How a $20M+ Manufacturer Achieved CMMC Readiness, Migrated to GCC High, and Cut Over a New ERP in Under 12 Months

The Challenge

Our client, a $20M+ precision manufacturer, identified a major growth opportunity in the defense supply chain — but the contract required CMMC certification, GCC High for controlled unclassified information (CUI), and an audit-ready production environment. Their existing IT footprint was not built for that level of scrutiny: • A flat network with no segmentation between front-office, shop floor, and engineering • Aging on-prem servers with no real redundancy or documented disaster recovery • A legacy ERP that could not enforce role-based access or support CUI handling • Email and file sharing in commercial Microsoft 365, not GCC High • No formal policies, SSP, or POA&M to present to a C3PAO They had a hard window: stand up a CMMC-aligned environment and complete an ERP cutover before the new contract kicked in — under 12 months, with zero production downtime.

Our Approach

TRNSFRM led the engagement end-to-end using our IT Resilience Framework: Assess, Build, Transform. Assess • Full CMMC Level 2 gap assessment against NIST SP 800-171 • Mapped every data flow touching CUI across email, ERP, file shares, and engineering systems • Built the System Security Plan (SSP), POA&M, and policy stack from scratch Build — Secure, Redundant Infrastructure • Designed and deployed a new core network with redundant firewalls, switches, and ISPs • Segmented the environment into purpose-built VLANs: corporate, engineering/CUI, shop floor / OT, guest, and management — each with explicit allow-list firewall rules • Hardened identity with conditional access, MFA everywhere, and privileged access workflows • Stood up redundant on-prem and cloud backup with tested restore runbooks GCC High Migration • Migrated mailboxes, Teams, OneDrive, and SharePoint from commercial M365 into GCC High • Rebuilt collaboration and CUI-handling workflows inside the GCC High tenant • Implemented data labeling, DLP, and conditional access policies aligned to NIST 800-171 ERP Cutover • Replaced the legacy ERP with a modern platform integrated into the segmented CUI enclave • Migrated master data, BOMs, routings, and historical transactions with parallel validation • Trained operators, schedulers, and finance on the new system before go-live • Executed a single-weekend cutover with no missed shipments the following Monday

The Outcome

In under 12 months, the client moved from a flat, undocumented network to a fully segmented, CMMC-aligned environment running on GCC High with a new ERP — without losing a single production day. • CMMC Level 2 readiness achieved and assessment-ready, with a complete SSP and POA&M • 100% of CUI workloads migrated into GCC High • Network re-architected into 5 segmented VLANs with redundant firewalls and ISPs • ERP cutover completed in a single weekend with zero missed customer shipments • Unlocked the new defense market and the associated revenue opportunity on schedule The client now operates on infrastructure built for the work they actually do — regulated, redundant, and ready to scale.

Services Delivered

• Cybersecurity Operations
• Governance & Compliance
• Managed IT
• vCIO

Related resources

Book Your Strategy Call Today

No pressure. No sales pitch. Just a conversation with an expert to map out your risks, gaps, and next steps toward compliance and security.

Walk away with a written risk snapshot. No NDA, no sales pitch — or we'll send you a $50 Amazon gift card.

Not ready to book? Get Your Cyber Score — free, 2 minutes.