Business IT Compliance

Does your business have compliance regulations?

Our compliance team is ready to help.

Whether you’re a healthcare provider needing HIPAA compliance, or a contractor or subcontractor to the Department of Defense required to comply with DFARS 252.204-7012, Exsenic IT Solutions’ team of security experts helps clients across the United States meet their specific compliance requirements.

We understand these things can be a bit overwhelming and that your time is extremely valuable. Our team will gladly take this burden off your shoulders as we walk you and your employees down the road to compliance.

U.S. Department of Defense Prime and Subcontractors

Contractors and subcontractors that work with the U.S. Department of Defense must ensure adequate security by implementing the 110 controls of NIST SP 800-171 as part of the process for ensuring compliance with DFARS clause 252.204-7012.

Contractors are required to complete a self-assessment of their own compliance, which the DoD interprets as an attestation of compliance. Proof of compliance relies heavily on two documents: a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M).

To aid in this compliance process, the Department of Defense has released its final guidance on assessing contractor compliance during the contract award process.

If you are a contractor with the Department of Defense and have questions about the DoD’s compliance guidance or about how to develop the required SSP and POA&M documents, one of our compliance consultants will be happy to guide you through the process.

What is the CMMC?

The Department of Defense has announced that it is developing a new cybersecurity standard and certification for defense contractors, named the “Cybersecurity Maturity Model Certification” (CMMC).

The CMMC will encompass multiple maturity levels, ranging from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use it as a “go / no go” decision.

The CMMC is expected to combine relevant portions of various cybersecurity standards, such as NIST SP 800-171, NIST SP 800-53, ISO 27001, and ISO 27032, into one unified standard for cybersecurity. Unlike NIST SP 800-171, which measures a contractor’s compliance with a specified set of controls, the CMMC will more broadly “measure the maturity of a company’s institutionalization of cybersecurity practices and processes.”

What will certification look like?

The current DFARS clause does not require third-party audits, allowing contractors to self-certify when implementing the controls of NIST SP 800-171. With the coming of the new CMMC, contractors will be required to certify by means of third-party audits.

What does all this mean?

Coming in January 2020, all businesses that do work with the Department of Defense will be required to have a third-party auditor assess their cyber hygiene for certification under the new CMMC, regardless of whether they handle CUI. The level of certification will depend on the CUI that the company processes or handles. This process covers not only the business’s cybersecurity but also its processes and procedures for data and network security. Companies that are not certified will not be able to bid for work with the Department of Defense.

It’s unreasonable to expect all businesses to be able to afford the very high cost of hiring an in-house cybersecurity team. A security specialist can command upwards of $150,000 per year in salary alone. Add the cost of the required tools and systems, such as antivirus, firewall, backup server, penetration testing and vulnerability testing, and the total has typically been out of reach for small and medium businesses.

This means businesses need simple, cost-efficient solutions designed with the SMB budget in mind. That’s where Exsenic IT Solutions can help you save time and money while making sure your business is prepared to certify under the new CMMC and gain an edge over businesses that are not fully prepared.

Who needs to be HIPAA compliant?

If your business has access to electronic Protected Health Information (ePHI), your organization is required to be HIPAA compliant. Such organizations include hospitals, clinics, regional health services, and other medical practitioners.

HIPAA compliance involves fulfilling the requirements of the Health Insurance Portability and Accountability Act of 1996, all amendments, and any related legislation such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.

In addition, the American Recovery and Reinvestment Act of 2009 requires the Department of Health and Human Services to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and the Breach Notification standards.

If your business is a Covered Entity or Business Associate that handles PHI, you are subject to these audits. Exsenic IT Solutions’ compliance experts and partners can help guide you through this overwhelming process.

Need help getting your business compliant to avoid penalties or loss of contract?

Our experts can help you navigate these overwhelming processes.