Taking the pain out of CMMC Level 2 certification

Snapshot

Businesses working with U.S. Government data must fulfill CMMC Level 2 requirements to secure and keep Defense contracts. CMMC 2.0 sets a high bar, requiring a total of 110 security controls and scoring a full 110 points. If a company handles Controlled Unclassified Information (CUI), skipping these measures is not an option. Failure to maintain compliance jeopardizes vital Defense deals.

A world-spanning shipping company recently turned to Kalles Group for help completing the CMMC Level 2 certification process. While they only handled some U.S. Government work, the contracts were valuable enough to justify the time and cost of compliance. They wanted an expert plan to meet CMMC 2.0 Level 2 requirements and register a strong SPRS score, so that an official CMMC audit would run smoothly. Thanks to targeted advice from Kalles Group, the business gained the clarity to push through CMMC assessment and audit readiness steps without wasted money or guesswork.


Challenge

The CMMC 2.0 model is mandatory for all contractors and subcontractors tied to the Defense Industrial Base. Achieving a CMMC compliance audit for Level 2 means mastering 17 FCI controls plus an extra 93 CUI requirements from NIST SP 800-171. Each neglected control leads to failure. On top of that, the business must also prove that any partners in the chain abide by the same stringent guidelines, intensifying the challenge.

In this case, the shipping company discovered the scope was bigger than they thought. Not only did they need to handle the main business unit, but they also had to include a group of affiliated enterprises that shared core IT systems. If even one sub-company did not meet the needed standard, everything would fail. Timing was tight as well: the upcoming contract renewal with the DoD was approaching, and CMMC auditors were in short supply nationwide. Missing the window to schedule an audit or scoring too low on the Supplier Performance Risk System (SPRS) would seriously harm future Defense revenue.

Approach

Kalles Group’s CMMC Consultant began by doing an in-depth review of the entire environment that touched DoD data. This involved mapping every piece of software, each cloud platform, and all staff who handle that data. They categorized the information into FCI or CUI, then traced how it flowed through the 12 different companies. This process was key to creating an accurate scope for a CMMC 2.0 Sanitization approach and setting up the business for a CMMC compliance audit.

Next, Kalles Group ran a gap analysis comparing the current posture to the NIST SP 800-171 controls. If a sub-company missed specific measures like strong identity management or tested backups, it showed up in the gap summary. The result was a straightforward list of what needed to be done, how critical each step was, and how it fit the schedule. The final portion was building a timeline that recognized their limited resources and the short timeframe to get an official CMMC assessment and audit. By laying out tasks in an orderly manner, the shipping business could knock out top risks first and move closer to meeting CMMC Level 2 requirements.

Syncing with business owners and shaping a formal strategy
Kalles Group led a Town Hall with key stakeholders, laying out what CMMC Level 2 involves along with the required tasks. They explained the difference between a self-assessment for a simpler scenario and a formal third-party review as part of a CMMC compliance service. The client learned how to isolate DoD data if needed and ways to prevent overhead. This synergy across the entire group kept the project on track and gave them confidence that they could eventually request a formal audit with a passing SPRS score above +88.

Results

By the end of the engagement, the shipping group had a sharper understanding of how to get CMMC Level 2 certification. They recognized which controls were already in good shape and where they lacked coverage. They also saw whether separate enclaves or partial segmentation made sense. This saved them from sinking money into misguided guesses. Instead, they had a documented plan that aligned with each of the CMMC 2.0 Level 2 requirements.

Second, they gained the ability to manage sub-companies more effectively. Because a single breakdown in one affiliate could jeopardize the entire CMMC audit, Kalles Group’s guidance let them unify their approach so that each entity had consistent security settings. Tools were set in place for CMMC compliance services that track daily progress. This introduced a new sense of accountability across leadership teams that once operated on their own. The client was on track to continue with the official CMMC compliance audit while minimizing the risk of failing the entire process.

Third, the group avoided repeating mistakes or paying for multiple attempts at certification. They used a formal readiness approach, ensuring each sub-company tackled the must-have tasks before scheduling expensive CMMC auditors. This not only saved money but also reduced stress about looming deadlines.

Ready for CMMC Success?

Want to remove the complexity from CMMC Level 2 certification? Get in touch with Kalles Group consultants to build a tailored plan for CMMC assessment and audit. Contact us today to learn how we can streamline your CMMC compliance service, and guide you in meeting CMMC 2.0 Level 2 requirements.

 
