POAMs and Their Significance in CMMC Assessments

Provincia Government Solutions

POAMS and CMMC

By Sese Bennett

December 19, 2022

The use of POAMs are ubiquitous in the world of cybersecurity. As we get closer to the release of CMMC 2.0, many are wondering about POAMs and their significance in CMMC assessments. Providing a clear answer is difficult, but in this article, we will attempt to shed some light on the expected standards regarding POAMs and CMMC.

The National Institute of Standards and Technologies (NIST) defines a Plan of Action and Milestone (POAM) as “A document for a system that “identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.”

POAMs are used across many different groups in an organization including IT, risk management, governance, risk, and compliance. POAM also applies to the CMMC ecosystem, including Organization Seeking Certification (OSC). As OSCs prepare for a CMMC certification assessment, they must consider any existing POAMs that currently have, understand how CMMC 2.0 defines acceptable POAM criteria, and how POAMs impact certification efforts.

How Does CMMC Define POAM?

CMMC defines a POAM as a document to remediate deficiencies and the respective timeframe for doing so. “The POAMs purpose is to identify, assess, prioritize, and monitor the progress of corrective efforts for security weaknesses found in an organization’s programs and systems.” (CAP)

The legitimacy and validity of a prospective POAM will be decided by the Lead Assessor at the time of assessment closeout. The CAP provides a list of criteria that must be included in a credible and effective POA&M

Why are POAMs So important to CMMC?

POA&M’s can make or break an assessment. Understanding a few key requirements will help you navigate the use of POA&M’s during your CMMC assessment. CMMC 2.0 was revised to make accreditation obtainable in situations where certain POA&Ms may be necessary. However, it is important to keep in mind that not all practices will be eligible for a POA&M. According to the CMMC Assessment Plan (CAP) version 1.0 (https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf) the following points must be considered when discussing POA&M’s:

  • CMMC will allow conditional use of Plans of Action and Milestones (POA&M) to remediate practices that are not fully or successfully implemented.
  • POA&Ms will be strictly time-bound with a validity period of no more than 180 days from the Assessment Final Recommended Findings Briefing (Phase 3).
  • POA&Ms will not be allowed for the highest-weighted CMMC requirements (currently understood to be level 5 requirements
  • The Department of Defense has established a minimum-score requirement to support Certification.
  • The Certified CMMC Assessor will validate the following criteria for an OSC to satisfy the requirements for receiving a CMMC Level 2 Conditional Certification:
  • 80% of all CMMC Level L2 practices scored “MET” (Current CMMC L2 scoring would result in 88/110 Practices must be found as “MET”). In addition to that minimum score, “If any, practices on the POA&M Review fail to result in a score of ‘MET’, the Lead Assessor will recommend the OSC NOT be recommended for a CMMC Level 2 Final Certification”.
  • All POA&M items must meet the criteria in Appendix K, “CMMC Scoring with DoD Assessment Scoring Methodology” (Appendix K -TBD)
  • Pre-existing POAM’s are not allowed and can result in a CMMC 2.0 assessment failure.

Summary

Cybersecurity is an ever-evolving organism and POA&M’s can be expected as new procedures and tools are implemented. CMMC will allow POA&M’s on a conditional basis, however, POA&M’s will not be allowed for the highest-weighted CMMC requirements. Also, to qualify for the POA&M process, a minimum score must be met (88/110 or 80%) and all qualified POA&Ms require remediation within 180 days.

 

The CMMC 2.0 POAM process makes CMMC Certification far more attainable than the previous model. This allows OSCs to mitigate less severe issues within their CMMC environment and continue their CMMC certification journey.

 

Other aspects of POAMs are still being finalized. PGS will keep you up to date as these aspects are finalized, but it is safe to say that minor updates and enhancements should be expected until CMMC’s final rulemaking is complete.

 

Here at Provincia Government Solutions, we believe knowledge is power. We make sure to stay informed regarding all things CMMC and pass this expertise on to you.  We are here to help you earn your CMMC 2.0 certification. Your success is our success.

Upcoming Blog

We will continue our CMMC theme with “Am I ready for CMMC”. We will discuss the most important things to consider before diving in to a CMMC assessment.

Be sure to subscribe to our blog and check out our podcast for more in depth discussion of all things cybersecurity.

Next Steps

Are you ready for Provincia Government Solutions to help you? If so, reach out to our team and let’s talk. We can put you are on the path to success!

Until then, be safe and stay secure!

About Us

Provincia Government Solutions, LLC is a Nashville based HUBZone certified security and risk assurance firm with advanced expertise in government regulatory and compliance cybersecurity requirements including NIST, FISMA, CMMC, SCA, 800-171, TRICARE, MARS-E and ZTA (Zero Trust Architecture) solutions. Our client base includes  government agencies, contractors, and commercial organizations affiliated with government entities. Whether you are seeking audit preparedness, compliance and assurance assessments,  security consulting, or CMMC certification, we have the expertise to help.  Contact us at (615) 807-2822 or at info@provincia.io to discuss your security needs today. Consultations are free of charge and we look forward to speaking with you!

Subscribe to our Blog!

Be The First

to Know

When New Blog Content is Published

Contact Information

  • P.O. Box 1685
    Spring Hill, TN 37064
    United States
  • +1 (615) 807-2822 | info@provincia.io

Social Networks

Links List

ABOUT US

Provincia Government Solutions is a SBA certified Small  Business cybersecurity assurance firm and a CMMC Certified Third Party Assessment Organization (C3PAO).  We were the first organization to become a  C3PAO in the Middle Tennessee (Nashville) area and provide a full range of services including CMMC consulting and certification assessments. Our assessment team is trained in CMMC and other government assessment disciplines and we are experienced working with organizations of all sizes. Please reach out with any cybersecurity or CMMC related inquiries. We look forward to speaking with you!

 

5 C3PAO Red Flags

Provincia Government Solutions

5 C3PAO Red Flags

By Sese Bennett

November 14, 2022

In this blog, we discuss 5 C3PAO Red Flags that you should look for when interviewing a prospective C3PAO to perform your CMMC assessment.

Choosing the right Certified Third-Party Assessment Organization (C3PAO) for your CMMC assessment will take effort and time. This will be time and effort well spent if you find the right match and avoid companies that don’t have your best interest in mind

The Good, The Bad, and The Ugly C3PAO?

As the cybersecurity world gears up for CMMC, I was reminded not too long ago by a client, not all companies are the same. This includes how they approach CMMC assessments and what “style” of C3PAO works best for them. While it is true that most companies will perform the assessment correctly, the way they assess can feel like everything from a walk in the park to a root canal. Yes, compatibility of the two companies can make a huge difference. Although a company may have stellar recommendations, their approach and personalities may clash with the established culture of your organization.

But what about the bad eggs? As with any project or initiative your organization takes on, diligence is required with selecting a compatible C3PAO. Differing of opinion on implementation and requirements is common and normally not a showstopper. However, poor business ethics and ineptness are signals of future problems that could be major issues if you are not careful.

So how do you identify these bad eggs before they impact the success of your assessment? Awareness is key. Identification of these 5 C3PAO red flags will help you avoid C3PAO’s (or any other organization for that matter) who’s actions put the success of your CMMC certification efforts at risk.

5 C3PAO RED FLAGS

The missing puzzle piece means they are not complete and not a C3PAO.

Red Flag #1 Almost Certified

In the world of CMMC C3PAO’s there is authorized and not authorized.  C3PAO’s that have not officially completed the Cyber-AB authorization process cannot solicit business as authorized C3PAO’s. “As good as authorized” or “Almost Authorized” only means one thing – Not Authorized! There are so many things that could happen to delay or even prevent them from becoming authorized. If you make a “gentleman’s agreement” based on the expectation they will someday be authorized, this could leave you high and dry and place you in the back of the assessment queue.

Hiring a C3PAO with no Action plan feels like being lost in a maze.

Red Flag #2 No Action Plan

If your interview with a potential C3PAO leaves you with more questions than answers, that C3PAO may not have an adequate plan to execute your assessment. Coming up with a plan on the spot is not reassuring and could delay your assessment. Experienced C3PAO’s should be confident on what needs to be done. Although we are still in the early stages of rolling out CMMC, most experienced C3PAO have already allocated resources and created plans for executing successful CMMC assessments. You should leave any C3PAO preliminary discussion feeling confident that they can handle the assessment and the right fit for your organization.

Some CMMC questions are more important than others.

Red Flag #3 Not Asking the Right Questions

An interview with a C3PAO should be filled with questions from both sides of the table. The C3PAO most certainly should be asking questions about the size and scope of the assessment. They should be asking about System Security Plan’s and the maturity of your documentation process. How can anyone give a fair proposal without knowing how much work is involved? If they are underbidding, they may become frustrated, and the quality and integrity of the assessment could suffer. If they are overbidding, you are eating the cost of their poor calculations. Neither of these possibilities is a win for your organization.

Having a C3PAO you can trust is key to a successful CMMC assessment.

Red Flag #4 Promises, Promises, Promises

C3PAO’s should always be realistic in what they can deliver. Statements that over promise and under deliver will cause friction and frustration during an assessment. Promises such as “We will have you done in 10 days”, or “we guarantee that you will be at the front of the early assessment queue” sound great but are empty because C3PAO’s can’t guarantee what they don’t control such as how long an assessment takes, or which order the Department of Defense selects applicant organizations to be assessed.

Capable C3PAO’s present realistic documented expectations up front so that everyone is aware of engagement deliverables, activities, and timelines. If you start to hear promises that sound too good to be true, ask your C3PAO to back it up with facts and document it in your contract. If they cannot (or will not), run for the door!

Having little or no experience equates to more mistakes with your CMMC assessment.

Red Flag #5 Little or No Cybersecurity Assessment Experience

When hiring a C3PAO, it can be hard to gauge experience since CMMC 2.0 is relatively new for C3PAO’s performing assessments. However, CMMC 2.0 is based in NIST 800-171, which easily translates to the CMMC practices. This knowledge can come in handy when assessing the experience level of a potential C3PAO partner.

Basic questions you can ask to gauge the level of experience include:

  • What type of assessments have they done in the past?
  • Do these assessments include NIST based assessments such as 800-171, 800-53, FISMA, or similar?
  • What size organization have they work with in the past?
  • How many years have they been in the cybersecurity assessment field?

 The last question is a very important one. Managing cybersecurity and assessing cybersecurity are two very different skill sets. Just because an organization is experienced in supporting cybersecurity, it does not mean they know how to assess cybersecurity. Experience in assessment work is invaluable when it comes to CMMC assessments because it gives the experienced assessor the advantage in knowing what to look and what to ask.

Summary

As a certified C3PAO, Provincia Government Solutions prides itself in the straightforward honest approach we take towards each and every client. We welcome vetting questions and want you to feel confident in selecting us to participate in your CMMC journey. Feel free to reach out to us and ask any questions that will help you make the best decision.

In our next article, we will address POAM’s and the role they play in the CMMC ecosystem. Be sure to subscribe to this blog so you do not miss out on any of the great articles coming up!

Upcoming Blog

We will discuss the significance of POAM’s in the next article. This article will help navigate this precarious aspect of CMMC.

Be sure to subscribe to our blog and check out our podcast for more in depth discussion of all things cybersecurity.

Next Steps

Are you ready for Provincia Government Solutions to help you? If so, reach out to our team and let’s talk. We can put you are on the path to success!

Until then, be safe and stay secure!

About Us

Provincia Government Solutions, LLC is a Nashville based HUBZone certified security and risk assurance firm with advanced expertise in government regulatory and compliance cybersecurity requirements including NIST, FISMA, CMMC, SCA, 800-171, TRICARE, MARS-E and ZTA (Zero Trust Architecture) solutions. Our client base includes  government agencies, contractors, and commercial organizations affiliated with government entities. Whether you are seeking audit preparedness, compliance and assurance assessments,  security consulting, or CMMC certification, we have the expertise to help.  Contact us at (615) 807-2822 or at info@provincia.io to discuss your security needs today. Consultations are free of charge and we look forward to speaking with you!

Subscribe to our Blog!

Be The First

to Know

When New Blog Content is Published

Contact Information

  • P.O. Box 1685
    Spring Hill, TN 37064
    United States
  • +1 (615) 807-2822 | info@provincia.io

Social Networks

Links List

ABOUT US

Provincia Government Solutions is a SBA certified Small  Business cybersecurity assurance firm and a CMMC Certified Third Party Assessment Organization (C3PAO).  We were the first organization to become a  C3PAO in the Middle Tennessee (Nashville) area and provide a full range of services including CMMC consulting and certification assessments. Our assessment team is trained in CMMC and other government assessment disciplines and we are experienced working with organizations of all sizes. Please reach out with any cybersecurity or CMMC related inquiries. We look forward to speaking with you!

 

Paying for a CMMC Pre-Assessment can Save Money

Provincia Government Solutions

Can a CMMC Pre-Assessment Save You Money?

By Sese Bennett

October 31, 2022

As you are reading and preparing for the DoD’s CMMC 2.0 assessment, you more than likely have observed that both assessment and consulting organizations are offering a pre-assessment for those interested in attaining CMMC 2.0 certification. Did you ever think that spending money might actually save money? While there are still some requirements and restrictions that are still unclear, this article will help you determine if paying for a CMMC Pre-Assessment saves money. Likewise, we will discuss what type of pre-assessment is most likely to best prepare your company for the CMMC 2.0 certification assessment.  Paying for a CMMC Pre-Assessment can save money

Choosing the right Certified Third-Party Assessment Organization (C3PAO) for your CMMC assessment will take effort and time. This will be time and effort well spent if you find the right match and avoid companies that don’t have your best interest in mind.

In this blog, we discuss 5 C3PAO red flags that you should look for when interviewing prospective C3PAO’s to perform your CMMC assessment.

What is a CMMC Pre-Assessement?

To begin with, let’s define what a pre-assessment is and what it is not. In the context of CMMC, pre-assessments are a service that can be provided by anyone with knowledge of the CMMC 2.0 requirements prior to the formal certification assessment. Pre-assessments can be done in several different ways, but we will discuss the three most common options when considering this path for your organization. The value you gain from a pre-assessment greatly depends on the way it is performed and the deliverables you receive. Just remember that a pre-assessment is not the same as the formal certification assessment, and therefore is not a required step for certification. However, it is preferred. Read on to see why.

Shown below is the PGS Cheat Sheet for CMMC Pre-Assessment Guide. We will go discuss each option in more detail in the sections that follow.

Met/Not Met Assessment – Option 1

The first approach to CMMC pre-assessments requires a knowledgeable CMMC resource to assess your CMMC environment for compliance. After accessing your environment, the assessor provides a report specifying the status of each practice reviewed for compliance. This report will specify a status of Met or Not Met (failed) but will not contain remediation advice, details, or steps to correct any issues identified. Although this information can be useful, it can leave companies with more questions than answers. 

This option is typically a less expensive but also a less valuable option when it comes to pre-assessments. This type of pre-assessment can be conducted by Certified Third Party Assessment Organizations (C3PAO) that is or is not conducting your certification assessment, a Registered Practitioner Organizations (RPO’s), an external non-CMMC certified individual knowledgeable about CMMC, or even an existing non-CMMC internal resource with CMMC knowledge. Non-certified CMMC resources can present unique challenges   for an organization. These can include lack of knowledge of revised CMMC requirements, over-familiarity with the environment, lack of management impact due to already being part of the organization (familiarity breeds contempt; no one can be a prophet in their own land, etc.)  – well, you get the point.

