SysAudits performs specialized assessments such as ITAR and DoD CCRI. These assessments require unique experience and an in-depth understanding of the regulatory organizations that provide oversight and enforce specific controls.
Contractors and service providers who support the U.S. federal government, whether a civilian agency or the Department of Defense (DoD), must ensure their information systems meet the requirements specified in the Federal Acquisition Regulation (FAR) or the Defense Federal Acquisition Regulation Supplement (DFARS), and may also need to comply with the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). Non-compliance can result in significant fines and possibly loss of ITAR technology and licenses.
U.S. Department of State and DoD regulations must be met if a contractor or service provider:
Handles Controlled Unclassified Information (CUI). The CUI requirements recommended for use under Executive Order 13556 are derived from FIPS Publication 200 and specify NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations."
A NIST SP 800-171 assessment is needed for contractors and service providers that transmit or store these data types in non-federal information systems, so that they do so in a way that complies with applicable regulations. These requirements extend to all cloud service providers (CSPs) that store, process, or transmit these data types on behalf of federal agencies, civilian contractors, or DoD contractors.
SysAudits provides services under an assessment or audit, including AICPA SSAE 16 SOC engagements. SysAudits has experience performing ITAR IT control and compliance assessments. Our assessments cover ALL NIST SP 800-171 controls and include a compliance review of management, operational, and technical controls. SysAudits performs assessments for contractors and service providers, and for federal agencies that receive contractor or service provider support and must comply with NIST SP 800-171.
SysAudits can support DoD organizations that want a CCRI pre-assessment. Command Cyber Readiness Inspections (CCRIs) are directed by USCYBERCOM, which sets cyber policy for the entire DoD enterprise. Cyber policy and standards are issued by DoD, DoN, DISA (Defense Information Systems Agency), and NIST (National Institute of Standards and Technology). To ensure DoD networks comply with directives and guidance, the Cyber Security Inspection (CSI) was created. A CCRI assesses the DoD organization's Operational Behavior (OB), defined as the "day-to-day operations" of the network at the user and system administrator levels. OB is a direct reflection of "command culture" as it relates to information assurance and cyber security. The following are examples of OB: