Tunnell Government Services

How Tunnell Consulting cut CMMC costs without cutting corners.

Client

Tunnell Government Services

Tunnell Consulting Inc. employee-owned professional services firm founded in 1962 and headquartered in Berwyn, Pennsylvania offering specialized scientific and technical expertise to government agencies and commercial clients.
Tunnell Government Services, a wholly owned subsidiary of Tunnell Consulting, Inc., provides scientific and technical consulting to federal agencies, including the Department of Defense/War (DOD/DOW), the Department of Health and Human Services, and the Department of Homeland Security. The Company sources and places specialized SMEs (subject matter experts) to support government missions in areas such as public health preparedness and biomedical research.

Situation

Tunnell Government Service’s primary business model centers on identifying, vetting, and placing qualified consultants into government positions. These consultants typically work on-site at government facilities or remotely using government furnished equipment, meaning Tunnell’s own systems handle CUI on a limited basis.

The Company initially pursued enterprise-wide Cybersecurity Maturation Model Certification compliance, which would have required migrating all users and systems to meet cybersecurity requirements. That approach would have imposed unnecessary licensing costs and operational burden on the broader organization, given that only a small
fraction of its workforce needed access to CUI-related systems.

Process

CyberSheath worked with Tunnell’s leadership team to shift from an enterprise model to a targeted enclave strategy.

The collaborative process included:

  •  Scope assessment and cost optimization — Determining that only 20 of Tunnell’s 242 resources required access to the compliant environment, dramatically reducing licensing and infrastructure costs compared to the original enterprise approach.
  • Enclave design — Building an Azure Virtual Desktop (AVD) environment in Microsoft’s Government Community Cloud (GCC), providing a secure workspace for CUI without changes to the company’s existing commercial systems.
  • Forward-looking data protection — Developing a secure staging area using a FedRAMP-authorized file-sharing platform to handle personnel screening and vetting information. While the government does not currently classify this data as CUI, Tunnell’s leadership recognized it could be designated as such in the future. CyberSheath configured the platform per the provider’s customer responsibility matrix and integrated its logs for monitoring.
  • Documentation development — Preparing all compliance materials through CyberSheath’s AIM (Assess, Implement, Manage) methodology, with Tunnell’s leadership actively reviewing and refining documents to ensure accuracy.

Solution

CyberSheath delivered an AVD enclave hosted in GCC, limiting the compliance scope to the 20 users who needed CUI access. Employees outside that group continued working in Tunnell’s commercial environment with no disruption or additional licensing costs. The secure staging area addressed a challenge specific to personnel-focused contractors: collecting sensitive screening documents from prospective hires — who may submit from personal email accounts or outside domains — without introducing that data directly into the enclave. The staging area served as a controlled intake point for documents, where they were received, vetted, and moved into the CUI environment as needed.

Results

Tunnell Consulting achieved CMMC Level 2 certification with a perfect score of 110 through an assessment conducted by Cybersec Investments. The assessment was completed ahead of schedule, with no pushback from auditors on documentation or evidence.

"CyberSheath approached this as a strategic partnership, not just a compliance checklist. They took the time to understand how our consultants operate, where CUI truly intersects with our systems and how to protect it without disrupting our core mission. Their disciplined scoping and technical expertise allowed us to achieve a perfect 110 score on our first assessment while avoiding unnecessary cost and operational complexity. CyberSheath gave us confidence not only in our certification, but in the long-term security of our environment.”

- Mary Corcoran, CIO and Director of Business Operations

Tunnell’s leadership played a direct role in that outcome, reviewing compliance documentation, challenging narratives for accuracy, and adding operational context that strengthened the materials for assessment. The enclave approach kept costs proportional to Tunnell’s actual CUI footprint, avoiding the significantly higher expense of enterprise-wide GCC licensing.