
CMMC Level 2 Certification Program for Cornerstone Consulting Organization
Enabling a Veteran-Owned Defense Industrial Base Consulting Firm to Protect CUI and Secure DoD Contract Eligibility Through Full CMMC 2.0 Compliance
Cornerstone Consulting Organization (CCO) is a Toledo, Ohio-based consulting firm that has built a reputation for hands-on operational excellence in manufacturing environments. Founded in 2015, CCO deploys experienced consultants directly into client operations, helping manufacturers increase throughput, reduce waste, compress cycle times, and improve profitability. Through their affiliate companies, Premier Staffing Solution (PSS) and Just-In-Time Staffing (JITS), CCO also provides skilled trades professionals, engineers, and production operators to manufacturing facilities nationwide.
CCO is a certified Service-Disabled Veteran-Owned Small Business (SDVOSB), and its leadership team brings decades of experience from Fortune 500 manufacturing operations. The company's 'anti-consultant' philosophy — embedded execution rather than detached recommendations — has delivered billions in documented savings for their clients.
As CCO expanded its work with defense manufacturers and prime contractors supporting Department of Defense (DoD) programs, a new requirement emerged. Defense industrial base (DIB) clients increasingly required their consulting partners to demonstrate CMMC compliance. Without certification, CCO risked losing access to its fastest-growing market segment.
The Challenge
The Problem
CMMC 2.0 Level 2 requires implementation of all 110 security practices defined in NIST SP 800-171 Revision 2. For a consulting firm like CCO, this presented a challenge distinct from a typical manufacturer's CMMC journey.
CCO's consultants do not work in a single facility. They deploy to client sites across the country, often for months at a time. They access client systems, use client-issued devices in some engagements and CCO-issued devices in others, and handle CUI that belongs to the client but transits through CCO's communication and collaboration tools. The 'system boundary' for CUI handling was not a single office network in Toledo — it was a distributed environment spanning CCO's headquarters, remote consultant locations, client facilities, and the cloud services connecting them all.
The initial gap assessment revealed significant work ahead. CCO had standard business cybersecurity controls, but these fell far short of NIST SP 800-171 requirements. The assessment identified gaps in 73 of the 110 required practices. Key areas of non-compliance included access control, audit and accountability, identification and authentication, incident response, media protection, and system and communications protection.
The timeline pressure was real. CCO had received a letter from a major prime contractor stating that consulting partners handling CUI would need to demonstrate CMMC Level 2 readiness within six months. Failure to comply would result in exclusion from future task orders.
Our Approach
4 Phases. 16 weeks.
Flynaut's OneProtect team scoped CUI data flows across CCO's distributed consulting model, implemented all 110 NIST SP 800-171 practices using a Microsoft 365-centric architecture, built comprehensive policy documentation, and guided CCO through assessment preparation with zero POA&M items.
CUI Scoping & System Boundary Definition
3 weeks
Traced every CUI data flow across CCO's distributed consulting model: CUI received from clients, created by consultants during engagements, stored in CCO systems, transmitted between parties, and destroyed at engagement completion. Defined the CUI boundary: Microsoft 365 tenant, CCO-issued devices, VPN infrastructure, and specific cloud applications.
Most small organizations get CMMC wrong by scoping too broadly or too narrowly. We reduced CCO's compliance footprint by documenting out-of-scope systems (marketing site, staffing platform, accounting) without creating gaps.
Technical Controls Implementation
6 weeks
Implemented all 110 NIST SP 800-171 practices across 14 control families. Deployed Microsoft Entra ID with conditional access and MFA, Microsoft Sentinel as the centralized SIEM, Intune for device management with BitLocker/FileVault encryption, Purview for sensitivity labels and DLP, and always-on VPN for remote consultants.
All 14 shared/generic accounts were eliminated. USB storage is blocked by policy. Email containing CUI is automatically protected through sensitivity labels that enforce encryption and prevent forwarding.
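As an added illustration of the conditional access control described above (not CCO's or Flynaut's own configuration), the following Microsoft Graph PowerShell snippet creates an Entra ID policy that requires MFA for every user on every cloud app. The policy name and the emergency-access group ID are assumptions; the policy is created in report-only mode so sign-in logs can be reviewed before enforcement.

```powershell
# Added example, not the project's own code. Requires the Microsoft.Graph
# PowerShell SDK (Install-Module Microsoft.Graph.Identity.SignIns).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the break-glass group that stays outside the policy
$breakGlassGroupId = "<OBJECT-ID-OF-EMERGENCY-ACCESS-GROUP>"

$policy = @{
    displayName = "CA001 - Require MFA for all users (CUI boundary)"   # assumed name
    # Report-only first; switch to "enabled" once the sign-in log review is clean
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # emergency-access accounts only
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Verification: list every policy that grants access only with MFA
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.BuiltInControls -contains "mfa" } |
    Select-Object DisplayName, State
```

Legacy authentication clients cannot satisfy an MFA grant, so pair this policy with one that blocks them before moving to the enforced state.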
Policy, Documentation & Training
4 weeks
Developed the System Security Plan (SSP) documenting every practice, CUI handling procedures for field consultants, and role-specific security awareness training. Conducted two tabletop exercises: a compromised consultant laptop and a phishing attack targeting engagement managers. Quarterly phishing simulations were established.
The goal of zero POA&M items at assessment time was achieved. Initial phishing simulation click rate: 6.1%, trending down with quarterly reinforcement.
Assessment Readiness & Validation
3 weeks
Conducted a comprehensive pre-assessment simulating C3PAO methodology. Reviewed every control implementation, tested every technical safeguard, examined every policy document, and interviewed staff to verify practices were understood and followed. The pre-assessment found 4 minor documentation clarifications and 2 technical adjustments, all resolved within one week.
CCO achieved full compliance with all 110 NIST SP 800-171 practices with zero POA&M items at actual assessment.
The Results
Performance That Speaks
Metric                          | Before            | After                              | Change
NIST SP 800-171 Practices Met   | 37 of 110         | 110 of 110                         |
POA&M Items                     | N/A               | Zero                               |
MFA Coverage                    | 0%                | 100%                               |
CUI Data Flows Mapped           | None documented   | 100% mapped & protected            |
Shared/Generic Accounts         | 14                | Zero                               |
Encrypted Devices               | 62%               | 100%                               |
SIEM/Log Monitoring             | None              | 24/7 (Sentinel + OneProtect)       |
Incident Response Plan          | None              | Documented & tested (2 exercises)  |
Phishing Simulation Click Rate  | Not measured      | 6.1% (trending down)               |
Time to Certification Readiness | N/A               | 16 weeks                           |
Within 60 days of achieving CMMC readiness, CCO secured three new defense manufacturing consulting engagements contingent on compliance. Combined contract value: $4.2 million over 18 months. The prime contractor who issued the compliance ultimatum expanded CCO's scope of work, citing their security posture as a differentiator.
Technology
The Stack
Reflections
What This Project Taught Us
CMMC for consulting and staffing firms presents a unique scoping challenge that most CMMC guidance — written for manufacturers with fixed facilities — does not adequately address. CCO's consultants are nomadic by design. Defining the CUI boundary for this operating model required creative thinking and close collaboration with CCO's engagement management team.
The Microsoft 365 ecosystem (Entra ID, Intune, Purview, Defender, Sentinel) proved to be a remarkably effective CMMC compliance platform for small and mid-size organizations. The integrated nature of the Microsoft stack delivered full NIST SP 800-171 coverage at a cost point that was sustainable for a company of CCO's size.
CCO's leadership framed the CMMC investment not as a compliance burden but as an extension of their service to the defense industrial base. As a veteran-owned company whose consultants work daily to strengthen America's manufacturing capacity, protecting the CUI they handle is a continuation of the service ethic that defines their culture. That framing transformed what could have been an adversarial compliance project into an organizational commitment.
