A growing Department of Defense subcontractor held active contracts requiring the creation, handling, and transmission of Controlled Unclassified Information (CUI) — but had no formal CUI program, no defined system boundaries, and no documentation that could satisfy a prime contractor or DoD assessor.
Data was scattered across systems with no formal classification or handling protocols. Employees interacted with sensitive federal information daily without knowing it carried a specific regulatory designation and the handling requirements that come with it.
With CMMC 2.0 requirements tightening across the defense industrial base and prime contractors increasingly requiring documented compliance evidence as a subcontracting condition, the organization was at real risk of losing contract eligibility — not because of bad intent, but because of a program that simply didn't exist.
Starting from Scratch in a High-Stakes Regulatory Environment
The organization had no idea where CUI lived, how it flowed between systems, or who had access to it at any given time.
No System Security Plan, no POA&M, and no data handling procedures — the SSP and POA&M being the two core documents every DoD assessor will request on Day 1.
Prime contractors were conditioning subcontracting arrangements on evidence of NIST 800-171 and CMMC alignment.
Staff had no training on CUI identification, marking, handling, storage, transmission, or destruction requirements.
Discovery First. Controls Second. Documentation Always.
Most CUI programs fail because contractors start with the controls before understanding the data. CybSecWatch reversed that sequence — beginning with a thorough discovery and scoping exercise to define exactly what needed to be protected before a single control was addressed or documented.
Conducted a comprehensive CUI discovery across all systems, applications, shared drives, email environments, and physical locations — identifying every point where CUI was created, stored, processed, or transmitted to define the precise system boundary.
Built detailed data flow diagrams documenting how CUI moved through the organization — into the environment, across internal systems, to external parties, and out of scope. This became the architectural foundation for the entire compliance program.
Mapped all 110 NIST SP 800-171 controls against the organization's environment. Implemented technical and administrative controls in priority order, documented each implementation, and identified residual gaps requiring remediation planning.
Produced a complete, assessor-ready System Security Plan documenting the system boundary, control implementations, responsible parties, and evidence references for each of the 110 controls — the primary deliverable in any CMMC assessment.
Built a prioritized POA&M documenting all controls not yet fully implemented, with realistic remediation timelines, resource requirements, and risk acceptance decisions — demonstrating a good-faith, managed compliance posture to assessors.
Designed and delivered organization-wide CUI training covering identification, marking, handling, approved storage and transmission methods, destruction requirements, and incident reporting obligations — tailored to the contractor's specific work environment.
Frameworks & Standards Applied
A Program They Could Own, Operate, and Defend
The difference between a CUI program that passes an assessment and one that fails isn't the number of controls documented — it's whether the documentation reflects operational reality. Assessors can tell immediately when a System Security Plan was written to impress rather than describe.
By starting with discovery, every control implementation was grounded in how the organization actually operated. The SSP described real systems, real people, and real processes. The POA&M reflected honest gaps with credible remediation plans — not optimistic projections designed to minimize findings on paper.
The organization didn't just receive a set of documents. They received a CUI program they understood deeply enough to operate independently, update as their environment changed, and present with genuine confidence to prime contractors and third-party assessors.
Full CUI inventory and data flow documentation completed
All 110 NIST SP 800-171 controls mapped and documented
Complete, assessor-ready System Security Plan (SSP) delivered
Prioritized Plan of Action & Milestones (POA&M) produced
Full workforce trained on CUI handling and reporting
Organization positioned for CMMC Level 2 certification
"We knew we had a CUI problem — we just didn't know where to start. CybSecWatch gave us a clear roadmap and built the entire program alongside us. Not just for us. The difference is everything." — IT Director, DoD Subcontractor (identity withheld per client request)