Improve your business operations and make steady progress toward certification by working with a CMMC Registered Practitioner. We provide expert guidance and support tailored to your needs, capabilities, and budget.
Get started by reserving a complimentary CMMC initial assessment with one of our veteran engineers.
Tailored solutions for small businesses
CMMC compliance is complex, costly, and soon to be required for federal defense contracts. Many companies are scrambling to meet the requirements so that they don’t lose business.
CMMC implementation will impact the way you work. You should feel confident and prepared for your assessment.
That’s why we work with you throughout the process. As your Registered Practitioner, we will meet with you for an hour each week to guide you through the process and make sure all your bases are covered. Between our meetings, you will have tasks to work on with internal stakeholders.
We’ll help you scope your systems, review and document your current security setup, decide what systems are in-scope for each CMMC level and create a System Security Plan (SSP) and Plan of Action and Milestones (POA&M)
Your SSP is detailed documentation on how cybersecurity is practiced in your organization. This document is critical during your assessment. We will collaborate with you to make sure that the document is complete, accurate, and a useful reference tool.
Incident Response Plan (IRP): Your IRP identifies the team responsible for handling cybersecurity incidents; describes how you prevent, detect, and respond to incidents; and details how you determine the severity of an event.
We help you identify and prioritize security weaknesses, define corrective actions, establish milestones, and monitor progress. If your assessor finds items that need further attention, we’ll use the POA&M to work through them within the remediation window.
We’ll help you determine whether you need GCC High and make sure that your Microsoft 365 environment is properly configured for the type of data you handle.
Governance, risk, and compliance tools for CMMC compliance simplify inventory, documentation, planning, CUI marking, and budgeting. We’ll help you get comfortable with and make the best use of your GRC tool.
Making compliance attainable for small businesses
You’re more than welcome to have your existing IT partner or internal staff make the changes you need to become compliant. If you need a trusted IT partner, though, our team of experts can take care of all the technical details.
Some consultants suggest CMMC solutions that are total overkill. Instead, we recommend solutions that take into consideration the type of information you handle, what systems it touches, and your budget. Your CMMC implementation will be the best fit for your organization.
CMMC requires re-certification every three years. As your business grows and changes, you’ll want to make sure that you stay compliant. Enjoy greater peace of mind when your next assessment comes around.
Nine steps to achieving CMMC compliance
01
Form an implementation team. Identify key stakeholders and partners. This would also be a good time to bring on a CMMC consultant as a partner, particularly one who has been certified as a CMMC Registered Practitioner.
02
Identify the CMMC level you need. Do you need Level 1 or Level 2 CMMC compliance?
03
Define compliance scope. Identify all systems that protect or touch FCI or CUI.
04
Gap Analysis. Analyze your current security controls and itemize all deficiencies.
05
Gap remediation. Implement policies, procedures and systems to meet the CMMC standard. (This step alone will take one to two years.)
06
Select an assessor. Find a Certified Third-Party Assessor Organization (C3PAO). These organizations are currently in short supply for the expected demand so find one early.
07
Get assessed. An assessment for a smaller business will cost between $25,000 and $50,000.
08
Submit your report to the DoD. You must meet at least 80% of the criteria to go on to the next step.
09
Reach 100% compliance and become certified. You’ll have 180 days to correct any issues. The Cyber AB will issue you a certificate, which will be good for three years.
Case Study
Our client – a Richmond area aviation contractor – is well on the road to CMMC compliance – without killing their business with overwhelming IT costs. Here’s how they did it.
This particular government contractor (who also serves commercial clients) came to us about six years ago. At first, they were looking for a full-time IT person but then saw the value of our staff augmentation services. Not long after, they hired us as a managed IT services provider.
Six years may seem like an incredibly long time to be on the road to CMMC compliance, but we weren’t just working on CMMC over those years. A lot of what we’ve been doing is day-to-day user support that includes everything from onboarding to setting up conference room phone systems to refreshing their VPN, computers and server.
As far as compliance is concerned, our client started off with a negative SPRS score, which is not unusual.
An SPRS score can range from -203 to 110. To achieve CMMC certification, you’ll have to reach a minimum score of 88 and a Plan of Action and Milestones (POA&M) for the remaining items. Our client is now in the 80s or 90s, and we’d like to reach 110. We’ve been staying on top of their System Security Plan and their Plan of Action & Milestones and preparing them for their audit.
We took a huge step last year when we moved this client into a Department of Defense approved cloud product. Moving to a FedRAMP-approved tenant like Microsoft GCC High reworks everything – your email and all your settings have to be redone, all of your devices need to be managed, and you have to build out more policies than before – and document them.