Detailed CMMC Pre-Assessment with Recommendations – Option 2

The second approach to CMMC pre-assessments also requires a knowledgeable CMMC resource to assess your CMMC environment for compliance. For this approach, it is recommended that OSC’s (Organizations Seeking Certification) work with a C3PAO to conduct a detailed assessment of the CMMC environment. Output from this assessment should include a detailed report that includes the status of each practice (Met or Not Met) along with the remediation recommendations for correcting and deficiencies identified during the pre-assessment. This in-depth report and associated advice are far more useful than just a Met/Not Met report as discussed previously. The detailed CMMC pre-assessment with recommendations may be the more expensive option, but the return on investment is invaluable. 

With this approach, there are a few additional things to consider. The rules surrounding the CMMC 2.0 assessment process address issues that could arise and be viewed as a “Conflict of Interest”. An example of this would be when a C3PAO performs a pre-assessment for a OSC that includes recommendation or remediation advice or assistance. In this example, that C3PAO cannot perform the certification assessment since they have provided consulting assistance to the OSC. If this is the case, the C3PAO would work with the OSC to identify a different and independent C3PAO to perform the actual certification assessment. C3PAO’s in this scenario do not collaborate or share any information regarding the pre-assessment or certification assessment.

The rule to keep in mind is that if your favorite C3PAO assists you with recommendations, remediation steps or advice, or issue resolution in any way, this is considered consulting and that C3PAO cannot perform your CMMC 2.0 certification assessment.

Do Nothing (a.k.a. – Stick Your Head in the Sand) - Option 3

Of course, there is an option 3. That is to forgo the pre-assessment altogether. From a “likelihood of CMMC success” perspective, this seems to be the riskiest choice The chance of failing the assessment altogether is greatest with this option. Yes, with this option you will save money up front, but the cost of failing, remediation, and a second assessment is far more expense and time consuming in the end.

Summary

The CMMC pre-assessment is a critical part of your preparation process for successfully achieving your goal of CMMC certification. While achieving certification is possible with a pre-assessment, why risk it? Paying for a CMMC Pre-Assessment saves money and time.

Bypassing the opportunity for a pre-assessment significantly reduces your chances of certification on your first try and increases the likelihood that you will spend more on re-assessment activities in the future. Overall, a net loss for your organization.

Here at Provincia Government Solutions, we partner with a network of experienced and knowledgeable C3PAO’s. Whether we are preforming the pre-assessment or the formal certification assessment, we can recommend multiple C3PAO partners for your consideration. We are here to help you earn your CMMC 2.0 certification. Your success is our success.

Upcoming Blog

We will discuss the top 5 questions you should ask any prospective C3PAO in the next article. This article will help you hire the best C3PAO to do the CMMC Assessment for your company.

Be sure to subscribe to our blog and check out our podcast for more in depth discussion of all things cybersecurity.

Next Steps

Are you ready for Provincia Government Solutions to help you? If so, reach out to our team and let’s talk. We can put you are on the path to success!

Until then, be safe and stay secure!

About Us

Provincia Government Solutions, LLC is a Nashville based HUBZone certified security and risk assurance firm with advanced expertise in government regulatory and compliance cybersecurity requirements including NIST, FISMA, CMMC, SCA, 800-171, TRICARE, MARS-E and ZTA (Zero Trust Architecture) solutions. Our client base includes  government agencies, contractors, and commercial organizations affiliated with government entities. Whether you are seeking audit preparedness, compliance and assurance assessments,  security consulting, or CMMC certification, we have the expertise to help.  Contact us at (615) 807-2822 or at info@provincia.io to discuss your security needs today. Consultations are free of charge and we look forward to speaking with you!

Subscribe to our Blog!

