CMMC - Assessment & Remediation: On avg 8 weeks

ATS will provides consulting services to our government contractor clients with the purpose of assisting these companies in reaching the necessary level of compliance to satisfy government regulations and standards to perform NIST 800-171 self-assessment and prepare for CMMC compliance. This engagement has a multi-phase approach.

Phase 1: Assessment & Gap Analysis Through existing document review and analysis, phone calls, and video calls and emails with employees, the first step would be for ATS to provide a gap analysis of the CMMC controls to figure out what the government contractor is doing to address CMMC compliance. This phase typically takes three weeks to complete, depending on the maturity of the organization’s current policies and security posture. The output from this phase is a SSP and a POAM.

Phase 2: Development of a POA&M and Remediation After identifying gaps in the cybersecurity compliance program, ATS will assist the government contractor with developing a plan of action and associated milestones for closing those gaps. As part of the remediation, ATS recommends that the client migrate to Azure for Government, while assisting with the analysis, planning, and budgeting. Solutions utilize the security and compliance monitoring features of Azure Government. ATS can manage and monitor closely the systems in Azure Government. Other efforts include migration to Microsoft 365 GCC and SharePoint Online efforts for more stringent controls over content. The time for this phase is dependent on resources and client availability. The output from this phase is a more secure environment in Azure for Government.

Phase 3: Documentation Finalization Once ATS and client have remediated all or most of the items in the Plan of Action & Milestones, the team will review and verify the work performed to finalize the bundle of documentation created in Phase 1. These docs will be required for the client’s compliance needs. This phase typically takes one week.