Background 

Cayuse Holdings is a family of Native-owned companies that service three primary industry segments: Government (federal, state, and local), Commercial (non-government), and Native Solutions (tribal governments, tribal entities, or native owned businesses). Cayuse expanded from commercial clients into federal contracting in the mid-2010s which introduced new compliance requirements, including the Cybersecurity Maturity Model Certification (CMMC). "CMMC means you have to prove what you said you were doing with your cybersecurity,” explained Brady Murry, Information Systems Security Manager (ISSM) at Cayuse Government Operations, LLC. “The best way we found to do that was by moving our companies associated with federal contracts into Microsoft GCC High and Azure Government environments.” 

Challenge 

Initially, Cayuse partnered with another large MSP to stand up their Microsoft Government Community Cloud (GCC) High and Azure Government environments. Although the setup met technical needs, post-implementation support quickly faltered. “We found that the implementation was good, but as soon as it was done, those experts weren’t as available,” Murry noted. “We had poor support, slow responses, and very slow resolve time. So, we started looking for other companies who could fulfill our needs, and Summit 7 quickly became the frontrunner because of their extensive experience in cybersecurity and compliance.”  

Solution 

In 2022, Cayuse transitioned to Summit 7, a provider recognized for its expertise in CMMC compliance and reliable post-implementation support. Summit 7 began with a detailed assessment of Cayuse's IT environment to identify necessary upgrades and security controls. The Summit 7 team then introduced their Guardian Managed Services (MSP) and Vigilance Managed Security Services (MSSP) to provide ongoing monitoring and compliance support. “The support from everyone at Summit 7—project managers, billing team leads, and even individual techs within Guardian and Vigilance—has been phenomenal,” Murry added. 

Proactive Compliance Efforts

In 2023, with CMMC certification timelines still pending, Cayuse decided to enroll in the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) Joint Surveillance Voluntary Assessment (JSVA) program. The JSVA allowed Cayuse to undergo a full assessment against CMMC Level 2 controls, ensuring they met federal requirements ahead of schedule. Cayuse passed their JSVA, which automatically qualifies Cayuse for a CMMC Level 2 certification once the rulemaking process is finalized.  

Summit 7’s involvement was crucial during Cayuse’s April 2024 assessment. Murry highlighted, "Summit 7 brought in their most knowledgeable team members to support us through our JSVA. These were the same experts I’ve worked with closely and have been consistently impressed by. They answered all of the assessors’ questions clearly and succinctly, playing a crucial role in helping us achieve a perfect score of 110 out of 110." Summit 7’s expertise and familiarity with Cayuse’s environment ensured they met every requirement. 

Results

Cayuse’s proactive approach has positioned them competitively among contractors – most of which are not prepared for a CMMC certification. "We are a part of the 1% of companies that are ready for when contracts require CMMC compliance to be assessed,” Murry shared. “It puts us ahead of the curve to win contracts and gives our potential clients confidence that we have done this when very few other people can say that they have." 

Conclusion

Cayuse’s compliance journey demonstrates the value of selecting a trusted compliance partner. Summit 7 has the largest team of certified experts in the Defense Industrial Base and is on track to become one of the first CMMC-certified MSPs. Our expertise - from initial assessments to continuous managed services - ensures Cayuse’s systems remain secure, compliant, and ready for future regulatory evolutions. Through collaboration with Summit 7, Cayuse is set for CMMC Level 2 compliance and gained an edge in federal contracting.