ERRG Speeds Its CMMC Compliance Journey with Egnyte

“Coming on board with Egnyte was a huge improvement. Our security level is far better than it ever was before.”

Brad Hall

Vice President • ERRG

Engineering/Remediation Resources Group (ERRG), a minority- and woman-owned small business providing turnkey environmental remediation and munitions response services, was at a crossroads. The deadline for CMMC 2.0 compliance – a new federal regulation requiring companies working with the Department of Defense (DoD) to demonstrate cybersecurity controls supporting NIST 800-171 regulations – was rapidly approaching. “With about 80% of our revenue coming from federal government contracts, we had a choice,” says Brad Hall, Vice President at ERRG. “We either get compliant with CMMC or we cease to exist.”

Based on what they’d observed in other companies, achieving CMMC compliance was no walk in the park. “Software is a major compliance resource, and we saw companies make software vendor selection choices that really hamstrung them in the end,” says Hall. “After seeing the challenges and dysfunction they ran into, we didn’t want to suffer the same fate.”

Since partnering with Egnyte, ERRG has met roughly 90% of the requirements under CMMC 2.0 and is well on their way to achieving full compliance before the proposed deadline. They are being assisted by Network Coverage, a national Managed Services Provider and CMMC Registered Provider Organization helping ERRG achieve their compliance goals.

Challenge: Find a CMMC-Ready System Without Disrupting Workflows

ERRG had been using Microsoft SharePoint for its storage, monitoring, and file access controls. But the system was clunky and inefficient, and the team was starting to lose patience. “It was an old system that required a lot of overhead and IT support,” explains Hall. More importantly, the team worried that on-premises SharePoint environment, as a legacy system, wasn’t up to the task of facilitating compliance with the new regulations.

Their suspicions were confirmed when, in 2021, ERRG suffered a ransomware attack. “This was an eye-opening event for us,” says Hall. “It was exactly the kind of attack that the CMMC requirements aim to prevent. We knew we needed a new partner to prevent it from happening again.”

But a successful compliance journey would involve more than finding software that had the necessary security capabilities. It also meant minimizing disruption to a team who had never had to think much about cybersecurity before CMMC. “Our staff consists largely of engineers, geologists, and construction managers. In roles like these, cybersecurity is the last thing on your mind,” explains Hall. “They were accustomed to being able to access any file at any time, and CMMC would change that. So we needed to educate them a bit, and we needed a tool that would allow us to get fully compliant without being too disruptive to the team.”

Solution: Egnyte’s Unified Solution Accelerates the CMMC Journey

Within a month of the ransomware attack, ERRG made the decision to move file storage off its legacy SharePoint environment and into the cloud with Egnyte. They began migrating files into the new system and quickly discovered that the Egnyte platform could also become a key resource for addressing CUI security.

Two key aspects of Egnyte’s functionality were particularly impactful in empowering ERRG to reach the level of CUI security and controls necessary for CMMC compliance:

• Sensitive data discovery and classification
  Egnyte made it easy to zero in on particular files containing sensitive content that the team needed to address. Considering the volume of content ERRG works with, this would otherwise have been a needle-in-a-haystack project. “The security and governance tools in Egnyte were great. We’d never seen anything like it,” comments Hall. “The reports that we get from the system show us exactly which folders contain sensitive information like PII, so we know which ones are still out of compliance and need to be cleaned up.”
• Access and sharing controls
  The team was able to set granular file access permissions based on parameters such as username and role, ensuring that only the right people are able to view, modify, or delete any given file – all while still making it easy for people to locate and access the files they need to see. “This made it much easier to make our data more secure and controlled while still allowing people to get their jobs done,” says Hall. “Making these major changes in access controls that CMMC requires could have been really disruptive, but with Egnyte, we were able to make it as smooth as possible.”

Benefits: Racing Toward Compliance with the Wind at their Back

The switch to Egnyte has empowered ERRG to align their CUI security with the federal government’s requirements and race toward full CMMC Level 2 compliance. “Coming on board with Egnyte was a huge improvement,” says Hall. “The security level is far better than it ever was before. We never dreamed of being in the position we’re in now.”

Today, the firm has implemented 90% of the changes required for full Level 2 CMMC compliance and is on pace to complete physical security controls before the proposed deadline with time to spare. Along the way, they’ve had access not only to the functionality of Egnyte’s product, but to its team’s deep technical CMMC expertise, which has given them peace of mind that they’re handling the transition properly and nothing is falling through the cracks. This is further driven by the Network Coverage team’s expertise, not only as a premier Egnyte partner but in aiding in remediation and assessment efforts as ERRG prepares to complete the certification process.

ERRG has also benefited from aspects that extend beyond compliance. “We brought Egnyte on for CMMC, but the platform has also made things much easier and more efficient in areas like collaboration,” Hall explains.

During ERRG’s compliance journey, Hall reflected on the ways he expected CMMC 2.0 to impact the AEC space as a whole – and why, ultimately, he sees the regulation as a net positive. “A lot of companies are going to be a lot more secure in the new CMMC environment,” he says. “It will also put us in a position to assist some of our federal clients. CMMC affects all of us, and some agencies in the DoD itself are behind schedule on compliance. So while we’re getting compliant, we can serve as a consulting partner to help them do the same.”