Protect your data, ensure compliance, and strengthen your security posture...
The loss of sensitive data can cost a business millions of dollars and severely ...
Many organizations do not want to pay for a full-time CISO or do not know if they are ready...
The Cybersecurity Risk & Maturity Assessment (CSMA) is a gap analysis and risk assessment...
A vulnerability assessment systematically reviews security weaknesses in IT ecosystems...
A penetration test, or pen test, actively identifies, tests, and highlights your organization’s...
With the growing threat of cyberattacks and data breaches—and the potential costs...
At any time, your organization might be running hundreds of security controls...
With rapidly changing regulations, maintaining compliance isn’t just a box to check—it’s essential...
Move beyond one-time assessments. Our coaching program provides continuous...
Is your manufacturing business prepared for CMMC compliance? Learn what CMMC compliance is...
At Right Hand, we understand what it takes for companies doing work within a defense industry ...
The National Institute of Standards and Technology (NIST), a division of the U.S. Department...
SOC is a suite of reports from the American Institute of Certified Public Accountants (AICPA)...
PCI DSS designs a set of security standards to ensure that all companies accepting...
ISO 27001 is a set of standards and requirements for an information security management...
Is your IT team stretched to the breaking point supporting your business? Have you had...
Is your in-house IT staff overworked and overburdened managing routine tasks? Do you have...
Cloud computing is transforming the way organizations buy and consume software...
Is your current IT strategy prepared for the threats that your organization faces every day? From human...
Protect your data, ensure compliance, and strengthen your security posture...
Manufacturing operations face intense competitive pressures, increasingly complex supply chains, and strict compliance requirements like CMMC and ITAR...
Healthcare providers face mounting pressures from ever-evolving technology...
Accounting firms handle sensitive financial data—from tax filings to audit...
Law firms operate under strict confidentiality obligations and face evolving...
Auto dealerships handle a wealth of customer information, from financing details...
In Oil & Gas, uptime, safety, and data integrity are paramount. Whether you’re managing offshore rigs,...
Financial institutions bear a heavy responsibility: they hold sensitive client information and manage...
In the insurance sector, safeguarding sensitive policyholder information is essential—not just to meet...
Auto dealerships handle a wealth of customer information, from financing details...
Small and medium-sized businesses are the backbone of our economy, but they often face...
Protect your data, ensure compliance, and strengthen your security posture...
The loss of sensitive data can cost a business millions of dollars and severely ...
Many organizations do not want to pay for a full-time CISO or do not know if they are ready...
The Cybersecurity Risk & Maturity Assessment (CSMA) is a gap analysis and risk assessment...
A vulnerability assessment systematically reviews security weaknesses in IT ecosystems...
A penetration test, or pen test, actively identifies, tests, and highlights your organization’s...
With the growing threat of cyberattacks and data breaches—and the potential costs...
At any time, your organization might be running hundreds of security controls...
With rapidly changing regulations, maintaining compliance isn’t just a box to check—it’s essential...
Move beyond one-time assessments. Our coaching program provides continuous...
Is your manufacturing business prepared for CMMC compliance? Learn what CMMC compliance is...
At Right Hand, we understand what it takes for companies doing work within a defense industry ...
The National Institute of Standards and Technology (NIST), a division of the U.S. Department...
SOC is a suite of reports from the American Institute of Certified Public Accountants (AICPA)...
PCI DSS designs a set of security standards to ensure that all companies accepting...
ISO 27001 is a set of standards and requirements for an information security management...
Is your IT team stretched to the breaking point supporting your business? Have you had...
Is your in-house IT staff overworked and overburdened managing routine tasks? Do you have...
Cloud computing is transforming the way organizations buy and consume software...
Is your current IT strategy prepared for the threats that your organization faces every day? From human...
Protect your data, ensure compliance, and strengthen your security posture...
Manufacturing operations face intense competitive pressures, increasingly complex supply chains, and strict compliance requirements like CMMC and ITAR...
Healthcare providers face mounting pressures from ever-evolving technology...
Accounting firms handle sensitive financial data—from tax filings to audit...
Law firms operate under strict confidentiality obligations and face evolving...
Auto dealerships handle a wealth of customer information, from financing details...
In Oil & Gas, uptime, safety, and data integrity are paramount. Whether you’re managing offshore rigs,...
Financial institutions bear a heavy responsibility: they hold sensitive client information and manage...
In the insurance sector, safeguarding sensitive policyholder information is essential—not just to meet...
Auto dealerships handle a wealth of customer information, from financing details...
Small and medium-sized businesses are the backbone of our economy, but they often face...
In the latest edition of Right Hand Technology Group’s (RHTG) office hours, Matt Gilbert, a seasoned principal from Baker Tilly, provided invaluable insights into the complexities of Cybersecurity Maturity Model Certification (CMMC) compliance. Drawing on his extensive experience, Gilbert shared practical advice for companies striving to meet CMMC standards, addressing common concerns and highlighting key strategies. Here are the key takeaways from the session.
