When the DOD/DOW conducted an unexpected DIBCAC High Assessment at Kampi’s facility, the company faced immediate pressure to achieve full CMMC Level 2 compliance. The audit revealed gaps that needed addressing before Kampi could pursue formal certification.

The company had not yet completed its planned migration from a commercial cloud infrastructure to Microsoft’s Government Community Cloud (GCC High). Kampi also relied on multiple managed service providers (MSPs) for various IT functions, including a major MSP handling help desk support and network operations center services. None of these external service providers were CMMC compliant, and some had no plans to pursue certification or support the compliance requirements. Under CMMC requirements, noncompliant service providers with access to Controlled Unclassified Information (CUI) environments become compliance obstacles that can prevent successful certification.

As a distribution company with warehouse operations handling military materials, Kampi also needed comprehensive physical security controls, including visitor management, access control systems, secure storage for CUI in both digital and physical formats, and monitoring capabilities across its entire facility.

Following the government audit, Kampi engaged CyberSheath to develop a comprehensive compliance strategy. CyberSheath’s initial gap assessment aligned closely with the government’s findings, confirming the scope of work and establishing a clear road map to certification.

The collaborative process included:

• Cloud infrastructure migration: Moving Kampi’s entire environment from commercial cloud services to GCC High while maintaining operational continuity.
• Service provider remediation: Evaluating all external service providers’ compliance status and determining remediation paths.
• Physical security implementation: Establishing comprehensive controls across Kampi’s facility, including infrastructure security, visitor management systems, badge readers, surveillance cameras, alarm systems and secure storage for physical CUI materials.
• Documentation preparation: Developing a System Security Plan (SSP) and Plan of Action and Milestones (POAM) aligned to CMMC assessment requirements.

CyberSheath implemented a GCC High managed services solution that provided the FedRAMP-authorized platform Kampi needed for handling CUI. The solution created a fully compliant technology environment by eliminating noncompliant service providers and implementing controls across both digital and physical operations.

For Kampi’s warehouse and office operations, CyberSheath worked with the company to plan and implement security controls for the entire 36,000-square-foot facility with monitoring, access controls and procedures for handling CUI materials in all formats.