Construction
Triton Marine’s NIST 800-171 Compliance Journey
07/2024
5 min read
About Triton Marine
Triton Marine is a construction company based out of Bremerton, Washington. The company manages and executes complex marine and civil construction projects primarily for the government. These projects include building wharves, piers, mooring structures, and other infrastructure. Triton Marine's customers include the United States Navy, the Army Corps of Engineers, and the Department of Homeland Security.
Michael Judd, Information Technology Director at Triton Marine, handles the IT security and compliance requirements related to CMMC and NIST 800-171. Compliance is extremely important for Michael and the team at Triton Marine, as government contracts make up a significant portion of their business. To continue receiving contracts from clients such as the Navy, the Army Corps of Engineers, and other government agencies, compliance with NIST 800-171 and CMMC is essential.
“Get started sooner than later because compliance isn’t something that you just turn a switch and it’s done.”
Michael Judd
Information Technology Director, Triton Marine
Story Highlights
- A GRC Replacement: Triton Marine switched from a GRC tool to Atomus for a more comprehensive compliance solution. Atomus automates the implementation and documentation of technical controls and provides expert guidance on the remaining requirements.
- A FedRAMP Moderate Authorized Stack: Triton Marine needed a stack of FedRAMP Moderate Authorized products to meet NIST 800-171, DFARS 7012, and CMMC 2.0 level 2 requirements.
- A Solution for Subcontractors: Getting subcontractors compliant was a huge bottleneck for Triton Marine. With Atomus, Triton Marine has a workflow to onboard and make subcontractors compliant.
Triton Marine's compliance journey before Atomus
Triton Marine was limited by the company’s previous solution, which wasn’t comprehensive or FedRAMP Moderate Authorized. The company’s previous strategy relied heavily on a Governance, Risk, and Compliance (GRC) tool and a Security Operations Center vendor for compliance.
Triton Marine’s GRC tool did not provide the automation or hands-on guidance that they needed throughout their compliance journey. Using a GRC tool still required a lot of hands-on work because it only offered a high-level explanation for each of the 110 requirements in NIST 800-171, a checklist for those requirements, and frameworks for tracking POA&M items and conducting self-assessments. This meant Triton Marine had to implement all their compliance processes by hand, without automation or one-on-one guidance. More challenging still, the company had to generate 300+ pages of compliance artifacts for its system security plan, a time-intensive manual process with a GRC tool.
Triton Marine’s Security Operations Center (SOC) vendor assisted with threat detection, response, and risk management to protect against cyber threats. However, the solution was not FedRAMP Moderate Authorized, making it unsuitable for the company's defense contracts. Additionally, since the product and vendor were not designed for defense companies, they lacked integrations with the government versions of the software the company utilized, such as Microsoft GCC High.
Therefore, Triton Marine decided to switch to Atomus because Atomus offers a more comprehensive solution specifically designed for defense contractors. Atomus automates the technical controls of NIST 800-171, takes care of self-assessments, handles POA&M items, and provides expert guidance on the remaining requirements. Additionally, Atomus has a FedRAMP Moderate Authorized solution stack and supports the monitoring of GCC High environments, firewalls, routers, and endpoints, making it a more comprehensive and tailored fit for government contractors.
Streamlining subcontractor compliance to improve business
The compliance status of subcontractors directly impacts Triton Marine's business. If a subcontractor is not compliant, Triton Marine cannot use the subcontractor on contracts or give them the information needed to bid.
“With Atomus, Triton Marine can now use subcontractors that previously didn’t meet the qualifications for jobs requiring CMMC compliance.”
Michael Judd
Information Technology Director, Triton Marine
Triton Marine chose Atomus to provide a solution that would streamline their compliance process, making it easier to get subcontractors compliant. With Atomus, Triton Marine can install Atomus Aegis on any subcontractor-owned or Triton Marine-owned machine so the subcontractor can securely and compliantly handle data for Triton Marine's contracts.
Tackling the challenges of compliance as an IT Director
As an Information Technology Director, Michael oversees the CMMC and NIST 800-171 compliance process. The compliance process can be very technical, which has been challenging for Triton Marine. Michael’s approach at Triton Marine involved leveraging external support that could help because compliance with NIST 800-171 & CMMC can be daunting for even a team of IT and cybersecurity professionals.
Michael was looking for a partner with a FedRAMP Moderate Authorized solution stack who could help him monitor progress, track completed tasks, and identify remaining items that needed attention. He emphasized the importance of having a partner who provided support since Triton Marine has a small IT team.
After evaluating several options, Atomus stood out as the best choice. Atomus specializes in assisting aerospace and defense companies in meeting NIST 800-171 and CMMC requirements and has a proven track record of successfully guiding companies to compliance. Atomus’ software streamlines compliance by automating the implementation and documentation of technical controls. Additionally, Atomus offers expert guidance and access to industry professionals, ensuring customers have all the necessary resources to achieve and demonstrate ongoing compliance.