Cummins Export Controls Compliance & Cloud Collaboration Platforms

FedRAMP Authorized dual-environment deployment protecting $2B in federal contract eligibility — delivered in under 30 days.

Timeline: Nov 2016 – Aug 2019
Role: Project Lead, PO
MVP Launch: October 1, 2017
Industry: Government Contracts, Manufacturing

Project Overview

In November 2016, an Export Controls business analyst identified a critical compliance gap threatening $2 billion in government contract revenue. Cummins' export-controlled intellectual property resided in systems that failed to meet NIST SP 800-171—federal standards mandating specific controls for any non-federal system storing, processing, or transmitting Controlled Unclassified Information (CUI). Without a compliant content management platform deployed by October 1, 2017, Cummins would be disqualified from prime and subcontractor government contracts representing 5% of global revenue—damaging both revenue and relationships with federal agency partners.

I led the end-to-end program: vendor evaluation, solution selection, contract negotiation, and implementation of a dual-environment platform built on Box for Government (a FedRAMP Authorized cloud environment for export-controlled operations) and Box for Enterprise (a commercial instance for broader collaboration). We delivered the compliant environment ahead of the October deadline. The commercial platform scaled to support over 10,000 global users within two years.

Project Scope

The initiative encompassed vendor evaluation and selection, contract negotiation, and parallel deployment of two distinct cloud environments — a compliance-focused platform for export-controlled operations and a commercial collaboration platform for broader enterprise use. The scope extended beyond immediate regulatory requirements to establish a strategic collaboration capability serving joint ventures, field operations, and international partnerships.

Box for Government
  • FedRAMP Authorized Environment — Deployed within a federally authorized cloud service meeting rigorous security standards for government data
  • NIST SP 800-171 Compliance — Satisfied all 110 security controls required for systems storing, processing, or transmitting Controlled Unclassified Information
  • U.S. Geo-Located Servers — Ensured all export-controlled data resided on servers physically located within United States borders
  • Large File Support — Enabled secure sharing of files up to 2GB to support engineering documentation and technical specifications
  • CUI Access Controls — Restricted environment access to personnel authorized to handle Controlled Unclassified Information

Box for Enterprise
  • Global User Scale — Supported 10,000+ internal users and unlimited external collaborators within two years of launch
  • Joint Venture Support — Enabled secure collaboration with external partners on co-development projects and strategic partnerships
  • Field Technician Access — Provided mobile-first solutions for service technicians accessing technical documentation in the field
  • International Operations — Supported collaboration in foreign-constrained environments with appropriate data sovereignty controls
  • External Sharing — Facilitated controlled information exchange with suppliers, customers, and partners outside the Cummins network

Platform Enhancements & Customizations
  • Custom Workflows — Designed information governance processes aligned with Cummins operational requirements
  • Box Platform API Integration — Leveraged Box Platform APIs to extend native functionality for Cummins-specific use cases
  • Controlled Content Access — Developed tailored permission structures for field technician guide distribution
  • Mobile Optimization — Created mobile-first experiences for users accessing content from tablets and smartphones in field environments

My Role

I served as Project Lead and Product Owner for Cummins' Box cloud collaboration platform initiative, owning end-to-end responsibility for vendor selection, implementation, and ongoing platform evolution — balancing urgent compliance requirements with long-term strategic platform vision across a complex cross-functional stakeholder environment.

My primary responsibility centered on protecting $2 billion in government contract revenue by implementing a NIST SP 800-171 compliant content management system before the October 1, 2017 regulatory deadline. I led comprehensive requirements gathering by analyzing all 110 security controls and engaging stakeholders across Export Controls, Cybersecurity, Product Engineering, and Quality to identify needs beyond baseline compliance. I conducted enterprise-wide discovery to confirm no existing Cummins platforms satisfied requirements, validating the business case for external procurement.

