Kieri Solutions offers the following assessment services

ASSESSMENT FOR CERTIFICATION — If you are ready, we can sponsor your company for a DIBCAC High Joint Surveillance Voluntary Assessment now, or we can schedule you to be one of the first true CMMC Level 2 assessments in 2025. The DoD intends for these assessments to convert into a CMMC Level 2 certification if all requirements are performed.

GAP ANALYSIS – Want an accurate but cost-effective check on your CMMC and NIST SP 800-171 compliance status? We use Certified CMMC Assessors to perform all of our Gap Analyses. 320 assessment objectives with real C3PAO assessment plan, detailed findings, and final report. Includes scoping review, evaluation of your cloud vendors, and review of your CUI data flows. Don’t wait until your contracts are on the line to find out that you aren’t compliant!

ASSESSMENT FOR LETTER OF ATTESTATION – Kieri Solutions, using our authority as an authorized C3PAO, can perform an assessment of your compliance with NIST SP 800-171. In addition to the assessment report and detailed findings, we will issue a Letter of Attestation which can be shared with your clients. This offering is also ideal for companies that want a “Mock” CMMC assessment before they sign up for a certification assessment.

Ready to discuss?

Kieri Solutions’ CMMC Assessors are certified by the Cyber-AB and recognized by the Department of Defense.

What is it like to be assessed by Kieri Solutions?

We’ve completed several successful (eligible for CMMC certificate) Joint Surveillance Assessments so far. Our clients say that Kieri assessment teams are well organized, professional, easy to work with, reasonable, and compassionate.

FAQs

If we miss a requirement, will Kieri Solutions provide enough detail to know what is wrong? Yes! Every assessment and Gap Analysis we do has a detailed findings report about the evidence that was reviewed for each assessment objective, and whether it met the requirement or not. If a requirement isn’t met, we describe why, which system is involved, and pinpoint exactly what part of the assessment objective wasn’t performed. We will also do our best to explain how we interpret the requirement if there appears to be a misunderstanding. If all else fails, we can point you toward some smart consultants in the CMMC ecosystem who should be able to help.

What is the pass rate for Kieri Solution’s clients? We are glad to report that as of May 2024, all of our Joint Surveillance Voluntary Assessments (JSVA) will convert into full CMMC Certifications (this means they got perfect 110 scores or closed out all problems during their remediation assessment). This is a testament to our customer-friendly processes – we ensure your planned scope has no major problems and review your implementation at a high-level before we schedule you for the assessment. We also provide our customers full information about what to expect and how to prepare very early in the process. If a problem is found, we can recommend knowledgeable experts to help you fix it. We include a short remediation assessment for free with every formal assessment.

What type of companies or system environments does Kieri Solutions specialize in? Our assessors are more technical than average, so we do well in high-tech and distributed environments. Most of our assessment clients utilize cloud services such as Office 365 or AWS. But we have a pool of over 20 assessors, each with experience in different areas: large enterprise, shipyards, Linux, higher education, virtual desktops, software development, manufacturing, zero trust, laboratories, etc., so we can handle almost anything you might want to throw at us.

When should we reach out to Kieri Solutions for an assessment? If you are seeking a formal assessment, we recommend waiting until you’ve identified your scope and are not going to add any new systems to it, before asking for a quote. If you are looking for a Gap Analysis or Mock assessment, then it is totally fine if you aren’t ready – though you will get better information about your solutions and readiness the closer you are to fully compliant.

What happens if we sign up for Joint Surveillance but the DoD doesn’t choose us? Kieri Solutions will do your CMMC Level 2 assessment as soon as we are allowed to, in the order that each of our clients signed up.

If we miss a requirement during a formal assessment, what happens? In most cases, our clients are able to fix problems almost immediately and we schedule a POA&M re-assessment within a few days. Assuming that the problems are fixed, we will issue an assessment report that shows your final score and results, provide a letter of attestation, and if applicable: provide CMMC certification.

How hard is it to get a quote? Once you contact us, we will send you a questionnaire which asks questions about your readiness and the complexity of your environment. We will set up a call with our sales team to help fill out the questionnaire and answer any questions you have. After we understand how complex your information system is, we will send you a firm fixed-price quote.

How will Kieri Solutions assess _________? We are glad to discuss precedent from previous 800-171 and CMMC assessments and how we interpret gray areas. Overall, you should find us to be very reasonable. We’ve been advocating for common sense assessments and scoping since the early days of CMMC. Reach out and we will be glad to have a call to discuss.

Will there be enough assessors available to meet demand when CMMC goes live? We’re not sure. It doesn’t sound likely. We have multiple teams of Certified CMMC Assessors available and are growing to meet demand. If you sign up for an assessment with us, we will guarantee your schedule once CMMC goes live.

We are not a DoD contractor, but we need to be 800-171 compliant. Can Kieri assess us? Absolutely. Don’t be confused by all the talk about CMMC. At our core, we are a NIST SP 800-171 assessment and readiness company. CMMC is simply a DoD program to assess NIST SP 800-171 compliance for DoD contractors. There are only a few small differences between the two. We do both at an expert level.

More about Gap Analysis

Kieri Solutions is a leader in performing NIST SP 800-171 assessments which will turn into CMMC certifications under the Joint Surveillance Voluntary Assessment program. Because our certified assessors are performing real assessments, we have the best knowledge of what it takes to pass. Don’t waste your time getting a Gap Analysis from an untrained “professional”.

Our standard Gap Analysis is +consulting, where we tell you how to fix your problems. If you’d like to use Kieri Solutions to perform your formal assessment later, let us know and we will only tell you our findings, not how to fix them. This preserves our independence for the certification assessment.

Practice with the varsity team so that you are prepared for game day.

More about Joint Surveillance

The DoD has a special program available now, called the Joint Surveillance Voluntary Assessment Program (JSVA).

Certified 3rd Party Assessment Organizations (C3PAOs) like Kieri Solutions can schedule CMMC assessments in conjunction with DoD’s cybersecurity assessment team. The C3PAO leads the assessment and generally determines the results. The DoD’s cybersecurity assessment team may ask additional questions and may overrule the results if they feel the C3PAO was wrong in their judgement (either too stringent or too lax).

After the JSVA, the assessed company is given up to 6 months to fix any problems and get re-assessed against just the problem requirements by the Authorized C3PAO. The DoD’s cybersecurity assessment team does not participate in the re-assessment.

If the assessed company is able to show that they met every CMMC Level 2 / 800-171 requirement (a score of 110) either during the initial assessment or during the re-assessment, their JSVA will convert into a CMMC certification once CMMC rulemaking (32CFR) is final*. Kieri Solutions also immediately provides a Letter of Attestation which can be shared with customers and partners, but not all C3PAOs do this.

The CMMC certification will expire 3 years after the date of the JSVA.*

A JSVA costs roughly the same as a future CMMC assessment.