There are right paths to a complete compliance program, and wrong paths. Regardless of where an organization stands in its cybersecurity maturity, an accurate understanding of where it is today helps define what the correct path forward should be. There are two frequent ways Beryllium helps organizations seeking certification (OSCs) do this: a gap assessment and a readiness assessment.
Gap Assessment – The goal of a gap assessment is to identify the insufficient practices and processes that must be in place to satisfy a compliance requirement or framework. For NIST SP 800-171, there are 110 controls and over 320 practice objectives that need to be in place for an OSC to give itself credit for each control, which in turn affects the score it enters into SPRS. With Beryllium’s cybersecurity advisory team, our gap assessment is a guided engagement to review and identify what is met, partially met, and not met. Using that information, Beryllium delivers a moment-in-time compliance progress report, a list of recommendations, and a road map to full compliance, along with an updated SPRS score.
Compliance Review – With a compliance review, our team takes a somewhat deeper dive into an organization’s interpretation of NIST SP 800-171 and CMMC. We look more closely at the audit evidence already in place, the business processes being performed, network diagrams, scope, the assessment boundary, and so on. Whether an OSC is at the beginning of its cybersecurity journey or further down the road, a compliance review is intended to give the OSC more detailed information so that its strategic plan offers a realistic, and most affordable, path to completing and managing that plan.
Readiness Assessment – A true readiness assessment’s purpose is to confirm that an OSC is ready for a thorough independent/third-party audit. A readiness assessment reviews all 17 domains making up NIST SP 800-171 and CMMC Level 2 (Advanced), examining all three forms of objective evidence (document, interview, and test) for each practice and process objective in the CMMC assessment guides. Beryllium does not recommend that any OSC engage in a true readiness assessment unless it is truly ready to prove its compliance program is fully in place. Why? Because the time, effort, and cost are the same whether or not the OSC is ready. If an organization has yet to perform an independent gap assessment or compliance review, it is often not ready.