The MCGlobalTech Managed Security Compliance Program helps small business government contractors meet the DFARS/NIST 800-171 compliance requirements by managing their security and compliance. Save Money. Run your business. Leave it to the experts.

1. Mission Critical Global
Technology Group
Managed Security Compliance Program
(MSCP)

2. About Us
MCGlobalTech
– Mission Critical Global Technology Group (MCGlobalTech) is
a minority owned, small business founded by industry
leaders to provide strategic advisory and security consulting
services to public and private sector business managers to
better align technology and security programs with
organizational mission and security compliance goals.
– The Principals at MCGlobalTech have provided Information
Security services to the Federal Government and private
sector for over 25 years

3. Our Values
At MCGlobalTech, we believe strong values create long
term relationships with our customers, employees,
partners and the communities we serve. At the heart
of everything we do are our corporate values:
– Providing customer satisfaction
– Delivering innovative solutions
– Empowering staff for success
– Promoting Entrepreneurial spirit
– Maintaining technical excellence
Staff
Skills
Success

4. What we offer
MCGlobalTech builds and manages efficient, cost-effective
information security programs to protect client systems,
network and data against cyber threats, meet regulatory
compliance requirements and improve organizational IT
governance. We continually demonstrate excellence in the
following core competencies:
– Security Program Development
– Enterprise Risk Management
– Governance and Compliance
– Systems Security Monitoring
– Security Engineering
– Vulnerability and Penetration Testing
– Network and Systems Security

5. Combating Cyber Threats
The Federal government is making a concerted effort combat
growing threats to our national security from both internal
and external cyber threat actors including nation-state,
terrorists, malicious insiders, etc..
Cybersecurity requirements are increasingly being introduced
through the FAR and DFARS to the companies providing
services to US government entities.
The DFARS Clause 252.204-7012 is aimed at protecting
contractor information and systems used to deliver services
to the US Department of Defense.

6. REQUIREMENTS FOR CONTRACTORS
The DFARS Clause 252.204-7012 established a requirement for
“adequate security” for the information(differs based on the
type of data)
– Covered Defense Information (CDI)
– Controlled Technical Information
– Critical Information
– Export Control Information
– Other information identified in the contract
The DFARS clause also grants DoD personnel access to the
contractor’s system to investigate the incident

7. REQUIREMENTS FOR CONTRACTORS
Under the DFARS provisions, contractors were directed to
implement NIST 800-171 standards “as soon as practical, but
not later than December 31, 2017.”
Compliance Requirements
• Assess against 110 controls defined in NIST SP 800-171
• Document compliance status with respect to each control (SSP)
• Document areas of non-compliance and remediation plans (POA&M)
• Be prepared for audits and/or requests for compliance attestation
• Implement breach reporting requirements (within 72 hours)

8. REQUIREMENTS FOR CONTRACTORS
Compliance is not a one-time activity – It requires building an
enterprise information security program that continuously
assesses and manages risks, protects covered information and
systems used for processing, storage and transmission, and
monitors and detects threats with the ability to report incidents
with 72 hours.
Organization Size is not a consideration – All companies must
comply. It only takes one user, one system to cause a cyber breach.
Not just IT – The requirements covers your People, Policies,
Processes, Technologies, Physical and Environmental, Supply Chain,
etc..
You can’t outsource your compliance responsibility. You have be
able to document how your service providers/cloud services meet
the control requirements.

9. CONSEQUENCES FOR CONTRACTORS
Companies unable to demonstrate NIST 800-171 compliance
will be severely impacted as Contracting Officers and Prime
Contractors will require DFARS compliance as a pre-requisite
to [continue] doing business with the DOD.
For companies currently doing business with the DOD,
consequences of non-compliance may include contract
termination for default or convenience, suspension or
debarment, breach of contract damages, liquidated damages,
and False Claims Act damages.

10. Managed Security Compliance Program
Our Managed Security Compliance Program (MSCP)
provides full life-cycle security compliance support to help
fellow small businesses meet regulatory and business
security goals.
Regardless of company size or service offering, the MSCP
helps you build and mature an enterprise information
security program that protects your mission-critical People,
Processes and Technologies necessary to protect you and
your customers from growing cyber threats and
increasingly complex regulatory requirements.

11. Full Life-Cycle Security
Security
Requirements
Definition
Security Design
and Engineering
Security Test,
Validation and
Reporting
Security
Documentation
and Response

12. Full Life-Cycle Security
Security Requirements Definition
– The initial phase of the life cycle defines the
security management, operational and technical
requirements for the security program.
– The MCGlobalTech Compliance Team defines the
requirements of the program in accordance with
the applicable regulatory framework (FISMA/NIST,
ISO, CoBit, PCI DSS, etc.). We also take into
account business goals and structure, leadership
risk tolerance and organizational culture.

