Journey to Achieve CMMC L2 Certification

Defense Software Leader Secures CMMC Level 2

By Kyle Lai, President and CISO of KLC Consulting

Lead CMMC Certified Assessor (CCA)
CISSP, CSSLP, CISA, CDPSE, CIPP/US, CIPP/G, ISO 27001 Lead Auditor

How A Defense Contractor Navigated the CMMC Certification Process

This CMMC implementation strategy article details how a large, advanced defense software and manufacturing company successfully navigated the CMMC Level 2 certification process. The company overcame compliance challenges to secure its standing in a multi-billion-dollar Department of Defense (DoD) contract recompete. The journey highlights the importance of a well-planned, multi-phased approach to CMMC assessment and remediation, especially for organizations with complex operational environments and extensive Controlled Unclassified Information (CUI) requirements.

A critical factor in this success was the involvement of an independent, authorized CMMC 3rd Party Assessment Organization (C3PAO) with specialized expertise in Secure Software Development Lifecycle (SSDLC) and large-scale IT environments. The C3PAO identified compliance gaps and clearly explained the underlying deficiencies, enabling the organization to understand where it fell short and why, laying the groundwork for the firm’s effective remediation aligned with CMMC Level 2 requirements.

About the Organization and Its CMMC Compliance Journey

Industry: Advanced Defense Software & Manufacturing
Company Size: Over 20,000 employees, multiple CAGE Codes, and a multi-divisional structure
Key Challenge: Achieving CMMC Level 2 compliance by early 2025 was essential for maintaining eligibility in a high-value defense contract. Certification in CMMC, currently held by few industry peers, provides a compelling competitive advantage.
CMMC Scope: Five U.S.-based facilities, over 800 users handling CUI, hybrid cloud and on-premises IT infrastructure, manufacturing facilities, and extensive software development environments with custom APIs serving CUI to external DoD customers and partners.

CMMC Level 2 Challenge: Complexities and Critical Demands

Complexity Area | Description
Urgent, High-Stakes Timeline | Achieving CMMC Level 2 certification was time-sensitive and directly tied to contract eligibility. Delays or failure threatened significant contract loss.
Complex Environment Requiring Specialized Expertise | The scale and diversity of operations (multiple facilities, large user base, hybrid systems, multiple development pipelines) created daunting assessment challenges.
Specialized Software Security Needs | Robust Secure Software Development Lifecycle (SSDLC) practices and software security controls were essential for compliance, given the company’s role in delivering advanced software with CUI.
No Room for Surprises | The high stakes of the DoD contract required assurance that unforeseen issues would not jeopardize the certification timeline.
Pervasive Sensitive Data | The assessment required validating protections for a wide range of enterprise assets, including source code containing CUI.

Strategic Two-Phased Assessment Approach for CMMC Compliance

To address these challenges, the company adopted a strategic two-phased assessment approach, ensuring independence and thoroughness throughout the process. An independent, authorized C3PAO with deep SSDLC and manufacturing expertise was instrumental in guiding the organization through both the mock and official assessments, providing the technical rigor and objectivity required for success.

Phase 1: Mock CMMC Assessment Illuminates the Path to Compliance

A mock assessment provided a realistic simulation of the official CMMC Level 2 Certification Assessment. This practice assessment identified and explained deficiencies from an independent perspective, empowering the company to self-remediate and build confidence for the official assessment.

Key Focus Areas

  • SSDLC Practices: Ensuring secure handling of CUI within development, including version control, code storage, build pipelines, and software support infrastructure.
  • Hybrid Cloud, On-Premises IT and Manufacturing Infrastructure: Addressing the complexities of both Azure GCC High and on-premises environments.
  • Comprehensive Documentation: Ensuring all processes, controls, incident reporting, and cloud service provider inheritances were fully documented and compliant with CMMC requirements.

