We’ve been there, done that
To become authorized as a C3PAO, Kieri Solutions needed to pass our own CMMC Level 2 assessment by the DoD. But we were a small company without extra money. So we created a compliance program for ourselves that was as efficient and easy as possible. Policies and procedures where they were needed, but only where needed. We analyzed every requirement to figure out not just how to do it, but how to prove we were doing it. And we passed our assessment with flying colors.
We can’t say for sure that John Ellis was talking about us, but the timing was spot on, and we were a five-person company when his team assessed us.
We started helping clients with CMMC compliance
Companies of all sizes started reaching out to Kieri Solutions for assistance with CMMC preparation. We noticed that one thing was consistent – every defense contractor that we talked to had serious problems with their documentation and manual processes for compliance. For some reason, they would focus on the technical migrations for years and ignore documentation as long as possible. (Something about IT people hating documentation.) The irony is that documentation and good processes (like having a user onboarding form and an account management database) raise CMMC compliance scores dramatically – typically more than 100 points.
Our CMMC consultants were constantly poaching from Kieri Solutions’ internal documentation to share with clients. We were constantly screen sharing from our environment to demonstrate how we performed change management and software inventories. It became obvious that the best way we could help the DIB was to make our CMMC compliance program available to the public.
Our documentation templates became the Kieri Compliance Documentation (KCD).
CMMC Preparation Project
In response to demand, we started offering a combination of services we call a CMMC Prep Project:
Kieri Compliance Documentation – access to our compliance templates, our training library, and monthly Q&A and newsletters.
Consulting to prepare your documentation and processes – one of our certified assessors, with experience doing real 800-171 Joint Surveillance Assessments, works with your company to create version 1.0s of all needed compliance documents and procedures. Data flow diagrams. Policies. FIPS documentation. System Security Plan. IT databases. User agreements. Risk assessment. Change Approval Board meeting notes, and more. As our assessor is working with you to review and update this documentation, they provide training to your team about CMMC requirements and recommendations for meeting them. If we see you doing something wrong, we will let you know immediately, and help you create a plan to fix it. If you already have compliance documentation, we will work with you to decide whether to update it in place or to start fresh.
Gap analysis – our certified assessor will perform an efficient assessment of your readiness after the easy stuff (documentation) is fixed. You’ll get to experience the assessment planning, scoping, and evidence review process so that your team gets an understanding of what a real assessment will be like. Because we are an Authorized C3PAO, performing real assessments, all of our assessors have an excellent understanding of what can pass and what won’t. The Gap Analysis is more efficient because we have a reduced team size to perform the assessment – one assessor rather than three. This reduces the cost dramatically while still finding issues before your formal assessment. Because we perform the Gap Analysis last, after working to fix processes and documentation, most of the problems will be resolved before we even start.
A CMMC Prep Project normally takes 6 months to complete. Our typical Prep Project client sees their SPRS score increase by 100+ points.
Need a team on the inside?
We also offer part-time and full-time consultant teams if you need inside assistance running your CMMC program until you’re through the assessment (or beyond). We have experts at getting executive buy-in, building enterprise CUI management programs, ongoing monitoring, and ensuring that siloed teams take ownership of their compliance responsibilities.
Is Kieri the right fit for your CMMC needs?
Contact us – we will be glad to set up a call to discuss your needs.