
FN Herstal Achieves CMMC Readiness with SysArc’s CMMC Readiness OS™

March 10, 2026 by SysArc

The Problem: International Compliance for a Global Leader

As a premier global designer and manufacturer of small arms—responsible for iconic systems like the FN FAL and the FN SCAR®—FN Herstal maintains a vital partnership with the U.S. Department of Defense. However, the introduction of the Cybersecurity Maturity Model Certification (CMMC) created a significant hurdle.

Despite being based in Belgium, FN Herstal is required to meet the same rigorous U.S. cybersecurity standards as domestic contractors to continue its work with the DoD. While FN Herstal maintains a highly capable in-house IT team, the specific complexities of CMMC—and the logistical challenges of managing U.S. controlled unclassified information (CUI) from overseas—required specialized CMMC Advisory Services. They needed a partner who could translate these U.S. federal requirements into an actionable, localized strategy.

The Solution: SysArc’s CMMC Readiness OS™

SysArc deployed its proprietary CMMC Readiness OS™, a battle-tested framework built over a decade of navigating DFARS and NIST 800-171 requirements. SysArc took on a consultative role, guiding the FN Herstal IT team through a five-phase implementation process:

  • Discover: SysArc consultants traveled to Belgium to conduct an on-site deep dive. By analyzing information flow and organizational structure, they performed a comprehensive gap analysis to identify exactly where existing systems fell short of CMMC standards.
  • Design: Using the gap analysis data, SysArc developed a customized remediation plan. This served as the blueprint for building a secure, CMMC-compliant architecture that aligned with FN Herstal’s unique business operations.
  • Build: A critical decision was made regarding data residency. Because CMMC-compliant cloud solutions (like GCC High) require data to be stored on U.S. soil and managed by U.S. citizens, the teams opted for a hardened on-premise server environment in Belgium. SysArc advised on NIST 800-171 control implementation, including a multi-layered physical security strategy featuring:
    • Strictly controlled server environment access.
    • Continuous monitoring and surveillance.
    • Advanced visitor management and physical media protection.
  • Prove: SysArc developed the essential documentation required for the audit, including the System Security Plan (SSP) and the Plan-of-Action & Milestones (POA&M), providing a clear roadmap of compliance for the auditors.
  • Validate: Before the final audit, SysArc conducted a “mock assessment” to provide a readiness score. On the official day of the assessment, SysArc’s team joined FN Herstal to provide technical support and resources, ensuring the CMMC auditor (C3PAO) received comprehensive answers to all inquiries.

The Result: Secured Contracts and State-of-the-Art Defense

The partnership resulted in a successful path toward CMMC certification, yielding three primary benefits for FN Herstal:

  1. Contract Continuity: FN Herstal successfully met its compliance requirements, ensuring they can continue to bid on and win high-value DoD contracts without interruption.
  2. Competitive Advantage: By achieving readiness ahead of many global peers, FN Herstal solidified its position as a trusted leader in the defense supply chain, proving their commitment to protecting sensitive U.S. defense information.
  3. Enhanced Security Posture: Beyond mere compliance, the implementation of the CMMC Readiness OS™ provided FN Herstal with a state-of-the-art cybersecurity infrastructure, significantly reducing their vulnerability to evolving global cyber threats.

By combining FN Herstal’s internal IT expertise with SysArc’s specialized CMMC Advisory Services, we transformed a complex regulatory requirement into a streamlined competitive advantage.

 

Filed Under: CMMC

How SysArc Helped Green Contracting Achieve CMMC Certification

March 10, 2026 by SysArc

Problem

Green Contracting Company, Inc. (GCC) is a heavy industrial and mechanical contractor with more than 56 years of experience serving private manufacturers, public corporations, and multiple departments of the United States Government. As a Department of Defense (DoD) contractor, Green plays a role in supporting the U.S. defense supply chain.

With the rollout of the Cybersecurity Maturity Model Certification (CMMC), the DoD introduced a mandatory cybersecurity requirement for all defense contractors. In order to retain and win new DoD contracts, Green Contracting had to formally demonstrate compliance with NIST SP 800-171 controls and successfully pass a CMMC assessment conducted by a certified third-party assessor organization (C3PAO).

The challenge was significant.

