A CMMC Case Study
OVERVIEW
Gannett Fleming is a civil engineering consulting firm that leads the way in delivering resilient and sustainable planning, design, and technology. In addition to serving private sector clients for over 105 years, the company also supplies solutions to various government agencies. One of the main compliance requirements for its Department of Defense (DoD) contracts is the DoD's CMMC (Cybersecurity Maturity Model Certification) 2.0 framework. To help obtain CMMC certification, Gannett Fleming turned to Onspring.
Profile
Company: Gannett Fleming
Industry: Engineering
Employees: 3,000+
Challenge
Achieving certification for the three levels of CMMC required Gannett Fleming to demonstrate that it has rigorous cybersecurity controls in place and satisfy a long list of standardized objectives with supporting evidence for each. The company also needed to know which criteria were unmet or partially met so it could address these exceptions. This was difficult when content was dispersed in Excel files and Word documents and stored in OneDrive and SharePoint.
"The major pain point was that we have a very lean team and didn't have the resources to do things manually," said Tamika Bass, director of cybersecurity at Gannett Fleming. "We needed some type of automation to help us manage our CMMC compliance initiative."
In addition to managing compliance with CMMC and other mandates, Bass's department also oversees third-party risk management. This required them to tailor a standard questionnaire to each existing and prospective vendor, email it to them, chase down responses, and then manually process the answers that came back to assess risk.
"We used to have Excel spreadsheets and took time to go through each question manually," Bass said. "It was very time consuming, which often led to us not even doing it."
Solution
Finding a Versatile Governance, Risk, and Compliance (GRC) Solution
Realizing that they needed to progress from manual to automated processes, Bass and her colleagues started to evaluate governance, risk, and compliance (GRC) tools. To aid the selection process, they used Evanta, a Gartner service that connects executives to share best practices, insights, and solutions. It soon became clear which solution best met Gannett Fleming's wide range of needs.
"We chose Onspring because of the automation and the potential to use it in other areas," Bass said. "We were focused on compliance, risk management, and third-party risk but noticed that it also offered business continuity, and we could build apps to track exceptions. I wanted to get the best bang for my buck, so I was excited about all the things that it did in addition to our key focus at the time."
Identifying CMMC Exceptions and Collecting Evidence
A company like Gannett Fleming that works closely with the DoD cannot leave CMMC compliance to chance or just hope that everything required to satisfy this regulatory standard is being done. Onspring graphically represents which conditions have been partially met or unmet in a dashboard and initiates a POA&M process that outlines steps to address these.
"My team is using Onspring mainly for CMMC to manage all the work and the controls that we need to put in place and track compliance," Bass said. "We recently used it to create a POA&M. The ability to put that in Onspring and have it automatically spit a report out has been awesome for us, as we had to do it manually before."
Each time Bass's team completes the POA&M procedure and satisfies a new CMMC objective, Onspring automatically calculates an updated SPRS (Supplier Performance Risk System) score.
"The other big piece of CMMC is knowing what our SPRS score is at any given point," Bass said. "We built a dashboard that lets me see progress, like our score going from 22 to 46. Onspring allows me as the director to get that type of information that I can share with executive leadership."
One of the requirements for successful CMMC compliance is for certain roles to not just share specific cybersecurity information, but also back it up with supporting evidence. Collecting this from subject matter experts across a 3,000-person company used to be a time-consuming and frustrating task for Bass and her team, but Onspring has simplified the process.
"We're using Onspring to request evidence from other key SMEs in the organization," she said. "That's a big thing because in the past, we were using email and trying to track people down. Now, we just send them a link and a way to upload the evidence that they need to provide."
Results
Improving SPRS Scores and Meeting Business Objectives with GRC Automation
Previously, achieving CMMC certification seemed like a Herculean task for Bass and her cybersecurity team. "The challenge before Onspring was the manual work that we had to do with such a lean team," Bass said. "We were up against a tight deadline to get CMMC implemented, and because we were doing everything manually, we weren't seeing the progress that we needed."
Now that the entire CMMC compliance process is being managed from beginning to end in Onspring, it is achievable with just four administrators. "Fast forward to the implementation of Onspring and we're seeing our SPRS score change and controls being implemented because we're automating that process," Bass said. "I'm excited about the opportunity to use Onspring in a lot of different ways, but right now, we're focusing on CMMC compliance. Onspring is making a huge impact in helping us get that done."
Now that they're no longer doing guesswork to try and figure out which controls have been met, hunting for documentation, or following up on missing evidence from SMEs, Gannett Fleming's cybersecurity team can complete CMMC compliance tasks faster and have more time to focus on other duties.
"Onspring makes us more productive in our roles and that helps meet business objectives. Automating some of our processes allows us to get our jobs done quicker."
Simplifying Third-Party Risk Management
Since implementing Onspring, Gannett Fleming's third-party risk process has also been transformed. Bass and her team are no longer using a combination of email and Excel to customize, distribute, collect, and process vendor questionnaires and can easily interpret the results in an Onspring dashboard.
"My favorite part of Onspring is third-party risk management: being able to automate sending out questionnaires, getting responses back, and scoring them," Bass said. "Using Onspring to send the questionnaire and get an initial score back automatically without needing to look through the questions is saving a lot of time because it expedites the procurement process."
Looking ahead, Bass intends to extend the reach of Onspring to help automate manual tasks, remove redundant steps, and expedite workflows in GRC activities and beyond. If she had unlimited resources, Bass would immediately utilize Onspring for two key functions.
"I'd implement exception tracking right away," she said. "Right now it's a manual process. I'm using a spreadsheet to track exceptions, and it's daunting. I would also use Onspring to manage our digital search. We've had situations where searches expired, and people had so much going on that they didn't know. If we built an app in Onspring, it could remind us 30 or 90 days out so we didn't get to a point where we're backpedaling because we missed the deadline."
When asked why she might recommend Onspring to a peer in a similar role, Bass said: "Onspring is a business automation tool that goes far beyond compliance, third-party risk, risk management, and business continuity. It has the ability to automate a lot of things that we do manually today, and the apps are fantastic."