There are a number of key areas that form the core of any successful cybersecurity program. Addressing these fundamentals is critical, whether your organization is big or small, or whether it is defense-related or a commercial business. Larger enterprises typically have ample resources available from both a fiscal and human resources perspective, but for smaller companies, this can be a big challenge. Obtaining the expertise needed to achieve this requires a multi-disciplinary approach – a problem for companies with a small IT staff and a limited budget.
LogiCore’s cybersecurity team is highly credentialed and qualified. As a Prime Contractor in the defense sector we have a mandatory requirement to meet and maintain stringent compliance and security standards. Our team also has substantial experience in the commercial sector. As federal and non-federal standards continue to align, commercial cybersecurity needs are increasingly coming under more regulatory focus, and in today’s hostile cyber landscape, a strong cybersecurity program is as business-essential as ever.
OUR CYBERSECURITY TEAM'S CREDENTIALS
CISSP - Certified Information Systems Security Professional
CCISO - Certified Chief Information Security Officer
CEH - Certified Ethical Hacker
CFE - Certified Fraud Examiner
CISM - Certified Information Security Manager
CISA - Certified Information Systems Auditor
Certified Third-Party Risk Professional
PMP - Project Management Professional
Sr. Third-Party Risk Management Professional
CompTIA Security+
MCSE - Microsoft Certified Systems Engineer
ITIL V4 Certification
AREAS OF EXPERTISE
NIST 800-171 & NIST 800-53
System Security Planning (SSP)
Policies & Procedures
Business Impact Analysis (BIA)
Risk Assessments (RA)
Audit & Assessor preparedness
Business Continuity Planning
Plan of Actions & Milestones (POA&M)
Incident Response prep
SOX, PCI DSS, ISO, HIPAA
Frameworks & Regulations
CYBERSECURITY FOR DEFENSE CONTRACTORS
Prime Contractors: Every prime contractor is subject to an assessment of NIST 800-171A compliance by DCMA (Defense Contract Management Agency). The compliance assessment consists of two stages: a Medium-Level assessment and a follow-on High-Level assessment (also known as a High Confidence Assessment).
Note: Because of current government travel restrictions due to COVID-19, most of these assessments are being carried out virtually, but some portions of the assessment are conducted live on-site by an assessor.
Being properly prepared for these assessments is crucial. There are 110 NIST controls on which you will be assessed, and failing to satisfy any of them results in points being deducted from your overall score. All scores are published in the SPRS (Supplier Performance Risk System), the database that federal customers consult when determining whether a contractor is practicing compliance and due diligence. Lower scores may result in not being selected in a competitive bidding environment. It is important to understand what DCMA looks for: it is a lot more than checking boxes and providing generic policies.
Sub-Contractors: Sub-contractors are not subject to government auditing on NIST 800-171A by DCMA at this time (note: if you are the prime on any other contract, you will be audited). This does not mean that sub-contractors need not be as prepared as a prime contractor; it is incumbent on every government contractor to meet NIST 800-171A compliance regardless of whether you will be subject to a government audit. Prime contractors are subject to the flow-down clause, which means they are nevertheless responsible for non-compliance by their sub-contractors. This may influence their selection of team partners.
Cybersecurity Maturity Model Certification (CMMC): This is changing the compliance landscape substantially. Regardless of whether you are a prime or a sub-contractor, any company wanting to do business with the government must become CMMC certified. Some new contracts already specify this, and eventually all will. There are five levels, and RFPs and contracts will specify which level must be met. Any contract involving CUI (Controlled Unclassified Information) will need to meet CMMC Level 3 at a minimum. CMMC Level 3 builds upon all 110 controls of NIST 800-171, which further substantiates the need to be fully NIST compliant as described above. The CMMC program is still evolving, but the time to start preparing for certification is now.
For further information, please contact LogiCore.