As organizations across the Defense Industrial Base (DIB) — from manufacturers to research labs, engineering firms, and many other vertical markets — work toward CMMC certification, many face the same challenge: keeping their compliance programs accurate and up to date without drowning in spreadsheets and manual tracking.
One SP6 customer was no exception. The company faced a number of challenges that prevented them from confidently preparing for their C3PAO assessment.
This organization adopted two key technologies:
- Splunk as their SIEM and main security analytics solution, in conjunction with
- ASCERA, a Splunk App that was built by Splunk channel partner SP6.
After adopting SP6’s ASCERA Splunk App, the game changed. Less time was spent managing scattered documentation and outdated templates and instead actual progress toward control implementation was made.
This interview with the company’s CTO/CISO gives insight into how SP6’s automated evidence collection and continuous monitoring Splunk App — ASCERA — streamlined the company’s CMMC process.
Background Overview
Before ASCERA, how were you managing your CMMC or cybersecurity compliance requirements?
I inherited an environment previously assessed against CMMC v1 by a consulting firm that produced an unrealistic SPRS score and relied on incomplete and inaccurate templates. We had separate ISO 27001 and CMMC documentation sets, an SSP lacking detail, and no continuous monitoring plan to sustain compliance.
Challenges Before ASCERA
What challenges or pain points were you facing prior to engaging with SP6 and using ASCERA?
Our challenges and pain points were:
- Having separate documentation sets for ISO and CMMC compliance
- Using a spreadsheet to track control compliance
- An outdated SSP template in Word format
- Cumbersome linking of evidence to assessment objectives
- No executable continuous monitoring plan.
Our asset list was not accurate, assets were not categorized in accordance with the CMMC scoping guide, we hadn’t performed a scoping exercise to find our CUI data flows and were attempting to achieve compliance at the enterprise level at CMMC Level 1 where CMMC Level 2 made more sense with a separate enclave for the limited personnel handling CUI.
How were these challenges impacting your organization’s ability to stay compliant or prepare for CMMC certification?
The SSP was not defendable, I had no confidence in our SPRS score, and we had limited activities planned to demonstrate the ability to sustain compliance.
Why You Chose SP6 and their ASCERA solution
What stood out to you about ASCERA compared to other solutions you evaluated?
Many things stood out. When I evaluate solutions, I cast a wide net and schedule meetings and demonstrations with several vendors and follow the decision analysis and resolution process we developed through our CMMI compliance program.
ASCERA stood out because it focuses on solving one problem exceptionally well—automated evidence collection and continuous control monitoring. Unlike most tools that only evaluate configuration data, ASCERA analyzes log data to validate whether controls are truly met. [Note: In the case of this organization, that log data is being collected in Splunk as their SIEM. SP6 built several versions of their ASCERA product, one of which is a Splunk App and purpose-built to leverage the systems data already collected in Splunk.] That cross-check gave me confidence that when I marked a control ‘met,’ ASCERA would confirm it with real data.
Your Experience Using ASCERA
How has ASCERA helped you simplify or accelerate your CMMC compliance efforts?
I spent much less time formatting my SSP and organizing evidence.
As my approach to writing policy, plan, and procedure documentation was to answer control implementation questions, I was able to very easily cut/paste content from my documents into ASCERA. I found it very intuitive to manage evidence by dragging/dropping files into the repository and tag them to a control family, control(s), or assessment objective(s). And when my C3PAO assessment was complete, I simply exported all the evidence from ASCERA, ran the hashing scripts, and provided the results to the assessors.
What specific features or capabilities have been the most valuable for your team? (e.g., Continuous Controls Monitoring, POA&M tracking, automated evidence collection, policy mapping, reporting dashboard, etc.).
Both the ACE and CCM were the most valuable as these functions were continuously running while I worked on control implementation and I could see things go from red to green as compliant configurations were put in place and reflected in the logs analyzed by ASCERA.
