by Samantha Christensen
Content Strategist, E-N Computers
20+ years in IT support, plus a journalism background — translating complex technology into clear writing for business audiences.
A small Virginia defense contractor went from IT sprawl to a perfect CMMC security score — which has allowed them to win contracts even before their official certification.
On April 14, 2026, our client submitted a Level 2 self-assessment score of 110 out of 110. They’ve scheduled their third-party assessment for early 2027, but their perfect score already won them a contract in June 2026. When they first came to us, the client’s SPRS score was below zero.
E-N Computers is a managed IT services provider and a CMMC Registered Practitioner Organization based in Virginia and primarily serving defense contractors across Virginia, DC, and Maryland. Neither we nor our client treated CMMC as a project to finish and check off. It was built into how the company ran its IT.The perfect score, and the contracts it won, were the result.
This case study is about an engineering firm, with CAD systems, controlled data, and a server room full of one-off setups. But the pattern applies to any small contractor that handles controlled unclassified information (CUI): compliance is continuous, it touches your whole IT setup, and it can’t be added at the end.
QUICK ANSWER:
How did a Virginia defense contractor reach CMMC compliance?
A small Virginia defense contractor reached a perfect 110 out of 110 CMMC Level 2 SPRS score and began winning contracts before completing third-party certification. Working with a single provider for both managed IT and CMMC compliance kept their score current, saved roughly $1,500 a month versus separate vendors, and let them raise their score quickly when a contract required it.
Table of Contents
- One team for IT and compliance
- Compliance is a process, not a fix
- A stalled score costs a contract
- Trimming back the tech sprawl
- Growing into a better design system
- The very expensive GCC mistake
- What it takes to do a GCC High migration right
- Dropping an expensive tool
- Don’t wait for the deadline to find you
One team for IT and compliance
CMMC has been a moving target for defense contractors since 2019, and most small subcontractors are still working through the basics. This contractor had an advantage: a managed IT provider that also handled CMMC compliance, so the same team that kept the lights on was building toward the audit.
Compliance can only move as fast as the business can absorb change. A small company can’t replace every system in a quarter and still get work done, so E-N Computers sequenced it — roughly one major project a year. A VoIP phone system one year, a computer and server refresh the next, multi-factor authentication across the company, a GCC High migration, and audit preparation. Each project moved the business forward and moved it closer to compliance at the same time.
Running both under one team also saved money — about $1,500 a month versus buying compliance services separately. And the client could move fast when it counted. When the SPRS score needed to improve quickly to qualify for a contract, no handoff between an MSP and an outside consultant slowed things down.
“The right hand and the left hand knew what they were doing,” said Ian MacRae, president of E-N Computers. “Having one team improved communication and timeliness, which at times was critical. We were able to quickly update those scores and stay on the same page.”
Compliance is a process, not a fix
Many businesses treat compliance as a series of one-off fixes that land on “the compliance guy” to solve. MacRae compares it to food safety. If you find a hair in your food at a restaurant, you don’t call the health inspector to fix it. You start with the process — are hands being washed, is everyone wearing a hair net?
“Compliance is integrated into the process,” MacRae said. “When I’m solving the problem of working from home, I’m also solving the problem of network gear, and I’m also solving the problem of the VPN configuration. You can’t just throw the compliance cherry on top. You start with the process.”
That’s also why compliance can’t be settled in a single transaction and set aside. A client who treats it as a one-time fix can find out the hard way what that costs.
A stalled score costs a contract
A SPRS score determines whether a company can be awarded work — the higher the score, the more contracts it qualifies for. Early on, a manager on the client’s side wanted CMMC handled like a single purchase: one signature, one price, done by the end of the quarter. He kept asking why the work wasn’t finished yet.
“He just wanted a single sign-off on one large project to deliver the car tomorrow,” MacRae said.
But you can’t scope CMMC up front the way you’d buy a car. Each step depends on the one before it: you migrate, stabilize what you’ve moved, then look at what that revealed before deciding the next step. The discovery you do along the way is what produces the plan — so the full cost and timeline can’t be fixed in advance, only estimated and refined as you go.
