SysArc, a leading provider of cybersecurity and compliance solutions for the Defense Industrial Base (DIB), has proudly announced that four of its clients—Mantech, FN America, Honeycomb Company of America (HCOA), and Hunatek—have successfully completed their CMMC DIBCAC High Assessments through the Joint Surveillance Voluntary Assessment (JSVA) Program, each receiving an SPRS score of 110.

In a period marked by heightened activity and productivity, SysArc has demonstrated its expertise and dedication to preparing clients for CMMC compliance. This achievement underscores SysArc’s commitment to providing tailored solutions and unwavering support to businesses aiming to protect sensitive information and meet stringent cybersecurity standards.

Mantech

SysArc collaborated with Mantech in the final stages of their assessment, providing expert CMMC Consulting Services. Mantech notably implemented a zero-trust architecture across its environment, a testament to their dedication to cybersecurity. SysArc’s team played a critical role in finalizing the SSP, Policies and providing critical evidence during the Assessment.

FN America

FN America, a U.S. subsidiary of FN Herstal, S.A., worked closely with SysArc over two years to ensure readiness for their assessment. Leveraging SysArc’s CMMC Program Management Consulting Services, FN America successfully navigated the complexities of compliance, as detailed in their case study.

Honeycomb Company of America

For Honeycomb Company of America (HCOA), SysArc developed a comprehensive CMMC Program from the ground up.  As a mature MSP/MSSP focused on the DIB, SysArc manages the IT infrastructure for HCOA and our Compliance and SecOps teams run their Security Program. With SysArc managing their IT infrastructure and running their Security Program, HCOA was well-prepared for the CMMC assessment.    

Hunatek

Similarly, Hunatek benefited from SysArc’s dedicated team of IT, Security, and CMMC experts, who provided a complete outsourced solution to achieve their compliance requirements.

SysArc’s work has earned them high praise within the industry. A Director of CMMC from Redspin, a leading C3PAO, commented, “You are doing a fantastic job, so keep it up. In fact, I think you may be the only RPO that has had more than one client pass JSVA. That is a big deal.”

SysArc’s success is further highlighted by their recent CMMC Mock Assessment for External Service Providers (ESP) conducted by an independent C3PAO, where zero gaps were identified, and a Plan of Actions & Milestones (POA&M) was not required.  SysArc currently has an SPRS score of 110 out of a possible 110 and SysArc’s ability to assist the DIB and/or bid on existing or new DoD contracts remains in place.

All of the hard work and these recent wins for our customers has proven SysArc’s ability to fully support many different sized organizations and approaches with customized solutions to fit their compliance and security requirements knowing that they will successfully achieve CMMC compliance when the time comes.

About SysArc

SysArc is a trusted cybersecurity and compliance partner for the DIB, offering customized solutions to meet the unique needs of each client. With a focus on protecting sensitive information and achieving industry certifications, SysArc delivers expert guidance and support to organizations of all sizes. For more information, visit sysarc.com and experience compliance for yourself.

 

Safeguarding lives on physical and cyber battlefields.

FN America, LLC, is a U.S. subsidiary of FN Herstal, S.A., a global leader in developing and manufacturing high-quality, reliable firearms for military, law enforcement, and commercial customers worldwide. True to its vision to be the firearm industry’s most innovative company, the company makes cybersecurity one of its main priorities. They have been at the forefront of the U.S. Department of Defense’s latest mission to protect America’s defense industrial base from foreign and domestic cyber breaches and attacks with the rollout of the Cybersecurity Maturity Model Certification (CMMC).

“Cyberattacks targeting systems and data throughout the world are constantly increasing in both volume and sophistication. Our purpose is to safeguard the lives of American service members and its allies, and we understand that this purpose extends to the cyber battlefield as well. Therefore, we strive to take the same innovative approach to cybersecurity as we do with our firearms.”

— Jason Britton, IT Director, FN America

The Challenge

In 2016, the Department of Defense (DoD) announced a new cybersecurity requirement for DoD suppliers—DFARS 252-204-7012. This requires all companies who provide products and services to the DoD to implement NIST 800-171 cybersecurity controls within their IT systems.  FN America promptly conducted a self-assessment to determine their compliance gaps and found issues they tried to correct themselves.

FN America’s IT leadership initially over complicated the process and implemented controls that were difficult to understand and implement. Like many other manufacturers, FN America’s shop floor also presented challenges and complexities to secure compared to development or service floors—sensitive information was often left exposed on unattended computers, and new procedures disrupted their productivity.

