Read this if you are involved in cybersecurity at your organization.

The cyber threat landscape is growing

Over the years, the cyber threat landscape has experienced a steady increase in cyberattacks, with more data breaches, targeted social engineering attacks, and crippling ransomware attacks taking place. The increase in cyberattacks is affecting all industries, including government supply chain vendors, higher education and research institutions, and many others. 

The US government is particularly aware of the risks involved with the increase in cyberattacks and understands it must continue to strengthen its cybersecurity program to protect intellectual property and national security. This means not only strengthening cybersecurity controls and processes for the government, but also for contractors who work directly and indirectly with the government. In this case, “contractors” include businesses that enter into contracts with the US government and any supplier, distributor, vendor, or firm that provides products or services to contractors and other subcontractors. 

What is the Cybersecurity Maturity Model Certification (CMMC) framework?

The CMMC framework provides a foundation for establishing a strong cybersecurity program to effectively manage cyber threats. The framework was developed by the Department of Defense (DoD) and is designed to help ensure that cybersecurity controls and processes adequately protect sensitive information that is shared among entities across various industries. Broadly speaking, contractors and subcontractors that work with the DoD will be required to comply with CMMC guidelines. 

Prior to the enforcement of CMMC, contractors were responsible for implementing and monitoring their own cybersecurity controls and processes and could self-attest to their level of security. In other words, the DoD did not audit or verify the level of security maintained by contractors. Now, with cyber criminals frequently targeting the weakest link in supply chains, the DoD has moved to a trust-but-verify approach: organizations working with the DoD may be required to have a third party (a CMMC Third-Party Assessment Organization, or C3PAO) assess their cybersecurity controls and processes and verify CMMC compliance. 

CMMC industry standards and cybersecurity best practices

Although the framework is evolving and requirements are still being finalized, CMMC currently mandates NIST 800-171 compliance and adds requirements drawn from other cybersecurity frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), the Center for Internet Security (CIS) Controls, and the Computer Emergency Response Team (CERT) Resilience Management Model (RMM). CMMC uses these industry standards and cybersecurity best practices to establish a benchmark against which assessors can measure an organization’s cybersecurity posture. Following the assessment, the organization will better understand the maturity of its controls and processes and where gaps may exist. 

CMMC compliance benefits beyond the DoD

CMMC compliance will soon become a prerequisite for DoD contract awards and is expected to impact over 300,000 contractors and subcontractors. The purpose of CMMC is to provide a uniform set of security standards that every contractor working with the DoD must use to protect sensitive information. Without compliance, organizations could be excluded from bidding on DoD contracts. By 2025, every organization doing business with the DoD must be CMMC compliant, including those entities conducting research using federal grant funds. 

Outside of helping companies with DoD contract prerequisites, CMMC compliance is important for several other reasons. First, the framework helps ensure that organizations have implemented the proper controls and processes to protect themselves from cyber threats. It also helps ensure compliance with other laws and regulations. Additionally, by following the CMMC set of standards and best practices, organizations can maintain a high trust relationship with partners and customers. 

Who should be CMMC compliant?

All contractors and subcontractors that work with the DoD should be CMMC certified. The required maturity level will depend on the DoD contract and the sensitivity of the information the organization receives or uses. Today, only organizations that directly provide products and services to the DoD, known as prime contractors, must meet NIST 800-171 and the additional requirements of CMMC compliance. Prime contractors must also verify that subcontractors further down the supply chain meet the requirements. By 2025, CMMC compliance obligations will extend to all organizations bidding on defense contracts. At that point, all organizations working with the DoD, no matter what service or services they provide, will need at least Level 1 CMMC compliance to win or maintain a DoD contract (more information on maturity levels below). 

If an organization is planning to contract with the DoD, it should plan to be CMMC certified and should preemptively attain Level 1 CMMC compliance. Again, the maturity level required of an organization will be stipulated on a case-by-case basis in the contract. Fortunately, if an organization is already compliant with NIST 800-53 or FedRAMP (the security standard for all government contractors generally), it is not far from becoming certified. Likewise, if an organization is compliant with NIST 800-171, it may already fulfill many of the requirements of CMMC. 

