
CMMC Level 2 Certification: Turn Compliance Risk into a Federal Contract Competitive Edge

Facing a critical inability to bid on new federal contracts because it lacked CMMC compliance, an existing client hired Trility to continue a second phase of building a CMMC Level 2-compliant secure environment. This enabled the client to successfully demonstrate the 110 required security controls, qualify for essential revenue streams, and achieve a strong initial self-assessment audit score.

Problem Statement

The client's primary challenge was the mandatory requirement for CMMC Level 2 compliance to secure new revenue from federal government contracts. Limited capacity on existing teams delayed the compliance effort and left the client behind schedule. They needed to quickly implement the necessary controls to qualify for upcoming proposals and contract bids. Without passing the audit, the client faced automatic rejection, jeopardizing critical business revenue.

The technical complexity lay in building a fully accredited CMMC-compliant secure enclave from an undefined starting state. The initial infrastructure design was incomplete, and the in-house teams lacked the capacity and the specific, systemic expertise required to document and implement controls across multiple domains (source control, infrastructure, networking, identity, and access). The project also required expertise in adopting new tools, such as the Wiz Cloud Security Posture Management (CSPM) tool and GitHub, which were necessary for ongoing compliance monitoring and remediation.

Solution Approach

Trility's approach focused on aggressive, proactive problem-solving to quickly establish a system-level design where a clear plan was missing.

Proactive System Design: Trility's experts leveraged deep knowledge of application development, infrastructure, and pipelines to make design decisions in the absence of clear requirements or an established design. This proactive stance kept the project on track.

Best Practices: A previous engagement focused on implementing industry-standard best practices (especially AWS standards) as a starting point. This allowed the client's internal team to refine and tweak the baseline, speeding up development and cutting through initial analysis paralysis.

Compliance Enablement: Trility focused on making the environment audit-ready, providing expertise in evidence gathering for the CMMC self-assessment, particularly for the new GitHub version control implementation.

Knowledge Transfer: Trility successfully transferred operational ownership of the newly built systems, including the version control environment, to the client's internal team, ensuring long-term sustainability.

Technologies Used: The compliant enclave leveraged a modern, secure technology stack.

  • Infrastructure as Code (IaC): Terraform and Terragrunt were used to manage the AWS accounts, roles, and services.

  • Automation: Ansible was employed for hardening the Amazon Machine Images (AMI), and Ansible AWX was utilized to connect to instances and run hardening scripts, ensuring consistent security posture.

  • Security & Compliance: Wiz was adopted to monitor security posture, with Trility personnel providing expert remediation and reporting support.

  • DevOps & Environment: AWS WorkSpaces, S3 buckets, SharePoint, GitHub (used for source control and as the orchestration point for accounts within the compliant environment), Linux, CodeBuild, and Python.
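As an added illustration of the Infrastructure-as-Code pattern the stack above describes (this is example code written for this page, not Trility's or the client's Terraform), the fragment below provisions a small piece of an audit-ready baseline: an S3 bucket for compliance evidence with versioning, KMS encryption and public access blocked, plus an IAM role that CodeBuild can assume and that may only write objects into that bucket. The region, bucket name and role name are placeholders; the resource types and arguments are those of the hashicorp/aws provider.

```hcl
# Added example, not the project's own code. All names and the region are
# placeholders chosen for illustration.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-gov-west-1" # placeholder region
}

variable "evidence_bucket_name" {
  type    = string
  default = "example-cmmc-evidence-bucket" # placeholder name
}

# Evidence bucket: every object version is retained so audit artifacts
# cannot be silently overwritten or deleted.
resource "aws_s3_bucket" "evidence" {
  bucket = var.evidence_bucket_name
}

resource "aws_s3_bucket_versioning" "evidence" {
  bucket = aws_s3_bucket.evidence.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Encrypt at rest with a KMS-managed key by default.
resource "aws_s3_bucket_server_side_encryption_configuration" "evidence" {
  bucket = aws_s3_bucket.evidence.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

# No public ACLs or policies, regardless of what a later change attempts.
resource "aws_s3_bucket_public_access_block" "evidence" {
  bucket                  = aws_s3_bucket.evidence.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Trust policy: only the CodeBuild service may assume the role.
data "aws_iam_policy_document" "assume_codebuild" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["codebuild.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "evidence_writer" {
  name               = "example-evidence-writer" # placeholder name
  assume_role_policy = data.aws_iam_policy_document.assume_codebuild.json
}

# Least privilege: the pipeline can add evidence objects, nothing else.
data "aws_iam_policy_document" "evidence_write_only" {
  statement {
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.evidence.arn}/*"]
  }
}

resource "aws_iam_role_policy" "evidence_writer" {
  name   = "evidence-write-only"
  role   = aws_iam_role.evidence_writer.id
  policy = data.aws_iam_policy_document.evidence_write_only.json
}
```

In a Terragrunt layout this module would be instantiated once per account with only the variables differing, which is what makes the same baseline reviewable across the enclave's accounts and lets the Terraform state itself serve as evidence of the configured controls.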

Outcomes

This project resulted in tangible, high-value outcomes for the client:

Verifiable Compliance: Through self-certification, the client achieved CMMC Level 2 compliance (Controlled Unclassified Information, 110 NIST Rev2 controls) for the critical program enclave, successfully building and evidencing the required security controls.

Qualification for Revenue: The establishment of the compliant enclave immediately qualified the client to bid on and secure essential government contracts, turning a significant business blocker into a competitive advantage.

Exceptional Audit Performance: In the initial self-assessment audit, the client was praised by the external audit firm for being "by far the furthest along" and achieving an exceptionally high score, demonstrating the quality and robustness of the solution built by Trility.

Increased Capabilities & Reusable Patterns: Trility delivered core components, such as version control within the compliant environment, and established repeatable security hardening and infrastructure patterns that the client can leverage for future compliance efforts and operational maintenance.

Project Attributes

  • Reduced COO
  • Reduced Risk
  • Reduced Technical Debt
  • Accelerate Delivery
  • Increased Automation
  • Reusable Patterns
  • Increased Capabilities
  • Verifiable Compliance
  • Coaching
  • Documentation
  • Learning Sessions
  • Paired Programming
  • Videos

Technologies Used

  • Terraform
  • Terragrunt
  • AWS Amazon Machine Images
  • Ansible AWX
  • Wiz
  • AWS Workspace
  • AWS S3
  • SharePoint
  • GitHub
  • Linux
  • AWS CodeBuild
  • Python