The Solution

When CMMC was first announced in 2019, FN America decided to rethink their approach to implementing NIST 800-171 in order to avoid their previous pitfalls of incorrectly interpreting the standard with the goal of becoming  one of the first companies to be CMMC certified. After a thorough search of the market for NIST 800-171/CMMC experts, they partnered with SysArc in early 2020 to provide CMMC Advisory Services including Program Management of their CMMC Project.  As a first step, SysArc provided a comprehensive NIST 800-171 gap assessment that identified FN America’s compliance gaps.  From there, SysArc assisted with the SSP, POAM items, Policies & Procedures and Assessment preparation.  

The Result

FN America’s early and consistent collaboration with the compliance experts at SysArc allowed them to secure their CMMC certification through the Joint Surveillance Voluntary Assessment Program (JSVAP), positioning them ahead of their competitors. Fewer than 100 companies worldwide have successfully navigated this process and achieved certification, making FN America a leader in their industry.

“FN America was successful in their compliance journey because they received a solid  commitment of support from their overseas parent company, FN Herstal, and they were diligent about working through all of the requirements, no matter how challenging.”

— Bernhard Bock, SysArc CISO and CMMC Program Manager

Since completing certification and starting their program with SysArc, FN America is not only compliant with their customers’ requirements, but are more secure and have reduced their risk of a serious breach. Through this process, they have become more committed to continuous improvement with an ongoing effort to maintain high-security standards and compliance moving forward. By improving the security of sensitive information, FN America can now better serve the war fighter and are doing their part to protect the DIB supply chain from bad actors.

Do you need help preparing for CMMC?

We’ve helped over 1,500 DoD contractors throughout the U.S. navigate the complexities of DFARS, NIST 800-171, and now CMMC. Through our many experiences, we’ve fine-tuned several solutions that enable our clients to prepare to achieve compliance faster and at a lower cost compared to other solutions that have been popping up in the market recently. If you need help preparing for CMMC, give us a call or request a consultation today.

As we recently reported, The Department of Defense (DoD) has outlined its four (4) phase approach for the inclusion of Cybersecurity Maturity Model Certification (CMMC) Program requirements in solicitations and contracts.

The first phase, which is expected to begin in the 1st quarter of 2025, will require all companies who engage with the DoD to include their CMMC Level 1 or Level 2 Self-Assessments. The DoD also states that they reserve the right to enforce these requirements before this date and/or require companies to complete a CMMC Level 2 Certification Assessment instead of a Self-Assessment. The Certification Assessment is an assessment conducted by CMMC enforcement officials themselves.

The bottomline is that companies will need to have completed an assessment, either by themselves or by a certified third-party, like SysArc, by Q1 of 2025 in order to be considered for contract awards.

Why You Should Act Now

Because the CMMC assessment and readiness process can take 12 to 18 months (depending on system complexity) to complete, it is crucial that DoD contractors act as soon as possible if they have not already started the process. Companies who have already prepared may have a significant competitive advantage in the contract award process.

How to Prepare

There are two routes companies can take to prepare:

1. Use In-House Resources: Companies with internal IT resources may be able to complete the CMMC Self Assessment themselves. The DoD has provided both CMMC Level 1 and Level 2 Self Assessment Guides that can aid in the process. Those can be found here.
2. Hire a CMMC RPO: For those companies who lack the time and resources, a CMMC Registered Provider Organization (RPO), like SysArc, can perform a readiness assessment or a mock assessment for you and guide you through the process of preparing for all phases of the CMMC rollout. If this option sounds best for your organization, request a consultation here.  

How We Can Help

As a CMMC RPO, SysArc has helped over 1,500 DoD contractors navigate the complexities of CMMC since 2017. We can conduct a CMMC readiness assessment or mock assessment and develop a roadmap for you to achieve CMMC certification so you can continue to do business with the DoD without delay. Our years of experience in supporting DoD contractor IT systems has made us a leader in the space, able to offer CMMC preparation faster and for less cost than other options on the market. Request a free consultation here.

The Department of Defense (DoD) has outlined its four (4) phase approach for the inclusion of Cybersecurity Maturity Model Certification (CMMC) Program requirements in solicitations and contracts. The first phase is expected to begin in the 1st quarter of 2025, after The Office of Information and Regulatory Affairs (OIRA) approval, and conclude with the fourth phase expected around September 2027.