I owned the vendor evaluation and selection process from RFI through contract execution. After identifying three FedRAMP Authorized vendors meeting DFARS 252.204-7012 requirements, I developed detailed RFI and RFP documentation articulating Cummins' technical specifications and business requirements. I coordinated vendor demonstrations, ensuring each showcased capabilities relevant to our specific use cases. I assembled a cross-functional source selection committee and developed evaluation criteria using a Cause & Effect (C&E) Matrix to enable objective, weighted scoring across proposals. As primary vendor point of contact, I orchestrated evaluation sessions, managed communications, and facilitated the decision to select Box for both compliance and commercial environments.

Following vendor selection, I navigated the $2.5 million contract through Legal and Procurement approval processes and shepherded the solution through Cummins' SDLC onboarding procedures. I partnered closely with Box's implementation team to complete deployment in under one month — meeting the critical October deadline and protecting $2 billion in government contract eligibility.

Beyond initial implementation, I evolved into the strategic platform owner, curating a product backlog that extended Box's native capabilities through Box Platform API integrations. I prioritized enhancements including controlled access frameworks for field technician documentation and mobile-first experiences, addressing operational efficiency opportunities across diverse user segments. Within two years, the commercial platform scaled to support over 10,000 global users and enabled unlimited external partnerships for joint ventures and international operations.

Methodology

Requirements Discovery:

I initiated the project by analyzing NIST SP 800-171's 110 security requirements, which provided explicit compliance specifications for the controlled environment. To ensure comprehensive requirements capture, I engaged stakeholders across Export Controls, Cybersecurity, Product Engineering, and Quality to identify needs beyond baseline compliance. I conducted enterprise-wide discovery to confirm no existing Cummins systems could satisfy the requirements, eliminating potential redundancy and validating the need for external procurement.

Vendor Evaluation:

I identified three FedRAMP Authorized vendors meeting DFARS 252.204-7012 requirements, capable of addressing both compliance and commercial collaboration needs. I developed and issued Requests for Information (RFI) and Requests for Proposal (RFP) articulating Cummins' technical specifications, compliance mandates, and business use cases. I coordinated vendor demonstrations, ensuring each presented capabilities addressing our specific needs and allowing for consistent, apples-to-apples comparison across solutions.

Source Selection Process:

Working with my manager, I assembled a cross-functional source selection committee representing key stakeholder departments. I developed evaluation criteria using a Cause & Effect (C&E) Matrix — a Six Sigma tool that prioritizes key process input variables (KPIVs) based on customer output priorities (KPOVs) — ensuring objective, weighted scoring across vendor proposals. I organized meeting spaces, coordinated vendor communications as the primary point of contact, and facilitated evaluation sessions that led to Box's selection for both Box for Government and Box for Enterprise environments.

Procurement & Implementation:

Following vendor selection, I coordinated contract negotiations with Legal and Procurement, navigating a $2.5 million agreement through approval processes. I shepherded the solution through Cummins' System Development Lifecycle (SDLC) onboarding procedures, ensuring proper governance and risk management protocols. I partnered with Box's implementation team to complete platform deployment in under one month, achieving production readiness by the October 1, 2017 compliance deadline.

Platform Enhancement:

Post-launch, I developed a custom product backlog leveraging Box Platform APIs to extend native platform capabilities for Cummins-specific use cases. I prioritized enhancements including controlled access frameworks for field technician guides and mobile-optimized experiences, improving operational efficiency and addressing the needs of diverse user segments.

Cummins Box Implementation Timeline

November 2016 – October 2017

11-month sprint to protect $2 billion in government contracts

November 2016

Compliance Gap Identified

Export Controls business analyst escalates critical risk: $2B in government contracts threatened by non-compliant content management system.

December 2016

Company Holiday Shutdown

Complete company closure for two-week holiday period. Project timeline frozen — no work, no decisions, no progress possible.

January – February 2017

Stakeholder Alignment

Secured executive support and budget approval. Engaged cross-functional stakeholders across Export Controls, Cybersecurity, Product Engineering, and Quality.

