easily map each of the controls in your desired maturity level to its owner group, which will help streamline implementation ahead of the audit. Control owners can be segmented by:
As the DoD updates the CMMC, DIB contractors must internalize cyber security across the entire organization. Regardless of your existing maturity level or the standards currently adopted by your team, our experts can help you prepare for the CMMC. In addition to assistance with the CMMC, our highly trained information security professionals offer penetration testing, cloud security assessments and vCISO services. Talk to a Kroll expert today via our 24x7 cyber incident hotlines or our contact page.
Validate your cyber defenses against real-world threats. Kroll’s world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cyber security assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.
Assess the design, configuration and implementation of your web apps for critical vulnerabilities. Kroll’s scalable pen testing services consider the business case and logic of your apps, providing more coverage and an optimized program based on risk.
Kroll’s certified pen testers find vulnerabilities in your APIs that scanners simply can’t identify. Protect your business and keep sensitive data secure by leveraging our knowledge and experience in testing modern API infrastructures.
Integrated into your software development lifecycle (SDLC), Kroll’s agile penetration testing program is designed to help teams address security risks in real time and on budget.
Kroll’s team of certified cloud pen testers uncover vulnerabilities in your cloud environment and apps before they can be compromised by threat actors.
Kroll’s product security experts upscale your AppSec program with strategic application security services catered to your team’s culture and needs, merging engineering and security into a nimble unit.
Red team security services from Kroll go beyond traditional penetration testing, leveraging our frontline threat intelligence and the adversarial mindset used by threat actors to push the limits of your information security controls.
Kroll helps development teams design and build internal application threat modeling programs to identify and manage their most pressing vulnerabilities.
Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.
by Laurie Iacono, George Glass, Keith Wojcieszek
by Krystina Lacey
by George Glass, Dave Truman
by Alex Cowperthwaite, Pratik Amin, Kassidy Marsh