Subcontractor Of A Government Agency Needing NIST 800-171 & CMMC Compliance

The Client


The client is a managed service provider specializing in support for government contractor clients. The client began an internal project to achieve compliance with Cybersecurity Maturity Model Certification (CMMC).


CMMC is a new US Department of Defense (DoD) standard for handling Controlled Unclassified Information (CUI).


A key challenge for the company was the absence of a road map. Very few enterprises in this domain were trying to achieve CMMC compliance, and finding anyone willing to share information was tough. Support from vendors supplying the relevant security and data management services was also limited. The company was keen to understand how its existing technologies could be fitted to the new compliance regulations.


The client implemented a phased project to evaluate internal and external applications and discover the best ways to address the gaps. They want to complete the remaining requirements as quickly as possible, both to improve internal security and to educate their staff about handling sensitive information.


The Compliance Components


The client gained substantial knowledge through its support for the DoD alongside the prime contractors. As a subcontractor operating as a managed security services provider (MSSP), it currently supports compliance to specific levels. It provides clients with initial assessments and remediation efforts, and also offers ongoing support and maintenance services.


The CMMC Framework


The CMMC was designed to work as a consolidated cybersecurity standard. The aim was to ensure that DoD contractors would have the required levels of control to protect CUI and other sensitive data. The CMMC structure combines methods and best practices drawn from various existing cybersecurity frameworks and contexts.

The Challenges


There were two major challenges that the client faced.


  1. It needed to fulfill prime contracts to support the mission of its customers serving the DoD.

  2. If a prime contractor looks to subcontract MSSP or MSP services to the client, the client must hold the same level of certification.

The client had already achieved compliance with NIST 800-171 and was working toward complete CMMC compliance. The internal team started creating its own road map in the absence of any reference points or resources.


The client also needed a definitive mobile strategy. Developing a mobile device management plan and the associated policies was also indispensable.


Staff retraining was also becoming a major hurdle. Changes were required in the methods for processing data and information, and a shift in mindset was imperative for staff.

The Solution


We began with an internal gap analysis. The client wanted to know how close they were to meeting the minimum CMMC requirements. The analysis covered information access, the current capabilities of the information system, security controls, data storage, and incident response planning. The aim was to identify the shortfalls that would require the appropriate changes to meet the full set of CMMC requirements.


Some employees did not appreciate the gravity of the business's operations and the critical nature of the services it provides. We held a review session with the staff working on these projects so that they understood what might constitute CUI.


We arranged training for all staff so they understood the changes and their immediate and long-term impact. CMMC includes security awareness training within its controls, and the training covered aspects such as reporting incidents and handling issues quickly.

Key Compliance Benefits


While the client is still in the early stages of the CMMC rule, they can already see concrete benefits. As a consequence of the steps taken to achieve basic compliance, they could balance the costs.


The most significant benefit in the path to achieving CMMC compliance is mitigating the risk of data breaches from both external and internal sources.


The ultimate purpose of CMMC is the protection of data, because a breach of the data or network of any government contractor or subcontractor can have direct consequences for military and government personnel.


We convinced the client that CMMC compliance comes with an unavoidable cost, as compliance will be mandatory. Despite the financial and operational hassles along the way, our client has now gained the ability to support its associates at a deeper level.


CMMC compliance will also help our client achieve compliance with many other regulations.

Our client can now enjoy a competitive advantage and a front-of-the-line position for new DoD contracts.



"CMMC compliance makes it easy for us to bid for contracts that would have been impossible to obtain under the existing regulations. As DoD contracts typically run for five years, we can enjoy five years of recurring revenue with little competition in sight. We are delighted with the support provided by Cascade right through the complex and time-consuming process of attaining CMMC compliance."


  © 2022 CASCADE SUPPORT · COPYRIGHT