Provide Compliance as a service (CaaS) to assist our customers with obtaining certification in the frameworks they are targeting such as CMMC, ISO, NIST, CMMI, HIPAA, SOC 2
SERVICE OFFERING 1 (NON-TECHNICAL)
Service Offering Name: Cybersecurity Compliance: CMMC/ISO 27K Non-Technical Implementation (Documentation, Evaluation, & Process)
Short Summary: To support organizations’ CMMC and/or ISO/IEC 27001 compliance efforts, R3 provides cybersecurity compliance implementation, management, and maintenance solutions. This service offering provides non-technical control implementation (documentation, evaluation, and process) to meet specific compliance requirements.
Description: R3's Cybersecurity Compliance as a Service (CaaS) service offerings allow customers to have consistent assistance to maintain the integrity of their compliance program(s). To achieve the most seamless and successful cybersecurity compliance outcomes, R3 recommends combining this non-technical implementation service offering with our separate technical control implementation service (Cybersecurity Compliance: CMMC/ISO Technical Control Implementation). Additionally, R3 offers managed IT and cybersecurity services that complement compliance efforts by helping fulfill many requirements.
Common tasks of this non-technical CaaS engagement can include:
• Internal audit/gap assessment
• Policy/process development and documentation management
• Plan and manual development (e.g., SSP)
• Remediation plan development (e.g., POA&M)
• Process-related remediation/implementation support
• Cyber incident response (IR) tabletop exercise
• Cybersecurity training and awareness support
• Risk/security assessment
• Other documentation-related items as required
R3 provides these compliance services for standards including:
• CMMC: R3 assists defense contractors in achieving Cybersecurity Maturity Model Certification, enabling your participation in government contracts.
• NIST: R3 ensures your alignment with NIST frameworks, fortifying your cybersecurity stance and adhering to industry best practices.
• ISO/IEC 27001: R3 ensures your alignment with this globally recognized standard, establishing an information security management system that safeguards your data.
• SOC 2 Type 2: R3 helps you meet the rigorous requirements for safeguarding customer data, establishing trust in your data privacy controls.
• Other Standards: Additionally, we can tailor both our non-technical and technical service offerings to other standards and implement integrated systems based on each organization’s unique compliance requirements, including but not limited to ISO 9001, ISO/IEC 20000-1, CMMI for Services and Development, HIPAA, PCI, and ITIL.
R3’s CaaS non-technical implementation service offering, when executed in conjunction with the technical control implementation service offering (Cybersecurity Compliance: CMMC/ISO Technical Control Implementation), captures the application of Microsoft products (as applicable) in the fulfillment of the technical framework requirements. These products may include:
• Microsoft Purview: This suite helps manage and monitor data, protect information, minimize compliance risks, and meet regulatory requirements.
• Microsoft Sentinel: Microsoft Sentinel is a cloud-native security information and event management (SIEM) solution that provides intelligent security analytics and threat intelligence across the enterprise. It helps organizations detect, investigate, and respond to security threats in real time by collecting and analyzing data from various sources, including users, applications, servers, and devices. Microsoft Sentinel leverages machine learning and artificial intelligence to enhance threat detection capabilities, automate responses, and streamline security operations, making it easier for security teams to manage and mitigate risks.
• Azure Government: R3 is an authorized reseller of Azure Government cloud solutions, which are used to migrate, develop, and manage government cloud environments.
• Microsoft 365: This includes tools like Microsoft Teams, SharePoint, and OneDrive, which help in maintaining compliance with various standards.
• Dynamics 365: Used for managing customer relationships and ensuring compliance in data handling.
• Power Platform: This includes Power BI, Power Apps, and Power Automate, which help in automating compliance processes and generating compliance reports.