Case study

Government contractor takes proactive CMMC compliance stance

November 21, 2024

RSM’s IT and cybersecurity strategy and managed services elevate client success

For U.S. government contractors, information technology optimization and cybersecurity compliance are never complete: innovations advance rapidly, and evolving regulatory demands require constant attention. These organizations operate in a complex environment, facing the commercial expectations common to all businesses as well as additional expectations from the Department of Defense (DOD). They often need support to keep up with the technology and compliance requirements necessary to grow the business while they focus on day-to-day operations.

Our client is a large government contractor with over 2,000 employees and $10 billion in assets. Several acquisitions over the years introduced a significant amount of disparate technology, which was costly and difficult to maintain and also complicated the management of controlled unclassified information (CUI).

CMMC readiness assessment highlights need for change

RSM US LLP has a long-standing relationship with the client’s parent company and conducted a readiness assessment for the DOD’s Cybersecurity Maturity Model Certification (CMMC) for nearly 20 of the parent’s subsidiaries. That assessment identified Defense Federal Acquisition Regulation Supplement (DFARS)/CMMC compliance gaps and defined a future-state roadmap for ongoing success.

The assessment highlighted several compliance challenges facing the client, a subsidiary that lacked a deep understanding of the DOD’s regulatory requirements and struggled to identify cybersecurity risks in their processes and systems. In addition, they were working with their parent company’s internal shared IT infrastructure, which did not have the depth of experience and resources to handle the client’s infrastructure needs. The client quickly understood that a change was necessary.

“We were not in a good position at that point,” says the client’s director of contracting and compliance. “With the challenges we had ahead of us, we knew that we needed a more robust organization to help us get over the compliance hump.”

The company's CEO selected RSM to conduct the project. The decision was based on RSM’s depth of experience with program oversight; understanding of the client’s requirements for cybersecurity enhancements, operational transformation, and managed IT and security services; and ability to quickly ramp up and phase in solutions to meet ongoing business, audit and operational needs.

“We needed to do this to ensure compliance,” the client says. “And we needed RSM to do it.”

Establishing a modern, streamlined and secure IT strategy

With the CMMC compliance clock ticking, RSM quickly got to work to develop and establish a more effective IT and security framework. Leveraging the future-state roadmap from the initial assessment, RSM designed and implemented a Microsoft Azure/Microsoft 365 Government Community Cloud High (GCC-H) environment to govern the IT transformation efforts. The team configured Microsoft 365 and Active Directory for all employees and third parties to provide identity protection for key business operations.

In addition, RSM developed a roadmap for increased alert fidelity, enabling access to more accurate data about potential security incidents by taking the company from one to 40 sources of data/truth and integrating threat intelligence into all investigations.

“Our technology was decades behind, but RSM took us from on-premises and limited file sharing to the cloud in a matter of six months,” says the client. “It’s where businesses need to move, and RSM got us there quickly.”

With the effective transition to new technology, the client now has a more modern IT approach with increased accessibility, security and scalability. In addition, the new strategy provides an effective foundation for CMMC compliance.

“They know the CMMC regulations backwards and forwards,” the client says. “The whole team understands how the regulations will apply to our organization and how our infrastructure aligns with those requirements.”

Continuing momentum with managed services

After revamping and modernizing their IT and security infrastructure, the client sought a managed IT and security services provider to continue maintaining and optimizing their technology, security and compliance approach. Once again, RSM quickly emerged as the clear choice.

“We sought multiple bids for managed IT services, and RSM again came through with a top-notch team,” the client says. “Their solution was not only price competitive, but also provides us with first-rate service.”

The RSM team deployed a managed IT services strategy to create more value from the new IT infrastructure and implemented the RSM Defense managed security services solution for ongoing vulnerability scanning of the client’s more than 4,000 assets. With the two outsourcing solutions in place, the client has confidence that their IT, security and compliance demands are in good hands, while internal personnel can focus on reaching business goals and managing ongoing growth.  

The client has appreciated the responsiveness and efficiency RSM’s managed services resources have brought to the business.

“I can call my contact and ask if they have someone that can provide Power BI programming,” the client says. “He might not know how to do it, but he will find someone for me. RSM’s organization clears away the red tape to get what I need.”

In addition, the managed services solution provides the client with a depth of resources that could not be matched in their previous shared IT structure.

“We now have access to the insight and experience to do something like use Power Automate to eliminate repetitive operations and get to a level where everything we can automate is automated,” the client says. “Those are the kind of things that just were not possible with our previous IT support.”  

A strong foundation for ongoing compliance and growth

CMMC compliance is a critical issue for government contractors, as establishing an effective framework and adhering to the DOD cybersecurity regulations will be necessary to obtain contracts once the new standard goes into effect Dec. 16, 2024. In fact, our client has already been able to turn compliance into a competitive advantage because a growing number of contracts are already requiring CMMC certification.

“I know there are organizations similar to us that have not even started their CMMC implementation,” the client says. “Anyone that is starting now does not have time to make mistakes. They need an organization to help that isn’t guessing at what the regulations mean and how to implement them.”

After several significant projects with RSM, the client is in a much stronger position to meet and exceed commercial and regulatory expectations. The technology and security transformation, along with managed IT and security services, has created a clear path to CMMC compliance and sustained growth.

With a strong track record of collaboration with RSM that has led to effective solutions and business evolution, the client is looking forward to further successes in the future.

“I love the RSM team that's been helping me, and I hope we're going to continue the relationship for many, many years to come,” the client says.
