Client Success Story

When the MSP Is the Risk: CMMC Level 2 for a Specialty Metals Supplier

A specialty alloys supplier had a mature quality culture but no cybersecurity program, and an MSP that could not produce CMMC evidence. InterSec turned a mid-engagement MSP change into a compliance gain and built a clean four-user CUI environment.

CMMC Readiness
Defense Industrial Base
Engagement in progress
200+
Evidence items rationalized to a prioritized set
A specialty alloys supplier rebuilt on a CMMC-capable foundation after a mid-engagement MSP change.
MSP transition complete, now producing compliance-ready evidence
A four-user, VLAN-isolated CUI environment with GCC
AS9100D quality processes mapped to CMMC controls
Client
Specialty metals supplier (50+ years)
Sector
Defense Industrial Base
Scope
CMMC Level 2, four CUI users, GCC
Key event
Mid-engagement MSP transition
01

The Challenge

The company came in with something most CMMC clients lack: a genuine quality-management culture under AS9100D. What it did not have was a cybersecurity program, and specifically an IT and managed-services foundation capable of supporting CMMC Level 2. Two months in, a fork appeared.

No security program
Documentation and process discipline existed, but cybersecurity controls did not.
An MSP that fell short
The provider could not show CMMC depth in change logging, incident response, or GCC.
Segmentation gaps
The network segmentation to isolate CUI users on a dedicated VLAN was missing.
02

The Approach

The guidance was unequivocal: a mid-engagement transition is preferable to a post-certification reassessment triggered by MSP control failures. The deeper lesson sits underneath it: an MSP's ability to produce evidence is a compliance question, not just an IT one, and verbal assurances do not satisfy it.

01
Resolve the MSP dependency first
Switch while the artifacts and responsibility boundaries were not yet finalized, which was cleaner than switching after.
02
Design the CUI architecture deliberately
Keep it small, intentional, and defensible, exactly what assessors want to see.
03
Build the artifacts in parallel
Develop policy and evidence concurrently rather than in sequence.
03

The Solution in Practice

InterSec coordinated the MSP recommendation, and a CMMC-capable provider was selected and integrated into the biweekly cadence from day one, arriving with immediately usable evidence in EDR, managed firewall, and SIEM log management. The team then designed a clean CUI environment: four dedicated workstations on their own VLAN, a separate CUI printer, USB blocking via the EDR platform, GCC for CUI email and storage, and no local storage for CUI. The evidence list was cut from more than two hundred items to a prioritized subset tracked in a GRC platform.

The company's existing AS9100D processes, supplier controls, change management, and audit discipline, were mapped directly to CMMC controls, which cut the net-new documentation burden considerably.

04

Results & Impact

As of April 2026 the program has moved from a standing start to a structured, evidence-backed effort with clear ownership across every control domain.

The MSP transition is complete, with change management, SIEM, EDR, and incident response all producing compliance-ready evidence.
A four-user, VLAN-isolated CUI environment is defined, with GCC confirmed for segregation.
Existing quality-management processes were mapped to CMMC controls, reducing duplicated documentation.
The artifact list was rationalized to a prioritized set tracked with real-time control mapping.
A clear responsibility matrix now spans the client, the MSP, and the project-management partner.
05

Key Takeaways

MSP selection is a compliance decision
The provider's ability to produce evidence is as important as its technical capability. Vet CMMC readiness before signing, not after.
A mature quality framework accelerates CMMC
Documented processes and audit familiarity transfer directly to policy. The job becomes mapping, not building from zero.
A small CUI footprint is an advantage
Scoping CUI access to exactly the users who need it shrinks the assessment surface and makes the program more defensible.
Track changes in the SSP from day one
Letting physical or infrastructure changes outpace documentation creates audit risk.
Evidence rationalization is a morale multiplier
A two-hundred-item list paralyzes a team. A prioritized, visible subset keeps it moving.
Capabilities Demonstrated
CMMC Level 2 Readiness (NIST SP 800-171)
MSP Capability Assessment
CUI Architecture Design
Policy & Evidence Development
Quality-Framework Mapping

Working With InterSec

If your program is only as strong as an MSP nobody vetted for CMMC, that is a risk worth surfacing now.

InterSec prepares manufacturers for CMMC assessment and makes sure the foundation underneath holds. Let's talk.