This week a very small DoD subcontractor passed the Joint Surveillance Voluntary Assessment Program with a perfect 110 after a year of hard work getting ready. One question facing the Defense Industrial Base for some time has been whether or not small businesses can afford to implement an 800-171 program. Another question is whether they can source the skills needed to pass. I can tell you that a very small OSC just did exactly that. In the words of the DIBCAC, “This is the smallest OSC our team has assessed, and one of the most comprehensive packages we have seen.” Not only did this small OSC properly implement a comprehensive program, but they also aced the assessment. No bucket list of items to fix, no POA&Ms, no corrections, other than 5 typos in a 250-page SSP and hundreds more pages in policy and procedure. This OSC was my client.
To give full credit to this story I have to go back to late December 2022. Most know me as an assessor and instructor. As an assessor and instructor for the CMMC program, I had begun to interact with so many different OSCs and MSPs. However, I was fairly new to the CMMC space compared to my colleagues. The network and systems architect in me had mounting curiosity about implementing CMMC programs using the Azure Gov/GCCH enclave approach. I wanted to see the details, watch the OSC experience in totality, as well as monitor, pick, and choose features. I did not want to “throw the kitchen sink at it”. It was probably a naïve idea, but I wanted to find an OSC that was looking for someone to build out their Azure Gov/GCCH enclave and 800-171 compliance program. It would be fantastic if they would be willing to go all the way to JSVA. It was a tall order.
Where does everyone turn when they are looking for such things? The dating site of all things IT and Cyber… UPWORK. Call it serendipity, but shortly after posting my “pick me” ad, I was contacted by a small company owned by the most amazing forward-thinking OSC owners I could have ever asked for. It was a family-owned and -operated company, husband and wife, with an awesome team and a subcontract to a BIG prime. They had interviewed close to 25 candidates looking for someone to help them with their goals. Over the next year I would find these owners were more ambitious than I realized and believed in the importance of being assessed early. Around month six, the owner would often ask, “When can we apply for that program?” They were completely committed to all of my newly implemented scheduled trainings, new rules, new procedures, and strict policy. “I need more time,” I would explain, “We are getting close.” I never thought I would be so deep in the weeds of system architecture at this point in my career. It felt like a complete U-turn. Here I was night and day, trying to perfect this enclave and all of its complexities (Sentinel, boundaries, rule-sets, whitelisting, AVDs, connecting devices, Intune, Defender for Cloud, O365 Defender, and more). I can tell you that GCCH does not make that easy!
Around month 8 we began exploring the JSVA program through several C3PAOs. In September, we heard that the dates given to selected candidates were pushed all the way out to March/April of 2024. I felt bad explaining this to my customer and even worse about their chances of selection. Their optimism was unrelenting. On October 13th, 2023, I looked down at my phone to see a message that read, “Would you look at that!” A forwarded message from the DIBCAC – I could not believe my eyes. Our assessment would not be in March or April, it would be in about 50 days.
From that day until today, we worked harder than is healthy, operated on little sleep, and pulled off what felt like a Hail Mary. I am so grateful for the opportunity to have worked with this small company, which represents a glimmer of hope for all small businesses facing readiness for the CMMC program.
Cybersec Investments was our chosen C3PAO. This choice would make all the difference. Fernando Machado was amazing with my customer. He helped them understand the process and kept them informed from beginning to end. Most importantly he understood and had a great communication channel with the DIBCAC team. He was so thorough in his assessment and my new name for him is “Eagle Eye”, as he catches every detail. He was fair and his familiarity with the DIBCAC processes made everything very smooth. There was nothing unexpected at any time. I must also add, I have been a part of several JSVA assessments, and every single time the DIBCAC team has been professional, talented, and very good at what they do. I would also like to thank Mark Berman and FutureFeed for providing an amazing tool that was referred to during the assessment and helped with providing evidence throughout.