Skip to main content
New InterSec is now ISO/IEC 42001 certified for AI management systems Read the announcement
Book a Call
Security Architecture & Engineering
Cybersecurity Advisory
Threat & Vulnerability Management
Compliance Services
Managed Security Services
Cyber Workforce Development
The Company
How We Engage
Capability Statement

Download our Capability Statement for a complete view of InterSec.

Download Now
Learn & Apply
Research & Outcomes
News & Updates ISO/IEC 42001 Certified

The latest milestones, trends, and analysis from the InterSec team.

Read the latest

Client Success Story

From an SPRS Score of -203 to Assessment-Ready: Multi-Site CMMC Level 2 for a Navy Ship-Repair Prime

A Navy ship-repair prime with five dispersed sites and no structured security program started at an SPRS score of -203. InterSec sequenced five parallel workstreams and moved the score to -95 in six weeks, on track toward assessment readiness.

Download the Case Study Read the Story
CMMC Readiness Defense Industrial Base Engagement in progress
108 pts
SPRS-point gain in six weeks
From a -203 baseline to -95, on track to clear +100 before the pre-assessment.
Asset inventories validated across all five sites
MSP responsibilities documented in a shared matrix
Sequenced toward the November 2026 deadline
Client
Navy ship-repair prime (since mid-1980s)
Sector
Defense Industrial Base
Scope
CMMC Level 2 across 5 sites + GCC High
Starting point
SPRS -203, now -95 in six weeks
01

The Challenge

The company entered the engagement with no structured cybersecurity program and an SPRS score of -203, a baseline where most required controls are simply not yet in place. The complications stacked up, and none of this was a single-site problem with a single-site answer.

Five physical environments
Five dispersed sites with inconsistent security postures rather than one.
An undefined MSP boundary
Responsibility between the company and its MSP was not yet defined.
A GCC High migration
The CUI environment required a move to GCC High, alongside a mixed permanent and contract workforce.
02

The Approach

InterSec ran the engagement on a biweekly cadence and organized the work into five parallel workstreams, so progress did not stall waiting on any one track. The sequencing decision drove the early results.

01
Run five parallel workstreams
Policy, technical remediation, asset and site inventory, MSP coordination, and the GCC High migration advanced together.
02
Lead with high-impact, low-effort controls
Start with personnel security, policy, and account management to build score momentum and show tangible progress fast.
03
Give regional managers accountability
Clear site-level ownership kept each location moving rather than waiting on headquarters.
03

The Solution in Practice

The five workstreams ran across policy development, technical remediation, asset and site inventory, MSP coordination, and the GCC High migration. Asset inventories were validated across every location rather than assumed, so the scoping reflected what was actually deployed. The MSP relationship was documented into a clear responsibility matrix, settling who owned logging, monitoring, patching, and access control before an assessor could ask. A shared task-management platform kept the geographically dispersed teams aligned on what was due and who owned it.

Across dispersed sites, the real deployed footprint is what the scope has to reflect, so inventories were validated at every location, not assumed.

04

Results & Impact

As of April 2026 the program has moved fast from a deeply negative baseline toward assessment readiness.

The SPRS score climbed from -203 to -95 in roughly six weeks, a steep early trajectory.
The program is targeting a score above +100 before the formal pre-assessment.
Asset inventories are validated across all five sites, giving the scope a real foundation.
The MSP's responsibilities are documented in a shared matrix, closing a common audit gap.
The work is sequenced toward the November 2026 deadline, with site teams accountable through a shared task platform.
05

Key Takeaways

Multi-site is a force multiplier for complexity
Five locations mean five physical environments and five sets of habits. A single-site plan does not scale to them.
Score velocity matters early
Leading with high-impact, lower-effort controls builds momentum and shows an organization that the work is moving.
Validate asset inventories, do not assume them
Across dispersed sites, the real deployed footprint is what the scope has to reflect.
Define the MSP boundary before the assessor does
A documented responsibility matrix closes one of the most common and avoidable gaps.
Distributed teams need shared accountability
Regional ownership and a shared task platform keep dispersed sites moving in step.
Capabilities Demonstrated
CMMC Level 2 Readiness (NIST SP 800-171)Multi-Site Scoping & Asset InventoryGCC High Migration PlanningMSP Responsibility MappingPolicy & Evidence Development

Working With InterSec

A negative SPRS score and five sites is a hard place to start.

But a sequenced, multi-track program turns it into measurable progress. InterSec prepares dispersed defense contractors for CMMC assessment and builds momentum where it counts. Let's map your path.

Book a Call Download This Case Study

More Case Studies

Explore related work

View all
CMMC Readiness Defense Industrial Base
When the MSP Is the Risk: CMMC Level 2 for a Specialty Metals Supplier
Read case study
CMMC Readiness Defense Industrial Base
Right-Sizing CMMC Level 2 for a Small Navy Industrial-Services Contractor
Read case study
CMMC Readiness Defense Industrial Base
Building a CMMC Program from Near-Zero for a Defense and Aerospace R&D Manufacturer
Read case study