Defense contractors and R&D firms sit at the sharp end of the defense industrial base. They design weapons systems, simulation and training platforms, autonomous maritime and undersea sensors, RF and microwave electronics, advanced semiconductors, and the software that ties it all together β and every piece of that work runs on Controlled Unclassified Information: drawings, source code, test data, and technical specifications flowing under DoD contracts. The engineers who would stand up a compliance program are the same engineers shipping contract deliverables.
Meanwhile, the contractual clock is running. DFARS 252.204-7019 and -7020 already require a current NIST SP 800-171 self-assessment score in SPRS β and give the government the right to verify how it was produced. DFARS 252.204-7021 flows CMMC requirements down through the supply chain, and as the CMMC final rule phases assessment requirements into new DoD solicitations, primes are pushing those clauses onto subcontractors ahead of the governmentβs own timeline. For a firm whose entire book of business runs on controlled technical data, a score it cannot substantiate line by line is not a paperwork problem. It is a contract-eligibility risk.
This is the story of how 42 defense engineering and R&D organizations used LakeRidge to turn that risk into a timestamped, evidence-backed record β while their engineers kept shipping.
Why we selected this group
LakeRidge is trusted by serious defense, research, and supply-chain teams, and no group shows the range of that trust better than this one. The selected showcase below spans the defense mission end to end: prime-scale and global defense-systems manufacturers, undersea and autonomous-systems pioneers, simulation and mission-software developers, ballistics and tactical-systems specialists, advanced-research electronics houses, and the engineering-services and specialized-supplier firms that hold the industrial base together. What they share is a security-sensitive workload and a need for compliance they can prove β not merely claim.
A note on security and attribution. We selected these organizations to showcase the caliber and range of teams using LakeRidge. Because many operate in sensitive defense, research, and CUI environments, we do not publicly attribute assessment scores, gaps, timelines, test results, or remediation details to specific organizations. Customer names show who trusts the platform; outcomes and journeys are aggregated or anonymized to protect customer security.
Trusted across the defense mission
Prime-scale & global defense systems
When organizations that operate at prime scale β whose own supply chains generate the flow-downs the rest of the industrial base feels β put their trust in a platform, it says something about what that platform has to withstand. These are high-stakes environments measured in fleets and programs, not projects.
Leonardo US
The U.S. operations of Leonardo, one of the world's largest aerospace and defense groups; trading as Leonardo DRS (NYSE: DRS), a roughly $3.6 billion prime delivering AESA radars, electronic-warfare systems, and reconnaissance technology to U.S. and allied forces.
EthosEnergy USA
One of the world's leading independent service providers for rotating equipment β gas and steam turbines, generators, compressors β with roughly 3,500 employees, customers in over 75 countries, and FAA-certified repair stations supporting military and commercial aviation.
Menatek Savunma
One of TΓΌrkiye's leading manufacturers of systems and subsystems for military land vehicles β suspension, running gear, hull and turret assemblies β serving the Turkish Army, NATO, and the U.S. Army, with prime contractor status with the U.S. Government.
dB Control
A designer and manufacturer of high-power microwave equipment β traveling wave tube amplifiers, power modules, and modulators β for radar, electronic warfare, and data-link platforms worldwide; a subsidiary of HEICO Corporation's Electronic Technologies Group.
Maritime, undersea & autonomous systems
Few environments concentrate more sensitive technical data than undersea sensing and autonomous maritime systems β acoustic signatures, platform designs, and mission software in the Navy's closest orbit. The firms building them are among the most security-sensitive teams in the defense world.
ThayerMahan
A maritime technology company founded by a retired commander of U.S. submarine forces; its autonomous ocean-surveillance platforms deliver persistent acoustic intelligence for the U.S. Navy, Coast Guard, and Customs and Border Protection.
Hydrospace Group
An internationally recognized engineering firm designing and certifying pressure vessels for human occupancy, hyperbaric chambers, and subsea systems, supporting the U.S. Navy, NOAA, Lockheed Martin, and Woods Hole Oceanographic Institution.