With no decisions getting made, the score stalled where it was. Then a contract came up that required a higher SPRS number than the client had — and they lost it.
The manager eventually left, and his replacement understood that discovery drives the plan rather than delaying it. The work started moving again, the score climbed to a perfect 110 — and the client won a new deal on the strength of it.
Trimming back the tech sprawl
To see why this took years, go back to what E-N Computers inherited.
Before hiring ENC, the company had a two-person internal IT team for a staff of about 30 users. That meant they had a structured IT setup — but it had become overstructured because IT was overstaffed. The company had a one-to-one ratio of servers to users, a boutique phone system, multiple operating systems and rampant “tech sprawl.”
“When you’ve got a guy who knows how to hit with a hammer, he’s going to use a hammer on everything,” MacRae said. “You end up with so many one-off setups because the IT guy was excited about experimenting with something.”
When that team left, no one knew how the one-off setups had been built — and none of it was documented.
By standardizing the environment, E-N Computers also moved the company toward compliance. CMMC’s requirements for system baselines, vulnerability management, and version control and patching are all far easier to maintain across standardized systems than a pile of one-offs.
Growing into a better design system
A second challenge was growth. The company had grown their design team without upgrading their IT setup. Their mostly remote team started having issues with collaboration. Their VPN was slow. Documents were getting corrupted. A lead designer’s new laptop failed.
“The root cause of all those things was that the team really needed to have a server-based CAD management system for coordinating design work instead of shuffling files from engineer to engineer,” MacRae said.
The complete resolution took a couple of years and involved upgrading network gear and increasing fiber and network speeds at the physical office. The new gear and VPN setup now meets CMMC requirements for remote access.
Today, engineers can check drawings in and out and maintain document version control over a fast, reliable, and secure network.
The very expensive GCC mistake
Worse than the IT overbuild was the decision by a previous vendor to go with the wrong version of Microsoft 365.
A defense contractor has two government versions of Microsoft 365 to choose from: Government Community Cloud (GCC) and GCC High. Both keep data inside US data centers. The difference is who’s allowed to touch it. GCC uses Microsoft’s international support staff, while GCC High restricts support to US persons only.
The client was directed toward GCC. But the client’s work falls under export-control rules that restrict defense technology to US persons, including the people providing IT support. Getting the client onto GCC High was a requirement.
“That was a huge, huge problem,” MacRae said. “It’s a huge setback if you choose the wrong platform.”
Migrating from GCC to GCC High wasn’t just a matter of a license change. It meant lifting the company’s entire Microsoft setup out of one version and rebuilding it in another. Email, files, accounts, and security settings all must be exported with a migration tool and set up again on the other side. A migration like this runs $15,000 to $20,000 and stops the rest of the CMMC compliance project until it’s finished. On top of that, you’re navigating annual renewals and license contracts as you move from one expensive set of licenses to another.
The natural question is why you can’t just upgrade in place.
“Microsoft says that you can upgrade from one of these tiers at any point in time, no matter what your contract is,” MacRae said. “In practice, we have not found that to be the case.”
Moving up within the same version — say, a license tier upgrade inside GCC High — follows a built-in path. Crossing from GCC over to GCC High doesn’t. There’s no workflow for it, just support tickets and no track record of getting timely answers.
After a migration, recurring meeting invites stop working. Teams links shared with outside business partners go dead. Guest accounts from outside the organization break. Every employee must re-enroll their device, set up multi-factor authentication again, and sometimes reset their password. None of it is catastrophic alone, but together it adds up to real disruption for people just trying to do their jobs.
The bigger trap is what the wrong version does to every project that comes after it. Enrolling devices in Intune, the Microsoft tool that manages company computers and phones, might be a sensible $5,000 improvement — but done inside the wrong version, it only digs you in deeper. The $15,000 to $20,000 migration has to come first, turning a small step forward into a much bigger one. Every project you take on first makes the migration harder and more expensive.
