A Small Security Firm You Can Trust - Greater Boston
Cyberfox Security is a CMMC approved Registered Provider Organization (RPO). We provide professional cybersecurity consultation and services to Defense Industrial Base (DIB) and Defense Supply Chain (DSC) contractors. We specialize in CMMC and NIST 800-171 Gap reviews and remediation. Our experienced CMMC Registered Providers (RPs) work alongside clients to simplify the web of CMMC requirements and help them meet CMMC compliance. We have extensive experience working with DoD, Defense Industrial Base (DIB) contractors, and Federally Funded Research and Development Centers (FFRDCs) in the areas of cybersecurity and compliance.
Why Cyberfox Security?
Our experts have been in this industry for over 25 years, and include Air Force veterans, who have worked with DoD and the US Intelligence Community, and have advised many defense contractors, including ACS Defense Inc., Lockheed Martin Corp., Northrop Grumman Corp., and several Federally Funded Research and Development Centers (FFRDCs), in the areas of cybersecurity and compliance with DoD and Intelligence Community directives and standards such as ICD 503, NIST 800-53, NIST 800-171, and others. We know how government auditors and assessors interpret directives and standards, what they are looking for, and the best way to prepare for audits, because we have served in these capacities. You can trust the knowledge and experience that we bring to your table.
In addition, we are a CMMC 2.0 Registered Provider Organization (RPO) with CMMC 2.0 Registered Practitioners (RP) and CISSPs on staff. Most recently, one of our consultants completed Certified CMMC Professional (CCP) Training. This is the first requirement in becoming a Certified CMMC Auditor (CCA).
Our Gap Assessment Deliverables Include (required by DoD)
• Gap Assessment Report of Findings.
• System Security Plan (SSP).
• Tailored Plan of Actions and Milestones.
• Supplier Performance Risk Score (SPRS).
Recent CMMC 2.0 Changes
Responsibility for CMMC has moved from the DoD Office of the Undersecretary of Acquisition and Sustainment to the DoD Chief Information Officer.
The DoD CIO is responsible for the security of all DoD systems (Army, Navy, Air Force and Marine Corps), including classified systems. This change means the office is now also responsible for Defense Industrial Base Contractors (DIBS) systems that are subject to CMMC. Under the DoD CIO, all DIB contractors that have CUI in their contracts will be required to be assessed by a Third Party Assessor Organization (C3PAO) and achieve CMMC 2.0, Level 2 Certification. The DoD CIO streamed a townhall session on February 10 to discuss these changes and other pending changes. Other DIB contractors that have only Federal Contract Information (FCI) requirements can still self-assess under FAR 52.204-21.
A note of caution: we have worked with several companies at both CMMC Level 1 and Level 2 that have conducted self-assessments, calculated an SPRS score in the (+40 to +60) range, and submitted those scores to DoD. These companies subsequently asked Cyberfox to conduct gap reviews for them. Results of our gap reviews yielded SPRS scores ranging from (-18 to -200). Under CMMC 2.0, company executives will be required to certify with a signature that the scores they submit are accurate. This potentially leaves them at risk of violating the False Claims Act.
Additional CMMC Related Services Include
- CMMC Security and Compliance Program Development.
- vCISO Services to advise and help maintain compliance after a CMMC Assessment.