Integer Technologies
A Columbia, South Carolina applied research firm advancing power and energy systems, autonomous maritime systems, and digital engineering for the U.S. Navy, including a $25 million Office of Naval Research seabed-warfare program.
Boarhog
A San Diego systems engineering firm founded by a retired SPAWAR executive, supporting U.S. Navy Information Warfare and combat systems across carriers, surface combatants, and submarines, with a prime position on the Navy's Seaport vehicle.
Simulation, training & mission software
Training systems encode how forces actually fight. The source code, scenario data, and platform models behind flight simulators and immersive trainers are among the most CUI-dense artifacts in defense β which makes the teams that build them a demanding proving ground for any platform.
CymSTAR
An aircrew training systems integrator building and sustaining high-fidelity flight and mission simulators for the U.S. Armed Forces and allied nations, serving as prime contractor on major Aircrew Training System programs across platforms including the KC-135 and A-10.
Vizitech USA
A Georgia-based designer of immersive 3D, augmented reality, and virtual reality training experiences spanning defense, education, and healthcare, recognized among the leading augmented reality solution providers.
CATI Training Systems
A developer of real-time image-generation technology for flight and ground-combat training, with a library of more than 100 airfields modeled to FAA Level D detail and systems fielded on the UH-60 Black Hawk and CH-47 Chinook.
Street Smarts VR
A veteran-owned developer of immersive virtual reality training for military, law enforcement, and public safety personnel, deployed across dozens of federal agencies, 50-plus law enforcement agencies, and 60-plus Department of Defense installations.
Solers Research Group
A Florida-based provider of research, training development, and workforce solutions for clients including the U.S. Army, Marine Corps, USDA, and FDIC, applying AI and game-based learning to modernize how people learn.
Ballistics, weapons & tactical systems
Firing solutions, fire control, and soldier-borne equipment put controlled technical data directly into the hands of firms that live or die on precision. Their work reaches every branch of the U.S. military.
Applied Ballistics
A leading authority on the science of external ballistics, founded by aerospace engineer Bryan Litz; its solvers and measured bullet data power products from Kestrel, Sig Sauer, Bushnell, and Leica across military and civilian markets.
Accuracy 1st
A precision-shooting training organization founded by Todd Hodnett, one of the world's most sought-after sniper instructors, delivering advanced instruction to elite U.S. and allied military units from its Texas panhandle facility.
B5 Systems
An American manufacturer of precision firearm components, selected as the U.S. Army supplier of the SOPMOD buttstock and now its primary manufacturer for the Department of Defense, with products in service across every U.S. military branch.
nVision Technology
An Ohio defense engineering firm developing advanced fire control systems for small arms and mortar platforms, built on industry-leading Applied Ballistics software for U.S. defense customers.
Defense electronics, sensing & advanced research
Radar, electronic warfare, sensor exploitation, and extreme-environment semiconductors sit at the research frontier of the defense mission β export-sensitive designs whose protection is a condition of doing the work at all.
Black River Systems Company
An employee-owned engineering firm of more than 100 engineers building advanced sensing, signal processing, and data analytics systems for the Department of Defense, with recognized expertise in counter-UAS and advanced surveillance radar.
CoolCAD Electronics
A University of Maryland spinoff and one of a small handful of companies worldwide able to design and fabricate its own silicon carbide chips for extreme environments, developed with partners including DARPA and NASA.
Equinox Corporation
A defense technology firm specializing in intelligent image and sensor exploitation β fusion, target detection, tracking, and recognition β supporting customers across all branches of the U.S. Department of Defense.
Pelatron Technologies
A Native Hawaiian Organization-owned engineering firm and innovator of tactical communication technologies, delivering deployable command-and-control networks to federal customers through vehicles including GSA 8(a) STARS III and SeaPort-NxG.
ITS Aerospace
A Colorado Springs engineering and technical services firm supporting more than 35 DoD and federal programs worldwide with systems engineering, test engineering, and mission software, drawing on a Top Secret-cleared workforce.
