Client Success Story

Building a CMMC Program from Near-Zero for a Defense and Aerospace R&D Manufacturer

A small R&D manufacturer doing mission-critical defense and space work had the contracts but no documented security program and a non-compliant cloud. InterSec sequenced a from-scratch CMMC Level 2 build against a firm November 2026 deadline.

CMMC Readiness | Defense Industrial Base | Engagement in progress
14 control families now under a live policy framework
A from-near-zero CMMC Level 2 build, sequenced against a firm November 2026 deadline.
User accounts rationalized from 44 to roughly 24
GCC architecture defined and license count right-sized
A live evidence repository with templates for every artifact
Client: Small defense & aerospace R&D manufacturer
Sector: Defense Industrial Base
Scope: CMMC Level 2; commercial M365 to GCC
Deadline: November 2026 (Level 3 to follow)
01 The Challenge

A hard November 2026 deadline sat in the company's existing and pipeline contracts, and this was a build from near-zero. Documented policies did not exist, network diagrams were incomplete, asset inventories were inaccurate, and several challenges interlocked at once.

Near-zero documentation
No policies across the fourteen control families, and no data-flow map ready for an assessor.
A non-compliant cloud
A commercial Microsoft 365 environment was unsuitable for CUI under CMMC.
A costly migration
GCC quotes came in at 1,500 to 2,000 dollars per user before right-sizing.
02 The Approach

InterSec's approach was deliberately practical, meeting the company where it was rather than where a textbook assumed it should be. Four concurrent workstreams ran through recurring biweekly meetings and a shared evidence repository.

01 Sequence by control-family risk
Start with Access Control and Awareness and Training, then layer in the technical and physical domains, rather than confronting all 110 controls at once.
02 Put the client in the policy seat
The internal compliance lead owned the drafting with InterSec reviewing, which moved faster than outsourcing the writing.
03 Plan the GCC migration early
Evaluate cost-effective options, right-size the license footprint, and identify the automation rebuild before it was discovered mid-migration.
03 The Solution in Practice

A shared SharePoint environment became the central evidence repository, with a GRC platform loaded for live SPRS scoring and templates for the fifty-plus required artifacts. Baseline work rebuilt the fundamentals: inventories, network diagrams, data-flow maps, a defined CUI boundary, and an Active Directory cleanup. The GCC workstream handled tenant setup with a government-cloud partner and a subdomain strategy that kept familiar identities while enforcing CUI segregation, and technical remediation covered encryption, least-privilege access, audit logging, and vulnerability scanning.

An existing ISO 9001 documentation culture gave the from-scratch CMMC build a real head start, so the job became mapping and aligning rather than building from zero.

04 Results & Impact

As of April 2026, with the deadline seven months out, the program has moved from nonexistent to structured and progressing.

A policy framework is initiated across all fourteen control families.
The GCC architecture is defined and the license count right-sized.
The user scope is rationalized from 44 accounts to roughly 24, with CUI boundaries defined.
A shared evidence repository is live, with templates for every required artifact.
Technical gaps are mapped with remediation assigned, and a Level 3 roadmap is identified for 2028.
05 Key Takeaways

Start the GCC conversation early
Migration cost and complexity are routinely underestimated. Quotes of 1,500 to 2,000 dollars per user, before right-sizing, are common. Early scoping prevents budget shock.
Policy ownership accelerates everything
A client who owns the procedures, with the consultant in review mode, moves faster and is better prepared to face an assessor.
ISO 9001 is an asset, not a distraction
An existing documentation culture gives a from-scratch CMMC build a real head start.
Subcontractor flow-down is easy to miss
Raising it early lets a company assess supply-chain exposure before it becomes a late-stage gap.
Scoring visibility drives behavior
A live SPRS trajectory turns abstract compliance work into tangible progress leadership can track.
Capabilities Demonstrated
CMMC Level 2 Readiness (NIST SP 800-171)
GCC Migration Planning
CUI Scoping & Account Cleanup
Policy & Evidence Development
Technical Remediation

Working With InterSec

A near-zero start and a hard deadline is a hard combination, but a manageable one.

A sequenced program makes it work. InterSec prepares defense and aerospace contractors for CMMC assessment and builds the evidence trail that holds up. Let's map your path.