Spirit Electronics

Spirit Electronics had been working with an IT service provider that assured it had all necessary security controls in place and met CMMC standards. A formal assessment revealed gaps that had not previously been identified. Spirit’s assessment revealed that the organization’s security posture was less mature than leadership had initially believed.

That experience prompted Spirit to evaluate new partners with far greater scrutiny. After interviewing several providers, the company selected CyberSheath for its specialization in CMMC compliance and its deep roots in the defense industrial base.

CyberSheath began by deploying its endpoint agent across Spirit’s machines, running comprehensive scans to establish a clean baseline. The formal gap assessment that followed showed that Spirit’s SPRS score was lower than the 110 leadership had believed.

From there, CyberSheath began systematic remediation through biweekly meetings spanning three disciplines — compliance, security, and IT — delivered as an integrated service rather than separate workstreams. Security implementations and compliance documentation progressed in parallel, avoiding the delays that come with coordinating across multiple vendors.

A major early step was migrating Spirit’s entire organization to Microsoft GCC High, which addressed many compliance requirements on its own. The team also replaced the company’s firewall, upgraded physical security cameras, and deployed a password manager and file-sharing software. CyberSheath’s endpoint agent provided continuous vulnerability management aligned with CMMC requirements.

With a smaller organization and limited remote work, leadership determined that placing everyone on the GCC High tenant and scoping the entire building was the more practical path than an enclave solution.

While CyberSheath handles security and compliance entirely, Spirit maintains internal IT staff      who manage tier-one support and day-to-day issues, escalating to CyberSheath’s IT team as needed. This provides Spirit with specialized expertise in CMMC compliance, alongside immediate on-site support for daily operations.

CyberSheath delivered an AVD enclave hosted in GCC, limiting the compliance scope to the 20 users who needed CUI access. Employees outside that group continued working in Tunnell’s commercial environment with no disruption or additional licensing costs. The secure staging area addressed a challenge specific to personnel-focused contractors: collecting sensitive screening documents from prospective hires — who may submit from personal email accounts or outside domains — without introducing that data directly into the enclave. The staging area served as a controlled intake point for documents, where they were received, vetted, and moved into the CUI environment as needed.