In 2021, RIB U.S. Cost, a long-standing leader in construction cost estimating for federal projects, experienced a breach. A hard drive tied to an affiliate—containing Controlled Unclassified Information (CUI)—was compromised. No data was lost, but the incident was costly and destabilizing.
“We spent more in a month with forensics than I spend in a year now with Summit 7,” said Suzanne Moltzen, CEO of RIB U.S. Cost. “That was the moment I realized—we can’t afford not to take this seriously.”
Though RIB U.S. Cost had already implemented many best practices, most of its compliance know-how lived in Suzanne’s head. That became a liability as they faced increasing pressure to meet CMMC Level 2 requirements. Suzanne knew what needed to be done but lacked the structure and resources to scale it.
“Even if we’re doing the right things, we need to be able to show that we’re doing the right things,” she explained. “Commander Managed GRC helped us translate that into policy and documentation.”
Commander is Summit 7’s new Managed Governance, Risk, and Compliance (GRC) Advisory Solution, empowering DoD contractors to build a fully compliant and sustainable cybersecurity program. With dedicated guidance, Commander offers in-depth support while clearly defining responsibilities. Your organization remains responsible for compliance, but expert consultants provide direct support and strategic oversight to meet every requirement.
For many DoD contractors, compliance feels like climbing Everest alone—with countless steps, a complex map, and uncertainty about where to start. Even when those steps are broken down, the path forward can remain overwhelming.
Commander is your trusted guide for compliance: offering step-by-step oversight through the entire compliance journey and ensuring that at any given moment you’re not alone in navigating CMMC and NIST SP 800-171.
We’ll stick with you all the way to the top—even joining you to support during your assessment.
Many contractors manage compliance with a patchwork of vendors: an MSP on one side, a security provider on the other, and a rotating cast of consultants in between. When something goes wrong, accountability gets murky—and the result is confusion, delays, and finger-pointing.
Commander turns scattered compliance efforts into one streamlined program.
It brings together your technology, security operations, and compliance oversight under a single, structured program so there’s no ambiguity about who’s responsible for what.
With Commander, you gain unified direction, shared responsibility, and coordinated execution across all 320 CMMC assessment objectives.
Commander follows a five-phase path that takes organizations from uncertainty to certification:
Commander worked closely with RIB U.S. Cost’s internal cybersecurity analysts, tailoring documentation and practices to reflect how the company actually operates instead of just what auditors expect.
“The Commander team made sure the policies and procedures flowed with how we do business,” Suzanne said. “It was the biggest sigh of relief when we got that certificate.”
CMMC certification is not a one-time milestone. Most people think the only hard part is getting certified and overlook the ongoing burden of compliance.
Without continuous support, documentation updates, and internal accountability, companies risk falling out of compliance without even realizing it.
That’s why Commander was designed not as a one-time engagement, but as an ongoing partnership. It prepares contractors for future assessments, supports triannual affirmations, and continuously strengthens their security posture.
By integrating with Summit 7’s Guardian (MSP) and Vigilance (MSSP), Commander adds a third and essential pillar: long-term compliance leadership.
Your cybersecurity stack now has aligned technology, active defense, and sustainable governance all working together.
Commander solves this through real-time governance development. The service builds and maintains policies, defines ownership, and documents execution in ways that stand up to audits, all without disrupting day-to-day operations.
This is made possible through Summit 7’s Shared Responsibility Matrix (SRM), which defines the ownership model across all 320 assessment objectives.
Commander influences, supports, or owns 100% of the required controls. Not one objective is carried by your organization alone.
Commander includes:
In short, the Managed GRC advisory approach makes compliance a “we” problem—not just a “you” problem.
Commander is designed to work in tandem with Summit 7’s managed IT and security services—Guardian and Vigilance. These services are a prerequisite, forming the operational and technical foundation needed to support a compliant environment. Once in place, Commander sits on top, aligning your security, IT, and compliance functions into a single, cohesive program.
If your organization already uses Guardian and/or Vigilance, Commander is the natural next step to build a complete and sustainable compliance program. It brings governance and oversight to the foundation already in place—closing the gap between technical controls and audit readiness.
If you're new to Summit 7’s managed services, consider how Guardian, Vigilance, and Commander work together as an integrated solution covering your IT, security, and compliance needs in a unified, purpose-built model.
For RIB U.S. Cost, Commander transformed compliance from a reactive scramble into a proactive program. It turned scattered, undocumented practices into an auditable system that not only achieved compliance—but sustains it.
If you’re a DoD contractor trying to make sense of CMMC—or trying to stay on top of it—Commander gives you structure, support, and staying power.
About Summit 7
Summit 7 is the trusted partner for DoD cybersecurity, compliance, and managed services, with the largest team of certified experts in the Defense Industrial Base (DIB). Specializing in NIST 800-171 and CMMC compliance, Summit 7 supports proactive, excellence-driven federal contractors in securing their systems and achieving regulatory readiness.