Case Study: Achieving CMMC Compliance for a Government Contractor
Overview
A mid-sized government contractor approached Blackhawk MSP to assist in achieving
Cybersecurity Maturity Model Certification (CMMC) compliance. As a critical step in maintaining
eligibility for DoD contracts, the client needed a complete security overhaul aligned with NIST
800-171 and CMMC Level 2 standards.
Challenge
The client had a legacy IT infrastructure with minimal cybersecurity controls. Key issues included:
– Lack of written security policies and procedures
– Unsecured file sharing practices
– Inadequate access controls and user authentication
– No centralized log management or incident response plan
– No domain-level enforcement of security standards
Our Solution
Blackhawk MSP led a phased approach over a year to bring the organization into full
CMMC readiness.
Key initiatives included:
1. Assessment & Gap Analysis
– Full audit against CMMC Level 2 requirements, identifying gaps in physical, technical, and administrative controls.
2. Network & Domain Security Hardening
– Deployed a secured Windows Active Directory domain
– Configured Group Policies for password complexity, screen lock, USB restrictions, and audit logging
– Segmented the network to isolate Controlled Unclassified Information (CUI)
– Implemented 2FA across all endpoints and administrator access
3. Policy & Procedure Development
– Authored and implemented access control, incident response, training, and change management policies
– Established data retention and backup policies
– Delivered security awareness training to all users
4. Vendor & Tool Coordination
– Deployed SIEM, endpoint detection, and vulnerability scanning solutions
– Coordinated with assessors and consultants to validate progress
Outcome
The client successfully passed their third-party readiness assessment and is now positioned for
formal CMMC Level 2 certification. Key results include:
– Fully documented and enforced security policies
– Hardened IT infrastructure and endpoint controls
– Improved incident response readiness
– Maintained eligibility for DoD contracts requiring CMMC compliance

Ryan C. Smith has been doing IT Computer Support since 1996. Since that time, he’s pretty much seen and done everything possible with computers and networks.