A breakdown of CMMC maturity levels

In September 2020, the DoD established CMMC 1.0. The original framework organized security maturity levels into five tiers, but in November 2021, the DoD announced the most recent version, CMMC 2.0, which introduces several key changes, including a more streamlined model that should reduce costs, particularly for smaller organizations. Additionally, CMMC 2.0 organizes maturity levels into three tiers—instead of five.

  1. Foundational
    The first tier includes basic cybersecurity hygiene appropriate for small organizations utilizing a subset of universally accepted best practices. This tier only requires an annual self-assessment and attestation by company leadership.
  2. Advanced
    The second tier includes coverage of all 110 NIST SP 800-171 controls. This tier will require a CMMC Third-Party Assessment Organization (C3PAO) to perform a triennial assessment of the organization's CMMC implementation.
  3. Expert
    The final tier includes implementing highly advanced cybersecurity controls and processes. The processes involved at this level include continuous improvement across the organization and timely incident response capabilities. The details of this tier are still being defined, but it is expected that it will incorporate a subset of controls from NIST 800-172. Additionally, the organization would be assessed by the DoD and not by a C3PAO. 

Challenges and considerations of CMMC compliance 

CMMC compliance can be challenging for several reasons. The first challenge is the scope of the effort, which depends on whether the organization is starting from scratch or adapting an existing cybersecurity framework. The CMMC’s core comprises the 14 cybersecurity domains outlined in NIST 800-171. The domains include areas such as access control, awareness and training, and incident response. Within the 14 domains there are 110 controls. These controls include topics like limiting unsuccessful login attempts, ensuring that personnel are trained to carry out their assigned information security-related duties and responsibilities, and testing organizational incident response capabilities. Mapping all these security requirements is not easy, and implementing them without a clear idea of what they entail is almost impossible.

Another common challenge with CMMC compliance is cost, and organizations should begin to build budgets to upgrade cybersecurity controls and processes to the levels needed. The costs associated with CMMC compliance depend on several factors:

  • Organization size
    The size of the organization may have an impact on project costs; however, the number of employees accessing sensitive information is the more significant driver in determining overall costs of compliance. Thus, organizations should limit the number of employees receiving and using sensitive information. 
  • Maturity
    The journey to CMMC compliance will likely cost more and take longer for organizations starting from scratch. For organizations further along in the process, it will be important to consider the current maturity level of documentation development, technology implementation, and what processes and procedures are already documented and in use. 
  • Technology implementation
    Achieving compliance will require a combination of policy and technology. The more technologies the organization must implement, the greater the costs. Some of the more expensive technologies include a security information and event management (SIEM) system and a vulnerability scanner.
  • Consultants
    Consulting costs should be considered when setting out for CMMC compliance. Organizations often have consultants perform a gap analysis to analyze how well their current cybersecurity program meets—or does not meet—the demands of NIST 800-171. This helps an organization determine whether it complies with the CMMC, or what steps will be necessary to achieve compliance. In other words, a gap analysis can keep the organization’s CMMC compliance strategy on track.

It is important that organizations understand that CMMC compliance is not a one-time expense. Compliance can have an impact on IT support teams, forcing units to spend time on regulated data environments at the cost of supporting broader organizational needs. Ongoing training is necessary to keep stakeholders up to date on the evolving threat landscape. Requirements are also not easy to implement and may have an impact on the organization. Finally, noncompliance carries its own risks, such as not qualifying for new awards or the potential loss of current projects. 

The last challenge to completing CMMC compliance is getting the official certification. Unlike many other frameworks, CMMC requires the organization to obtain the certification from a C3PAO that has been accredited by the CMMC Accreditation Body (now known as The Cyber AB).

Preparing for CMMC compliance

Before achieving CMMC compliance, organizations should understand their current state of security and determine what level of compliance is necessary. Organizations should perform a gap analysis to analyze how their current cybersecurity program meets—or does not meet—compliance requirements. Following the analysis, organizations should develop a security roadmap that outlines how they will implement requirements to prepare for a CMMC assessment. It will also be important for the organization to determine the scope of the assessment. 

For organizations that are ready to attain CMMC compliance, the next step is the assessment. A CMMC assessment is the process of evaluating an organization’s cybersecurity maturity, and it is required to demonstrate compliance with the desired CMMC level before the organization is certified. Organizations seeking Level 1 CMMC compliance can perform a self-assessment. Organizations that intend to attain Level 2 or 3 compliance need to pass a third-party assessment.