Please note: These dates reflect our expectations based on the information provided by the DoD. Therefore, these dates may change. We will update our site as soon as new information becomes available.

Phase Timeline: 

• Phase 1 (1st quarter of 2025): Begins on the effective date of the CMMC revision to DFARS 252.204–7021
• Phase 2: Begins six months following the start date of Phase 1
• Phase 3: Begins one calendar year following the start date of Phase 2.
• Phase 4: Full Implementation. Begins one calendar year following the start date of Phase 3.

Each Phase In Detail:

Phase 1 (1st Quarter of 2025):

The DoD plans to incorporate either CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment as a prerequisite for contract award in all relevant DoD solicitations and contracts. Additionally, DoD reserves the right, at its discretion, to include CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment as a condition for exercising an option period on contracts awarded before the effective date. Furthermore, DoD may choose, at its discretion, to replace CMMC Level 2 Self-Assessment with CMMC Level 2 Certification Assessment in applicable DoD solicitations and contracts.

Phase 2 (6 Months After Start of Phase 1):

In addition to the Phase 1 requirements, the DoD plans to incorporate CMMC Level 2 Certification Assessment for all relevant DoD solicitations and contracts, making it a prerequisite for contract award. DoD retains the discretion to defer the inclusion of CMMC Level 2 Certification Assessment to an option period instead of making it a condition for contract award. Moreover, DoD may, at its discretion, introduce CMMC Level 3 Certification Assessment for applicable DoD solicitations and contracts.

Phase 3 (1 Year After Start of Phase 2):

Building upon Phase 1 and 2 prerequisites, the Department of Defense (DoD) aims to mandate CMMC Level 2 Certification Assessment for all relevant DoD solicitations and contracts, both as a requirement for contract award and for the exercise of an option period on contracts awarded before the effective date. Additionally, DoD plans to enforce CMMC Level 3 Certification Assessment for all applicable DoD solicitations and contracts as a prerequisite for contract award. However, DoD reserves the right, at its discretion, to postpone the inclusion of CMMC Level 3 Certification Assessment to an option period rather than making it a condition for contract award.

Phase 4 (1 Year After Start of Phase 3):

This phase is full implementation. As such, the DoD will incorporate CMMC Program requirements into all relevant DoD solicitations and contracts, encompassing option periods for contracts awarded before the commencement of Phase 4.

Get a CMMC Readiness Assessment and Prepare Today

Many DoD contractors lack the resources to conduct their own assessment to effectively prepare for CMMC. That’s why many choose to outsource the task to a qualified CMMC consultant like SysArc. We can conduct a CMMC readiness assessment or mock assessment and develop a roadmap for you to achieve CMMC certification so you can continue to do business with the DoD. SysArc has helped over 1,500 DoD contractors navigate the complexities of CMMC and would love to help you. Request a free consultation here.

According to a Washington Technology article, the White House’s Office of Information and Regulatory Affairs’s (OIRA) agenda says that the Department of Defense (DoD) expects to release its final proposed rules on CMMC in June 2023. Since these rules will be open to the public for comment, we will likely see CMMC operational in 2024. 

With that said, the time to prepare is now.

How to Get Prepared:

The following options are available for DIB suppliers:

1. Meet requirements in-house: DoD contractors or suppliers who have the resources and IT staff available can meet the appropriate CMMC level of cybersecurity in-house. Internal IT departments can use the “Self Assessment Handbook – NIST Handbook 162” provided by the National Institute of Standards and Technology (NIST). This handbook was created by NIST with the intention of assisting U.S. DoD contractors who provide products and services for the Department of Defense. Unfortunately, this handbook only covers NIST SP 800-171 Rev. 1 and there is currently not a Self Assessment Handbook for NIST SP 800-171 Rev. 2. NIST has also made available a System Security Plan (SSP) template, and a template — two required documents for compliance.
2. Get assistance from a CMMC RPO: If the contractor does not have the in-house expertise to meet the requirements of NIST SP 800-171, DoD contractors have the option of working with  a third-party CMMC consultant, like SysArc, who offers CMMC compliance services. There are many qualified and experienced Managed Security Service Providers (MSSP) in the U.S. who specialize in compliance services and monitored cyber security for DoD contractors who need to implement NIST cybersecurity controls. A qualified MSSP will be able to perform this assessment and perform any remediation work necessary to pass a CMMC Audit. Look for MSSPs who have obtained CMMC RPO status AND have qualified and experienced CMMC experts on staff.  An updated list of verified RPOs by the CMMC Accreditation Body can be found here.