How has ASCERA improved your visibility into compliance or risk posture?
We incorporated viewing of the ASCERA “periodic table of controls” (the compliance view) into our weekly information security management system technical review meetings. ASCERA has become an integral part of our continuous monitoring solution supporting the RA (Risk Assessment) and CA (Security Assessment) control families.
Have you seen measurable results or improvements since implementing ASCERA? (Examples: reduced audit prep time, better documentation, faster gap closure, etc.).
Using ASCERA to manage our SSP, POA&Ms, and evidence management reduced our audit preparation time and simplified our engagement with the C3PAO. ASCERA allowed us to simply enter our control implementation statements, attach evidence, and create POA&M items without having to deal with templates, document management, or any formatting issues.
By providing our C3PAO access to ASCERA, it freed us from having to send any documents to them and ensured they were always seeing the most up-to-date information.
Partnership and Support Experience
How would you describe your experience working with the ASCERA team?
The ASCERA team has been a pleasure to work with. Everyone on the ASCERA team has been enthusiastic, responsive, and very collaborative in responding to any issues we reported and incorporating our feedback and feature requests.
I really enjoyed and appreciated the deeper technical discussions with the development team and compliance experts around the interpretation of control and assessment objective requirements and how ACE and CCM are implemented to evaluate criteria to ensure we can confidently say they are met or not met.
How responsive or helpful has our customer support been when you’ve had questions or requests?
The customer support team has been very responsive. We had very few issues, but when reported they were corrected quickly. We submitted several feature requests, most of which were received positively and promptly implemented.
How do you feel about the way ASCERA listens to customers and evolves the product?
We had very productive weekly sessions with the ASCERA team which not only helped us fully realize the benefit of the product but also helped everyone more thoroughly understand CMMC requirements and compliant control implementations. For anyone new to CMMC or not well-versed in compliance, I recommend engagement with the ASCERA professional services team for guidance.
Impact and Outcomes
What impact has ASCERA had on your overall compliance process or confidence heading into CMMC certification?
As our assessment date approached, seeing a full set of green controls and a 110 score in ASCERA gave me complete confidence that our integrated ISO 27001:2022 and CMMC Level 2 ISMS would pass—and, more importantly, that it was sustainable through continuous monitoring.
Looking Ahead
How do you see ASCERA fitting into your long-term compliance and cybersecurity strategy?
Now that we have a CMMC Level 2 compliant enclave, I’d like to use ASCERA to perform a CMMC Level 1 self-assessment of our enterprise environment. And if ASCERA continues to evolve to support other compliance frameworks, I’d like to use it for our next ISO 27001 assessment and internal audits.
About SP6
SP6 is a niche consulting firm focused on Splunk; specifically, optimizing organizational data analytics capabilities for Security Operations, Observability, Fraud detection, Compliance analytics, and other use cases, depending on specific customer needs.
SP6 is the proud recipient of Splunk’s Services Partner of the Year Award for 2023, 2024, and 2025 in the Americas. Our solution capabilities include:
- Project-based Professional Services
- Co-Managed Splunk, whereby SP6 co-manages customer Splunk environments, detections, and data governance when organizational staff requires additional expertise or bandwidth
- Splunk license acquisition and management
If you’re looking to optimize the value of your investment in Splunk, SP6 has the award-winning expertise to ensure the best and most cost-effective business outcomes.
Learn more at SP6.io.
About ASCERA
ASCERA is software for cyber compliance, purpose-built for the NIST 800-171 framework for CMMC. Built by SP6, ASCERA provides Automated Collection of Evidence (ACE) for security assessments by leveraging systems data already collected in an organization’s SIEM and other components of their technology stack. That systems data (evidence) is then mapped against organizational standards to determine where technical security controls are met or not met; something known as Continuous Controls Monitoring (CCM). ASCERA continues to build ACE and CCM capabilities for additional security frameworks, including other NIST and ISO security frameworks.
Learn more at ASCERA.com.