LZ Technology
A woman-owned engineering and IT firm based beside NASA's Johnson Space Center, with contributions to more than 279 NASA space program projects for federal and aerospace clients.
Virtual Laser Application Design
A specialized consultancy for the laser material processing industry, led by a former Penn State Applied Research Laboratory scientist whose research on laser-metal interaction physics is widely cited.
Engineering services, acquisition support & specialized suppliers
These firms are the connective tissue of the defense industrial base β their analysts, engineers, and supply-chain specialists touch data from many programs at once, which makes disciplined CUI handling a core professional obligation rather than an overhead line.
RoundTable Defense
A veteran-owned systems engineering firm specializing in test and evaluation, operations research, and acquisition management for defense organizations including the U.S. Army Test and Evaluation Command and Headquarters Marine Corps.
DCI Solutions
A defense technology firm headquartered at Aberdeen Proving Ground, supporting U.S. Army systems engineering from basic research through major ACAT I acquisitions with a roughly 130-person team of engineers and AI/ML specialists.
SciTech Services
A science- and technology-driven defense contractor supporting the Department of Defense since 1990, specializing in chemical, biological, radiological, nuclear, and explosive defense for partners including the U.S. Army's Edgewood Chemical Biological Center.
Tenax Technologies
A woman-owned engineering firm supporting Aberdeen Proving Ground commands including the DEVCOM laboratories and C5ISR Center, with more than $43 million in federal contract awards across 100-plus task orders.
KaDSci
A service-disabled veteran-owned analytics and decision-science firm serving the U.S. Army, the Department of Defense, and the intelligence community, with work on one program credited with roughly $1 billion in cost avoidance.
Command Strategies
An Arlington, Virginia consulting firm helping research universities and defense industry win federal R&D work, with a track record including an estimated $125Mβ$180M in annual RDT&E funding generated for clients.
Defense Consulting & Technology
A Melbourne, Florida professional services firm connecting government and defense organizations with top-tier talent across strategic planning, project management, and operational support.
Custom Enterprises Group
A service-disabled veteran-owned firm delivering business management and program management support to federal agencies, staffed by professionals drawn from the military, government, academia, and industry.
DBMGlobal
A contractor and services firm supporting the defense supply chain, helping deliver the goods and services that mission-critical programs depend on.
SolutionFoundry
An engineering services firm serving the defense supply chain, partnering with prime contractors and government programs to turn demanding technical requirements into mission-ready results.
Alpha Terra Engineering
A San Antonio service-disabled veteran-owned firm delivering architectural and engineering design and facility assessments, having evaluated more than 20,000 facilities at 84 military installations from Greenland to Korea.
Hiti
Homeland Intelligence Technologies International, a veteran-operated defense services firm supporting the U.S. Government and allied foreign militaries with foreign military sales support and military training for more than two decades.
EOS-AV
A woman-owned aerospace supply-chain specialist managing parts provisioning and repair administration for customers including the Defense Logistics Agency and U.S. Coast Guard, across Boeing, Airbus, Embraer, and Lockheed Martin platforms.
The challenge
The CUI these firms handle lives in the tools their engineers use every day: CAD and simulation environments, code repositories, developer workstations, test rigs, and file shares. Whether the organization is a single-team research shop or a multi-facility product company, the CMMC Level 2 bar is the same 110 practices of NIST SP 800-171 β and the recurring problems were remarkably consistent. CUI spread across general-purpose IT with no clean system boundary. Audit logging, encryption, and media handling that existed in practice but not in evidence. Policy sets too thin to hand an assessor. An assessor wants a defensible system boundary, a System Security Plan with per-control narratives, and repeatable evidence β not just working technology. The engineering challenge was to lock all of that down without pulling engineers off contract work, and to be able to show, at any moment, exactly where the program stood.
Selected journeys from the data
Every determination, stage change, and score recalculation in LakeRidge is timestamped, so progress here is provable rather than asserted. The journeys below are drawn from that record β aggregated and anonymized, with dates coarsened and counts approximated, each labeled only by the class of organization it belongs to.