Be The First

to Know

When New Blog Content is Published

Contact Information

  • P.O. Box 1685
    Spring Hill, TN 37064
    United States
  • +1 (615) 807-2822 | info@provincia.io

Social Networks

Links List

ABOUT US

Provincia Government Solutions is a SBA certified Small  Business cybersecurity assurance firm and a CMMC Certified Third Party Assessment Organization (C3PAO).  We were the first organization to become a  C3PAO in the Middle Tennessee (Nashville) area and provide a full range of services including CMMC consulting and certification assessments. Our assessment team is trained in CMMC and other government assessment disciplines and we are experienced working with organizations of all sizes. Please reach out with any cybersecurity or CMMC related inquiries. We look forward to speaking with you!

 

CMMC – Acronyms to Know

Provincia Government Solutions

CMMC: Acronyms to Know

By Heather Bennett

October 24, 2022

Have you ever been in a conversation where everyone used letters instead of words and you had no clue what they were talking about? This happens quite often in the IT and cybersecurity world. Groups of people that specialize in these areas shorten frequently used terms to make conversations go faster. Someone from outside that group may not be familiar with those acronyms and they may be lost as to the relevance of those acronyms to the conversation.

The first time I heard this happening, I thought my colleagues were speaking a foreign language. Luckily, with time and exposure I began to understand what the acronyms meant. This will happen to you as you begin to use and understand the language of CMMC. But until then, I have compiled a list of acronyms and their meanings to help increase your knowledge about CMMC and fast-track you to CMMC conversation excellence!

See the Cyber-AB CMMC Glossary and Acronyms for additional detail

Helpful Guide

CMMC Acronyms to Know


You can now download this PDF for future use!

DOWNLOAD

Next Steps

Are you ready for Provincia Government Solutions to help you? If so, reach out to our team and let’s talk. We can put you are on the path to success!

Until then, be safe and stay secure!

About Us

Provincia Government Solutions, LLC is a Nashville based HUBZone certified security and risk assurance firm with advanced expertise in government regulatory and compliance cybersecurity requirements including NIST, FISMA, CMMC, SCA, 800-171, TRICARE, MARS-E and ZTA (Zero Trust Architecture) solutions. Our client base includes  government agencies, contractors, and commercial organizations affiliated with government entities. Whether you are seeking audit preparedness, compliance and assurance assessments,  security consulting, or CMMC certification, we have the expertise to help.  Contact us at (615) 807-2822 or at info@provincia.io to discuss your security needs today. Consultations are free of charge and we look forward to speaking with you!

Be The First

to Know

When New Blog Content is Published

Contact Information

  • P.O. Box 1685
    Spring Hill, TN 37064
    United States
  • +1 (615) 807-2822 | info@provincia.io

Social Networks

Links List

ABOUT US

Provincia Government Solutions is a SBA certified Small  Business cybersecurity assurance firm and a CMMC Certified Third Party Assessment Organization (C3PAO).  We were the first organization to become a  C3PAO in the Middle Tennessee (Nashville) area and provide a full range of services including CMMC consulting and certification assessments. Our assessment team is trained in CMMC and other government assessment disciplines and we are experienced working with organizations of all sizes. Please reach out with any cybersecurity or CMMC related inquiries. We look forward to speaking with you!

 

CMMC – Understanding Maturity Levels

Provincia Government Solutions

CMMC: Understanding Maturity Levels

By Heather Bennett

October 17, 2022

In keeping with our CMMC theme, we are going to delve into a topic that has seen some change. There are many articles on this topic online. Sadly my most recent google search revealed that the old inaccurate information is quite prevalent. Hopefully this will alleviate some confusion and get everyone on the same page.

If you have spent any time trying to figure out where you belong in the CMMC ecosystem, you have more than likely heard the term CMMC Maturity Level. This is not an “act your age, not your shoe size” thing. This is the level at which your company will be assessed against the CMMC standards.