CMMC assessments examine the cybersecurity policies, procedures, controls, and processes to determine compliance with NIST 800-171, NIST 800-172, and any other requirements. The extent of the assessment will depend on the maturity level an organization wants to achieve. The assessor will request information to evaluate the controls and processes protecting sensitive information, which may include previous risk assessments, network diagrams, vulnerability scans, and other relevant documentation. 
In today’s rapidly evolving environment, the DoD is focused on protecting sensitive information from malicious cyberattacks, particularly throughout the supply chain. CMMC offers a structured framework for organizations to strengthen their cybersecurity posture. For organizations doing business or looking to do business with the DoD, CMMC compliance will soon be required to help ensure that contractors are meeting minimum industry standards and cybersecurity best practices. 

While the road to compliance presents challenges like resource allocation and technological adaptation, the journey toward compliance is an ongoing process. To help ensure compliance, organizations should establish transparent ownership and consistent expectations across their enterprise and partnerships.

CMMC: Is it time for your cybersecurity program to grow up?

Read this if you are at a Medicaid agency.

The official release from the Centers for Medicare and Medicaid Services (CMS) of the Streamlined Modular Certification (SMC) for Medicaid Enterprise Systems (MES) has left some states wondering: How do CMS outcomes fit into the planning of MES Information Technology projects? 

Because CMS outcomes are based on statutory and regulatory requirements, they can be ambiguous, which can make it difficult for states to begin the process of defining outcomes and meaningful metrics to support those outcomes. While the SMC process can seem overwhelming, it offers the perfect opportunity for states to look at the future of their programs and use these outcomes to make management decisions that will provide lasting improvements in their programs. 

Establishing outcomes is critical in preparing for a successful implementation, helping to ensure certification is achieved and securing Federal Financial Participation. During the planning phase of the SMC process, states define what improvements will be made to their Medicaid program with a focus on modernizing their MES. These desired improvements are the driving factor in defining meaningful and measurable outcomes and metrics. 

Success measures: using outcomes to support management decisions

To be successful, state project sponsors should engage with their management teams to discuss areas of improvement within their programs. Management teams should look at CMS outcomes as an opportunity to implement process change within their programs—keeping in mind that the changes must be measurable and increase productivity. States should focus on those areas of improvement that will provide the most benefit while increasing productivity.

Let's use a decision support system/data warehouse (DSS/DW) implementation as an example of how states can use outcomes to support management decisions. CMS has defined two DSS/DW outcomes: 

  • DSS/DW1: The system supports various business processes' reporting requirements
  • DSS/DW2: The solution includes analytical and reporting capabilities to support key policy decision-making

While these outcomes may be initially difficult to decipher, they provide states with the opportunity to create metrics to support a management decision that benefits their programs. A DSS/DW must have the ability to store data in a way that improves the speed and efficiency of accessing data from different data sets within an MES and makes it easier for states to report and analyze data. 

Here’s an example of a metric for DSS/DW1 that would support a management decision for a fast, user-friendly DW that will increase productivity among its users:

New operations dashboards are available in four weeks or less upon design approval. Data is rendered in 10 seconds 99% of the time (scalable). 

This outcome allows the state to make the management decision to help ensure new dashboards are released in production and operating at a rate that will benefit their users—and the MES. Rather than being intimidated by the process of defining outcomes and metrics, states should embrace the process as an opportunity for improvement. 

When navigating through the SMC process, states should collaborate early and often with CMS to ensure their outcomes and supporting metrics are in alignment with CMS expectations.

Need help with your state’s CMS SMC effort? BerryDunn has subject matter experts experienced in the SMC process. We would love to work with your state to ensure a timely and successful MES certification. If you would like to discuss how BerryDunn can support your needs, contact the Medicaid consulting team.

Transforming CMS outcomes into management decision drivers

Read this if you are interested in your hospital’s performance.

At BerryDunn, we understand the critical role of benchmarking in enabling hospitals to make informed decisions and achieve their strategic goals. Believe it or not, the Medicare cost report hospitals are required to file annually can be a rich source of information that can be leveraged to gain valuable insights into financial and operational performance, especially when combined with data from peers.

