Case Studies · Defense Industrial Base · Anonymized
Small Defense Prime Gets Assessor-Ready Without Compliance Theater
Situation
A small defense subcontractor (~85 employees, CMMC Level 2 target) needed to demonstrate readiness before a prime contract renewal. Previous consultants had produced generic policy templates with little connection to their actual environment. Leadership needed evidence an assessor would accept — not paperwork for paperwork's sake.
Engagement
Blackbox delivered a phased CMMC Readiness engagement:
- Gap assessment against NIST 800-171 Rev 2 controls mapped to their actual systems
- System Security Plan (SSP) written for their environment — not a template swap
- Plan of Action & Milestones (POA&M) with prioritized remediation and owners
- Evidence collection support for assessor interview prep
- Remediation guidance on identity, logging, and configuration hardening
Outcome
The client entered C3PAO assessment with documented controls, a defensible SSP, and closed POA&M items for their highest-risk gaps. Blackbox did not claim certification — we prepared them to demonstrate real operational security to an assessor. Follow-on work included a scoped internal pen test to validate identity and boundary controls.