How Manufacturing Consulting Concepts Saved 500+ Hours Getting CMMC and NIST 800-171 Compliant with Secureframe

Manufacturing Consulting Concepts, LLC (MCC) is a Product Lifecycle Management (PLM) implementation company that started in 2013 and has been supporting the Air Force A-10 PLM Implementation project since 2016.

“When you’re dealing with 110 controls and around 320 control objectives for NIST 800-171 and CMMC, demonstrating how each control is being implemented and doing that continuously is a massive lift. Having Secureframe pull all of that evidence automatically is a massive time saver. It’s saved us at least 500 hours in the past two years.”

Lead Cybersecurity Engineer, Manufacturing Consulting Concepts

Highlights

Challenges

  • MCC had to meet CMMC and NIST 800-171 requirements with limited internal resources to support U.S. Air Force contracts. 
  • Documentation and monitoring requirements became overwhelming, with spreadsheets and screenshots proving inefficient and difficult to maintain.
  • Manually collecting evidence and monitoring controls across multiple systems and tools including AWS, Azure, Microsoft 365, and GitHub was burdensome and unsustainable for two people.
  • MCC wanted to formalize their compliance program with a third-party assessment to verify control implementation for NIST 800-171 and achieve CMMC Level 2 certification.

Solutions

Secureframe provided MCC with: 

  • Deep integrations to automate evidence collection and continuous monitoring across MCC’s distributed tech stack, eliminating tedious work and reducing risk.
  • Real-time visibility into passing tests and control status so MCC can manage compliance more efficiently.
  • Policy templates and management features that streamlined stringent documentation requirements for NIST and CMMC.
  • Secureframe’s expert support team, including former auditors and CMMC registered practitioners, who provided on-demand guidance and helped interpret complex controls.

Results

  • Saved an estimated 500+ hours preparing for and passing NIST 800-171 and CMMC Level 2 assessments.
  • Can confidently respond to customer requests for proof of CMMC compliance and maintain DoD contract eligibility.
  • Has a competitive advantage over organizations that aren’t yet CMMC 2.0 certified as requirements begin to roll out in DoD contracts.
  • Built a scalable compliance program so they can easily pass self-assessments to maintain CMMC certification and accelerate time-to-compliance with additional frameworks like SOC 2.

Challenges

MCC needed a scalable way to manage the demanding documentation and continuous monitoring requirements of CMMC and NIST 800-171 as a small team.

Manufacturing Consulting Concepts (MCC) is a Product Lifecycle Management (PLM) implementation company that works primarily with the U.S. Air Force. As the lead security engineer for MCC’s DoD-facing information systems, David Hoenisch is responsible for the design and implementation of all the security controls required for NIST 800-171 and CMMC compliance.

With only one other person on his team, David faced a growing documentation burden.

“There’s a huge breadth of documentation required for NIST and CMMC, and it was getting unruly and inefficient managing it ourselves in Word documents and spreadsheets. As a very small team, it’s possible but it makes you want to pull your hair out. We needed a force multiplier,” David explained.

Much of the team’s time was consumed by gathering evidence and then monitoring controls across their distributed environment, including AWS, Azure, Microsoft 365, GitHub, and other tools.

“We didn’t have time for the actual things that needed to get done, like technical implementation, because so much time was spent documenting everything and tracking where we were in the process,” he said.

David also recognized the need to formalize MCC’s compliance posture with a third-party assessment for NIST 800-171, both for peace of mind and audit defensibility.

“NIST 800-171 compliance has been the requirement under DFARS 252.204-7012 for years, and while you're allowed to self-assess, I’ve always been paranoid that if the government audits us and finds something we missed, they could claim we lied. I don’t want to deal with that,” he explained. 

By proactively validating their implementation of NIST 800-171, MCC could also prepare for an eventual CMMC 2.0 assessment, a requirement which is expected to be written into DoD contracts in the near future.

After coming across an ad for Secureframe and comparing it to a few other vendors, MCC chose to adopt Secureframe based on its strong reviews and breadth of automation.

“It was exactly what we were looking for,” he said. “Having a tool that can come alongside and augment your personnel force is a huge blessing. It was a weight off our shoulders.”

