Helping Clients Ensure Information Security
Rhia Dancel, information security expert at NSF International Strategic Registrations (NSF-ISR), is a lead ISO/IEC 27001 auditor, CMMC registered practitioner and information security technical manager. She helps companies ensure that their information is secure as part of new U.S. Department of Defense (DoD) CMMC requirements.
CMMC stands for Cybersecurity Maturity Model Certification. “CMMC is a unified standard that takes into account all of the various information security standards and best practices,” says Dancel. The goal is to protect federal contract information (FCI) and controlled unclassified information (CUI).
“The difference between CMMC and other NIST security standards is that it adds a third-party verification element to the mix, and that verification is what we provide,” she adds. The new CMMC information security requirement announced by the DoD in 2020 means that all 350,000-plus Department of Defense contractors and their supply chains will have to be audited and certified by the end of 2025.
Note the word “requirement.” The DoD will require all its contractors and their supply chains to be fully audited and certified as being in compliance starting in 2026.
Any DoD supplier that has not been certified in accordance with CMMC by the end of 2025 will lose the right to do business with the department. For many small to medium-size contractors, the loss of federal government business could mean the difference between staying in business and being forced to shut down. That’s the cold, hard reality of CMMC.
Dancel and her fellow NSF-ISR auditors provide the critical help companies need to ensure they’re in compliance by the program’s deadline. “It's a five-year phased rollout with new DoD contracts,” Dancel explains. “CMMC requirements will appear in all contracts starting in fiscal year 2026, meaning all DoD contractors will need to be in compliance to bid on the work.”
“First, they need to develop a system security plan and conduct a self-assessment to NIST 800-171. Second, they should create a plan of actions and milestones (also known as a POA&M) with target dates to achieve the maximum score of 110, which they then submit into the DoD’s Supplier Performance Risk System (SPRS) platform.”
Her journey in science and technology began with a gift her parents gave her as a young child. “They gave me a microscope. I actually still have it,” Dancel recalls. The gift fostered a love of science that inspired her to earn a degree in chemistry, which in turn led her to laboratory development and analytical work. “I've always leaned toward the analytical and technical path. I did analytical chemistry using manufacturing practice regulations, which are enforced by the Food and Drug Administration,” Dancel says. “I was able to gain over 17 years of compliance experience in that industry.”
In 2014, she joined NSF as a technical reviewer for food equipment. “I was doing on-site evaluations and I really enjoyed the customer interaction.” In 2017, she joined NSF-ISR’s information security audit team led by Tony Giles. Given her audit experience and compliance background, Dancel gravitated toward the sector. “Information security will always be fundamental in any industry,” she says.
Dancel handles information security engagements for companies that are part of the sprawling DoD supply chain. The process she uses relies primarily on ISO 27001 and NIST standards. ISO 27001 is the recognized international standard for managing information security. NIST stands for the National Institute of Standards and Technology, an agency in the U.S. Department of Commerce that develops security control standards.
Dancel stays informed about the constant cybersecurity threats that take place around the world. “The threats that get press coverage affect high-profile companies or agencies,” Dancel says, “but there are so many others that take place in any given month that are just as significant.”
Dancel and her colleagues understand that some contractors may be feeling apprehensive about their ability to meet the new information security standards. But, she says, “Many organizations are already protecting their information. Adding this next layer of technical controls and documentation will only enhance the security measures they have already implemented.”
Dancel has a specific goal for the clients she works with on CMMC certification. “We want them to be the contractor who is a secure link in the supply chain,” she says. In essence, she would like to put their information security program under her very own microscope to ensure that security controls are in place for full compliance with CMMC.