Win a DARPA robotics award, a Navy-sponsored acoustics program, or the contract to sustain the equipment that trains military aircrews, and you take on more than the science. You take on Controlled Unclassified Information β and a Department of Defense standard for protecting it that reaches into every login, lab workstation, and file share the work touches. The obligation moves through the contract chain: program offices check for a current score before new awards, primes flow the requirement down to every research partner, and the burden of proof lands on a research-security team that is usually a handful of people supporting thousands of researchers. Good security isnβt enough on its own. It has to be evidenced β objective by objective, in a form an assessor will accept β and kept current while grant deadlines and semesters churn around it. Fall short, and the risk is not a finding in a report. It is the contract itself.
Why we selected this group
LakeRidge is built for serious defense, research, and supply-chain teams, and this group is the flagship proof: state flagships and Carnegie R1 universities, the operator of a DoD University-Affiliated Research Center, and independent scientific R&D labs whose work runs from next-generation memory devices to aeromedical training systems. It is a selected showcase β chosen for caliber and range, not sampled for statistics. It is also the hardest test we could pick: if a compliance platform holds up in security-sensitive, faculty-driven, deadline-shaped environments like these, it holds up.
A note on security and attribution. We selected these organizations to showcase the caliber and range of teams using LakeRidge. Because many operate in sensitive defense, research, and CUI environments, we do not publicly attribute assessment scores, gaps, timelines, test results, or remediation details to specific organizations. Customer names show who trusts the platform; outcomes and journeys are aggregated or anonymized to protect customer security.
Trusted by
Eight U.S. research institutions β seven of them Carnegie R1, including multiple state flagships and the operator of a DoD University-Affiliated Research Center β plus four scientific R&D labs.
Research universities
Universities are where the DoD's hardest long-horizon problems get worked on β and where CUI meets some of the most decentralized IT environments in the defense industrial base. These eight manage that tension every day.
The University of Texas at Austin
The flagship of the University of Texas System and home to the Applied Research Laboratories, a Department of Defense University-Affiliated Research Center conducting Navy-sponsored research in undersea technology, acoustics, and information systems.
University of Georgia
Georgia's flagship public research university, with a research enterprise that recently topped $650 million in annual R&D expenditures across the life sciences, agriculture, and engineering.
University of Massachusetts Amherst
The flagship campus of the University of Massachusetts, ranking first among New England public universities for National Science Foundation awards.
Louisiana State University
Louisiana's flagship land-, sea-, and space-grant university, with a record $488 million in annual research expenditures across its campuses.
Worcester Polytechnic Institute
A private STEM-focused research university in Massachusetts, home to the nation's first robotics engineering department.
University of Houston
A major public research university anchored by the Cullen College of Engineering, whose federal research funding has grown more than 50% since 2019.
University of New Hampshire
New Hampshire's flagship public research university, with nationally recognized strength in space science through its Institute for the Study of Earth, Oceans, and Space, home to NASA-sponsored satellite instrumentation work.
SUNY Polytechnic Institute
New York State's public polytechnic university, anchored by the Albany NanoTech Complex, one of the most advanced publicly owned semiconductor research facilities in the world.
Scientific R&D labs
Independent labs carry the same obligations with even leaner teams β often a small bench of scientists and engineers standing between breakthrough work and a federal standard.
Fraunhofer USA
The American arm of the Fraunhofer-Gesellschaft, Europe's largest applied-research organization, running U.S. research centers in advanced manufacturing, energy, materials science, and software, often in partnership with leading universities.
Cerfe Labs
An Austin-based electronic materials and device research company developing next-generation memory technologies, spun out of Arm Research with a portfolio of more than 150 patent families.
Franklin Scientific
An engineering services firm that maintains, upgrades, and installs the aeromedical training equipment preparing military aircrews for flight, sustaining a fleet of 14 altitude training chambers across the continental United States.
Acumen Scientific
A Goleta, California research and development firm specializing in infrared physics and imaging, with team experience spanning device design and fundamental physics through orbiting imagers.
The challenge
The paperwork now has teeth. DFARS 252.204-7019 and 252.204-7020 require a current NIST SP 800-171 self-assessment score on file in SPRS before new awards; 252.204-7021 flows CMMC requirements down through the subcontract chain; and the CMMC final rule is now phasing certification requirements into new DoD solicitations. A missing or stale score is no longer a back-office gap β it is a reason to lose work.
For research institutions, the exposure runs deeper than lost bids. Under the Department of Justiceβs Civil Cyber-Fraud Initiative, a misstated cybersecurity posture is a False Claims Act problem β and higher education has already been the test case. DOJ intervened in an FCA suit against Georgia Tech over the NIST SP 800-171 score it submitted, and Penn State settled FCA allegations that it misrepresented its compliance with the same standard. Whoever signs the SPRS submission is attesting to something the institution must be able to prove. That is the difference between a checkbox self-assessment and a score in which every one of the 110 practices is answered at the objective level, backed by attached evidence, and timestamped in a record you can hand to an assessor β or a government attorney.