Green Contracting’s internal IT department consisted of one IT manager responsible for daily operations: user support, infrastructure management, system reliability, and business continuity. Implementing dozens of technical security controls, documenting policies and procedures, creating a compliant System Security Plan (SSP), managing a Plan of Action & Milestones (POA&M), and preparing for a formal CMMC audit is effectively a full-time cybersecurity and compliance role in itself.

Attempting to handle both daily IT operations and a complex federal compliance initiative would have placed enormous strain on the organization and increased the risk of audit failure.

Recognizing the scope of the mandate, Green Contracting’s IT manager engaged SysArc, Inc., a managed service provider and managed security service provider specializing in DoD contractor compliance and CMMC readiness.

Solution

SysArc deployed its proprietary CMMC Readiness OS™, an audit-ready operating framework purpose-built for defense contractors. Developed through nearly a decade of experience helping organizations navigate DFARS and CMMC requirements, the framework delivers a structured, repeatable path to certification.

SysArc guided Green Contracting through a six-phase implementation process:

Discover

SysArc began by meeting with key stakeholders to understand how Green Contracting’s organization operates, how Controlled Unclassified Information (CUI) flows through the business, and how users interact with systems.

A comprehensive gap analysis was performed to evaluate existing security controls against NIST SP 800-171 requirements. This analysis identified compliance deficiencies and informed a clearly defined scope of work tailored to Green’s operational realities.

Design

Using the gap analysis findings, SysArc engineered a remediation roadmap and secure architecture aligned with CMMC requirements. This included designing a compliant enclave environment to properly safeguard CUI and reduce risk exposure.

Build

SysArc migrated Green Contracting’s users and data into a secure Microsoft GCC High environment, purpose-built for organizations handling sensitive government information. This environment was then hardened to meet the controls within NIST 800-171. The migration established the technical foundation required for CMMC compliance while minimizing disruption to daily operations. For more information, see our GCC High Migration Services.

Prove

Compliance is not just about implementing controls; it must be documented and defensible.

SysArc developed Green Contracting’s System Security Plan (SSP) and Plan of Action & Milestones (POA&M), clearly mapping implemented controls and demonstrating compliance to the C3PAO. This documentation provided the formal evidence required to support certification.

Validate

Before the official assessment, SysArc conducted a mock audit to evaluate readiness and assign a readiness score. This proactive validation ensured there were no surprises on assessment day.

When the formal CMMC assessment occurred, SysArc joined Green Contracting’s team, providing direct support, answering auditor questions, and ensuring that all required artifacts and explanations were readily available.

Sustain

Compliance is not a one-time event. Without ongoing governance, organizations risk “compliance drift.”

Through its managed IT and cybersecurity services, SysArc continuously monitors, maintains, and strengthens Green Contracting’s security posture. This ensures ongoing CMMC alignment while protecting against evolving cyber threats.

Result

Green Contracting successfully met its CMMC requirements and achieved certification, enabling the company to maintain existing DoD contracts and remain eligible for future contract awards.

The impact extended far beyond certification:

  • Business Continuity Secured: Green can confidently continue competing for and executing DoD projects.
  • Competitive Advantage: Achieving CMMC positions Green Contracting as a security-conscious, trustworthy partner in the defense supply chain.
  • IT Leadership Elevated: The IT manager was able to dramatically increase the organization’s cybersecurity maturity without sacrificing daily operational performance. By leveraging SysArc’s expertise, he became the internal champion who modernized the company’s security framework.
  • Significant Cost Avoidance: Instead of hiring a full internal cybersecurity and compliance team, Green leveraged SysArc’s specialized expertise, saving hundreds of thousands of dollars annually.
  • State-of-the-Art Security: With a secure GCC High environment, documented controls, and ongoing managed security oversight, Green Contracting significantly reduced its exposure to modern cyber threats.

By partnering with SysArc and implementing the CMMC Readiness OS™, Green Contracting not only achieved certification — it strengthened its operational resilience, elevated its market position, and reinforced its commitment to protecting the U.S. defense supply chain.

