GovSky in Exeter has raised $2.5 million in investment funds
The federal government now requires that contractors and subcontractors for the Department of Defense prove they meet certain cybersecurity requirements, a potentially complicated, costly and time-consuming process.
A startup company based in Exeter wants to help.
GovSky builds a cybersecurity compliance software platform for government contractors.
“Our goal is to help our customers get and stay compliant as quickly and cost-effectively as possible, so they can protect their business from attacks,” said Conor McClintock, co-founder and CEO.
Cybersecurity Maturity Model Compliance (CMMC), approved in November 2020, is expected to go into effect in the fourth quarter of this year or the first quarter of 2025.
“Compliance is meant to protect sensitive unclassified information (CUI) and federal contract information (FCI) shared between the department and others through acquisition programs,” according to information from the DoD chief information officer.
The federal government has always wanted the computer systems and networks of contractors to be secure, but it never codified how, according to McClintock.
“So the government finally sort of woke up back in 2018/2019 and decided that something needed to be done to enforce compliance across the entire industrial supply chain,” he said.
The CMMC process will be a requirement for more than 500,000 companies in America’s Defense Industrial Base, including those in New Hampshire, such as BAE Systems.
A listing of defense contractors shows 1,839 in New Hampshire whose contracts between 2000 and 2020 were worth a total of $27.26 billion.
“What the government realized is that it is really important that the entire supply chain is secure, not just the Raytheons, Northrops, Grummans, etc., but the entire supply chain because these FCI and CUI are passed down the supply chain from prime contractors to subcontractors,” McClintock said.
The CMMC requirement will ultimately apply not only to defense giants like Lockheed Martin, but also to small subcontractors who may make a specialized machined, shop-sourced part for, say, the Lockheed Martin-produced F-22 Raptor fighter jet.
“The hardest part is for the small machine shop that, for the first time, now needs to prove to the government, effectively to the DoD, that they are compliant, but they don’t really know where to begin,” McClintock said.
In most cases, according to McClintock, defense contractors and subcontractors will need to hire outside consultants to help them through the complexities of CMMC certification.
“GovSky can help make that process a lot cheaper and easier. It’s a tool that they can use along with that expert to help get their company compliant cost-effectively,” he said.
GovSky builds the cybersecurity compliance software platform. It does not supply the CMMC consultants that a company might hire.
It puts into one platform what might otherwise exist in separate and disparate spreadsheets and logs kept by a defense contractor. The platform puts all the components of compliance — implementation tracking, project management, evidence collection, document generation, and more — in one place.
The client retains use of the software to maintain ongoing compliance.
Ultimately, there are 110 controls a company has to prove it meets to a government-sourced assessor who does the CMMC audit.
“What happens is when a company is assessed, they need to prove to that assessor that they’re meeting every single one of the 110 controls,” McClintock said.
The CMMC 2.0 model now in effect has three levels, and each level’s requirements are aligned with NIST cybersecurity standards. NIST is the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce. At Level 3, a system is certified to protect the confidentiality, integrity and availability of CUI from advanced persistent threats.
GovSky publicly launched its compliance platform June 12, saying in a statement that successfully passing an audit takes six to 18 months to implement and costs over $200,000 for the typical small business.
McClintock, who has a background in company building as a cybersecurity investor, partnered with Tristan Fisher as his co-founder and chief technology officer. GovSky has raised $2.5 million in funding to date, with backing from Peterson Ventures, Revolution’s Rise of the Rest Seed Fund, SaaS Ventures, Sequoia and others.
McClintock said he and Fisher are hiring as they settle into an office in Exeter.
“There’s just nothing that can replace that face to face. So we do have an office,” McClintock said.