
Client Success Story

The Hardest CMMC Client: Level 2 for a Solo Defense Technology Consultant

A one-person defense consultancy carried the same 110-control burden as a 200-person manufacturer, with none of the capacity. InterSec redesigned its delivery model around a sole operator's reality: shorter documents, self-execution, manual monitoring, and an honest timeline.

CMMC Readiness | Defense Industrial Base | Engagement in progress
110 controls, scoped to a two-laptop environment
A delivery model rebuilt around a sole operator's real capacity, not a textbook's.
The 120-page workbook condensed to 50 pages
Phones and tablets removed from the CUI boundary
A single consolidated procedures document
Client: Solo defense technology consultancy (30+ years)
Sector: Defense Industrial Base
Scope: CMMC Level 2, two laptops, no MSP
Constraint: One person; compliance vs billable time
01

The Challenge

This is the most constrained profile in the CMMC small-business landscape: a leading expert running a one-person practice, with genuine DoD contracts and real CUI obligations, but no IT support and very limited bandwidth alongside active delivery. The standard delivery model was not executable here, yet the requirements were identical to any larger firm: the same 110 controls, the same real CUI, the same November 2026 deadline.

Same 110 controls, one operator
A sole proprietor faces the identical control set as a 200-person manufacturer.
No IT support
Every hour on compliance is an hour not spent on billable technical work.
Relationships to protect
Aggressive demands risked the client relationships sustaining the business for decades.
02

The Approach

InterSec redesigned its delivery approach around the operator's reality, pivoting from a simultaneous build-out of all 110 controls to a prioritized, client-autonomy model. That meant accepting a longer path to full compliance in exchange for a sustainable one.

01. Shift to client autonomy
Put the owner in the execution seat, with InterSec validating rather than taking a hands-on implementation role.
02. Lead with low-disruption controls
Sequence the most impactful, least disruptive controls first.
03. Minimize the time burden
Use shorter documents, self-executed steps with review, and asynchronous feedback wherever possible.
03

The Solution in Practice

The standard 120-page technical controls workbook was condensed to a 50-page guide tailored to a two-laptop environment with no managed services. Live sessions walked the owner through scanning, full-disk encryption, password policy, and CIS hardening. The documentation followed the same logic: a single consolidated operational procedures document rather than a multi-document suite. The CUI environment was stripped to its minimum viable footprint, with phones and tablets explicitly removed from the boundary, CUI kept in the cloud with no local server, and quarterly POA&M reviews documented as the continuous-monitoring mechanism.

A well-documented manual process for a two-laptop environment is more defensible than an enterprise SIEM no one would actually watch.

04

Results & Impact

As of April 2026 the program is progressing on an extended but realistic timeline. Certification is a longer road for a sole proprietor, and InterSec has been candid about that from the start. That honesty is itself part of the service.

The CUI architecture is defined, with phones and tablets removed and disk encryption and CIS hardening applied.
Technical controls are documented through the condensed guide, with screenshot-based evidence collection underway.
The policy framework is simplified to a single operational procedures document.
Manual monitoring is formalized in the SSP, with a quarterly POA&M review cadence.
The model is adapted to client autonomy, with a candid timeline that favors sustainable compliance over forced-pace failure.
05

Key Takeaways

The CMMC burden does not scale down with size
A sole proprietor with two laptops faces the same 110 controls as a 200-person manufacturer. A model that ignores that tension will stall.
Client autonomy fits constrained operators
Putting the owner in the execution seat, with the consultant validating, produces evidence he can actually explain to an assessor.
Documentation must match operational reality
A documented manual process for two laptops is more defensible than a SIEM that never gets read.
Scope reduction is a legitimate strategy
Removing devices from the CUI boundary and keeping CUI off local servers shrinks the assessment surface defensibly.
Honesty about constraints is a service
A program honest about its timeline is worth more than one that overpromises and collapses.
Capabilities Demonstrated
CMMC Level 2 Readiness (NIST SP 800-171) | CUI Scope Reduction | Right-Sized Technical Controls | Consolidated Policy Development | Client-Autonomy Delivery Model

Working With InterSec

Compliance does not get easier when you are the only person in the company.

It gets different, and it needs a model built for that. InterSec prepares the smallest defense contractors for CMMC assessment with programs they can own and sustain. Let's find a pace that works.