Robert Duffy, Author at Systems Service Enterprises
https://www.sseinc.com
IT solutions and training built around serving commercial and government markets.
Thu, 15 Aug 2024 16:20:06 +0000

NIST 800-171 Rev.3 Draft: What It Means Now and Moving Forward With CMMC
https://www.sseinc.com/blog/nist-800-171-rev3-draft/
Tue, 19 Sep 2023 00:00:44 +0000

The National Institute of Standards and Technology (NIST) has provided guidelines and standards for enhancing data security. Most recently, NIST has released the NIST 800-171 Rev.3 draft, viewed as a major step in increasing cybersecurity practices. In this blog, we’ll dive into the critical implications of the NIST 800-171 Rev.3 draft and how it can be adapted into organizations’ strategies to comply with regulations, including preparing for Cybersecurity Maturity Model Certification (CMMC).

Understanding the NIST 800-171 Rev.3 Draft

NIST 800-171 is not a new concept, as it has been law since 2017 and is the standard for safeguarding Controlled Unclassified Information (CUI) in non-federal systems and organizations. NIST’s commitment to addressing emerging cyber threats and streamlining existing guidelines is signified by the release of the Rev.3 draft. Here are some of the fundamental changes created by the draft:

  • Expanded scope: The updated draft expands the covered information to include additional CUI elements that widen the net for compliance requirements.
  • Enhanced controls: The Rev.3 draft introduces new, refined controls to align with evolving threats and industry best practices.
  • Simplified language: The guidelines have been made more accessible through clearer, more concise language to facilitate better understanding and implementation.

Moving Forward with CMMC Planning

CMMC builds upon NIST 800-171 to introduce a tiered approach to cybersecurity and focuses on assessing and certifying an organization’s security practices. But how does the NIST 800-171 Rev.3 draft align with CMMC planning?

  • What remains true is that DFARS -7012 contractually requires NIST 800-171 (current Rev. 2) compliance NOW… and non-compliance carries significant risk under the False Claims Act, along with contractual consequences for failing to comply.
  • What DoD contractors should focus on NOW is the implementation of NIST 800-171 as it exists today… with an eye to meeting or upgrading to Rev. 3 requirements when they are incorporated in contracts in the future.
  • If DoD contractors are focused on when third-party auditors (C3PAOs) may begin CMMC certification audits, they are missing the point and putting their businesses at risk.

SSE’s Expertise in NIST 800-171 and CMMC Compliance

At SSE, we stand ready to assist organizations with compliance. We offer expertise in data security and compliance, meaning we are well-equipped to guide organizations through the intricacies of NIST 800-171 and prepare them for successful CMMC certification. Our tailored solutions and hands-on approach ensure your organization’s sensitive information is safeguarded against emerging threats. Stay ahead in cybersecurity – contact SSE today for an initial consultation.

Check out our comprehensive guide for more information on NIST 800-171 Rev.3 draft and CMMC planning.

Improving Cloud Performance For Your Enterprise
https://www.sseinc.com/blog/improving-cloud-performance/
Wed, 10 May 2023 20:24:53 +0000

While the cloud offers certain benefits, including scalability and potential cost savings, it’s important to evaluate whether it’s the right fit for your business needs.

In this article, we’ll explore the benefits and challenges of cloud computing, evaluate the factors to consider when deciding whether to use the cloud and examine ways to improve your cloud performance.

Understanding the Benefits of Cloud Computing

Cloud environments allow businesses and organizations to access data and applications from anywhere with an internet connection. Additionally, cloud providers offer certain security measures to protect your data from cyber threats. Here are some benefits of cloud computing:

  1. Scalability: Cloud services allow businesses to easily scale up or down based on their needs without the need for additional infrastructure.
  2. Potential Cost Efficiencies: With cloud computing, you only pay for what you use, reducing the need for upfront hardware and software investments.
  3. Efficiency: Employees can access data and applications from anywhere with an internet connection.
  4. Security: Some cloud providers offer certain security measures, including data encryption, regular backups, and multi-factor authentication.

Evaluating Your Cloud Environment and Potential Challenges

While cloud computing offers certain benefits, it’s important to evaluate whether it’s the right fit for your business. Here are some factors to consider:

  1. Workload: Is your workload consistent or does it fluctuate? If usage varies, so too could your related costs.
  2. Compliance: Does your industry have specific compliance regulations? Cloud providers offer varying levels of compliance, so it’s important to ensure your provider meets your industry’s requirements.
  3. Cost: While cloud computing can offer cost savings upfront, it’s important to evaluate the total cost of ownership, including the cost of data transfer, storage, and maintenance. Around the 2 ½ year mark, cloud solutions typically begin to exceed the long-term cost of on-premises hardware.
  4. Security: While cloud providers offer certain security measures, it’s important to evaluate whether their security measures meet your specific needs and/or industry requirements. For example, businesses supplying Department of Defense contracts may require a government version of certain cloud aspects or tools.
  5. Data Privacy: Do you have concerns about data privacy? It’s important to ensure that your cloud provider adheres to strict data privacy policies and procedures.
  6. Performance: How important is performance to your business? Cloud computing may not be the best solution if you require high levels of performance or low latency.
  7. Data Backup and Archiving: It is important to evaluate what the provider’s default package includes in terms of data backup and protection features. Often, a deeper dive shows that the included data protection is limited to a short recovery window, such as a rolling seven days, rather than a long-term, multi-year data retention option.

Cloud Performance Optimization

While migrating away from the cloud may be necessary for the performance goals of some companies, others may find that with some adjustments and optimizations, their cloud environment can work better for them.

Optimize Cloud Resources

When it comes to optimizing storage and the high performance of your cloud resources, there are several strategies you can employ:

  1. Right-size your resources: Over-provisioning resources can lead to unnecessary costs. Use monitoring tools to identify underutilized resources and adjust your allocation accordingly.
  2. Use cost management tools: Cloud providers offer a variety of cost management tools to help you monitor your spending and optimize your resource usage. Take advantage of these tools to save money.
  3. Use reserved instances: Reserved instances allow you to commit to using a certain amount of resources over a specific time period, typically resulting in a lower cost compared to on-demand instances.
  4. Use spot instances: Spot instances are a type of on-demand instance that are significantly cheaper, but come with the risk of being terminated with little to no notice. Use spot instances for non-critical workloads to save money.

Implement Security Best Practices

Security is the top concern most companies and organizations have for cloud computing. Here are some best practices you can implement to ensure your data and storage space is secure:

  1. Encryption: Encrypting your data in transit and at rest can help protect it from unauthorized access.
  2. Access controls: Implementing access controls such as role-based access control (RBAC) can limit who can access your cloud resources.
  3. Regular security audits: Regular security audits can help identify vulnerabilities and ensure compliance with industry standards.
  4. Incident response plan: Having an incident response plan in place can help you respond quickly and effectively to security incidents.

Alternatives to Cloud Computing

If you’ve evaluated your cloud environment and determined that it’s not the right fit for the users in your business or to meet industry requirements, there are several alternatives to consider:

  1. On-Premises Computing: With on-premises computing, all hardware and software are located on-site, providing greater control and security. While on-premises computing can be more expensive, it may be the best solution for businesses that require high levels of control or have regulatory compliance requirements.
  2. Hybrid Cloud: A hybrid cloud environment combines both cloud and on-premises computing, providing the best of both worlds. This can be a good option for businesses that need the flexibility of the cloud but also require on-premises control.
  3. Managed Service Provider (MSP): With managed services, a provider manages and maintains your infrastructure, providing greater security and uptime. MSPs can be a good option for businesses that want the benefits of security without the management overhead.

Migrating Away from the Cloud

If you’ve determined that it’s time to migrate away from the cloud, it’s important to have a plan in place. Here are some steps to consider:

  1. Evaluate your current cloud environment: Identify the reasons why the cloud isn’t working for your business and what your specific needs are.
  2. Choose an alternative solution: Evaluate the alternatives to cloud computing and choose the best solution for your business needs.
  3. Plan the migration: Develop a plan for migrating away from the cloud, including timelines, resources, and potential risks.
  4. Test and validate: Before fully migrating away from the cloud, test and validate your new solution to ensure it meets your business needs.
  5. Execute the migration: Once you’ve tested and validated your new solution, execute the migration in a controlled and methodical manner.
  6. Monitor and optimize: After the migration is complete, monitor and optimize your new solution to ensure it’s performing as expected.

Let SSE Help Assess the Right Options For Your Business

It’s important to evaluate your business needs, consider the benefits and drawbacks of using cloud-based computing, and explore alternative solutions.

At SSE, we help businesses evaluate their IT needs and find the best solutions for their specific business. Don’t let a mistake you made in the past decide your business goals and future.

Contact us today and learn how we can help you move forward confidently with high-quality IT solutions.

A Guide to Meeting CMMC Physical Protection Practices
https://www.sseinc.com/blog/physical-protection-practices/
Tue, 09 May 2023 00:00:00 +0000

Physical Protection Practices are a critical part of any comprehensive security program, as well as an essential aspect of NIST 800-171 compliance and protecting Controlled Unclassified Information (CUI). To help companies comply with the physical security requirements portion of Cybersecurity Maturity Model Certification (CMMC), the following is a breakdown of these practices at each level of CMMC.

CMMC Level 1 Physical Protection Practices

Four Physical Protection Practices are implemented at CMMC Level 1. These practices include:

PE.L1-3.10.1 Limit physical access to authorized individuals to organizational information systems, equipment, and the respective operating environments

To comply with this control, companies must identify all the areas within their physical premises that they want to block unauthorized individuals from accessing. This could include rooms, building floors, network infrastructure, server rooms, and computers and laptops. Then, only authorized staff or third parties who need physical access to do their jobs should be allowed to access these spaces. To effectively limit physical access, companies can use biometrics, badge readers, key cards, human guards, and so on.

PE.L1-3.10.3 Escort visitors and monitor visitor activity

This practice mandates that companies never allow site visitors/non-employees, even if known to them, to “wander” unescorted around their facilities. Visitors should prominently wear visitor badges and/or be escorted by a properly trained employee at all times while on the property.

PE.L1-3.10.4 Maintain audit logs of physical access

To comply with this practice, companies must keep records of everyone physically accessing their data storage, premises, organizational systems and equipment. This could be as simple as a sign-in/sign-out book.

PE.L1-3.10.5 Control and manage physical access devices

This control refers to physical devices: locks, keys, lock combinations, card readers, etc. Such devices only offer protection if companies know who has them and what level of physical access they’re configured to permit. Therefore, companies need to carefully manage who can physically access them. Ensuring that employees leaving the organization turn in their ID and office keys, disabling old badges, etc., are also primary considerations.

Companies should implement appropriate Access Control policies and procedures to comply with these controls, such as background checks, employee training, employee off-boarding, and a strong visitor management program. Companies should also monitor secured areas of their physical environment for any signs of unauthorized access or suspicious activity.

To view the full text of each CMMC control, view the Level 1 Self-Assessment Guide here.

CMMC Level 2 Physical Protection Practices

At CMMC Level 2, there are two Physical Protection practices:

PE.L2-3.10.2 Protect and monitor the physical facility and support infrastructure for organizational systems.

“Monitoring” includes protections like video surveillance gear, sensors/alarms, and human guards. “Support infrastructure” could consist of physical security controls like data transmission wires and power lines inside the facility. The goal is to prevent physical tampering and accidental damage or disruption to infrastructure carrying sensitive data. This might require companies to put in place physical infrastructure to protect assets within scope like locked wiring cabinets, physical protection around cables or conduits, or even wiretapping sensors. A typical example would be installing video cameras and secure locks at the entrance to the server room.

To comply with security requirements for this control, companies should conduct regular physical security assessments to identify vulnerabilities and areas for improvement. Physical access controls should also be implemented to restrict or limit access to sensitive areas only to authorized individuals and ensure that all visitors are properly vetted and monitored while on the premises.

PE.L2-3.10.6 Enforce safeguarding measures for CUI at alternate work sites.

Especially since COVID-19, “alternate work sites” often include government facilities, temporary office spaces, and employees’ private homes. This practice says companies must define physical or electronic security safeguards to protect CUI “beyond the perimeter” at specific alternate work sites or site types, depending on the work-related activities that take place there. For example, staff working with CUI from home could be considered an alternate work site.

CMMC Level 3 Physical Access Control

At CMMC Level 3, the final physical access control is:

PE.L2-3.10.6 Enforce safeguarding measures for CUI at alternate work sites.

Especially since COVID-19, “alternate work sites” often include government facilities, temporary office spaces, and employees’ private homes. This practice says companies must define physical or electronic security safeguards to protect CUI “beyond the perimeter” at specific alternate work sites or site types, depending on the work-related activities that take place there. For example, staff working with CUI from home could be considered an alternate work site.

Unsure About Your Physical Protection Compliance?

Navigating the world of CMMC compliance can be overwhelming. Ensuring your organization’s electronic logs and physical access controls meet the requirements is just one piece of the puzzle. That’s why it’s essential to partner with a reliable and experienced CMMC compliance service provider to ensure you meet all the requirements.

At SSE, we offer a CMMC readiness assessment to evaluate your current level of compliance and identify any gaps that need to be addressed. Then, our team of experts will work with you to create a customized plan to help you achieve and maintain compliance with CMMC guidelines, including physical facility access controls.

Our comprehensive services include the following:

  • Developing and using security standards
  • Implementing policies and procedures
  • Using organizational systems
  • Conducting security awareness training
  • Providing ongoing support to ensure your organization stays updated with evolving CMMC requirements

Don’t risk non-compliance with CMMC requirements, which could result in lost contracts and reputational damage. Instead, contact SSE today to schedule your CMMC readiness assessment, and let us help you navigate the complex world of CMMC compliance.

What Are the Different Types of Computer Viruses?
https://www.sseinc.com/blog/types-of-computer-viruses/
Thu, 30 Mar 2023 00:00:00 +0000

With over 11 million new malware viruses in 2023 alone, the threat of computer viruses is becoming more significant by the day.

Understanding the different types of computer viruses and how to protect your company from them is crucial. This blog post will delve into the various types of computer viruses, their unique characteristics, and how you can prevent them from wreaking havoc on your company’s systems and data.

What is a Computer Virus?

A computer virus is a program or code that attaches itself to an executable file, replicates itself, and spreads from one computer to another. A virus can cause a wide range of problems, including stealing sensitive data, damaging the operating system, and deleting files. Computer viruses can spread through email attachments, downloads from the internet, and even through physical devices such as USB drives.

Different Types of Computer Viruses

There are several types of computer viruses, each with its own unique characteristics and method of attack. Here are the most common types of computer viruses:

  • File Infectors

File infectors are the most common type of computer virus. They attach themselves to executable files such as .exe, .com, and .sys file types. Once the infected file is executed, the virus code is activated, and the virus will spread to other files and computers.

  • Boot Sector Viruses

Boot sector viruses infect a hard drive’s boot sector, which is read first when a computer boots up. Once infected, the virus can spread to other disks and files. Boot sector viruses were prevalent in the past, but modern operating systems have built-in protections to prevent them.

  • Macro Viruses

Macro viruses infect Microsoft Office documents such as Word or Excel. They spread through macros or small programs that automate tasks in these programs. Once the macro virus infects a document, it can spread to other documents and computers.

  • Multipartite Viruses

Multipartite viruses are particularly hazardous because they can infect multiple parts of a computer system, including the boot sector and executable files. Additionally, they’re challenging to detect and remove and can cause significant damage to a computer system.

  • Polymorphic Viruses

Polymorphic viruses are viruses that can change their code to avoid detection. The virus code rewrites itself each time it replicates, making it difficult for antivirus software to detect and remove. Polymorphic viruses are becoming more prevalent as hackers become more sophisticated in their attacks.

10 Ways to Protect Your Company from Computer Viruses

It’s essential to take steps to protect your company from computer viruses. Here are some tips to keep your company safe:

  • Back-Up Your Data

Regularly backing up your data is crucial in the event of a virus infection. Make sure to back up your company’s data to a separate location or device to ensure you can recover your data if it’s lost or corrupted. This should be one of your first lines of defense, as it will ensure you have the ability to recover.

  • Enable Two-Factor or Multi-Factor Authentication

Next, consider implementing Multi-Factor Authentication (or MFA), which adds an extra layer of security by requiring users to enter a code sent to their phone or another device in addition to their password. Enabling MFA for all company devices can help prevent unauthorized access.

  • Use Firewalls

Firewalls can help prevent unauthorized access to your company’s network. Ensure all devices are protected by a firewall and monitor their performance.

  • Keep Software and Operating Systems Up to Date

Software updates often include security patches that address known vulnerabilities. Using an automated patching tool rather than applying patches manually can help ensure patches are applied quickly. In addition, keep all software and operating systems updated for the best possible protection against viruses.

  • Use Email Filtering

The vast majority of malware is received via email, making email one of the primary methods hackers use to spread viruses. Use email filtering to block emails with suspicious attachments or links, and make sure employees are familiar with email best practices to help prevent infection.

  • Install Business-Class Antivirus Software

After you have done all of the above, ensure you have an active, business-class anti-virus tool installed. It is essentially your last line of defense after a virus has gone through your firewall and made it past your spam filter to your actual computer. Also, take security up a notch by deploying behavior-based anti-virus software on all company devices. Behavior-based security is a cutting-edge approach to cybersecurity. It seeks to identify and protect against malicious activity by monitoring for potential malware behavior, such as an attempt to infect a file or your computer, and stopping it in its tracks.

  • Use Strong Passwords

Weak passwords are an easy target for hackers. Establish a password management policy that educates and encourages all employees to use strong passwords and to change them regularly.

  • Educate Employees

Employees are often the weakest link in the security chain. Therefore, educate all employees about the dangers of computer viruses, how to recognize them, and how to avoid them.

  • Implement Network Segmentation

Network segmentation is the process of dividing a network into smaller subnetworks. By implementing network segmentation, you can limit the spread of a virus in case of an infection. This way, even if one network segment gets infected, the virus can’t spread to other parts of the network.

  • Conduct Regular Security Audits

Regular security audits can help identify your company’s potential vulnerabilities. Conduct security audits at least once a year and take corrective measures to address any weaknesses or vulnerabilities found.

By implementing the tips outlined above, you can significantly reduce the risk of a virus infection and keep your company’s data and systems safe. Remember, it’s always better to be prepared than to deal with the consequences of a virus attack.

Keep Viruses at Bay with Pretecht by SSE

Protecting your company from computer viruses requires a proactive approach involving technical and organizational measures. At SSE, we know the importance of cybersecurity. Antivirus is a core part of our solution set, so partnering with us means fortifying your defenses against the rising virus threats with our comprehensive technology stack of cybersecurity tools called Pretecht.

Contact us today to discuss how SSE can help assess your potential vulnerabilities and protect your company’s data.

What CMMC Level Do I Need to Attain?
https://www.sseinc.com/blog/what-cmmc-level-do-i-need/
Wed, 29 Mar 2023 21:28:31 +0000

By this point, most, if not all, DoD contractors are aware they must comply with CMMC if they want to continue holding government contracts. But knowing which level your specific company requires can sometimes feel like a mystery.

Non-compliance with the standard can result in the loss of government contracts and legal and financial consequences. Therefore, it is essential to understand what CMMC level your company needs to achieve and take the necessary steps now to plan for and achieve this compliance.

What is the Difference Between CMMC levels?

Per CMMC 2.0, the CMMC standard has three levels representing different requirements for cybersecurity maturity. The higher the level, the more advanced and comprehensive cybersecurity measures must be in place.

The levels are as follows:

  • Level 1: Foundational

CMMC Level 1 consists of 17 controls and is based on FAR 52.204-21. These controls protect covered contractor information systems and limit access to only authorized users. The 54-page assessment guide is only applicable to companies that focus on protecting Federal Contract Information (FCI).

  • Level 2: Advanced

CMMC Level 2 consists of 110 controls (inclusive of Level 1), 320 assessment objectives, and a 270-page assessment guide that applies to companies working with Controlled Unclassified Information (CUI). It is based on DFARS 252.204-7012. This level in CMMC is now completely aligned with the 110 controls of NIST SP 800-171.

  • Level 3: Expert

CMMC Level 3 focuses on reducing risk from Advanced Persistent Threats (APTs) and is designed for companies working with CUI on the DoD’s highest priority programs. Specific security requirements are still being determined by the DoD, but will most likely be based on the 110 controls of NIST SP 800-171 in addition to a subset of NIST SP 800-172 controls.

What Level of CMMC Do I Need for My Company?

The level of CMMC your company needs to achieve will depend on your scope, or the type of information your company handles and the type of government contracts you support.

The following questions will help you determine what level of CMMC you need:

  • Does your company only handle Federal Contract Information (FCI)?

If your company handles FCI, you must achieve at least CMMC Level 1.

  • Does your company handle CUI?

If your company handles CUI, you must achieve at least CMMC Level 2 and…you are already subject to meeting the requirements of NIST 800-171. 

  • Does your company handle CUI related to national security systems or critical infrastructure?

If your company handles CUI related to national security systems or critical infrastructure, you will need to achieve CMMC Level 3.

What steps can I take to achieve CMMC compliance?

To achieve CMMC compliance, you will need to take several steps, including:

  • Assess your current cybersecurity measures: Before achieving CMMC compliance, you need to assess your current cybersecurity measures to identify any gaps in your security and determine what steps you need to take to achieve compliance.
  • Develop a plan: Based on your assessment, develop a plan for achieving CMMC compliance. This plan should include a timeline, a budget, and a list of actions to take.
  • Implement cybersecurity measures: Once you have a plan, start implementing the cybersecurity measures you need to achieve compliance. This may include installing new software, implementing new policies and procedures, and providing employee training.
  • Continuously monitor and improve: CMMC compliance is not a one-time process. To remain compliant, you must continuously monitor and improve your cybersecurity measures. This may involve conducting regular assessments, implementing new technologies, and updating your policies and procedures as needed.
  • Seek outside help: There are companies that specialize in assisting companies in attaining CMMC compliance, like SSE, and can provide you with the expertise and resources you need to succeed.

Feeling Overwhelmed by the CMMC Journey?

If tackling CMMC certification seems daunting, let the experts at SSE guide you through your journey. We are an accredited Registered Provider Organization (RPO) by the CYBER AB (formerly the CMMC Accreditation Body). 

SSE has expertise in managing classified data and Controlled Unclassified Information (CUI) through evolving cybersecurity regulations for more than 12 years and has maintained our and our clients’ NIST 800-171 compliance since it became law in 2017.

Contact us about an initial and complimentary CMMC Readiness Assessment today!

What is Zero Trust Architecture?
https://www.sseinc.com/blog/what-is-zero-trust-architecture/
Mon, 27 Feb 2023 10:00:25 +0000

The term “zero trust” has become increasingly popular in the cybersecurity industry in recent years. In fact, the Department of Defense released its Zero Trust Strategy and Roadmap. But, what does it actually mean?

Simply put, a zero trust security model assumes that every user, device, and network connection is potentially untrusted and therefore must be validated before access is granted. This approach contrasts with the traditional “perimeter defense” model, which assumes that everything inside the perimeter is trusted and only external threats must be guarded against.

Let’s dive deeper into what the zero trust approach to cybersecurity can look like. 

Why Is The Zero Trust Approach Gaining Popularity?

The zero trust approach is gaining popularity because it addresses many challenges organizations face with traditional cybersecurity models. One such challenge is the growing number of cyber threats, which are becoming more sophisticated and difficult to detect. The zero trust approach focuses on continuously verifying a user’s identity and monitoring for suspicious activity, making it more effective at detecting and responding to threats.

Another challenge is the increasing use of cloud-based services, making it difficult to maintain a secure perimeter around an organization’s assets. The zero trust approach is well-suited to cloud environments, focusing on securing individual assets and networks rather than creating a single, secure perimeter.

Why Should an Organization Adopt Zero Trust?

There are several reasons why an organization should consider adopting a zero trust security model:

  • Better protection against insider threats: As mentioned above, a zero trust model assumes that all users and devices are potentially untrusted, so it is more effective at detecting and preventing attacks from within the network.
  • Enhanced security for remote work: With the increasing number of remote workers, it is important to ensure that all access to company resources is secure, regardless of location. A zero trust model can help to accomplish this.
  • Improved efficiency: A zero trust model can reduce the time and effort needed to manage security and access controls by only granting access to the specific resources that a user needs.
  • Increased visibility: With a zero trust model, all access to resources is logged and can be monitored, providing greater visibility into potential security threats.

Finally, the zero trust approach can help organizations meet regulatory compliance requirements and reduce their overall risk. By implementing the key principles of zero trust, such as continuous monitoring and microsegmentation, organizations can demonstrate that they are taking a proactive approach to cybersecurity and protecting their assets and data.

Discuss Zero Trust with SSE

A zero trust approach to cybersecurity is a proactive and effective way to protect against threats, improve compliance, and enhance security for remote work. If your organization is considering adopting this approach, it is important to work with a trusted security provider to address your organization’s specific needs.

At SSE, we offer various services, including security assessments and training. Our team of experienced security professionals helps organizations with our vetted IT and cybersecurity tools as managed services to ensure their systems and networks are secure.

If you are interested in learning more about SSE’s cybersecurity services, please get in touch with us today for a complimentary initial network assessment!

Best Practices For Efficient and Painless Patch Management
https://www.sseinc.com/blog/efficient-patch-management/
Mon, 27 Feb 2023 00:00:00 +0000
https://www.sseinc.com/?p=21127

Proper patch management improves a company’s cybersecurity stance and enhances its reputation, longevity, and productivity by helping to prevent downtime, data breaches, and reputational damage.

This article will discuss the importance of patch management, the risks associated with poor patch management policies, and best practices for efficient and painless patch management. We will also touch on antivirus management and the importance of managed and unmanaged software.

But First, What is Patch Management?

Patch management services are vital to maintaining the security and performance of your company’s computer systems. Patch management involves keeping software updated by installing the latest patches and updates to fix bugs and vulnerabilities and improve the system’s overall performance.

Best Practices for Efficient and Painless Patch Management

A strong patch management strategy allows companies to proactively protect their systems from known vulnerabilities and mitigate potential risks. Furthermore, many regulatory compliance frameworks and industry standards, such as PCI-DSS and HIPAA, require regular software updates and patches to protect sensitive information and systems.

Therefore, keeping software up-to-date through a well-implemented patch management process is crucial to overall IT security and regulatory compliance.

  • Regularly check for updates

Upgrades may be optional. Updates are not, or at least they shouldn’t be. An update that is not applied places your computer, network, and critical data at risk. Organizations should establish a schedule for checking for updates and installing them. Depending on the organization’s needs, this could be weekly, bi-weekly, or monthly.

  • Prioritize patches based on risk

Not all patches are created equal. Security patches, for example, should be prioritized over software patches.

  • Test patches before deployment

Organizations should test patches before deploying them in a production environment. This will help ensure that the patches do not cause any issues and are compatible with the organization’s systems.

  • Automate patch management

Automating patch management can save organizations a lot of time and resources. Automation can also ensure that patches are installed consistently and on schedule. SSE offers an automated patch management process and tool to simplify things for our clients.

  • Implement a patch management policy

Organizations should implement a patch management policy that outlines their patch management processes, including the schedule for checking for updates, the process for testing and deploying patches, and the process for keeping an inventory of installed software.

  • Keep an inventory of installed software

Organizations should keep an inventory of the software installed on their systems. This inventory should include the version number, the vendor, and the installation date. This inventory can help organizations track which systems must be patched and which patches have been installed.
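The inventory and prioritization practices above can be combined into a single patch queue. The following is an added example, not SSE's tooling: the hosts, products, versions and field names are constructed for illustration, and versions are assumed to be dotted numbers.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Installed:
    """One inventory record: what is installed where, from whom, since when."""
    host: str
    name: str
    vendor: str
    version: str
    installed_on: date


@dataclass(frozen=True)
class Patch:
    name: str            # software the patch applies to
    fixed_version: str   # version that contains the fix
    kind: str            # "security" or "other"
    released: date


def vkey(version):
    """Compare versions numerically. As plain strings, '10.1' sorts below
    '9.9', which would wrongly report an old install as up to date."""
    return tuple(int(part) for part in version.split("."))


def patch_queue(inventory, patches, as_of):
    """Return installs that need a patch: security first, then the
    longest-outstanding first."""
    rows = []
    for item in inventory:
        missing = [p for p in patches
                   if p.name == item.name
                   and vkey(p.fixed_version) > vkey(item.version)]
        if not missing:
            continue
        security = [p for p in missing if p.kind == "security"]
        # Exposure is measured from the oldest missing security patch,
        # or from the oldest missing patch if none is a security fix.
        oldest = min(p.released for p in (security or missing))
        target = max(missing, key=lambda p: vkey(p.fixed_version))
        rows.append({
            "host": item.host,
            "software": item.name,
            "installed": item.version,
            "target": target.fixed_version,
            "kind": "security" if security else "other",
            "days_outstanding": (as_of - oldest).days,
        })
    rows.sort(key=lambda r: (r["kind"] != "security", -r["days_outstanding"]))
    return rows


# Constructed sample data (hypothetical hosts, products and versions).
INVENTORY = [
    Installed("ws-01", "ExamplePDF", "Example Corp", "9.9", date(2022, 3, 1)),
    Installed("ws-02", "ExamplePDF", "Example Corp", "10.2", date(2023, 1, 9)),
    Installed("srv-01", "ExampleDB", "Example Corp", "4.1.0", date(2021, 11, 5)),
    Installed("srv-01", "ExampleAgent", "Example Corp", "2.0", date(2022, 6, 1)),
]
PATCHES = [
    Patch("ExamplePDF", "10.1", "security", date(2022, 12, 1)),
    Patch("ExamplePDF", "10.2", "other", date(2023, 1, 5)),
    Patch("ExampleDB", "4.2.0", "other", date(2022, 10, 1)),
    Patch("ExampleAgent", "2.1", "security", date(2023, 2, 1)),
]

if __name__ == "__main__":
    for row in patch_queue(INVENTORY, PATCHES, as_of=date(2023, 2, 27)):
        print(row)
```

The ExampleDB update has been outstanding the longest, yet it is queued last because neither of the two security items ahead of it may wait behind a non-security update.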

Antivirus Management

Antivirus software is a program that scans a computer or network for malware and removes it if found. Antivirus software is vital for protecting organizations from malware, such as viruses, Trojans, and worms, which can cause harm to a system.

There are two types of antivirus software – managed and unmanaged. 

Managed antivirus software

This type of antivirus software is managed by a third-party service provider like SSE, which keeps the software up to date and provides support. We install, configure, and maintain the software on our clients’ devices. This means that our clients do not have to worry about the technical aspects of the antivirus software and can focus on their core business. Additionally, we regularly report to our clients on the software performance and any issues detected.

Unmanaged antivirus software

The organization itself manages this type of software. This means the company must install, configure, and maintain the software on its own devices and handle the software’s incident response and regular reporting. Unmanaged antivirus software has more cons than pros, not least the lack of notification of failed updates or suspicious activity. End users can often interrupt, disable, and remove the software.

Stay On Top of Patch and Antivirus Management with SSE

If your resources are stretched thin, consider patch management and/or antivirus services at SSE. At SSE, we’ll ensure that your patch management process is efficient, effective, and fully compliant with relevant regulatory frameworks and industry standards. This will reduce the risk of security breaches, improve the performance of your systems, and maintain regulatory compliance.

SSE’s expertise in cybersecurity allows us to provide tailored solutions to implement the best patch management practices and to keep your systems and data secure and up-to-date. Let the experts manage your IT. Schedule a complimentary Network Assessment and begin securing your infrastructure with SSE.

Why are NIST 800-171 and CMMC Gap Assessments Necessary?
https://www.sseinc.com/blog/cmmc-gap-assessments/
Tue, 21 Feb 2023 16:06:32 +0000
https://www.sseinc.com/?p=21115

When preparing for NIST 800-171 and Cybersecurity Maturity Model Certification (CMMC) Compliance, taking the guesswork out of your organization’s preparedness is a must and can prevent hefty penalties.

Below we’ll discuss what you can expect from SSE’s NIST 800-171 and CMMC Gap Assessment process and what you can do to prepare for your certification audit.

What is a Gap Assessment?

SSE’s NIST 800-171 and CMMC Level 2 Gap Assessment is a detailed evidence collection, assessment and analysis of a company’s existing environment and its readiness state for an audit or assessment submission.  

The output is the identification and documentation of all gaps in the form of a complete Security Assessment Report (SAR) that includes the following deliverables:

  • A NIST 800-171 Basic Assessment and Scoring
  • Detailed Compliance Matrix for both NIST 800-171 and CMMC
  • Security Findings Traceability Matrix – information for an SSP
  • Plans of Action and Milestones (POAMs) for unmet requirements

With the completion of the Gap Assessment, SSE would be able to recommend potential and customized remediation solutions as needed to assist your organization in meeting compliance.

How long does a CMMC Gap Assessment take?

Several factors affect the time to perform a CMMC Gap Assessment, including your company environment, the number of active directory domains, locations, the availability of resources and input, and your current security posture.

However, it is typically a four-week engagement, requiring granular evidence collection and review of the following:

  • Verification against all 110 NIST 800-171 and CMMC 2.0 Level 2 practices
  • Review and verification of existing IT tools
  • Review of any existing System Security Plan (SSP)
  • Review of any existing Plans of Action and Milestones (POAMs)
  • Review of any existing policies/procedures and physical security practices

Why is a NIST 800-171 and CMMC Gap Assessment important?

A NIST 800-171 and CMMC Gap Assessment is critical in the compliance process, helping you understand which security controls need adjusting or adopting to meet compliance requirements. 

A Gap Assessment can uncover weak spots in your organization’s security practices, such as:

  • Weak access controls
  • Improper data storage or backup controls
  • Insufficient cybersecurity awareness training for employees
  • Incomplete incident response plan
  • Unsecured storage for data records
  • Insufficient network segmentation
  • Insufficient policy and procedure documentation around all of the above.

What to expect during a CMMC Gap Assessment?

During the Gap Assessment, which SSE can conduct onsite, remotely, or both, organizations should expect the following:

Examples include:

  1. Access control
  2. Password policy
  3. Incident response procedures
  4. Awareness training

  • Review of documentation practices within the organization. This portion includes, but is not limited to, reviewing your company’s documentation process that requires handling CUI.

Examples include:

  1. Inventory management
  2. Access restrictions
  3. Document marking

  • Review of physical security practices. This portion includes, but is not limited to, reviewing your company’s physical security practices that require handling CUI.

Examples include:

  1. Data storage devices
  2. Storage rooms
  3. Offboarding

  • Review of information systems inside determined boundaries. This portion includes, but is not limited to, reviewing your company’s IT systems that operate within the scope or boundaries that require handling CUI.
  • Once all evidence has been collected, SSE will audit and document gaps against NIST 800-171 controls and CMMC practices in a Security Assessment Report or SAR.

Next Steps After a NIST 800-171 and CMMC Gap Assessment

Following a Gap Assessment, you’ll know exactly where your organization stands on NIST 800-171 and CMMC compliance. Also, you’ll have the documentation needed to support a NIST 800-171 basic assessment score and submission to the DoD’s Supplier Performance Risk System (SPRS).

SSE can then provide recommendations and solutions to help remediate gaps, or we can do it for you!

When You’re On the Road to Compliance, Let SSE Be Your Guide

No matter where you are on the road to compliance, SSE has the expertise to help your organization become compliant. SSE has been accredited by The CYBER AB (formerly the CMMC Accreditation Body) as a Registered Provider Organization (RPO). Our team is up to speed on the latest changes and upcoming CMMC implementation.

If you are still determining where you are in the process, contact our team for an initial consultation to discuss how our NIST 800-171 and CMMC Gap Assessment could help your 2023 planning.

Attention MSPs with DoD Clients – Understanding Compliance and Risks For Your Clients
https://www.sseinc.com/blog/attention-msps-with-dod-clients-understanding-compliance-and-risks-for-your-clients/
Fri, 20 Jan 2023 17:25:36 +0000
https://www.sseinc.com/?p=21082

Managed Services Providers (MSPs) fill an important role in providing IT services and support for businesses across multiple industries. For MSPs supporting Department of Defense (DoD) contractors and subcontractors, existing and evolving cybersecurity regulations may pose significant risks heading into 2023.

Companies must have a plan in order to meet these challenges, and many will look to their trusted MSP partners for help. But do MSPs fully understand these DoD requirements and are they prepared to advise and assist their clients in achieving compliance?

In this article, we’ll review the evolving DoD requirements, what MSPs should consider with respect to their current partnerships and how best to support them moving forward.

Requirements are getting stronger…

Since becoming law in 2017, NIST 800-171 has governed the protection of Controlled Unclassified Information (CUI) by DoD contractors and subcontractors. Companies must adhere to the specific 110 controls of NIST 800-171 in order to be eligible for and complete government projects that involve CUI.  Some examples of CUI include:

  • Emails
  • Electronic Files
  • Blueprints or Drawings
  • Sales or Purchase Orders
  • Contracts

While companies may have been able to “self-attest” to NIST 800-171 requirements in the past, the DoD has strengthened its review and enforcement. With the implementation of the DFARS Interim Final Rule in 2020, companies are now required to submit a scored self-assessment into the DoD’s Supplier Performance Risk System (SPRS) based on their compliance with the 110 requirements of NIST 800-171.

And later this year, as currently outlined by the DoD, defense contractors and subcontractors will have to certify—and potentially overhaul—their cybersecurity controls and policies to comply with Cybersecurity Maturity Model Certification (CMMC). Companies that fail to abide by the cybersecurity standards required by their contracts may face hefty penalties. Penalty fines, which can be as much as the entire contract value, combined with the potential loss of government contracts, could create substantial risks to businesses’ revenue streams.

Are MSPs prepared?

MSPs, as trusted advisors, are often tasked with assisting their clients with assessing and planning for compliance. What many companies (and their MSP partners) fail to realize is that in addition to having the right cybersecurity tools in place, having a documented System Security Plan (SSP) with Plans of Action and Milestones (POAMs) for any unmet controls is essential. Without this documentation, NIST 800-171 self-assessments would be considered invalid, the company would not be in compliance, and upcoming CMMC audits would be failed.

Key questions every MSP should ask themselves when supporting DoD clients:

  • Does your client have a System Security Plan (SSP)?
  • Has your client submitted a scored NIST 800-171 self-assessment to the DoD? Did you assist in preparing this submission?
  • Could your client provide documentation (SSP and POAMs) supporting their compliance to the DoD upon request?
  • Do you know what your client needs (think policies, procedures, processes to ensure compliance, tools, monitoring, on-going evidence collection, etc.) to meet requirements and do you have the expertise to help them?

If you answered “no” to any of the above, seeking assistance from outside expertise could be invaluable to protecting your and your clients’ existing revenue and mitigating potential risks.

SSE can help MSPs help their DoD clients…

In addition to being an MSP, SSE is also a DoD contractor. We have managed our and our clients’ networks to both NIST 800-171 as well as NIST 800-53 standards since 2009. We have assisted dozens of companies in assessing their current state and developing a customized compliance plan based on their specific needs. It all starts with an assessment.

SSE’s NIST 800-171 and CMMC Gap Assessment is a detailed evidence collection, assessment and analysis of a company’s environment and its readiness state for an audit or assessment submission. It includes:

  • Verification against all 110 NIST 800-171 and CMMC 2.0 Level 2 (includes Level 1) practices
  • Review and verification of existing IT tools
  • Review of any existing System Security Plan (SSP)
  • Review of any existing Plans of Action and Milestones (POAMs)
  • Review of any existing policies/procedures and physical security practices

The output is the identification and documentation of all gaps in the form of a complete Security Assessment Report (SAR) that includes the following deliverables:

  • DoD NIST 800-171 Assessment and Scoring
  • Detailed Compliance Matrix for both NIST 800-171 and CMMC Levels 1 and 2
  • Security Findings Traceability Matrix – information for an SSP
  • Plans of Action and Milestones (POAMs) for all unmet requirements

With the compliance gaps identified and documentation in place, SSE’s Cybersecurity as a Service offering can be customized and added to the existing IT and cybersecurity services provided by MSPs in order for their clients to meet requirements. SSE has also developed Model Policy Templates for customization to a client’s environment for all IT and non-IT controls. These services were vetted to ensure compliance with the 110 controls defined by NIST 800-171 requirements and scoped to meet the evolving CMMC standards in a cost effective manner.

With the complexities around NIST 800-171, the DFARS Interim Final Rule and CMMC, SSE can help supplement your existing service offerings and validate your approach to meeting your clients’ NIST 800-171 and CMMC compliance needs.

SSE has been accredited by the Cyber AB (formerly the CMMC Accreditation Body) as a Registered Provider Organization (RPO). Let us demonstrate how we can help.  Schedule an initial consultation with our team to get started.

Test Your Knowledge: Cyber Awareness Quiz
https://www.sseinc.com/blog/which-of-the-following-is-true-of-protecting-classified-data/
Wed, 18 Jan 2023 21:54:32 +0000
https://www.sseinc.com/?p=21073

Did you know that the Federal Trade Commission (FTC) has several quizzes to help small businesses improve cyber hygiene? These quizzes cover a variety of topics, including the basics of cybersecurity, phishing, and protecting personal information.

We took some key questions from the FTC’s cybersecurity quiz and used them to create our own cybersecurity awareness quiz. By taking our quiz, you and your team can test your knowledge and get better tips on protecting your business from cyber threats.

Cybersecurity Quiz

Which of the following should you do to restrict access to your files and devices?

A. Update your software once a year.

B. Share passwords only with colleagues you trust.

C. Have your staff members access information via an open Wi-Fi network.

D. Use multi-factor authentication.

  • Correct answer: D. Implementing multi-factor authentication for access to sensitive areas of your network effectively protects important data. This security measure involves more than just entering a password, such as requiring a temporary code sent to a smartphone or inserting a physical key into a computer.

Which is the best answer for which people in a business should be responsible for cybersecurity?

A. Business owners. They run the business, so they need to know cybersecurity basics and put them in practice to reduce the risk of cyber attacks.

B. IT specialists because they are in the best position to know about and promote cybersecurity within a business.

C. Managers, because they are responsible for making sure that staff members are following the right practices.

D. All staff members should know some cybersecurity basics to reduce the risk of cyber attacks.

  • Correct answer: D. All staff should know to follow basic cybersecurity practices for a culture of security – and everyone should get regular training.

Physical Security Quiz

Which one of these statements is true?

A. It’s best to use multi-factor authentication to access areas of the business network with sensitive information.

B. You should use the same password for key business devices to guarantee that high-level employees can access them in an emergency.

C. The best way to protect business data is to ensure no one loses any device.

D. You shouldn’t limit login attempts on key business devices because getting locked out for having too many incorrect attempts would leave you unable to access your accounts.

  • Correct answer: A. Always use multi-factor authentication to access areas of your network and devices with sensitive information. This requires additional steps beyond logging in with a password — like a temporary code on a smartphone or a key inserted into a computer.

Ransomware Quiz

What is ransomware?

A. Software that infects computer networks and mobile devices to hold your data hostage until you send the attackers money.

B. Computer equipment that criminals steal from you and won’t return until you pay them.

C. Software used to protect your computer or mobile device from harmful viruses.

D. A form of cryptocurrency.

  • Correct answer: A. Ransomware attacks can have serious consequences for individuals and organizations, including loss of access to important data, disruption of business operations, and financial losses. It is important for individuals and organizations to take steps to protect themselves from ransomware attacks, such as regularly backing up data, keeping software and security measures up to date, and being cautious about opening emails or clicking on links from unknown sources.

Which of these best describes how criminals start ransomware attacks?

A. Sending a scam email with links or attachments that put your data and network at risk.

B. Getting into your server through vulnerabilities and installing malware.

C. Using infected websites that automatically download malicious software to your computer or mobile device.

D. All of the above.

  • Correct answer: D. Criminals may use a variety of tactics to start ransomware attacks. One common method is to send a phishing email with links or attachments that, when clicked on or opened, put the victim’s data and network at risk by installing malware on the victim’s device. Another tactic is to exploit vulnerabilities in a victim’s server or network to gain access and install malware. Criminals may also use infected websites that automatically download malicious software to a victim’s computer or mobile device when the victim visits the site. It is important for individuals and organizations to be cautious about opening emails or clicking on links from unknown sources and about keeping their software and security measures up to date to protect against ransomware attacks.

Phishing Quiz

Which one of these statements is correct?

A. If you get an email that looks like it’s from someone you know, you can click on any links as long as you have a spam blocker and anti-virus protection.

B. You can trust an email from a client if it uses the client’s logo and contains at least one fact about the client that you know to be true.

C. If you get a message from a colleague who needs your network password, you should never give it out unless the colleague says it’s an emergency.

D. If you get an email from Human Resources asking you to provide personal information immediately, you should check it out first to ensure they are who they say they are.

  • Correct answer: D. This email could be a phishing scam, where you get a message that looks like it’s from someone you know, asking you urgently for sensitive information. Before responding, call Human Resources and confirm they sent the message.

Secure Remote Access Quiz

Before connecting remotely to the company network, your personal device should meet the same security requirements as company-issued devices. 

True

False

  • Correct answer: True. When connecting remotely to the company network, your device should meet the same security requirements as company-issued devices that connect directly to the network.

Which of the following describes the best way to ensure you securely access the company network remotely?

A. Read your company’s cybersecurity policies thoroughly.

B. Use a VPN when connecting remotely to the company network.

C. Use unique, complex network passwords and avoid unattended, open workstations.

D. Do all of the above.

  • Correct answer: D. There are several steps that individuals can take to ensure they are securely accessing the company network remotely. Using a VPN when connecting remotely to the company network can help encrypt the connection and protect against potential cyber threats. Additionally, using unique, complex network passwords and avoiding unattended, open workstations can help to prevent unauthorized access to the network. By following these best practices, individuals can help to ensure the security of the company network when accessing it remotely.

SSE is Your Cybersecurity Partner

It’s important to regularly educate yourself and stay up to date on the latest trends and developments in the field. As cybersecurity experts, SSE makes it our business to keep your company secure with our comprehensive cybersecurity services.

Get in touch with us to schedule a complimentary assessment of your current cybersecurity posture, and let us fortify your business today!