Filed Under: CMMC

Hegseth’s Urgent Directive to Pentagon Leadership Following ProPublica Investigation

September 2, 2025 by SysArc

In a recent memorandum, U.S. Secretary of Defense Pete Hegseth issued an urgent directive to Pentagon leadership, calling for heightened measures to protect the Department of Defense’s (DoD) information technology (IT) capabilities, including cloud services, from foreign adversaries such as China and Russia. The memorandum underscores the growing concerns regarding the vulnerability of the DoD’s supply chain to potential malicious influence by foreign powers, particularly in light of recent revelations surrounding the use of China-based engineers by Microsoft for Pentagon cloud services.

A Summary of Pete Hegseth’s Directive

Immediate Actions for Secure IT Capabilities

Secretary Hegseth’s memorandum directs the DoD Chief Information Officer (CIO) to collaborate with key departments, including the Under Secretaries of Defense for Acquisition and Sustainment, Intelligence and Security, and Research and Engineering, to immediately review and validate all information technology assets within the DoD. This review focuses on ensuring that these systems are secure against any potential supply chain attacks by adversarial nations, particularly China and Russia. The directive emphasizes the necessity of ensuring that the Department does not procure any hardware or software that may be susceptible to foreign influence or pose a risk to mission security.

Fortifying the Defense Industrial Base (DIB)

In a bid to counter these threats, the DoD has been instructed to strengthen existing safeguards within the Defense Industrial Base (DIB) that serves as a critical supplier of goods and services to the military. The Department will take measures to eliminate or mitigate adversarial foreign influence in its products and services, with a focus on preventing the introduction of malicious capabilities by foreign actors. The memorandum further directs the Department to explore any additional steps necessary to address the risks posed by foreign influence.

Several ongoing initiatives are being leveraged to support this effort, including the Cybersecurity Maturity Model Certification (CMMC), the Software Fast Track Program, the Authority to Operate process, and the Federal Risk and Authorization Management Program (FedRAMP). These programs, alongside efforts such as the Secure Software Development Framework, are all aimed at enhancing the security of DoD systems and operations.

Additionally, the Under Secretary of Defense for Intelligence and Security will oversee the review and validation of personnel security practices and insider threat programs within the DIB and cloud service providers. This initiative is critical to ensuring that the personnel handling sensitive military data do not pose any potential security risks.

Tightened Oversight Following ProPublica Investigation

This memorandum follows recent revelations from a ProPublica investigation, which uncovered that Microsoft had been using China-based engineers to support U.S. military systems hosted in its cloud infrastructure. According to the report, these engineers, while monitored by U.S.-based “digital escorts” (U.S. citizens with security clearances), were still granted access to sensitive systems. This arrangement raised significant concerns about the potential for indirect foreign access to the Pentagon’s cloud infrastructure, leading Microsoft to end the practice.

As a direct consequence of these findings, Microsoft decided to cease using China-based engineers for Pentagon cloud services, in order to comply with U.S. security protocols and mitigate any perceived security risks. While Microsoft assured that it would continue adhering to all U.S. regulations, the company has not yet specified how it will address the technical support needs previously met by the now-discontinued use of Chinese engineers.

Future Guidance and Expectations

In response to these concerns, Secretary Hegseth has directed the DoD CIO to issue additional implementing guidance within 15 days to ensure a secure environment for the nation’s warfighters. This move underscores the urgency of protecting U.S. military infrastructure from potential vulnerabilities in an increasingly interconnected world, where adversaries such as China and Russia may seek to exploit weaknesses in the supply chain and cloud services.

The DoD’s actions reflect a growing recognition of the risks posed by foreign influence in military technologies and underscore the Department’s commitment to safeguarding sensitive defense systems from adversarial threats. Through rigorous security protocols, strategic reviews, and proactive measures, the DoD aims to fortify its IT infrastructure, ensuring the safety and security of its operations in an era of rapidly evolving technological threats.

Filed Under: CMMC

48 CFR Rule: CMMC Will Be In Contracts As Early As October 2025

September 2, 2025 by SysArc

The Department of Defense (DoD) officially submitted the final 48 CFR rule to the Office of Information and Regulatory Affairs (OIRA) for review. This important step paves the way for CMMC requirements to be incorporated into defense contracts as early as October 2025.

What Is the 48 CFR Rule?

The rule covers 48 CFR Parts 204, 212, 217, and 252 and establishes CMMC acquisition policies along with standardized contract language. While 32 CFR Part 170 has been effective since December 2024, the 48 CFR rule is necessary to formally authorize the inclusion of CMMC language in solicitations and contracts.

