Cybersecurity: Getting CMMC Level 2 Ready - Q&A With Radian Solutions President

Radian Solutions, a certified small business, based in Sacramento, California, is a leading IT consulting firm dedicated to providing innovative and effective solutions for government and commercial clients. With a strong focus on enhancing security postures and ensuring compliance with industry standards, Radian Solutions helps organizations navigate the complexities of today’s digital landscape while safeguarding their sensitive information and critical infrastructure. 

At the forefront of Radian Solutions is President Niranjan Hiras, a distinguished leader in the fields of IT and cybersecurity. With extensive experience in managing security initiatives and a deep understanding of regulatory requirements, Mr. Hiras is committed to driving the company’s mission of empowering clients to adopt robust cybersecurity practices. Under his leadership, Radian Solutions has built a reputation for excellence, reliability, and a client-centered approach, positioning the firm as a trusted partner in the ever-evolving world of cybersecurity. 



Below is an exclusive interview with Niranjan Hiras, President of Radian Solutions, sharing insight on cybersecurity challenges and the road map for Radian Solutions to get CMMC certified.



Questions -  
  1. Let’s start with the basic question, what is CMMC 2.0 Certification?  
The Cybersecurity Maturity Model Certification (CMMC) 2.0 program is the Department of Defense’s (DOD’s) program to assist industry to meet adequate security requirements in the implementation of National Institute of Standards and Technology (NIST) SP 800-171 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.



The program is aligned to the DOD’s information security requirements for Defense Industrial Base (DIB) partners. It is designed to enforce protection of sensitive unclassified information that is shared by the DOD with its contractors and subcontractors by providing increased assurance that industry is meeting the cybersecurity requirements that apply to acquisition programs and systems that process Controlled Unclassified Information (CUI). 

CMMC 2.0 will become a contract requirement once rulemaking is completed, most likely in early 2025. 

  2. Why did Radian decide to pursue CMMC?  
We decided to pursue CMMC certification to strengthen trust with our existing SLED and Federal clients. As cybersecurity threats continue to grow, maintaining a high level of security is of utmost importance to Radian and our values. By pursuing CMMC certification, Radian demonstrates its commitment to protecting sensitive data, ensuring compliance with stringent security standards, and being the custodian of the data shared.

We are not only ensuring compliance with stringent government requirements but also leading by example in the cybersecurity space. We believe that cybersecurity is a shared responsibility across both the private and public sectors and achieving this certification will be a testament to our commitment to maintaining the highest security standards in all our operations.   

  3. Why do you think government agencies are particularly at risk for cyber-attacks?  
Every state and federal agency owns highly sensitive data of its constituents, its technology or national security, which is not found with any other organization, and that is of interest to hackers and malicious actors. As these government organizations increasingly digitize and connect their systems, they become more vulnerable to supply chain attacks, which can exploit weaknesses in interconnected networks. Furthermore, the risk is amplified by international actors aiming to infiltrate systems and compromise critical assets and sensitive information.

  4. As a business leader, what are some of the compelling business or technological reasons for dedicating time and resources to CMMC Certification?  
From a business perspective, pursuing CMMC certification would allow Radian to expand its service offerings and expertise in a growing area of cybersecurity compliance. With the Department of Defense (DoD) mandating CMMC compliance for all government contractors in the defense industrial base by 2025, there is increasing demand for CMMC consulting and implementation services. By obtaining certification, Radian can position itself to meet this growing client need. 



Radian offers IT Consulting and Cybersecurity services such as cybersecurity assessments, disaster recovery services (BCPDR), data loss protection services (DLP), compliance with cybersecurity frameworks, etc. to various government agencies. Radian aspires to lead by example, by implementing cybersecurity controls within our own environment, so we can advise our clients with authority and lead them in their cybersecurity journey.

From the technology perspective, Radian wants to be an exemplary custodian of client data for our government partners. Government agencies especially are facing heightened risks, as evidenced by ever-increasing attacks such as the City of Oakland’s malware attack, Los Angeles County’s phishing attack, California Department of Food and Agriculture’s government web site breach, Riverside County’s vulnerabilities in IT products, or California Department of State Hospital’s unauthorized access of PII data by an employee.

  5. Where does Radian stand on its road to CMMC certification?  
Radian has established a dedicated team of cybersecurity documentation analysts and SOC analysts who are actively working on documenting all required controls to ensure compliance for certification. Our goal is to complete the pre-assessment by the end of November 2024 and achieve Level 2 certification by the first quarter of 2025.

  6. What are some of the lessons learned and challenges faced while getting CMMC ready?  
Throughout our preparation for CMMC Level 2 certification, we gained valuable insights and lessons that have strengthened our approach to cybersecurity and compliance. 