CMMC Maturity Levels: Then and Now

The original goal of the CMMC was to safeguard sensitive information. CMMC 2.0 was introduces in November of 2022 with some significant changes. Most notably was the change in Maturity levels. This change was facilitated to minimize barriers to compliance with DoD requirements while still ensuring accountability for companies to implement cybersecurity.

The first version of CMMC had 5 Maturity levels ranging from Basic to Advanced. The assessment requirements for this model were confusing and impractical for most small businesses operating as contractors or subcontractors. After much consideration, the levels were simplified and better defined. CMMC 2.0 was born.

CMMC 2.0 has only three maturity levels which are Foundational, Advanced, and Expert. However, the reduction in levels is not that only notable change. The change in assessment requirements was also huge change that was much needed for small businesses. This change made it easier for compliant small businesses to meet the CMMC requirements. Why is that the case?

How Mature Are You?

Level 3

As mentioned previously, CMMC 1.0 included five maturity levels including a level 4 and a level 5 Maturity Level. These two levels were defined by the type of CUI and FCI they protected with levels 4 and 5 earmarked for protecting the most sensitive CUI data types. CMMC version 2.0 combines these two levels into what we now know as CMMC 2.0 Maturity Level 3.

CMMC 2.0 Maturity Level 3 is still intended to protect the same sensitive CUI but with a simplified approach. But Additionally, CMMC 2.0 Maturity Level 3 will now require the DIB contractor to have a government-led assessment.

Level 2

What was once known as CMMC 1.0 Maturity Level 3 and Level 2, has now become CMMC 2.0 Maturity Level 2. Level 2 handles CUI and FCI of a less sensitive nature. With 110 practices, this level is required to have an assessment every three years by a C3PAO, and an annual self-assessment for some programs.

Level 1

The new CMMC 2.0 Maturity Level 1 retains much of the same parameters as the previous CMMC 1.0 Maturity Level 1.  CMMC 2.0 Maturity Level 1 remains at 17 practices to be assessed. The big change here is that these companies will be able to perform an annual self-assessment. This drastically reduces the cost for small businesses that handle only FCI. This new approach also allows them to demonstrate that they are protecting the FCI without incurring the cost of a third-party assessment.

Upcoming Blog

We will discuss some need-to-know acronyms in the next article. This article will help you learn the language of CMMC.

Be sure to subscribe to our blog and check out our new podcast for more in depth discussion of all things cybersecurity.

Next Steps

Are you ready for Provincia Government Solutions to help you? If so, reach out to our team and let’s talk. We can put you are on the path to success!

Until then, be safe and stay secure!

About Us

Provincia Government Solutions, LLC is a Nashville based HUBZone certified security and risk assurance firm with advanced expertise in government regulatory and compliance cybersecurity requirements including NIST, FISMA, CMMC, SCA, 800-171, TRICARE, MARS-E and ZTA (Zero Trust Architecture) solutions. Our client base includes  government agencies, contractors, and commercial organizations affiliated with government entities. Whether you are seeking audit preparedness, compliance and assurance assessments,  security consulting, or CMMC certification, we have the expertise to help.  Contact us at (615) 807-2822 or at info@provincia.io to discuss your security needs today. Consultations are free of charge and we look forward to speaking with you!

Subscribe to our Blog!

Be The First

to Know

When New Blog Content is Published

Contact Information

  • P.O. Box 1685
    Spring Hill, TN 37064
    United States
  • +1 (615) 807-2822 | info@provincia.io

Social Networks

Links List

ABOUT US

Provincia Government Solutions is a SBA certified Small  Business cybersecurity assurance firm and a CMMC Certified Third Party Assessment Organization (C3PAO).  We were the first organization to become a  C3PAO in the Middle Tennessee (Nashville) area and provide a full range of services including CMMC consulting and certification assessments. Our assessment team is trained in CMMC and other government assessment disciplines and we are experienced working with organizations of all sizes. Please reach out with any cybersecurity or CMMC related inquiries. We look forward to speaking with you!