Certifications & Assessments
i3 Implementation Benefits
- Specialize in ISO and CMMI implementations for IT, Cyber, Engineering, and Services contractors.
- Support for ISO 9000, 20000, and 27000
- Support CMMI for Development and Services Models
- Assessments and Recovery Services for NIST 800-53 & 800-171.
- Approach focuses on value added process development and integration
- Remote Support to Full On-site Implementation Option
Quality and Security are paramount to delivering industry-leading products and services. i3 Design and Consulting LLC has over 17 years’ experience supporting public and commercial organizations to achieve their certification, maturity rating, and IT Security goals. Customers include Crystal Clear Technologies, Dynamic Software Solutions, L-3 Communications, American Cyber, U.S. Army, Okaloosa County Schools, Florida, Maryland Department of Transportation, and Montgomery County, Maryland. More importantly, we help organizations put in value-added processes and business discipline that measurably improve their top and bottom lines. Our customers are our testament. Make an appointment to chat and check out the experiences of our customers.
U.S. Government Contractor Specialization
ISO and CMMI are designed to support any business or organization. While this facilitates the broad use of the frameworks, it often results in sub-optimal implementation results. i3 specializes in working with contractors that deliver IT, cyber, engineering, and (staff) services to the U.S. Government. Operating successfully in the government contracting arena requires specialized knowledge of government requirements, laws, and expectations. It also requires a deep content understanding of the types of products and services delivered by the contractor and the methods by which those products and services are developed, acquired, and delivered.
Solutions for (Staffing) Services Contractors
Nearly every U.S. Government IDIQ or GWAC vehicle requires or provides procurement advantages for firms with ISO certifications and CMMI ratings. Most prime contractors pass those requirements to their subcontractors through contract flow-down clauses. However, implementation of the ISO standards and achievement of an appropriate CMMI rating is challenging for companies providing staffing resources to the federal government because the standards are not written in a way that easily accommodates these types of businesses. i3 has custom solutions built specifically to achieve the required certifications and ratings for resource staffing services firms. Moreover, our solutions have proven to improve business performance by lowering operational costs, raising customer acceptance rates for candidates, and significantly improving customer satisfaction. We do not just provide you a path to certification; we improve your business. Our solutions focus on using the ISO standards and CMMI models to achieve business transformations that improve revenue, quality and margin. Utilizing our product accelerators, we achieve these results with a 75% cost and timeline reduction from standard implementations.
Engineering and Development Solutions
Over the past five years, increasing numbers of software engineering and development projects have moved from the traditional waterfall and spiral development methods to agile and scrum. Integrating agile development with government CMMI requirements is not a straightforward endeavor. i3 is experienced in developing agile SDLCs that map to the CMMI for Development Level 3 requirements. If you have an existing agile SDLC, we can customize and integrate your existing solution to meet the model requirements. Our solutions embrace the spirit of agile and significantly streamline and consolidate the documentation and artifact requirements of the CMMI model. This approach means that the CMMI requirements are simply built into your agile implementation and do not create additional work outside of your development processes. Our consultants will work with your team to create solutions that work with industry-leading agile development tools, such as Jira, Version One, and Microsoft TFS & VSO.
IT and Cyber Solutions
i3 has extensive experience implementing ISO 20000 (IT Service Management) and 27000 (Information Security Management) solutions. We utilize our ITSM, ISO 20000, and ISO 27000 accelerators to jump-start your implementation. Using this approach, we are typically able to reduce the costs and implementation timeframes for ISO 20000 and ISO 27000 by nearly 75%. Our solutions are platform independent. However, as a certified ServiceNow Services Implementation partner, we have pre-built forms and extensions for the platform that can further reduce cost and improve the overall effectiveness of your implementation. Our consultants leverage the NIST Risk Management Framework for our government ISO 27000 implementations. This approach ensures consistency with current and future government cyber security requirements. Moreover, we leverage the controls compatibility between ISO 27000 and NIST 800-53 to ensure you are positioned for future work in this critical area.
i3 provides a range of consulting support for the following ISO standards:
- ISO 9000:2015 & 9000:2008
- ISO 20000
- ISO 27000
Our goal is to help your organization improve its business AND ensure you receive your certification. Our approach focuses on improving your current business processes and functions while using the standards as checkpoints to validate your success. For each project we identify measurable goals and return on investment expectations. The intent is to make sure that any process changes brought forth by the introduction of the standards into your environment improve the business performance.
