A cybersecurity training firm based in the Washington, DC metro area came to E-N Computers with 50 SharePoint sites, a potential government contract that would involve meeting CMMC Level 2 compliance, and a state of denial about the amount of data they needed to protect.
In less than two years, E-N Computers simplified their user onboarding and offboarding, scoped their CMMC, planned a SharePoint restructure, and configured their commercial Microsoft 365 setup to meet their current CMMC requirements.
In the beginning, “everything was sort of a mess,” said Ian MacRae, CEO of E-N Computers. The clients were tech-savvy themselves but were hoping for a quick fix rather than the systemic changes CMMC requires.
The team — about 30 full-time employees and another 20 or so 1099 contractors — was almost entirely remote, supporting federal agency and embassy training contracts from home offices across the country.
A small warehouse outside Washington, D.C. handled the build-out of portable training labs. Their previous MSP had sold them a bottom-tier plan that wasn’t built for the realities of handling government data, so ENC stepped in to consolidate everything into a managed service plan and to start preparing them for a potential Air Force contract that would bring CUI into scope.
We rolled out depot service for their remote team, which included procurement and drop-shipping of laptops to new hires and return shipping for refurbishment and reissue. We standardized onboarding and offboarding so the client could submit a request through our website that flagged whether a new user was on government furnished equipment — a distinction that matters when much of the work happens inside federal agencies. We turned on MFA for every user, set up Intune enrollment with authorized device and user lists, and gave them written IT policies.
On the compliance side, we configured their commercial Microsoft 365 setup to meet NIST 800-171 technical controls — which more than covered their CMMC Level 1 obligations and saved the cost and complexity of GCC High. We helped them complete their CMMC Level 1 self-attestation in SPRS. We also helped them figure out exactly where their federal contract information lived — which users, devices, and systems were in scope — which was harder than it should have been: as the work went on, more places turned up than anyone had initially realized.
“They didn’t realize they had regulated data at the scale they had it at,” MacRae said. “I think the breakthrough understanding was that they identified that they had [FCI] in the environment.”
We scoped a SharePoint restructuring project — internal versus external sites — to clean up onboarding and user permissions and support the compliance work going forward.
By the end of the engagement, the firm had a compliance foundation in place: documented policies, working MFA and Intune, a depot process for a remote team, and a clear-eyed picture of where their FCI and emerging CUI lived.
Ian MacRae
Donald Holland