One of the key lessons we learned was the importance of early and thorough planning. The certification process is highly detailed and time-sensitive, so it became clear that having a well-structured roadmap was essential. This involved not only identifying the necessary security controls but also creating a realistic timeline that accounted for training, documentation, and resource allocation. Being proactive rather than reactive helped us stay on track and avoid delays. 

Another important takeaway was the need for cross-functional collaboration. Cybersecurity isn’t just the responsibility of the IT or compliance teams—it’s a company-wide effort. We found that involving various cross-functional personnel early on, such as HR, operations, and finance, ensured that every aspect of our organization was aligned with the cybersecurity objectives. This collaboration improved communication and helped us address potential gaps more efficiently.

We also learned the value of continuous training and education. Cybersecurity protocols are constantly evolving, and achieving certification is not a one-time event. It requires ongoing learning and adaptation to new threats and regulations. Ensuring that our staff received continuous training on cybersecurity best practices was vital in maintaining compliance and fostering a culture of security awareness within the organization. We ensured all the compliance training needed was taken through various cybersecurity training platforms.

One of the more practical lessons was the importance of selecting the right partners and vendors. Finding a third-party company with expertise in handling CUI data and DoD requirements took longer than expected, but it was a crucial step. The right partner not only helped us meet the necessary standards but also provided valuable guidance throughout the process. Vetting vendors and ensuring they were fully compliant with CMMC standards became a critical aspect of our overall strategy. 

Lastly, we realized that maintaining flexibility was key. As we navigated the certification process, unforeseen challenges arose, and our ability to adapt and make quick decisions was essential. Whether it was adjusting timelines or reallocating resources, being flexible allowed us to navigate roadblocks more effectively. 

In summary, the lessons learned from preparing for CMMC Level 2 certification highlighted the need for detailed planning, collaboration across departments, continuous training, thorough documentation, careful selection of partners, and flexibility. These insights not only helped us succeed in our certification efforts but also enhanced our overall approach to cybersecurity moving forward. 

  7. How does Radian achieving CMMC certification help its state government clients?  

Achieving CMMC (Cybersecurity Maturity Model Certification) positions Radian Solutions to provide enhanced cybersecurity protections that benefit its government clients, especially those using the NIST Cybersecurity Framework 2.0 (CSF). CMMC aligns closely with the CSF’s core principles, such as risk management and incident response, allowing Radian to meet stringent security expectations at both the state and federal levels. This certification demonstrates that Radian has robust practices in place, reducing the risk of data breaches and ensuring the integrity of sensitive government data. 

By achieving CMMC certification, Radian strengthens its cybersecurity maturity, a key focus of both CMMC and CSF. The certification ensures Radian can scale its security practices to match the needs of its clients, whether they require basic security hygiene or more advanced protocols for high-risk environments. This adaptability, combined with the proactive identification and closing of security gaps, minimizes potential vulnerabilities and provides government agencies with greater confidence in Radian’s ability to safeguard critical systems and information. 

Additionally, CMMC certification aligns with compliance and incident response best practices outlined in the CSF. Radian’s preparedness to respond to cybersecurity incidents helps government clients mitigate potential disruptions, ensuring minimal downtime and data loss. The certification also helps reduce risks related to non-compliance, giving agencies peace of mind that they are working with a partner that meets high federal and state security mandates. 

  8. Apart from the CMMC Level 2 certification, is Radian considering any other cybersecurity measures?  

Yes, we are looking into Cybersecurity Supply Chain Risk Management (C-SCRM) measures to mitigate risks associated with the supply chain in their government projects. C-SCRM is based on NIST SP 800-161 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. C-SCRM ensures the security, integrity, and resilience of IT products and services by addressing risks across the entire supply chain, including third-party vendors, software components, and infrastructure providers. 

In government projects, like those Radian Solutions is involved in, supply chain security is crucial to protect sensitive data, ensure compliance with cybersecurity frameworks (like the Cybersecurity Framework - CSF), and maintain the reliability of services. Implementing C-SCRM measures helps prevent disruptions or vulnerabilities caused by suppliers, strengthens data protection, and supports the overall security and compliance posture. 

Additionally, C-SCRM is often mandated by government agencies to align with federal or state regulations and standards, reducing the likelihood of cyber threats or attacks within the supply chain and ensuring continuous operations in mission-critical systems. 

Since its inception in 1998, Radian Solutions has been a trusted provider of comprehensive IT services to the State of California. With a focus on delivering innovative and efficient solutions, we have been at the forefront of supporting state agencies in navigating the ever-evolving landscape of information technology. With over two decades of experience, we understand the unique needs of state government agencies. We pride ourselves on our ability to understand the unique needs of each agency and deliver customized solutions that drive efficiency, improve operations, and enable better decision-making.