Improve your business operations and make steady progress toward certification by working with a Virginia CMMC Registered Practitioner. We provide expert guidance and support tailored to your needs, capabilities, and budget.
Get started by reserving a complimentary Business Improvement Review with one of our veteran engineers.
Tailored solutions for small businesses
CMMC compliance is complex, costly, and soon to be required for federal defense contracts. The first Department of Defense contracts with a CMMC requirement are expected to appear in August 2024. Many Virginia companies are scrambling to meet the requirements so that they don’t lose business.
CMMC implementation will impact the way you do business in Virginia. You should feel confident and prepared for your assessment. That’s why we work with you throughout the process. As your Virginia-based Registered Practitioner, we will meet with you for an hour each week to guide you through the process and make sure all your bases are covered. Between our meetings, you will have tasks to work on with internal stakeholders.
Your SSP is detailed documentation on how cybersecurity is practiced in your organization. This document is critical during your assessment. We will collaborate with you to make sure that the document is complete, accurate, and a useful reference tool.
Incident Response Plan (IRP): Your IRP identifies the team responsible for handling cybersecurity incidents; describes how you prevent, detect, and respond to incidents; and details how you determine the severity of an event.
As part of gap analysis and remediation, we work with you to create your POA&M, a custom roadmap to compliance. We help you identify and prioritize security weaknesses, define corrective actions, establish milestones, and monitor progress. If your assessor finds items that need further attention, we’ll use the POA&M to work through them within the remediation window.
We’ll help you determine whether you need GCC High and make sure that your Microsoft 365 environment is properly configured for the type of data you handle.
Let a governance, risk, and compliance tool like FutureFeed do the heavy lifting. GRC tools for CMMC compliance simplify inventory, documentation, planning, CUI marking, and budgeting. We’ll help you get comfortable with and make the best use of your GRC tool.
CMMC requires re-certification every three years. As your business grows and changes, you’ll want to make sure that you stay compliant. Enjoy greater peace of mind when your next assessment comes around.
Making compliance attainable for small businesses
You’re more than welcome to have your existing IT partner or internal staff make the changes you need to become compliant. If you need a trusted IT partner in Virginia, though, our team of experts can take care of all the technical details.
Some consultants suggest CMMC solutions that are total overkill. Instead, we recommend solutions that take into consideration the type of information you handle, what systems it touches, and your budget. Your CMMC implementation will be the best fit for your organization.
Nine steps to achieving CMMC compliance
01
Form an implementation team. Identify key stakeholders and partners. This would also be a good time to bring on a CMMC consultant as a partner, particularly one who has been certified as a CMMC Registered Practitioner.
02
Identify the CMMC level you need. Do you need Level 1 or Level 2 CMMC compliance?
03
Define compliance scope. Identify all systems that protect or touch FCI or CUI.
04
Gap Analysis. Analyze your current security controls and itemize all deficiencies.
05
Gap remediation. Implement policies, procedures and systems to meet the CMMC standard. (This step alone will take one to two years.)
06
Select an assessor. Find a Certified Third-Party Assessor Organization (C3PAO). These organizations are currently in short supply for the expected demand so find one early.
07
Get assessed. An assessment for a smaller business will cost between $25,000 and $50,000.
08
Submit your report to the DoD. You must meet at least 80% of the criteria to go on to the next step.
09
Reach 100% compliance and become certified. You’ll have 180 days to correct any issues. The Cyber AB will issue you a certificate, which will be good for three years.
If you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of fulfilling a defense contract, you need to reach CMMC compliance. It is highly recommended that you work with a Registered Practitioner (RP) as you move toward this goal.
Registered Practitioners are experienced IT and cybersecurity professionals that have been specially trained to assist you with CMMC. These CMMC consultants bring several benefits:
Our Virginia CMMC consulting costs about $750 to $1500 per month, depending on factors like company size, your current IT environment, and whether you need to reach CMMC Level 1 or Level 2. It typically takes 12 to 18 months to reach CMMC compliance.
You’re not required to use a a Registered Practitioner or a Registered Practitioner Organization when seeking CMMC compliance. But it sure helps. And The Cyber AB, the certifying body for CMMC, recommends that you do.
“Navigating the CMMC certification process can be complex and time-consuming, especially for organizations that are new to the requirements and standards” according to The Cyber AB. “That’s why it’s crucial to leverage the expertise of a trusted third-party organization that has been authorized by the Cyber AB to assist you on this journey.”
E-N Computers is a Registered Practitioner Organization with headquarters in Virginia and has two Registered Practitioners. Ian MacRae and Thomas Kinsinger have worked with hundreds of small businesses to implement sound IT strategy with a focus on cybersecurity and compliance.
The best IT consultants have experience in both business and technology.
Ian MacRae, our founder, built the company from a small repair shop into a top-tier regional MSP. His passion for business and technology is instrumental in helping clients meet compliance regulations, improve security, and optimize systems and processes for continued growth. He is a CMMC registered practitioner, which authorizes him to provide CMMC implementation consulting services. This means meeting cybersecurity standards required by the Department of Defense.
Thomas Kinsinger, our director of technology, ran his own IT business for 10 years before joining our team in 2013.
His enthusiasm for technology and understanding of a variety of industries make him an excellent resource, someone who will take the time to explain technology and help you make the decisions that are best for your business. He holds several industry certifications including CompTIA A+ and Cisco CMNA.
CMMC consultants are IT professionals that specialize in cybersecurity and the Cybersecurity Maturity Model Certification program.
Registered Practitioners (RP/RPA) are recognized by The Cyber AB as having the experience and training “to assist in identifying gaps and providing mitigation strategies for an OSC preparing for an assessment.”
Registered Practitioner Organizations (RPO) are companies that have at least one RP on staff.
Read more: What are CMMC Registered Practitioners and do I need one?
The Cybersecurity Maturity Model Certification (CMMC) is a program created by the Department of Defense to protect sensitive information held by contractors that are part of the Defense Industrial Base (DIB). The program requires contractors to undergo assessment every three years and demonstrate that they comply with a range of cybersecurity practices. Companies that are not CMMC compliant will not be able to win federal defense contracts or subcontracts.
If your company handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of federal defense contracts, you need to be CMMC certified.
Read more: Is CMMC worth the cost?
Level 1 is manageable. It consists of 15 basic security requirements that your business should already be practicing. And you can be certified by completing an annual self-assessment. Every defense contractor handles FCI and must therefore practice CMMC Level 1.
Level 2 requires focused effort to achieve. There are 110 requirements that align with NIST SP 800-171. The NIST emphasizes that it is important to work with a qualified consultant to be compliant at this level. Most small businesses with defense contracts handle CUI and must practice CMMC Level 2. At this level, you must be assessed by a CMMC Third-Party Assessment Organization (C3PAO) every three years.
Level 3 applies to select prime contractors and involves a government-led assessment every three years. Most defense contractors will not be subject to CMMC Level 3.
CMMC assessments are completed by a CMMC Third-Party Assessment Organization (C3PAO).
Level 2 assessments must be performed by a Certified CMMC Assessor (CCA). Only US citizens can be on the assessor team.
The company you hire as your Registered Practitioner Organization (RPO) cannot also act as your C3PAO. An individual that acts as your Registered Practitioner (RP/RPA) cannot be one of your assessors.
How can we help?