13. Full Life-Cycle Security
Security Design and Engineering
– To be effective , security goals and requirements
must be “built” into organization policies,
processes, operations and technical environments.
– The MCGlobalTech Security Engineering Team
provides expert support to include security
architecture design, security control identification
and implementation and security risk analysis and
assessment.

14. Full Life-Cycle Security
Security Test, Validation and Reporting
– MCGlobalTech offers a full range of application,
system and network testing to include security
controls testing, risk assessments, vulnerability
assessments and penetration testing.
– The MCGlobalTech Security Assessment Team
provides Independent Validation and Verification
(IV&V) testing to ensure that the security program
meets the defined security and compliance
requirements.

15. Full Life-Cycle Security
Security Documentation and Response
– During the operational phase of the program, the
MCGlobalTech Compliance Team creates and/or
maintains the security compliance program
documentation to include security policies,
security plans, risk assessments, plan of action
and milestones, etc.
– MCGlobalTech implements our Managed
Compliance Service (MCS) and Managed Security
Service (MSS) to ensure regulatory compliance,
system confidentiality, reliability and security.

16. MCGlobalTech MSCP Goals
Security and Compliance Goals
qMaintain compliance documentation
qBuild security policy framework
qPerform vulnerability management
qPerform security controls testing
qTrack and manage security risks
qEducate and train users and system administrators
qProvide security monitoring throughout environment

17. Managed Compliance Service
The MCS provides a NIST 800-171 baseline compliance audit against all 110
required controls and generates the required compliance documentation i.e.
System Security Plan (SSP) which documents state of compliance and Plan of Action
and Milestones (POAM) which documents identified gaps and remediation plans
and timelines.
POAM remediation is then tracked, validated and documented with quarterly
assessments thus improving compliance posture and mature security program.
Required on-going security controls assessments, vulnerability and risk assessments
continuous monitoring, and penetration tests are scheduled as appropriate
intervals.
Baseline
Assessment
Monthly/Quarterly
Checks
Full
Compliance

18. Managed Compliance Service
MCS Compliance Schedule (Annual)
Quarter 1 q Conduct Compliance Audit
q Findings tracking and reporting (eg. POAM)
q Create/Update Policies and Procedures
q Generate Compliance Artifacts (eg. SSP, Letter of Attestation)
q Vulnerability Assessment
q Security Awareness Training
Quarter 2 q Plan of Action & Milestone (POAM) Review/Update
q System Security Plan (SSP) Review/Update
q Vulnerability Assessment
q Security Controls Assessment
Quarter 3 q Plan of Action & Milestone (POAM) Review/Update
q System Security Plan (SSP) Review/Update
q Vulnerability Assessment
q Security Controls Assessment
Quarter 4 q Plan of Action & Milestone (POAM) Review/Update
q System Security Plan (SSP) Review/Update
q Enterprise Security Risk Assessment
q Network Penetration Test

19. Managed Security Service
The MCGlobalTech Managed Security Service (MSS) provides 24/7
monitoring of all end user systems (laptops, desktops, mobile
devices, servers) and Internet-facing devices (routers, firewalls,
webservers) for near real-time detect and response to cyber threats
and vulnerabilities.
Our MSS also helps small business clients meet security audit,
monitoring and incident reporting compliance requirements of the
DFARS 7012/NIST 800-171.
MSS
Internal &
External Audits
Federal
Guidelines and
Directives
Threats and
Vulnerabilities

20. Past Performance
MCGlobalTech’s Principals have worked for and with large
and small contracting and consulting firms. We have provided
security expertise throughout the federal government
including the Department of Defense, Intelligence and
Federal Civilian Agencies. We have also provided security
services to financial, healthcare and various commercial
sector organizations throughout the country.
A list of some of our clients we’ve helped meet the DOD
DFARS/NIST 800-171 compliance requirements is listed in the
following table.

21. Some of our DOD Contractor Clients

22. Contact Us
Mission Critical Global Technology Group
1325 G Street, NW
Suite 500
Washington, District of Columbia 20005
Phone: 202.355.9448
Email: Info@mcglobaltech.com
Wiliam J McBorrough Regine Bonneau
Co-Founder/CEO Director, Risk & Compliance
wjm4@mcglobaltech.com rbonneau@mcglobaltech.com
(202) 355-9448 x101 (202) 355-9448 x104