Compliance infrastructure buildout: a case study covering the Microsoft 365 migration, DFARS compliance documentation, and the dedicated server environment ETTE built for a Washington, DC nonprofit's Department of Defense contract.

ETTE  ·  Case Study

An entirely new infrastructure for a Washington, DC nonprofit

The client is a Washington, DC-based nonprofit that holds a document management contract with a Department of Defense component. That work involves Controlled Unclassified Information, and the DoD is moving contractors from self-assessment to third-party CMMC audits. Between August 2025 and June 2026, ETTE moved the organization off its aging file server into Microsoft 365, then designed and built a dedicated, DFARS-aligned server environment across its headquarters and a satellite site. This page documents what was built and how. The client's name is withheld; every date and count comes from the project record.

August 2025 – June 2026
Two sites · DC headquarters & satellite office
41
DFARS compliance documents prepared
2
Sites built out, headquarters and satellite
88
Minimum score third-party CMMC assessors require
5
Weeks from hardware delivery to tested remote access

From aging file server to compliant environment

ETTE modernized the client's day-to-day systems first, then built a separate, tightly scoped environment for the defense contract work.

  1. Move to the cloud
    Personal drives to OneDrive, shared files to SharePoint and Teams; the old file server retired
  2. Scope the obligation
    CMMC requirements mapped; scope kept tight to control cost
  3. Document everything
    A System Security Plan plus 41 DFARS compliance documents
  4. Build the environment
    A dedicated server and government-certified firewalls at two sites
  5. Secure the people
    Certificate-backed VPN for hybrid workers; incident reporting readiness; ongoing governance

Two phases: modernize first, then build for compliance

The first phase retired the legacy file server. ETTE analyzed every share, reorganized a decade of files into four functional areas (Accounting, HR, Programs & Services, and Government Contracts), and moved the organization into Microsoft 365, with the migration timed around the nonprofit's annual financial audit so accounting never lost access. The second phase answered a harder problem: the Department of Defense is replacing contractor self-assessment with third-party CMMC audits that require a minimum score of 88, and the client's self-assessed score sat in the 40s. ETTE scoped, documented, and built a dedicated compliant environment in roughly six weeks.

Scope kept deliberately small

Only the defense contract work runs inside the compliant environment. Keeping that boundary tight limits which systems an assessor has to examine, which keeps both the build cost and the ongoing compliance burden down.

Documentation as change control

A buildout runbook served as the authoritative record of the environment; ticket notes tracked execution only. Credentials and configuration details went into ETTE's documentation system rather than email threads, so the record an assessor sees matches what is actually deployed.

Project timeline

Aug 2025
File server analysis
Share-by-share review; four-folder restructure planned; migration mapped around the annual audit
Dec 2025
Migration to Microsoft 365
Shared drives to SharePoint and Teams, personal drives to OneDrive; staff onboarded the following Monday
Jan 2026
Device resets
Workstations rebuilt for cloud-first logins; legacy server wound down
Apr 28
CMMC engagement scoped
Third-party assessment requirement confirmed; build agreement finalized
May 1
Documentation review
41 DFARS compliance documents complete; System Security Plan data collection underway
May 7
Hardware lands
Server delivered; FortiWiFi 60F firewalls on hand for both sites
May 15
On-site network build
Firewall install and office network setup at the client's DC office
Jun 7
Server build complete
On-site server portion done and recorded in the buildout runbook
Jun 9
Remote access tested
Certificate-backed VPN for hybrid workers set up and verified

What the build actually involved

Every item below comes from the project record: working meetings with the client's leadership, the buildout ticket history, and the compliance documentation review. Dates and counts are taken directly from those sources.

Hardware
A dedicated server environment at two sites

ETTE specified the server and firewall hardware, coordinated the orders with the client, and tracked delivery. Two FortiWiFi 60F firewalls went in, one for each site, configured off-site to keep the on-site window short. The server was installed with out-of-band management set up, so ETTE can administer it remotely without opening new holes in the network boundary.

Environment running five weeks after hardware delivery
Remote access
Hybrid workers, without weakening the boundary

Client staff on the contract split their time between home and office, so remote access had to be part of the design rather than an exception to it. ETTE set up VPN access with RADIUS password authentication plus a certificate installed on each machine as a second factor. A password alone gets no one in; the device itself has to be known.

Setup complete and tested June 9, 2026
Incident readiness
The 72-hour reporting obligation, covered

DFARS requires contractors to report cyber incidents to the Department of Defense within 72 hours. ETTE walked the client through obtaining the digital certificate needed to file reports through DIBNet and named the internal contacts responsible for reporting, so the process exists before it is ever needed rather than being improvised during an incident.

Reporting path in place before go-live

Server is scheduled to be delivered tomorrow by 1:30 pm and the firewalls have already arrived. We should be good to go with everything by tomorrow! Thanks Team!

— Chief Operating Officer, client organization · May 6, 2026

Where the client stands now

A separate, defensible environment

The defense contract work now runs in its own environment behind government-certified firewalls at both sites, apart from the organization's day-to-day systems. What an assessor has to examine is small and well defined.

Cloud-first daily operations

Staff work from OneDrive, SharePoint, and Teams. The legacy file server that once held everything, including a decade of stale files, is retired, and workstations were rebuilt for cloud logins.

A path to the required score

The organization entered the engagement with a self-assessed compliance score in the 40s against a third-party requirement of 88. The controls built into the new environment are designed to lift that score into the 80s ahead of the contract's assessment deadline.

Documentation an assessor can follow

The System Security Plan, 41 DFARS documents, and buildout runbook describe the environment as it actually exists, with change control keeping the record and the deployment in step.

Governance that continues

Compliance is not a one-time build. ETTE supports the client with quarterly business reviews and annual tabletop exercises so the posture holds between now and the third-party assessment, and staff acknowledge an acceptable use policy as part of working in the environment.

The team on the build

Descriptions and quoted remarks come from the project's ticket record and working meetings.

Chief Technology Officer
ETTE · Architecture & Compliance
Project lead

Designed the environment and led the compliance work: the System Security Plan, the 41 DFARS documents, and the buildout runbook that served as the authoritative build record. Configured the firewalls, set up the certificate infrastructure behind remote access, and ran the documentation reviews with the client's leadership.

Authoritative build documentation remains the Buildout Runbook per the ticket's change-control rule; this note tracks execution only.
Field Technician
ETTE · On-Site Build

Ran the on-site work: received and verified the hardware, collected the vendor documentation, built out the office network at the client's DC office, and installed the server. Coordinated directly with the client's building contact for site access and kept their COO updated at each step.

Our next step is to finish installing and configuring the firewall, which will allow us to set up the on-site server after that. We'll keep you updated on our progress!
Client Leadership
Client · Operations & Finance

The client's Chief Operating Officer and finance leadership drove the project from their side: hardware approvals and purchasing, site logistics at both locations, and the organizational details the System Security Plan needed. They also took on the compliance roles the environment requires, including the named contacts for DoD incident reporting.

If you hold a government contract

Compliance-driven infrastructure for organizations like this one

Nonprofits and small businesses that hold federal contracts face the same shift this client did: self-attestation is giving way to third-party assessment, and the documentation and infrastructure have to exist before an assessor arrives. ETTE scopes the environment, prepares the compliance library, builds the hardware and access controls, and stays on for the governance side through its Cybersecurity & Compliance and Virtual CISO practices.

The pattern that worked here, keeping the compliant environment small and separate while daily operations run in the cloud, keeps both the build cost and the audit surface manageable for organizations without a large IT budget.