For more information on SysArc’s solutions for CMMC compliance, consider requesting a consultation here. Our team is happy to learn about your business and walk you through our process and associated costs to prepare for CMMC.

In a recent interview between Robert Metzger and GovExec360 president Troy Schneider, Metzger urged DoD contractors to not wait for a final rule to come out on CMMC to start meeting compliance requirements — a stance that SysArc has taken for the last several years.  

Metzger is considered to be the ‘father’ of the Cybersecurity Maturity Model Certification (CMMC) due to the fact that he co-authored the “Deliver Uncompromised”, a report from Mitre, a nonprofit research firm behind many of the principles of CMMC. 

When asked about the date he would expect CMMC requirements to show up in contracts, Metzger said, “It doesn’t really matter. The smart move is to protect yourself. Now. Not because you have to comply but because you want your enterprise to stay in business. Don’t let yourself think that it matters what day you happen to get a request for information or request for proposals that requires an assessment. Be secure beforehand for the sake of your employees, your lenders, your clients, your customers, your investors. And then also your regulator.”

Many DoD contractors say they find CMMC to be too difficult, expensive, and complex to implement. This sentiment has led many contractors to shy away from implementing the very important requirements. In response to this, Metzger said, “We cannot decide that security is unimportant for small businesses. We cannot give them a waiver. But we must facilitate a means by which small businesses can accomplish security economically. That takes us away from on premise measures and towards external service providers. But we haven’t yet established a means by which a smaller company can look at a managed service provider, a managed security as a service provider, or some other external resource and say — “If I do my part and they do their part, then I’m going to accomplish some percentage of the CMMC requirements. We need that.”

What many small and mid-size businesses might not be aware of is that the market has been rapidly developing solutions for businesses to meet requirements already for the last several years. SysArc, for example, has been at the forefront of implementing cybersecurity requirements for our DoD contractor customers since 2017 when DFARS first became law. Since then we’ve been able to refine our offerings and considerably reduce the time and expense required to secure contractor information systems and get them properly prepared for CMMC — whenever the final rule is made. 

For more information on SysArc’s economical solutions for CMMC compliance, consider requesting a consultation here. Our team is happy to learn about your business and walk you through our process and associated costs to prepare for CMMC.

Since the beginning of the rollout of the Defense Federal Acquisition Regulation Supplement (DFARS) and now the Cybersecurity Maturity Model Certification (CMMC), much of the emphasis on the necessity of these programs has been on protecting national security. Also, the top down enforcement of these programs has led many DIB suppliers to focus less on the benefits of implementing cybersecurity controls within their organizations, and more on simply trying to “follow the law” so that they can continue to win government contracts — what many of these suppliers depend on to survive.

This article will cover two underemphasized benefits of DFARS and CMMC for DIB suppliers:

1. Protection from ransomware, data loss, downtime and liability
2. Ability to qualify for cyber insurance

Protection From Ransomware, Data Loss, Downtime and Liability

While protecting national security should be a priority for all DIB suppliers to embrace, additional emphasis might be placed on the fact that the cybersecurity controls in NIST 800-171 will help businesses protect themselves against ransomware, data loss and operational downtime — something that every business (even those outside of the defense supply chain) should be concerned about.

• Ransomware: This is when hackers infiltrate an DIB supplier’s computer systems. Once inside, they can lock out all authorized members of the organization from gaining access to data required to keep the business operational. They’ll then demand a ransom in exchange for the keys to unlock the data.
• Data Loss: Even if the ransom is paid, there’s no guarantee that an organization’s data will be fully or partially restored.
• Downtime: Even if organizations have backed up their data in a location that was not infiltrated by hackers, the process of restoring data and getting computer systems back online can be a substantial amount of time leading to financial and reputation losses.
• Liability: DIB suppliers can be held liable for the damages stemming from the theft of third-party data.

Ability to Qualify for Cyber Insurance

In the past two years, cyber insurance underwriters have significantly stepped up their requirements to ensure organizations have a certain level of cybersecurity solutions in place before they can qualify for cybersecurity insurance. Implementing NIST 800-171 controls will more easily enable DIB suppliers to qualify for cyber insurance and at a potentially lower rate due to their cyber risk being decreased.

