Services for the Defense Industrial Base
Your Business is Unique!
The risk associated with doing business with small organizations has skyrocketed. In response, the Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC). In recent months and years, adoption of this model has accelerated throughout the DoD and in many non-defense sectors of government.
Many Managed Service Providers (MSPs) cannot themselves comply with CMMC security controls and requirements. Often it is the MSP's own tools, software, and lack of documented processes that cause it to fail compliance, and an MSP that handles your CUI inherits your compliance scope.
If you need to establish and maintain CMMC or NIST SP 800-171 compliance, we can get you there on a budget, on time, and with demonstrable results. Our assessment methodology maps between the most common control frameworks, including those required by the DoD and those required by other regulators and industry bodies, such as HIPAA and PCI DSS.
CIT doesn’t oversell or push requirements that you don’t need, we secure you for your unique business needs and information assets!

NIST Special Publication 800-171 (NIST SP 800-171)
Current version (at time of writing): Revision 2
The document can be directly viewed here.
This Special Publication was created specifically to address confidentiality concerns for federal data that resides on information systems outside the control of the federal government: specifically, the information systems of third-party contractors and of the organizations they subcontract with.
NIST SP 800-171 specifies the security requirements a non-federal organization must meet to protect Controlled Unclassified Information (CUI). It groups these requirements into fourteen families of security controls (for example, Access Control, Audit and Accountability, Configuration Management, and Incident Response).
The requirements are derived from, and map to, the security control catalog of NIST SP 800-53, and the publication also provides a mapping to ISO/IEC 27001. Ultimately, NIST SP 800-171 requires an organization to create a System Security Plan (SSP) that defines the system boundary within which CUI will be stored, processed, and transmitted. Additionally, the SSP must describe how the organization implements each SP 800-171 requirement, how systems outside the CUI boundary (including third-party services) interconnect with the in-scope systems, and the relationships between those systems as viewed through the SP 800-171 requirements.
Once these elements are formalized in the SSP, SP 800-171 goes on to require that the organization identify any gaps ("mapping") between the required security controls and those that are actually in place and in effect.
Importantly, only controls that are in place today are counted; no credit is given for a planned future state. The gap analysis must, at a minimum, establish a prioritized order in which all gaps will be closed, set a target date for closing each gap, and name an individual within the organization as the responsible party for each one. This set of information comprises the organization's Plan of Action and Milestones (POA&M or POAM).
What Does Your Business Really Need?
Have you been approached about DFARS 252.204 clause requirements or NIST SP 800-171? Have you received a lengthy questionnaire issued by your contracting officer or customer?
We can help you understand your requirements, submit accurate and timely information, and relieve the burden of uncertainty that surrounds such critical responses.
Instead of paying for something you may not need through an MSP that may not fully understand the requirements, CIT can help you assess your real compliance needs!
Serious about Support
At CIT, we view technology support as extending from the desktop through the datacenter and into the cloud. Regardless of how an organization defines "office", we are here to equip, enable, and support the productive use of technology to deliver on its mission and objectives.
Check out some of the recent articles we’ve published relating to the end-user community and equipping users to succeed in the modern business.