CMMC Success: A Tale of Collaboration and Excellence, Belcan’s Journey through the JSVAP

Belcan LLC, a global supplier of design, software, manufacturing, supply chain, information technology, and digital engineering solutions, has achieved a significant milestone. Led by Matt King, Chief Security and Data Officer, Belcan recently completed a successful Joint Surveillance Voluntary Assessment Program (JSVAP) for Cybersecurity Maturity Model Certification (CMMC) compliance. This joint surveillance voluntary assessment success is anticipated to become the CMMC 2.0 Level 2 certification when rulemaking becomes final. Belcan Government Services achieved a perfect score of 110, while Belcan scored an impressive 107. This success story highlights their journey and the strategies they employed to ensure compliance and secure their business operations.

Background

Belcan is both a prime and subcontractor operating in diverse markets, including aerospace, defense, space, government services, automotive, and industrial sectors. The organization’s commitment to maintaining the highest security standards was underscored by its early adoption of CMMC compliance. The journey began in 2017 when Matt King joined Belcan and immediately started developing a robust security strategy to meet DFARS 7012 requirements.

The Road to CMMC Compliance

Understanding the importance of CMMC compliance, Belcan proactively chose to participate in the JSVAP to demonstrate its commitment to cybersecurity and accelerate its path to certification. By doing so, the company aimed to maintain a competitive edge and ensure readiness for the rapidly evolving regulatory environment. Additionally, Belcan valued the 180-day Plan of Action and Milestones (POA&M) feature of the JSVAP if needed, as well as the anticipated two-year certification validity upon rule finalization.

Matt King emphasized the importance of leadership commitment from the start. By framing the necessity of compliance as a business-critical decision, he secured strong support from Belcan’s leadership, which ensured that the organization was aligned and focused on achieving its CMMC goals.

Strategic Separation of Assessments

Belcan’s unique structure, which includes both Belcan Engineering and Belcan Government Solutions, required a tailored approach to assessments. Given their different operational models—government solutions engage directly with prime contracts, while engineering services primarily focus on flow-down contracts—separating the assessments was a logical approach to allow each business unit to concentrate on their specific compliance needs and streamline the process. Redspin performed an onsite assessment at Belcan’s headquarters and two other sites, along with both their primary and secondary data centers.

“As both a Prime and Subcontractor for the DoD, we at Belcan have had a very positive experience with the Redspin team. Opting for Redspin as our C3PAO was a pivotal decision in our JSVA processes. The Redspin team was not just conducting assessments; they were by our side, guiding us through each challenge and ensuring we reach the finish line.”

-Matt King, Chief Security and Data Officer, Belcan 

Redspin’s Role in Belcan’s Success

As an experienced CMMC 3rd Party Assessment Organization (C3PAO), Redspin played a crucial role in helping Belcan navigate its CMMC journey, including providing expert guidance on remediation efforts and detailed feedback to ensure all documentation met the stringent CMMC requirements. Redspin’s collaborative approach and deep understanding of CMMC and the JSVAP enabled Belcan to navigate the complexities of the assessment smoothly and efficiently, ultimately leading to their successful DIBCAC-High Certifications and soon-to-be Level 2 certifications.

Preparation and Execution

Preparation for the assessments began the moment Matt King joined Belcan in 2017. His proactive approach involved addressing technology debt, upgrading infrastructure, and ensuring all systems were current and fully supported by vendors. His initial strategy also included achieving compliance with DFARS 252.204-7012 and NIST 800-171, which is the basis of CMMC. By October 2022, Belcan had formed a dedicated team focused on documentation and final preparations for the assessments.

Belcan also conducted a pre-assessment with a Registered Practitioner Organization (RPO) to ensure that they were fully prepared. This pre-assessment served as a critical check, as it identified key areas for improvement and allowed Belcan to address any gaps prior to the actual assessment.

Team Effort and Documentation

The success of Belcan’s CMMC journey through the early adopter JSVAP can be attributed to the dedicated efforts of their team. Starting with just one security employee, King grew the team to 23 members globally. The U.S. team is comprised of many experts from all aspects of security, infrastructure, and business operations. A technical writer was also hired to streamline documentation requirements. Mock run-throughs and thorough documentation reviews were integral to their preparation. By ensuring the team understood the assessment process and could respond confidently to assessor questions, Belcan demonstrated their commitment to a successful outcome.

The Assessment and Beyond

Belcan’s meticulous preparation paid off. Both Belcan Government Solutions and Belcan Engineering received high scores—110/110 and 107/110, respectively—with only minor gaps identified and easily addressed by the POA&M within 180 days. The organization is already working on closing these gaps and is well-positioned for future assessments, including potential Level 3 CMMC requirements and ISO 27001 certification.

Summary

Belcan’s choice to address CMMC early with JSVAs is a testament to the power of strategic planning, leadership commitment, and team collaboration. Their success in the JSVAP reinforces the security of their business operations and positions them as leaders in their industry. As they continue to grow and evolve, Belcan remains dedicated to maintaining stringent security standards and staying ahead of regulatory requirements while delivering exceptional service to its customers.

Whether you’re looking for a C3PAO or help building a comprehensive CMMC program to protect your sensitive information, Redspin can help. Connect with one of our experts to learn more.