Is a CMMC Pre-Assessment right for your organization?

Cyber attackers can find and exploit weaknesses even in the best defenses. As attacks become increasingly sophisticated, it’s more important than ever to identify and mitigate those weaknesses before they get hacked—and build a corporate culture that makes cybersecurity a priority. An ISSI Cybersecurity Pre-Assessment identifies and quantifies security vulnerabilities in your IT environment. Our security experts evaluate weaknesses that attackers will target and provide mitigation options to eliminate or reduce your risk.

ISSI consultants collect information about your on-premises and cloud-based computing environments, identify potential non-compliance, and offer prioritized recommendations in a custom report used by executives and technical staff.

A CMMC Pre-Assessment from ISSI can help your organization:

• Recognize new attack vectors
• Identify and prioritize vulnerabilities
• Evaluate the extent of potential business and operational impacts of non-compliance
• Ensure comprehensive System Security Plans (SSP)’s are in place
• Provide justification for increasing security investment
• Meet CMMC requirements
• Achieve CMMC compliance
• Realize a competitive edge

Access to our CMMC webinar

Identify system and network weaknesses and non-compliance

Your security solution should evolve with changing threats. However, many IT departments, facing “do more with less” mandates, may not have the time or resources to perform an accurate pre-assessment.

To pass a CMMC assessment your organization must meet regulatory security standards and ensure total compliance with industry best practices or risk failing the assessment. As a CMMC-AB Registered Provider Organization (RPO) our professionals are equipped to properly identify areas of risk and establish a remediation plan, taking you one step closer to passing the assessment!

Our Methodology

ISSI conducts on-premise, virtual, or hybrid assessments. Our experts work with your company’s IT staff to guide and provide mentoring on CMMC security controls. It starts with a one hour kick-off meeting that includes the senior leadership team to review the cybersecurity environment and ensure it is part of corporate culture, and not just a checklist.

Our team of professionals conduct the pre-assessment using one, two, or all three methods of examining, testing, and interviewing to obtain a body of evidence. This is organized and turned into a summary report by ISSI that provides an evaluation of the cyber maturity of the organization and identifies vulnerabilities that require remediation to comply with CMMC security controls. Additionally, the assessment team determines and verifies the company’s Supplier Performance Risk System (SPRS) score.

Companies receive a breakdown of the 17 domains and the current number of practices required at each of the CMMC levels. Security controls that do not meet CMMC standards are summarized and organized into a prioritized list to help IT staff determine which practices to remediate in order of precedence or level of importance.

ISSI has the expertise to evaluate each of the CMMC security controls. By partnering with ISSI, companies can benefit from a CMMC pre-assessment to strengthen their cybersecurity posture. Using a Good, Better, Best format, ISSI enables companies to evaluate remediation options for cost and effect.

Need to prepare for a CMMC Assessment? Get CMMC Ready with an ISSI Cybersecurity Maturity Model Certification (CMMC) Pre-Assessment and Consulting

The aggregate loss of Controlled Unclassified Information (CUI) from the Defense Industrial Base (DIB) sector increases risk to national economic security and in turn, national security. In order to reduce this risk, the Department has continued to work with the DIB sector to enhance its protection of CUI in its unclassified networks.

The Council of Economic Advisers, an agency within the Executive Office of the President, estimates that .malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 [Ref: “The Cost of Malicious Cyber Activity to the U.S. Economy, CEA” in February 2018].

The Center for Strategic and International Studies (CSIS), in partnership with McAfee, reports that as much as $600 billion, nearly 1% of global GDP, may be lost to cybercrime each year. The estimate is up from a 2014 study that put global losses at about $445 billion. [Ref: “Economic Impact of Cybercrime – No Slowing Down” in February 2018].

Source: Cybersecurity Maturity Model Certification (CMMC) (

Our Expertise

With 50+ years of collective experience, our consultants are at the forefront of cybersecurity innovation for the Department of Defense. As a CMMC-AB RPO, we have extensive experience with and have contributed to the standard being implemented within CMMC.

Our Subject Matter Experts

Mark Tellier

Mark Tellier Colonel (r) is a senior professional with over 31 years of military service in the United States Army and over 14 years of experience providing Information Technology development, operations, maintenance, and enhancement support services built around the Department of Defense Information Network (DoDIN) and Cybersecurity Risk Management Framework.

Mark has held extensive progressive executive leadership positions that emphasized strategic and change management. He served 5 years as the Chief Information Officer leading the Michigan ARNG Cyber Protection Team and Defensive Cyber Operations Element, partnering with Michigan State Police Cyber Crime Unit, MiC3, and MC3. His expertise includes managing Cybersecurity framework for government networks consisting of Classified and Unclassified networks.

Fern Tillman

Fern Tillman is a professional senior consultant and auditor with over 30 years of experience implementing and auditing management systems, including five years as a certification body auditor. She has decades of experience auditing supply chain programs for companies such as Cisco Systems, Microsoft Azure, Google Cloud Platform and Oracle MSE. She specializes in implementing Information Security (ISO 27001) and quality (ISO 9001) management systems.

In addition to serving as the Program Manager and sole external resource to develop the Oracle Managed Service Expertise Audit Program Requirements, she has held key roles in the initial audit of the Oracle, Microsoft Azure MSE and Google Cloud Platform MSE audit programs.

Fern was part of the first group of individuals to become a Certified Lead Cloud Security Manager and Lead Implementor for Compliance Management Systems (a new ISO Standard). She is also a certified Sr. Lead Auditor and Lead Implementer for ISO 27001 and 9001, as well as an Accredited Certified Trainer for ISO implementation and auditor courses.

With more than 300,000 private DoD contractors, NOW is the time for companies within the DoD ecosystem to begin preparing for CMMC.

Contact us today at to schedule a pre-assessment consultation.

CMMC Levels

There are five levels of CMMC certification, corresponding to different cybersecurity processes and practices.

Level 1

Processes: Performed

Practices: Basic Cyber Hygiene

Requires that an organization perform the specified practices. Because the organization may only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.

Corresponds with the 17 basic cybersecurity processes that must be performed to protect FCI in NIST SP 800-171 Rev 2 and 48 CFR 52.24-21.

Level 2

Processes: Documented

Practices: Intermediate Cyber Hygiene

Requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practicing them as documented.

Serves as a progression from Level 1 to Level 3 and corresponds to 72 cybersecurity requirements including all 17 Level 1 practices. Consists of a subset of the security requirements specified in NIST SP 800=171 as well as practices from other standards and references.

Level 3

Processes: Managed

Practices: Good Cyber Hygiene

Requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation.

Focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices from other standards and references to mitigate threats. Corresponds to 130 cybersecurity processes including all Level 1 and 2 requirements.

Level 4

Processes: Reviewed

Practices: Proactive

Requires that an organization review and measure practices for effectiveness. Organizations must also be able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis.

Focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. Corresponds to 156 cybersecurity practices including all Level 1, 2 and 3 requirements. Adds ability to defend CUI from APT-style attacks by enhancing the detection and response capabilities to address and adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs.

Level 5

Processes: Optimizing

Practices: Advanced/Progressive

Requires an organization to standardize and optimize process implementation across the organization.

Focuses on the protection of CUI from APTs and the increased depth and sophistication of cybersecurity capabilities. Corresponds to 171 cybersecurity processes, including all Level 1, 2, 3 and 4 requirements.

Contact Us

We look forward to hearing from you.