Frequently Asked Questions (FAQ)


HOW TO CREATE A SYSTEM SECURITY PLAN, AND SOME OF OUR LESSONS LEARNED.

We eat our own dog food: we only sell what we use or do ourselves. We handle cybersecurity for several defense contractors, so we decided to prepare for and undergo our own C3PAO CMMC Level 2 audit. We do not do government contracting work ourselves, but we do offer cybersecurity services to those who do, so it seemed a natural, common-sense approach. The blog post covers three lessons learned in going through the process, and we'll keep posting along the way. Follow us for more lessons learned as we discover them.

Read more (on our blog)

HOW FAST CAN YOU GET US TO AN SPRS SCORE OF 90 OR CMMC LEVEL 2?

This is one question that we get on every call. The answer? That all depends on you.

Trusted Internet can deploy most security tools in a few weeks, but it takes time to author policies and procedures, bake them in, and prove to an auditor that you’re doing what you say.

Should we be looking for a service?

Smaller companies benefit from hiring an external service like Trusted Internet. Where it might cost several hundred thousand dollars to build your own team, with tools, benefits, and all the other costs that go along with that, Trusted Internet has already made that investment and sells it as a shared service.

What is the difference between NIST 800-171 (r2), SPRS and CMMC?

They are three different things built on the same requirements. NIST SP 800-171 (Revision 2) is the set of 110 security requirements for protecting Controlled Unclassified Information (CUI). SPRS is the DoD's Supplier Performance Risk System, where you post your self-assessment score against those 110 requirements (the score starts at 110 and loses points for each requirement you have not fully implemented). CMMC Level 2 is the certification program under which an independent C3PAO verifies that you actually meet those same requirements. In short, NIST 800-171 is (today) the basis on which SPRS is scored and against which CMMC is going to be audited.

DO WE NEED TO HIRE A CHIEF INFORMATION SECURITY OFFICER AND SECURITY TEAM?

Maybe. Many of the controls require oversight and auditing. For this, it might be more cost effective to engage a part-time Virtual CISO™ through Trusted Internet for a few hours per month until you are big enough that hiring a full-time CISO and team becomes the more cost-effective option.

What’s all this going to cost?

During testimony to Congress, one small business owner cited about $10,000 for the initial SMB gap analysis, followed by $80-100K for security tools, plus the ongoing costs of maintaining security and of audits every three years.

One SMB owner mentioned roughly $300 per endpoint for a NIST 800-171 compliant virtual desktop environment.