ManTech simplifies the federal Cybersecurity Maturity Model Certification audit process with Okta

20% of six full-time engineers’ time saved by automating Identity processes with Okta Lifecycle Management and Workflows

98% of Identity audit time saved by centralizing Identity management with Okta

~25% of the 110 NIST 800-171 (CMMC) controls satisfied by Okta

"The DoD sets the standards, the Certified Third-Party Assessor Organization (C3PAO) audits to those standards, we protect sensitive data in accordance with those standards, and collaborate with vendors like Okta to do that effectively and efficiently."

Mike Uster, CIO & CTO

As a federal government contractor, ManTech must adhere to stringent security regulations to work with the Department of Defense. One key requirement is meeting the Cybersecurity Maturity Model Certification, which involves a complex, cross-organization audit process. Ensuring federal data remains safe is core to the certification, and Identity security is a major part of that. ManTech worked with Okta to centralize its Identity management and streamline compliance.

For more than 55 years, ManTech has helped defense, intelligence, and federal civilian leaders solve complex technology challenges. To operate effectively across these sectors as a Federal Systems Integrator (FSI), ManTech holds itself to the highest security standards possible, and always applies the company's "Proven Here First" methodology, says CIO and CTO Mike Uster. Once it’s been proven at ManTech, the company not only guides clients through their security journeys, it also offers unique and deep insights based on firsthand experience.

Meeting federal compliance standards and keeping ahead of industry trends

Serving federal government clients requires ManTech to adhere to the most stringent security regulations. This includes compliance with the Cybersecurity Maturity Model Certification (CMMC). The CMMC was established to ensure contractors working with the Department of Defense (DoD) as part of the Defense Industrial Base (DIB) could effectively ensure the confidentiality, integrity and availability of federal data. More specifically, ManTech achieved CMMC 2.0, the latest version of the maturity model, which requires an audit by an independent Certified Third-Party Assessment Organization (C3PAO) of 14 security control families — encompassing 110 different security controls — across the business.

ManTech sought the certification to remain ahead of expected industry standards, such as a pending rule that states that CMMC compliance will be required in order to bid on contracts and must remain in place throughout the contract duration. Meeting CMMC standards is mission-critical, so ManTech needs technology solutions that support its compliance needs head-on. “The DoD sets the standards, the C3PAO audits to those standards, we protect sensitive data in accordance with those standards, and we collaborate with vendors like Okta to do that effectively and efficiently,” Uster says.

Leading a data security strategy with Identity and access management

The company chose to lead the audit process with Identity to show its C3PAO exactly who has access to what data and how it protects its information. “When it comes to cybersecurity, all roads lead back to Identity,” says Paul Beckman, CISO. “The only way you can understand and monitor authorizations is through Identity, and we need that knowledge to meet federal requirements.”

Many organizations rely on rigid legacy systems to manage Identity, and get bogged down with decades of technical debt. “With some of these legacy providers, you have to buy into their full, inflexible suite of solutions which require dedicated time for development and maintenance,” says Uster.

Additionally, locating Identity-related information across these legacy solutions is manual and time-consuming for both IT teams and end-users. “Often legacy systems leave organizations struggling with different ecosystems with separate logins and complicated processes for navigating between them because there isn’t any connective infrastructure,” says Todd Welsh, Executive Director of Zero Trust Engineering & Infrastructure Operations. “Our goal is to simplify that, both for security purposes and to give our teams a better experience.”

Centralizing Identity management with Okta

ManTech’s continuous search for flexible and interoperable systems led to cloud-native technology solutions that eliminate digital friction and drive efficiency even higher. ManTech found that offering a simple yet secure employee experience was the best way to help prevent IT issues, and the easiest way to accomplish this balance was to work with the right vendor partners. “When you’re not locked into vendors that only support specific integrations or connections, you have the freedom to adopt solutions that fit your requirements and unify Identity management for all of them with Universal Directory,” Welsh says.

With Identity centralized in Okta, the company simplified the process for sharing authorization and access information with its C3PAO and could quickly showcase its compliance with key controls. The C3PAO recognized that Okta itself is already FedRAMP High Authorized and adheres to the DoD’s Cloud Computing Security Requirements Guidelines (CC SRG) at Impact Level 4 (IL4), which means that information consolidated in Okta is proven to meet federal security standards. The C3PAO recommended that ManTech begin the audit by reviewing the NIST SP 800-171 R3 section 03.01.01 (Account Management) controls, because of that section's complexity and potential to take up to two days to review. ManTech was able to complete that portion of the audit in just 45 minutes.

Ultimately, analysis by ManTech indicated Okta was key to satisfying 27 out of 110 NIST 800-171 (CMMC) controls. “Managing Identity through Okta set the table for the whole audit process,” Welsh commented. “With Okta, we can point to exactly how we secure specific data. Using Okta Identity Engine with Device Context, for example, we can enforce expected behaviors by restricting access to data if someone isn’t using a ManTech-managed machine registered in our unified endpoint manager. That level of granular control means we can secure things in ways we couldn’t before.”

Reinforcing Zero Trust security while improving the user experience

In tandem with the audit, the company is helping pave the way for a secure access service edge (SASE) security architecture — defined by its user-driven, cloud-first approach to network security — in a highly regulated industry. ManTech has integrated this approach into its broader Zero Trust security strategy to continuously improve its security posture and Identity management processes.

This includes building the most efficient and secure systems to safely accelerate access. With Okta Lifecycle Management and Workflows, ManTech can automate provisioning processes to make it easy for new employees to get up and running securely in the applications they need most and deprovision access when it’s no longer needed. “With Okta, we can flip the legacy model on its head,” Welsh says. “We’re designing robust systems around role-based access and having deeper conversations about access and data classification instead of just figuring out how to get someone the devices they need.”

By automating Identity processes and trusting Okta to manage new Identity features, ManTech has saved six engineers more than 20% of their time, which they can now dedicate to innovative product development. In addition to this, unifying Identity continues to streamline internal processes. The team recently centralized authentication through a portal, one.mantech.com, with Single Sign-On, so employees can seamlessly access all of their applications in one secure place. “Having a single pane of glass to access all applications saves me a significant amount of time. I don’t have to sift through emails or messages for links or requests,” says Welsh. “I can go to the link, on any device, and handle our authentication.”

In further service of improving both the company’s security and user experience, ManTech implemented FastPass to offer passwordless login options for its employees. “FastPass gives us the rare chance to offer something that’s both more secure and makes it easier for end users simultaneously,” Uster says. “Improving both at once is almost unheard of.”

Collaboration through Identity federation

Looking forward, ManTech is exploring new ways to implement even more granular controls and build partnerships with other security-minded organizations. The company is now building data-layer-level security controls, such as portion marking in individual documents using its own solution, Sentris®, in combination with access management solutions, to give users access only to the information they’re supposed to have on a word-by-word basis.

ManTech also plans to expand its ongoing relationship to security — and secure partnerships — by federating Identity management across suppliers, consultants, and business partners with Okta Secure Partner Access. This will allow ManTech to easily tap into other CMMC 2.0-compliant organizations’ resources and more easily offer the best possible solutions to its federal clientele.

About ManTech

When federal managers and military leaders face tough challenges in AI, cyber, data analytics, enterprise IT, or systems and software engineering, they turn to ManTech as their trusted advisor. ManTech’s ultimate objective is to help clients achieve their goals by supporting complex operations. It scales to handle its clients’ missions with high-tech, high-end, emerging tech capabilities as well as agility, precision, efficiency, and speed.