Situation
A 22-person UAV subcontractor needed a practical path to CMMC-aligned controls while continuing product delivery and customer pilots.
Approach
- Defined a narrow CUI boundary to avoid over-scoping.
- Sequenced identity, endpoint, and evidence controls as phase-one priorities.
- Built SSP and POA&M artifacts in parallel with technical remediation.
- Set a weekly operating cadence with engineering and leadership owners.
Outcomes
- Execution roadmap delivered in under 30 days.
- Evidence quality improved from ad hoc to review-ready artifacts.
- Risk-based POA&M backlog gave leadership clear timeline tradeoffs.
- Procurement conversations shifted from uncertainty to a documented plan.