Reflections on Achieving a 110/110 CMMC 2.0 Audit Score
The road to CMMC 2.0 Level 2 compliance is often described as a marathon, but for those of us in the trenches of federal IT, it felt more like a gauntlet. After months of late-night troubleshooting, documentation marathons, and technical hardening, I’m proud to share a major milestone: we’ve officially completed our audit with a perfect score of 110/110.
Beyond the "Compliance Box"
Reaching a 110 isn’t just about administrative due diligence; it’s a validation of the technical architecture I’ve spent the last several years refining. Throughout this process, my goal was never just to "pass" the audit; it was to build a functional, resilient fortress for Controlled Unclassified Information (CUI).
Compliance on paper is one thing, but ensuring that security controls actually work without hindering the mission is where the real challenge lies.
The Technical Pillars of Success
Achieving full marks across all NIST SP 800-171 controls required a deep dive into every corner of our environment. A few key areas that were critical to this success include:
Zero Trust in Practice: We leaned heavily into Microsoft Entra ID and Intune to move beyond the traditional perimeter. Proving that "Zero Trust" was a daily reality for every endpoint, not just a buzzword, was essential.
Visibility & Detection: Fine-tuning tools like Microsoft Defender and working with our Managed Security Service Provider, VigilantSec (https://vigilantsec.net/), allowed us to demonstrate the proactive monitoring capabilities auditors demand. Being able to see, log, and react to threats in real time was a cornerstone of our 110 score.
Infrastructure Integrity: From managing LUKS-encrypted Ubuntu servers to hardening our cloud footprint, every technical control was mapped directly to a requirement.
A Mission-First Perspective
Having served in Operation Iraqi Freedom, I’ve always viewed IT through the lens of mission readiness. Securing the Defense Industrial Base (DIB) feels like a natural continuation of that service. Passing this audit with a perfect score is more than a professional win—it’s a guarantee to the warfighters we support that their data is in safe hands.
The Finish Line is Just a New Starting Block
A perfect score is a great milestone, but in the world of cybersecurity, the work is never truly "done." The 110 reflects our status today, but the threat landscape of tomorrow is already shifting. The focus now moves from attaining compliance to sustaining it, ensuring our security culture remains as robust as the systems we’ve built.