The defense industrial base is not just factories and laboratories. It is the fire-protection contractor servicing a base, the electrical subcontractor wiring a federal facility, the engineering shop producing stamped drawings for an installation upgrade. For these firms, the sensitive material is not an exotic dataset locked in a lab β it is the work product itself. Site drawings, facility layouts, security-system schematics, and project specifications are Controlled Unclassified Information, and they live in the everyday tools of the trade: CAD suites, estimating software, shared file storage, laptops riding between job sites.
The obligations, though, are identical to a primeβs. DFARS 252.204-7019 and -7020 already condition award eligibility on a current SPRS score, 252.204-7021 flows CMMC requirements down through primes to their subcontractors, and the CMMC final rule is phasing those requirements into new solicitations now. For a project-driven business with lean IT and no dedicated security staff, a missing or indefensible score can quietly take the firm off the bid list before anyone picks up the phone. That is the problem LakeRidge exists to solve: turning security work into a provable, evidence-backed record β without rebuilding the business around it.
Why we selected this group
This is a selected showcase, not a directory. We chose these twelve organizations for the caliber and range they represent: century-old engineering institutions, integrated design-build firms, federal primes with eight-figure contract ceilings, specialty fire-and-life-safety contractors, and veteran-owned, tribal-owned, and minority-owned small businesses β the full texture of the built-environment side of the defense supply chain, operating in genuinely security-sensitive, high-stakes environments.
A note on security and attribution. We selected these organizations to showcase the caliber and range of teams using LakeRidge. Because many operate in sensitive defense, research, and CUI environments, we do not publicly attribute assessment scores, gaps, timelines, test results, or remediation details to specific organizations. Customer names show who trusts the platform; outcomes and journeys are aggregated or anonymized to protect customer security.
Trusted by teams that build for defense
These are the firms that carry CUI onto job sites every day β and the names primes recognize when the flow-down letters go out.
Engineering and design institutions
Martin/Martin
Employee-owned civil and structural engineering firm founded in 1945, with landmark work including Denver International Airport's Great Hall renovation, projects in 49 states and some 20 countries, and an ENR Design Firm of the Year honor.
Wight & Company
Integrated architecture, engineering, and construction firm founded in 1939 near Chicago, serving corporate, government, and education clients β and designer of the first building in the country to earn LEED certification.
ZHA
Central Florida capital-projects and owner's-representative consultancy with four decades of experience guiding complex public and institutional programs from planning through delivery.
Fire, life-safety, and building systems
Premier Fire & Security
Full-service fire protection and life-safety systems provider founded in 1974, now part of APi Group, a NYSE-listed global specialty-services leader, with five decades of design, installation, and monitoring expertise.
Sievert Electric
Family-led, service-disabled-veteran-owned electrical construction firm founded in 1913, delivering turnkey electrical, data, and video-display work for clients including O'Hare and Midway airports and professional sports venues.
Century Fire Sprinklers
Full-service fire protection contractor designing, installing, and maintaining automatic sprinkler systems since 1981, serving Fortune 500 clients across the automotive, healthcare, and manufacturing sectors from its Missouri and Kansas City operations.
Federal construction and infrastructure primes
Souza Construction
California general contractor with three decades of building and renovation work across California and Nevada, including military installations such as Lemoore, Point Mugu, and China Lake, and a Navy IDIQ contract with a ceiling of up to $50 million.
OAC Action Construction
Miami-based federal prime contractor and SBA 8(a) graduate delivering design-build, new construction, renovations, and repair services for government clients across multiple states, Puerto Rico, and Central America.
Aytekin Serol Engineering & Construction
Engineering and construction firm founded in 1971 in Adana, Turkey, with more than 120 U.S. government projects completed β renovations, mechanical systems, and infrastructure work at installations including Incirlik Air Base.
UXELL Construction
General construction contractor delivering civil, architectural, mechanical, and electrical works β from large-scale military infrastructure, including earth-covered magazine facilities and specialized training installations, to major mixed-use high-rise developments.