The final rule’s submission to OIRA marks the second-to-last stage before it becomes official, enabling CMMC to be enforceable in defense contracts. OIRA has 90 days to review and it could take one to three weeks for the final rule to be published in the Federal Register.

Therefore, we expect to see CMMC requirements in contracts starting in late October 2025.

What Is the Significance?

CMMC requirements remain unchanged—they were established by 32 CFR Part 170. However, the 48 CFR rule:

  • Adds the DFARS 252.204-7021 clause to contracts
  • Grants contracting officers the authority to include CMMC language in solicitations
  • Initiates the four-phase rollout of the CMMC program

The Four Phases:

Why You Need to Act Now

If your organization plans to bid on or receive DoD contracts after October 2025, obtaining CMMC Level 2 certification could be mandatory. 

Key points to keep in mind:

  • CMMC Level 2, verified through C3PAO assessments, can be required starting in Phase 1 (i.e., in 2025), since contracting officers have discretion regarding certification requirements.
  • Waivers probably won’t happen, as they are pre-determined at the acquisition level and are not typically granted to subcontractors or late bidders.
  • The time between solicitation release and contract award—known as the Procurement Administrative Lead Time (PALT)—is usually short (around 32 days), leaving little room to begin CMMC compliance after a solicitation is issued.

Next Steps…

CMMC compliance takes time. Most organizations need 9 to 12 months to fully implement NIST SP 800-171 controls, validate compliance, and successfully pass a C3PAO assessment.

If your organization handles Controlled Unclassified Information (CUI), is a prime contractor or subcontractor within the defense industrial base, and plans to bid on contracts in 2026 or sooner, then you should already be in the CMMC assessment and implementation phase.

SysArc has helped DoD contractors like FN America, Honeycomb Company of America, and 2 Circle prepare for CMMC. To learn how we may help your organization prepare for CMMC, get a free consultation.

Filed Under: CMMC

Client Success Story: GovCon Focused IT & CMMC Compliance for 2 Circle Inc.

August 13, 2025 by SysArc

The Problem

2 Circle Inc., a growing government contractor, had an ambitious roadmap for scaling its business and expanding its presence in the defense and federal sectors. However, the company’s leadership quickly recognized a critical obstacle: their existing Managed Service Provider (MSP) lacked the capabilities necessary to support that vision.

The challenges were twofold:

  1. CMMC Compliance Roadblocks: The current MSP had no expertise in implementing the NIST 800-171 controls required for Cybersecurity Maturity Model Certification (CMMC). Without a clear path to compliance, 2 Circle Inc. faced a fragmented and risky process—outsourcing to yet another provider who would still need to coordinate with their inadequate MSP. Additionally, the existing MSP lacked a Security Operations Center (SOC), another essential element for CMMC compliance.
  2. Inexperience with Government Contractors: Government contracting is not like other industries. It requires specialized IT strategies, cybersecurity frameworks, and the ability to scale quickly in response to new contract wins. The incumbent MSP didn’t understand these nuances, putting 2 Circle Inc. at risk of non-compliance and operational bottlenecks at a crucial time in their growth.

The leadership at 2 Circle knew they needed more than just IT support—they needed a strategic partner who could guide them through CMMC compliance and help them scale securely.

The Solution

2 Circle Inc. partnered with SysArc Inc., a Washington, DC-area provider of managed IT and cybersecurity services tailored specifically for government contractors.

SysArc’s Unique Value Proposition
With decades of experience supporting government contractors, SysArc brings together comprehensive IT support and robust cybersecurity services under one roof. Their in-house Security Operations Center (SOC) ensures clients meet compliance requirements without relying on third-party vendors. This “one-stop-shop” approach allows SysArc to manage everything from everyday IT needs to high-stakes compliance initiatives like CMMC.

