🚨 CMMC Phase One started November 10! Here's everything you need to know →

MSPs & IT Services

How MSPs Prove Their Own CMMC, NIST SP 800-171, and ISO 27001 Compliance

MSPs and federal consultancies are subject to CMMC and NIST SP 800-171 themselves — and are who every other contractor calls. Here's how 12 made their own compliance provable.

Managed service providers, IT-services firms, and federal consultancies occupy the most exposed seat in the defense supply chain: they are subject to CMMC and NIST SP 800-171 themselves, and they are the people every other contractor calls when the requirements land. For these teams, Controlled Unclassified Information is not an abstraction — it moves through their laptops, mailboxes, and cloud tenants every working day, often under flow-down clauses from the primes they support. And most of them are lean: a handful of authorized users, no data center of their own, one person wearing the administrator, approver, and end-user hats at once, and a book of business that depends entirely on staying eligible for federal work. When a prime flows requirements down the chain, there is no compliance department waiting to absorb the ask — there is a founder, a calendar, and an evidence burden designed with far larger organizations in mind. A score you cannot substantiate line by line is not a paperwork problem for firms like these; it is a contract-eligibility problem.

Twelve of them — several pursuing ISO 27001 in parallel — used LakeRidge to close that gap: to turn years of quietly competent security work into a timestamped, evidence-backed record that stands up when someone asks to see it.

Why we selected this group

This is a selected showcase, not a census. The names below span Navy ship-design engineering, safety-critical software, federal IT modernization across more than twenty agencies, and veteran-founded advisory practices trusted with some of government’s most demanding programs. They reflect the caliber and range of serious defense, research, and supply-chain teams that trust LakeRidge with their own readiness — an endorsement that carries particular weight here, because these are the firms other contractors hire to get it right.

A note on security and attribution. We selected these organizations to showcase the caliber and range of teams using LakeRidge. Because many operate in sensitive defense, research, and CUI environments, we do not publicly attribute assessment scores, gaps, timelines, test results, or remediation details to specific organizations. Customer names show who trusts the platform; outcomes and journeys are aggregated or anonymized to protect customer security.

Trusted by

Federal IT & engineering services

When the firms that build and run systems inside federal missions choose a readiness platform for their own house, the choice says something. These teams operate in high-stakes, security-sensitive environments every day — and they picked the tool they were willing to be measured by.

Specialized consultancies & advisors

Advisory firms trade on credibility: the standard they help clients meet is the standard their own operations are measured against. These practices chose to hold themselves to it.

The challenge

The structural problem for these firms is concentration. In a ten-person consultancy, the person who approves access is often the person who requests it and the person who uses it — exactly the arrangement that separation-of-duties and least-privilege requirements exist to break apart. Their infrastructure compounds the difficulty: most own no servers at all, so the assessed boundary lives in cloud tenants and virtual desktops that belong to someone else, and the work becomes proving inheritance rather than pointing at a rack. And there is nowhere to hide behind “good enough” — a firm that advises defense contractors on readiness cannot arrive at its own assessment with a shrug, because in this business the proof is part of the product. Several in this group are pursuing ISO 27001 in parallel, on the same handful of people.

Behind all of it runs a contractual clock. DFARS 252.204-7019 and 252.204-7020 already require a current NIST SP 800-171 self-assessment score posted to SPRS — and reserve the government’s right to come verify it. DFARS 252.204-7021 carries CMMC down through the supply chain, and as the CMMC final rule phases assessment requirements into new DoD solicitations, that clause stops being theoretical, award by award. For a services firm whose entire book is defense-adjacent, a number in SPRS that cannot be substantiated is a risk to the next contract — which is precisely the risk a timestamped record answers.

Selected journeys

Because LakeRidge timestamps every assessment answer, every practice-stage change, and every score recalculation, progress in this group is provable rather than asserted. The journeys below are drawn from that record — anonymized, with dates coarsened and counts approximated. The descriptors tell you what kind of firm, never which one.

