Maya HTT, a Montreal-based provider of specialized industrial software solutions and 3D simulation tools, recently achieved CMMC Level 2 certification (and a perfect SPRS score), joining fewer than 600 organizations worldwide to reach this milestone.
The company serves government organizations in both the U.S. and Canada, including Department of Defense customers, making CMMC compliance essential for their continued growth.
To achieve certification, Maya HTT took a proactive, partnership-driven approach. They enlisted StreamScan, a cybersecurity company and CMMC Registered Practitioner Organization (RPO), to help with preparation and gap analysis.
When ready, they worked with Forvis Mazars, a CMMC Third-Party Assessment Organization (C3PAO), to conduct their official assessment. The company also leveraged Virtru's encryption platform to stay on commercial cloud infrastructure while meeting stringent CUI protection requirements.
In a recent episode of Hash It Out, Maya HTT's CISO Jonathan Bieber, StreamScan's Christopher Augoustis, and Forvis Mazars' lead assessor Brendan Kenney shared key insights from their journey, offering a roadmap for other organizations pursuing CMMC Level 2 certification.
One of the most important (and most overlooked) aspects of CMMC compliance is documentation. Organizations often have security controls in place operationally but fail to document them properly, which can derail certification efforts.
According to Augoustis, approximately 95% of the companies StreamScan works with struggle with documentation and policies. While most organizations are actually doing the work and have controls in place, they simply haven't documented them properly.
"Even though you can prove that you do it, if you do not have any documentation supporting it, it's like you've nothing," he said. "The biggest piece that companies are missing is documentation."
From the assessor's perspective, Kenney noted that misalignment between documentation and implementation is a frequent stumbling block. When consultants come in with fresh eyes before the official assessment, they typically catch these misalignments and help organizations correct them, preventing issues during the actual certification process.
Jonathan Bieber's advice for organizations starting their CMMC journey reflects this reality.
"I would say start building the different policies. We always think we're doing our best, and that's great. However, maturity comes when you realize that your operations are solid, but you also have the processes well in place and documented."
Many organizations assume that CMMC Level 2 requires sophisticated, complex systems and processes. In reality, the framework is designed to be flexible and allows organizations to define their own approaches, as long as they meet the intent of the requirements.
Kenney addressed this misconception directly, explaining that NIST 800-171 and CMMC Level 2 allow for organizationally defined processes and parameters. Since they're organizationally defined, they just need to work for your specific organization, not be the most sophisticated or complex approach possible.
"Organizations that go through and read the CMMC assessment guide and the supplemental guidance from this 800-171 and other NIST documentation, they sometimes get it in their heads that they have to implement some sophisticated solution or sophisticated process," said Kenney. "That's never the case. The intent is just to meet those 320 assessment objectives."
As Kenney noted, assessors simply need to verify that organizations are meeting the requirements as defined, not that they have implemented the most advanced solution possible.
A common assumption among organizations pursuing CMMC is that they must migrate to government cloud environments like Microsoft GCC High. However, this isn't always necessary (or even practical), especially for organizations with international operations or limited budgets.
Maya HTT initially considered separating their operations into different tenants but quickly realized this approach created more problems than it solved. Jonathan Bieber explained that multiplying systems actually multiplies weaknesses; when you're enforcing settings across multiple environments, it's easy to apply a security update to one system and forget about the other.
Instead, Maya HTT chose to use Virtru's Data Security Platform, which integrates with existing commercial cloud infrastructure.
"We're focused on the integration part of our systems," said Bieber. "That's where Virtru is a great solution because it integrates with our systems in place without necessarily having to maintain multiple environments. GCC High also comes at a cost, and we wanted to remain flexible on that part."
Taking this path was particularly important for Maya HTT as a Canadian company with international teams. Christopher Augoustis noted that GCC High isn't even accessible for many Canadian organizations: you need to be a U.S. citizen with a U.S. business location to get access, making it essentially impossible for many Canadian companies.
When StreamScan evaluated Virtru for Maya HTT's certification, they found it met all necessary requirements without adding complexity. In fact, StreamScan noted they had no concerns after reviewing the documentation; they knew it would be a viable solution for passing certification.
The integration benefits extended beyond just cost savings. Bieber highlighted user adoption as a key benefit.
"The fact that the solution allows us to be agile...they have to make sure it's part of their daily tools," said Bieber. "If you make it a different platform every time, it becomes hard to use. They might use other systems. It might be harder to enforce."
Beyond documentation issues, several other gaps commonly trip up organizations pursuing CMMC certification.
Lack of preparation and understanding: Kenney noted that confidence in scoping is a key indicator of readiness. When organizations can clearly articulate their scope and demonstrate understanding of where CUI flows, assessors gain confidence in their readiness. Conversely, organizations that struggle to explain their scope or are still finalizing their system security plan while trying to schedule an assessment are red flags.
Underestimating resource requirements: Bieber emphasized that CMMC preparation is resource-intensive. "You have to consider that it could require a person full time if you're looking at getting certified within a year, for instance."
Not thinking about enforcement: Implementing controls is only part of the equation. Organizations must also be able to demonstrate how they enforce those controls. According to Bieber, "You do have to think about that all the time with CMMC, because you do apply the controls. But one of the questions that [an assessor] is gonna ask you is how do you enforce it? And that is something that you have to provide an answer for."
Unrealistic operational commitments: Augoustis highlighted how organizations sometimes commit to response timeframes they can't realistically maintain, like promising to patch vulnerabilities within 24 hours when there's no IT staff available on weekends. An incident that comes in Friday night might not get addressed until Monday, creating a gap between what the organization claims in their policies and what they actually do.
"When we're going out to show evidence...it's the auditor that decides," warned Augoustis. "We open our tickets, we show one or two, and if it pops up that we haven't touched one in 48 hours, right there is a gap. It could possibly lead to a failed certification."
The value of bringing in consultants early: Understanding control requirements from an assessor's perspective (before the actual assessment!) can save significant time and prevent failed certifications. Kenney explained that while self-assessments give organizations their own interpretation of controls, assessors who've conducted numerous evaluations may have different opinions. Consultants help bridge that gap between what organizations think a control means and what it actually requires.
Maya HTT's success was built on strategic partnerships with both a consultant (StreamScan) and an assessment organization (Forvis Mazars) that understood their needs and could work collaboratively.
Augoustis stressed finding good partners who can help with both CUI protection and security monitoring; either partners who are already CMMC Level 2 certified themselves, or organizations with the internal capability to manage ongoing compliance requirements.
To Bieber and Maya HTT, the partnership method was invaluable.
"You need to get help, wherever it is for your journey, to build all the controls and make sure that you get the right assessors," said Bieber. "Because when you talk to a technical team, you're speaking the same language. It makes the whole assessment easier, and you're actually aligned on everything you're saying."
Maya HTT's journey to CMMC Level 2 certification demonstrates what success requires.
For organizations embarking on their own CMMC journey, the message is clear: start early, prioritize documentation, choose solutions that integrate with existing workflows, and don't hesitate to bring in expert partners who can guide you through the process.
To learn more about how Virtru can help your organization achieve CMMC compliance while staying on commercial cloud infrastructure, book a demo today. For consulting services, visit StreamScan. For CMMC assessment services, visit Forvis Mazars.