38North Security: A CMMC Registered Provider Organization (RPO)
As a designated RPO, 38North’s US Department of Defense (DoD) security expertise has been validated by the CMMC-Accreditation Body (AB). We prepare organizations to advance along the maturity model and position themselves for success supporting the US DoD.
38North is a Proven US DoD Security Provider
CMMC is in its infancy. No organization – including 38North – can claim to have much experience applying the CMMC.
However, 38North’s team of Senior Advisors has decades of experience helping the private sector interpret and implement DoD directives and security policy. From applying the RMF for DoD IT to field-deployed systems, to designing secure cloud architectures for sensitive applications, we help complex organizations rapidly meet DoD security requirements.
CMMC: A Complex, Pass-Fail Approach to Cybersecurity
The US DoD is starting an aggressive cybersecurity review of companies within the Defense Industrial Base (DiB). The 100,000+ companies that do business with DoD must earn a Cybersecurity Maturity Model Certification (CMMC) by being assessed against one of the five designated Maturity Levels.
The CMMC is unique among security standards in that companies are encouraged to continuously advance their security programs in order to achieve ever higher CMMC Maturity Levels. Sensitive, more advanced DoD programs will require higher maturity, making progress along the CMMC maturity model an important differentiator for defense contractors.
The CMMC requires that Maturity Level achievement be independently tested by Certified Assessors (CA) and validated by an accredited CMMC Third-Party Assessment Organization (C3PAO). Additionally, CMMC operates using a pass-fail model, where all practices and processes must pass at the time of assessment to achieve CMMC certification. Any individual weakness is enough to halt a company’s CMMC progress.
CMMC Approach
38North can help you climb the CMMC maturity ladder. CMMC compliance is a moving target. While the individual controls are finalized, no one really knows how the CMMC-AB and DoD will interpret compliance. Much of this uncertainty, including proper use of external services, metadata security, scan coverage requirements and boundary guidance, has a major impact on system design and operation.
Backed by our experience supporting DoD, and our network of partnerships across the C3PAO community, we can help you navigate this uncertainty. We design enduring architectures and evidence-based approaches that will withstand DoD scrutiny.
Our CMMC approach begins by tracing flows of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within your organization. This helps us define a system boundary of in-scope assets, while excluding those that do not fall under the CMMC’s purview.
With the boundary scoped we then help you identify and resolve gaps. Our CMMC services include:
CMMC Workshops:
Our workshops combine introductory CMMC training with boundary development and hands-on consulting to get you started on your CMMC journey. We also help make sense of lingering CMMC confusion by drawing on DoD best practices to help you design systems and approaches that will withstand CMMC assessments.
CMMC Gap Analysis:
Gap analyses help defense contractors wrap their heads around what they’ll need to do to comply with the CMMC. Our CMMC gap analysis will determine your gaps against the various maturity levels. We also deliver a prioritized roadmap of actions required to close gaps and ensure a clean assessment.
CMMC Advisory Support:
38North’s senior DoD security advisors can help you design, deploy, document and maintain a scalable security approach that efficiently meets your desired CMMC maturity level. We can also help you plan for a more secure future by laying the groundwork for the achievement of ever higher maturity levels.
CMMC Pre-Assessment Support:
If you’re preparing for your first CMMC assessment but need some assistance, let our experienced CMMC consultants handle the hassle of dealing with a C3PAO. We are well versed in the quirks of the formal assessments and can expeditiously resolve findings and streamline the authorization process. We also have relationships across the C3PAO community to help resolve misunderstandings and facilitate a smooth assessment.
CMMC Remediation Support:
This service is for those defense contractors that recently fell short on their CMMC assessment. We help plan, develop and implement remedial measures. This may come in the form of new technologies, policies, plans, procedures or training and awareness sessions. It may also mean tailoring current organizational processes to squeeze a little more out of existing investments.
Next Steps
Contact us to get started. The first step is a one-hour introductory and readiness session to understand your business landscape and gather technical details, while also making sure that we’re a mutual fit. We also offer unbilled follow-up calls if you have any additional questions or need consulting advice as you gear up for CMMC.
Following our initial meetings, formal proposals and pricing are submitted within approximately one week. We can kick off with a dedicated senior-level team within two to three weeks of contract signature.