Our assessment follows a 7-step process that reviews current policy, maps that policy to the assessment controls, and outlines a recommended roadmap for the organization to meet CMMC compliance.
1) Network Assessment
Before we dig deep into the organization, we need to know as much about the organization as possible. To accomplish this, we have our customers fill out a Preliminary Network Assessment.
2) Policy/Procedure Review
Once JLGOV has an idea of the company and its assets, the assessment really begins. JLGOV works with the organization to get a complete view of the policy and procedure in place within the company.
3) Conduct Pre-Assessment
Using the information we have gathered, we create an initial CMMC Pre-Assessment document that highlights all the current policy and procedure gaps in compliance with CMMC standards within the company. This includes any gaps that are addressed by practices within the organization but are not defined in policy or procedure documentation.
4) Vulnerability Scanner
While we are reviewing the documentation and policies provided, we simultaneously run a Vulnerability Scanner powered by SolarWinds that scans the current organizational systems for real-time risks.
5) Review Initial Findings
Once the Vulnerability Scanner has had time to run on the organizational systems and we have completed our initial CMMC Pre-Assessment Document, we meet with the organization to highlight what we have found in their policy and how it would map to the CMMC as it stands today.
6) Policy Creation
If the initial review highlights policy that needs to be created, the organization can choose to write and implement the policy itself, or JLGOV can help the organization transcribe policy for an added fee.
7) Final Reports
Once we have completed creating policy, or the organization provides its updated policy, we repeat our CMMC pre-assessment to properly assess the gaps in CMMC compliance.
• POA&M Creation
A Plan of Actions & Milestones (POA&M) is a document highlighting weaknesses and gaps within the organization and a timeline for addressing them. This document is not a requirement of the CMMC but, given that this is a pre-assessment, a POA&M gives the organization a road map and timeline to better prepare for its eventual CMMC assessment.
• System Security Plan (SSP) Creation
A System Security Plan (SSP) is the list of policies and procedures that pertain to the security of the company, the network topology of the organization, and pertinent financial information. This document is a vital requirement of NIST SP 800-171, which has been included in the CMMC.
• Operational Summary
The final documentation JLGOV provides to the organization is the Company Summary. This document provides a quick summary of the assessment process and additional information provided by industry best practices and professional experience.