Planning for ISO Certification
At i3 Design and Consulting we specialize in helping organizations achieve their process improvement goals in record times. Most implementations do not need to take 9-12 months to implement, but they need more than a month. If you are an organization that requires an ISO implementation, you should be planning no less than three months in advance and if possible begin your implementation 4-6 months ahead of your deadlines. The driving factors in scoping the timing include:
- Type of Certification
  - ISO 9000 is the quickest and easiest to achieve. Putting the system in place can often take as little as 3-4 weeks (depending on size and complexity), but you will need some objective evidence that the system is operating as intended. For simple systems, this can be as little as 2-3 months. Other more complex systems will require more time to instantiate and prove use.
  - ISO 20000 and 27000 can typically be achieved within 3-5 months with a qualified consultant and dependent on the size and complexity of the organization.
- Scheduling Auditors. Qualified auditors can be a scarcity depending on the standard. There are firms that will promise an ISO 9000 (or other) certification but are not qualified registrars. For certification to be considered legitimate (especially for government proposals), you need to make sure the entity is approved by the ANSI-ASQ National Accreditation Board (ANAB).
  - ISO 9000 external auditors are the easiest to find and schedule. Scheduling is done through the qualified registrars. ISO uses a two-stage audit process with an on-site readiness review followed by the certification audit. There generally needs to be at least 30 days between these events. At a minimum, you should have your auditor under contract 60 days from the certification audit date.
  - ISO 20000/27000 use the same two-step audit process as ISO 9000. However, due to the scarcity of qualified ISO 20000/27000 auditors, you should minimally plan to have your auditor under contract at least 90 days from the certification audit date.
- Registrar and CMMI Institute Quality Review. Once the audit is complete, the results must be validated by the ISO registrar before the organization officially can claim its qualification. You should plan for 2-3 weeks for these reviews although they often are completed faster.
i3 provides system and process design, implementation, quality assurance, and appraisal team support for CMMI for Development and CMMI for Services. Many organizations, especially those new to CMMI, begin by aligning their internal processes to the CMMI process areas. The result is an inefficient system that forces the business to do unnecessary and resource-consuming tasks. CMMI is not a set of requirements; it's a model containing practices that can be met in a multitude of ways. Often organizations are already executing many of the practices, but either they are not recognizing it (because it's called something different) or it's simply not documented. Our approach focuses on leveraging all the things that make your business successful and that you already do regularly, and builds on them to help you achieve your desired maturity rating. In some cases, you may have missing processes or process documentation; other times you may just need to wrap measures around a particular function to focus and improve performance. In the end, we help you build, implement, and measure a robust and efficient set of business and technical processes that are uniquely you, but can be mapped during the appraisal process to meet the expectations of CMMI.
i3 Design and Consulting utilizes a proven 5-phase streamlined development approach to support your project:
- Phase 1- Understand the Environment and Plan for Success. Key deliverables include: Project plan and Gap Assessment
- Phase 2- Implement Process, Plan, and Tooling Infrastructure. Key deliverables include: System Framework, Process Assets, Process Support Tools, Risks and Mitigations
- Phase 3- Training, Execution, and Monitoring. Key deliverables include: Trained Staff, Process Artifacts, Business and Process Performance Measures, Risks and Mitigations
- Phase 4- Internal Audit and Recovery. Key deliverables include: Internal Audit Results, Practice Implementation Indicator Descriptions, System Improvements
- Phase 5- Improvement and Assessment. Key deliverables include: External Appraisal Team Support, System and Process Performance Improvements
i3 does not serve as the consultant AND appraiser for SCAMPI A or B appraisals. We are on board to support your organization, and conducting an appraisal on work we helped design represents (to us) a conflict of interest. However, i3 can recommend high-quality approved CMMI appraisers with a proven track record for exceptional support.
