3Comply, LLC

Comply Simply – this is our motto. The founders of 3Comply each spent over 13 years designing, implementing, maintaining, and monitoring complex compliance regimes for heavily regulated industries that flowed their requirements down to us, as a Managed Service Provider, through our contracts. As a result, we learned firsthand what is involved in assessments, in implementing complex control frameworks, in developing and maintaining policies and procedures, and above all, in training, training, and more training! Consequently, it became very clear that to be successful you need a method that is complete but simple, or people just can't follow it correctly. Thus our motto was formed when we began our consulting firm in 2018, which is focused on small to medium-sized companies with limited compliance resources.

Having spent our time since founding 3Comply in 2018 working with multiple companies in the DIB supply chain, we are very proficient in the requirements for CMMC and in developing the requisite policies, procedures, monitoring, and assessments so that a small to mid-sized firm can maintain the program while focusing on its products and services. This is what makes us stand out from the rest.

How mature your current cybersecurity program is (from really not much to fully functioning) determines the services you may need. If your program is fairly mature, we can conduct a pre-assessment to identify any areas needing more work, or that could be simplified, and give the “all clear” to the senior officials who will sign the self-attestation that the program is ready to go. Or, if you are striving for Level 2 certification, the pre-assessment results get you ready for the actual assessment. Our goal is to ensure you have few or no POAM items so that you are successful the first time.

On the other end of the spectrum, you may need to start with writing policies and procedures that reflect your operation and how the controls integrate into your environment. There is not much point in using generic procedures that do not reflect your actual operating environment, because when it comes time for assessment, your procedures will not match what people are actually doing. This is an unnecessary risk and complication that will cost more overall than developing policies and procedures that match your operation.

Examples of our services include:

  • Define the Security Boundary designed to protect FCI and/or CUI
  • Conduct Security Risk Assessments
  • Perform Business Impact Analysis specifically around threats and vulnerabilities
  • Populate a Plan of Actions and Milestones (POAM) with strategies to close out the items
  • Development of System Security and Privacy Plan (SSP or SSPP following NIST 800-53 Rev 5)
  • Security Incident Response Plan and Procedures
  • Contingency, Business Continuity, Disaster Recovery Plans as germane to your business
  • Security Policy and Procedure development and implementation assistance
  • Role based training program developed, implemented, and tracked
  • Provision of Periodic Assessments / Monitoring
  • Audit preparation and guidance
  • Audit support and management
  • Post Audit - POAM Management
  • Updating documentation based on results (as required)