On September 12th, 2024, Right Hand Technology Group hosted another insightful Office Hours session featuring Matt Gilbert, a CMMC Assessor from Baker Tilly. This session provided clients with valuable information on navigating the Cybersecurity Maturity Model Certification (CMMC) process, including updates, practical tips, and real-world scenarios. Here’s a recap for those who couldn’t attend.
Matt Gilbert highlighted the recently proposed CMMC rules that aim to clarify contract requirements for different CMMC levels. However, there is concern about the lack of flexibility these rules provide to contracting officers. Matt discussed how contracts involving both high-risk CUI (Controlled Unclassified Information) and low-risk tasks like janitorial services might end up requiring all subcontractors, even those handling low-risk tasks, to obtain Level 2 certification. He suggested that this could increase the burden on small contractors and limit participation, especially in services unrelated to CUI.
A new feature mentioned in the proposed rule is the introduction of a Unique Identifier (UID) for certified systems. This UID will be linked to the systems that handle CUI and must be provided during contract bidding. Matt explained that once an organization registers and gets certified, that UID becomes essential for tracking compliance throughout the contract’s lifecycle. However, he noted concerns over what constitutes a “significant” system change, such as moving from one cloud provider to another, and whether such changes would necessitate recertification.
When discussing companies with shared IT systems between a parent and subsidiary, Matt explained that if a parent company handles any CUI or security protection data on behalf of the subsidiary, they would be considered an External Service Provider (ESP) and must be CMMC certified. He warned of potential timing challenges if certifications need to be obtained in sequence, creating a “domino effect” where the parent must be certified before the subsidiary can begin its own certification process.
A frequent question in the session was whether outsourced IT providers need to be CMMC certified. Matt clarified that if an IT provider takes possession of CUI or security protection data, they qualify as an ESP and must be certified. However, if the IT provider is simply managing on-premise systems without accessing CUI directly, they may not need certification. He emphasized that each scenario should be carefully scrutinized to ensure compliance.
One of the pressing concerns raised was the potential burden the CMMC requirements could place on small businesses. With certification costs possibly exceeding profits for certain contracts, some small businesses may opt out of bidding on DoD contracts altogether. Matt pointed out that this could result in less competition and might favor larger defense contractors. Despite the cost burden, he emphasized the importance of protecting critical information and that proper compensation should be provided for ensuring compliance.
When asked about VoIP (Voice over IP) and virtual meetings like those conducted via Teams, Matt noted that discussions involving CUI must be protected with appropriate encryption. He recommended ensuring that VoIP systems are segmented from networks handling CUI and that users follow acceptable use policies (AUPs) to avoid sharing sensitive data over non-secure channels. Additionally, any tools that interact with meetings, such as AI note-takers, should be vetted to ensure they meet compliance standards.
Start Early with Certifications: If you share systems with a parent or external provider, ensure those parties are certified first to avoid delays.
Regular Affirmations: Even though certifications last three years, consider reassessing annually, especially after major system changes, to avoid unnecessary compliance risks.
Scrutinize ESP Agreements: If using third-party IT services, ensure they meet the definition of an ESP and understand what qualifies them as in-scope for CMMC.
Keep Data Boundaries Clear: If making changes to your information systems, document them thoroughly to defend whether or not they necessitate recertification.
As CMMC continues to evolve, it’s important to stay informed about updates and best practices. Right Hand Technology Group is committed to helping organizations navigate this complex landscape.
Join us for our next Office Hours session!
We host these sessions every month to keep you informed and answer your questions directly. Don’t miss the opportunity to gain valuable insights and guidance from industry experts.
The Certified Information Systems Security Professional is an information security certification with extremely high standards. Fewer than 132,000 people worldwide had this certification at the end of 2018.
It has also been formally approved by the DOD and is globally recognized in the field of IT security.
It covers the following topics:
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security
This is a system engineer certification that tests the user’s knowledge of the following topics:
Windows
SQL Server
Exchange Server
SharePoint
System Center (SCCM)
Lync
The A+ Certification demonstrates that the computer technician has the skill set needed to customize, install, maintain, and operate PCs.
In addition to these certifications, Right Hand also has strategic partnerships with some of the biggest names in the industry like Microsoft, Dell, Citrix, and Fortinet.
What could be more assuring than having these industry giants on your side?
As the name suggests, this certification is for Network Engineers. The course covers everything from the installation and maintenance of networks to troubleshooting them, including an understanding of all related technologies.
This certification shows that the technician who has passed the Microsoft exam is capable of managing, migrating, deploying, planning, and assessing the technology, security, and compliance needs associated with Microsoft Office 365.
The CompTIA Security Plus SY0-501 course covers the following topics:
Threats
Vulnerabilities
Attacks
System Security
Network Infrastructure
Access Control
Cryptography
Risk Management
Organizational Security