CorpInfoTech has utilized the CIS Controls, an industry-standard security framework, since the controls' inception in 2008. This list of actionable and dynamic controls has helped small and medium-sized businesses secure their organizations from the most common and dangerous cyber threats. Alongside the controls, CorpInfoTech has spent years following and preparing for the implementation of CMMC into the Defense Industrial Base (DIB). As CorpInfoTech achieves re-accreditation under the CIS Controls by CREST, it is important to outline how the controls and a CMMC-compliant MSP like CorpInfoTech can help organizations achieve both compliance and security.
Achieving and maintaining CMMC compliance can be an arduous task. The CIS Controls offer a practical playbook that helps organizations with their CMMC implementation. If CMMC is a list of requirements and assessment criteria, then the CIS Controls offer an implementation roadmap that helps shape your organization's security program. Many of the CMMC Level 1 and 2 expectations require not just policies but repeatable security operations (asset inventory, secure configuration, vulnerability management, access control, etc.). The CIS Controls translate those requirements into day-to-day engineering and IT practices.
CMMC Level 1 is concerned with Federal Contract Information (FCI) and foundational cyber practices. The CIS Controls "Implementation Group 1 (IG1)" can provide a list of actionable tasks to help an organization implement basic cyber hygiene consistently and generate the evidence necessary to demonstrate it. The CIS Controls emphasize asset inventory, access control, and basic hardening, all of which align with Level 1 requirements.
CMMC Level 2 is heavily concerned with where controlled unclassified information (CUI) lives and how it flows. The CIS Controls prioritize strong asset inventory and data governance habits that make defining and protecting CUI significantly easier.
Prioritizing a framework like the CIS Controls can also help your organization close CMMC gaps faster. The Controls are designed to be implemented in a sequence that tends to reduce risk quickly. This helps when your organization is:
The CIS Controls also provide a solid foundation to support audit readiness. To achieve CMMC compliance, documenting your security posture and providing supporting evidence is just as important as meeting the requirements themselves. The Controls help the evidence collection process by encouraging:
CorpInfoTech was the first, and remains one of the few, MSPs to achieve CIS accreditation under CREST. We utilize the controls in everything we do, both in our clients' organizations and our own. Our accreditation offers external validation of the experience and skills required to implement the controls into any business. Utilizing the CIS Controls IG1 safeguards, CorpInfoTech can help organizations achieve CMMC Level 1 compliance and create the required documentation and evidence. Alongside our CIS accreditation, CorpInfoTech was able to achieve CMMC L2 compliance via a C3PAO audit. This certification allows us to flow down 200+ of the 320 objectives required by NIST 800-171 and offer flexible compliance solutions that apply to on-prem technologies. Between CorpInfoTech's CIS accreditation and CMMC L2 certification, we are able to ensure our clients remain both secure and compliant.
CorpInfoTech's founder and President, Lawrence Cruciana, had this to say about our reaccreditation:
“Nearly twenty years ago we chose the CIS Controls as the governing framework for our cybersecurity program and made them the north star for our clients’ security architectures. Our recent CREST reaccreditation for the CIS Controls confirms that these practices remain measurable, repeatable, and independently validated. In parallel, our CMMC Level 2 certification by a C3PAO shows that we can operate credibly within one of the most demanding regulatory environments. For small and mid-market organizations, where a single misstep can have outsized consequences, this distinction matters. In a landscape where cybersecurity is often presented as a generic capability, our work is anchored in a transparent control framework, implemented in our own environment, verified by independent assessors, and sustained by a culture that treats cybersecurity as a core business discipline rather than a checkbox exercise.”
To learn how CorpInfoTech’s CIS-accredited and CMMC Level 2 certified team can help your organization achieve and sustain CMMC compliance while strengthening your security posture, contact us today.
Key Takeaways:
CorpInfoTech, a Managed Service Provider (MSP) with over 25 years in the SMB space, is a trusted partner for businesses pursuing compliance and cybersecurity. We are a CMMC Level 2 (C3PAO) certified MSP and a Cyber AB Registered Provider Organization (RPO). Also, as the first CIS-accredited organization, we help organizations implement the CIS Controls as they pertain to CMMC and your overall cybersecurity posture. CorpInfoTech is your trusted partner for secure, compliant growth in an ever-changing digital landscape.