The significance of benchmarking

Benchmarking involves comparing an organization's performance metrics against those of its peers, whether within the same region, of similar size, or the same healthcare specialty. By doing so, hospitals can identify performance gaps, uncover areas of improvement, and set realistic goals. This data-driven approach gives hospitals a holistic understanding of their strengths and weaknesses, what sets them apart from their peers, and enables them to make informed decisions for better patient care and financial sustainability.

Benchmarking portal delivers insights 

BerryDunn's Hospital Benchmarking Portal offers a comprehensive array of nearly 40 benchmarking reports, with performance indicators related to volume and payor mix, cost structure, and profitability. Let's dive into some of the critical insights hospitals can gain from just a selection of benchmarks available in the portal:

  • Average length of stay and occupancy percentage: These metrics provide insight into how efficiently a hospital utilizes its inpatient resources. A shorter stay reduces the cost per discharge, which is ideal for hospitals reimbursed under a fee-for-service model. The occupancy rate is the proportion of staffed beds that are occupied. If a hospital has a low occupancy rate compared to its peers, it indicates potential room for improvement in its inpatient staffing model. Conversely, a high occupancy rate may indicate that capacity is being challenged—the hospital may want to analyze the feasibility of increasing staffed beds.
  • Payor mix: Analyzing trends in payor mix can provide hospitals with insight into the socioeconomic status of the community they serve, which impacts a hospital's revenue streams and long-term sustainability. A balanced payor mix is ideal as government programs often pay less than cost, and revenue from commercial payors helps close the gap. The mix of services a hospital offers can also have an impact on its payor mix.
  • Average hourly wage and employee benefits as a percentage of salaries: Labor is often the most significant expense for healthcare providers. These indicators shed light on the competitiveness of a hospital’s total compensation and identify potential opportunities to reevaluate employee benefit structures.
  • Capital cost percentage and average age of plant: Hospitals often require substantial investments in infrastructure, medical equipment, and technology to provide high-quality patient care. Analyzing these benchmarks can help a hospital assess whether they are adequately investing in capital projects, which is critical to its competitiveness and long-term financial sustainability.
  • Overhead percentage: Benchmarking overhead costs as a percentage of total costs allows a hospital to assess whether its resources align with peers and if it is investing in critical areas while managing overhead costs effectively to support financial stability and operational efficiency.
  • Uncompensated care percentage and bad debt and charity as a percentage of total charges: These benchmarks help evaluate a hospital's financial health by analyzing the percentage of charges that go uncompensated and the portion that becomes bad debt or charity. This provides insight into a hospital’s community benefit, financial assistance policies, and the effectiveness of certain revenue cycle management processes.
  • Disproportionate share percentage: Medicare Disproportionate Share payments are a vital component of Medicare reimbursement to help offset the cost of uncompensated care for eligible hospitals. The Disproportionate Share Hospital (DSH) percentage also determines eligibility for the 340B Drug Pricing Program for certain hospitals. If a hospital’s DSH percentage varies from other DSH hospitals in its region, it should evaluate its methodology for capturing the required data to ensure that it's optimizing this revenue source.
  • ER physician availability percentage: Medicare pays cost-reimbursed hospitals for the time that emergency physicians are on standby, and not treating patients. This is an excellent opportunity for additional reimbursement for Critical Access Hospitals. Those with lower percentages should carefully review the methodology used to track availability time to ensure accuracy, compliance with Medicare rules, and optimization of potential reimbursement.
  • Medicare and Medicaid profitability: These measures provide insight into the portion of allowable program costs that Medicare or Medicaid reimburses. For many hospitals, this represents a shortfall that needs to be funded by other sources. 
  • Total margin and operating margin: These financial ratios reflect a hospital's overall financial health and efficiency in managing costs and optimizing revenue.

The transformational impact of benchmarking on hospitals

The benefits of utilizing benchmarking extend far beyond data analysis. Hospitals can experience transformative impacts with data-driven decision-making and incorporating benchmarking insights into areas of their operations, including:

  • Performance enhancement: Benchmarking empowers hospitals to set realistic performance targets and track their progress over time, fostering a culture of continuous improvement. Remember the saying, “You can’t improve what you don’t measure”.
  • Strategic planning: Data-driven decision-making facilitated by benchmarking guides hospitals in developing strategic plans that align with their strengths, weaknesses, opportunities, and threats.
  • Financial decision-making: Informed financial decisions are a cornerstone of sustainable healthcare operations. Benchmarking helps hospitals allocate resources effectively, optimize revenue streams, and manage costs efficiently.

