
Regulated Entity Security & Compliance Assessment: CMMC, HIPAA, NIST CSF

BorderHawk delivers Cyber Risk Consulting and related services to assist organizations in building cybersecurity programs that meet risk and regulatory requirements. Our team of experts provides tailored solutions to address cyber threats and vulnerabilities, ensuring the security and resilience of your digital assets. We are dedicated to helping our clients navigate the complex landscape of cyber risks and develop robust defense strategies.

CMMC Assessment (Cybersecurity Maturity Model Certification)

CMMC (Cybersecurity Maturity Model Certification) is a framework developed by the National Institute of Standards and Technology (NIST), published under SP 800-171 and implemented under arrangement with the Cybersecurity Accreditation Body (CyberAB). The CMMC model has been adopted by the U.S. Department of Defense (DoD) to assess and improve the cybersecurity posture of organizations in its supply chain. It builds on existing trust-based regulations (DFARS 252.204-7012) by adding a verification component for cybersecurity requirements. Therefore, CMMC is a verification process intended to validate the correct implementation of DFARS 252.204-7012.

The BorderHawk CMMC readiness assessment and preparation service is a process through which OSCs (Organizations Seeking Certification) that want to begin or continue working with the DoD as primes or subcontractors are evaluated against the CMMC framework. BorderHawk's process, guidance, and support are designed to increase confidence that an OSC has a fully developed and implemented program and that the organization is prepared to schedule and conduct an audit via a C3PAO of its choice.

The main goal of CMMC is to improve the overall cybersecurity posture of the defense industrial base (DIB) and verify that OSCs have controls in place for the protection of controlled unclassified information (CUI) and federal contract information (FCI) shared with the Defense Industrial Base as this data flows down through its supply chain.

HIPAA (Health Insurance Portability and Accountability Act)

HIPAA is a federal law that sets a national standard to protect medical records and other personal health information. The HIPAA Security Rule establishes national standards for the protection of electronic PHI (ePHI) and requires covered entities to implement a variety of safeguards to ensure the confidentiality, integrity, and availability of ePHI.

Regular assessments ensure adherence to these rules and reduce the risk of non-compliance, which could lead to significant penalties, fines, and legal consequences.

The BorderHawk HIPAA assessment involves a thorough review of an organization’s administrative, physical, and technical safeguards to identify vulnerabilities, gaps, and areas that may pose risks to the security of ePHI. The goal is to determine whether the entity is meeting the necessary requirements to protect sensitive health data and avoid potential breaches. The entities subject to HIPAA include:

  • Healthcare Providers: Doctors, hospitals, clinics, nursing homes, pharmacies, and other medical professionals who transmit health information electronically.

  • Health Plans: Insurance companies, HMOs, and employers who provide health benefits.

  • Healthcare Clearinghouses: Organizations that process health information and act as intermediaries between healthcare providers and health plans.

  • Business Associates: Any third-party service providers who handle, store, or transmit ePHI on behalf of covered entities. Examples include IT vendors, cloud service providers, billing companies, and medical transcription services.

NIST CSF (Cybersecurity Framework)

NIST CSF is often recommended, or required by certain contracts, for organizations in critical sectors like telecommunications, healthcare, utilities, state and local governments, and manufacturing, where cybersecurity risks could have severe consequences. These sectors must protect against cyber threats to ensure the safety and continuity of essential services.

The framework helps organizations better understand their cybersecurity risks and prioritize their mitigation efforts. NIST CSF specifies that organizations conduct a risk assessment in addition to the 101 subcategory-based objectives assessment. This risk-based approach, in which the organization identifies its critical assets and documents explicitly what it is currently doing to meet each and every subcategory objective, is vital for building awareness of its holistic enterprise cybersecurity posture. From this understanding of critical assets and the current (As-Is) posture, a targeted (To-Be) posture becomes clearer, enabling proper resource allocation and showing where to focus in order to address the most critical vulnerabilities first. By following the NIST CSF 2.0 process accurately, organizations can implement best practices and build a robust cybersecurity strategy to protect against evolving threats, such as data theft, ransomware, phishing, and other cyberattacks.

The NIST CSF is scalable and can be used by small, medium, and large organizations alike. It is designed to be flexible enough to meet the unique needs of different organizations, whether they are a small business or a large multinational corporation.

The NIST CSF 2.0 (the current version) consists of six core functions:

  1. Govern: The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.

  2. Identify: The organization's current cybersecurity risks are understood.

  3. Protect: Safeguards to manage the organization's cybersecurity risks are used.

  4. Detect: Possible cybersecurity attacks and compromises are found and analyzed.

  5. Respond: Actions regarding a detected cybersecurity incident are taken.

  6. Recover: Assets and operations affected by a cybersecurity incident are restored.
