
By Kyle Lai, President and CISO of KLC Consulting
Lead CMMC Certified Assessor (CCA)
CISSP, CSSLP, CISA, CDPSE, CIPP/US, CIPP/G, ISO 27001 Lead Auditor
How A Defense Contractor Navigated the CMMC Certification Process
This CMMC implementation strategy article details how a large, advanced defense software and manufacturing company successfully navigated the CMMC Level 2 certification process. They overcame compliance challenges to secure their standing in a multi-billion-dollar Department of Defense (DoD) contract recompete. The journey highlights the importance of a well-planned, multi-phased approach to CMMC assessment and remediation, especially for organizations with complex operational environments and extensive Controlled Unclassified Information (CUI) requirements.
A critical factor in this success was the involvement of an independent, authorized CMMC 3rd Party Assessment Organization (C3PAO) with specialized expertise in Secure Software Development Lifecycle (SSDLC) and large-scale IT environments. The C3PAO identified compliance gaps and clearly explained the underlying deficiencies, enabling the organization to understand where it fell short and why, laying the groundwork for the firm’s effective remediation aligned with CMMC Level 2 requirements.
About the Organization and Its CMMC Compliance Journey
Attribute | Detail |
---|---|
Industry | Advanced Defense Software & Manufacturing |
Company Size | Over 20,000 employees, multiple CAGE Codes, and a multi-divisional structure |
Key Challenge | Achieving CMMC Level 2 compliance by early 2025 was essential for maintaining eligibility in a high-value defense contract. Certification in CMMC, currently held by few industry peers, provides a compelling competitive advantage. |
CMMC Scope | Five U.S.-based facilities, over 800 users handling CUI, hybrid cloud and on-premises IT infrastructure, manufacturing facilities, and extensive software development environments with custom APIs serving CUI to external DoD customers and partners. |
CMMC Level 2 Challenge: Complexities and Critical Demands
Complexity Area | Description |
---|---|
Urgent, High-Stakes Timeline | Achieving CMMC Level 2 certification was time-sensitive and directly tied to contract eligibility. Delays or failure threatened significant contract loss. |
Complex Environment Requiring Specialized Expertise | The scale and diversity of operations (multiple facilities, large user base, hybrid systems, multiple development pipelines) created daunting assessment challenges. |
Specialized Software Security Needs | Robust Secure Software Development Lifecycle (SSDLC) practices and software security controls were essential for compliance, given the company’s role in delivering advanced software with CUI. |
No Room for Surprises | The high stakes of the DoD contract required assurance that unforeseen issues would not jeopardize the certification timeline. |
Pervasive Sensitive Data | The assessment required validating protections for a wide range of enterprise assets, including source code containing CUI. |
Strategic Two-Phased Assessment Approach for CMMC Compliance
To address these challenges, the company adopted a strategic two-phased assessment approach, ensuring independence and thoroughness throughout the process. An independent, authorized C3PAO with deep SSDLC and manufacturing expertise was instrumental in guiding the organization through both the mock and official assessments, providing the technical rigor and objectivity required for success.
Phase 1: Mock CMMC Assessment Illuminates the Path to Compliance
A mock assessment provided a realistic simulation of the official CMMC Level 2 Certification Assessment. This practice assessment identified and explained deficiencies from an independent perspective, empowering the company to self-remediate and build confidence for the official assessment.
Key Focus Areas
- SSDLC Practices: Ensuring secure handling of CUI within development, including version control, code storage, build pipelines, and software support infrastructure.
- Hybrid Cloud, On-Premises IT and Manufacturing Infrastructure: Addressing the complexities of both Azure GCC High and on-premises environments.
- Comprehensive Documentation: Ensuring all processes, controls, incident reporting, and cloud service provider inheritances were fully documented and compliant with CMMC requirements.
