CAREERS

Category: Government

When Budgets Tighten – Your IT Strategy Matters More Than Ever

Posted on by David McLaughlin
Across the higher education and public sectors, a familiar challenge is re-emerging—tightening budgets and rising pressure to reduce IT spend without compromising user experience or core capabilities.
At CAG, our senior team has helped over 100 organizations—from Fortune 500 companies to community colleges and large universities—tackle these challenges head-on. Many higher ed and public institutions are facing meaningful budget reductions for the first time in years. Some have time to plan, others have to move quickly.
One often overlooked opportunity? Making better use of the talent institutions already have. Rather than filling roles with new hires, we help assess whether existing team members have the capabilities to take on those responsibilities—saving money and empowering staff at the same time.

Your Institution Isn’t Generic. Neither Is Our Approach.

IT is central to everything from student services and classroom delivery to administration and research. Cutting spend too aggressively—or in the wrong areas—can lead to operational bottlenecks, user frustration, and security risks. But doing nothing isn’t an option either. Leaders are being asked to find savings—and fast.
That’s why our approach always starts with a conversation. No two institutions face the same challenges, and no template can capture the nuance of your environment. Our recommendations are grounded in industry benchmarks but tailored to your structure, goals, and priorities.
Whether you’re looking to consolidate technology platforms, avoid unnecessary hires by better leveraging internal talent, or reinvest savings into mission-critical areas, our team works directly with yours to define and deliver cost strategies that make sense in your world.

What Makes Our Approach Work?

  • Tailored Assessments: No cookie-cutter templates. We assess your IT environment against both best practices and your internal goals.
  • Real Benchmarks: Our insights come from real-world data across higher ed, public sector, and commercial clients.
  • Operational Focus: We don’t just identify savings, we help you redirect those savings to improve the capabilities that matter most.
  • People Optimization: We evaluate internal staff capabilities to see where roles can be filled or expanded without the need for external hires.
  • Minimal Disruption: Our methods are designed to reduce costs with as little impact to users, services, and uptime as possible.

You Don’t Have to Guess Where to Cut — Let’s Talk

Too often, IT leaders are left to guess which levers to pull. But with the right approach, you can cut costs without cutting capability and come out of a tightening cycle with an IT operation that’s not just leaner, but stronger.
If you’re facing budget pressure or preparing for difficult decisions, you don’t have to go it alone. Let’s set up a conversation with one of our senior experts. We’ll walk you through a custom-tailored assessment designed around your environment—and your goals.
Connect with us today to get started: https://columbiaadvisory.com/contact

CMMC: What It Is and Why It Is Important

Posted on by John D'Annunzio

The Cybersecurity Maturity Model Certification (CMMC) is a security framework implemented by the US Department of Defense (DoD) to improve protection of the defense industrial base. Like other security frameworks, the CMMC has a collection of controls for processes and practices with the goal of achieving a certain level of cybersecurity maturity. The main purpose of the CMMC is to provide assurance to the DoD that a company holding federal contracts has the appropriate measures in place to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), and to account for how that information flows. It’s also a powerful framework that can apply to anyone looking to boost their security posture.

If the University uses Federal funds for research with the Department of Defense, you may want to consider CMMC certification. CAG can help with a pre-assessment to ensure the University passes the certification.

CMMC is a scalable framework, so dependent upon the sensitivity of data involved, a federal contract will require specific CMMC controls be in place. Currently, the CMMC has five levels. The higher the level, the more controls required. And because they are cumulative, CMMC Level 3 would demand implementing everything in the preceding two as well.

  • CMMC Level 1: Basic cyberhygiene—focused on safeguarding Federal Contract Information (FCI)
  • CMMC Level 2: Intermediate cyberhygiene—serve as a transition step in cybersecurity maturity
  • CMMC Level 3: Good cyberhygiene—protect Controlled Unclassified Information (CUI)
  • CMMC Level 4: Proactive—protect CUI and reduce risk of advanced persistent threats (APTs)
  • CMMC Level 5: Advanced/progressive—protect CUI and reduce risk of APTs

How Is CMMC different from other security frameworks?

The biggest difference is that it does away with self-attestation. With standards like NIST 800-171, you could self-attest you were following the appropriate controls and standards and win a federal contract. CMMC changes this by requiring that anyone seeking a federal contract with the DoD must receive certification from an approved CMMC third-party assessment organization (C3PAO).

You can easily perform self-assessments by leveraging resources made available by the Office of the Under Secretary of Defense for Acquisition & Sustainment. However, you will still need to engage a C3PAO to receive CMMC certification of the appropriate level to win a federal contract. During the audit by a C3PAO, they should be able to help identify any gaps that will prevent receiving certification. If you or your research entities are subject to CMMC, engaging with a C3PAO is going to be inescapable. The earlier you start, the more flexibility you will have in implementing any recommendations.

There is currently a grace period to allow CMMC to become fully implemented, but in the future federal DoD contracts will not be awarded without the appropriate certification.

Why is CMMC important to universities?

For Universities, CMMC is no different than any other set of standards or frameworks—it contains an established baseline of best practices, and controls and processes that must be implemented. In fact, most of the controls in CMMC are mapped directly to NIST 800-171. So, if you have already been building your cyber program around NIST 800-53 and NIST 800-171, you should look at CMMC as an opportunity to help you stand apart.

For Universities that have not traditionally implemented NIST or other security frameworks because it wasn’t a requirement for your stakeholders, this is an opportunity to own risk and reap the rewards. If you decided to implement the controls within CMMC Level 3—even if you don’t receive certification—you will have a more mature cybersecurity posture, a larger portfolio of services you can offer within your research, and improved scalability.

If you have made it this far and think CMMC doesn’t apply to you since you don’t support these types of projects, you may be interested to know that CMMC has the potential to work down the hierarchy from federal to state and local governments. When NIST 800-53 was originally released in 2005 as recommended security controls for federal information systems, it was intended for federal information systems. In August 2017, federal was removed to indicate that it may be applied to any organization. Many state governments, local municipalities, insurance providers, and public and private entities of all types have required NIST 800-53 controls and processes be followed for years.

One day, CMMC, or an evolution of it, may be just as prevalent as NIST 800-53. With the heightened public awareness concerning the risk cybersecurity threats pose, it’s likely we may eventually see self-attestation as a relic of the past.

CAG Performs Policy Assessments and Controls alignments according to the following standards

  • Gramm–Leach–Bliley Act (GLBA)
  • NIST 800-171
  • NIST 800-53
  • PCI Compliance
  • HIPAA
  • FERPA
  • TAC 202 or other state standards

If you would like to learn more about how CAG can advance your organization’s cyber security maturity, please contact info@columbiaadvisory.com.

ABOUT CAG:

CAG is a highly experienced IT consulting firm. With 100+ years of combined technology experience and business acumen, CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments. By focusing on simple, meaningful, and practical solutions combined with straight-forward analysis and recommendations, CAG’s team has experience in many regulatory and economic environments with companies and organizations of all sizes. CAG not only offers a deep understanding of IT, but its solutions are software and hardware agnostic. Whether a client is high growth or economically challenged, CAG can adapt to the complexities and nuances of that business. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. For more information, visit columbiaadvisory.com