March – April 2017

Requirements & Vendor Research

Analyzed NIST SP 800-171 requirements (110 security controls). Conducted enterprise-wide discovery. Identified 3 FedRAMP Authorized vendors meeting DFARS 252.204-7012 and issued RFI/RFP.

May 2017

Evaluation Criteria Development

Created source selection committee with cross-functional representatives. Developed Cause & Effect (C&E) Matrix for objective vendor scoring.

June – July 2017

Source Selection Process

Coordinated vendor demonstrations and evaluation sessions. Facilitated committee scoring and deliberation. Selected Box for dual-environment solution.

August 2017

Procurement & Contract

Negotiated $2.5M contract with Legal and Procurement. Finalized terms for both Box for Government and Box for Enterprise environments.

September 2017

Implementation & SDLC

Rapid deployment with Box implementation team. Completed IT project gating and SDLC onboarding procedures. User acceptance testing.

October 1, 2017

Go-Live: Compliance Achieved

FedRAMP Authorized, NIST SP 800-171 compliant environment deployed. $2B in government contracts protected. Deadline met with zero days to spare.

  • 11 months from risk to resolution
  • $2B contract revenue protected
  • <30 days from contract to go-live

Challenges

⏱ Compressed Timeline with High Financial Stakes

The 11-month window from compliance gap identification to production deployment carried extraordinary pressure — $2 billion in government contracts hung in the balance, representing 5% of Cummins' global revenue. This timeline demanded accelerated vendor evaluation, expedited procurement, and rapid implementation without compromising security rigor or compliance validation. The stakes prohibited any delays or implementation missteps that would push delivery past the October 1, 2017 deadline, requiring meticulous project planning and proactive risk management throughout.

🏗 Dual-Environment Architecture Complexity

Implementing two distinct Box environments — one meeting stringent FedRAMP Authorized and NIST SP 800-171 requirements for export-controlled government work, another supporting open commercial collaboration — required careful architectural planning to prevent accidental data migration between environments while maintaining user experience consistency. Users needed clear governance policies, training, and technical controls that enforced environment separation without creating operational friction. The dual-environment approach also complicated license management, user provisioning, and administration workflows.

🤝 Enterprise-Wide Stakeholder Alignment

The project required coordination across multiple departments with competing priorities and varying levels of urgency around the compliance deadline. I worked directly with senior stakeholders from Export Controls, Cybersecurity, Product Engineering, Quality, Legal, Procurement, and IT — each with legitimate requirements that needed reconciliation within the selected solution. Building consensus on evaluation criteria, navigating departmental priorities within the source selection committee, and managing expectations during vendor demonstrations demanded diplomatic facilitation and the ability to translate technical capabilities into business value for diverse audiences.

📋 Vendor Evaluation Under Pressure

Assessing three FedRAMP Authorized vendors through RFI/RFP processes while maintaining aggressive timeline targets required structured evaluation frameworks that balanced thoroughness with efficiency. The source selection committee needed clear criteria, consistent scoring methodologies, and efficient meeting coordination to reach defensible decisions without analysis paralysis. Carefully crafted RFP specifications ensured vendor responses addressed both immediate compliance requirements and long-term enterprise collaboration needs — without overlooking critical capabilities in the rush to meet the deadline.

Outcome

The initiative successfully delivered a dual-environment cloud collaboration platform that satisfied immediate compliance mandates while establishing strategic enterprise capabilities with long-term business value.

Compliance Achievement

Deployed a FedRAMP Authorized, NIST SP 800-171 compliant Box for Government environment ahead of the October 1, 2017 deadline — protecting $2 billion in government contract eligibility and preserving 5% of Cummins' global revenue. The secure environment reached production readiness in under one month following contract execution. Operational details of the controlled environment are confidential given the sensitive nature of export-controlled operations.

Commercial Platform Success

Established Box for Enterprise as a strategic collaboration platform supporting over 10,000 global users and enabling unlimited external partnerships within two years of launch. The platform facilitated seamless operations for joint ventures, empowered field technicians with mobile-first access to technical documentation, and enabled collaboration in foreign-constrained environments with appropriate data sovereignty controls.

