CMMC Solutions: A journey of continual evolution

Clarity of thought, built over 100 years of international experience

CMMC Europe is a group of experienced and qualified partners in cyber security, cyber risk management, legal, consulting and executive placement, who provide organisations with advisory services for the design and delivery of CMMC compliance, cyber risk management, cyber security oversight and assurance, and organisational design.

We have all held senior leadership positions and are experienced in board advisory, including educating boards in cyber security.  As the Founding Partner, Andy has provided board-level cyber education and awareness to executive and non-executive directors across a range of industry sectors.  He is also qualified as a Chartered Security Professional (CSyP) and CSyP assessor, one of only 2 professional qualifications recognised by the UK's Centre for the Protection of National Infrastructure (CPNI), and holds a place on the UK's Register of Chartered Security Professionals.

Executive cyber education and awareness programmes

The regulatory and legislative environment surrounding cyber security and cyber risk management is changing rapidly, with a range of regulations such as NYDFS, CCPA, HIPAA, GDPR and PCI-DSS having consequences internationally.  The most striking regulatory change comes from the US DoD in the form of its Cyber Maturity Model Certification (CMMC) regulation, which proposes to strengthen the already enforced DFARS 48 CFR § 252.204-7012 and its requirement to embed NIST 800-171 cyber security across the US DoD's Defence Industrial Base.

It is important for the board to understand cyber risk management and the threat cyber risk poses to their organisations, so that boards can set appropriate levels of risk appetite, assure the effectiveness of cyber practices and oversee the management of cyber risk.  For listed and non-listed companies alike, securing shareholder value and securing corporate IP, FCI, CUI and PII is critical to maintaining the integrity of an organisation's financial statements.

We deliver bespoke cyber education and awareness programmes to executive and non-executive directors, together with board advisory services, covering:

  • What is CMMC and what are its implications?
  • What is cyber security and cyber risk management?
  • How should the board assure and oversee their cyber security capabilities?
  • What does a good CMMC and cyber risk management programme look like?
  • What does cyber governance look like and how do you implement it?

Executive governance

Cyber security sits squarely on the board's table as a significant risk.  The long-term prognosis is that cyber will only become a more significant risk for boards as the digital economy grows.  The cost of cyber compliance is high, as is the cost of cyber remediation after an incident.  Regulatory compliance is increasing, with regulators across many sectors focusing on cyber risk management: the EU GDPR, California's data protection regulations (CCPA, 01.01.2020), the New York Department of Financial Services (NYDFS) cyber regulation and China's internet security law (01.06.17).  CMMC will implement cyber regulation across the US DoD's DIB and will require independent and ongoing oversight and assurance of an organisation's cyber maturity.  Cyber requires board oversight and assurance to ensure the boardroom remains up to date on cyber-related issues, to manage the organisation's cyber maturity in line with FCI and CUI requirements, and to manage the potential damage to financial statements in the event of a cyber attack.
We work with organisations from various industry sectors, delivering board programmes for the oversight and assurance of cyber risk:
  • Define board governance policies and procedures for the oversight of cyber and technology risk.
  • Implement cyber and technology oversight, including appetite setting and associated KPIs and KRIs for risk oversight.
  • Work with organisations to develop control effectiveness testing programmes.
  • Develop cyber risk remediation programmes, to close gaps in cyber security maturity.

CMMC oversight and assurance

Current FAR (48 CFR 52.204-21) and DFARS (48 CFR § 252.204-7012) requirements apply to organisations and agencies who supply services to Federal and non-federal agencies.  They require the implementation of cyber security practices including NIST 800-171 (r2).  If and when additional CMMC changes are added to the DFARS regulations, they will add a requirement for independent accreditation of organisations, assuring that the appropriate CMMC practices for the Level (1-5) defined by the DoD have been applied prior to the commencement of contract fulfilment for DoD contracts.
We work with corporate and government clients, providing oversight and assurance of existing data protection, cyber security and cyber risk management programmes, including:
  • The oversight and assurance of data security programmes including GDPR, CCPA, FCI & CUI.
  • Cyber capability reviews and organisational design.
  • Cyber practice & control assurance (ISO 27001, NIST 800-171r2).
  • Cyber risk oversight and assurance.
  • Cyber incident assessment and expert witness.

Cyber risk management

Cyber risk oversight and assurance is critical for an organisation to manage cyber risks.  It provides a clear understanding of the organisation's inherent risk exposure, the effectiveness of its risk mitigation practices and programmes, and the residual risk that remains once effective controls are accounted for.  Cyber risk management is a continual process of risk evaluation, measurement and reporting, providing executive committees with the appropriate information so that they have assurance over the organisation's risk exposure.

We deliver global cyber risk and operational risk management programmes within regulated markets.

  • Delivery of cyber risk management strategy.
  • Design and delivery of cyber risk evaluation, assurance and oversight strategy.
  • Design and delivery of global 2nd Line of defence cyber and technology risk oversight and assurance programmes.
  • Cyber risk and technology risk appetite setting and executive committee reporting.
  • Cyber risk regulatory reporting.

Cyber security strategy and programmes

Cyber security is not a technology problem.  It is a practice which touches all aspects of an organisation.  International standards and frameworks such as ISO 27001 and NIST 800-171r2 identify over 171 enterprise-wide practices/controls which can be applied to secure information.  Cyber security programmes are complex to design, deploy and manage, as demonstrated by the CMMC programme, which sets out a cyber security maturity path from Level 1, basic cyber hygiene, to Level 5, proactive cyber protection.
We deliver global cyber security programmes, including ISO 27001 and NIST, within regulated markets:
  • Evaluation of cyber security maturity and practice/control remediation (ISO 27001 and NIST 800-171).
  • Delivery of global cyber security strategy.
  • Design, delivery and management of ISO 27001 and NIST 800-171 programmes.

Professional memberships and affiliations

  • Chartered Security Professional (CSyP)
  • The Institute of Mechanical Engineers (IMECHE), the UK's largest professional body representing Mechanical Engineers and Chartered Engineers
  • Security Institute (MSyI)
  • Worshipful Company of Security Professionals
  • Academy of Experts