The seven-week formalization. A simulation-and-training developer opened its guided gap assessment in late summer 2025 where every contractor starts: unassessed at -203, with no defensible record. Years of disciplined engineering had already put most of the controls in place β the work was bringing them into the record and making them provable. About seven weeks later, in autumn 2025, the firm posted a perfect self-assessed 110, every determination recorded and dated, and it has kept publishing SSP revisions in the months since.
The restart and the surge. A defense-systems manufacturer holds a practice record on LakeRidge dating back to spring 2022 β and shows what re-engaging looks like. In spring 2026 the program surged: dozens of POA&M tasks opened and mostly closed, roughly thirty policy documents published, and a score climbing out of negative territory into the mid-90s by summer 2026 β still moving.
The two-year grind, fully closed. An engineering-services firm started deep in negative territory in spring 2023 and reached a perfect self-assessed 110 by mid-2025, opening roughly 120 POA&M remediation tasks along the way β and closing every single one before calling the program done.
The honest mid-climb. A training-systems developer started unassessed in early 2026 and, across roughly six consecutive weeks in late spring 2026, drove about 45 practices to audit-ready β publishing SSP revisions in the same window, its score still early in the climb. Nothing about the remaining work is hidden: every practice not yet audit-ready sits in a visible stage of the record, exactly where an assessor expects to find it.
Maintenance mode, proven. At the far end of the arc, a training-services firm has held a near-perfect score for roughly three years, republishing its System Security Plan as the environment changes β continuous monitoring, not a plaque on the wall.
How they got compliant
Every firm followed the same LakeRidge path, whatever its starting point.
It begins with the guided gap assessment. Each of the 110 CMMC and NIST SP 800-171 practices is worked at the assessment-objective level, with a determination and supporting evidence recorded per objective and a timestamp on every answer β the difference between an evidence-backed, objective-level 110 and a checkbox self-assessment.
Every practice moves through a plain-English lifecycle β not started, gap analysis, remediation, audit-ready β so a managing partner, a client, or a prime can see at a glance how done the program actually is, without translating anyoneβs spreadsheet.
Gaps become a working POA&M. Each finding turns into a task with an owner and a due date, broken down to the checklist grain small teams actually execute β so the Plan of Action and Milestones doubles as the weekβs work plan rather than a shelf document.
The SPRS score recalculates live. As tasks close and practices reach audit-ready, the score updates on its own β no spreadsheet math, no stale number waiting for someone to remember it.
The SSP is generated, versioned, and kept alive. LakeRidge builds the System Security Plan directly from the assessment answers and publishes it as a versioned release; when the environment changes, firms republish rather than rewrite.
And for the strongest programs, scoping came first. The top performers drew the smallest honest boundary they could β consolidating CUI work into a purpose-built enclave in a government cloud tenant and documenting inherited controls in the SSP instead of leaving them implied.
Aggregate results
Across the 42 organizations measured, the average self-assessed SPRS score stands at 93 out of 110 β 27 hold a perfect, evidence-backed 110, and 30 sit at 100 or better. Thirty-one of the 42 began at the unassessed starting state of -203, with no defensible record, and the median climb from that floor ran about five months β the fastest arrivals formalizing controls that were already operating rather than building from scratch. Today, 84% of tracked practices are audit-ready, roughly 700 of about 900 POA&M remediation tasks are closed, and 90 SSP revisions have been published β everything that remains sits on a live POA&M: countable, not vague.
What customers say
βIn a growing complex field of cyber security, it is very difficult to find a simple flashlight for small companies to find their way through the dark labyrinth. The App is very well organized and most helpful in guiding our way forward.β
β Will Kohnen, President, Hydrospace Group
βApp is very easy to use and very straight forward. I have seen many apps in searching for a company to work with, the LakeRidge app was by far easier to use.β
β Chris Clark, Vice President/COO, EOS AV Corp
Ready when you are
See where you actually stand β run the guided gap assessment and get your live, evidence-backed SPRS score in your first week.