Cost Recovery & Governance Model

Co-developed with the Cybersecurity team, the platform launched with a department-level chargeback model — allocating costs based on user count per department across both environments. The commercial platform fully offset the cost of the compliance environment, making the government-grade infrastructure effectively self-funding. In my concurrent role as Information Asset Protection (IAP) Program Manager, I spearheaded a shadow IT identification initiative targeting both internal systems and externally shared content on unsanctioned free platforms. The guiding principle was simple: if it's free, you're the product. Approximately 100 employees were identified using unsanctioned tools and redirected to approved enterprise solutions — reducing data exposure risk and strengthening Cummins' overall information governance posture.

Global Accessibility

Ensuring platform adoption across Cummins' global workforce required creative problem-solving beyond standard deployment. Colleagues in China faced a significant barrier — Cummins' primary authentication system was blocked at the national network level, preventing direct Box for Enterprise access. I designed a workaround leveraging an existing Salesforce portal as an authenticated entry point, enabling Chinese operations teams to access the platform without friction. This solution reflected a core product ownership principle: removing barriers to adoption is as important as the platform itself.


Industry Recognition & Strategic Partnerships

Engagements

Cummins' innovative implementation created reciprocal value — influencing Box's product roadmap while gaining competitive advantage through early access to innovation.

Advisory

Box Product Leadership Board

Invited to join Box's strategic advisory group comprising select enterprise customers based on Cummins' innovative implementation. Contributed to advancing key security and governance features, ensuring Cummins' compliance requirements directly influenced Box's product roadmap while providing early visibility into emerging capabilities.

Smart Access • Information Governance • Geo-Located Data Centers • MFA Enhancements

Beta Partner

Box Beta Testing Partnership

Cummins' proactive engagement and thought leadership positioned the organization as a key beta testing partner for Box Relay, Box's workflow automation tool. This strategic relationship granted early access to new offerings within the Box Suite ahead of general availability — including Box Shield's advanced threat detection capabilities.

Box Relay • Box Shield • Early Access • Workflow Automation

These partnerships demonstrated how successful implementation and strategic vendor engagement can create reciprocal value — influencing product development while gaining competitive advantage through early access to innovation.

Lessons Learned

🔄 Sunset Strategy Requires More Than Feature Parity

When the field service technician team lost their custom-coded legacy tool as part of the platform consolidation, feature parity alone wasn't enough to drive adoption. The team had years of workflow muscle memory built into their previous solution. Recognizing this, I engaged Box's lead technical resource to design a custom implementation that replicated the team's specific operational needs within the Box for Enterprise environment — rather than asking users to adapt to out-of-the-box functionality. The lesson: migration success depends on meeting users where they are, not where the platform wants them to be. Bringing in the right expertise early, rather than assuming native capabilities would suffice, was the difference between adoption and resistance.

🔍 Shadow IT Is Both a Risk Signal and an Adoption Opportunity

The Information Asset Protection initiative revealed approximately 100 employees using unsanctioned free platforms to share and store content — often without understanding the data exposure risk. The guiding principle was simple: if it's free, you're the product. Rather than approaching these users punitively, we redirected them to approved enterprise solutions, turning a governance risk into a platform adoption opportunity. The lesson: shadow IT isn't just a security problem — it's a signal that user needs aren't being met by sanctioned tools. Addressing the root cause of adoption gaps is as important as enforcing compliance boundaries.

🌐 Global Accessibility Requires Creative Problem-Solving

Standard deployment assumptions don't hold in every geography. When it became clear that Cummins' primary authentication system was blocked at the network level in China, a conventional rollout would have left an entire operational team without access. Designing a Salesforce portal-based authentication workaround ensured Chinese operations teams could access Box for Enterprise without friction. The lesson: inclusive platform thinking means anticipating infrastructure barriers before they become adoption failures — and being willing to engineer creative solutions when standard approaches fall short.

Artifacts

Due to the sensitive nature of export-controlled operations, specific project artifacts and implementation documentation remain confidential.