Summit 7 Trust Center
When Security Engineering is done right, compliance naturally follows.
At Summit 7, we practice what we preach. We believe that compliance and security go hand in hand. We use the same platform and security design for our day-to-day workloads that we provide to our customers. We leverage our own helpdesk and security operations center professionals that provide services to our customers. We live, eat, and breathe NIST 800-171 in all that we do – and are constantly using that experience to improve our customer experience.
While many service providers leverage the hottest tools and outsourced security services, Summit 7 leadership set the mandate from the outset that only FedRAMP Moderate or High solutions found in the FedRAMP Marketplace would be leveraged in our service delivery, with stringent compliance and security reviews when considering new solutions.
How we meet CMMC Level 2 Security Requirements
Summit 7’s internal policies, procedures, work instructions, and technical infrastructure fully meet the NIST SP.800-171r2 requirement set of 110 requirements and 320 Assessment Objectives. This includes the infrastructure used to support Summit 7 internal requirements as well as Summit 7 Guardian and Vigilance customers. All in-scope Cloud Service Providers in use by Summit 7, including CUI Assets and Security Protection Assets, meet FedRAMP Moderate or FedRAMP High requirements. This includes Microsoft 365 GCC High and Microsoft Azure Government, among others.
With respect to the DFARS 252.204-7012 (c) – (g) requirements, Summit 7 maintains the appropriate DoD medium security certificates and relationships with the DoD Cyber Crime Center (DC3) to report both cyber incidents and malicious software. Additionally, Summit 7 is prepared to support the DoD with access to conduct forensic analysis and cyber incident damage assessment activities. All Cloud Service Providers used by Summit 7 also support the forensic analysis and cyber incident damage assessment activities if requested by the DoD.
Summit 7 senior officials maintain the appropriate DoD medium security certificates to annually affirm continuing compliance with the NIST SP.800-171r2 requirements in SPRS.
Summit 7 successfully passed dual CMMC L2 Certification assessments with a date of January 31, 2025. Our Certification is valid through January 30, 2028. Summit 7 completed two separate CMMC L2 certifications. The first certification was for Summit 7’s Corporate environment and the second certification was for Summit 7’s Managed Services scope that includes our Guardian (MSP) and Vigilance (MSSP) services. Copies of our certification are available upon request.
Summit 7 provides a Shared Responsibility Matrix to all of our Guardian and Vigilance customers that illustrates how Summit 7 services help satisfy the underlying dependencies that span the requirements contained in NIST SP.800-171r2. The CRM addresses all 320 Assessment Objectives defined in NIST SP.800-171A. The matrix identifies whether the Customer, Summit 7 Guardian, or Summit 7 Vigilance has the appropriate actions for a given Assessment Objective. This is a critical component of successfully completing a third-party assessment, as it outlines which party is responsible for answering the questions for each assessment objective in a given scope.
How we go beyond CMMC Level 2
Summit 7 intends to complete ISO 27001 Certification in CY 2025. This will demonstrate the formality and maturity of our existing security program.
Summit 7 requires all personnel on our Guardian and Vigilance support teams, as well as our project services teams, to hold active DoD 8570.1 IAT Level II or Level III certifications. The approved certifications are listed here: DoD Approved 8570 Baseline Certifications – DoD Cyber Exchange. This is the same standard that the DoD requires for administrative access to any government-owned system. We believe that we should treat our customers’ systems with the same level of professionalism and care. Summit 7 encourages the growth of our employees by providing continuous financial support for their efforts to gain technical certifications that advance their knowledge of our supported platforms. This results in a better educated support team for our customers and career development for our team members.
Azure Expert MSP is the most elite of all Microsoft Partner Designations. There are only 23 companies in the United States with this designation and Summit 7 is the only partner focused on the Microsoft Government Cloud. The Azure Expert MSP certification requires an annual third-party audit that includes over 65 requirements for solution design, implementation, support and security.
Summit 7 holds 5 Microsoft Solution Partner Designations and 11 Advanced Specializations. The requirements for these are significant and many require an annual audit in addition to meeting specific requirements. Our commitment to maintaining and expanding our skill sets across the Microsoft platform gives our customers confidence in the technical recommendations that we provide.
Our Team
29 CCPs
6 CCAs
14 CISSPs
137 Security+ Holders
44 Advanced MS Security Certifications
Certifications
CMMC Level 2
Azure Expert MSP
ISO 27001:2022 Pending Q4 2025
