CMMC Level 2 Certification for Defense Subcontractor

Engagement Type: CMMC Level 2 Readiness & Advisory
Client: Defense Industrial Base Subcontractor
Engagement Start: January 2024
Certification Achieved: December 2024
Framework: CMMC 2.0 Level 2 (NIST SP 800-171)

Krieger Security partnered with a mid-sized defense subcontractor handling Controlled Unclassified Information (CUI) to prepare for and achieve CMMC Level 2 certification. The client had a partial NIST SP 800-171 implementation, an incomplete System Security Plan, and an initial SPRS self-assessment score that required significant improvement before a C3PAO assessment.


Krieger Security’s CMMC advisory methodology combines gap assessment, Plan of Action & Milestones (POA&M) management, and hands-on implementation support to accelerate readiness and reduce assessment risk.

THE CHALLENGE

The client processed CUI across multiple on-premises and cloud systems with inconsistent access controls, no formal incident response plan, and gaps across 47 of the 110 NIST SP 800-171 practices. Under the DoD Assessment Methodology, where a fully implemented baseline scores 110 and each unimplemented practice deducts 1, 3, or 5 points, this produced a negative SPRS score and an immediate risk of losing DoD contract eligibility.

The organization also lacked dedicated cybersecurity staff, requiring Krieger Security to serve as a virtual CISO throughout the engagement and coordinate with the client’s IT team on technical implementation of required controls.

THE STRATEGY

Krieger Security conducted a full NIST SP 800-171 assessment against all 110 practices, developed a prioritized remediation roadmap, and authored a compliant System Security Plan (SSP), POA&M, and all required supporting policies and procedures.

Our team implemented multi-factor authentication, endpoint detection and response (EDR) tooling, and CUI data flow controls across the client’s environment. We coordinated with a C3PAO to conduct a pre-assessment readiness review, enabling the client to achieve CMMC Level 2 certification with no Practice Deficiencies.

THE CHALLENGE

Remediating 47 control gaps while maintaining operational continuity and meeting active DoD contract obligations on an 11-month timeline.


CLIENT’S TESTIMONIALS

Krieger Security provided dedicated vCISO support throughout the engagement, conducting monthly POA&M reviews and coordinating with leadership on remediation priorities. All 110 CMMC Level 2 practices were addressed, resulting in a successful C3PAO assessment and full certification.

Benjamin Tickle, Project Manager