CASE STUDY

Offset Strategic Services: How a Defense Innovator Achieves Enterprise-Wide CMMC Compliance Beyond GCC High

"We can send those to folks that we have to do business with that may not be as cyber secure and get that information to them in a way where we're still retaining control and confidence over the retention of our critical data."

Lloyd Sanders
Chief Technology Officer, OSS

  • INDUSTRY: Federal Government, Manufacturing

  • COMPLIANCE: CMMC/NIST/DFARS, ITAR

  • PRODUCTS: Virtru for Microsoft Outlook, Virtru Secure Share

The Results

With Virtru's FedRAMP authorized encryption platform as part of its enterprise security architecture, Offset Strategic Services was able to achieve the following:

  • Real Security, Not Compliance Theater: Moved beyond checkbox compliance to protect sensitive data across the entire enterprise, including CUI, ITAR-controlled information, and proprietary data that adversaries actively target.

  • Secure External Collaboration: Enabled secure data sharing with less-secure partners (including academia, large OEMs, and other contractors) while maintaining granular control over sensitive files and preventing data exfiltration.

  • Enterprise-Wide Protection: Deployed a unified security toolset across the entire organization rather than creating isolated enclaves, allowing all employees to operate at the same security level with Virtru for Outlook and Virtru Secure Share integrated into their Microsoft GCC High environment.

  • CMMC Level 2 In-Scope Solution: Successfully integrated Virtru into their compliance architecture for upcoming CMMC Level 2 recertification, filling critical gaps that GCC High alone couldn't address.

Offset Strategic Services (OSS) provides weapon systems engineering, research, development, and prototyping to the Department of Defense, with a focus on next-generation warfighting technologies including AI, automation, and robotic warfare systems. Founded eight years ago by former DoD program managers with "two guys and hope," the company has grown into a sophisticated defense contractor that takes cybersecurity as seriously as the threats it helps defend against.

Lloyd Sanders, CTO of OSS, brings decades of experience from his time as an infantryman, special operations drone subject matter expert, and Army acquisition professional. His background managing classified drone fleets for special operations and intelligence customers gave him firsthand knowledge of what's at stake when security fails. "Our products have Chinese knockoffs," Sanders explained. "Some of these products are relatively new and yet the Chinese have got wonderful copies of them. How did that happen? Well, it's because of small businesses, right?"

That threat landscape shaped OSS's approach from day one. "We vowed that that was not going to be us," Sanders said. The company recognized that compliance and security aren't the same thing, a distinction many in the industry miss. "Since cyber security became a requirement about 12 years ago in the FAR and DFARS, it absolutely has been compliance theater without any real need to get compliant," Sanders noted. "If you knew what to say and how to say it and what artifacts to provide, you didn't actually have to do any cybersecurity."

OSS took a different path. They examined what data adversaries actually target, "right down to our unique corporate identity number, our taxpayer ID number—everything that would be PII for you as an individual is also PII for a company." They understood that seemingly mundane information could be weaponized, potentially allowing threat actors to create fraudulent company entities in other states. This comprehensive threat awareness drove them to protect data far beyond contractual CUI requirements.

The Challenge: Enterprise Security That Goes Beyond Government Cloud

As early CMMC adopters, OSS watched the compliance landscape evolve from the beginning. "We were believers from the beginning. We were early adopters from the beginning," Sanders explained. "We've been adapting as the program changes, but we know that when you're actually doing it right, it costs a lot more money."

That evolution meant constantly reassessing their technology stack. "We've even selected products that we thought were right. And then we had to go back and say, well, this isn't right because the program has evolved," Sanders said. When vendors couldn't demonstrate a credible roadmap to compliance, OSS had to part ways regardless of past relationships.

The company made a strategic architectural decision that shaped all their technology choices: they would operate as an enterprise, not create enclaves. "A lot of folks are taking the enclave approach which for many small businesses they have to just because of how big they are and how deep their pockets are," Sanders noted. "But we were born thinking enterprise on day one... We didn't want to have haves and have-nots. We wanted everybody at the same level."

This enterprise approach created unique requirements. While OSS operates in Microsoft's GCC High environment for internal collaboration, they still had a gap to close: securely sharing sensitive data with external partners who don't have the same level of security. "We're in GCC High and we can't do things like they can in the commercial sector," Sanders explained.

The business development team needed to share proprietary data with potential partners. Technical teams were integrating concepts from multiple companies, each with their own intellectual property. Everyone needed to send invoices and payment instructions to partners who might be compromised. And crucially, they needed to collaborate with academic institutions on ITAR-controlled technologies—partners who may not have the resources or bandwidth to reach DoD-level security.

The question became: how do you maintain enterprise-wide security while working in an ecosystem of varying security postures?

The Solution: FedRAMP Authorization and Zero-Trust Data Control

The enterprise architecture decision immediately narrowed the field: "We have to start at FedRAMP Marketplace, period, because of the CMMC program and what it requires," said Sanders. "Our school of thought is that we are an enterprise and not an enclave."

Sanders reached out to multiple FedRAMP authorized vendors, comparing costs, capabilities, and feature sets. "We got their costs, we got their estimates, we figured out, based on their menu of services, which ones if we went forward," he said. "Virtru was the clear winner across all those capabilities."