QNA Diversified
8(a) woman-owned engineering and construction management firm headquartered in San Juan, Puerto Rico, delivering projects for the U.S. Army and the U.S. Army Corps of Engineers.
Chief Long King
Tribal-owned civil construction contractor delivering sitework, infrastructure, and heavy-civil projects for federal clients.
The challenge
Scoping is the first hard problem for these firms: the same laptop drafts a commercial bid in the morning and a defense facility layout in the afternoon. Field devices connect from untrusted networks. Project-based crews turn over, which makes onboarding and offboarding a live control problem rather than a paperwork exercise. IT is often one person deep β and yet the CMMC and NIST SP 800-171 bar these firms must clear is the same one a global defense prime clears.
Then there is the evidence burden. When a prime or contracting officer asks how a score was produced, an objective-level, timestamped, evidence-backed 110 built in LakeRidge is a fundamentally different asset from a checkbox self-assessment scored in an afternoon β one is provable, the other is a promise.
Selected journeys
Each of these journeys is verified against LakeRidgeβs timestamped records, then deliberately coarsened β season-level dates, approximate counts, no names.
The six-month climb to a perfect record. An engineering-and-construction contractor arrived in the fall of 2025 at β203 β the unassessed starting state, meaning no defensible record existed yet, not that nothing was in place. About six months later, in early spring 2026, it held a perfect self-assessed, evidence-backed 110: every practice driven to audit-ready, all of its roughly 200 POA&M tasks closed, and its System Security Plan published straight from that record β then republished in a refreshed revision as the environment matured.
The heavy lift, shown honestly. A building-systems contractor that joined in early 2025 broke its remediation into roughly 130 POA&M tasks within its first month and closed about 70 of them, lifting its score more than 200 points in under three months β from unassessed at β203 into positive territory. It is candidly still mid-remediation, and that is the point: the same record that proves what is done shows leadership exactly what remains.
Under a month to the high 90s. A construction contractor onboarded in late spring 2026 and climbed from the unassessed floor to the high 90s in under a month. That pace was not a from-scratch build β the firm was already operating most of the required controls day to day. The sprint was importing that existing evidence into an objective-level record: the full assessment completed in a handful of working days, and nearly every practice driven to audit-ready.
How they got compliant
Every firm followed the same LakeRidge path, whatever its starting point.
It begins with the guided gap assessment. Each of the 110 CMMC and NIST SP 800-171 practices is worked at the assessment-objective level, with a determination and supporting evidence recorded per objective and a timestamp on every answer β the difference between an evidence-backed, objective-level 110 and a checkbox self-assessment.
Every practice moves through a plain-English lifecycle β not started, gap analysis, remediation, audit-ready β so a managing partner, a client, or a prime can see at a glance how done the program actually is, without translating anyoneβs spreadsheet.
Gaps become a working POA&M. Each finding turns into a task with an owner and a due date, broken down to the checklist grain small teams actually execute β so the Plan of Action and Milestones doubles as the weekβs work plan rather than a shelf document.
The SPRS score recalculates live. As tasks close and practices reach audit-ready, the score updates on its own β no spreadsheet math, no stale number waiting for someone to remember it.
The SSP is generated, versioned, and kept alive. LakeRidge builds the System Security Plan directly from the assessment answers and publishes it as a versioned release; when the environment changes, firms republish rather than rewrite.
And for the strongest programs, scoping came first. The top performers drew the smallest honest boundary they could β consolidating CUI work into a purpose-built enclave in a government cloud tenant and documenting inherited controls in the SSP instead of leaving them implied.
Aggregate results
Across nine construction, AEC, and building-systems contractors on LakeRidge: seven of the nine began unassessed at β203 β a missing record, not a measure of what was actually in place β and every one stands higher today. 75% of tracked CMMC Level 2 practices have been driven to audit-ready. One firm holds a perfect self-assessed, evidence-backed 110, with several in the 90β100 range. Roughly 730 POA&M tasks have been tracked across these firms, with about 460 closed β remediation as a managed backlog, not a binder on a shelf.
Ready when you are
See where you actually stand β run the guided gap assessment and get your live, evidence-backed SPRS score in your first week.