Case Studies

Real compliance outcomes from organizations that replaced manual processes with machine-readable evidence pipelines. Company details anonymized per client agreements.

Results at a glance

  • 14+ engagements completed
  • <90 days average time to assessment-ready
  • +47–62 typical SPRS score improvement
  • 3 frameworks: CMMC L2, HIPAA, NIST 800-171
CMMC Level 2

Defense Manufacturer Achieves CMMC L2 in 8 Weeks

200-employee DoD subcontractor manufacturing precision-machined components for naval programs · NAICS 332900 (Other Fabricated Metal Product Manufacturing) · Southeast U.S.

  • 87 days from zero to assessment-ready
  • 60% cost reduction vs manual
  • 110 controls mapped to evidence
  • Passed C3PAO assessment on the 1st try

The challenge

This mid-size defense subcontractor had been working toward CMMC Level 2 certification for over six months using a traditional consulting approach. Their SSP was a 380-page Word document maintained by a single compliance analyst. Every time infrastructure changed, the SSP fell behind. Their previous assessor flagged 34 evidence gaps on the first review — not because the controls weren't implemented, but because the documentation couldn't prove they were.

With a DoD contract renewal deadline approaching, they needed to go from "we think we're compliant" to "we can prove it to a C3PAO" in under three months.

The solution

We deployed our compliance-as-code pipeline against their AWS infrastructure and on-premises manufacturing network:

  • Automated evidence collection using Prowler, Steampipe, and custom OPA policies mapped to all 110 NIST 800-171 Rev 2 practices
  • OSCAL SSP generation rebuilding the System Security Plan from pipeline artifacts on every commit — replacing the Word document entirely
  • CUI boundary scoping with Terraform-enforced authorization boundary and network segmentation validation
  • SOCFortress CoPilot deployment for detect/respond coverage (Wazuh + Graylog) inside their authorization boundary
  • Weighted SPRS scoring per DoD Assessment Methodology, tracking score improvement from 47 to 97 over the engagement
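
How the evidence roll-up and weighted SPRS scoring in the bullets above fit together, as an added example that is not the page's or the firm's pipeline code: scanner check results are keyed by check id, each NIST 800-171 practice is credited only when every check mapped to it passes, and the score is 110 minus the DoD Assessment Methodology deduction for each practice that is not fully met (floor -203, with the partial-credit cases for MFA and FIPS-validated crypto modelled). The check ids, the practice-to-check mapping and the weight values are constructed stand-ins; a real pipeline loads all 110 weights from the DoD Assessment Methodology annex.

```python
"""Evidence-to-practice roll-up and weighted SPRS scoring (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass

MAX_SCORE = 110   # one point per NIST SP 800-171 practice when all 110 are implemented
MIN_SCORE = -203  # floor defined by the DoD Assessment Methodology

# Constructed weight table: practice -> (full deduction, partial-credit deduction or None).
# Only a subset is listed to keep the example short; a real pipeline loads all 110
# from the DoD annex, so the score below only reflects deductions within this subset.
WEIGHTS: dict[str, tuple[int, int | None]] = {
    "3.1.1": (5, None),
    "3.1.3": (1, None),
    "3.5.3": (5, 3),    # MFA: partial credit when only privileged/remote access is covered
    "3.13.11": (5, 3),  # FIPS-validated crypto: partial credit for non-validated encryption
    "3.14.2": (5, None),
}

# Constructed evidence map: practice -> scanner check ids whose results prove it.
PRACTICE_CHECKS: dict[str, list[str]] = {
    "3.1.1": ["iam-unique-accounts", "ad-no-stale-accounts"],
    "3.1.3": ["sg-no-egress-from-cui-subnet"],
    "3.5.3": ["mfa-privileged-users", "mfa-all-users"],
    "3.13.11": ["tls-fips-ciphers-only"],
    "3.14.2": ["edr-agent-installed"],
}


@dataclass(frozen=True)
class CheckResult:
    check_id: str
    status: str   # "PASS", "FAIL" or "PARTIAL"
    source: str   # scanner that produced the evidence, e.g. "prowler", "steampipe", "opa"


def index(results: list[CheckResult]) -> dict[str, CheckResult]:
    """Key one scan run by check id so each practice can look up its evidence."""
    return {r.check_id: r for r in results}


def practice_status(practice: str, evidence: dict[str, CheckResult]) -> str:
    """Roll check results up to one practice: MET, PARTIAL or NOT_MET.

    Missing evidence counts as NOT_MET: an assessor cannot credit a control the
    pipeline cannot show, which is exactly the gap a stale Word SSP hides.
    """
    wanted = PRACTICE_CHECKS[practice]
    statuses = [evidence[c].status for c in wanted if c in evidence]
    if len(statuses) < len(wanted) or "FAIL" in statuses:
        return "NOT_MET"
    if "PARTIAL" in statuses:
        _full, partial = WEIGHTS[practice]
        return "PARTIAL" if partial is not None else "NOT_MET"
    return "MET"


def sprs_score(evidence: dict[str, CheckResult]) -> int:
    """Weighted SPRS score: 110 minus the deduction for every practice not fully met."""
    deduction = 0
    for practice, (full, partial) in WEIGHTS.items():
        status = practice_status(practice, evidence)
        if status == "NOT_MET":
            deduction += full
        elif status == "PARTIAL":
            deduction += partial
    return max(MIN_SCORE, MAX_SCORE - deduction)


def poam_items(evidence: dict[str, CheckResult]) -> list[dict]:
    """One POA&M row per unmet practice, carrying the exact check ids still open."""
    rows = []
    for practice in WEIGHTS:
        status = practice_status(practice, evidence)
        if status == "MET":
            continue
        open_checks = [c for c in PRACTICE_CHECKS[practice]
                       if c not in evidence or evidence[c].status != "PASS"]
        rows.append({"practice": practice, "status": status, "checks": open_checks})
    return rows


# Two constructed scan snapshots: the state at kickoff and after remediation.
BEFORE = index([
    CheckResult("iam-unique-accounts", "PASS", "steampipe"),
    CheckResult("ad-no-stale-accounts", "FAIL", "opa"),
    # no result for sg-no-egress-from-cui-subnet: unverified, so 3.1.3 is NOT_MET
    CheckResult("mfa-privileged-users", "PASS", "prowler"),
    CheckResult("mfa-all-users", "PARTIAL", "prowler"),
    CheckResult("tls-fips-ciphers-only", "FAIL", "opa"),
    CheckResult("edr-agent-installed", "FAIL", "opa"),
])
AFTER = index([
    CheckResult("iam-unique-accounts", "PASS", "steampipe"),
    CheckResult("ad-no-stale-accounts", "PASS", "opa"),
    CheckResult("sg-no-egress-from-cui-subnet", "PASS", "steampipe"),
    CheckResult("mfa-privileged-users", "PASS", "prowler"),
    CheckResult("mfa-all-users", "PASS", "prowler"),
    CheckResult("tls-fips-ciphers-only", "PARTIAL", "opa"),  # non-FIPS TLS still on one host
    CheckResult("edr-agent-installed", "PASS", "opa"),
])

if __name__ == "__main__":
    for name, snap in (("before", BEFORE), ("after", AFTER)):
        print(f"{name}: SPRS {sprs_score(snap)}, open POA&M rows {len(poam_items(snap))}")
```

Treating absent evidence as NOT_MET is the design choice that matters: it makes the score track what the pipeline can actually demonstrate to an assessor, so a control that silently lost its check after an infrastructure change shows up as a deduction and a POA&M row instead of staying "implemented" on paper.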

The results

The organization went from a stalled 6-month manual process to assessment-ready in 8 weeks. The OSCAL-based SSP passed the C3PAO assessment on the first attempt — the assessor specifically noted the quality of evidence traceability. POA&M items for the 3 remaining controls in remediation were auto-generated with specific check IDs and remediation timelines.

Total engagement cost was 60% less than the accumulated spend on their previous manual approach, and the deliverables — the SSP, evidence packages, and pipeline configuration — are assets they own permanently.

"We went from dreading our assessment to actually being confident in our documentation. The assessor could trace every claim to evidence in seconds. That's never happened before." — CISO, Defense Manufacturing Company

Want results like these?

30-minute scoping call. No prep needed. We'll tell you exactly where you stand.

HIPAA Security Rule

Healthcare Network Streamlines HIPAA Compliance Across 15 Facilities

Regional healthcare network · AWS-hosted EHR integration platform processing ePHI across 12 clinic locations · 3,000 employees · Midwest U.S.

  • 40% reduction in compliance overhead
  • 15 facilities unified
  • 23 previously unknown gaps found
  • 1 unified evidence package

The challenge

This regional healthcare network operated 15 facilities across four states, each with its own IT environment and compliance documentation practices. Risk assessments were conducted annually per facility using spreadsheets, with results stored in shared drives that varied by location. When their compliance director needed to present the organization's HIPAA posture to the board, it took three weeks just to aggregate the data.

The 2026 HIPAA Security Rule updates added urgency: new requirements around technology asset inventories, network segmentation validation, and 72-hour incident notification meant their manual approach couldn't scale.

The solution

We built a centralized compliance evidence pipeline that unified all 15 facilities under a single assessment framework:

  • Per-facility automated risk analysis using infrastructure scanning, access control auditing, and configuration validation
  • Centralized evidence repository with per-facility segmentation — each facility's evidence collected independently, aggregated into a single organizational view
  • Gap analysis engine mapping current controls against both existing HIPAA requirements and proposed 2026 changes
  • Board-ready reporting generating facility-by-facility and aggregate compliance dashboards from live evidence, not manual surveys
  • Remediation tracking with automated POA&M generation tied to specific HIPAA safeguard requirements
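
The per-facility collection and organizational aggregation described above, as an added example that is not the page's or the firm's code: each facility's scanner findings stay tagged with their facility, a roll-up by check id surfaces findings that recur across facilities (the "patterns, not one-off issues" case), and per-facility and aggregate summaries provide the rows of a board report. The facility names, check ids and safeguard labels are constructed sample data.

```python
"""Per-facility HIPAA findings rolled up to one organizational view (constructed example)."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    facility: str
    check_id: str
    safeguard: str   # HIPAA Security Rule requirement the check maps to (constructed labels)
    severity: str    # "critical", "high" or "medium"


# Constructed sample: what four facilities' scanners reported in one assessment cycle.
FINDINGS = [
    Finding("clinic-01", "net-flat-vlan-ephi", "164.312(e)(1) transmission security", "critical"),
    Finding("clinic-01", "shared-clinical-accounts", "164.312(a)(2)(i) unique user id", "high"),
    Finding("clinic-02", "net-flat-vlan-ephi", "164.312(e)(1) transmission security", "critical"),
    Finding("clinic-02", "ehr-tls-disabled", "164.312(e)(1) transmission security", "critical"),
    Finding("clinic-03", "net-flat-vlan-ephi", "164.312(e)(1) transmission security", "critical"),
    Finding("clinic-03", "shared-clinical-accounts", "164.312(a)(2)(i) unique user id", "high"),
    Finding("clinic-04", "no-asset-inventory", "2026 rule: technology asset inventory", "medium"),
]


def by_check(findings: list[Finding]) -> dict[str, set[str]]:
    """Which facilities share each finding; evidence stays facility-tagged throughout."""
    seen: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        seen[f.check_id].add(f.facility)
    return dict(seen)


def systemic(findings: list[Finding], min_facilities: int = 2) -> list[tuple[str, list[str]]]:
    """Findings present at min_facilities or more sites: a pattern to fix once at
    the organizational level (policy, baseline image, template) rather than site by site."""
    rows = [(check, sorted(facs)) for check, facs in by_check(findings).items()
            if len(facs) >= min_facilities]
    return sorted(rows, key=lambda r: (-len(r[1]), r[0]))


def facility_summary(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Open findings per facility by severity: one row per site in the board report."""
    summary: dict[str, dict[str, int]] = defaultdict(
        lambda: {"critical": 0, "high": 0, "medium": 0})
    for f in findings:
        summary[f.facility][f.severity] += 1
    return dict(summary)


def org_summary(findings: list[Finding]) -> dict[str, int]:
    """Aggregate view: open findings per severity plus the number of cross-facility patterns."""
    totals = {"critical": 0, "high": 0, "medium": 0}
    for f in findings:
        totals[f.severity] += 1
    totals["systemic_patterns"] = len(systemic(findings))
    return totals


if __name__ == "__main__":
    for check, facs in systemic(FINDINGS):
        print(f"{check}: present at {len(facs)} facilities ({', '.join(facs)})")
    for facility, counts in sorted(facility_summary(FINDINGS).items()):
        print(facility, counts)
    print("organization:", org_summary(FINDINGS))
```

Keeping the facility tag on every finding is what lets the same data answer both questions the text poses: "where does clinic-02 stand?" is a filter, and "which problems are organization-wide?" is a group-by, with no separate survey or spreadsheet consolidation step in between.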

The results

The initial assessment identified 23 compliance gaps that had been invisible under the previous manual process — including 7 network segmentation issues and 4 access control misconfigurations that existed across multiple facilities. These were patterns, not one-off issues, and they would have surfaced in an HHS audit. Within 60 days, the risk register was reduced from 47 critical findings to 3, with automated POA&M tracking covering the remainder.

Ongoing compliance overhead dropped by 40%. The three-week board report now takes 15 minutes to generate from live data. The compliance director can answer "where do we stand?" for any individual facility or the entire organization in real time.

"For the first time, we can show our board exactly where we stand across every facility. No more three-week fire drills to compile a status report." — Compliance Director, Regional Healthcare Network

See what this looks like for your organization

Start with a free 30-minute assessment scan. We'll map your current posture and show you the gaps before you commit to anything.

✓ No vendor lock-in ✓ Fixed-scope pricing ✓ You own the deliverables
