
The Challenge
Our client is a North Carolina state regulatory agency responsible for environmental oversight and natural resource protection. With 150 staff across a headquarters in Raleigh and six regional offices, the agency manages environmental permitting, compliance monitoring, and enforcement for thousands of regulated facilities statewide. The agency handles Controlled Unclassified Information (CUI) related to federal environmental programs administered on behalf of the EPA, making CMMC compliance a contractual requirement for continued federal partnership.
When the agency underwent a CMMC readiness assessment, the results were sobering. Of the 110 security practices required for CMMC Level 2, the agency met fewer than 40. The gaps were systemic. Legacy systems — some running operating systems that had been end-of-life for years — formed the backbone of critical workflows. The permitting database ran on a Windows Server 2012 instance that could not be patched, and field inspectors used aging laptops with local data stores that were never backed up and rarely updated.
The agency had no formal incident response plan. When a phishing attack compromised two employee accounts six months earlier, the response was ad hoc — the IT team disabled the accounts and changed passwords, but conducted no investigation into what data may have been accessed or exfiltrated. No lessons were documented, no process improvements were made, and no report was filed. The agency's leadership acknowledged that if the same attack targeted CUI, the lack of response capability could jeopardize the federal partnership.
Network security was minimal. All offices shared a flat network with no segmentation between user workstations, servers, and guest Wi-Fi. Remote access for field inspectors relied on a legacy VPN with no multi-factor authentication. There was no centralized logging, no SIEM, and no security monitoring of any kind. The IT team of four staff members was stretched thin managing day-to-day operations and had neither the bandwidth nor the specialized expertise to tackle a compliance program of this scope.
The Solution
Layer27 partnered with the agency's IT leadership to design and execute a comprehensive CMMC compliance and infrastructure modernization program. The engagement combined our Protect Pro managed services tier for ongoing security and support, Infrastructure Pro for legacy system modernization, Compliance services for NIST 800-171 implementation, and Managed Detection & Response (MDR) for continuous monitoring.
NIST 800-171 Implementation
Layer27's Compliance team conducted a detailed assessment of all 110 NIST 800-171 security requirements, mapping each to the agency's current state and developing a remediation plan organized into three priority tiers. We worked alongside the agency's IT team and agency leadership to implement every required control.
Access control policies were overhauled with role-based access, multi-factor authentication, and least-privilege principles applied across all systems. Audit and accountability controls were established with centralized logging, tamper-evident audit trails, and automated alerting for security-relevant events. Configuration management baselines were defined for all system types, with automated compliance checking to detect drift. Media protection, physical security, and personnel security controls were documented and implemented in coordination with the agency's HR and facilities teams.
Each control implementation was documented in a System Security Plan (SSP) and supported by evidence artifacts — policies, configurations, screenshots, and test results — organized for assessor review.
Legacy Infrastructure Modernization
Under Infrastructure Pro, Layer27 modernized 85% of the agency's legacy systems. The permitting database was migrated from the unsupported Windows Server 2012 instance to a modern, fully patched environment with automated backup and high availability. Field inspector laptops were replaced with managed devices enrolled in Layer27's endpoint management platform, with encrypted local storage, always-on VPN connectivity, and centralized policy enforcement.
Network architecture was redesigned with proper segmentation. Server infrastructure, user workstations, field devices, and guest access were separated into distinct network zones with firewall rules governing traffic between them. Zero Trust Network Access replaced the legacy VPN, providing secure, identity-verified access to specific applications rather than broad network access.
Managed Detection & Response and SOC
Layer27's MDR service and 24x7 SOC capabilities now give the agency the continuous monitoring and incident response capability it previously lacked. SIEM technology aggregates logs from all seven locations (the Raleigh headquarters and six regional offices), correlating events and alerting Layer27's security analysts to potential threats in real time. A formal incident response plan was developed, tested through tabletop exercises, and integrated with state-level cyber incident reporting requirements.
Zero-Trust Architecture
Layer27 implemented a zero-trust security model across the agency's environment. Every access request is verified against user identity, device health, and contextual risk factors before being granted. This approach is particularly important for the agency's distributed workforce of field inspectors who access agency systems from regulated facilities, remote offices, and mobile locations across the state.
The Results
After 14 months of systematic remediation, the agency underwent a formal CMMC Level 2 assessment and achieved certification. All 110 NIST 800-171 security practices were implemented and documented, with the assessor noting the thoroughness of the agency's System Security Plan and evidence packages.
The legacy modernization effort transformed the agency's technology foundation. The 85% of legacy systems that were modernized now run on supported platforms with automated patching, centralized management, and proper backup. The remaining 15% — specialized environmental monitoring systems with vendor dependencies — are isolated in segmented network zones with compensating controls documented in the SSP.
The agency now has a fully operational incident response capability for the first time in its history. The formal plan has been tested through three tabletop exercises, and the MDR service has detected and contained 47 security events in the first six months — all resolved before they could impact operations or CUI.
"Federal agencies are increasingly requiring CMMC compliance from their state partners, and we were not prepared. Layer27 didn't just help us check boxes — they modernized our infrastructure, built a real security program, and gave us the monitoring and response capability that a regulatory agency handling sensitive data must have. Our federal partners have confidence in our security posture for the first time, and our staff have modern tools that actually help them do their jobs."
— Chief Information Officer
Key Takeaways
- CMMC Level 2 certification requires comprehensive implementation of all 110 NIST 800-171 controls — there are no shortcuts, and partial compliance is not an option for organizations handling CUI.
- Legacy modernization and compliance go hand in hand — you cannot implement modern security controls on unsupported, unpatched systems. Infrastructure Pro's engineering capability is essential for agencies with significant technical debt.
- Protect Pro and MDR provide the continuous monitoring that CMMC requires — compliance is not a point-in-time achievement but an ongoing operational commitment.
- Zero-trust architecture is particularly valuable for government agencies with distributed workforces, replacing the perimeter-based security model that legacy VPNs cannot adequately support.
Services Provided
- Protect Pro
- Compliance
- Managed Detection & Response
- Infrastructure Pro