Tailored Implementation for 2 Circle Inc.
SysArc delivered a comprehensive solution that aligned with both 2 Circle’s operational and regulatory requirements:

  • Seamless Migration to Microsoft GCC (GovCon): SysArc migrated 2 Circle’s IT infrastructure from Microsoft 365 Commercial to Microsoft GCC, enabling compliance with Controlled Unclassified Information (CUI) requirements.
  • CMMC-Ready Infrastructure: Leveraging pre-configured tools and processes developed specifically for government contractors, SysArc provided 2 Circle with a ready-made framework to meet NIST 800-171 controls.
  • SOC Implementation: SysArc deployed its 24/7 Security Operations Center to continuously monitor 2 Circle’s network, a critical requirement for CMMC certification.
  • Streamlined IT Provisioning: As 2 Circle scaled its workforce, SysArc’s mature onboarding systems ensured efficient, secure, and remote provisioning for a distributed team.

The Result

Thanks to their forward-thinking leadership and SysArc’s strategic guidance, 2 Circle Inc. achieved transformative outcomes:

  • CMMC Readiness: 2 Circle successfully implemented the NIST 800-171 controls necessary for CMMC compliance. The company is now prepared for its official audit—ensuring continued eligibility for government contracts and setting the foundation for long-term growth.
  • Rapid Workforce Expansion: With SysArc’s support, 2 Circle scaled from 100 to over 250 users, smoothly integrating new employees without operational disruptions.
  • Industry Leadership & Competitive Advantage: By prioritizing cybersecurity and compliance, 2 Circle positioned itself as a trusted leader in the government contracting space. This reputation not only protects their current business but also enhances their potential to win future contracts.

Conclusion
For 2 Circle Inc., the decision to partner with SysArc was more than an IT upgrade—it was a strategic move that enabled the company to meet its growth goals, achieve compliance, and secure its future in the government contracting arena. Together, SysArc and 2 Circle turned a complex challenge into a powerful competitive advantage.

 

Filed Under: CMMC

Client Case Study: CMMC Compliance for Honeycomb Company of America, Inc.

April 22, 2025 by SysArc

Partnering with SysArc to Achieve Full CMMC Compliance

The Problem

Honeycomb Company of America, Inc., a supplier to the U.S. Department of Defense (DoD), faced a critical challenge: achieving compliance with the Cybersecurity Maturity Model Certification (CMMC) before the upcoming 2025 audits by the CMMC Accreditation Board. The company’s internal IT manager was equipped with deep institutional knowledge but lacked the bandwidth and specialized expertise to meet the rigorous requirements of NIST 800-171 alone.

With a one-person IT department, the manager was caught between two competing priorities—keeping day-to-day operations like help desk support running smoothly, and dedicating the massive effort required to prepare for a CMMC audit. Either the organization’s IT support would suffer, or CMMC compliance wouldn’t get done. The stakes were high: without certification, Honeycomb risked losing existing DoD contracts and missing out on future opportunities.

Recognizing that internal resources alone couldn’t handle the scope of the task, the IT manager turned to SysArc, a Managed IT Service Provider (MSP) with deep expertise in CMMC compliance and a track record of supporting defense contractors.

The Solution

SysArc began the engagement with a comprehensive Gap Assessment, evaluating Honeycomb’s current IT maturity against the stringent requirements of NIST 800-171. The results revealed significant gaps that would require either substantial internal staffing or a strategic partnership with a specialized MSP. Honeycomb chose to partner with SysArc.

To address the compliance gaps, SysArc deployed a suite of tailored solutions:

  • Continuous Network Monitoring – SysArc implemented its Security Information and Event Management (SIEM) tool along with its Security Operations Center (SOC), enabling 24/7 monitoring—an essential component of CMMC compliance.
  • Secure Data Handling – The team established robust data flow and access controls to ensure that Controlled Unclassified Information (CUI) was handled, stored, and transmitted securely, with access strictly limited to authorized personnel.
  • Enhanced Authentication – A secure password management system was introduced, along with enforced multi-factor authentication across all devices to protect against unauthorized access.
  • Help Desk Support – SysArc deployed its full-service help desk, giving Honeycomb’s employees reliable access to expert IT support and freeing the internal IT manager to focus on strategic initiatives.

Thanks to SysArc’s “templatized” CMMC-compliant infrastructure, processes, and toolsets—developed specifically for defense contractors—Honeycomb was able to rapidly and cost-effectively achieve compliance without disrupting daily operations.

The Results

With SysArc’s support, Honeycomb Company of America passed the Joint Surveillance Voluntary Assessment Program (JSVAP) with a perfect score of 110, effectively demonstrating full CMMC compliance. This crucial milestone ensures Honeycomb’s continued eligibility for DoD contracts and positions them strongly for future business growth.