But competitive pricing and feature parity weren't enough. Sanders wanted assurance that any vendor could evolve with CMMC requirements. "If you can show me a roadmap where you're going to get right, we can continue to do business," he explained. After discussions with Virtru leadership about future capabilities, Sanders was convinced: "I think if we're patient, we're going to get all the things that we want by staying with Virtru based on the road map expressed to us."

Virtru's value proposition was clear: it allowed OSS to extend their enterprise security posture beyond the boundaries of GCC High.

"That's why we've got something like Virtru where we can send invoices and payment instructions and things like that that are sensitive if compromised from a corporate perspective," Sanders said. "We can send those to folks that we have to do business with that may not be as cyber secure and get that information to them in a way where we're still retaining control and confidence over the retention of our critical data."

Virtru in the Stack with GCC High: Enterprise-Wide Protection and Tactical Use Cases

OSS deployed two primary Virtru products to address different security scenarios across their enterprise architecture:

Virtru for Outlook serves as a safety net for high-tempo operations. "I've got some folks that operate at a horrible op tempo and get fatigued and are trying to move too fast," Sanders explained. "So I've got the web local client there to help them when they get going too fast and are just trying to answer something to keep stuff from going out." Virtru for Outlook prevents accidental data leakage when employees are under pressure, a common vulnerability even in security-conscious organizations.

Virtru Secure Share fills the vulnerable gap between internal GCC High collaboration and external partner engagement. Sanders described the distinction: "Putting someone into our tenant, that's where you're doing your longer term collaboration. You're going to write a proposal. You're really sharing data where people have got to keep coming back, keep putting input in. Secure Share is really handy for situations like pre-collaboration. When we're sending things like: 'I think you might need this. Tell me what you think.'"

The tool also handles routine but sensitive transmissions: "Secure invoicing with folks that we know may not be as secure."

These products support multiple user groups across OSS's enterprise:

Business Development Teams use Virtru when sharing preliminary concepts and proprietary information with potential partners. "Anybody passing data between companies," Sanders explained. "The business development team, the technical team as we're kind of putting together a concept for integration where we may have two or three different companies with technologies that's proprietary data to them—that's data that needs to be protected and it's our liability if we don't."

Technical Teams rely on Virtru when integrating technologies from multiple sources. "They may be sending us not only proprietary data but data that's ITAR export controlled," Sanders noted. "So not only does our environment have to be set up for that, but if we want to pass that data, I want our tools... I don't want to have a set of tools that only this group of people can use and then another set of tools. I want one set of tools that meet the security classification across the entire company so that I can operate across the enterprise at the same level."

Academic Partnerships present unique challenges that Virtru's granular access controls address directly. "When we're working especially with academia, they may have something that isn't to our level of security but they still need to contribute," Sanders said. The dilemma: "Do I share this ITAR data with you? Well, I really don't think I can."

Virtru's waterfall key management and access control features provide the answer: "I can control that and keep it in the cloud. So at least you can get a sneak peek. No, you can't download it, but you can see enough of it to get the gist, right? And that level of control really helps us out."

This granular control, allowing viewing but preventing downloads of export-controlled data, enables collaboration that would otherwise be impossible or legally risky.

CMMC Certification: Virtru In Scope for Level 2 Recertification

As OSS approaches its three-year CMMC Level 2 recertification this summer (on top of CMMC Level 3), Virtru has moved from peripheral to central in their compliance architecture. "When we went through our first audit, it was out of scope. We didn't have Virtru back then," Sanders explained. "But it was out of scope because of the type of evaluation that we went under, but now based on the way we operate, Virtru will be in scope this time."

Virtru serves dual purposes in this recertification: meeting specific CMMC controls while enabling business operations that would be difficult or impossible otherwise. "To keep things convenient in the level two world and also for the things that we want to protect that don't fall into the CMMC construct, but still we recognize that it's that important that we're going to treat it and secure it just as well," Sanders said.

The FedRAMP authorization was non-negotiable for this in-scope use. Sanders emphasized the importance: "Authorized to me is definitely a stronger position because it says somebody in DoD has given you an ATO and at that point you know that you're golden. If DoD has run all the trap lines and given the thumbs up and they're using it, then you're not going to have any problems with an auditor."

The Value: Real Security for Real Threats

For organizations serious about protecting sensitive data from sophisticated adversaries, OSS's approach offers a roadmap. They've demonstrated that compliance and security can align, but only when organizations look beyond compliance theater to address actual threat models.

Virtru plays a specific but critical role in that architecture: extending enterprise security controls beyond organizational boundaries while maintaining zero-trust principles. In an ecosystem where partners, academics, and suppliers have varying security postures, Virtru enables collaboration without compromise.

As Sanders put it when describing what he'd tell peers evaluating similar solutions: OSS "had to go through other products to get here" before finding what actually worked. For defense contractors operating in Microsoft GCC High but needing to share sensitive data externally, that journey led to Virtru—a FedRAMP authorized platform that fills gaps government cloud environments can't address alone.

In an industry where US technology falls into adversarial hands with alarming speed, OSS has built a security posture that protects what matters—from contractual CUI to corporate identities to ITAR-controlled innovations that represent America's technological advantage. Virtru helps ensure that advantage stays where it belongs.