
Client Success Story

Right-Sizing CMMC Level 2 for a Small Navy Industrial-Services Contractor

A small shipyard-services contractor with no IT staff faced a CMMC Level 2 requirement written into an active Navy contract. InterSec built a lean, defensible self-assessment program a two-person team could run and keep running.

CMMC Readiness
Defense Industrial Base
Engagement in progress
SPRS self-assessment target: 110
A right-sized CMMC Level 2 program a two-person team can run and sustain.
A lean CUI footprint: two laptops, under ten devices
The full policy suite near complete
Hands-on enablement so the client can sustain it
Client: Small Navy industrial-services contractor
Sector: Defense Industrial Base
Scope: CMMC Level 2, self-assessment, two CUI laptops
Engagement: Milestone-based, tied to SPRS score
01

The Challenge

A Navy contract surfaced with an explicit CMMC Level 2 requirement, and the company had no prior cybersecurity program, no dedicated IT staff, and a tight budget. The hard part was organizational rather than technical: how to build a credible, auditor-ready program for a two-person team running a hands-on industrial business without swamping daily operations.

No program or IT staff
Skilled tradespeople, not IT professionals, ran the business.
A tight budget
An expensive enterprise stack was never an option.
Operations come first
Compliance could not become a burden that swamped the daily work.
02

The Approach

InterSec, a Cyber AB Registered Practitioner Organization, structured the work around three principles and pointed every biweekly session at moving the SPRS score forward, finding the next highest-impact artifact gap rather than getting lost in the full control catalog.

01
Keep it lean
Choose the self-assessment path and scope the CUI environment to the absolute minimum.
02
Make it milestone-driven
Tie the payment schedule to reaching SPRS scores of 70 then 100, aligning accountability with outcomes.
03
Build for sustainability
Pick tools the team can actually own and maintain after the engagement ends.
03

The Solution in Practice

The infrastructure reflected the reality of a lean team: two dedicated, encrypted CUI laptops with locked-down configurations, a small-office firewall with segregated Wi-Fi, free and low-cost vulnerability scanning suited to under ten devices, a GCC subdomain for CUI email, and manual log review documented to satisfy the controls instead of a SIEM the team would never run. Live working sessions walked the client's IT lead through credentialed scanning, validation scripts, and firewall setup, turning weeks of stalled implementation into productive hours.

For a company without IT staff, the difference between stalled and progressing is often a single live working session, so enablement, not documentation alone, was the priority.

04

Results & Impact

As of April 2026, the program is on track toward a self-assessment SPRS submission in the 100 to 110 range. More important than the number, it is a program the team can run without outside hands on the keyboard.

A lean CUI architecture is built and documented.
The full policy suite is near complete, with the SSP and POA&M tracked in a GRC platform.
The milestone model kept the client responsive, because the next payment depended on measurable progress.
Hands-on enablement means the client can sustain its own program.
Subcontractor flow-down obligations were identified early, before they became a late-stage gap.
05

Key Takeaways

Right-sizing the path is strategy, not a shortcut
A full third-party audit would have been disproportionate here. Steering a client to the right path is part of the job.
Milestone pricing changes client behavior
When the next payment depends on measurable progress, data calls get answered and artifacts get uploaded.
Lean teams need hands-on enablement
For a company without IT staff, a single live working session is often the difference between stalled and progressing.
Fold compliance into infrastructure changes
A network upgrade documented as it happens produces better evidence than retroactive notes.
Flow-down is a small-contractor blind spot
As enforcement cascades down the defense supply chain, it reaches every contractor regardless of size.
Capabilities Demonstrated
CMMC Level 2 Readiness (NIST SP 800-171)
CUI Scoping
Self-Assessment & SPRS
Policy & Evidence Development
Technical Enablement

Working With InterSec

A small team and a tight budget are not reasons to over-build a program.

InterSec prepares defense contractors for CMMC assessment with a program scaled to how they actually operate. Talk to us about a right-sized readiness engagement.