Key Takeaways
- Summit 7 reached 100 CMMC Level 2-certified clients just six months into CMMC Phase 1.
- CMMC adoption is accelerating. More than 1,240 companies were certified by the end of April, averaging 133 new certifications per month.
- Summit 7’s own CMMC journey started in 2017, building solutions around NIST SP 800-171 long before CMMC became a requirement.
- Lead by example. Summit 7 maintains two Level 2 certifications—one for its corporate environment and one for managed service delivery—even though the latter is not required.
- Assessment demand is growing rapidly. Supporting multiple assessments per week led Summit 7 to create a dedicated Assessment Engineering team.
- The NCODE program could be a game changer for small defense contractors by providing funded pathways to compliant environments.
It’s milestone season in the CMMC world. Just six months into the Phased Rollout and there are 2.5x more Level 2 certifications than DoD expected. Meanwhile, a significant portion of those certs are Summit 7 clients. We now work with more than 100 Level 2 certified companies. Last but not least, Summit 7 was awarded the Army’s NCODE contract to help bring secure and compliant enclaves to micro-sized defense contractors. Exciting times.
Transcript
Summit 7 Milestones, 100 CMMC Certifications & NCODE Program
Jacob: All right, folks. It is May of 2026, and it is milestone season. We are officially six months into CMMC Phase 1.
Summit 7 now has 100 CMMC Level 2-certified clients. Summit 7 was also recently awarded a contract with the Army’s NCODE program, providing a solution to the compliance and cost challenges that NIST SP 800-171 and CMMC create for very small businesses.
And for the first time ever on the Summit Up podcast, Summit 7 CEO Scott Edwards is joining us. That’s what we’re talking about today.
Summit 7 Origin Story
Jacob: Scott, we’ve had you on webinars, conferences, Summit 7 Live, and the Hotline, but somehow we’ve never had you on the podcast. Since this is your first appearance, tell us a little about your background and Summit 7’s story.
Scott: Summit 7 was founded on June 7, 2008, so we’re approaching 18 years in business.
For the first eight years, we focused primarily on data and information management consulting, especially around SharePoint. In 2016, we began pivoting toward the Defense Industrial Base and helping contractors comply with NIST SP 800-171, DFARS 7012, and eventually CMMC.
We’ve been focused on that mission for nearly a decade now.
Jacob: The company stayed relatively small for many years before experiencing tremendous growth.
Scott: That’s right. For much of our first decade, we hovered around 25 employees. Today we’re approaching 350 employees.
The growth has really been driven by an incredible team and a commitment to helping customers solve difficult compliance and cybersecurity challenges.
Summit 7’s CMMC Certification Journey
Jacob: Summit 7 has always emphasized leading by example. Can you talk about the experience of obtaining your own Level 2 certifications?
Scott: Our journey really started in 2017 when we began designing our managed services offering around the NIST SP 800-171 requirements.
At the time, we had government contracts that required compliance, and we were trying to figure out how to meet those requirements using the Microsoft licensing we already had because, frankly, we didn’t have unlimited resources.
We built the technology stack, updated our internal processes, and continually refined our documentation. Looking back, we probably rewrote our documentation six or more times between 2017 and certification.
Like everyone else at the time, we were figuring it out as we went.
Jacob: Were those changes driven by evolving requirements or by increased understanding?
Scott: Mostly by increased understanding. Early on, we didn’t fully appreciate the assessment objectives behind the controls. As our knowledge grew, our documentation and implementation matured.
One thing we did consistently was take a high-watermark approach. We treated everything as if it needed to meet the highest compliance standards possible.
That decision ended up positioning us well for long-term growth and customer support.
Why Summit 7 Has Two Level 2 Certifications
Jacob: Summit 7 has two Level 2 certifications—one for government contracting operations and one for managed service delivery. The managed services certification isn’t actually required. Why pursue it?
Scott: We believe in practicing what we preach.
Our corporate environment consumes our managed services just like our customers do. We wanted to demonstrate that our own systems and services could meet the same standards we ask customers to achieve.
One certification supports our government contracting activities, while the other validates our managed service delivery environment.
From First Certification to 100 Clients
Jacob: What do you remember about helping your first client achieve certification?
Scott: Before CMMC assessments existed, we had already supported multiple DIBCAC High assessments. That experience gave us a strong foundation and familiarity with assessment processes.
The biggest challenge came when demand accelerated.
There was a week in July when we supported four or five client assessments simultaneously. We quickly realized that the same engineers supporting customer environments were also needed during assessments.
That led us to create a dedicated Assessment Engineering team focused exclusively on helping customers through assessments while allowing managed services teams to continue supporting operations.
100 Certified Clients and Growing
Jacob: We’re now at 100 Level 2-certified clients. How do you view that milestone?
Scott: Every successful certification strengthens the Defense Industrial Base.
Each certified contractor becomes another secure link in the supply chain capable of supporting the Department of Defense.
As of the end of April, there were approximately 1,240 certified organizations. Certifications are increasing by more than 100 per month, and that number continues to grow.
The goal is to get as many capable contractors into the ecosystem as possible so they can continue delivering products and services that support national defense.
NCODE and Supporting Small Businesses
Jacob: Let’s talk about NCODE. Why is this program important?
Scott: NCODE is particularly important for very small businesses—organizations with one to twenty employees.
These companies often have innovative products or services but lack dedicated IT, cybersecurity, and compliance teams.
The Army recognized this challenge and created NCODE to help those businesses access compliant environments and services.
The goal is to support approximately 6,000 small businesses.
Perhaps most importantly, this is one of the first major examples of the Department of Defense providing meaningful funding to help contractors meet compliance requirements.
Jacob: Some people assume Summit 7 only works with large enterprises.
Scott: That’s simply not true.
We’ve worked with organizations ranging from just a few employees to companies with thousands of users.
Some of our smallest customers have been with us for years. The right solution depends on the company’s needs, not its size.
What’s Next?
Jacob: Looking ahead, what do you see happening through the rest of Phase 1?
Scott: Demand isn’t slowing down.
We already have dozens of assessments scheduled, and I could easily see us reaching 200 certified clients by the end of the year.
NCODE will likely accelerate adoption even further.
The biggest challenge over the next 24 to 36 months will be scaling assessment capacity across the entire ecosystem. We’re moving from discussing individual assessments to supporting dozens of assessments every week.
Jacob: Thanks for joining us, Scott.
Scott: I look forward to coming back.
Jacob: Thanks, everybody. We’ll see you next week.
Scott: See you next week.
Contact
Speak With Our Team
Our team of compliance and cybersecurity experts are on standby and ready to help. We’ll walk you through what you need and what to expect.