Case Study
[Client Name — Utah Manufacturer]
A Defense Industrial Base (DIB) manufacturer needed CMMC 2.0 Level 2 readiness before a prime-contract renewal. We built the stack, documented the evidence, and handed them an audit-ready environment in 120 days.
The challenge
What brought them to us.
A prime contractor notified the client that continued work on their DoD program would require CMMC 2.0 Level 2 assertion at the next renewal — roughly six months out.
The client had an internal IT generalist but no one with experience reading NIST SP 800-171 controls, building a System Security Plan, or producing evidence for an assessor.
Email, file share, and production-floor engineering workstations all touched Controlled Unclassified Information (CUI). None of those environments were segmented, logged, or documented.
The solution
What we actually did.
Ran a 2-week gap assessment against all 110 NIST SP 800-171 Rev. 2 controls, produced a prioritized remediation plan, and mapped each control to an owner and the evidence that supports it.
Deployed the Gravity managed cybersecurity stack: EDR on every endpoint touching CUI, 24/7 human-led SOC, managed ITDR on the Microsoft 365 tenant, centralized SIEM logging, and phishing-resistant MFA for privileged accounts.
Re-architected the file share and engineering environment into a segmented CUI enclave with access-control boundaries, logging, and documented data-flow diagrams.
Wrote the System Security Plan (SSP) and Plan of Action & Milestones (POA&M) documents, trained the internal IT lead on maintaining evidence, and ran a mock assessment with a certified C3PAO-adjacent reviewer.
The result
The measurable outcome.
The internal pre-assessment came back clean at Level 2 — no critical gaps, a handful of minor POA&M items on a documented remediation schedule.
The client retained the prime-contract relationship at renewal and was invited to bid on an additional program that required Level 2 as a prerequisite.
Ongoing managed-services engagement continues to operate the controls and update the SSP/POA&M quarterly — so the client isn't rebuilding evidence six months before the next assessment window.
“[Placeholder quote — replace with client's own words.] We came in thinking CMMC was a paperwork exercise we could push to our IT generalist. Gravity made it clear that the controls had to actually run, and then they ran them. We kept the contract — and we've got a partner who keeps us ready for the next assessment instead of scrambling.”