Case Study: PlatformOne Enables InSourceITSolutions to Achieve CMMC Level 2 Compliance
About InSourceITSolutions
InSourceITSolutions is a prominent provider of healthcare and revenue cycle management solutions for federal agencies and defense contractors. While working with military health organizations and subcontracted federal programs, InSourceITSolutions must protect Controlled Unclassified Information (CUI) in accordance with DFARS 252.204-7012. In preparation for forthcoming Department of War (DoW) contracts and the implementation of the Cybersecurity Maturity Model Certification (CMMC), the organization is dedicated to attaining complete compliance with CMMC Level 2.
The Challenge
InSourceITSolutions encountered challenges typically faced by mid-sized federal contractors:
- Their IT infrastructure was hosted on Microsoft 365 Commercial, which does not meet DFARS or CUI handling requirements.
- The internal IT team was small, overwhelmed, and lacked expertise in compliance.
- There were no formal documents for access controls, incident response, or vulnerability management.
- Their prior vendors offered limited support beyond basic ticket handling, lacking strategic guidance or compliance expertise.
InSourceITSolutions understood that simply "checking the box" was insufficient. They needed a comprehensive solution that addressed both security and compliance requirements, and a partner with expertise in the Defense Industrial Base (DIB) sector.
Why InSourceITSolutions Chose PlatformOne
PlatformOne stood out as the preferred partner due to its specialization in DoW-compliant cloud environments and hands-on experience with:
After evaluating several providers, InSourceITSolutions selected PlatformOne due to its engineering-first approach, clear roadmap for CMMC compliance, and proactive guidance throughout every phase of the engagement.
PlatformOne's Solution
Phase 1: Migration to Microsoft 365 GCC High
PlatformOne completed a migration from Microsoft 365 Commercial to Microsoft 365 GCC High to comply with federal cloud regulations. The work included:
- Coordinating licensing and sponsorship through a U.S. sovereign reseller such as Carahsoft
- Exporting and staging user data securely via migration tools
- Configuring email and DNS, and redeploying Group Policies to meet hardening standards
- Reimplementing security and DLP policies to match CUI handling requirements
- Enabling Microsoft Defender for Endpoint, Microsoft Purview, and Intune for endpoint compliance and monitoring
Phase 2: Managed Security & Compliance Services
Post-migration, InSourceITSolutions enrolled in PlatformOne's Managed Services Program (MSP), which covered both technical operations and compliance oversight.
- Automated monthly scanning, change-controlled patching, and configuration management hardening
- Vulnerability scanning using Tenable.io with real-time priority-driven dashboards
- 24/7 log monitoring via TotalWatch with integrated XDR, and a managed 24x7x365 SOC
- Backup and recovery solutions with federal-mandated storage and retention policies via AvePoint Backup
- Centralized audit evidence collection and monthly compliance reviews via the ComplianceOne Tool to streamline audit review
Phase 3: CMMC Level 2 Advisory & Documentation
PlatformOne tailored its advisory services to align InSourceITSolutions with all 110 controls in NIST SP 800-171.
- A complete control-by-control gap analysis and remediation plan
- Development of key compliance artifacts: SSP, POA&M, IRP, CM policy, and user access controls
- Internal readiness assessments modeled after third-party C3PAO audits
- Scheduled reporting and evidence compilation to prove continuous compliance
Results
The engagement with PlatformOne produced significant and measurable results:
- Migration to GCC High was completed within 45 days without user disruption.
- All NIST 800-171 controls were documented and implemented within 90 days of the initial request.
- Achieved a Zero Trust model, real-time threat detection, and monthly remediation cycles.
- Internal IT workload for compliance tasks reduced by 60%.
"PlatformOne didn't just migrate our systems—they elevated our entire security and compliance maturity. Now, we're ready to pass a CMMC audit and win more DoW contracts."
Project Execution Timeline
- Weeks 1-2: Discovery, GCC High sponsorship intake, kickoff planning
- Weeks 3-7: Migration execution, endpoint onboarding, DNS, and policy cutover
- Weeks 8-10: MSP onboarding, monitoring, and patching automation
- Months 3-5: Documentation delivery, evidence gathering, internal audit simulation
What's Next
InSourceITSolutions is actively preparing for a formal C3PAO assessment scheduled in early 2025. PlatformOne continues to provide managed services and compliance monitoring as a long-term partner. Future roadmap initiatives include aligning with NIST SP 800-171 Rev 3, integrating Software Bill of Materials (SBOM) management, and evaluating for CMMC Level 3 or FedRAMP Moderate certification, depending on future contracts.
Final Takeaways
InSourceITSolutions's mission reflects an everyday reality in the defense contracting space: security and compliance are inseparable. By engaging with PlatformOne, they moved from reactive IT to proactive cyber governance, achieving both regulatory alignment and operational peace of mind.
Key lessons learned:
- GCC High Migration is Essential: Migrating to GCC High is essential when CUI is involved. It requires both technical controls and process involvement, as well as documented evidence.
- Experienced MSP Value: An experienced Managed Service Provider (MSP) can bridge internal skill gaps and reduce audit showstoppers.
- Continuous Compliance: Long-term compliance is not a project—it's a continuous monitoring process.