Deficiencies Identified
Deficiency | Description |
---|---|
Missing Software Process Documentation | CUI was present in the source code, but software development and change management procedures were not detailed in the System Security Plan (SSP). |
Incomplete Configuration Baseline | The baseline configuration did not cover all hardware and software assets in the software support infrastructure. |
Undefined CUI Incident Reporting | The SSP lacked a specific incident reporting process for CUI. |
Unsynchronized System Clocks | In-scope system clocks were not synchronized as required. |
Incomplete Cloud Service Provider (CSP) Inheritance Documentation | Some cloud service provider inheritances were not documented. |
Insecure File Sharing System | The file sharing system did not use FIPS-validated cryptography and lacked Multi-Factor Authentication (MFA). |
Inconsistent Vulnerability Scanning | Scanning frequency did not align with established policies. |
Empowered Self-Remediation
Using the detailed findings from the mock assessment, the company implemented targeted improvements and self-remediated the identified deficiencies. This proactive approach ensured alignment with CMMC requirements before the official assessment.
Phase 2: Official CMMC Level 2 Certification Assessment
With self-remediation complete, the company entered the official CMMC Level 2 certification assessment:
- Cross-Functional Engagement: Assessors engaged all relevant stakeholder groups, including IT, security, manufacturing, and software development teams.
- Full Scope Verification: The assessment validated the CUI boundary and scoping documents, confirming inclusion of all applicable systems, users, and third-party vendors.
- SSDLC and Software Environment Evaluation: Assessors reviewed SSDLC practices and interviewed software engineering teams to confirm alignment with CMMC Level 2 requirements.
- Hybrid Cloud and On-Premises Assessment: Compliance was assessed across both environments, including assessment of inherited responsibilities from cloud service providers (CSPs), shared responsibilities, and customer-specific controls, as defined in the CSP’s FedRAMP Customer Responsibility Matrix (CRM).
The Result: CMMC Level 2 Achieved—Ready for Multi-Billion Dollar Contract Recompete
- Perfect SPRS Score: The company’s SPRS score improved from a failing 80 to a perfect 110, validating that all required CMMC practices were met.
- CMMC Level 2 Certification: The company achieved final CMMC Level 2 status, meeting all requirements without conditions or delays.
- Contract Readiness Reaffirmed: Certification reinforced the company’s eligibility in a critical DoD recompete and enhanced its positioning for future CUI-related opportunities.
- Foundation for CMMC Level 3: Achieving Level 2 provides a robust foundation for pursuing Level 3 certification as future needs arise.
Conclusion
This article demonstrates how a large, complex defense contractor can successfully navigate the CMMC Level 2 certification process by using a strategic, multi-phased assessment approach and empowering self-remediation. The lessons learned highlight the value of independent, realistic mock assessments and the importance of cross-functional collaboration and comprehensive documentation. The journey also underscores the value of an independent C3PAO assessment, particularly for organizations facing intricate technical and compliance challenges. The assessment team's specialized expertise in SSDLC and large-scale defense environments was instrumental in identifying gaps that allowed self-remediation, ensuring the organization could confidently achieve certification and secure its standing in the defense industrial base.
By prioritizing these success factors, organizations can overcome compliance challenges, obtain the CMMC Level 2 certification, and unlock new opportunities in the defense industrial base.
About KLC Consulting
KLC Consulting is an Authorized C3PAO specializing in conducting CMMC assessments and providing NIST 800-171 compliance solutions for the Defense Industrial Base (DIB). With over two decades of experience and a team of Cyber AB-authorized Lead Certified CMMC Assessors, KLC Consulting delivers objective, high-quality CMMC Level 2 assessments and readiness services for organizations ranging from Fortune 500s to small subcontractors.
Renowned for transparent communication, empathy, and a collaborative approach, KLC Consulting helps clients navigate complex compliance challenges across multiple CAGE codes, hybrid environments, and extensive CUI requirements. Their comprehensive offerings include gap analysis, remediation planning, mock assessments, and certification assessments, all designed to empower organizations to achieve and maintain DoD cybersecurity requirements efficiently and affordably.