Solutions

Secureframe streamlined evidence collection, simplified policy management, and offered expert support throughout MCC’s NIST 800-171 and CMMC compliance journey.

Secureframe provided MCC with the automation and expert support they needed to meet NIST 800-171 and CMMC Level 2 requirements and pass third-party audits with confidence.

One of the most immediate benefits was the team’s ability to connect their tech stack to automate evidence collection and continuous monitoring.

“Secureframe’s ability to hook into all of these different providers we’re using, automatically run tests, and update control statuses was huge,” David said. “It lessened the workload on us to have to go to each of those systems and manually gather evidence like screenshots, which can quickly become outdated. Having that live, continuous updating is really nice.”

Policy management was another area where Secureframe drove significant time savings. MCC used out-of-the-box templates and customized them as needed, then assigned and distributed policies by role and tracked acknowledgments all in one platform.

“Instead of having to build a lot of those out manually, we were able to just use the templates and adjust them,” David said. “Being able to assign those policies and procedures to particular people and track who’s reviewed and accepted is also really useful.”

By leveraging these automation features and working with a Secureframe C3PAO partner, MCC’s third-party assessment for NIST 800-171 was seamless. 

“It was super easy. We just gave the auditor access, and they could log in and see all the evidence, artifacts, and documentation without needing to constantly ask for proof of XYZ being implemented,” David said.

That experience gave David and his team a strong foundation for CMMC Level 2 certification.

“It was a great launch board for CMMC because it gave us a solid sense of how a CMMC assessment would go. We understood how we stacked up to that framework and got a good roadmap forward,” David said. 

Throughout both readiness and assessment processes, Secureframe’s expert support team was a critical resource.

“I’m fairly new to CMMC and honestly most people are, so being able to email one of Secureframe’s compliance managers who has real CMMC and audit experience and bounce ideas and questions off of them has been invaluable,” David said.

This level of expert and personalized support stood out to David in a landscape increasingly reliant on AI-driven support.

“Being able to reach a real, live human who’s been there, done that, and has the experience to answer questions has probably been my number one favorite thing, aside from all the other awesome features Secureframe offers,” David noted. 

“With Secureframe, you not only have access to the tool, you also have access to the mind and the talent behind the tool. When looking at other platforms, I didn’t see that.”

Results

MCC saved hundreds of hours, gained a competitive edge in the defense space, and laid a scalable foundation for pursuing additional certifications with Secureframe.

Using Secureframe, MCC gained significant time savings and increased confidence in their NIST and CMMC compliance efforts. 

“When you’re dealing with 110 controls and around 320 control objectives for NIST 800-171 and CMMC, demonstrating how each control is being implemented and doing that continuously is a massive lift. Having Secureframe pull all of that evidence automatically is a massive time saver. It’s saved us at least 500 hours in the past two years,” David said. 

Secureframe also enables MCC to maintain compliance more effectively over time.

“Looking ahead, there’s the annual requirement under CMMC to conduct an internal self-assessment. Secureframe is going to be pivotal in that process. We’ll be able to easily go into the dashboard and see exactly where we stand in terms of test results and passing controls.” 

“It’s going to make our internal audit much more efficient because we can rely on all the data and information Secureframe is already pulling in, rather than manually gathering and piecing everything together ourselves,” David explained.

In the short term, Secureframe has already delivered real business value. 

“We already have current customers reaching out asking for proof of CMMC, and we’re able to say that we’re good to go. That’s been really helpful,” David said. 

With CMMC requirements expected to be written into contracts any day now, MCC views their readiness as a strategic advantage.

“We’re actually excited for the requirements to take effect because we know there are other companies that aren’t ready. It’s going to be a huge competitive advantage for us,” David said.

Secureframe is also making it easier for MCC to scale their compliance program to meet additional federal and commercial framework requirements. 

“The ability to manage multiple frameworks without having to redo everything again has made the idea of pursuing additional certifications much more feasible,” David said. “If we had to start from scratch for each one, that would be a huge lift.”

MCC is confident they can keep pace with evolving compliance demands, now that they have the right technology and expert support behind them.

“Secureframe really becomes a partner. Other platforms feel more self-serve, like you get access to the platform and then you’re more or less on your own. With Secureframe, I genuinely felt like we had a partner and they cared about our success, not just their own.”