As organizations across the Defense Industrial Base (DIB) work toward CMMC certification, many face the same challenge: keeping their compliance programs accurate and up to date without drowning in spreadsheets and manual tracking.

One ASCERA customer — a cybersecurity and technology contractor supporting the Army, Air Force, SOCOM, and DIA — was no exception. The company faced a number of challenges that prevented them from confidently preparing for their C3PAO assessment.

After adopting ASCERA, less time went to managing scattered documentation and outdated templates, and more went to actual progress on control implementation.

This interview with the company’s CTO/CISO gives insight into how ASCERA’s automated evidence collection and continuous monitoring streamlined the company’s CMMC process.

Background Overview

What types of contracts or work does your organization handle within the Defense Industrial Base (DIB)?

Our company operates in three value segments – Defense/Civilian, Health, and Clean Energy. Most of the DoD work is performed by the Defense/Civilian value segment, but there is cross-over in the other two segments with DoD contracts.

Most of our DIB contracts are with the Army, Air Force, U.S. Special Operations Command (SOCOM), and Defense Intelligence Agency (DIA), where we provide unclassified and classified support specializing in enterprise IT modernization, cybersecurity, health IT, systems integration, and digital engineering. 

Before ASCERA, how were you managing your CMMC or cybersecurity compliance requirements?

I inherited an environment previously assessed against CMMC v1 by a consulting firm that produced an unrealistic SPRS score and relied on incomplete and inaccurate templates. We had separate ISO 27001 and CMMC documentation sets, an SSP lacking detail, and no continuous monitoring plan to sustain compliance. 

Challenges Before ASCERA

What challenges or pain points were you facing prior to using ASCERA? 

Our challenges and pain points were:

  • Having separate documentation sets for ISO and CMMC compliance
  • Using a spreadsheet to track control compliance
  • An outdated SSP template in Word format
  • Cumbersome linking of evidence to assessment objectives
  • No executable continuous monitoring plan

Our asset list was not accurate, assets were not categorized in accordance with the CMMC scoping guide, and we hadn’t performed a scoping exercise to find our CUI data flows. We were attempting to achieve compliance at the enterprise level at CMMC Level 2, where CMMC Level 1 made more sense with a separate enclave for the limited personnel handling CUI.

How were these challenges impacting your organization’s ability to stay compliant or prepare for CMMC certification?

The SSP was not defendable, I had no confidence in our SPRS score, and we had limited activities planned to demonstrate the ability to sustain compliance. 

Why You Chose ASCERA

What stood out to you about ASCERA compared to other solutions you evaluated?

Many things stood out. When I evaluate solutions, I cast a wide net and schedule meetings and demonstrations with several vendors and follow the decision analysis and resolution process we developed through our CMMI compliance program.

ASCERA stood out because it focuses on solving one problem exceptionally well—automated evidence collection and continuous control monitoring. Unlike most tools that only evaluate configuration data, ASCERA analyzes log data to validate whether controls are truly met. That cross-check gave me confidence that when I marked a control ‘met,’ ASCERA would confirm it with real data. 

Your Experience Using ASCERA

How has ASCERA helped you simplify or accelerate your CMMC compliance efforts?

I spent much less time formatting my SSP and organizing evidence.

As my approach to writing policy, plan, and procedure documentation was to answer control implementation questions, I was able to very easily cut/paste content from my documents into ASCERA. I found it very intuitive to manage evidence by dragging/dropping files into the repository and tagging them to a control family, control(s), or assessment objective(s). And when my C3PAO assessment was complete, I simply exported all the evidence from ASCERA, ran the hashing scripts, and provided the results to the assessors.
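The hashing step described in this answer is the usual way an assessed organization proves that the evidence set it retains after the assessment is byte-for-byte what the assessors saw. The script below is an added example, not the customer's scripts or anything shipped with ASCERA; it assumes the export is a plain directory tree, uses SHA-256, writes a manifest of one `<digest>  <relative path>` line per file, and then hashes the manifest itself so a single digest can be recorded for the whole set. The evidence files it creates are constructed sample data.

```python
"""Hash an exported evidence folder for assessors (added example, not ASCERA code).

Assumptions (not from the interview): the export is a plain directory tree,
SHA-256 is the digest, and the manifest format is '<hex digest>  <relative path>'
per line, with the manifest itself hashed afterwards so that one value can be
recorded and later used to confirm the retained evidence has not changed.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB pieces so large artifacts are not loaded into memory


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir):
    """Return sorted (digest, relative POSIX path) pairs for every file under evidence_dir."""
    root = Path(evidence_dir)
    return [
        (sha256_file(p), p.relative_to(root).as_posix())
        for p in sorted(root.rglob("*"))
        if p.is_file()
    ]


def write_manifest(evidence_dir, manifest_path):
    """Write the manifest and return the SHA-256 of the manifest file itself.

    manifest_path must sit outside evidence_dir, otherwise the manifest would
    be hashed as if it were an artifact.
    """
    with Path(manifest_path).open("w", encoding="utf-8", newline="\n") as f:
        for digest, rel in build_manifest(evidence_dir):
            f.write(f"{digest}  {rel}\n")
    return sha256_file(manifest_path)


def verify_manifest(evidence_dir, manifest_path):
    """Recompute every digest and return the relative paths that are missing or changed."""
    root = Path(evidence_dir)
    problems = []
    with Path(manifest_path).open("r", encoding="utf-8") as f:
        for line in f:
            recorded, rel = line.rstrip("\n").split("  ", 1)
            target = root / rel
            if not target.is_file() or sha256_file(target) != recorded:
                problems.append(rel)
    return problems


def make_demo_evidence():
    """Create a constructed evidence tree (sample data, not real artifacts) and return its path."""
    root = Path(tempfile.mkdtemp(prefix="evidence-"))
    (root / "AC").mkdir()
    (root / "AC" / "ac-2-account-list.txt").write_bytes(b"abc")
    (root / "AU").mkdir()
    (root / "AU" / "au-2-log-retention.txt").write_bytes(b"retention: 90 days\n")
    return root


if __name__ == "__main__":
    evidence = make_demo_evidence()
    manifest = evidence.parent / (evidence.name + "-hashes.txt")
    print("manifest hash:", write_manifest(evidence, manifest))
    print("changed or missing:", verify_manifest(evidence, manifest))
```

Run `write_manifest` once at handover and keep the returned manifest digest with the assessment record; `verify_manifest` is the check to run against the retained copy later, and any path it returns is an artifact that no longer matches what the assessors were given.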

What specific features or capabilities have been the most valuable for your team? (e.g., Continuous Controls Monitoring, POA&M tracking, automated evidence collection, policy mapping, reporting dashboard, etc.).

Both the ACE and CCM were the most valuable, as these functions were continuously running while I worked on control implementation and I could see things go from red to green as compliant configurations were put in place and reflected in the logs analyzed by ASCERA.

How has ASCERA improved your visibility into compliance or risk posture?

We incorporated viewing of the ASCERA “periodic table of controls” (the compliance view) into our weekly information security management system technical review meetings. ASCERA has become an integral part of our continuous monitoring solution supporting the RA (Risk Assessment) and CA (Security Assessment) control families. 

Have you seen measurable results or improvements since implementing ASCERA? (Examples: reduced audit prep time, better documentation, faster gap closure, etc.).

Using ASCERA to manage our SSP, POA&Ms, and evidence management reduced our audit preparation time and simplified our engagement with the C3PAO. ASCERA allowed us to simply enter our control implementation statements, attach evidence, and create POA&M items without having to deal with templates, document management, or any formatting issues.

Providing our C3PAO access to ASCERA freed us from having to send any documents to them and ensured they were always seeing the most up-to-date information.

Partnership and Support Experience

How would you describe your experience working with the ASCERA team?

The ASCERA team has been a pleasure to work with. Everyone on the ASCERA team has been enthusiastic, responsive, and very collaborative in responding to any issues we reported and incorporating our feedback and feature requests.

I really enjoyed and appreciated the deeper technical discussions with the development team and SP6 compliance experts around the interpretation of control and assessment objective requirements and how ACE and CCM are implemented to evaluate criteria to ensure we can confidently say they are met or not met. 

How responsive or helpful has our customer support been when you’ve had questions or requests?

The customer support team has been very responsive. We had very few issues, but when reported they were corrected quickly. We submitted several feature requests, most of which were received positively and promptly implemented. 

How do you feel about the way ASCERA listens to customers and evolves the product?

We had very productive weekly sessions with the ASCERA team which not only helped us fully realize the benefit of the product but also helped everyone more thoroughly understand CMMC requirements and compliant control implementations. For anyone new to CMMC or not well-versed in compliance, I recommend engagement with the ASCERA professional services team for guidance. 

Impact and Outcomes

What impact has ASCERA had on your overall compliance process or confidence heading into CMMC certification?

As our assessment date approached, seeing a full set of green controls and a 110 score in ASCERA gave me complete confidence that our integrated ISO 27001:2022 and CMMC Level 2 ISMS would pass—and, more importantly, that it was sustainable through continuous monitoring. 


Looking Ahead

How do you see ASCERA fitting into your long-term compliance and cybersecurity strategy?

Now that we have a CMMC Level 2 compliant enclave, I’d like to use ASCERA to perform a CMMC Level 1 self-assessment of our enterprise environment. And if ASCERA continues to evolve to support other compliance frameworks, I’d like to use it for our next ISO 27001 assessment and internal audits.