
Client Success Story

Validating and Rebuilding a Legacy CMMC Program for a Navy Ship-Preservation Subcontractor

A ship-preservation subcontractor under new ownership inherited a five-year-old compliance baseline and a pending platform decision. InterSec validated the legacy program, ran a structured CUI-tool evaluation, and rebuilt on a clean cloud foundation.

CMMC Readiness | Defense Industrial Base | Engagement in progress
110
Target SPRS, nearly double the inherited 60
An unvalidated 2020 baseline, reviewed and rebuilt on a FedRAMP-authorized cloud.
A four-workstation, VLAN-isolated CUI architecture
The CUI platform chosen after a structured evaluation
MSP responsibilities documented for an assessor
Client
Navy ship-preservation subcontractor (since late 1980s)
Sector
Defense Industrial Base
Scope
CMMC Level 2, four CUI workstations
Starting point
Inherited 2020 SPRS ~60, target 110
01

The Challenge

This engagement carried a dimension most do not. The company entered with a prior compliance baseline, an SPRS score of roughly 60 from a 2020 audit, but under new ownership that had inherited the program without full knowledge of how it was built or how current it remained. It was not starting from zero; it needed to validate, update, and rebuild confidence in a program that existed on paper but had gaps in practice.

An unvalidated baseline
New owners inherited a 2020 program without knowing how it was built or how current it was.
A legacy email server
An on-premise email server predating modern CUI handling sat in scope.
An open platform decision
The CUI management platform was undecided, and policy and technical work could not finalize until it was.
02

The Approach

The first principle was validation before acceleration: a 2020 baseline is a starting point, not a guarantee. The second was to give the technology decision its own phase, holding the policy and technical tracks until the platform question was settled in exchange for a clean execution phase with no rework.

01
Validate before accelerating
Treat the legacy documentation as a draft requiring review rather than a foundation ready to extend.
02
Give the platform its own phase
Hold policy and technical work until the CUI platform is chosen, to avoid building on the wrong foundation.
03
Be the implementation partner
Serve as both advisor and hands-on partner for a single client-side program owner.
03

The Solution in Practice

The platform decision came out of a structured evaluation of two cloud CUI options, judged on FedRAMP status, audit readiness, shared-responsibility clarity, Microsoft 365 integration, cost at a four-user scope, and CMMC track record rather than vendor marketing. The FedRAMP-authorized, M365-integrated option won. With it set, the architecture crystallized: four dedicated CUI workstations isolated on a separate VLAN, a firewall managing the network boundary and VPN, the platform handling CUI email and files in the cloud, and the MSP engaged against a documented question set and a shared-responsibility matrix.

Keeping CUI in the cloud rather than on local servers simplifies the compliance boundary, so the legacy on-premise email server was flagged for migration.

04

Results & Impact

As of March 2026 the program has moved from an unvalidated 2020 baseline to a structured, modern effort built on the right foundation, targeting an SPRS score of 110.

The CUI platform has been selected after a structured evaluation and is piloting with six users.
A four-workstation, VLAN-isolated architecture is defined, with firewall-managed VPN logging and cloud CUI management.
The 2020 baseline has been reviewed and updated under new ownership, with the SSP and POA&M refreshed.
The MSP's responsibilities are documented, with a question set covering logging, patching, and remote access.
The policy suite is in active development, written to match the company's actual environment.
05

Key Takeaways

Inheriting a program requires validation first
New owners who did not build a program cannot vouch for it. Validate what exists before building on it.
Technology selection deserves its own phase
Building a policy and technical program before the platform is chosen invites rework. Resolve it first.
Simplifying the boundary reduces assessor risk
Moving CUI to the cloud and retiring legacy on-premise systems shrinks the assessment surface.
MSP documentation must be proactive
Defining shared responsibility before an assessor asks is a common, avoidable failure mode.
Complex engagements need a longer window
An involved starting position needs timeline flexibility, paired with milestones that hold accountability.
Capabilities Demonstrated
CMMC Level 2 Readiness (NIST SP 800-171)
Legacy Baseline Validation
CUI Platform Evaluation
CUI Architecture Design
MSP Responsibility Mapping

Working With InterSec

An inherited program and an open platform decision are where wrong assumptions get expensive.

InterSec prepares defense contractors for CMMC assessment, validates what you already have, and rebuilds on a foundation that will hold. Let's review where you stand.