Planning for a CMMI appraisal
At i3 Design and Consulting we specialize in helping organizations achieve their process improvement goals in record times. Most implementations do not need to take 9-12 months to implement, but they need more than a month. If you are an organization that requires a CMMI appraisal, you should be planning to begin your implementation 4-6 months ahead of your deadlines. The driving factors in scoping the timing include:
- Type of Required Appraisal.
  - CMMI for Development and Services (Level 3 or higher) are longer implementations because there are simply more requirements to implement and your organization is going to have to generate the appropriate data artifacts to satisfy the appraisal requirements. For planning purposes, you should allow 4-6 months for a CMMI implementation. More complex implementations will add to that estimate.
- Scheduling Auditors and Appraisers. CMMI uses independent appraisers to provide recommendations for a staged or capability-based rating. It is not uncommon for the schedules of the better and more experienced appraisers to fill up 6-9 months in advance. Finding an appropriate appraiser should be one of the first steps in your implementation plan. Otherwise, it will quickly become the key dependency on your critical path.
- CMMI Institute Quality Review. Once the audit or appraisal is complete, the results must be validated by the CMMI Institute before the organization officially can claim its qualification. In particular, the CMMI Institute has strict rules around public release of declarations before final review approval that could result in invalidating your results and having to redo the appraisal process. You should plan for 2-3 weeks for these reviews although they often are completed faster.
ISO & CMMI Consulting and Support Options
We know that companies, capabilities, and budgets vary. As such, we've created multiple consulting options based on our experiences from working with customers of all shapes, sizes, and situations. Picking the right engagement strategy is often as important as the engagement itself. Make an appointment to talk with us about choosing the best option for your company. If you have already determined your path forward, you can purchase the Pay-As-You-Go option directly on this site and have access to resources today.
FISMA-based Security Assessments
Information security (and specifically cybersecurity) continues to grow in importance. With the continued and increasing threat to critical infrastructure, the requirements for improved security for government contractors have also increased. Over the past five years, U.S. Government contractors have seen additional requirements for certified systems that can meet the requirements of the NIST Cybersecurity Framework (CSF).
Originally, the CSF was intended for U.S. companies that are considered part of U.S. critical infrastructure (e.g., communication, information technology, defense industrial base, etc.). Many companies, especially service companies, have had limited interaction with CSF because they did not operate systems requiring independent NIST SP 800-53 based FISMA or FedRAMP accreditations. With high-profile cyber incidents on the rise, requirements for implementation of the CSF are becoming more frequent for government contractors.
On December 30, 2015, DoD amended both DFARS 252.204.7008 (Compliance with Safeguarding and Covered Defense Information Controls) and DFARS 252.204.7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), giving contractors until December 31, 2017, to fully implement all NIST SP 800-171 requirements on the covered contractor information system. Notwithstanding the 12/31/2017 phase-in period, contractors must notify DoD within 30 days after contract award “of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award”. NIST SP 800-171 organizes requirements into 14 families, with each family containing basic security requirements derived from both NIST SP 800-53 and FIPS 200.
i3 supports the assessment of your security controls utilizing the 800-53 or 800-171 standards, as applicable. We conduct organizational risk assessments using the NIST 800-37 Risk Management Framework and appropriately classify information systems using FIPS 199 and NIST 800-60. We categorize security controls using FIPS 200 and conduct assessments of security controls using NIST 800-53 or 800-171. Based on the results of the assessment, i3 develops fully compliant policies and procedures to support FISMA compliance and meet government security compliance documentation requirements. We support the recovery of any findings by utilizing the Plan of Action and Milestones (POA&M) process. For a full assessment and recovery project, we follow the 6-step process summarized in our 'i3 FISMA Security Assessment and Recovery Roadmap'.