Ten weeks from unassessed to a perfect self-assessed 110. In spring 2024, a management consultancy serving DoD programs started where every contractor starts: unassessed at -203, the floor of the SPRS scale — with no defensible record of controls it had, in truth, been running for years. About ten weeks later, it held a perfect self-assessed 110 — publishing successive revisions of its System Security Plan along the way — and ultimately brought every in-scope practice to audit-ready with nothing left in remediation. The firm did not build a security program in ten weeks. It formalized one that was already operating, and let the record catch up to reality.

The signature story: scores that hold. The most telling pattern in this group is not the climb — it is what happens afterward. An IT consultancy has now held a perfect self-assessed 110 for more than three years, its score still recalculating as the environment changes and its SSP republished five times to stay audit-current. A managed cloud-services provider tells the same story over a longer arc: practice tracking since fall 2021, a first SSP published the following winter, seven published revisions since, and a near-perfect self-assessed score its live record still maintains today. A number that holds for years, with the evidence trail still running underneath it, is the retention proof most compliance tooling never gets to show: maintenance mode, not one-and-done.

A sprint that was really an import. In fall 2025, a federal IT services provider went from unassessed at -203 to a perfect self-assessed 110 in about a month, closing nearly 300 POA&M tasks in under two weeks and publishing its SSP within days of finishing. That pace was not a team racing through attestations. It was a team formalizing controls already in operation — working the guided assessment with artifacts in hand, importing the evidence of a mature environment.

The same record, without the score. Breadth matters too. A specialized advisory firm built the same objective-level evidence record with no SPRS score in it at all: dozens of practices moved to audit-ready, and roughly three-quarters of its ~120 remediation tasks closed across a single autumn. The discipline is identical whatever a framework asks for: evidence, recorded, dated.

How they got compliant

Every firm followed the same LakeRidge path, whatever its starting point.

It begins with the guided gap assessment. Each of the 110 CMMC and NIST SP 800-171 practices is worked at the assessment-objective level, with a determination and supporting evidence recorded per objective and a timestamp on every answer — the difference between an evidence-backed, objective-level 110 and a checkbox self-assessment.

Every practice moves through a plain-English lifecycle — not started, gap analysis, remediation, audit-ready — so a managing partner, a client, or a prime can see at a glance how done the program actually is, without translating anyone’s spreadsheet.

Gaps become a working POA&M. Each finding turns into a task with an owner and a due date, broken down to the checklist grain small teams actually execute — so the Plan of Action and Milestones doubles as the week’s work plan rather than a shelf document.

The SPRS score recalculates live. As tasks close and practices reach audit-ready, the score updates on its own — no spreadsheet math, no stale number waiting for someone to remember it.

The SSP is generated, versioned, and kept alive. LakeRidge builds the System Security Plan directly from the assessment answers and publishes it as a versioned release; when the environment changes, firms republish rather than rewrite.

And for the strongest programs, scoping came first. The top performers drew the smallest honest boundary they could — consolidating CUI work into a purpose-built enclave in a government cloud tenant and documenting inherited controls in the SSP instead of leaving them implied.

Aggregate results

Across the 12 firms in this group — several also pursuing ISO 27001 — the average self-assessed SPRS score among score-tracked firms stands at 78 out of 110, with five firms holding a perfect self-assessed 110 and 79% of tracked practices driven to audit-ready. Seven of the ten score-tracked firms began unassessed at -203, the floor of the scale. On the way up, roughly 610 POA&M tasks were tracked and about 400 closed, and 22 SSP revisions were published — a record that keeps running long after target scores were reached. All figures are aggregated and anonymized across the group.

In their words

“This app put into perspective and laid out exactly what we needed to do to become compliant.”

Christopher Davis, IT Manager, InnovaPrep

Ready when you are

See where you actually stand — run the guided gap assessment and get your live, evidence-backed SPRS score in your first week.

Book a consultation →