The situation
A commercial HVAC contractor — about $60M in revenue, roughly 300 employees across several regional offices — held federal work that put part of the business in CUI territory. They had started on CMMC: a policy set bought from a vendor, a tool someone had stood up, and a spreadsheet of controls. The pieces did not add up to a program, and no one owned the whole.
The challenge
Mid-market is its own kind of hard. There was real IT capacity, but it was spread across sites with different practices. CUI flowed between offices. Documentation existed but did not match how work was actually done, so any honest assessment would find drift between the SSP and reality. And leadership wanted a defensible answer for buyers — a credible SPRS posture — not just "we're working on it."
What we did
The gap assessment confirmed the core problem: fragmentation. Three offices touched CUI in three slightly different ways. So the program led with consolidation:
- We redrew the scope around a single, consistent CUI workflow shared across sites, rather than three parallel ones, and brought in a managed security partner to standardize monitoring across the boundary.
- We rebuilt the SSP and policies to describe the consolidated environment accurately, retiring the generic template that no longer matched reality.
- We stood up a managed GRC program on a recurring cadence, with named control owners, evidence collection, and scheduled reviews, so that any drift between the documentation and the live environment would be caught at the next review rather than discovered during the assessment.
- We ran role-based training so practitioners at each office could speak to their controls, since a multi-site assessment samples across locations.
A readiness assessment then stress-tested the consolidated program using the same examine, interview, and test methods (the NIST SP 800-171A assessment procedures) that a certified assessor would apply.
The outcome
- Three divergent partial efforts became one program with a single owner and a consistent boundary across offices.
- The SSP and the live environment matched, so evidence could be produced on request rather than reconstructed.
- Their SPRS posture became something they could state plainly to primes, with a short, dated POA&M for the remainder.
"We didn't have a CMMC problem so much as five half-answers. The value was making them one answer we could actually stand behind." — Compliance director (representative)
The mid-market lesson: the obstacle is usually not capability — it is coherence. Consolidate first, then certify.
