In a world increasingly digitally driven, effective cybersecurity is paramount — especially so for defense contractors.
The level of cybersecurity clearance required for Department of Defense affiliates, in Hawaii and elsewhere, is on the rise and is expected to remain that way.
Staying ahead of that curve is an investment of time and resources for companies like Honolulu-based Integration Technologies, Inc., which just received a coveted Cybersecurity Maturity Model Certification, or CMMC, clearance as a Registered Provider Organization.
InTech provides IT support for local DoD contractors, which comprise about one-third of its client base. Many of those clients will someday require CMMC certification of their own as the standard is rolled out over a five-year period through Fiscal Year 2025. By that year, nearly 50,000 contractors nationally are expected to require it, per the DoD.
That figure carries weight in Hawaii, which was No. 2 nationally in defense spending as a share of state GDP, at 7.7%, in Fiscal Year 2019.
InTech is one of a handful of companies locally to have obtained CMMC, which verifies that a company meets specific standards in areas like firewall and spam protection, and data backup.
“Because so many of our customers are required to have this certification, it was important for us to be able to provide that for them,” said Sam Gridley, InTech founder and CEO.
Gridley said the prominent 2015 hack of the federal government’s Office of Personnel Management was a “wake-up call” in the cyber community and set the stage for tightened standards.
“From 2010 forward, there has been a series of more stringent rules, and CMMC is sort of the culmination of those series of rules,” he said.
The existing standard had been the National Institute of Standards and Technology certification, but that will eventually give way to the multi-tiered CMMC for all contractors who handle Controlled Unclassified Information, or CUI.
InTech’s 25 employees have trained for CMMC since its introduction in 2020.
“It is a journey. They call it a ‘cybersecurity journey’ so it’s not just one training class, and then you’re good to go,” Gridley said. “It’s actually a series of classes, and retraining on a continual basis.”
The costs of training and certification are about $8,000 for companies familiar with the CMMC standard, he said, but noted the time commitment for staying up on NIST and CMMC is the larger investment, in the hundreds of hours. Per the DoD, the CMMC certification is generally valid for three years.
InTech's Vice President of Client Services Freddy Ludiazo sees the new CMMC standards going beyond the Department of Defense space and to general businesses in the years to come.
“DoD’s always like the testing ground,” Ludiazo said, “and then all the other companies are going to start following [suit].”
