Government Cyber Security Compliance

About

A civilian and DoD federal contractor, based out of Arlington, VA, wanted to prepare for DoD contracts and the eventual CMMCv2 Level 2 requirements. This contractor provides IT services for the government and has more than 250 employees. Of these employees, 200 are onsite at government worksites using GFE. The remaining employees all have Client provided resources that need to adhere to CMMCv2 Level 2 and the current NIST SP 800-171 standards. Trying to prepare for the eventual CMMCv2 Level 2 compliance and a cyber-insurance renewal, the Client partnered with V2 Systems leveraging its Managed Compliance Services offering.

The Challenge

The Client primarily works as a distributed workforce under a telework agreement. To tackle this challenge, the Client leverages a remote workforce management service to perform human resource management, asset tracking, and basic device management services. Additionally, the Client subscribes to Google Workspace Business Standard. While the Client had sufficient remote management capabilities, there were significant gaps in compliance found in the Identify function of the Managed Compliance Services. Examples of the gaps were:

  • No drive encryption
  • Local admin users on endpoints
  • No multi-factor authentication (MFA)
  • Unmanaged endpoint protection
  • Incomplete or missing policies & procedures
  • No FIPS enforcement
  • No vulnerability scanning
  • No Security Information and Event Management (SIEM)

The Solution

The Client chose to engage with V2 Systems on our Managed Compliance Services offering to provide a full scope analysis, remediation, and ongoing maintenance of their compliance requirements. First, V2 Systems performed a gap analysis on the systems and services to identify areas that were not in compliance. The resulting SPRS score from the gap analysis was -81.

Leveraging the Client’s workforce management service and Google Workspace subscription, V2 Systems brought the Client into NIST compliance. Heavy focus was placed on our Managed Compliance Services Protect and Detect functions. Examples include:

  • Replacing Norton with SentinelOne Complete for Endpoint Detection and Response (EDR) and vulnerability scanning;
  • Upgrading Google Workspace to Business Plus;
  • Implementing Windows and Mobile Device management through Google to push password, login and encryption policies; and
  • Deploying Google Credential Provider for Windows to centralize access controls to the endpoints and implement MFA.

The last part of the Managed Compliance Services is maintaining compliance and being able to Respond and Recover. These functions are provided through the V2 Systems Managed IT Services and frequent review of required controls including:

  • Annual Incident Response planning and exercises;
  • Quarterly technology reviews, risk assessments and review of the SSP;
  • Audit of logged data, analytical capabilities, and alignment with changes; and,
  • Response to system defects, updates, and system events.

The result of this initial project was bringing the system to an SPRS score of 105. The remaining control, FIPS compliance, was reserved for future testing and added to the Plan of Action and Milestones (POA&M).

Happy to help!

Call us at 703.962.4508 or fill out the quick form below and we’ll hit you back right away.

Concentrate on your vision ... We'll handle the technology.