One of the session’s first topics was the handling of legacy paper documents and physical copies of code. Gilbert emphasized the Department of Defense’s (DoD) pragmatic approach, noting that while companies are not expected to relabel all stored documents, any accessed documents should be treated as Controlled Unclassified Information (CUI) and labeled accordingly. For physical copies, robust protection measures, such as locked cabinets or strong perimeter security, are essential.
Gilbert clarified how to handle COTS products in relation to CUI. He advised that while standard catalog parts might not need CUI designation, any unique specifications, testing data, or quality reports likely would. It’s crucial to confirm with customers if certain information should be classified as CUI to ensure compliance.
When it comes to subcontractors, Gilbert explained that subcontractors must ensure that they meet the CMMC requirements applicable to their level of access to CUI. They may need to undergo certification if their role involves handling or processing CUI in a significant way. Ensuring that contract clauses allow for this approach is vital. Similarly, Managed Service Providers (MSPs) must comply with CMMC requirements if they handle CUI or security protection data. However, if MSPs only provide remote management without possessing data, they may not need the same level of CMMC certification.
Gilbert provided an update on the progress of the CMMC rule. The DoD has submitted the proposed rule for public comment, and after responding to comments and making necessary adjustments, it is expected to be finalized and published in the Federal Register by the end of the year. The timing for when official assessments will begin is subject to the final publication of the rule and may vary. Companies should stay updated with DoD announcements for precise timelines. Gilbert advised companies to start planning for compliance now to avoid any disruptions in DoD contract pursuits.
For companies preparing for assessments, Gilbert recommended engaging in preliminary discussions with potential assessors. Officially certified assessors must follow DoD guidelines and should not accept deposits or schedule assessments before the rule is finalized and they are officially allowed to perform CMMC assessments. He emphasized the importance of readiness assessments, following the DoD’s assessment guides and scoping guidance meticulously to ensure all aspects are covered.
Gilbert touched on the categorization of specialized assets and the preparation of SSPs. He advised that companies might choose to have multiple SSPs for different systems, but in many cases, a single comprehensive SSP might be more user-friendly and effective. Each organization must decide based on its unique environment and operational complexity.
When asked about the duration of assessments for small businesses, Gilbert estimated a couple of weeks of preparation, followed by a week of fieldwork and another week for wrap-up activities. Depending on the company’s setup, assessments could be conducted remotely or require on-site visits, particularly for physical security evaluations.
With the rise of remote work, companies must have robust policies and training to manage CUI effectively. Gilbert highlighted the importance of acceptable use policies, training programs, and ensuring employees understand and follow these guidelines. While assessors won’t visit employees’ homes, they will review policies and conduct interviews to verify compliance.
Gilbert emphasized that while CMMC assessments are technically point-in-time evaluations, assessors will look for evidence of historical compliance. Companies need to demonstrate that processes have been in place and followed consistently, rather than just implemented last-minute.
Matt Gilbert’s insights during RHTG’s office hours provided a comprehensive overview of the steps companies need to take to achieve CMMC compliance. From handling legacy systems and CUI to managing subcontractors and preparing for assessments, his expert advice is invaluable for organizations navigating this complex landscape. As the finalization of the CMMC rule approaches, companies must act proactively to ensure they are well-prepared to meet the stringent requirements and secure their position in the defense contracting ecosystem. For more detailed guidance and assistance, companies can reach out to Right Hand Technology Group or explore resources provided by experts like Matt Gilbert and Baker Tilly. As Gilbert aptly noted, preparing for CMMC compliance is a critical step in safeguarding sensitive information and maintaining competitiveness in the defense industry.
Discover strategies to defend your SMB against Black Basta ransomware, including employee education, multi-factor…
Navigate CMMC compliance complexity with our master guide. Explore key documents like SSP and…
Explore Shadow IT risks and benefits, and learn how consistent MSP support can help…
The Certified Information Systems Security Professional is an information security certification with extremely high standards. Less than 132,000 people worldwide had this certification at the end of 2018.
It has also been formally approved by the DOD and is globally recognized in the field of IT security.
It covers the following topics:
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security
This a system engineer certification and tests the user’s knowledge on the following topics:
Windows
SQL Server
Exchange Server
SharePoint
System Center (SCCM)
Lync
The A+ Certification demonstrates that the computer technician has the skill set needed to customize, install, maintain, and operate PCs.
In addition to these certifications, Right Hand also has strategic partnerships with some of the biggest names in the industry like Microsoft, Dell, Citrix, and Fortinet.
What could be more assuring than having these industry giants on your side?
As the name suggests, this certification is for Network Engineers. Everything from the installation and maintenance to troubleshooting of networks including the understanding of all related technologies is a part of the course.
This certification shows that the technician who has passed the Microsoft exam is capable of managing, migrating, deploying, planning, and assessing the technology, security, and compliance needs associated with Microsoft Office 365.
The CompTIA Security Plus SY0-501 course provides certifications in the following topics:
Threats
Vulnerabilities
Attacks
System Security
Network Infrastructure
Access Control
Cryptography
Risk Management
Organizational Security