Every time you change out a system, you’re going to have to revisit policies and procedures, so we are helping our client write those, which takes substantial time and effort.
If you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of fulfilling a defense contract, you need to reach CMMC compliance. It is highly recommended that you work with a Registered Practitioner (RP) as you move toward this goal.
Registered Practitioners are experienced IT and cybersecurity professionals that have been specially trained to assist you with CMMC. These CMMC consultants bring several benefits:
Our CMMC consulting costs about $800 to $1500 per month, depending on factors like company size, your current IT environment, and whether you need to reach CMMC Level 1 or Level 2. It typically takes 12 to 18 months to reach CMMC compliance.
You’re not required to use a a Registered Practitioner or a Registered Practitioner Organization when seeking CMMC compliance. But it sure helps. And The Cyber AB, the certifying body for CMMC, recommends that you do.
“Navigating the CMMC certification process can be complex and time-consuming, especially for organizations that are new to the requirements and standards” according to The Cyber AB. “That’s why it’s crucial to leverage the expertise of a trusted third-party organization that has been authorized by the Cyber AB to assist you on this journey.”
E-N Computers is a Registered Practitioner Organization with three Registered Practitioners. Ian MacRae and Thomas Kinsinger have worked with hundreds of small businesses to implement sound IT strategy with a focus on cybersecurity and compliance. Security Engineer Jonathan Lambert is our newest RP.
The best IT consultants have experience in both business and technology.
Ian MacRae, our founder, built the company from a small repair shop into a top-tier regional MSP. His passion for business and technology is instrumental in helping clients meet compliance regulations, improve security, and optimize systems and processes for continued growth. He is a CMMC registered practitioner, which authorizes him to provide CMMC implementation consulting services. This means meeting cybersecurity standards required by the Department of Defense.
Thomas Kinsinger, our director of technology, ran his own IT business for 10 years before joining our team in 2013.
His enthusiasm for technology and understanding of a variety of industries make him an excellent resource, someone who will take the time to explain technology and help you make the decisions that are best for your business. He holds several industry certifications including CompTIA A+ and Cisco CMNA.
CMMC consultants are IT professionals that specialize in cybersecurity and the Cybersecurity Maturity Model Certification program.
Registered Practitioners (RP/RPA) are recognized by The Cyber AB as having the experience and training “to assist in identifying gaps and providing mitigation strategies for an OSC preparing for an assessment.”
Registered Practitioner Organizations (RPO) are companies that have at least one RP on staff.
Read more: What are CMMC Registered Practitioners and do I need one?
CMMC consulting services guide you while your in-house IT staff or your current IT MSP executes the work. CMMC managed IT services means that we are doing the IT work for you.
Working with you to reach compliance as a managed IT services provider is similar to maintaining your existing house while building you a more complicated new house.
In four to six weeks, we can set you up with managed IT services. On the other hand, clients should expect the journey to full CMMC compliance to take up to two years. Now is the best time to start the process
The Cybersecurity Maturity Model Certification (CMMC) is a program created by the Department of Defense to protect sensitive information held by contractors that are part of the Defense Industrial Base (DIB). The program requires contractors to undergo assessment every three years and demonstrate that they comply with a range of cybersecurity practices. Companies that are not CMMC compliant will not be able to win federal defense contracts or subcontracts.
If your company handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of federal defense contracts, you need to be CMMC certified.
Read more: Is CMMC worth the cost?
Level 1 is manageable. It consists of 15 basic security requirements that your business should already be practicing. And you can be certified by completing an annual self-assessment. Every defense contractor handles FCI and must therefore practice CMMC Level 1.
Level 2 requires focused effort to achieve. There are 110 requirements that align with NIST SP 800-171. The NIST emphasizes that it is important to work with a qualified consultant to be compliant at this level. Most small businesses with defense contracts handle CUI and must practice CMMC Level 2. At this level, you must be assessed by a CMMC Third-Party Assessment Organization (C3PAO) every three years.
Level 3 applies to select prime contractors and involves a government-led assessment every three years. Most defense contractors will not be subject to CMMC Level 3.
CMMC assessments are completed by a CMMC Third-Party Assessment Organization (C3PAO).
Level 2 assessments must be performed by a Certified CMMC Assessor (CCA). Only US citizens can be on the assessor team.
The company you hire as your Registered Practitioner Organization (RPO) cannot also act as your C3PAO. An individual that acts as your Registered Practitioner (RP/RPA) cannot be one of your assessors.
Not sure if you need CMMC consulting services?
Talk with a veteran engineer who is also a CMMC Registered Practitioner
How can we help?