Deficiencies Identified

Deficiency | Description
Missing Software Process Documentation | CUI was present in the source code, but software development and change management procedures were not detailed in the System Security Plan (SSP).
Incomplete Configuration Baseline | The baseline configuration did not cover all hardware and software assets in the software support infrastructure.
Undefined CUI Incident Reporting | The SSP lacked a specific incident reporting process for CUI.
Unsynchronized System Clocks | In-scope system clocks were not synchronized as required.
Incomplete Cloud Service Provider (CSP) Inheritance Documentation | Some cloud service provider inheritances were not documented.
Insecure File Sharing System | The file sharing system lacked FIPS validation and Multi-Factor Authentication (MFA).
Inconsistent Vulnerability Scanning | Scanning frequency did not align with established policies.

Empowered Self-Remediation

Using the detailed findings from the mock assessment, the company implemented targeted improvements and self-remediated the identified deficiencies. This proactive approach ensured alignment with CMMC requirements before the official assessment.

Phase 2: Official CMMC Level 2 Certification Assessment

With self-remediation complete, the company entered the official CMMC Level 2 certification assessment:

  • Cross-Functional Engagement: Assessors engaged all relevant stakeholder groups, including IT, security, manufacturing, and software development teams.
  • Full Scope Verification: The assessment validated the CUI boundary and scoping documents, confirming inclusion of all applicable systems, users, and third-party vendors.
  • SSDLC and Software Environment Evaluation: Assessors reviewed SSDLC practices and interviewed software engineering teams to confirm alignment with CMMC Level 2 requirements.
  • Hybrid Cloud and On-Premises Assessment: Compliance was assessed across both environments, including assessment of inherited responsibilities from cloud service providers (CSPs), shared responsibilities, and customer-specific controls, as defined in the CSP’s FedRAMP Customer Responsibility Matrix (CRM).

The Result: CMMC Level 2 Achieved—Ready for Multi-Billion Dollar Contract Recompete

  • Perfect SPRS Score: The company’s SPRS score improved from a failing 80 to a perfect 110, validating that all required CMMC practices were met.
  • CMMC Level 2 Certification: The company achieved final CMMC Level 2 status, meeting all requirements without conditions or delays.
  • Contract Readiness Reaffirmed: Certification reinforced the company’s eligibility in a critical DoD recompete and enhanced its positioning for future CUI-related opportunities.
  • Foundation for CMMC Level 3: Achieving Level 2 provides a robust foundation for pursuing Level 3 certification as future needs arise.

Conclusion

This article demonstrates how a large, complex defense contractor can successfully navigate the CMMC Level 2 certification process by leveraging a strategic, multi-phased assessment approach and empowering self-remediation. The lessons learned highlight the value of independent, realistic mock assessments and the importance of cross-functional collaboration and comprehensive documentation. The journey also shows the value of an independent C3PAO assessment, particularly for organizations facing intricate technical and compliance challenges. The assessment team’s specialized expertise in SSDLC and large-scale defense environments was instrumental in identifying gaps that allowed self-remediation, ensuring the organization could confidently achieve certification and secure its standing in the defense industrial base.

By prioritizing these success factors, organizations can overcome compliance challenges, obtain the CMMC Level 2 certification, and unlock new opportunities in the defense industrial base.

About KLC Consulting

KLC Consulting is an Authorized C3PAO specializing in conducting CMMC assessments and providing NIST 800-171 compliance solutions for the Defense Industrial Base (DIB). With over two decades of experience and a team of Cyber AB-authorized Lead Certified CMMC Assessors, KLC Consulting delivers objective, high-quality CMMC Level 2 assessments and readiness services for organizations ranging from Fortune 500s to small subcontractors.

Renowned for transparent communication, empathy, and a collaborative approach, KLC Consulting helps clients navigate complex compliance challenges across multiple CAGE codes, hybrid environments, and extensive CUI requirements. Their comprehensive offerings include gap analysis, remediation planning, mock assessments, and certification assessments, all designed to empower organizations to achieve and maintain DoD cybersecurity requirements efficiently and affordably.

Want to Know How Much a CMMC Assessment Costs?

Check out our YouTube channel and LinkedIn pages for the latest informational and educational resources for Cybersecurity Maturity Model Certification.

CMMC Day 2025 Case Study

In-Person Presentation
Monday, May 5th, 2025
1:50PM EST
