Winsor has two branches of security assessments: CMMC assessments and regular security assessments. With the requirement for the CMMC certification, we recognize the importance for your company to implement the certification as soon as possible. We want to help you achieve your certification and help you meet other compliances as well.

Thorough CMMC Assessment

Identify Current Security Needs

Recommendation of Improvements

System Security Plan and Plan of Action & Milestones

Present Findings and Security Reports

Ongoing Cybersecurity Monitoring

CMMC Assessments

CMMC stands for Cybersecurity Maturity Model Certification. Since the Department of Defense (DoD) announced the CMMC requirement, Winsor has taken the steps to implement the requirements for this certification with our clients and inform businesses of any possible risk. The goal of this certification is to comply to the DoD’s standards and to reduce the cyber threats for your company. Along with reducing the threats, the CMMC is intended to ensure that the cybersecurity practices and processes are in place to protect controlled unclassified information (CUI).

(Source: CMMC v1.0 Public Breifing) There are 5 levels within the CMMC. As identified in the chart above, as the levels increase, the practices and processes increase.

3 Steps to Achieve Your CMMC

No matter the size of your business, whether you are a Prime or a Subcontractor, you will need to comply with the CMMC requirements. Winsor will perform a thorough cybersecurity assessment based on the NIST framework and the controls set forth in CMMC. Then we will assist or perform remediation on the findings from the assessment. In order to stay compliant, we must then continue to adhere to the CMMC requirements.


We perform a detailed assessment of your current network and compare this with the cyber security controls required in NIST SP 800-171. We then prepare an SSP and POAM so that you can provide documented evidence to the DoD or your Prime that you’re on your way towards compliance. This step then serves as the basis for creation of the remediation plan.


In this step the items called out in the POAM need to be addressed. Depending on the current state of your IT systems, this can be as simple as implementing multi-factor authentication and security awareness training or as complex as refreshing an entire aging infrastructure.


Ongoing Compliance

Ongoing advanced cybersecurity monitoring and incident response capabilities are required to remain compliant. If a cyber incident occurs you must notify the DoD through the DIBNet Portal within 72 hours. You must also constantly assess and maintain the NIST 800-171 controls over time as systems change and fall out of alignment.


How can Winsor help you?

We will perform a thorough Assessment based on CMMC requirements. We then will prepare a System Security Plan (SSP) and Plan of Action and Milestones (POAM) to comply with basic requirements. Based on findings in the POAM, we will assist with remediation. Lastly, we will assist with ongoing cybersecurity monitoring and incident response efforts.
(Source: CMMC v1.0 Public Breifing)

Release Dates

Included in RFIs starting June 2020
Included in RFPs starting Fall 2020

How does it affect government contracts?

The government determines the appropriate tier for the contracts they administer. A goal for having this is to make cybersecurity an ‘‘allowable cost’’ for DoD contracts. The Defense Counterintelligence and Security Agency (DCSA) will include CMMC assessments as part of their holistic security rating score.

Do I need an assessment?

If your company works with the DoD, it has to be CMMC certified. The majority of the estimated 300,000 businesses requiring the certification fall into the small and mid-size business range. You must also comply if your company is working directly or indirectly with the DoD as a Prime or Subcontractor.

Why does anyone need an assessment?

Your company has to hit specific levels of compliance within the CMMC requirements for certain contracts through the DoD. The specific level will be determined based on the amount of CUI your company manages or processes.

Regular Security Assessments

Not only do we offer you CMMC assessments, but we also want you to use our regular security assessments to comply with any other standard or regulations. To keep your company secure, we offer you regular security assessments that can help meet other compliances, such as HIPAA, SOC2, and GLBA. If you are wondering about your business’s vulnerabilities, risks, or preparedness, you should receive our regular security assessments. Small business’s can carry the biggest potential for falling victim to a security breach or attack, so maintaining an assessment can eliminate the risks.


Health Insurance Portability and Accountability Act




Why you need this assessment

Any business wanting a better understanding of their current IT environment.

  • Merger and acquisition or divestiture activity

  • System failures or security breech

  • An employee has recently resigned, and you want objective, 3rd party documentation of the current environment and the health of the systems

  • You have slow application performance, or intermittent network outages, and unsure of the source

  • It has been several years since an investment has been made in your IT infrastructure, and you want a prioritized list of projects that will deliver the greatest value with the least investment

  • You are considering using managed services to delivery some of your IT systems, and need an accurate inventory to obtain pricing

  • Leadership has asked for a benchmark of your current IT systems relative to cyber security threats and Cloud IT opportunities