Case Study: Achieving CMMC Compliance for a Government Contractor
Overview
A mid-sized government contractor approached Blackhawk MSP for assistance in achieving
Cybersecurity Maturity Model Certification (CMMC) compliance. As a critical step in maintaining
eligibility for DoD contracts, the client needed a complete security overhaul aligned with NIST
800-171 and CMMC Level 2 standards.
Challenge
The client had a legacy IT infrastructure with minimal cybersecurity controls. Key issues included:
– Lack of written security policies and procedures
– Unsecured file sharing practices
– Inadequate access controls and user authentication
– No centralized log management or incident response plan
– No domain-level enforcement of security standards
Our Solution
Blackhawk MSP led a phased approach over a year to bring the organization into full
CMMC readiness.
Key initiatives included:
1. Assessment & Gap Analysis
– Full audit against CMMC Level 2 requirements, identifying gaps in physical, technical, and administrative controls.
2. Network & Domain Security Hardening
– Deployed a secured Windows Active Directory domain
– Configured Group Policies for password complexity, screen lock, USB restrictions, and audit logging
– Segmented the network to isolate Controlled Unclassified Information (CUI)
– Implemented 2FA across all endpoints and administrator access
3. Policy & Procedure Development
– Authored and implemented access control, incident response, training, and change management policies
– Established data retention and backup policies
– Delivered security awareness training to all users
4. Vendor & Tool Coordination
– Deployed SIEM, endpoint detection, and vulnerability scanning solutions
– Coordinated with assessors and consultants to validate progress
Outcome
The client successfully passed their third-party readiness assessment and is now positioned for
formal CMMC Level 2 certification. Key results include:
– Fully documented and enforced security policies
– Hardened IT infrastructure and endpoint controls
– Improved incident response readiness
– Maintained eligibility for DoD contracts requiring CMMC compliance