Compliance at Soteria
CMMC • HIPAA • SOC 2 • NIST-800
Compliance Consulting, Policy & Procedure Development
Offered in Partnership with EMBER TECHNOLOGY
Soteria is proud to partner with Ember Technology
Achieving regulatory compliance can be daunting, especially when the rules keep changing.
That’s why we partner with Ember Technology, an experienced, trained, and detail-oriented team who knows all the ropes – so you don’t have to.
Ember Technology is an experienced provider of consulting services to government contractors and other companies in preparation for their CMMC assessments.
Ember’s Registered Practitioners (RPs) and Certified CMMC Professional (CCP-pending) have the expertise to help you navigate the regulations and processes to prepare, maintain, and improve your regulatory compliance.
While primarily geared towards CMMC/NIST compliance, Ember has expertise in helping organizations achieve HIPAA and SOC 2 compliance as well.
Did you know:
With the final revisions to CMMC 2.0, third parties that help your business with protected information (like your MSP) don’t need to be as CMMC compliant as you are.
But the process will be a whole lot smoother for everyone if they are.
It’s true.
In the world of CMMC, Managed Service Providers (MSPs) as they are commonly known, are defined in section 170.4 as ESPs: External Service Providers.
External Service Provider (ESP) means external people, technology, or facilities that an organization utilizes for provision and management of IT and/or cybersecurity services on behalf of the organization. In the CMMC Program, CUI or Security Protection Data (e.g., log data, configuration data), must be processed, stored, or transmitted on the ESP assets to be considered an ESP. (CMMC-custom term)
https://www.federalregister.gov/d/2024-22905/p-2003
Later, in section 170.19, the final rule states that:
(ii) The use of an ESP, its relationship to the OSA, and the services provided need to be documented in the OSA's SSP and described in the ESP's service description and customer responsibility matrix (CRM), which describes the responsibilities of the OSA and ESP with respect to the services provided. Note that the ESP may voluntarily undergo a CMMC certification assessment to reduce the ESP's effort required during the OSA's assessment. The minimum assessment type for the ESP is dictated by the OSA's DoD contract requirement.
https://www.federalregister.gov/d/2024-22905/p-2336
So what does this mean?
While the exact answer has a lot to do with what access the ESP has to the CUI, and whether it is in cloud storage or on premises, in many cases it is a safe bet that “The MSP must satisfy all security requirements related to the processing, storage, or transmission of CUI.”*
Which is to say that their operation may have to be assessed as part of your assessment.
Do you trust that your MSP isn’t going to hang up your assessment with their own? Ember Technology has been putting in the work to become CMMC Level 2 compliant, so we are part of the solution, not part of the problem.
*https://dodcio.defense.gov/Portals/0/Documents/CMMC/CMMC-FAQs.pdf

What is CMMC / NIST-800?
The Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) program in 2019, based on the cybersecurity guidelines already laid out in the National Institute of Standards and Technology’s Special Publication 800 series (NIST 800 or NIST SP 800).
CMMC is a set of cybersecurity standards that contractors in the Defense Industrial Base (DIB) need to adhere to in order to win and service DoD acquisition contracts. CMMC exists to protect sensitive information involving DoD projects, the contractors themselves, and the final products against the increasing threat of cyberattack, malware, and compromise.
The DoD incorporated CMMC into its acquisition programs to ensure that all contractors and subcontractors are trusted and secure. However, several major changes and updates to the program have made keeping full compliance difficult.
That is where Ember comes in, to assist contractors and subcontractors with keeping current, compliant, and secure.

What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to modernize the handling of healthcare information and ensure patient privacy.
Among other things, HIPAA stipulates how personally identifiable information (PII) or protected health information (PHI) needs to be handled and maintained by the healthcare and health insurance industries, in order to protect it from fraud and theft.
HIPAA’s Privacy Rule prohibits healthcare providers and related businesses from disclosing protected personal information to anyone other than a patient and the patient’s authorized representatives without their consent.
Less well known is HIPAA’s Security Rule, which dictates how entities handle PHI in electronic form (e-PHI).
To comply with the HIPAA Security Rule, all covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI
- Detect and safeguard against anticipated threats to the security of the information
- Protect against anticipated impermissible uses or disclosures that are not allowed by the rule
- Certify compliance by their workforce

What is SOC 2?
The American Institute of Certified Public Accountants (AICPA) developed the System and Organization Controls (SOC) security framework to help ensure that service organizations such as payroll services, accountants, and other data processors manage data and systems responsibly and to establish a layer of trust between service providers and the businesses they serve. SOC 2 is one of three types of SOC reports.
The SOC 2 framework contains five categories of Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy. These criteria judge a service provider’s ability to safely and securely handle and process sensitive data. Compliance is judged by an audit performed by a CPA or other certified auditor.
The SOC 2 audit produces a detailed report comparing the organization’s internal controls with the five Trust Services Criteria. SOC 2 reports are intended to be made available to customers and other stakeholders only, to provide assurance that the organization’s services are secure and reliable. The report is not intended for the general public.