Compliance infrastructure buildout: a case study covering the Microsoft 365 migration, DFARS compliance documentation, and the dedicated server environment ETTE built for a Washington, DC nonprofit's Department of Defense contract.
An entirely new infrastructure for a Washington, DC nonprofit
The client is a Washington, DC-based nonprofit that holds a document management contract with a Department of Defense component. That work involves Controlled Unclassified Information, and the DoD is moving contractors from self-assessment to third-party CMMC audits. Between August 2025 and June 2026, ETTE moved the organization off its aging file server into Microsoft 365, then designed and built a dedicated, DFARS-aligned server environment across its headquarters and a satellite site. This page documents what was built and how. The client's name is withheld; every date and count comes from the project record.
From aging file server to compliant environment
ETTE modernized the client's day-to-day systems first, then built a separate, tightly scoped environment for the defense contract work.
-
Move to the cloudPersonal drives to OneDrive, shared files to SharePoint and Teams; the old file server retired
-
Scope the obligationCMMC requirements mapped; scope kept tight to control cost
-
Document everythingA System Security Plan plus 41 DFARS compliance documents
-
Build the environmentA dedicated server and government-certified firewalls at two sites
-
Secure the peopleCertificate-backed VPN for hybrid workers; incident reporting readiness; ongoing governance
Two phases: modernize first, then build for compliance
The first phase retired the legacy file server. ETTE analyzed every share, reorganized a decade of files into four functional areas (Accounting, HR, Programs & Services, and Government Contracts), and moved the organization into Microsoft 365, with the migration timed around the nonprofit's annual financial audit so accounting never lost access. The second phase answered a harder problem: the Department of Defense is replacing contractor self-assessment with third-party CMMC audits that require a minimum score of 88, and the client's self-assessed score sat in the 40s. ETTE scoped, documented, and built a dedicated compliant environment in roughly six weeks.
Scope kept deliberately small
Only the defense contract work runs inside the compliant environment. Keeping that boundary tight limits which systems an assessor has to examine, which keeps both the build cost and the ongoing compliance burden down.
Documentation as change control
A buildout runbook served as the authoritative record of the environment; ticket notes tracked execution only. Credentials and configuration details went into ETTE's documentation system rather than email threads, so the record an assessor sees matches what is actually deployed.
Project timeline
What the build actually involved
Every item below comes from the project record: working meetings with the client's leadership, the buildout ticket history, and the compliance documentation review. Dates and counts are taken directly from those sources.
Third-party assessors work from paper, so the documentation came before the hardware. ETTE prepared 41 DFARS compliance documents and a System Security Plan covering both sites, down to details like monthly scanned-document volumes, physical security controls at each location, and video surveillance retention at the DC building. Staff acknowledgment of an acceptable use policy became part of the standard onboarding for anyone touching the contract work.
ETTE specified the server and firewall hardware, coordinated the orders with the client, and tracked delivery. Two FortiWiFi 60F firewalls went in, one for each site, configured off-site to keep the on-site window short. The server was installed with out-of-band management set up, so ETTE can administer it remotely without opening new holes in the network boundary.
Client staff on the contract split their time between home and office, so remote access had to be part of the design rather than an exception to it. ETTE set up VPN access with RADIUS password authentication plus a certificate installed on each machine as a second factor. A password alone gets no one in; the device itself has to be known.
DFARS requires contractors to report cyber incidents to the Department of Defense within 72 hours. ETTE walked the client through obtaining the digital certificate needed to file reports through DIBNet and named the internal contacts responsible for reporting, so the process exists before it is ever needed rather than being improvised during an incident.
Server is scheduled to be delivered tomorrow by 1:30 pm and the firewalls have already arrived. We should be good to go with everything by tomorrow! Thanks Team!
— Chief Operating Officer, client organization · May 6, 2026Where the client stands now
The defense contract work now runs in its own environment behind government-certified firewalls at both sites, apart from the organization's day-to-day systems. What an assessor has to examine is small and well defined.
Staff work from OneDrive, SharePoint, and Teams. The legacy file server that once held everything, including a decade of stale files, is retired, and workstations were rebuilt for cloud logins.
The organization entered the engagement with a self-assessed compliance score in the 40s against a third-party requirement of 88. The controls built into the new environment are designed to lift that score into the 80s ahead of the contract's assessment deadline.
The System Security Plan, 41 DFARS documents, and buildout runbook describe the environment as it actually exists, with change control keeping the record and the deployment in step.
Compliance is not a one-time build. ETTE supports the client with quarterly business reviews and annual tabletop exercises so the posture holds between now and the third-party assessment, and staff acknowledge an acceptable use policy as part of working in the environment.
The team on the build
Descriptions and quoted remarks come from the project's ticket record and working meetings.
Designed the environment and led the compliance work: the System Security Plan, the 41 DFARS documents, and the buildout runbook that served as the authoritative build record. Configured the firewalls, set up the certificate infrastructure behind remote access, and ran the documentation reviews with the client's leadership.
Ran the on-site work: received and verified the hardware, collected the vendor documentation, built out the office network at the client's DC office, and installed the server. Coordinated directly with the client's building contact for site access and kept their COO updated at each step.
The client's Chief Operating Officer and finance leadership drove the project from their side: hardware approvals and purchasing, site logistics at both locations, and the organizational details the System Security Plan needed. They also took on the compliance roles the environment requires, including the named contacts for DoD incident reporting.
If you hold a government contract
Compliance-driven infrastructure for organizations like this one
Nonprofits and small businesses that hold federal contracts face the same shift this client did: self-attestation is giving way to third-party assessment, and the documentation and infrastructure have to exist before an assessor arrives. ETTE scopes the environment, prepares the compliance library, builds the hardware and access controls, and stays on for the governance side through its Cybersecurity & Compliance and Virtual CISO practices.
The pattern that worked here, keeping the compliant environment small and separate while daily operations run in the cloud, keeps both the build cost and the audit surface manageable for organizations without a large IT budget.