General Technical Services, LLC Overcomes the CMMC Challenge with NJMEP Expertise and Support
Background
General Technical Services, LLC (GTS) provides technical, management, and administrative support to US Government agencies, universities, and industry partners. Their staff of scientists and engineers have an incredible breadth of knowledge and experience to support the development of advanced RF technologies and sensors, advanced electro-optical technologies, directed energy weaponry, electronic materials and devices, and power sources. With a track record of success, they support clients through complex R&D program management, providing engineers, scientists and technical staff to DoD laboratories and technical centers, which helps ensure the US remains a technical leader. GTS leadership is not only innovative but incredibly proactive. Since they work closely with the Department of Defense, they continuously monitor the latest policies and regulations to ensure they remain compliant and provide the highest level of service. Cybersecurity policies and regulations have now taken a very high-profile role for companies under contract or seeking to do business with the Federal Government.
Challenge
Contract clauses and regulations are flowing down from the DoD that will impact every organization that handles Controlled Unclassified Information (CUI) on their contracts. Businesses that handle CUI will need to comply with the Cybersecurity Maturity Model Certification (CMMC) to qualify for DoD contracts as well as retain their current contracts. GTS is a New Jersey business that is required to abide by CMMC regulations. Ensuring a facility is compliant with the correct CMMC control level requires a significant effort. The process requires a NIST 800-171 self-assessment, which results in a score that gets posted in the Supplier Performance Risk System (SPRS) database. Contracting officers can now check this database prior to contract award or exercising an option year to ensure the self-assessment is complete, a score is posted, and a plan of action and milestones is available to close any gaps found in the self-assessment. It doesn’t stop with the self-assessment. Contract Requests for Proposal will soon require CMMC compliance to be considered for award. The CMMC level will depend on the contract and type of work. Bringing an organization up to CMMC compliance is a big ask for a firm that isn’t in the cybersecurity business and really requires a credible, experienced partner to get there. The consultative support required to get a business in line with all the separate controls required at any CMMC level can be costly. Many service providers will also not offer the comprehensive consultative support required to ensure the client succeeds. Although GTS’ self-assessment resulted in a highly favorable score, they were facing the challenge of finding a partner to help close identified gaps and get positioned for a CMMC audit without overspending on this extraordinarily specific service.
Solutions
Knowing CMMC enforcement was upon them, GTS began shopping around in search of a partner that could provide the support they required at a reasonable price. During the search, they found plenty of businesses that said they could help, but the services they would provide were either incomplete or exorbitantly overpriced.
“I started searching for programs around the state and came across NJMEP. Once I made contact, I became educated about their relationship with NIST and the relationship they had with expert vendors; it was all the things we needed in addition to an incredibly fair rate!” Kurt Kovach, EVP of Strategy and Business Development, GTS, explained.
A CMMC project requires substantial commitment on the part of the service provider as well as the client. This journey required multiple steps to ensure GTS complied with the correct CMMC requirements.
The following steps were taken:
- Cybersecurity Assessment – Based on DFARS 252.204-7012 and the DoD-designed set of controls prescribed in NIST SP 800-171 Revision 2
- NIST SP 800-171 Rev. 2 Gap Analysis and cross-reference with CMMC V1.02 Levels 1-3
- Cybersecurity Monitoring and Detection Services – Monitoring and Detection Service based on the DFARS and DoD controls
- Cybersecurity Security Operations Center Service (SOC) – Providing outsourced monitoring and detection to include real-time visibility of data reflecting the state of risk to security posture, the network, endpoints, cloud devices, and specific applications.
Each of the above points requires dozens of individual steps to complete. CMMC is not an easy certification to achieve without the right support and partner. However, with the right team, a manufacturer will be guided through every individual requirement to ensure compliance and audit readiness are reached as quickly and efficiently as possible.
Results
GTS completed its CMMC requirements and has fulfilled the cybersecurity requirements to secure future contracts and have options on current contracts exercised. Through the support of NJMEP and their cybersecurity service provider, GTS was able to quickly and efficiently meet their contractual requirements and stands ready for inspection and audit. Without reaching the correct CMMC level, they could be at risk of losing business. The results below reflect the impact GTS experienced while engaging with NJMEP over the past 12 months:
- Retained Sales: Greater than $15,000,000
- Jobs Created: 1
- Employees Retained: 7
“NJMEP made this [CMMC compliance] as painless as it could be,” Kovach stated.