The federal government now requires that contractors and subcontractors for the Department of Defense prove they meet certain cybersecurity requirements, a potentially complicated, costly and time-consuming process.
A startup company based in Exeter wants to help.
GovSky builds a cybersecurity compliance software platform for government contractors. Its co-founder and CEO, Conor McClintock, said, “Our goal is to help our customers get and stay compliant as quickly and cost-effectively as possible, so they can protect their business from attacks.”
The new cybersecurity requirements are built into something called Cybersecurity Maturity Model Certification (CMMC). It became a requirement for DoD contractors and subcontractors effective November 2020 with a five-year phase-in period.
According to the DoD chief information officer, compliance "is meant to protect sensitive unclassified information," specifically controlled unclassified information (CUI) and federal contract information (FCI), "shared between the department and others through acquisition programs."
The federal government has always wanted the computer systems and networks of contractors to be secure but it never codified how, according to McClintock.
“So the government finally sort of woke up back in 2018/2019 and decided that something needed to be done to enforce compliance across the entire industrial supply chain,” he said.
Thus, the CMMC process was born. It will be a requirement for more than 500,000 companies in America’s Defense Industrial Base, including those in New Hampshire, such as BAE Systems.
A listing of defense contractors shows 1,839 in New Hampshire whose contracts between 2000 and 2020 were worth a total of $27.26 billion.
“What the government realized is that it is really important that the entire supply chain is secure, not just the Raytheons, Northrops, Grummans, etc., but the entire supply chain because these FCI and CUI are passed down the supply chain from prime contractors to subcontractors,” he said.
So the CMMC requirement will ultimately apply not only to defense contractor giants like Lockheed Martin, but also to the very small subcontractor, such as a machine shop that makes a specialized part for, say, the Lockheed Martin-produced F-22 Raptor fighter jet.
The large contractors might have their own internal cybersecurity team with the time and resources to meet the CMMC standards.
“The hardest part is for the small machine shop that, for the first time, now needs to prove to the government, effectively to the DoD, that they are compliant, but they don’t really know where to begin,” McClintock said.
In most cases, according to McClintock, defense contractors and subcontractors will need to hire outside consultants to help them through the complexities of CMMC certification.
“GovSky can help make that process a lot cheaper and easier. It’s a tool that they can use along with that expert to help get their company compliant cost effectively,” he said.
GovSky (govsky.com) builds the cybersecurity compliance software platform. It does not supply the CMMC consultants that a company might hire.
It puts into one platform what might otherwise exist in separate and disparate spreadsheets and logs kept by a defense contractor. The platform brings the components of compliance, such as implementation tracking, project management, evidence collection and document generation, together in one place.
“Think of GovSky as a power tool in the hands of an expert,” McClintock said. “So the same way that you might build a house and you might hire somebody to build it, think of us as a tool that the builder can use to get their job done a lot more efficiently.”
The client retains use of the software to maintain ongoing compliance.
Ultimately, there are 110 controls (the security requirements of NIST SP 800-171, which CMMC Level 2 requires) that a company has to prove it meets to an authorized assessor who conducts the CMMC assessment.
“What happens is when a company is assessed, they need to prove to that assessor that they’re meeting every single one of the 110 controls. They need to show that they have a perfect score by proving to the assessor that they’re meeting each one of those controls,” McClintock said.
The current CMMC 2.0 model has three levels, and each level's requirements are aligned with existing federal cybersecurity standards. Level 1 covers the basic safeguarding requirements for FCI from the Federal Acquisition Regulation; Level 2 covers the 110 requirements of NIST SP 800-171 for protecting CUI; Level 3 adds a subset of the enhanced requirements in NIST SP 800-172. NIST is the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce. At Level 3, a system is certified to protect the confidentiality, integrity and availability of CUI against advanced persistent threats.
GovSky publicly launched its compliance platform on June 12, saying in a statement that successfully passing an audit is challenging, expensive and time-consuming, taking six to 18 months to implement and costing over $200,000 for the typical small business. "GovSky's mission is to reduce this burden so these businesses can efficiently earn compliance and stay focused on their critical role in defense of our nation," it said.
McClintock, who has a background in company building as a cybersecurity investor, partnered with Tristan Fisher as his co-founder and chief technology officer. "He's also an expert in security. So he's been incredibly helpful," McClintock said. "He's the CTO, we're both co-founders. He's been tasked with building the actual product from a coding standpoint."
GovSky has raised $2.5 million in funding to date, with backing from Peterson Ventures, Revolution’s Rise of the Rest Seed Fund, SaaS Ventures, Sequoia and others.
McClintock said he and Fisher are hiring as they settle into an office in Exeter.
"There's just nothing that can replace that face-to-face. So we do have an office," McClintock said. "We are really big fans of New Hampshire, both me and my co-founder. We think it's an awesome place to start a company."