Navigating benchmarking challenges

While benchmarking offers immense potential, there are common pitfalls hospitals should be aware of:

  • Data accuracy: Ensuring accurate and consistent data collection is essential. Discrepancies can lead to skewed benchmarking results and misguided decisions. BerryDunn’s Hospital Benchmarking Portal seeks to provide consistent and reliable measures by using the Medicare cost report data; however, it should be recognized that there can be differences in the way hospitals complete the cost report, despite best efforts to standardize this required reporting.
  • Apples-to-apples comparison: Hospitals should compare themselves to peers with similar characteristics to draw meaningful insights. Variations in patient demographics, services offered, and market dynamics can distort comparisons. Our portal allows you to customize your benchmarking experience by selecting peer group comparisons that align with your specific needs and interests. However, it’s essential to understand a hospital’s unique differentiators and consider them when evaluating benchmark results.
  • Context matters: Interpreting benchmarking data requires a deep understanding of the hospital's unique circumstances. Unquestioningly adopting practices of top performers may not take into account nuanced factors. Benchmarking data is but one tool in your arsenal to help you identify opportunities for improvement.

Hospitals seeking to excel in today's rapidly evolving healthcare landscape should harness insights from a comprehensive range of financial and operational benchmarks. With a data-driven focus, hospitals can fine-tune their strategies, streamline operations, and ultimately provide higher-quality care while ensuring financial sustainability. Moreover, benchmarking can help hospitals uncover and emphasize their unique differentiators, enabling them to stand out in the competitive healthcare landscape. 

While BerryDunn’s Hospital Benchmarking Portal is a powerful tool, hospitals should also be aware of the challenges in benchmarking and approach the data with a critical and context-driven perspective. With the right approach, benchmarking can pave the way for hospitals to achieve new heights of excellence.

To learn more about how the BerryDunn Hospital Benchmarking Portal could help your hospital, register on our portal or contact our dedicated hospital benchmarking consulting team to request a demonstration.

Unlock the power of hospital cost report data for financial and operational benchmarking 

Many organizations implement well-being strategies to advance culture, engagement, and business performance. They recognize that successful well-being strategies combine work design, benefit and program offerings, and the built environment (physical workplaces and virtual capabilities) to address a myriad of human capital challenges and opportunities. Yet many organizations aren’t clearly connecting their well-being strategies to their risk management programs and Environmental, Social, and Governance (ESG) reporting.  

Reporting on the social component of ESG brings transparency to how an organization is managing human capital-related risks, the most prevalent in current ESG reporting standards being employee turnover. It also gives organizations the opportunity to share how they are supporting a workforce that can thrive both in and outside of work. 

Here are five ways an organization’s well-being strategy fits into their ESG reporting:  

1. Promoting healthy behaviors. The workplace is a recognized social determinant of health and can shape health behaviors for many individuals. Work shifts can influence sleep schedules, available food and beverage options can influence eating patterns, the nature of work and workplace features can influence safety and activity levels, health plan design can influence proactive and preventive healthcare decisions, and the culture drives many health-related behavioral norms. Workplaces that cultivate healthy behaviors not only see benefits to productivity, retention, and engagement, but also make a positive difference in helping to address local and national health challenges.

2. Cultivating social connection and belonging. The workplace is an important source of social connection for working adults. Yet 36% of Americans report feeling “serious loneliness.” Loneliness carries real consequences for individuals and workplaces. For instance, social isolation (even if only perceived) can increase inflammation in the body to the same degree as physical inactivity. Additionally, high belonging in the workplace is linked to a 56% increase in job performance, a 50% drop in turnover risk, and a 75% reduction in sick days. Organizations that emphasize the importance of connection right from the beginning of an employee’s onboarding journey, deliberately build in opportunities to connect as part of the work experience, and encourage workplace friendships can dramatically reduce feelings of loneliness among workers.   

