Kieri Solutions offers the following assessment services:
ASSESSMENT FOR CERTIFICATION — If you are serious and ready, we can sponsor your company for a DIBCAC High Joint Surveillance Voluntary Assessment now, or we can schedule you to be one of the first true CMMC Level 2 assessments when rulemaking is complete. A down payment, scoping call, and readiness review are required to schedule.
800-171 ASSESSMENT FOR SUPPLY CHAIN PARTNERS – Kieri Solutions, using our authority as an authorized C3PAO, can perform an assessment of your compliance with NIST SP 800-171. This is not a CMMC assessment and it will not result in a certification recognized by the DoD or the Cyber-AB. It will not convey any reciprocity or advanced standing with the CMMC certification. The target audience is subcontractors who wish to provide their primes and the Government assurance that they are performing required cybersecurity. In addition to the assessment report, we will issue a Letter of Attestation which can be shared with your clients. This assessment is available now.
CMMC LEVEL 2 PRE-ASSESSMENT — Commonly known as a Mock Assessment, this assessment is intended to find all problems that a full assessment would, so that your organization has time to resolve the problems. The pre-assessment closely follows the Assessment for Certification process so that you have a chance to practice in a realistic environment. We expect the same amount of evidence and perform the same tests during a pre-assessment as during an Assessment for Certification.
High quality, no surprises

| Applies to | What you get | Included |
|---|---|---|
| All assessments | Authorized C3PAO, not an RPO. We don’t use assessments as the first step to selling services. We’ve had to prove our expertise. | ✅ |
| All assessments | Fixed price quotes – no price uncertainty. Includes travel costs for assessors. | ✅ |
| All assessments | New assessment clients are provided detailed FAQs about what to expect and how to prepare for assessment. Customer friendly process. | ✅ |
| All assessments | Terms and conditions are clearly written. No gotchas | ✅ |
| All assessments | We are happy to discuss our interpretations before you sign for assessment | ✅ |
| All assessments | Assessment planning and scoping included | ✅ |
| All assessments | Option to cancel or postpone assessment if readiness review shows obvious deficiencies | ✅ |
| All assessments | Evidence plan identifies which systems will be reviewed for each assessment objective | ✅ |
| All assessments | Evidence plan identifies expected evidence for each assessment objective | ✅ |
| All assessments | Quality review of assessment plan (including scoping and evidence expectations per system) | ✅ |
| All assessments | Easy to use secure file share for uploading evidence and downloading assessment docs | ✅ |
| All assessments | Assessors are 100% CMMC oriented. (Unfortunately, many C3PAOs are still using CMMI-oriented assessors for CMMC. This often results in excessive scrutiny of documentation rather than a technical assessment.) | ✅ |
| All assessments | Participates in C3PAO Stakeholder Forum for consistency of interpretation among assessors. | ✅ |
| Formal assessment | Includes 4 hours of remediation (POA&M) assessment for free (this gives time to re-assess several practices to improve your score) | ✅ |
| Formal assessment | Assistance writing your Joint Surveillance request so that it is obvious how important your company is to the DoD | ✅ |
| Formal assessment | First-in-first-out guarantee for CMMC assessment if not chosen for Joint Surveillance | ✅ |
| Formal assessment | Letter of Attestation (shareable with partners and government) provided for passing all formal assessments (in addition to applicable CMMC certificate, SPRS score, etc.) | ✅ |
| Pre-Assessments | Mock assessments discount planning cost for future assessments ($8-12k value) | ✅ |
| Pre-Assessments | Mock assessments performed by real assessors – the same ones doing formal assessments (so they know what will pass or not) | ✅ |
| Pre-Assessments | Mock assessments performed with same process as formal assessments. Educates your internal team on how to be assessed and the level of evidence required for the real thing. | ✅ |
| Pre-Assessments | Mock assessments performed with same rigor as formal assessments. Get a high-quality review so that you know what is broken. Don’t use unqualified “assessors” and find out what is wrong for the first time during your real assessment. | ✅ |

What is it like to be assessed by Kieri Solutions?
Jose Rojas from TTC (a defense contractor) and Ozzie Saeed from IntelliGRC (their cybersecurity provider) discuss their Joint Surveillance Voluntary Assessment performed by Kieri Solutions.
You’re signed up for an assessment, now what?
Amira Armond (Kieri Solutions Quality Manager) and Jil Wright (Kieri Solutions Lead Assessor) discuss the steps between signing up for an assessment and the actual assessment start.
If we miss a requirement, will Kieri Solutions provide enough detail to know what is wrong?
Yes! Every assessment we do has a detailed findings report about the evidence that was reviewed for each assessment objective, and whether it met the requirement or not. If a requirement isn’t met, we describe why, which system is involved, and pinpoint exactly what part of the assessment objective wasn’t performed. We will also do our best to explain how we interpret the requirement if there appears to be a misunderstanding. If all else fails, we can point you toward some smart consultants in the CMMC ecosystem who should be able to help.
What type of companies or system environments does Kieri Solutions specialize in?
Our assessors are more technical than average, so we do well in high-tech and distributed environments. Most of our assessment clients utilize cloud services such as Office 365 or AWS. But we have a pool of over 20 assessors, each with experience in different areas: large enterprise, shipyards, Linux, higher education, virtual desktops, software development, manufacturing, zero trust, laboratories, etc., so we can handle almost anything you might want to throw at us.
Will we need to pre-pay for the assessment or can we wait to pay until we see the results?
Nice try <grin>. Since sometimes assessments don’t end happily, we need to be paid in advance so that payment (or lack of) doesn’t influence our results.
When should we reach out to Kieri Solutions for an assessment?
If you are seeking a formal assessment, we recommend waiting until you are fully ready to pass an assessment before asking for a quote. If you are looking for a mock assessment, then it is totally fine if you aren’t ready, though you will get better information about your solutions and readiness the closer you are to being fully compliant.
What happens if we sign up for Joint Surveillance but the DoD doesn’t choose us?
Kieri Solutions will do your CMMC Level 2 assessment as soon as we are allowed to, in the order that each of our clients signed up.
If we miss a requirement during a formal assessment, what happens?
In most cases, our clients are able to fix problems almost immediately and we schedule a POA&M re-assessment within a few days. Assuming that the problems are fixed, we will issue an assessment report that shows your final score and results, provide a letter of attestation, and, if applicable, provide CMMC certification. If the re-assessment will be extensive (more than 4 hours), we will provide a quote for the re-assessment based on the time we expect it to take.
How hard is it to get a quote?
Once you contact us, we will send you a questionnaire which asks questions about your readiness and the complexity of your environment. At the same time, we will give you a brochure which has some rough pricing information. We will set up a 30-minute call to answer any questions and can help fill out the questionnaire with you during that call. After we understand how complex your information system is, we will send you a firm fixed-price quote.
How will Kieri Solutions assess _________?
We are glad to discuss precedent from DIBCAC assessments and how we interpret gray areas. Overall, you should find us to be very reasonable. We’ve been advocating for common sense assessments and scoping since the early days of CMMC. Reach out and we will be glad to have a call to discuss.