Opening up new opportunities with CUI and CMMC guidance and NIST framework alignment
Snapshot
Companies that handle U.S. government Controlled Unclassified Information (CUI) are required to safeguard it according to certain regulations and clauses. Grasping the scope of these requirements can be a challenge, and companies seeking to work with CUI often reach out to consultants for guidance. Â
A Seattle-based research and product development firm specializing in high-tech electronics identified new opportunities that would require alignment with U.S. government standards for handling CUI. Some of these could potentially require Cybersecurity Maturity Model Certification (CMMC). Kalles Group helped the company develop a practical, strategic roadmap for security compliance. Â
Challenge
A quick breakdown of CUI, CMMC, and NIST 800-171 — and how demonstrating compliance boosts businessÂ
The protection of CUI has been a growing concern within the U.S. Defense Industrial Base (DIB), sparking an effort to implement a unified set of cybersecurity recommendations to deal with sensitive information. These recommendations rely on National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), which includes 110 specific controls that are grouped into 14 families. CMMC is a certification program that measures against these controls.  Â
Here are a few risk management-related definitions that businesses working with the U.S. government must understand:Â
- Controlled Unclassified Information (CUI) refers to unclassified information that must be protected from unauthorized disclosure while remaining available to anyone who has a legitimate need to use it. This could be a contractor, grantee, or another outside entity. Â
- Cybersecurity Maturity Model Certification (CMMC) is mandatory for all DIB contractors and subcontractors, and it involves meeting 17 Federal Contract Information (FCI) controls plus an additional 93 cybersecurity requirements for CUI. Â
- NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” is a Special Publication formulated to minimize the risk of unauthorized access and disclosure of CUI that has been shared with state and local governments, private sector organizations, and other nonfederal entities.Â
 For any private company in a position to win lucrative Department of Defense (DoD) contracts, the advantages of getting CMMC certified are obvious. However, even businesses that do not interact with the DIB stand to benefit from the increased credibility and marketability that proven compliance can bestow. Organizations that improve their cybersecurity practices by identifying strengths and remedying weaknesses are more likely to have efficient and future-proof operations. Â
A tailored approach to cybersecurity requirements in alignment with an innovative company’s needsÂ
The client’s electronics systems incorporate cutting-edge technology that requires rock-solid IT systems to fully support the innovation and build process. Layering on modern cybersecurity requirements to meet U.S. Government standards necessitated a pragmatic and thoughtful approach that matched the company’s operational pace. Â
Kalles Group also needed to make sure that the resulting roadmap would align with the client’s commercial and government compliance requirements over time. As a growing company in a growing field, they wanted to lay the groundwork for compliance while maintaining an ability to rapidly scale up their operations without draining resources from growth initiatives. Â
Approach
Assembling a team and filling consultant roles to provide “control-by-control” planningÂ
The CMMC alignment project required Kalles Group to assemble a team with broad experience in risk management and specific exposure to U.S. Government regulatory enforcement. This team provided the core advisory block. Additionally, Kalles Group layered in some senior consultants in cyber assessments and cybersecurity engineering to provide the deep technical knowledge necessary for “control-by-control” planning.  Â
Finally, the KG team included a seasoned program manager to coordinate weekly activities and structure delivery. With this team of experts, which had a flexible structure to bring necessary resources into the project as needed, Kalles Group was ready to provide tactical and strategic guidance to build a compliance roadmap. Â
Â
Constructing a cybersecurity compliance roadmap with immediate, practical first stepsÂ
Over the next 18 months, Kalles Group built out a strategic roadmap for cybersecurity that included practical steps that the client could take immediately. These were combined with “strategic levers” that would be pulled as opportunities converted into commitments with their customers. This roadmap advanced NIST framework alignment towards CMMC Level 1 compliance, which included mini-projects to strengthen the security capabilities of IT systems and enhance staff education and training.   Â
Upon completion of the first building blocks of NIST 800-171 alignment, an assessor analyzed existing controls and produced a preliminary Supplier Performance Risk System (SPRS) score. Progress was then marked with the re-evaluation of the SPRS score and a self-assessment for CMMC Level 1.Â
Results
Clear visibility into CMMC certification readiness just in time for new opportunitiesÂ
When the project wrapped up in 2023, the research and project development firm enjoyed much better visibility into their readiness to move forward with further CMMC alignment and certification. New opportunities were converting into engagements at this time, making the roadmap for certification preparation a vital component of winning new customers. Â
The roadmap is also ideal for the company’s growth trajectory, allowing them to pause and preserve CMMC readiness while waiting for key growth markers to hit. This puts the company in a solid position to scale up operations as their industry and market opportunities expand in the future. Â