The partnership delivered results that went far beyond compliance:

  • The IT manager emerged as a strategic leader, having successfully positioned the company for long-term success with DoD partnerships.
  • Cost savings were realized by leveraging SysArc’s team of CMMC specialists for less than the cost of adding a full-time employee.
  • Cybersecurity was dramatically improved, protecting sensitive company data from cyber threats with top-tier defenses.
  • Operational efficiency increased, as the IT manager was freed to focus on growth, innovation, and strategic initiatives rather than being bogged down by daily IT support or complex compliance tasks.
  • SysArc complemented—not replaced—the IT manager’s role, becoming an extension of the internal team and a long-term strategic partner.

Conclusion
SysArc’s partnership with Honeycomb Company of America illustrates the power of expert-led collaboration between a forward-thinking IT manager and a well-equipped MSP. With the right support, even lean internal IT teams can achieve full CMMC compliance—on time, on budget, and without compromising daily operations.

Filed Under: CMMC

Driving Efficiency: How SysArc is Helping Companies Achieve CMMC Compliance

December 6, 2024 by SysArc

SysArc, a leading provider of cybersecurity and compliance solutions for the Defense Industrial Base (DIB), has proudly announced that four of its clients—Mantech, FN America, Honeycomb Company of America (HCOA), and Hunatek—have successfully completed their CMMC DIBCAC High Assessments through the Joint Surveillance Voluntary Assessment (JSVA) Program, each receiving an SPRS score of 110.

In a period marked by heightened activity and productivity, SysArc has demonstrated its expertise and dedication to preparing clients for CMMC compliance. This achievement underscores SysArc’s commitment to providing tailored solutions and unwavering support to businesses aiming to protect sensitive information and meet stringent cybersecurity standards.

Mantech

SysArc collaborated with Mantech in the final stages of their assessment, providing expert CMMC Consulting Services. Mantech notably implemented a zero-trust architecture across its environment, a testament to their dedication to cybersecurity. SysArc’s team played a critical role in finalizing the SSP and policies and in providing critical evidence during the assessment.

FN America

FN America, a U.S. subsidiary of FN Herstal, S.A., worked closely with SysArc over two years to ensure readiness for their assessment. Leveraging SysArc’s CMMC Program Management Consulting Services, FN America successfully navigated the complexities of compliance, as detailed in their case study.

Honeycomb Company of America

For Honeycomb Company of America (HCOA), SysArc developed a comprehensive CMMC Program from the ground up. As a mature MSP/MSSP focused on the DIB, SysArc manages the IT infrastructure for HCOA, and our Compliance and SecOps teams run their Security Program. With SysArc managing their IT infrastructure and running their Security Program, HCOA was well-prepared for the CMMC assessment.

Hunatek

Similarly, Hunatek benefited from SysArc’s dedicated team of IT, Security, and CMMC experts, who provided a complete outsourced solution to achieve their compliance requirements.

SysArc’s work has earned them high praise within the industry. A Director of CMMC from Redspin, a leading C3PAO, commented, “You are doing a fantastic job, so keep it up. In fact, I think you may be the only RPO that has had more than one client pass JSVA. That is a big deal.”

SysArc’s success is further highlighted by their recent CMMC Mock Assessment for External Service Providers (ESP) conducted by an independent C3PAO, where zero gaps were identified and a Plan of Actions & Milestones (POA&M) was not required. SysArc currently has an SPRS score of 110 out of a possible 110, and SysArc’s ability to assist the DIB and/or bid on existing or new DoD contracts remains in place.

All of this hard work and these recent wins for our customers have proven SysArc’s ability to fully support organizations of many different sizes and approaches with customized solutions that fit their compliance and security requirements, knowing that they will successfully achieve CMMC compliance when the time comes.

About SysArc

SysArc is a trusted cybersecurity and compliance partner for the DIB, offering customized solutions to meet the unique needs of each client. With a focus on protecting sensitive information and achieving industry certifications, SysArc delivers expert guidance and support to organizations of all sizes. For more information, visit sysarc.com and experience compliance for yourself.

