Case Study

A Perfect 110: Achieving CMMC Level 2 Compliance in Under 12 Months

How netMethods modernized a legacy IT environment and guided an Orange County soft goods manufacturer to a perfect CMMC Level 2 assessment score — securing a government-adjacent contract in the process.

The Situation

An Orange County soft goods manufacturer with more than 100 employees had an existing IT environment — Active Directory, traditional antivirus, and a server infrastructure that had served the business for years. The problem was age. The environment was running on Windows Server 2008, a platform Microsoft had long since ended support for, with legacy antivirus that offered no visibility into modern threats and a flat network with no segmentation between business systems and areas handling sensitive data.

When the company was offered a contract requiring CMMC Level 2 certification — a federal cybersecurity standard mandating 110 security practices across 14 domains, including access control, incident response, and the handling of Controlled Unclassified Information (CUI) — it became clear that their existing environment wasn’t a starting point. It was a liability. Without significant modernization and a certified compliance posture, the contract would go to someone else.

They had less than 12 months. They brought in netMethods.

The Challenge

The existing infrastructure created specific technical and compliance challenges that had to be addressed systematically. A legacy environment isn’t just outdated — it carries accumulated risk that has to be inventoried, documented, and remediated before any compliance framework can be applied on top of it.

• Windows Server 2008 — end-of-life, unpatched, and ineligible as a compliant CUI-handling platform
• Traditional antivirus with no behavioral detection, no central visibility, and no audit logging
• Flat network architecture with no segmentation — a critical gap under CMMC access control requirements
• No multi-factor authentication across any user accounts or systems
• No documented security policies, incident response procedures, or CUI handling controls
• A hard deadline tied directly to contract execution

The Approach

netMethods conducted a full environment assessment against the NIST SP 800-171 framework that underpins CMMC Level 2, mapping every gap between the existing environment and the 110 required practices. From there, we built a phased remediation and implementation plan designed to achieve a clean assessment within the contract timeline — without disrupting active production operations.

Phase 1: Server Infrastructure Modernization

The Windows Server 2008 Active Directory environment was migrated to Windows Server 2022 — a supported, patchable, and CMMC-eligible platform. The migration was planned and executed to preserve existing user accounts, group policies, and business continuity while eliminating the compliance exposure that the end-of-life environment represented. Group Policy was restructured to enforce the access control, session management, and audit logging requirements mandated under CMMC.

Phase 2: Network Segmentation

CMMC Level 2 requires that systems handling CUI be isolated from general business traffic. We redesigned the network architecture using VLAN segmentation to create distinct zones for CUI-handling systems, production operations, corporate IT, and guest access. Inter-VLAN traffic was controlled through firewall policy, with next-generation firewall technology providing deep packet inspection, intrusion prevention, and full audit logging at every segment boundary. Remote access was secured through encrypted VPN with enforced authentication at every entry point.

Phase 3: Identity & Multi-Factor Authentication

Controlling who can access what — and proving it to an auditor — is one of the most scrutinized areas in a CMMC assessment. We deployed cloud-based multi-factor authentication across every user account in the organization, covering workstations, remote access, and any application touching CUI. Role-based access controls were implemented and documented, ensuring that each user’s access was limited to what their role actually required. Every access event was logged and auditable.

Phase 4: Endpoint Security Replacement

Traditional antivirus was replaced across all 100+ endpoints with AI-driven endpoint detection and response technology — providing real-time behavioral monitoring, automated threat containment, and the centralized audit logging that CMMC assessors require as evidence of operating controls. Unlike legacy antivirus, which relies on known signatures, the new platform detects and responds to threats based on behavior, including novel attack techniques that signature-based tools miss entirely.

Phase 5: Email Security & Data Protection

Advanced email security was deployed to intercept phishing attempts, malicious attachments, and business email compromise attacks before they reached users — a critical control in a manufacturing environment with high-volume supplier and vendor communication. An enterprise backup platform was implemented across all endpoints and servers, with encrypted offsite replication, automated verification, and documented recovery procedures satisfying both CMMC requirements and the company’s own business continuity needs.

Phase 6: Policy, Documentation & Assessment Preparation

Technology controls alone don’t achieve CMMC compliance — every practice requires documented evidence that it is implemented and operating as designed. netMethods worked with company leadership to produce the complete documentation package required for a Level 2 assessment: System Security Plan (SSP), Plan of Action and Milestones (POA&M), incident response plan, access control policy, configuration management documentation, and a full asset inventory. Every one of the 110 practices was mapped, evidenced, and ready for auditor review before assessment day.

The Outcome

The manufacturer achieved a perfect score of 110 out of 110 on their CMMC Level 2 assessment — the maximum possible — and executed the contract within the required timeline. Every one of the 110 required practices was fully implemented and evidenced, with no findings, no deficiencies, and no conditions.

Beyond the assessment, the engagement delivered a modernized IT environment the business will carry forward. Windows Server 2022 Active Directory, next-generation endpoint protection, multi-factor authentication, a segmented network, and a complete compliance documentation library now form the operational and security foundation of the organization — supporting growth, reducing risk, and positioning them to pursue additional contracts that require a demonstrated compliance posture.

Results at a Glance

• Perfect CMMC Level 2 assessment score — 110 out of 110
• Windows Server 2008 environment fully migrated to Server 2022
• Network redesigned with VLAN segmentation across all operational zones
• Multi-factor authentication deployed across all user accounts and systems
• 100+ endpoints migrated from legacy antivirus to AI-driven endpoint detection and response
• Complete CMMC documentation package delivered — SSP, POA&M, policies, and procedures
• Contract executed on schedule
• Ongoing managed IT and compliance maintenance retained post-certification

About netMethods

netMethods is a managed IT services provider headquartered in Lake Forest, CA, with over 25 years of experience supporting organizations across Orange County and Southern California. We specialize in managed IT, cloud infrastructure, IT security, and practical AI solutions for healthcare, manufacturing, public sector, and professional services organizations.

netmethods.com   |   info@netmethods.com   |   949.309.2941