CMMC Readiness for Defense Pharma Group
A HealthSec Engineering™ Case Study
Client: Anonymous Federal Defense Distributor Group
Challenge
A multi-entity sales and distribution group supporting federal defense programs needed to secure operations and meet CMMC Level 2 compliance across its parent and subsidiary operations. The organization operated across multiple interconnected IT environments, handling federal contract Controlled Unclassified Information (CUI) without centralized network boundaries or access policies.
With emerging DoD compliance deadlines, the parent entity faced the complex challenge of aligning diverse business units under a single, unified security architecture. They required a rigorous compliance assessment to identify shared vulnerabilities, isolate multi-entity data boundaries, and coordinate a multi-stage remediation program.
Solution
HealthSec Engineering led a comprehensive CMMC Level 2 gap assessment across the group's parent operations. We evaluated IT network boundaries, physical facility access, and federal contract data flows, establishing a centralized remediation strategy.
Our work included:
Multi-Entity Boundary Analysis: Evaluating data exchange pathways and network boundaries between the parent company and subsidiaries.
CUI Access Auditing: Reviewing user role configurations and access permissions for federal contract repositories.
Physical Security Assessment: Auditing physical facility access controls, door configurations, and surveillance coverage at the primary distribution facility, including mapping all 11 exterior access points.
Remediation Program Management: Developing and leading a phased remediation roadmap (currently in Phase 2 execution).
Outcomes & Impact
We delivered a complete picture of the organization's compliance posture, protecting over $15M in annual federal contract revenue (GSA/FSS and DLA DAPA vehicles) and launching a coordinated remediation program:
Scored all 110 NIST 800-171 controls, establishing a baseline SPRS score of -106 with 86 controls Not Met, and built a prioritized 32-item remediation plan across four phases targeting C3PAO readiness within 180 days.
Identified five critical vulnerabilities requiring immediate action: unverified external administrative access to federal data systems, flat network architecture with no segmentation, unencrypted FTP transmission of CUI, fail-safe door configurations bypassing physical security, and operational commingling between entities.
Delivered entity-specific roadmaps for each subsidiary (Integrated and Imaging), establishing independent compliance paths, cost estimates, and remediation sequencing tailored to each entity's operational posture.
Interested in working with us?
Email us at info@healthsecengineering.com.