 

Filed Under: CMMC

How SysArc Helped FN America Pass the Joint Surveillance Voluntary Assessment Program (JSVAP) with a Score of 110 

August 9, 2024 by SysArc

Safeguarding lives on physical and cyber battlefields.

FN America, LLC, is a U.S. subsidiary of FN Herstal, S.A., a global leader in developing and manufacturing high-quality, reliable firearms for military, law enforcement, and commercial customers worldwide. True to its vision to be the firearm industry’s most innovative company, the company makes cybersecurity one of its main priorities. They have been at the forefront of the U.S. Department of Defense’s latest mission to protect America’s defense industrial base from foreign and domestic cyber breaches and attacks with the rollout of the Cybersecurity Maturity Model Certification (CMMC).

“Cyberattacks targeting systems and data throughout the world are constantly increasing in both volume and sophistication. Our purpose is to safeguard the lives of American service members and its allies, and we understand that this purpose extends to the cyber battlefield as well. Therefore, we strive to take the same innovative approach to cybersecurity as we do with our firearms.”

— Jason Britton, IT Director, FN America

The Challenge

In 2016, the Department of Defense (DoD) announced a new cybersecurity requirement for DoD suppliers: DFARS 252.204-7012. This requires all companies that provide products and services to the DoD to implement NIST 800-171 cybersecurity controls within their IT systems. FN America promptly conducted a self-assessment to determine their compliance gaps and found issues they tried to correct themselves.

FN America’s IT leadership initially overcomplicated the process and implemented controls that were difficult to understand and implement. Like many other manufacturers, FN America also found its shop floor more challenging and complex to secure than development or service floors: sensitive information was often left exposed on unattended computers, and new procedures disrupted their productivity.

The Solution

When CMMC was first announced in 2019, FN America decided to rethink their approach to implementing NIST 800-171, both to avoid their previous pitfalls of incorrectly interpreting the standard and with the goal of becoming one of the first companies to be CMMC certified. After a thorough search of the market for NIST 800-171/CMMC experts, they partnered with SysArc in early 2020 to provide CMMC Advisory Services, including Program Management of their CMMC Project. As a first step, SysArc provided a comprehensive NIST 800-171 gap assessment that identified FN America’s compliance gaps. From there, SysArc assisted with the SSP, POA&M items, Policies & Procedures, and Assessment preparation.

The Result

FN America’s early and consistent collaboration with the compliance experts at SysArc allowed them to secure their CMMC certification through the Joint Surveillance Voluntary Assessment Program (JSVAP), positioning them ahead of their competitors. Fewer than 100 companies worldwide have successfully navigated this process and achieved certification, making FN America a leader in their industry.

“FN America was successful in their compliance journey because they received a solid commitment of support from their overseas parent company, FN Herstal, and they were diligent about working through all of the requirements, no matter how challenging.”

— Bernhard Bock, SysArc CISO and CMMC Program Manager

Since completing certification and starting their program with SysArc, FN America is not only compliant with their customers’ requirements but also more secure, with a reduced risk of a serious breach. Through this process, they have become more committed to continuous improvement, with an ongoing effort to maintain high security standards and compliance moving forward. By improving the security of sensitive information, FN America can now better serve the warfighter and do their part to protect the DIB supply chain from bad actors.

Do you need help preparing for CMMC?

We’ve helped over 1,500 DoD contractors throughout the U.S. navigate the complexities of DFARS, NIST 800-171, and now CMMC. Through our many experiences, we’ve fine-tuned several solutions that enable our clients to prepare to achieve compliance faster and at a lower cost compared to other solutions that have been popping up in the market recently. If you need help preparing for CMMC, give us a call or request a consultation today.

Filed Under: CMMC

SysArc Helps Multinational Companies Build Microsoft GCC High Enclaves for Their U.S. Subsidiaries to Comply with CMMC

April 16, 2024 by SysArc

Large multinational companies with U.S.-based subsidiaries that provide products and/or services for the U.S. Department of Defense (DoD) are required to comply with the DoD’s cybersecurity regulation known as the Cybersecurity Maturity Model Certification, or CMMC. Because the regulation’s security controls require that access to Controlled Unclassified Information (CUI) be limited to U.S. citizens only, some multinational companies may face challenges in designing their IT systems in a way that preserves their current technological and operational efficiencies while also enabling them to comply with cybersecurity regulations (CMMC, ITAR, etc.).

