CASE STUDY

RIB U.S. COST: Achieving CMMC Certification with Commander Managed GRC 

 

About RIB U.S. COST

Industry: Aerospace, Construction, Contract Management

Services: RIB U.S. Cost is a leading provider of construction cost estimating and project controls, with over 40 years of experience serving both commercial and federal clients. Their expertise spans capital planning, cost management, scheduling, and procurement across all phases of construction. As a defense contractor handling Controlled Unclassified Information (CUI), they prioritized cybersecurity and compliance while maintaining a lean team. To meet CMMC Level 2 requirements without overextending internal resources, they partnered with Summit 7 for managed services through Commander, Guardian, and Vigilance.

Problem: After a 2021 breach involving sensitive government data, RIB U.S. Cost faced growing pressure to strengthen cybersecurity and formalize compliance. Limited internal resources and informal documentation made it difficult to meet NIST SP 800-171 and CMMC standards. Existing IT vendors lacked the expertise to guide them through federal compliance. RIB U.S. Cost needed a scalable, expert-driven solution that wouldn’t require building a large in-house security team.

"Just because we’re certified, it doesn't stop here...Technology is constantly changing. Criminals are getting smarter. That’s why I stay committed to using Commander—even though we’ve achieved it, it’s always changing."

Suzanne Moltzen
CEO, RIB U.S. Cost

 

Learn how RIB U.S. COST achieved:

  • CMMC Level 2 Certification: See how Summit 7 helped RIB U.S. Cost formalize its cybersecurity program, translating undocumented processes into compliant policies aligned with NIST SP 800-171 and CMMC Level 2 requirements.

  • Breach Recovery and Resilience: Discover how the company turned a costly data breach into a catalyst for long-term security investment, using Summit 7’s managed services to prevent future incidents and build operational resilience.

  • Tailored GRC Support: Learn how Commander guided RIB U.S. Cost through complex compliance requirements with custom documentation, hands-on collaboration, and practical policy development that fit their business model.

  • Security Without Headcount Growth: Explore how RIB U.S. Cost scaled its cybersecurity program without hiring an internal team of specialists, relying instead on Summit 7’s Guardian and Vigilance services for continuous protection and monitoring.

  • Sustained Compliance Commitment: Find out how Summit 7 enabled RIB U.S. Cost to maintain momentum beyond certification, providing ongoing support and expertise as threats evolve and compliance standards shift.

"The Commander team worked closely with my cybersecurity analyst to make sure we had the policies and procedures in place to meet CMMC requirements that flowed with how we do business. We got our [CMMC] certificate in hand, and it was the biggest sigh of relief..."

Suzanne Moltzen
CEO, RIB U.S. Cost

Background

RIB U.S. Cost has been a trusted leader in construction cost estimating and project controls for over 40 years. Founded in a small basement office in Atlanta, the company has grown into a major contributor in the industry, combining technology and industry expertise to deliver exceptional professional services to clients worldwide. 

Their expertise encompasses construction estimating, cost management, scheduling, and value engineering at all phases of a project, including Capital Planning, Pre-Construction, Procurement, and Construction.  

 

The Challenge

Much of the content they handle, particularly drawings coming out of Washington, is marked as Controlled Unclassified Information (CUI). After a data breach in 2021 involving an affiliate’s hard drive containing government data, RIB U.S. Cost experienced a significant financial and personnel burden. Although the company had been working to achieve full compliance with NIST 800-171, CEO Suzanne Moltzen recognized the implementation needed to be accelerated. She knew her company needed to invest more fully in cybersecurity and compliance if they wanted to continue to lead the way in their industry. But like many small federal contractors, she is pulled in many different directions.

She said, “I want to get it right, but my attention is always divided. There's always something that needs to be done, so that's why I stay committed to using Commander [Summit 7’s Managed GRC Solution].” 

Additionally, much of the company’s operations and policies lived in her head, so they knew they needed documented, repeatable processes. While they had adopted some cybersecurity best practices, they struggled to demonstrate those efforts on paper, which is an essential step toward compliance with CMMC (Cybersecurity Maturity Model Certification).

“Even if we’re doing the right things, we need to be able to show that we’re doing the right things,” said Moltzen. 

 

The Solution

RIB U.S. Cost partnered with Summit 7 and was among the earliest adopters of their managed services, Guardian and Vigilance. As their compliance journey evolved, they added Commander, Summit 7’s managed governance, risk, and compliance (GRC) service.

The Commander team worked closely with RIB U.S. Cost’s internal cybersecurity analyst to tailor policies, procedures, and documentation that not only aligned with CMMC Level 2 but also fit the company’s actual business operations. 

“For me, it took someone to slowly work us through that… translating what my employees needed to do into a written policy,” said Moltzen. “That is where I found Commander to be very useful.” 

 

The Results

RIB U.S. Cost officially received their CMMC Level 2 certification in early 2025. While it brought a moment of relief, Moltzen knows it’s only the beginning of a continuous effort. 

“It was the biggest sigh of relief for a moment because I also realized that just because I’m certified, it doesn’t stop here,” she said. “We have to be committed… especially after going through what happens when you’ve had a breach.” 

The breach in 2021 led to costly forensic recovery—15-hour days and a monthly expense greater than a full year’s worth of Summit 7’s services. 

“We spent more in a month with forensics than I spend in a year now with Summit 7,” Moltzen emphasized. “My number one advice: find the experts, use them, appreciate them.” 

Because of their investment in Commander, RIB also has confidence in the future of their cybersecurity and compliance. 

 


Custom-Built CMMC Solutions on Azure Government

Summit 7 has developed a comprehensive CMMC-compliant solution as well as a robust set of managed security tools in its product line to form the CMMC Managed Security Solution. This Managed Security Solution set is designed to support the DIB in their journey to protect critical US data.

The core requirements of the CMMC Managed Security Solution utilize E5 licensing in Microsoft 365 GCC High and multiple security workloads within Azure Government.