CMMC is the DoD’s response to the shortcomings of the Defense Federal Acquisition Regulation Supplement (DFARS). The regulation required all non-federal entities that did business with DoD and had access to Controlled Unclassified Information (CUI) to comply with the security requirements published in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which covers protecting CUI in non-federal information systems and organizations. Compliance was through self-attestation, a mechanism that led to significant compromises of sensitive CUI located on contractors’ IT systems. CMMC, on the other hand, requires third-party assessments of contractors’ compliance with certain mandatory practices, procedures, and capabilities that can adapt to new and evolving cyber threats from adversaries. Beginning September 2020, DoD will issue select Requests for Proposals that include the CMMC requirement for respondents to be certified by a third-party organization before bidding on the contract. The level of certification required, level 1 for most contracts and up to level 5 for a select few, will be determined by contracting officers; certification will be based on the company’s compliance with the CMMC practices and maturity for the required level.
While large defense contractors with established security programs can quickly implement the directed practices to achieve compliance, such is not the case for small businesses and individuals. Most of them are inexperienced with federal security requirements and don’t have enough resources for implementation and compliance with the CMMC standards. Establishing a compliance program requires time to acquire the right tools, hire the right people, and deploy the necessary security practices. The whole process can take up to six months, which, for small companies, can result in the loss of DoD contracts or the decision not to bid in the first place. This is where Herndon, VA-based Ascolta is changing the narrative by using DevOps to provide a NIST SP 800-171 compliant cloud environment that is CMMC ready, so smaller companies can easily acquire, perform, and deliver on DoD contracts.
Ascolta’s secure cloud environment is designed to protect customer data to CMMC standards. Rather than trying to preserve your existing legacy network and addressing all the baggage that comes with it, Ascolta creates a new, separate cloud-based Secure Environment where work relating to the client’s government contract can be securely conducted. “With our Secure Environment, compliance and the required documentation is obtained quickly, information is secured, and organizations can focus on their core competencies rather than managing and maintaining a secure compliant environment,” says Wayne Hall, President and Chief Technology Officer of Ascolta. The company’s Secure Environment provides compliance and a CMMC ready environment for business operations through a secure Platform-as-a-Service (PaaS) offering. It is rapidly implemented and affordable, and contract delivery can begin immediately in a safe, scalable environment. Even if CMMC is not a requirement for an organization, having an Ascolta secure environment that meets government compliance standards for its employees to operate in remotely is a huge bonus and does not require organization-wide alterations to the current infrastructure or policies.
Additionally, users can continue to use their corporate-issued equipment, while corporate or contract IP is housed and protected within the environment.
The DevOps Way for Faster CMMC and Compliance Preparation
Serving the DevOps market for over five years now, Ascolta is an expert in delivering DevOps and cloud migration services. Ascolta thoroughly understands that reducing the time from concept to capability is becoming increasingly critical for defense contractors preparing for CMMC, which is why the company leverages DevOps to design and deploy containerized environments that are technically compliant from the moment they are created. Ascolta then provides consulting services to clients to ensure policy and personnel practices are in place to meet third-party assessment certification standards. The company’s staff mainly consists of security-focused DevOps employees. As Hall says, “DevOps is where we are all trained. We take that kind of mindset to solve whatever problems we run into.” The company leverages this DevOps mindset to implement a Continuous Integration/Continuous Delivery (CI/CD) life cycle that creates an environment meeting the technical standards of NIST and CMMC. Ascolta offers this environment to its customers, who can use it to develop their DoD-based projects that can qualify for CMMC certification.
Ascolta uses a thorough and in-depth onboarding process. It asks prospective clients to answer a very explorative questionnaire; the client’s responses about their technical process and personal requirements allow Ascolta to develop tailored policies, practices and procedures designed to meet CMMC practices. Each deployment comes with the necessary security documentation, including policy templates and a Systems Security Plan (SSP). As new technology, software, and security patches are made available, Ascolta seamlessly integrates these updates into the environment. The company provides environments that are CMMC ready and meet the Good Cyber Hygiene rating (Level 3) required for contracts involving CUI. By utilizing the company’s compliant environments, customers can be ready for CMMC certification within days, allowing them to bid and win DoD contracts. “We have developed a perfect solution for small businesses and startups to quickly, easily and in an affordable manner meet requirements to meet the DFARS requirements while subsequently being prepared to obtain a CMMC certification,” says Wayne. If the client is looking for a contract that requires these types of accreditations, then Ascolta can help.
The Road to Success
As the CMMC requirement becomes more widely known, the market for NIST compliant solutions has grown. Traditional security tool/service providers and MSSPs offer consulting services to help customers bring their existing environments into compliance, or they offer a tool or service that provides compliance for specific NIST controls. Wayne believes that none of these offerings gives customers a secure, out-of-the-box compliant solution such as Ascolta’s. The company’s out-of-the-box compliance environment provides best-of-breed protection for all technical cybersecurity controls, which eliminates an organization’s need to resource, manage, and integrate these tools. With Ascolta’s environment, clients quickly obtain compliance, secure information, and can focus on their core competencies rather than security.
“Ascolta is comprised of a dream team of experienced and cleared software developers, DevOps professionals, computer scientists and engineers. It’s definitely our corporate culture and careful addition of the right team members that has made us what we are today. The way this team works seamlessly together has allowed us to not only achieve the successes that we have had to date, but has also firmly shaped who we are growing into. It’s been quite a journey watching Ascolta shape and build itself over the last several years and we are all excited to see what lies ahead!” says Wayne.
Responsible for leading Ascolta and constructing this team, Wayne has over two decades of experience in public, private, and startups focusing on organizational change management, product development, professional services, and business optimization in commercial and government contracting (CONUS and OCONUS). Skilled at building and directing high performance teams and focusing business growth through the orchestration of technology and processes, he also leverages his varied expertise in GEOINT, C4ISR, cloud transition support and hybrid cloud solutions, data analytics, machine learning, and advanced R&D to lead the team at Ascolta.
Joining Wayne and responsible for operations at Ascolta is EVP of Ops, Rick Palermo. With 34 years of defense and security experience, 22 as a U.S. Marine Corps combat arms officer and 10 in the office of the DoD CIO, Rick has extensive experience in strategy and policy, as well as business and systems review, gained while supporting the Deputy CIOs for both Cybersecurity and Business Process and Systems Review. Leveraging his extensive leadership, strategic and operational planning, and program management experience, Rick has been a vital piece of the Ascolta Executive Team and overall company success.
Rapid Growth in Cybersecurity Compliance Market
In terms of upcoming projects, Ascolta has divided its future roadmap into short-term and long-term goals. For the short term, the company plans to continue delivering on its DoD contracts, complete development of its secure environments product, and position Ascolta for rapid growth in the expanding compliance piece of the cybersecurity market. For the long term, the company plans on acquiring professional services work in both software integrations and DevOps training engagements. Ascolta continues to help its customers prepare for DoD contracts and capture a portion of the government cybersecurity compliance market.
Ascolta will continue on its mission to provide leading-edge secure cloud technical and professional services to commercial and government organizations in need of sophisticated yet cost-effective technology. “We partner with industry leaders to provide customized solutions in flexible delivery and financial models, enabling organizations to accelerate deployment of cloud based solutions with a focus on secure CMMC ready environments,” adds Wayne.