The structural realities of research make that bar genuinely hard to clear. IT is decentralized across colleges, departments, and individual labs. Central security teams are lean, working inside a faculty culture where autonomy is the norm. And on top of the technical work sits the documentation: a System Security Plan and a living body of policy and evidence that thin teams struggle to produce, let alone keep current. What these organizations needed was a single system of record β every requirement laid out as a concrete question, a status and owner for each, evidence attached, and a live score that is always the current truth.
Selected journeys from the data
The journeys below come from timestamped LakeRidge records, aggregated and anonymized: dates are coarsened to seasons, counts are approximate, and descriptors identify only the kind of organization β never which one.
The recovery. A research university onboarded in fall 2024, then went quiet the way university programs usually do β grant deadlines, semester crunch, competing priorities. For months, nothing moved. But the record held its place: every practice status exactly where the team had left it. When work began in earnest in mid-2025, there was no starting over β just the gaps, worked in focused bursts until the program finished at a perfect self-assessed 110 in early 2026. At roughly sixteen months end to end, it was the longest climb in this group, and the most instructive: a stalled program is not a failed program when the record is durable.
The fastest university climb. Another research university went from the unassessed starting state to a perfect self-assessed 110 in roughly three and a half months, from spring 2025 to early fall. The pace looks dramatic; the pattern behind it is disciplined. The team worked in concentrated bursts β LakeRidge holds state between sessions, so a lean staff could pick the assessment up whenever calendars allowed β and drove roughly a hundred practices to audit-ready across about three focused working weeks, largely by capturing and evidencing controls its environment was already running.
The lab that formalized what already worked. A scientific R&D lab arrived in spring 2024 with a tight, well-bounded research environment already in operation. What it lacked was a defensible record. The team spent a handful of concentrated working days answering the assessment at the objective level, attached evidence for controls that were already live, cleared its short remediation list within about a week, and recorded a perfect self-assessed 110 roughly three weeks in β with its System Security Plan generated from the same answers along the way, and revisions published as the environment evolved. The speed was never attestation velocity. It was existing discipline, finally captured in a timestamped record.
The steady climb. A research university that started in summer 2025 shows the opposite tempo. Over roughly four months it kept coming back to the work, spreading remediation across more distinct working weeks than any other organization in the group β the most sustained weekly cadence here β finishing at a perfect self-assessed 110 by late autumn. No sprint, no stall: gap analysis, remediation, audit-ready, each step dated in the record.
How they got compliant
Every firm followed the same LakeRidge path, whatever its starting point.
It begins with the guided gap assessment. Each of the 110 CMMC and NIST SP 800-171 practices is worked at the assessment-objective level, with a determination and supporting evidence recorded per objective and a timestamp on every answer β the difference between an evidence-backed, objective-level 110 and a checkbox self-assessment.
Every practice moves through a plain-English lifecycle β not started, gap analysis, remediation, audit-ready β so a managing partner, a client, or a prime can see at a glance how done the program actually is, without translating anyoneβs spreadsheet.
Gaps become a working POA&M. Each finding turns into a task with an owner and a due date, broken down to the checklist grain small teams actually execute β so the Plan of Action and Milestones doubles as the weekβs work plan rather than a shelf document.
The SPRS score recalculates live. As tasks close and practices reach audit-ready, the score updates on its own β no spreadsheet math, no stale number waiting for someone to remember it.
The SSP is generated, versioned, and kept alive. LakeRidge builds the System Security Plan directly from the assessment answers and publishes it as a versioned release; when the environment changes, firms republish rather than rewrite.
And for the strongest programs, scoping came first. The top performers drew the smallest honest boundary they could β consolidating CUI work into a purpose-built enclave in a government cloud tenant and documenting inherited controls in the SSP instead of leaving them implied.
Aggregate results
Across the twelve organizations β eight universities and four scientific R&D labs β eight hold a perfect self-assessed, evidence-backed 110. All eight universities finished at 100 or above, averaging 109 of a possible 110, with a median climb of about 5.4 months from the unassessed β203 starting state. Eleven of the twelve began exactly there, with no defensible record. Today, 82% of tracked practices are audit-ready, and roughly 100 of about 110 POA&M remediation tasks have been closed. This is what certification preparation should look like: a timestamped, evidence-backed account of how each score was earned and exactly what remains.
In their words
βThe app generated all the required CMMC policies and documentation as well as setting up a compliant Office environment, LakeRidge has been a pleasure to work with.β
β Steve Solomon, President, Acumen Scientific
Ready when you are
See where you actually stand β run the guided gap assessment and get your live, evidence-backed SPRS score in your first week.