Fortinetics

CMMC Level 2 certification with a perfect 110/110 assessor score for a defense subcontractor

A defense subcontractor handling Controlled Unclassified Information, pursuing CMMC Level 2 certification ahead of contract flow-down requirements (name withheld per engagement confidentiality)

Duration
8 months
Frameworks
CMMC 2.0 Level 2 · NIST SP 800-171 Rev 2 · DFARS 252.204-7012 · DFARS 252.204-7021
Outcome
Perfect 110/110 assessor score at first C3PAO-assessed CMMC Level 2 engagement. Certification achieved in 2025 with no reopened findings during the assessment window. Client entered contract award cycle with current certification in hand.
[Figure, plate CS-02: CMMC Level 2 CUI enclave architecture with evidence-as-byproduct pipeline. Identity with MFA at the boundary, endpoint and EDR coverage inside, centralized SIEM with retention, and a sidecar evidence pipeline that produces assessor-ready artifacts as a byproduct of operations. Zones and panels shown in the diagram:
PUBLIC INTERNET · CUSTOMER NETWORKS; Corp M365 tenant (non-CUI, commercial tier); CUI ENCLAVE BOUNDARY.
IDENTITY · MFA · SSO: FIPS-validated MFA; conditional access; least-privilege roles; PAM / break-glass.
ENDPOINT · EDR/MDR: managed Windows + macOS; full-disk encryption; EDR agent with kernel telemetry; DLP policy + USB controls.
CUI WORKLOAD · M365 GCC · AZURE GOV: CUI storage exclusively here; GCC-High mail + SharePoint; Azure Gov VMs, FIPS-enabled; tenant + data residency US-only.
SIEM · LOGS · RETENTION: 12-month retention, online/offline tiers; correlation rules per AC / AU / IR; scheduled review cadence; DFARS 7012 incident pipeline.
EVIDENCE AS BYPRODUCT: auto-artifact from native events; traceability to SSP statements; ready for C3PAO without rebuilding.
Footer: CERTIFIED CMMC LEVEL 2 · 110/110 · 8-MO. ENGAGEMENT · NO REOPENED FINDINGS · CLIENT NAME WITHHELD.]
Fig. CUI enclave architecture that yielded a 110/110 CMMC Level 2 assessor score. The evidence pipeline on the right runs as a sidecar of normal operations.

The situation

A defense subcontractor handling Controlled Unclassified Information on existing DoD contracts faced the CMMC Phase 2 transition: by contract flow-down timing, a Level 2 C3PAO-issued certificate would be required at the time of the next contract award in their pipeline. The organization had existing IT infrastructure — cloud tenants, identity systems, endpoint management, a logging pipeline — but had been operating under DFARS 252.204-7012 self-attestation rather than formal CMMC certification.

The gap was not a missing IT stack. The gap was the combination of: controls implemented but not all documented to assessor standard, evidence captured but not organized for a formal assessment, policies present but not all aligned to the CMMC practice statements, and no experience with the C3PAO assessment format itself.

The engagement was scoped as an end-to-end CMMC Level 2 readiness and certification support — gap analysis, remediation, documentation, and walking the organization through the formal assessment.

The approach

The engagement ran an eight-month program with the assessment window booked at the back end. Bookings with C3PAOs typically need to be made months in advance given assessor capacity constraints, and anchoring the program to a committed assessment date created the forcing function that kept the preparation on track.

Months 1–2 — Gap analysis and architecture review. We assessed all 110 NIST 800-171 Rev 2 controls against the existing environment. Controls fell into three buckets: fully implemented with evidence (about half), partially implemented or weakly documented (a substantial portion), and missing or deficient (a smaller remainder). The gap analysis output became the remediation roadmap.

Months 2–5 — Remediation and documentation. In parallel, our team closed the implementation gaps — MFA coverage expansion, logging retention alignment, configuration management formalization, personnel security documentation — while authoring the System Security Plan, policy library, and supporting documents to the level of detail a C3PAO assessor expects. Every control implementation description was specific, traceable, and supported by an operational evidence source.

Months 5–6 — Evidence pipeline and operational rigor. The most consequential work was ensuring that the organization’s operations produced CMMC-grade evidence continuously rather than assembling artifacts reactively. Access reviews, configuration changes, incident response activations, training completion records, vulnerability remediation — each flowed through a system of record that the assessor could inspect directly. By the time the assessment began, evidence retrieval was measured in minutes rather than hours.

Month 7 — Internal dry-run and remediation. A full dress-rehearsal assessment, conducted internally against the C3PAO’s assessment criteria, surfaced residual gaps. These were closed before the real assessment began.

Month 8 — C3PAO engagement. Our team supported the organization through the formal assessment — assessor interviews, technical demonstrations, evidence walk-throughs, and response to the C3PAO’s information requests. The assessment closed with all 110 practices rated fully satisfied.

What made this engagement fit

Existing infrastructure with documentation gap. The organization had built functional IT; what it lacked was the assessor-grade documentation and evidence discipline that turn functional IT into certifiable compliance. Our engagement model is built around this exact gap: implementation is the minority of the work; the majority is the architectural, documentation, and operational rigor that turns implementation into certification.

Committed assessment date as anchor. Booking the C3PAO engagement early created forward pressure that kept the preparation on schedule. Programs that delay C3PAO booking until “readiness” often find that readiness slips to match the unscheduled assessment window. Our sequencing puts the assessment on the calendar first and works backward.

Evidence-as-byproduct discipline. By the time the C3PAO arrived, we had no reconstructive work to do. Every control’s evidence was where it was supposed to be, generated by the operations that the policies described. The assessment was a walk-through, not a scramble.
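The evidence-as-byproduct discipline described in Months 5–6 and in the paragraph above can be made concrete: native operational events are tagged with the NIST SP 800-171 practice and SSP statement they support, hashed at capture, filtered to the retention window, and indexed per practice so coverage gaps surface before an assessor asks. The following is an added example, not the engagement's tooling; the event types, source names and SSP references are assumptions, and the sample events are constructed.

```python
"""Evidence-as-byproduct index: map native operational events to NIST SP 800-171
Rev 2 practices and SSP statements. Hypothetical example, not the engagement's tooling."""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping: event type -> (800-171 practice ID, SSP statement it supports).
# Practice IDs are real 800-171 Rev 2 identifiers; the SSP references are invented.
EVENT_TO_PRACTICE = {
    "mfa_policy_enforced":     ("3.5.3",  "SSP-IA-03"),
    "access_review_completed": ("3.1.1",  "SSP-AC-01"),
    "change_approved":         ("3.4.3",  "SSP-CM-03"),
    "incident_ticket_opened":  ("3.6.2",  "SSP-IR-02"),
    "vuln_remediated":         ("3.11.3", "SSP-RA-03"),
    "training_completed":      ("3.2.2",  "SSP-AT-02"),
}
REQUIRED = sorted({p for p, _ in EVENT_TO_PRACTICE.values()})

def build_evidence_index(events, as_of, retention_days=365):
    """Group in-window events by practice; hash each so the assessor can confirm
    the artifact is unchanged since capture. Returns (index, unmapped event types)."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=retention_days)
    index, unmapped = defaultdict(list), set()
    for ev in events:
        if datetime.fromisoformat(ev["ts"]) < cutoff:
            continue  # older than the 12-month retention tier: not usable evidence
        if ev["type"] not in EVENT_TO_PRACTICE:
            unmapped.add(ev["type"])  # event no SSP statement claims; review the mapping
            continue
        practice, ssp_ref = EVENT_TO_PRACTICE[ev["type"]]
        canonical = json.dumps(ev, sort_keys=True).encode()
        index[practice].append({"ssp_ref": ssp_ref, "source": ev["source"], "ts": ev["ts"],
                                "sha256": hashlib.sha256(canonical).hexdigest()})
    return dict(index), sorted(unmapped)

def coverage_gaps(index):
    """Practices the SSP claims but for which no in-window artifact exists."""
    return [p for p in REQUIRED if p not in index]

# Constructed sample events (not client data); one is stale, one is irrelevant.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T09:00:00", "type": "mfa_policy_enforced", "source": "conditional-access"},
    {"ts": "2025-04-15T14:30:00", "type": "access_review_completed", "source": "access-reviews"},
    {"ts": "2024-01-10T10:00:00", "type": "change_approved", "source": "change-board"},
    {"ts": "2025-05-02T08:00:00", "type": "vuln_remediated", "source": "vuln-scanner"},
    {"ts": "2025-05-20T11:00:00", "type": "printer_toner_low", "source": "helpdesk"},
]

if __name__ == "__main__":
    idx, unknown = build_evidence_index(SAMPLE_EVENTS, "2025-06-01T00:00:00")
    print(json.dumps(idx, indent=2), "unmapped:", unknown, "gaps:", coverage_gaps(idx))
```

Run against the constructed events as of 2025-06-01, the stale change approval falls outside the window, the helpdesk event is reported as unmapped, and three claimed practices show up as coverage gaps to chase before the dry-run.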

Outcome

Perfect 110/110 assessor score. All 110 NIST 800-171 Rev 2 practices rated fully satisfied on first assessment. No findings requiring reopening during the assessment window. Certification issued on schedule in 2025, with the organization able to enter its next contract award cycle with a current CMMC Level 2 certificate in hand.

The client retained the policy library, SSP, evidence pipeline, and operational runbooks as living artifacts — not one-time assessment artifacts. Continuous monitoring operates on the same evidence infrastructure that supported the initial assessment, positioning the organization cleanly for its surveillance audits and eventual recertification.

Commercial structure

The engagement was structured as a firm fixed-price readiness and certification support program, with milestone-based invoicing tied to gap analysis delivery, documentation completion, dry-run execution, and final certification. Engagement pricing is scope-dependent and is defined during a scoping call; we do not publish price lists.


If your situation rhymes with this engagement, book a thirty-minute scoping call — we’ll give you an honest read on the runway and what the engagement would look like.
