Case Study | May 11, 2026

How a DoD Contractor Closed 47 CMMC Gaps in 90 Days

A mid-size aerospace supplier needed Level 2 certification to retain contracts. Here's how we scoped, assessed, and remediated their environment — on time.

By Veteran Strategic Team

When a 300-person aerospace supplier came to us, they had 47 unresolved CMMC controls and a 90-day window before their contract renewal assessment. Their IT team was stretched thin, and their previous consultant had delivered a 200-page report with no prioritized remediation path.

The Challenge

The contractor handled controlled unclassified information (CUI) across three facilities but had no formal incident response plan, incomplete access controls, and gaps in their media protection policies. Their SSP was outdated, and their POAM lacked realistic timelines.

Our Approach

We started with a rapid scoping engagement: three days on-site, interviewing each facility's system administrators and mapping every CUI data flow. We then produced a prioritized remediation matrix organized by impact and effort, not by control-number order.

Over the next 80 days, our team embedded two days per week alongside their IT staff. We didn't just tell them what to fix — we configured their M365 tenant for compliance, wrote their IR playbooks, and trained their team on continuous monitoring.

The Result

The contractor passed their C3PAO assessment with zero major findings. But the number that mattered most: their System Security Plan now lives in a maintained internal wiki, not a forgotten SharePoint folder. Their team owns the process.

"For the first time, I actually understand what our compliance posture looks like." — VP of Operations
