Giga-Green Giga-Green

CMMC Consulting

Network & Endpoint Hardening

Technical implementation of the CMMC controls that assessors touch first — segmentation, MFA, encryption, endpoint detection, and configuration baselines aligned to NIST SP 800-171 SC, AC, CM, and SI control families.

Network & Endpoint Hardening

Most Level 2 assessments come apart at the same handful of controls — MFA that isn’t universal, endpoints without EDR, network segments that don’t actually segment, encryption gaps in transit or at rest, and configuration baselines that exist only as verbal tribal knowledge.

Hardening is the technical work that fixes those. It’s where the SSP stops being aspirational and starts being defensible.

What we deliver

  • Segmentation & boundary: VLAN and firewall/ACL review with a documented CUI-boundary diagram your assessor can walk.
  • MFA everywhere feasible: administrator, VPN, cloud, and application access — aligned to AC.L2-3.1.11 and IA.L2-3.5.3.
  • Encryption baseline: TLS 1.2+ enforced, disk encryption verified, cloud-storage encryption confirmed — SC.L2-3.13.8, SC.L2-3.13.11.
  • Endpoint detection & response: EDR deployed and tuned for L2 expectations, with alerting into your monitoring workflow.
  • Configuration baselines: written CIS-aligned baselines for workstations, servers, and mobile devices — CM.L2-3.4.1, CM.L2-3.4.2.
  • Vulnerability scanning: recurring scans with a documented triage-and-remediate cadence — RA.L2-3.11.2, RA.L2-3.11.3.
  • Evidence packaging: everything above documented for your SSP, with the exported configs, screenshots, and control-family narrative your C3PAO expects.

Why we take this approach

We’ve seen too many contractors reach a C3PAO assessment with a well-written SSP describing controls the environment doesn’t actually implement. That gap is where conditional certifications get issued — or worse, denied.

Hardening under Giga-Green is a paired activity: the engineer implementing the control is the same person writing the paragraph that describes it in the SSP. No handoff, no version drift.

Frequently asked questions

What NIST 800-171 control families does hardening cover?

Primarily System & Communications Protection (SC), Configuration Management (CM), Access Control (AC), Identification & Authentication (IA), and System & Information Integrity (SI). Together these cover about half of the 110 Level 2 controls and most of the highest-weighted SPRS items.

Do you bring your own security tools or do you use ours?

We use your tools. If your Microsoft 365 tenant already licenses Defender for Endpoint, Defender for Cloud Apps, and Intune, we configure those. If you have a different stack, we work with what's there. We only recommend new tooling when your existing stack cannot meet a specific control.

How long does a typical hardening engagement take?

6 to 12 weeks for a small-to-mid-size DIB supplier, depending on the size of the environment and the number of unhardened systems. Larger multi-site environments extend the timeline.

What is a Configuration Management (CM) baseline and why does CMMC require one?

A CM baseline is a documented, tested set of configurations for each in-scope system type — workstation, server, network device, mobile device. CMMC Level 2 requires baselines be documented and changes to them be controlled (CM.L2-3.4.1 through CM.L2-3.4.5). Without a baseline, "how do you know what's configured" becomes a finding the assessor cannot resolve.

Do we need a Security Operations Center (SOC) for CMMC?

Not strictly — but you need someone monitoring your EDR, reviewing audit logs, and responding to incidents. Some clients staff this internally; others use a managed detection and response (MDR) service. We help you decide which model fits your team and stitch either into your SSP and IR plan.

Is this engagement fixed-price or time-and-materials?

Scope is set during discovery, then delivered against a fixed statement of work. Unforeseen scope changes (e.g., you discover an unmanaged datacenter mid-engagement) are handled as a change order, not billed hourly against the original SOW.

Ready to talk?

Tell us where you are in your CMMC journey and we'll follow up within one business day.