Fortinetics

Zero to CMMC Level 2 certification in six months: greenfield IT buildout for a venture-backed startup

A venture-backed software startup preparing to handle Controlled Unclassified Information under a compressed customer timeline (name withheld per engagement confidentiality)

Duration: 6 months
Frameworks: NIST 800-171 Rev 2 · CMMC 2.0 Level 2 · DFARS 252.204-7012 · NIST 800-53 Rev 5 · CIS Benchmarks
Outcome: CMMC 2.0 Level 2 certification achieved six months after kickoff, from a near-zero IT baseline. Production-ready infrastructure operational ahead of the customer's delivery window; enterprise-wide EDR coverage; C3PAO-assessed with no reopened findings; the client's internal IT and security function scaled in parallel through knowledge transfer and staffed hiring.
Fig. (Plate CS-03) · Zero-to-CMMC-Level-2 greenfield IT stack, six-month buildout. Stacked IT and security layers built from a near-zero baseline to CMMC Level 2 certification in six months, each labeled with the month it went live:

Month 0 · Baseline · Near-zero baseline, greenfield: informal cloud accounts, personal-class laptops, no central logging or EDR.
Month 1 · Cloud · M365 GCC + Azure Gov tenants: compliance-tier licensing; CUI workload isolation designed in from day one.
Month 2 · Identity · SSO, MFA, privileged access: FIPS MFA at the boundary, least privilege, PAM, break-glass procedure documented.
Month 3 · Endpoint · EDR/MDR, full-disk encryption, device management: every Windows and macOS endpoint managed; DLP and USB controls; inventory reconciled.
Month 4 · Operations · Centralized SIEM + DFARS 7012 pipeline: 12-month log retention, review cadence, incident response pre-staged to DC3.
Month 5 · Evidence · SSP + POA&M + artifact library: System Security Plan to assessor grade; dry-run audit against the C3PAO checklist.
Month 6 · Assessment · C3PAO assessment: third-party assessment, no reopened findings; certificate issued.

Outcome: CMMC L2 certificate · no reopened findings · assessor-grade SSP · artifact library · knowledge transfer in flight · internal IT + security function staffed during the engagement. Fortinetics: build + assess lead.

The situation

A venture-backed software startup was preparing to handle Controlled Unclassified Information under a customer contract with a compressed timeline. The existing IT environment was minimal — informal cloud accounts, personal-class laptops, ad-hoc access management, no centralized logging, no endpoint detection, no formal security program. The engineering team had strong depth in the product domain but no dedicated IT or security function.

The ask was uncommon in both urgency and scope: rebuild the entire IT and security posture from the ground up and achieve CMMC 2.0 Level 2 certification in six months, without disrupting the product team during the most important customer engagement in the company’s history. Most first-time CMMC Level 2 engagements run nine months from a mature IT baseline. Six months from a near-zero baseline is rare.

The approach

Our engagement compressed the six-phase buildout model — discovery and scoping, architecture, procurement and staging, build and deploy, hardening and documentation, operate and assess — into a six-month envelope by running phases in parallel and pre-committing to sequence decisions before they became blockers.

In discovery, we inventoried the existing environment, defined the target CUI enclave boundary, and mapped the NIST 800-171 Rev 2 domains the environment would need to satisfy. Working directly with the CEO and technical leadership, we scoped the minimum-viable CUI-ready environment and a rollout sequence that protected the critical product workstreams from disruption. C3PAO engagement was booked during this phase — assessor availability was a hard schedule constraint that shaped the rest of the plan.

In architecture and procurement, running partly in parallel, we designed the target cloud architecture — tenant separation for CUI workloads, network and identity controls, Microsoft 365 compliance-tier integration — negotiated the necessary licensing, procured long-lead items, and coordinated subcontractors for physical and network work.

Build and deploy covered the bulk of the engagement. Cloud infrastructure came up first: DNS, virtual networks, compute, databases, application firewalls, with CUI workloads isolated in a dedicated tenant. Identity followed — unique user accounts, SSO federation, MFA for all users, privileged access management. Endpoints — a mix of Windows and macOS — migrated onto unified management with EDR/MDR deployed enterprise-wide. A centralized SIEM came online, ingesting logs from cloud services, endpoints, boundary devices, and identity. Security tooling — email security, web security, password and secret management — integrated with CMMC-appropriate configurations.

Hardening and documentation ran concurrently with deployment. DISA STIG and CIS Benchmark configurations were applied to Windows and cloud resources. A complete policy library was authored, reflecting the CMMC 2.0 Level 2 domain structure. The System Security Plan was drafted to assessor-grade standards. A BYOD policy was aligned with CMMC requirements. An internal training program was built to the team’s technical depth, with completion tracked in a dedicated system.

The final phase — operate and assess — overlapped with C3PAO engagement. The environment needed operational history for the assessor to evaluate operating effectiveness. We ran the environment during this phase, produced evidence continuously as a byproduct of normal operations, and walked the assessor through the evidence package at formal and informal checkpoints. The C3PAO issued certification at the end of month six.

The outcome

CMMC 2.0 Level 2 certification was achieved six months after engagement kickoff, taking the client from a near-zero IT baseline to a C3PAO-assessed, fully certified CUI-handling environment — a timeline that is noticeably faster than the industry norm and, to our knowledge, unusual for a startup of this size and stage.

The environment was operational ahead of the customer’s delivery window. CUI could be received and processed under CMMC-aligned controls. EDR coverage reached near-complete enterprise saturation within the first weeks of rollout. The centralized SIEM was producing actionable alerts by go-live. The client’s internal IT and security function scaled in parallel — during the engagement, multiple operational roles (GRC, IT systems, security engineering, support) transitioned from Fortinetics advisory to the client’s own payroll.

At handoff, the client inherited a documented, operational, assessor-ready environment with runbooks, baseline configurations, an active POA&M, and an internal team capable of continuing operations independently.

What made this engagement fit

Three factors made this the right engagement for Fortinetics’ model:

First, the timeline was non-negotiable but the scope was shapeable. Our six-phase model compressed well because we have run this pattern before — we know which sequencing decisions buy time without compromising the eventual assessment posture, and which ones cannot safely be compressed regardless of pressure. Running architecture and procurement in parallel, pre-booking the C3PAO window as a forcing function, and treating evidence as a byproduct of the build rather than a post-build retrofit were the three compressibility levers that let six months work.

Second, the engagement spanned both build and operate. The client needed the environment running, not just designed. Our willingness to operate the environment through the transition period and the assessment window avoided the typical handoff-to-MSP gap that leaves organizations without coverage during the most critical weeks.

Third, the compliance context was part of the build, not a retrofit. CMMC 2.0 Level 2 controls were designed into the architecture at the earliest stage. Evidence became a byproduct of normal operations, not a reconstructive exercise at audit time. This is the single largest driver of why the assessment closed cleanly — the evidence package was ready by the time the C3PAO arrived because it had been produced continuously during the build.

Commercial structure

The engagement combined a firm fixed-price build contract for the core infrastructure deployment with a time-and-materials operating period through the transition and assessment phases. Engagement pricing is scope-dependent and is defined during a scoping call; we do not publish price lists.

If you’re heading toward a CUI-handling contract and need both the IT stack and the certification at the same time, book a scoping call — thirty minutes, no commitment.