SysArc helps multinational companies overcome this challenge by building secure network Enclaves using GCC and GCC High, Microsoft’s secure government cloud offerings, for their U.S. subsidiaries. This article will explain what an Enclave is and how it can help multinational clients achieve CMMC compliance in the most cost-effective manner.

What is a Secure Enclave?

A secure Enclave is a separate network (domain), a subset of a larger network of users and workloads, that is segregated from the broader network infrastructure. The primary objective of establishing a secure Enclave is to confine internal access to specific datasets like CUI rather than protecting all data in the larger corporate network. In other words, it limits the scope of what needs to be protected and therefore avoids the costs and complexities of securing everything under the sun.

What are the Benefits of a GCC High Enclave?

A GCC or GCC High Enclave provides many important benefits including the following:

  • Reduced Financial Cost: Because the Enclave only needs to serve a segment of the overall network infrastructure, the financial cost associated with building and maintaining the resources within the segment is, in most cases, much lower than if those resources were deployed across the entire network. In short, because the resources required for the Enclave are smaller in scale, the costs are lower.
  • Easier Path to Compliance: An Enclave can be configured with many of the required security controls in mind, so once deployed you could be 75-80% compliant on day one.
  • Reduced Risk: Since the Enclave inherently reduces the amount of data, workloads and endpoints to a smaller segment of the company, the cyber attack surface is reduced and the scope of proving compliance is much smaller.

Are You Considering An Enclave for Your Company?

If you’re considering using an Enclave to help your company save on the cost associated with meeting CMMC requirements, consider SysArc’s cybersecurity compliance team. Over nearly a decade, our team has helped thousands of companies in the U.S. Defense Industrial Base navigate the complexities of DFARS 7012, NIST 800-171, ITAR and CMMC. As a CMMC RPO, our expertise in GCC High Migrations and CMMC compliance preparation allows us to deliver effective solutions faster and at a lower cost than other providers in the space. To get started, request a consultation here.

Filed Under: CMMC, Microsoft Government Community Cloud

All DoD Contractors Should Be CMMC Ready Before Q1 2025. Here’s Why & How to Prepare

January 31, 2024 by SysArc

As we recently reported, the Department of Defense (DoD) has outlined its four (4) phase approach for the inclusion of Cybersecurity Maturity Model Certification (CMMC) Program requirements in solicitations and contracts.

The first phase, which is expected to begin in the 1st quarter of 2025, will require all companies who engage with the DoD to include their CMMC Level 1 or Level 2 Self-Assessments. The DoD also states that they reserve the right to enforce these requirements before this date and/or require companies to complete a CMMC Level 2 Certification Assessment instead of a Self-Assessment. The Certification Assessment is an assessment conducted by CMMC enforcement officials themselves.

The bottom line is that companies will need to have completed an assessment, either by themselves or by a certified third party, like SysArc, by Q1 of 2025 in order to be considered for contract awards.

Why You Should Act Now

Because the CMMC assessment and readiness process can take 12 to 18 months (depending on system complexity) to complete, it is crucial that DoD contractors act as soon as possible if they have not already started the process. Companies who have already prepared may have a significant competitive advantage in the contract award process.

How to Prepare

There are two routes companies can take to prepare:

  1. Use In-House Resources: Companies with internal IT resources may be able to complete the CMMC Self Assessment themselves. The DoD has provided both CMMC Level 1 and Level 2 Self Assessment Guides that can aid in the process. Those can be found here.
  2. Hire a CMMC RPO: For those companies who lack the time and resources, a CMMC Registered Provider Organization (RPO), like SysArc, can perform a readiness assessment or a mock assessment for you and guide you through the process of preparing for all phases of the CMMC rollout. If this option sounds best for your organization, request a consultation here.  

How We Can Help

As a CMMC RPO, SysArc has helped over 1,500 DoD contractors navigate the complexities of CMMC since 2017. We can conduct a CMMC readiness assessment or mock assessment and develop a roadmap for you to achieve CMMC certification so you can continue to do business with the DoD without delay. Our years of experience in supporting DoD contractor IT systems has made us a leader in the space, able to offer CMMC preparation faster and for less cost than other options on the market. Request a free consultation here.

Filed Under: CMMC