3. Reducing mental health stigma. The quality of mental health in the US is a recognized national health crisis, with one in five adults living with a mental health condition, and mental health conditions on the rise in children and young adults. Unmanaged depression and anxiety have been shown to impair cognition, including problem solving, creativity, memory, and executive functioning. Organizations have the opportunity to bring visibility to mental health challenges, reduce stigma, and improve access to and quality of mental health resources for individuals and families.  

4. Educating employees to make sound financial decisions. Four out of five employers report that their employees’ personal financial issues impact their job performance. At a baseline, organizations are responsible for providing fair living wages to their employees. Organizations seeking to be employers of choice will pay competitive wages. Beyond how much employees are paid, organizations can equip employees with the knowledge and resources to make sound financial decisions in support of long-term financial independence. 

5. Supporting inclusion with flexibility. Flexible work schedules, “work from anywhere” arrangements, and alternative work schedules are all ways employers can support retention among talented employees who might otherwise leave the workforce or seek different job paths. Examples of employees who benefit most are those with caregiving roles (for children, elders, or other dependents) or who simply cannot afford to live near the office. Executed effectively, more flexible work arrangements can lead to improved retention and increased diversity.  

If you are interested in exploring how you can implement a well-being strategy for your organization and how you can integrate well-being into your ESG reporting, please contact our team.  

Start by assessing your organization’s well-being program 

Understanding the maturity level of your organization’s well-being program can help you benchmark, assess progress, and gain leadership support by showing a clear path to improvement. Our maturity model can help you assess where you are now.

How well-being advances the social component of ESG

Read this if your company is eligible for the Employee Retention Credit (ERC) and has filed a claim.

In order to protect taxpayers from an influx of ERC scams, the IRS has put an immediate halt to processing new claims, effective as of September 14. The moratorium will remain in effect through at least the end of 2023. 

IRS Commissioner Danny Werfel said, “The further we get from the pandemic, the further we see the good intentions of this important program abused. The continued aggressive marketing of these schemes is harming well-meaning businesses and delaying the payment of legitimate claims, which makes it harder to run the rest of the tax system. This harms all taxpayers, not just ERC applicants.” 

ERC claims filed before the moratorium took effect (September 14) will still be processed; however, due to stricter compliance reviews, processing time for these claims will be longer, doubling the standard ERC processing goal of 90 days to 180 days.

The agency will be working with the Justice Department to pursue fraud that has been perpetrated by companies pursuing aggressive and misleading marketing tactics. Additionally, the IRS is working to put more taxpayer protections in place, including the following:

Settlement program: The IRS is working on new initiatives to help businesses that were victims of aggressive promoters, including a settlement program for repayments for businesses that received an improper ERC payment. Details to come from the IRS this fall.

Withdrawal option: The IRS will also make available a special withdrawal option for those who have filed an ERC claim that has not yet been processed or paid, which will allow those taxpayers to avoid possible repayment issues and promoters' contingency fees. 

Our recommendations:

For those companies and organizations who filed the applicable Form(s) 941-X before September 14, continue to be patient while waiting for your refunds. It has been taking the IRS between 4 and 18 months to process claims, depending upon the amount claimed. We recommend you mail the forms to the IRS via certified mail with return receipt so there is documentation that the IRS received the forms. If you did not mail the form via certified mail with return receipt and want to be sure the IRS received your Form(s) 941-X, you can always call the IRS to confirm receipt. 

For those companies and organizations who have not filed a Form 941-X to claim the ERC, we recommend continuing to work with reputable companies to help you navigate eligibility for the ERC. We also recommend filing any completed Form(s) 941-X to claim the credit during this moratorium. However, any claims must be supported by adequate documentation outlining eligibility for the ERC under either the gross receipts test or the partial shutdown rules.

IRS Commissioner Werfel also stated, "In the meantime, businesses should seek out a trusted tax professional who actually understands the complex ERC rules, not a promoter or marketer hustling to get a hefty contingency fee.” We couldn’t agree more. Please contact our team if you have any questions. We’re here to help.

Employee Retention Credit articles from BerryDunn:

What can you believe about the Employee Retention Credit?
Too good to be true? IRS warns employers of ERC scams
Employee benefit plan updates: The Employee Retention Credit and student loan repayment programs

IRS Employee Retention Credit resources:

IRS news release on the ERC moratorium
For more information on the ERC, visit

Employee Retention Credit moratorium: IRS halts processing claims