What it takes to do a GCC High migration right
E-N Computers can sell GCC High licensing directly, so it managed the whole transition in-house — timing the move so the client walked out of GCC and into GCC High without paying for both at once. The client’s annual licensing went from about $28,000 to roughly $40,000, but they avoided paying for both sets of licenses at the same time — a spike into the tens of thousands of dollars.
Second, one engineer owned the 250-hour project from start to finish. The migration and the hardening — building out the new setup to meet every regulatory requirement — ran together as one coordinated project rather than two disconnected ones. Weekly check-ins kept the client’s stakeholders in the loop and progress on track, and the work that needed after-hours timing or on-site visits got it, so people could still log in and do their jobs the next morning.
Third, E-N Computers financed the cost. A migration like this runs between $35,000 and $60,000. Instead of hitting the client with an upfront price tag of $50,000, the cost was spread across a year.
Getting the client out of a non-compliant cloud tier wasn’t a quick fix, but it went about as smoothly as a project this size can. With a less experienced team, it could have cost more, taken longer, and broken more along the way.
Dropping an expensive tool
The project also ended with the client paying for one less tool. Throughout the build-out, E-N Computers used FutureFeed — a compliance management tool that runs about $3,600 a year — to track the work and calculate the client’s SPRS score. It did the job well, but once the heavy lifting was done, E-N Computers canceled it and moved the ongoing work onto tools the client already pays for.
Since the start of the project, Microsoft built out Purview, its compliance toolset, and the government rebuilt the SPRS site so it walks you through the score instead of leaving you to calculate it by hand. The paid tool was solving a problem where the free tools were now good enough for a smaller organization.
Don’t wait for the deadline to find you
Most small defense contractors who come to E-N Computers ask the same question: how do I get to CMMC compliance without breaking my business? The honest answer is that you don’t do it in one year, you don’t do it with a single tool, and you don’t do it by hiring a compliance firm that doesn’t know your IT.
This client did it by picking one partner and giving the partner time to do it right.
This client’s five-or-six-year timeline wasn’t a long road — it was an early start. Because they began before a deadline forced the pace, they reached a perfect score, scheduled their assessment on their own terms, and won contracts along the way.
Contractors who waited can’t do that. After November 10, 2026, you can’t be awarded a covered defense contract without CMMC certification, and the lead time to book a third-party assessor runs months.
If you handle CUI and don’t have a clear path to compliance yet, starting now costs far less than starting late.
E-N Computers offers a free consultation with a Registered Practitioner who can map what your path to certification looks like.
Complimentary review with an experienced engineer
Are you ready for CMMC?
Get a free strategic consultation to start or streamline your journey toward CMMC compliance.
CMMC RESOURCES
If you need CMMC managed IT services
- Virginia CMMC Managed IT Services
- Best CMMC managed IT services providers in the DMV
- Best Virginia CMMC managed IT services providers
If you need to better understand CMMC requirements:
- The Ultimate Guide to CMMC
- The Ultimate Guide to DFARS and NIST 800-171 (in plain English)
- What is FCI and should I worry about it?
- What is CUI and should I worry about it?
- CMMC compliance deadlines: Key dates and what they mean
If you’re looking for CMMC tools and training:
- We found the best GRC tool for CMMC
- What is Microsoft GCC High and do I need it?
- Best CMMC training resources
- CMMC Level 1 guide as audio book
- CMMC Level 2 guide as audio book
- CUI enclaves in CMMC compliance: Are they right for your business?
If you’re looking for a CMMC consultant or Registered Practitioner Organization:
- Best CMMC consultants
- Best CMMC RPOs near Washington, DC
- Best Virginia Registered Practitioner Organizations
- Case Study: Virginia Government Contractor Nears CMMC Compliance
- CMMC Gap Analysis
If you’re looking for a CMMC assessor:
If you’re looking for information about CMMC that is targeted toward smaller businesses:
