Onspring Helps Avnet Centralize Data & Reporting for CMMC 2.0 Certification
A CMMC Case Study
OVERVIEW
Headquartered in Phoenix, Arizona, Avnet is a global electronic components distributor and solutions provider that works with suppliers in every major technology segment to serve customers worldwide across a broad range of markets. To continue supporting their customers’ government contracts with the Department of Defense (DoD), Avnet needed to obtain certification for the DoD’s CMMC (Cybersecurity Maturity Model Certification) 2.0 framework. The company turned to Onspring CMMC Management software to track its compliance with this standard.
Challenge
Safeguarding sensitive national security information cannot be left to chance, which is why the DoD created the CMMC 2.0 framework. Organizations like Avnet that support U.S. Government contracts with the DoD must demonstrate that they meet the requirements to achieve CMMC certification and maintain continued compliance with the standard.
Jillene VanNostrand came to Avnet as a GRC analyst III in mid-2023 to help oversee IT security policies and cybersecurity assessments. The company had licensed a system that was supposed to centralize data collection, testing, and reporting for CMMC certification, but it wasn’t working as expected.
“We had a different GRC tool that we attempted to apply to our CMMC compliance activities when I joined Avnet, but it was not a good fit for the CMMC business requirements,” VanNostrand said. “It did not have anything out of the box that we could work with and would have required a lot of customization to fit the project needs.”
As a result, the company was relying on a largely manual workflow. “We were using team collaboration tools, MS Excel files, and collecting evidence through emails,” VanNostrand said. “This semi-automated approach met our basic business requirements, but it was very time consuming and we needed to find ways to make the process more efficient.”
Solution
To streamline CMMC compliance and replace the existing system that wasn’t usable, Avnet searched for a dedicated CMMC management system that offered turnkey functionality.
“It had to be something that we could set up and use without a high level of effort or resources to even get it working,” she said. “We also needed to customize it for our processes in a way that was intuitive for our users that only use the tools a few times each year. They have to be able to complete their assessment processes or document reviews without having to retrain every time.”
Simplifying CMMC 2.0 Reporting for 20 Departments
After evaluating multiple products, Avnet selected the Onspring CMMC Management solution. This enables the company to monitor its status against CMMC 2.0 levels that map directly to NIST SP 800-171r2 and NIST SP 800-172 frameworks. Avnet continuously monitors its CMMC control implementation and the Onspring solution offers a simple process for the control owners to submit information within their area of responsibility.
“We have had a great deal of positive feedback about the Onspring tool and how easy it is to use,” VanNostrand said. “Using a questionnaire built in the CMMC module, users review their dashboard, answer questions, and have the capability to upload evidence, which comes to our GRC team to review. It provides a means to ingest all their information in a much more organized fashion. We can then evaluate the evidence against CMMC requirements to manage our overall compliance with our regulatory obligations.”
With this simple process, Onspring allows users from 20 different Avnet departments to contribute to the CMMC assessment and certification process, including:
- Platform services
- IT systems administration
- Sales
- HR
- Physical security
- Vendor risk management
- Identity services
Resolving Unmet CMMC 2.0 Objectives
Once staff from these functional areas have answered the questions and uploaded evidence, Onspring collates the responses and shows which objectives are fully met, partially met, or unmet. For unmet objectives, Onspring initiates a POA&M (Plan of Action and Milestones) process that identifies what needs to change and who is responsible for it, and tracks the remediation work until the gap is closed. The system applies the Department of Defense (DoD) assessment methodology to automatically recalculate the SPRS (Supplier Performance Risk System) score each time a new objective or control is met.
“Onspring consolidates our information into one dashboard that we can reference to see where a CMMC practice is missing information or how we need to improve a process,” VanNostrand said. “It gives us one central command space where we can visualize all of our CMMC requirements and evaluate our compliance. The Onspring CMMC module improves our efficiency as we go through our processes.”
Results
Creating a Collective Brain for CMMC 2.0 Certification
Previously, it was time consuming for Avnet’s GRC team to sift through all of the data and evidence to evaluate the effectiveness of the controls. With Onspring, VanNostrand and her colleagues can quickly pinpoint any unmet or partially met objectives and focus their attention on these until each is resolved.
“Onspring allows us to visualize where we’re at in our CMMC process to understand where we need follow up,” she said. “It empowers us to make better decisions because we have the information we need in one place and can set up different reports and visual configurations to quickly identify what needs more attention. Onspring serves as our collective brain.”
Standardizing data collection, identifying deficiencies, and automating CMMC workflows has made VanNostrand’s job easier and allowed her to balance CMMC framework compliance with her other GRC duties.
Enhancing CMMC 2.0 Compliance Reporting
Once Avnet completes a CMMC assessment, Onspring automatically generates a results report that VanNostrand can send out.
“My favorite feature of Onspring is reporting,” she said. “It provides visuals to help us better describe the value of what we’re doing and metrics to show we have efficiencies and policies in place. We can demonstrate progress in a way that’s measurable and tangible for our different stakeholders.”
VanNostrand is also using Onspring for policy management, allowing her to see which policies need to be reviewed or updated and to instantly provide information to Avnet customers and auditors. Looking ahead, she sees many possibilities for extending the platform in GRC and across the enterprise.
“If you can imagine it, you can build it because Onspring is customizable, and it has so many different building blocks and ways of putting things together,” she said. “We are looking closely at the third-party risk management module. We’re excited about the AI integrations, and we have some ideas for how we can leverage that for various use cases.”