July 8, 2025
Overview of the Current State of CMMC
The Cybersecurity Maturity Model Certification (CMMC) is a framework designed to enhance the cybersecurity posture of companies working with the Department of Defense (DoD). As of today, companies are CMMC certified out of the expected 300,000 that will need to complete annual assessments. The DoD has emphasized the importance of CMMC in protecting sensitive information and ensuring the resilience of the defense industrial base. Companies are now in various stages of implementing CMMC, with many focusing on achieving Level 2 certification, which requires a higher degree of cybersecurity practices and processes.
Overview of Sonalysts
Sonalysts, Inc. is a defense contractor based in Waterford, Connecticut. Founded in 1973, the company has grown to become a leader in providing innovative solutions to complex problems. Sonalysts offers a wide range of services, including systems engineering, software development, training, and simulation. The company is known for its expertise in human factors, analytics, and its ability to deliver high-quality solutions to its clients, which include various branches of the U.S. military and other government agencies. With a strong focus on research and development, Sonalysts continues to push the boundaries of technology and innovation.
This transcript is the result of a recent meeting where Sonalysts’ Manager of IT and Security, Jeff Francoeur, shared insights with Microsoft about their experience pursuing CMMC certification.
Lessons Learned from CMMC: A Q&A with Jeff Francoeur
Justin Orcutt (GOV CLOUD): Jeff, thank you for joining us today. To start, can you tell us a little bit about your company and why CMMC is important to you?
Jeff Francoeur: Absolutely! I work for an employee stock-owned company called Sonalysts, headquartered in Waterford, CT. About 95% of our business is with DoD clients, covering all branches of the military. We do a lot of analytics and human factors work, and we’re known for our bright minds and innovative solutions. CMMC is crucial for us because if we don’t get certified, we risk losing a significant portion of our business.
Justin Orcutt (GOV CLOUD): Can you tell us about your role at Sonalysts and how it relates to CMMC compliance?
Jeff Francoeur: I joined Sonalysts in 2023 as the cybersecurity manager, and later I also took on the role of managing IT. My primary responsibility is to ensure that our cybersecurity practices meet the stringent requirements of CMMC. This involves coordinating with various departments, overseeing the implementation of security controls, and preparing for audits. It’s a challenging role, but it’s essential for maintaining our DoD contracts and protecting sensitive information.
Justin Orcutt (GOV CLOUD): That’s impressive! Now we met years ago when CMMC was just getting started. You truly were one of the early adopters of CMMC. Can you share your journey into the world of CMMC compliance?
Jeff Francoeur: My journey started before I joined Sonalysts. Back in 2017, I was at a larger company involved in a pilot program. We passed the assessment and learned a lot about what the government wants to see from contractors as related to NIST 800-171. Fast forward and CMMC became a thing. When I joined Sonalysts in 2023, they were already looking into CMMC compliance. I took over as the cybersecurity manager and later asked to also take over managing IT. I took on the expanded role under the condition that we would bring on additional staff to focus on CMMC, which was crucial for meeting our deadlines and business goals.
Justin Orcutt (GOV CLOUD): What were some of the biggest lessons you learned from your initial NIST 800-171 government audit that you brought over to Sonalysts?
Jeff Francoeur: Three key lessons stand out. First, having a point person is essential. This person should filter all evidence through them to avoid confusion and ensure consistency. Second, training is critical not only for those participating in the audit but also for all employees in privileged roles. Everyone involved in the audit needs to know how to communicate effectively with auditors. Lastly, be prepared with evidence for all controls. Have screenshots and documentation ready to go.
Justin Orcutt (GOV CLOUD): Relationships seem to play a big role in successful CMMC implementation. Can you elaborate on the importance of building relationships during this process?
Jeff Francoeur: Definitely. Building trust with the CFO and other executives is crucial because they control the budget. You need to show them that the investments are necessary and not just for getting new toys. It’s also important to get buy-in from the IT team. If they don’t support the initiative, it won’t succeed. Lastly, having good relationships with your auditors and technology partners can make the process smoother.
Justin Orcutt (GOV CLOUD): As the cybersecurity manager, how did you use CMMC to improve the business’s efficiency and security?
Jeff Francoeur: One major initiative was setting up a Security Operations Center (SOC). We had tools in place, but they weren’t being utilized effectively. We also established change control boards with business elements involved, which improved our processes. It’s all about getting everyone moving in the same direction and showing the benefits of these changes.
Justin Orcutt (GOV CLOUD): Smaller contractors often struggle with CMMC compliance. What advice do you have for them?
Jeff Francoeur: For smaller companies, it’s essential to have a dedicated person or team for CMMC compliance. If your IT staff is already stretched thin, you won’t make it. Consider bringing in outside consultants who are certified and experienced with CMMC. It’s also important to show that your cybersecurity program is maturing and that you’re not just checking boxes.
Justin Orcutt (GOV CLOUD): What do you think the future holds for companies working towards CMMC compliance?
Jeff Francoeur: I think we’ll see some smaller companies either drop out or get absorbed by larger ones. There’s also an opportunity for companies with CMMC certification to take on more work as others fall behind. It’s a challenging process, but those who get it right will have a significant advantage.
Justin Orcutt (GOV CLOUD): How did you handle the challenge of scoping CMMC compliance for a company with diverse operations like Sonalysts?
Jeff Francoeur: Scoping was indeed a challenge. We had to identify which parts of our business were involved with DoD contracts and ensure that those areas were fully compliant. For smaller companies, creating a separate enclave for CUI can be a practical solution. This way, only the necessary parts of the business need to meet the stringent requirements, which can save time and resources.
Justin Orcutt (GOV CLOUD): What role did technology play in your CMMC compliance journey?
Jeff Francoeur: Technology was a critical component. We leveraged tools like Security Information and Event Management (SIEM) systems and Network Access Control (NAC) to enhance our security posture. It’s important to choose technology that not only meets compliance requirements but also integrates well with your existing infrastructure.
Justin Orcutt (GOV CLOUD): Can you share any specific strategies for building a strong cybersecurity culture within the organization?
Jeff Francoeur: Building a strong cybersecurity culture starts with training and awareness. We conducted regular training sessions and phishing simulations to keep our employees vigilant. It’s also important to communicate the value of cybersecurity to the entire organization, so everyone understands their role in protecting sensitive information.
Summary and Recommendations
From Jeff’s insights, it’s clear that successful CMMC compliance requires a combination of strong leadership, effective communication, and strategic use of technology. Here are three steps companies can take to progress their CMMC compliance journey:
- Establish a Dedicated Compliance Team: Having a dedicated team or point person for CMMC compliance is crucial. This team should be responsible for coordinating all compliance activities, ensuring consistency, and maintaining clear communication with auditors. https://www.cyberab.org/.
- Invest in Training and Awareness: Regular training and awareness programs are essential to ensure that all employees understand their role in cybersecurity. This includes training on how to communicate with auditors and recognizing phishing attempts. https://www.defense.gov/.
- Leverage Technology Effectively: Utilize technology solutions that enhance your security posture and streamline compliance efforts. Tools like SIEM systems and NAC can help monitor and control access to sensitive information. https://www.microsoft.com/en-us/security/business.
You can connect with Justin Orcutt on https://www.linkedin.com/in/justinorcutt and Jeff Francoeur on https://www.linkedin.com/in/jefffrancoeur.