Aerospace & Defense

How OpsLab built trust with customers and became NIST 800-171 compliant using Atomus

07/2024

5 min read

About OpsLab

OpsLab is a small dual-use technology company. As part of commercializing its AI software, the company worked with the Air Force and won an Air Force Phase 1 & 2 SBIR contract.

The company decided to deploy the military version of its software on Platform One. However, while Platform One manages the application once it is deployed and simplifies the Authority to Operate (ATO) process, the company still had to ensure that defense information on its own internal network was kept secure and compliant.

To research and develop the military version of its software, the company needed to receive test data from its military end users and customers. This data is Controlled Unclassified Information (CUI), and companies that handle it must comply with the NIST 800-171 requirements.

“Atomus radically simplified the cybersecurity and compliance process for my company to get DFARS compliant. We now have an industry leading cybersecurity and compliance program, and the SPRS score to show it.”

Arun Nair
OpsLab Founder

Why the NIST 800-171 Score Matters

In September 2020, the Department of Defense began requiring all defense contractors to conduct NIST 800-171 self-assessments according to the DoD’s carefully defined Assessment Methodology and to file the resulting scores in the DoD’s Supplier Performance Risk System (SPRS). SPRS accepts a score ranging from -203 to +110. Any score below 110 indicates that the company has security gaps that still need to be remediated.

The DFARS Interim Rule also includes a clause requiring defense contractors to achieve CMMC certification at the level appropriate for their contract to be eligible to do work for the DoD. Certification will be determined by outside third-party auditors known as C3PAOs. Organizations that handle CUI will be required to achieve CMMC Level 3, which requires them to meet all of NIST 800-171’s 110 practices, plus an additional 20, for a total of 130 cybersecurity practices.

The SPRS score shows NIST 800-171 compliance and demonstrates an organization’s cybersecurity posture. First, this score is an important advantage over competitors and a way to build trust with military customers as a company grows its government and military sales. Second, future regulations such as CMMC require full compliance with NIST 800-171 to bid on future Department of Defense contracts. There is no path to CMMC certification through partial compliance with the NIST 800-171 practices.
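To make the scoring regime above concrete, here is a small self-assessment score calculator. It is an added example, not code from the original case study and not part of any Atomus product. It follows the publicly documented DoD Assessment Methodology, under which each of the 110 requirements carries a weight of 1, 3 or 5 points, the score starts at 110 and loses each unimplemented requirement's weight, and the floor of -203 is simply 110 minus the 313-point total weight of all requirements. The requirement list at the bottom is a constructed sample: the requirement numbers are real NIST 800-171 identifiers, but the weights shown are illustrative, and a real assessment must use the published weight for every one of the 110 requirements.

```python
"""SPRS self-assessment score calculator (added example, not from the page).

Scoring rule (DoD NIST SP 800-171 Assessment Methodology): start at 110 and
subtract the weight (1, 3 or 5) of every requirement that is not implemented.
All 110 weights sum to 313, so the lowest possible score is 110 - 313 = -203.
"""
from dataclasses import dataclass
from typing import Iterable, List

MAX_SCORE = 110     # every requirement implemented
MIN_SCORE = -203    # nothing implemented
VALID_WEIGHTS = {1, 3, 5}


@dataclass(frozen=True)
class Requirement:
    control_id: str      # NIST SP 800-171 requirement number, e.g. "3.1.1"
    title: str           # short description (paraphrased)
    weight: int          # points lost if the requirement is not implemented
    implemented: bool    # assessor's finding


def sprs_score(requirements: Iterable[Requirement]) -> int:
    """Return the self-assessment score: 110 minus the weight of every gap,
    never lower than the -203 floor."""
    deduction = 0
    for req in requirements:
        if req.weight not in VALID_WEIGHTS:
            raise ValueError(f"{req.control_id}: weight must be 1, 3 or 5")
        if not req.implemented:
            deduction += req.weight
    return max(MAX_SCORE - deduction, MIN_SCORE)


def remediation_gaps(requirements: Iterable[Requirement]) -> List[Requirement]:
    """Unimplemented requirements, highest weight first, i.e. the order in
    which fixing them recovers the most score."""
    gaps = [r for r in requirements if not r.implemented]
    return sorted(gaps, key=lambda r: (-r.weight, r.control_id))


def is_fully_compliant(requirements: Iterable[Requirement]) -> bool:
    """True only at the full 110: partial compliance is not a path to CMMC."""
    return sprs_score(list(requirements)) == MAX_SCORE


# CONSTRUCTED sample assessment. Weights are illustrative; look up the
# published methodology for the real weight of each requirement.
SAMPLE_ASSESSMENT = [
    Requirement("3.1.1", "Limit system access to authorized users", 5, True),
    Requirement("3.1.2", "Limit users to permitted transactions and functions", 5, True),
    Requirement("3.5.3", "Multifactor authentication", 5, False),
    Requirement("3.8.4", "Mark media containing CUI", 1, False),
    Requirement("3.12.1", "Periodically assess security controls", 5, False),
    Requirement("3.13.11", "FIPS-validated cryptography to protect CUI", 5, False),
    Requirement("3.14.1", "Identify and correct system flaws in a timely manner", 5, True),
]

if __name__ == "__main__":
    score = sprs_score(SAMPLE_ASSESSMENT)
    print(f"SPRS score: {score} (fully compliant: {is_fully_compliant(SAMPLE_ASSESSMENT)})")
    for gap in remediation_gaps(SAMPLE_ASSESSMENT):
        print(f"  gap {gap.control_id} (-{gap.weight}): {gap.title}")
```

For the sample above the score is 94 (110 minus 5 + 1 + 5 + 5), and the gap list puts the three 5-point requirements ahead of the 1-point media-marking one, which is how a small team would prioritise remediation before refiling a score in SPRS.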

The Decision-Making Process

OpsLab needed to show its military customers and end users that a small company could keep the military’s data safe. The company had two options:

Option 1: Build Custom Cybersecurity

The company could devote a team of 3-4 engineers to work through the 110 controls and build a custom cybersecurity stack. Assuming the engineers had a cybersecurity background, setup would take a minimum of 3-4 months. Once the engineers had selected, built, and configured the different cybersecurity solutions, they would then need to document these decisions in a System Security Plan (SSP), which averages 300+ pages per company. This SSP would have to be updated every time a new employee was added, new software was installed on a computer, and so on, making it a huge headache to develop and maintain. Most importantly, after going through this painful process there would be no assurance that the company had set up its system correctly.

Time Cost: 4 months with 3-4 engineers

Monetary Cost: $$$ High

Compliance: No certainty of being compliant; most likely to fail an audit

Headache: Huge

Option 2: Onboard to Atomus Aegis

The company could onboard to Atomus Aegis, which is pre-built and compliant with the NIST 800-171 regulations out of the box. Instead of building a custom cybersecurity stack, Atomus’ software creates a standardized enclave on a computer. Because Atomus’ software is used by dozens of different customers, Atomus is able to use its scale to negotiate a low price and pass the savings down. More importantly, Atomus is able to completely automate compliance documentation for customers. As a result, OpsLab would get 400+ pages of detailed compliance paperwork showing its customers how it keeps military data safe. This paperwork and technology has been assessed by third-party cybersecurity experts selected by the Department of Defense, giving the company assurance that it is fully compliant.

Time Cost: <1 day

Monetary Cost: $$ Moderate

Compliance: Atomus Aegis has been assessed by a third party for NIST 800-171 compliance

Headache: Nonexistent

Building Trust with Military Customers

OpsLab decided to go with Atomus, reducing the time, cost, and headache of complying with NIST 800-171 on its own. The company was able to earn the trust of its military customers to handle Controlled Unclassified Information and continue to grow its military sales.

“Atomus allows the Air Force to collaborate using CUI with small businesses in a secure and familiar way.”

Major, United States Air Force
OpsLab Military Customer
