Calgon Carbon Accelerates CMMC Level 2 Readiness

Calgon Carbon, a global leader in activated carbon solutions, advanced its cybersecurity program with Seiso’s specialized CMMC expertise. Through planned improvements in risk management, vendor oversight, data classification, incident response, and employee awareness, Calgon Carbon accelerated their path toward CMMC Level 2, increased compliance, and improved operational resiliency.

 

Customer Situation

Calgon Carbon is a global leader in advanced activated carbon solutions, playing a vital role in protecting public health and safety across high-risk sectors including water treatment, air purification, food safety, and industrial manufacturing.

As a trusted partner to U.S. government agencies and defense contractors, Calgon Carbon is held to the highest cybersecurity standards, including compliance with the evolving Cybersecurity Maturity Model Certification (CMMC), to ensure the security and resilience of critical infrastructure.

Challenges

In line with its industry and regulatory environment, Calgon Carbon needed to strengthen its existing security program to prepare for CMMC Level 2 certification. While the company already had a solid information security foundation, it sought specialized CMMC expertise from Seiso to address critical areas, improving their odds of achieving certification:

• Risk Management: Calgon Carbon aimed to bolster its approach to identifying, documenting, and remediating security risks, ensuring greater visibility and accountability across the enterprise.
• Vendor Risk Management: The company recognized a need to improve oversight of third-party providers and ensure they followed CMMC requirements.
• Incident Response & Awareness: In meeting elevated CMMC standards, Calgon Carbon required updates to its incident response processes and practical education for employees who handle sensitive data.
• Future Readiness: The organization needed a clear roadmap—from CMMC Level 1 to Level 2—to proactively address both immediate and anticipated regulatory obligations.

Our Solution

Seiso delivered a comprehensive suite of cybersecurity services guided by our Security Simplified philosophy. Over a 12-week engagement, we focused on the following:

 

CMMC Controls Assessment & Plan of Action and Milestones (POA&M)

• Performed a thorough assessment of security controls, classifying each control as Met, Partially Met, or Not Met.
• Developed a detailed POA&M to sequence remediation tasks, assign responsible owners, and track milestone completion.
• Provided advisory services and a baseline for a detailed System Security Plan (SSP) that charted Calgon Carbon’s path from CMMC Level 1 to Level 2, documenting policies, processes, and technical safeguards.

 

Risk Management Program & Risk Register

• Established a formal risk register to log and prioritize security risks across the organization, ensuring transparent remediation planning.
• Delivered risk management governance resources—such as acceptance forms and corrective action standards—aligned with CMMC practices.

 

Vendor Risk Management Enhancements

• Strengthened Calgon Carbon’s third-party oversight by defining comprehensive vendor inventories and tying them into the risk register.
• Implemented vendor risk management policies and procedures mapped to CMMC guidelines, clarifying accountability for each control domain.

 

Data Classification & Incident Response Upgrades

• Mapped and categorized data assets containing Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)—reinforcing how both are identified and safeguarded.
• Enhanced incident response with dedicated playbooks for ransomware and business email compromise. Conducted a tabletop exercise to validate and refine incident readiness.
• Provided engaging, scenario-focused awareness materials and an infographic to help employees quickly identify and report suspicious activities.

Results

Upon completion, Calgon Carbon received clear guidance and deliverables to advance its security posture toward CMMC Level 2:

 

Structured Roadmap for CMMC Compliance

A System Security Plan (SSP) and POA&M offered Calgon Carbon a clear strategy for upgrading controls, policies, and procedures, thereby reducing ambiguity around CMMC objectives.

 

Actionable Risk Management

The new risk register established a centralized view of organizational risks, driving more efficient prioritization and remediation activities.

 

Improved Vendor Oversight

Refined vendor management practices ensured consistent, CMMC-aligned standards for critical third-party relationships.

 

Enhanced Data Protection & Incident Preparedness

Detailed guidance for FCI and CUI classification helped safeguard sensitive information through improved user training and documented procedures, while updated incident response capabilities empowered teams to respond effectively to potential threats by establishing user-friendly playbooks.

 

Through a focus on practical, real-world outcomes, Seiso delivered specialized CMMC expertise that elevated Calgon Carbon’s existing program and positioned the company for ongoing cybersecurity success.

By focusing on practical, real-world outcomes, Seiso delivered tailored CMMC expertise that not only strengthened Calgon Carbon’s cybersecurity posture but also strategically aligned its program with long-term compliance and operational resilience. Our guidance helped transform compliance into a competitive advantage—positioning Calgon Carbon as a trusted, security-first supplier in highly regulated and mission-critical industries.