How a Dallas–Fort Worth woman-owned defense contractor moved from non-compliant to assessor-defensible — and what it means for PE-backed DIB portfolios facing the next 24 months of CMMC enforcement.
- Client: SBA-certified WOSB, Inc. 5000 honoree (5x), Dallas–Fort Worth metroplex
- Revenue: ~$35M, ~85% federal
- Federal portfolio: $38M+ lifetime awards across DLA, GSA, DoD, FBI, DHS, FEMA, plus prime flow-down (Lockheed Martin, Boeing)
- Engagement: Fractional CTO, 9-month monthly retainer
- Scope: CMMC Level 2 self-assessment, NIST 800-171 mapping, SSP authoring support, SPRS remediation
- SPRS movement: −40 → 110 (150-point swing across all 110 controls)
The Situation
The client is a privately-held, founder-led defense supplier in the Dallas–Fort Worth area. Inc. 5000 five years running. Roughly 85% of revenue comes from federal contracts — direct DoD awards, GSA Schedule sales, DLA IDIQs, and prime-contractor flow-down from Lockheed Martin and Boeing.
Like most sub-$50M defense suppliers, the company’s IT footprint grew organically: Microsoft 365, on-premise networking, a small internal IT team, and a long list of practices that pre-date real enforcement of NIST 800-171.
Then November 10, 2025 happened. CMMC Phase 1 went live. Self-assessment scores submitted to SPRS started showing up in contracting officer go/no-go decisions. The company couldn’t ship its next bid without a defensible SPRS score — and an honest assessment of where it stood wasn’t going to clear the bar.
The Challenge
Three pressures stacked on top of each other.
Active contract risk. The company has 16,000+ federal award actions across DLA, GSA, DoD, FBI, DHS, and FEMA. A failed self-assessment doesn’t just block new awards — it puts modification and option-year exercise at risk on existing IDIQs.
Prime flow-down. Lockheed Martin and Boeing now require subcontractor CMMC posture as a condition of staying on the supplier list. Lose that, and a meaningful chunk of revenue goes dark.
No in-house cyber leadership. The internal IT team is operational — they keep the network running. Mapping 110 NIST 800-171 controls and writing a defensible System Security Plan is a different job entirely. The company doesn’t carry a full-time CISO at this revenue band. Nor should it.
The Approach
Vertex CTO Advisory engaged as fractional CTO on a 9-month monthly retainer with a focused CMMC Level 2 scope.
Month 1 — Boundary and asset definition. Defined the CUI (Controlled Unclassified Information) enclave. Most small-business CMMC engagements die here: scoping is either too broad (every endpoint in the company, impossible budget) or too narrow (auditor pushback at the eventual Level 2 third-party assessment). We isolated CUI flows to the federal contract management workflow — email, file storage, ERP integration points — and pulled the rest of the business out of scope.
Months 2–3 — Gap assessment against NIST 800-171 Rev 2. Walked all 110 controls. Built the SPRS scoring spreadsheet. Initial composite SPRS score: −40.
For context: SPRS starts at 110 (every control fully implemented) and subtracts weighted points as controls are missing or partial. −40 means the company was 150 points underwater — dozens of controls were either not implemented or implemented in name only. That’s the normal starting position for a sub-$50M federal supplier that grew its IT footprint organically.
Months 4–5 — Remediation, prioritized by SPRS point value. Quick wins first: MFA on M365 and VPN, centralized logging, documented incident response playbook, removable media controls, FIPS-validated encryption at rest. Then the heavier lifts: CUI network segmentation, continuous monitoring tooling, vulnerability management cadence.
We prioritized by SPRS point weight, not CMMC domain order. A 5-point control implemented in 4 hours buys more breathing room than a 1-point control that takes 4 weeks. Most consultants work the controls alphabetically or by domain — that’s tidy, not effective.
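To make the scoring and prioritization logic above concrete, here is an added worked example: a small SPRS calculator and remediation planner. It is not part of the original case study and not Vertex’s tooling. It assumes the DoD Assessment Methodology’s scoring shape (start at 110, subtract each unimplemented control’s 1-, 3- or 5-point weight; controls 3.5.3 and 3.13.11 allow a reduced 3-point deduction when partially implemented). The control inventory, its weights and the effort-hour estimates are a constructed sample, not the full 110 controls, so any weight should be checked against the published methodology table before use; controls not listed in the inventory are treated as implemented.

```python
"""Added example: SPRS score calculation and point-per-hour remediation ordering.

Assumptions (constructed for illustration, not from the original page):
- Scoring follows the DoD Assessment Methodology: 110 minus the weight of
  each control that is not implemented. Only 3.5.3 (MFA) and 3.13.11
  (FIPS-validated crypto) earn a reduced 3-point deduction when partial;
  a "partial" status on any other control counts as not implemented.
- SAMPLE_CONTROLS is a constructed subset of NIST SP 800-171 controls with
  sample weights and invented effort hours. Unlisted controls are assumed
  implemented, so the score below only reflects the listed ones.
"""
from dataclasses import dataclass
from typing import List, Tuple

MAX_SCORE = 110
VALID_WEIGHTS = {1, 3, 5}
VALID_STATUSES = {"implemented", "partial", "not_implemented"}
# Controls that earn a reduced deduction when partially implemented.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Control:
    ident: str          # NIST SP 800-171 control number, e.g. "3.5.3"
    name: str
    weight: int         # 1, 3 or 5 points per the assessment methodology
    status: str         # implemented | partial | not_implemented
    effort_hours: float  # estimated hours to reach "implemented" (sample value)

    def __post_init__(self):
        if self.weight not in VALID_WEIGHTS:
            raise ValueError(f"{self.ident}: weight must be 1, 3 or 5")
        if self.status not in VALID_STATUSES:
            raise ValueError(f"{self.ident}: unknown status {self.status!r}")


def deduction(c: Control) -> int:
    """Points subtracted from 110 for this control's current state."""
    if c.status == "implemented":
        return 0
    if c.status == "partial" and c.ident in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[c.ident]
    # Partial credit does not exist for other controls: full deduction.
    return c.weight


def sprs_score(controls: List[Control]) -> int:
    """Composite SPRS score for the inventory (can go negative)."""
    return MAX_SCORE - sum(deduction(c) for c in controls)


def prioritize(controls: List[Control]) -> List[Control]:
    """Open controls ordered by SPRS points recovered per hour, highest first.

    This is the page's rule: a 5-point control fixed in 4 hours outranks a
    1-point control that takes 4 weeks, regardless of domain order.
    """
    open_controls = [c for c in controls if deduction(c) > 0]
    for c in open_controls:
        if c.effort_hours <= 0:
            raise ValueError(f"{c.ident}: open control needs a positive effort estimate")
    return sorted(open_controls,
                  key=lambda c: (-(deduction(c) / c.effort_hours), c.ident))


def remediation_plan(controls: List[Control]) -> List[Tuple[str, int, float, int]]:
    """(control, points recovered, hours, projected score) per step, in order."""
    score = sprs_score(controls)
    plan = []
    for c in prioritize(controls):
        score += deduction(c)
        plan.append((c.ident, deduction(c), c.effort_hours, score))
    return plan


# Constructed sample inventory: weights and hours are illustrative only.
SAMPLE_CONTROLS = [
    Control("3.5.3", "Multifactor authentication", 5, "partial", 4.0),
    Control("3.3.1", "Create and retain system audit logs", 5, "not_implemented", 16.0),
    Control("3.6.1", "Incident-handling capability", 5, "not_implemented", 12.0),
    Control("3.8.7", "Control use of removable media", 1, "not_implemented", 4.0),
    Control("3.13.11", "FIPS-validated cryptography for CUI", 5, "partial", 8.0),
    Control("3.13.1", "Boundary protection / CUI segmentation", 5, "not_implemented", 160.0),
    Control("3.12.3", "Continuous monitoring", 5, "not_implemented", 80.0),
    Control("3.11.2", "Vulnerability scanning cadence", 5, "not_implemented", 40.0),
    Control("3.8.4", "Mark media containing CUI", 1, "not_implemented", 160.0),
    Control("3.1.1", "Limit system access to authorized users", 5, "implemented", 0.0),
]

if __name__ == "__main__":
    print("Starting SPRS score:", sprs_score(SAMPLE_CONTROLS))
    for ident, pts, hours, projected in remediation_plan(SAMPLE_CONTROLS):
        print(f"{ident:8} +{pts} pts  {hours:6.1f} h  -> score {projected}")
```

The ordering the planner produces is the practical point: the partial-credit MFA and FIPS items and the incident-handling control come first because they recover the most points per hour, while the 1-point media-marking control with a four-week estimate lands last. The `deduction()` rule also encodes the failure mode assessors flag most often: claiming partial credit on a control that the methodology scores as all-or-nothing.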
Months 6–7 — System Security Plan and POA&M. The client’s leadership authored the SSP with Vertex co-authoring the controls language and reviewing every section for assessor defensibility. This was deliberate: an SSP written by an outside consultant alone usually fails third-party assessment because the company can’t speak to it on the day. The SSP has to live inside the company. Vertex’s job is to make sure it gets written correctly the first time.
A POA&M was built alongside the SSP for the controls still in flight.
Month 8 — SPRS resubmission and final closure. SPRS resubmitted as each high-value control closed. Final composite score: 110. Full implementation across all 110 NIST 800-171 controls.
Month 9 — Knowledge transfer and continuous operations posture. Internal IT team trained on continuous monitoring, quarterly SPRS update cadence, annual SSP refresh, and pre-audit readiness for the eventual Level 2 third-party assessment when contract profile triggers it.
The Result
- SPRS score: −40 → 110. A 150-point swing. The company is now above any contracting officer threshold on active IDIQs, modifications, and new awards.
- All 110 NIST 800-171 controls fully implemented. No POA&M items still open at engagement close.
- SSP written, owned, and defensible by the client’s internal team — not consultant-dependent. They can speak to every control on assessment day.
- Prime-contractor flow-down compliance attestations ready on request from Lockheed Martin, Boeing, and any other prime requiring them.
- Pre-positioned for Phase 2. When third-party Level 2 assessments become mandatory for the company’s contract profile, the SSP and supporting evidence are already at assessor-defensible quality.
Why This Matters for PE-Owned DIB Portfolios
This client is founder-owned. Most companies in this exact operating shape are not — they’re held by middle-market PE funds with defense, aerospace, or government services theses (Arlington Capital, AE Industrial, Veritas, Stellex, J.F. Lehman, Cerberus, Greenbriar, Renovus, Godspeed, and others).
If you’re an operating partner at a fund with DIB exposure in the $20–100M revenue band, here’s what this engagement makes obvious.
Phase 1 has teeth. Self-assessment isn’t optional anymore. SPRS scores are in contracting officer go/no-go decisions today — not “eventually,” today.
Sub-$50M portcos rarely have the in-house team for this. Internal IT is operational, not compliance-trained. CISO bandwidth at this size is a fractional-only purchase. A 9-month fractional engagement runs roughly 10–15% of the cost of a full-time CISO hire — and is faster.
The cost of a failed assessment is multiples of the cost to prepare for it. Every dollar of federal contract revenue at a DIB portco is contingent on CMMC posture. The math at exit gets brutal if a portco is bidding-blocked when a buyer’s diligence team pulls SPRS.
The work scales across a fund’s DIB book. The same SSP/POA&M skeleton, the same NIST 800-171 methodology, the same SPRS workflow apply across portcos with similar contract profiles. A fund-level CMMC roadmap looks very different from a one-portco engagement — and gets you to defensible posture across the portfolio faster and cheaper than running nine independent vendors.
If you have DIB exposure in your portfolio and Phase 1 just snuck up on you, this is a 30-minute conversation, not a six-month project.