If you are a federal government contractor wanting to land lucrative contracts with the Department of Defense and other large federal agencies, you must up your cybersecurity game.
But how do you do that with limited expertise, time, budget and resources?
That was the challenge facing one rapidly growing government contractor based in the Washington DC metro area. Here’s what they did.
The company specializes in agile software development, DevSecOps, human-centered design (UX/UI), AI/ML, RPA, ERP software implementation, cloud engineering and enterprise integration for federal government agencies. They employee roughly 200 people and run their entire operation in the cloud. They have no on-premises servers, storage or other hardware.
While they had deployed basic cybersecurity protocols enabled by the Microsoft suite of applications and native security features, they were doing little more than securing user accounts and laptops with passwords. With only one junior engineer on their internal IT staff, whose role was mainly to handle Microsoft administration, they knew they didn’t have the level of IT expertise or the resources to get their cybersecurity where it needed to be.
This small business, however, had big goals: They wanted to land contracts with larger federal agencies in general, and the Department of Defense in particular.
This required implementing much more robust security features. To win federal government contracts, the company had to assure government agencies that they are in compliance with the strictest standards against the threat landscape, including the U.S. Department of Commerce National Institute of Standards and Technology (NIST), as well as the Department of Defense Cybersecurity Maturity Model Certification (CMMC).
The company knew that it couldn’t harden its cyber security posture or meet NIST and CMMC standards using its in-house IT expertise resources alone.
So, they conducted a gap and risk management analysis to learn where they needed help. They also performed a cost-benefit analysis to discover if they should gain the required expertise themselves through hiring and training, or if they should instead outsource this new requirement.
As it turned out, the challenge for the company went beyond simple hardware, software and provisioning. It included understanding the requirements for meeting NIST and CMMC compliance, training of staff on the necessary cybersecurity protocols and best practices, creating cybersecurity policies and procedures, and plenty more.
Their challenge, however, also carried a considerable amount of risk.
By bidding on contracts with large federal government agencies, they were putting themselves in the crosshairs of state-sponsored hackers, cybercriminals and other malicious actors. This is because hackers often assume that federal government contractors have access to sensitive government data (which they do). But being a small business also makes the company more vulnerable to phishing attacks than larger enterprises are.
To play in the big leagues, they needed to upgrade to enterprise-level cloud security.
After determining that outsourcing would be the best option, the firm decided to engage with Ntiva based on our expertise in Managed IT and Security Services for government contractors.
“We chose Ntiva because they clearly understood federal government regulations,” says the company’s Chief Administrative Officer. “Their cybersecurity expertise was considerable, and Frank Smith (Ntiva’s Head of Security and Consulting Practice) was very knowledgeable throughout the entire process.”
We began the implementation with our four-phase onboarding process:
1. Service Definition
2. Data Collection
3. Internal Information Review
4. Orientation Meeting and Service Handoff
Our managed cybersecurity services included ensuring that all employees and subcontractors—anyone with access to company networks—had a monitored and managed user account in the system. We performed an inventory of all company computers, tagging them so they could be tracked.
We then conducted penetration tests and phishing tests, implemented and tested a Security Information and Event Management threat detection solution, and completed the company’s System Security Plan and Plan of Action and Milestones.
We also conducted comprehensive training, teaching their staff how to guard against phishing attacks, and how to safeguard hardware and data against theft – a vital consideration with so many of the company’s employees working remotely.
Since outsourcing their cybersecurity to Ntiva, the company has seen a dramatic and rapid improvement in their information security compliance scores.
They measured their level of compliance in November 2020 using the NIST 800-171 self-assessment tool. (The NIST 800-171 measures security compliance based on 14 factors, including access control, configuration management, identification and authentication and physical protection.)
The company’s score started at -60 points.
By February, after the company began implementing Ntiva’s recommendations, the score rose by 77 points into positive territory, at +17.
And by April 2021, four months after partnering with Ntiva, the company’s NIST 800-171 score was +59, a whopping 119-point improvement, putting them well into the zone of compliance with NIST cybersecurity standards.
Their Chief Administrative Officer couldn’t be happier: “Working with Ntiva and improving our compliance has opened up a lot of opportunity. But more importantly, meeting these guidelines has put us into alignment with best practices for any company dealing with sensitive data or critical infrastructure. Ntiva will help keep us ahead of new standards and cyber threats as they arise, so we’ll always be protected.”
Landing contracts with federal government departments requires your company to meet or exceed NIST and CMMC standards. This requires a considerable amount of effort, expertise and experience.
If you lack the resources to do this yourself, consider outsourcing your cybersecurity to a firm of security professionals that offers Cybersecurity Managed Services, such as IT Governance, Risk & Compliance, Cybersecurity Risk Assessment, Multi-Factor Authentication, Intrusion Detection and Response, Endpoint Detection and Response, Phishing Prevention Training, and Vulnerability Scanning and Remediation.
Ntiva is your trusted security solutions partner, improving your cybersecurity compliance so you can land the contracts and grow your business.
Want to learn more? Read the full case study below.
Want to learn more about IT Risk Management Services for your business? See Ntiva’s Governance, Risk and Compliance Management Services.