CyberAutopsySHIELD · COMPLIANCE
INDUSTRIES

Where CUI lives, we sit.

CMMC is one standard; the playbook to reach it is not. The path for a $20M subcontractor with one prime is not the path for a $3B systems integrator. We pattern our engagements to the operating reality.

SECTOR · PRI

Prime Contractors

You set the flow-down standard. Mistakes are visible.

Primes are now answerable to contracting officers for the CMMC posture of their subcontractor base. The CUI boundary you defend is no longer just your own. We help primes build supplier intake programs that surface SPRS scores, draft compliant teaming agreement language, and rehearse the C3PAO posture across the supply chain.

Typical engagement profile
  • $500M to $5B+ annual DoD revenue
  • 10 to 200 subcontractors with CUI flow-down
  • CISO + Contracts + Supply Chain stakeholder triangle

SECTOR · SUB

Subcontractors

The 7021 clause just landed in your inbox.

Most subcontractors discover CMMC the day a prime sends them a flow-down notice. The 14 families do not get easier because you are smaller; in practice, they get harder because the assumed infrastructure is not present. We collapse the program down to the minimum viable enclave for sub-scale teams, often using a dedicated GCC-High tenant or a hardened workstation pattern.

Typical engagement profile
  • $1M to $50M annual revenue
  • Single contracting officer, often single prime
  • IT often outsourced; CISO function distributed

SECTOR · MFG

Defense Manufacturers

Your shop floor is in scope. Most are.

Manufacturers are the highest-risk industry profile under CMMC because operational technology, contract drawings, and CAD files routinely qualify as CUI. We design enclaves that protect engineering data without halting production. CNC programming, ERP integration, and vendor portals all get scoped carefully.

Typical engagement profile
  • ITAR-controlled drawings and technical data
  • OT/IT convergence challenges
  • Multi-site operations with varied IT maturity

SECTOR · SAAS

SaaS Providers in the DoD Supply Chain

You are an External Service Provider. The rules are different.

SaaS firms whose products store, process, or transmit CUI for DoD customers are External Service Providers under the rules. Your customers will require evidence of your security posture, often demanding FedRAMP Moderate equivalency or higher. We position SaaS providers for both the CMMC ESP role and the underlying FedRAMP path where required.

Typical engagement profile
  • FedRAMP Moderate or High equivalency required
  • Multi-tenant boundary justification needed
  • Continuous monitoring and POA&M discipline expected

SECTOR · EDU

Universities with CUI

Federally funded research is on the line.

Universities are an under-served corner of the CMMC ecosystem and the most painful, because the campus network model conflicts directly with the CUI enclave model. We work with research VPs and CIOs to design segregated research enclaves that protect federally funded research without rewriting institutional networks.

Typical engagement profile
  • DARPA, ONR, or AFRL research awards
  • Federated identity and BYOD complications
  • Decentralized governance across colleges and labs

NEXT STEP

Not sure which profile fits you?

A 15-minute triage call answers it. Bring your CAGE code and the most painful solicitation on your desk.

Book a Contract Risk Audit →