Why would DIB suppliers need cyber insurance? While having cybersecurity controls in place substantially reduces the risk of cyber criminals wreaking havoc on a business, it does not 100% guarantee that a cyber breach will not occur. People within organizations make mistakes or can be malicious. Having cyber insurance can help organizations recover from the financial loss when all else fails.

Next Steps…

If your organization offers products and services to the DoD, then implementing NIST 800-171 is on your list of to dos. For organizations that would like to pursue implementation themselves, read our guide to CMMC compliance. If you lack the resources to implement controls yourself, consider outsourcing the task to a CMMC consultant, like SysArc. We’ve consulted with over 1,000 DIB suppliers on complying with DFARS and helping them get prepared for CMMC.

For those that want the key pieces of information of this article up front, here’s the key takeaways:

1. Expect an interim rule by March 2023
2. Expect CMMC requirements in DoD contracts in May 2023
3. All DIB suppliers who handle CUI (both non-prioritized or prioritized) will need to implement NIST 800-171 controls

Keep in mind that the dates above are not official and are only estimates based on the information we’ve been able to gather at the moment. For more context, please keep reading.

Where We’re At Now

CMMC requirements are currently within the federal rulemaking process for the Code of Federal Regulations (CFR) and Defense Federal Acquisition Supplement (DFARS). These two processes are required before CMMC requirements can be implemented.

Where We’re Going

According to a FedScoop article, Stacy Bostjanick, the Pentagon’s director of CMMC policy said, “We’re hoping by March of 2023, they will give us an interim rule. Now that’s not guaranteed. They could come back and say, ‘No, we don’t see the urgency of this meeting to be an interim rule and you will not be allowed to implement until you go through final rule.’” If an interim rule decision is made, there will be a 60-day public comment period, but the DoD would be able to implement CMMC requirements in contracts by May 2023, Bostjanick said.

Prioritized CUI and Non-Prioritized CUI

Though not explicitly referenced in the official CMMC 2.0 documentation, Bostjanick shared some insights regarding prioritized and non-prioritized controlled unclassified information, or CUI.

“For those companies that would handle non-prioritized CUI, the thinking is that they could merely do a self-assessment, an annual affirmation that they meet the requirements of the NIST 800-171 to handle the non-prioritized CUI. From our analysis, the non-prioritized CUI is going to be a smaller subset of the CUI that we deal with,” she said.

“Since companies don’t ever normally just do one contract with the DOD, they bid on multiple contracts, eventually, anybody who handles CUI and bids on more than one contract will most likely have to have a third-party assessment, because it’s only ever going to take one contract that you bid on that requires that third-party assessment to drive you to that level,” she added.

While definitions are currently being worked on, our understanding is that non-prioritized CUI is information that wouldn’t present much of an issue if it fell into the wrong hands. Prioritized CUI, rather, is sensitive information that if leaked, could present a national security risk or cause a loss of defense capabilities and/or competitive advantage.

Why All DIB Suppliers Need to Make CMMC Preparations Now

If they haven’t already, all businesses that provide products and services to the defense supply chain should not delay any further in their preparation to meet the requirements of CMMC regardless of whether they think they will have prioritized or non-prioritized CUI.

In light of the information that Bostjanick shared, SysArc CEO offers advice for DIB suppliers who are navigating CMMC. “The problem is that no DIB supplier is going to know ahead of time whether the contract they’re bidding on will have prioritized or non-prioritized CUI. Therefore it’s important that every contractor treats all contracts as if they will be dealing with prioritized CUI. Otherwise, they might find themselves potentially less likely to take CMMC preparation seriously and leave them unprepared for a third-party audit,” said Tim Brennan, CEO of SysArc.

“At the end of the day, the concern for businesses shouldn’t be whether they will deal with prioritized and non-prioritized CUI. That’s because all businesses who handle CUI, regardless of prioritized or non-prioritize, are required by law to have NIST 800-171 controls in place. The only question then is whether they will be required to pass a third-party assessment or only need to self-attest compliance. Ultimately it’s up to each company how much risk they want to take on,” he added.

Need Help Preparing for CMMC?

We’ve helped over 1,000 DoD suppliers and their primes navigate the complexities of DFARS, NIST 800-171, and CMMC. If you’re concerned about your company’s ability to prepare, feel free to give us a call or request a consultation. We’re happy to walk you through our process for getting companies like yours CMMC compliant faster and for less cost than other solutions on the market.

Reference:

Pentagon updates timeline for CMMC cybersecurity initiative