Project Description

Gannett Fleming Uses the Onspring GRC Platform to Manage CMMC Compliance and Third-Party Risk

A CMMC Case Study


OVERVIEW

Gannett Fleming is a civil engineering consulting firm that delivers resilient and sustainable planning, design, and technology. In addition to serving private sector clients for over 105 years, the company also supplies solutions to various government agencies. One of the main compliance requirements for its Department of Defense (DoD) contracts is the DoD's CMMC (Cybersecurity Maturity Model Certification) 2.0 framework, which verifies that contractors handling Federal Contract Information and Controlled Unclassified Information have the required cybersecurity practices in place. To help obtain CMMC certification, Gannett Fleming turned to Onspring.

Profile

Company:
Gannett Fleming

Industry:
Engineering

Employees:
3,000+

Solutions:
CMMC Management
Third-party / Vendor Risk
Onspring GRC Suite


Challenge

Achieving CMMC certification (CMMC 2.0 defines three levels; a contractor certifies at the level its contracts require) required Gannett Fleming to demonstrate that it has rigorous cybersecurity controls in place and to satisfy a long list of standardized assessment objectives, with supporting evidence for each. The company also needed to know which objectives were unmet or partially met so it could address those gaps. This was difficult when the content was dispersed across Excel files and Word documents stored in OneDrive and SharePoint.

“The major pain point was that we have a very lean team and didn’t have the resources to do things manually,” said Tamika Bass, director of cybersecurity at Gannett Fleming. “We needed some type of automation to help us manage our CMMC compliance initiative.”

In addition to managing compliance with CMMC and other mandates, Bass’s department also oversees third-party risk management. This required them to tailor a standard questionnaire to each existing and prospective vendor, email it to them, chase down responses, and then manually process the answers that came back to assess risk.

“We used to have Excel spreadsheets and took time to go through each question manually,” Bass said. “It was very time consuming, which often led to us not even doing it.”

Solution

Finding a Versatile Governance, Risk, and Compliance (GRC) Solution

Realizing that they needed to progress from manual to automated processes, Bass and her colleagues started to evaluate governance, risk, and compliance (GRC) tools. To aid the selection process, they used Evanta, a Gartner service that connects executives to share best practices, insights, and solutions. It soon became clear which solution best met Gannett Fleming’s wide range of needs.

“We chose Onspring because of the automation and the potential to use it in other areas,” Bass said. “We were focused on compliance, risk management, and third-party risk but noticed that it also offered business continuity, and we could build apps to track exceptions. I wanted to get the best bang for my buck, so I was excited about all the things that it did in addition to our key focus at the time.”

Identifying CMMC Exceptions and Collecting Evidence

A company like Gannett Fleming that works closely with the DoD cannot leave CMMC compliance to chance or simply hope that everything required to satisfy the standard is being done. Onspring shows on a dashboard which objectives have been partially met or not met and initiates a POA&M (Plan of Action and Milestones) process that outlines the steps, owners, and target dates for closing each gap.

“My team is using Onspring mainly for CMMC to manage all the work and the controls that we need to put in place and track compliance,” Bass said. “We recently used it to create a POA&M. The ability to put that in Onspring and have it automatically spit a report out has been awesome for us, as we had to do it manually before.”

Each time Bass's team completes a POA&M item and satisfies a new CMMC objective, Onspring automatically recalculates the company's SPRS (Supplier Performance Risk System) score. This is the NIST SP 800-171 DoD Assessment score that contractors report to SPRS; it starts at 110 with every requirement met and is reduced by a weighted deduction for each requirement not yet implemented, so closing a gap raises the score.

“The other big piece of CMMC is knowing what our SPRS score is at any given point,” Bass said. “We built a dashboard that lets me see progress, like our score going from 22 to 46. Onspring allows me as the director to get that type of information that I can share with executive leadership.”

CMMC assessors do not accept assertions alone: each objective has to be backed by supporting evidence (artifacts such as configurations, policies, logs, or screenshots) from the people who own the control. Collecting this from subject matter experts across a 3,000-person company used to be a time-consuming and frustrating task for Bass and her team, but Onspring has simplified the process.

“We’re using Onspring to request evidence from other key SMEs in the organization,” she said. “That’s a big thing because in the past, we were using email and trying to track people down. Now, we just send them a link and a way to upload the evidence that they need to provide.”

Results

Improving SPRS Scores and Meeting Business Objectives with GRC Automation

Previously, achieving CMMC certification seemed like a Herculean task for Bass and her cybersecurity team. “The challenge before Onspring was the manual work that we had to do with such a lean team,” Bass said. “We were up against a tight deadline to get CMMC implemented, and because we were doing everything manually, we weren’t seeing the progress that we needed.”

Now that the entire CMMC compliance process is being managed from beginning to end in Onspring, it is achievable with just four administrators. “Fast forward to the implementation of Onspring and we’re seeing our SPRS score change and controls being implemented because we’re automating that process,” Bass said. “I’m excited about the opportunity to use Onspring in a lot of different ways, but right now, we’re focusing on CMMC compliance. Onspring is making a huge impact in helping us get that done.”

Now that they’re no longer doing guesswork to try and figure out which controls have been met, hunting for documentation, or following up on missing evidence from SMEs, Gannett Fleming’s cybersecurity team can complete CMMC compliance tasks faster and have more time to focus on other duties.

“Onspring makes us more productive in our roles and that helps meet business objectives. Automating some of our processes allows us to get our jobs done quicker.”

Tamika Bass

Tamika Bass, CCP, CBCP, CISA, CRISA, HCISPP
Cybersecurity Director
Gannett Fleming

Simplifying Third-Party Risk Management

Since implementing Onspring, Gannett Fleming’s third-party risk process has also been transformed. Bass and her team are no longer using a combination of email and Excel to customize, distribute, collect, and process vendor questionnaires and can easily interpret the results in an Onspring dashboard.

“My favorite part of Onspring is third-party risk management – being able to automate sending out questionnaires, getting responses back, and scoring them,” Bass said. “Using Onspring to send the questionnaire and get an initial score back automatically without needing to look through the questions is saving a lot of time because it expedites the procurement process.”

Looking ahead, Bass intends to extend the reach of Onspring to help automate manual tasks, remove redundant steps, and expedite workflows in GRC activities and beyond. If she had unlimited resources, Bass would immediately utilize Onspring for two key functions.

“I’d implement exception tracking right away,” she said. “Right now it’s a manual process. I’m using a spreadsheet to track exceptions, and it’s daunting. I would also use Onspring to manage our digital search. We’ve had situations where searches expired, and people had so much going on that they didn’t know. If we built an app in Onspring, it could remind us 30 or 90 days out so we didn’t get to a point where we’re backpedaling because we missed the deadline.”

When asked why she might recommend Onspring to a peer in a similar role, Bass said: “Onspring is a business automation tool that goes far beyond compliance, third-party risk, risk management, and business continuity. It has the ability to automate a lot of things that we do manually today, and the apps are fantastic.”

Find your CMMC compass

Onspring is your tool for the CMMC process and continued compliance.
Schedule a demo
