Arlington IT cybersecurity company C3 Integrated Solutions has merged with Massachusetts cyber firm Steel Root in a deal that brings together two companies with similar missions of helping government contractors strengthen their cyber defenses.
In announcing the deal Wednesday, the companies said that in joining forces they will be able to provide end-to-end cybersecurity compliance for any contractor — from a parts manufacturer to a construction company — working with the Department of Defense.
The timing is especially crucial, they said, because it comes just six months before the Defense Department's updated Cybersecurity Maturity Model Certification (CMMC) takes effect. The CMMC is a mandate that requires any defense contractor to obtain prescribed levels of cybersecurity protection before it can compete for a new solicitation, and the expectation is that tens of thousands of companies will need to update their IT systems to meet the required standards and pass DOD audits in order to win any new work with the agency.
The deal was facilitated through an undisclosed investment from M/C Partners, a Boston private equity group that had no prior investments in either company.
The merged company will operate under the C3 Integrated Solutions name but with a new CEO, Marc Pantoni, who had been president at Thrive, a Massachusetts IT provider. C3 founder and CEO Bill Wootton will move into a new role as chief revenue officer and Steel Root co-founder and Managing Director Ryan Heidorn will become C3's chief technology officer.
In an interview, Heidorn said that Steel Root's narrow base of clients and service offerings had limited the company's growth potential. C3, meanwhile, offers a broader array of services but was looking to fine-tune its offerings to better meet clients' needs.
“What Ryan and Steel Root brings to us is an added layer of discipline and standardization to a lot of the services that we were offering originally,” Wootton said.
Wootton and Heidorn declined to disclose financial terms of the deal but said that the investment from M/C Partners will help the merged company scale up to meet what's expected to be heightened demand from government contractors as CMMC regulations dawn.
“We were not looking for investment. We were very happy where we were at,” Wootton said. “What really changed that for us was M/C actually understood us. The vision that we had, the pathway, the market opportunity, they came to us with a story that was 100% in alignment with where we were already going and what our vision was. That's what made us kind of step up and take notice.”
Wootton and Heidorn estimate that nearly 25% of the nation's roughly 300,000 defense contractors will need to update their IT systems to reach the DOD's new threshold for cybersecurity health.
The new DOD guidance is aimed at both streamlining and strengthening cybersecurity regulations for defense contractors. Dubbed CMMC 2.0, it reduces the previously planned five levels of cybersecurity standards that the DOD would require contractors to meet down to three levels.
The number of security controls required at each level has also been reduced, down from 171 in the previous advanced level requirement to 110-plus in the new version. The levels still adhere to National Institute of Standards and Technology (NIST) cybersecurity standards, Defense officials have said.
“While CMMC is technically a new regulation, all it really is is an enforcement mechanism for a requirement that's already been there since the end of 2017,” Heidorn said. “So, contractors were supposed to have been doing all of this stuff. Frankly, they haven’t and so this is DOD saying, ‘Now we’re going to come check your work and make sure you’re actually doing it so we can have a secure supply chain.’”
Wootton added that other government agencies are likely watching CMMC 2.0 closely and could ultimately follow the Defense Department's lead in establishing new guidelines.
C3, founded in 2008, placed No. 25 in the Washington Business Journal's recent ranking of the region's fastest-growing companies, based on its average yearly revenue growth for the past three years. The company reported revenue of $13.42 million last year, up 86% from 2020. Steel Root, founded in 2017, has annual revenue of about $3.8 million.
The new company will have around 60 employees and will continue to maintain offices in Arlington and Massachusetts.
