Based upon Imprimis, Inc.’s experience in the cybersecurity compliance field, and on the need of Department of Defense contractors to become compliant with the new CMMC requirements, which include Assessments, System Security Plans (SSP), Incident Response Plans (IRP), and supporting Policies and Procedures (P&P), Imprimis has developed compliance packages to achieve those goals quickly while minimizing expense.

These packages take into consideration accepted cybersecurity principles and “Best Practices” that can greatly reduce remediation costs and the time it takes to reach compliance.

CMMC EXPRESS PACKAGES

I2 CMMC ARCHITECTURAL DEVELOPMENT & DESIGN EXPRESS PACKAGE

Imprimis highly recommends that an architectural review of the in-scope system be performed, and that the future architectural design of the CMMC-compliant to-be system be performed, reviewed and approved immediately following the assessment process. This allows for easy and effective progression to the Plan of Actions and Milestones needed to complete the remediation process. The network architecture and the design of the security controls will either impact or be included in required documentation such as the Policies and Procedures and the System Security Plan.

DELIVERABLE:

  • Architecture Documentation (network diagram, identification of all major components, and a bill of materials)

  • Documented Approach to Security Control Implementation

I2 CMMC PLAN OF ACTIONS AND MILESTONES (POA&M) EXPRESS PACKAGE

The POA&M will be developed based upon the assessment findings and the ‘to-be’ architecture as follows:

  • Provide the customer a tailored POA&M in which all remediation actions required to implement the new architecture and the security controls required for compliance with CMMC are identified and organized according to the recommended precedence.

  • Imprimis will lead a facilitated meeting with the customer to define options, including cost and implementation lead times, and to agree on the final schedule for all tasks.

  • The customer will make decisions on key elements which include network changes required, key technology/system selections such as multi-factor authentication, backup, monitoring and scanning selections, and will make the final decisions on schedule based on the customer’s needs and resources available.

DELIVERABLE:

  • Customer POA&M in MS Project or Excel (can also be applied to open source project management tools). If the customer cannot define the schedule when the POA&M items are defined, it will be the customer’s responsibility to insert the schedules later.

I2 CMMC SYSTEM SECURITY PLAN (SSP) EXPRESS PACKAGE

Utilizing the Imprimis SSP Express Template and working closely with the customer, a CMMC | DFARS compliant SSP will be developed for the requested Level as follows:

  • System definition including diagrams and hardware/software inventories

  • Identification of the customer’s management organization with responsibility for protecting the business, Information Technology, and Controlled Unclassified Information (CUI)

  • A documented risk analysis/assessment

  • Inclusion of the most current Assessment Report

  • Recommended inclusion of, or reference to, the customer’s Policies and Procedures and Incident Response Plan and any other pertinent information

DELIVERABLE:

  • Draft customer SSP (to be completed by the client once remediation has been completed)

I2 CMMC POLICY AND PROCEDURE (P&P) EXPRESS PACKAGE

CMMC P&P: The CMMC is organized by domains, each of which has one or more capabilities, which in turn call for security practices to be implemented. Each domain requires processes to be implemented that ensure the integrity of the security controls and indicate maturity. Even though the CMMC was strongly informed by NIST 800-171, the CMMC increases the total number of items that need to be implemented, tracked, maintained, and eventually audited.

The Imprimis CMMC P&P document is organized by all 17 domains; at least one policy per domain is documented, and domain sub-policies are provided when needed. The policies are cross-referenced to the procedures needed to ensure the security practices are implemented and maintained. The procedures document is a separate volume and contains the basic procedures and processes required of compliant organizations. The procedures are written in sufficient detail to ensure proper implementation of all practices and processes included in the CMMC. Both the policies and the procedures documents provide a direct mapping to the CMMC practices, processes, and capabilities. They also provide cross-mapping to the NIST 800-171r1 or 800-53 requirements.

A training briefing and video are included with these packages so all employees can immediately be trained on the adopted P&P.

DELIVERABLE:

A final tailored P&P package as follows:

  • Two separate documents, a Policy document and a Procedure document, which allows for easy future additions/deletions

  • Facilitated review of the P&P package with the customer

  • Incorporation of minor changes after customer review if necessary

  • Assistance with customer’s approval process for P&P adoption

  • Overview of the training briefing and video

**Note: This P&P Package does not include completely customized P&P preparation, re-writing of existing customer policies and procedures, or actual training of employees.

**NIST 800-171 OR NIST 800-53: Imprimis continues to offer a P&P Express Package applicable to the NIST 800-171/53 requirements only. These P&P are organized by requirement. The 800-171 P&P will be adapted to NIST 800-53 if required. As a side note, more than 100 of the 110 requirements in NIST 800-171 call for governing policies and procedures.

I2 CMMC INCIDENT RESPONSE PLAN (IRP) EXPRESS PACKAGE

The purpose of the IRP is to plan, implement, and maintain a robust incident-handling capability for organizational information and operational systems. This capability includes preparation, detection, analysis, containment, recovery, and user response activities. The IRP Package will be prepared jointly with the client, taking into account their existing corporate culture, processes and IT knowledge base, and will include a detailed definition of the incident response process, key personnel and contacts, and detailed procedures for:

  • Identification of incidents

  • Isolation procedures

  • Evidence gathering and chain of evidence protection

  • Media preservation

  • Malware capture and isolation

  • Forensic analysis

  • A communications plan which defines roles, responsibilities, and all communications protocol and details

Once the IRP is in place, the client will be responsible for training their management and staff on incident response and for developing mock incident response exercises multiple times per year.

DELIVERABLE:

  • Final tailored Incident Response Plan

(719) 785-0320

CONTACT 

Colorado Springs, CO © 2018 Imprimis, Inc.