The Challenge
Synergy Business Innovation & Solutions is a software development company and federal systems integrator serving the Department of Defense. Already holding ISO 9001, ISO 20001, and ISO 27001 certifications, the company recognized that CMMC certification would soon become mandatory to compete for DoD contracts.
But when Chuck Irvin, Synergy’s Facility Security Officer (FSO), began evaluating solutions, the costs were prohibitive. “We were getting estimates for GCC or GCC High that were two to three times what we paid for PreVeil,” Chuck recalled. VDI solutions would cost over $150,000 across five years.
More importantly, Synergy needed a solution that its 2-person IT team could manage. “Adding a VDI solution would exceed our bandwidth because now we have another IT system to take care of,” Chuck explained.
Despite holding three ISO certifications, Chuck discovered his initial CMMC documentation fell short. “I had already done a draft SSP, but as we started getting into it, I realized I was nowhere close.”
The Solution
After conducting a thorough evaluation of multiple C3PAOs and advisors, Synergy found its answer.
“When we found PreVeil and a C3PAO said, ‘You can achieve CMMC with PreVeil and stay in your commercial tenancy. You don’t have to go with GCC High,’ we realized that was the most economical & shortest path to certification.”
Chuck Irvin
FSO, Synergy Business Innovation & Solutions
Technology Stack:
Synergy’s CMMC environment includes:
- PreVeil for secure email and file sharing
- Microsoft 365 E5 licensing (commercial tenancy)
- Azure Defender for endpoint protection
- Cisco Duo for MFA compliance
- Dedicated CMMC laptops for the 20-user CUI scope
CUI Workflow with PreVeil
Synergy established a clear workflow for handling CUI:
- Bid/Proposal Phase: CUI workflows through PreVeil secure email and drive
- Contract Award: Customer added to the whitelist
- Email Gateway: If CUI arrives at a commercial email, PreVeil automatically redirects to the CUI system
- Customer Communication: “We automatically pull it over into the CUI system and inform the customer to use the secure address,” Chuck said
Documentation
Even with ISO maturity, Synergy relied heavily on PreVeil’s documentation and resources. “Even for someone like us who were mature with our 27001, there are things in the Compliance Accelerator that really help,” Chuck said.
“Every time we got to a point where we’re like, ‘What do we do here?’ we’d go look at ACME in the Compliance Accelerator. It gave us that frame of reference — sort of like having a buddy that did the same thing that you can pick their brain.”
Assessment Preparation
Synergy’s preparation focused on 3 documents:
Evidence Organization: “We went through all the controls and snapped evidence for each one, top to bottom,” Chuck explained. “For every control family, we saved all the JPEGs.”
Control Mapping: The team created a control objective evidence-mapping spreadsheet that documents every requirement, including screenshots and file locations.
Operational Checklist: “We created a cadence spreadsheet — daily, weekly, monthly tasks — instead of flipping through the 200-page-plus SSP document every time.”
“The biggest thing was having that checklist and pictures. When the assessor said, ‘Show me this control,’ I could pull up the JPEG and say, ‘Here it is in Defender, here’s the policy, and this is what it does.'”
Chuck Irvin
FSO, Synergy Business Innovation & Solutions
The Result
Synergy achieved a perfect 110 CMMC Level 2 score.
“The assessment went well,” Chuck said. “We had a checklist for everything they’d look at. If something didn’t immediately come to mind, I could look at the evidence pictures we took and find it.”
Significant Cost Savings
Saved $100k vs VDI over 5 years and 2-3x vs GCC High
Early Adopter Advantage
By certifying early, Synergy positioned itself in an elite group. They’re among the first 0.1% of companies to get CMMC certified.
“It really is a license to shop. People going after these contracts are looking for either a prime or a sub. It’s a huge faucet to drink from because we’re early adopters.”
Chuck Irvin
FSO, Synergy Business Innovation & Solutions
Manageable for Small Teams
Synergy proved that CMMC compliance doesn’t require massive IT departments. “The IT shop is one other guy and me, and we can manage it easily,” Chuck said.
Recommendations for Other SMBs
Based on Synergy’s experience, Chuck offers three key recommendations for defense contractors pursuing CMMC:
1. Start with the Right Tools
“Definitely go with the Compliance Accelerator and start with the GRC tool from day one. It’ll make it a lot easier on the back end.”
2. Build Evidence Checklists with Photos
“Go through all 110 controls and snap evidence for each one. When the assessor asks to see a control, you can pull it up immediately.”
3. Create an Operations Cadence
“Build a daily, weekly, and monthly checklist instead of flipping through the 200-page SSP every time. That makes ongoing compliance actually manageable.”
