David’s Story, Chapter 2: Hitting The Market Window
David sat at the head of the conference table next to his 2nd floor office. No windows in this end of the building. His company had grown fast, from 50 employees to 250 in three years, thanks to great products, strong demand in the private sector, and a team that worked well together. Now, the company had its eyes set on the government market—a vast, high-stakes opportunity. But there was a catch.
Certification.
Government contracts came with a thicket of regulatory requirements: NIST SP 800-171, CMMC, ISO 27001, you name it. Compliance wasn’t just a box to check; it was a shift in how business processes are engineered and automated, and every department had a part to play.
Finance was doing its part. Engineering was updating the product to suit the environment in which it would be used and had started security reviews. Facilities had upgraded physical security and tightened access control, and a process had been started to get security clearance for select employees.
But IT, well, that was another story.
David had outsourced the company’s IT department 2 years ago to save costs, improve uptime, and generally leave it to the experts. His Managed Service Provider (MSP) looked good on paper and had done a good job until now: good SLA numbers, competitive rates, and solid reviews. But now, when the company needed IT to help drive its move into the government market, to enable other departments and help bring security and compliance to products, people, and processes, it was coming up short.
David leaned back in his chair and rubbed his temples.
He’d just gotten off a call with the VP of Engineering. “We can’t finalize the security documentation without the infrastructure specs,” she had said.
It wasn’t the first complaint. The compliance officer had raised concerns, too. Delays in getting access logs, concerns about data residency, and now the window to pursue a key federal RFP was closing. Once the contract was awarded, it would be locked up for years.
David took a breath. He thought about the 250 people who worked here. The late nights. The product launches. The momentum they’d built.
And how that momentum was suddenly looking fragile.
He needed help. More importantly, he needed a decision.
Two days later, David called an emergency executive leadership meeting. The department heads filtered in, their faces expectant and tired. When everyone was seated, David spoke.
“I’m going to be blunt,” he said. “The government market is the future for this company. But we’re losing ground because we can’t move fast enough. Everything we do is becoming more digital every day and gets more integrated with our IT. Today, it’s compliance and certification but tomorrow it could be something else.”
Murmurs.
David continued. “We need an IT partner that gets this and is capable of driving IT integration everywhere. Sure, we need ticketing and troubleshooting, but we also need regulatory readiness today, and a digital twin tomorrow.”
The CFO leaned forward. “So… what’s the solution? Bring IT back in-house?”
“That’s one option,” David said. “But it’s costly and not quick enough. We’d have to hire a team, build capabilities, define roles, and we don’t have that kind of time. The RFP drops in four months. Besides, all the reasons we went with an MSP are still valid.”
Silence.
Then, from the compliance officer: “There’s a middle path. I know a few boutique firms that specialize in being an MSP and an MSSP at the same time, and they have experience with government readiness. They can even offer vCISOs who can work with various internal departments and certifying bodies. They understand things like FedRAMP and CMMC, and they know how to run point.”
David nodded. “I’ve heard of that. It is definitely an option we need to consider.”
David looked around the room. “But let me be clear: this is not just IT’s problem. It’s our problem. If we don’t solve it now, we lose momentum. And if we lose that, we’re playing catch-up for years.”
Heads nodded.
“Here’s what we’ll do,” David said, decision firm in his voice. “I’ll personally engage a firm this week. Compliance, work with me on vetting. Legal, prep for contract amendments. Engineering, keep moving—assume we get what we need. Everyone else, support where needed.”
Four weeks later, David had found just what he needed. He was pushing forward with Integrated IT, a firm that had mastered both the MSP and MSSP roles and focused on companies just like his. Integrated IT moved like a seasoned field commander, coordinating across teams, translating compliance-speak into clear, actionable steps, and making it happen.
Months later, David and team won the contract.
David stood again in that same conference room. The office was unchanged, but his company was transformed.
Starting in October 2025, the Department of Defense (DoD) will begin including CMMC requirements in new contracts.