PGH Networks

Pittsburgh Small Manufacturer MSP Case Study

PGH Networks is a Pittsburgh-based managed services provider serving small and mid-market businesses across the Pittsburgh metro within roughly 75 miles of 15220, including Cranberry Township, Coraopolis, Bethel Park, Monroeville, Washington, New Kensington, and Beaver. This Pittsburgh small manufacturer MSP case study describes — in anonymized form — how we support a precision-machining shop that needed reliable ERP, defensible CMMC Level 2 readiness, and a shop floor that wouldn't go dark when the office network had a bad day.

The client is representative of a customer profile we see often in southwestern Pennsylvania: a privately held, second-generation manufacturer with a tight engineering team, a small back office, and a growing book of work for defense and aerospace primes. Names and identifying details have been generalized; the technical scope and outcomes below reflect a real engagement.

The buyer scenario: a 60-person precision machining shop

Picture a 60-person precision-machining manufacturer in the Pittsburgh metro running two shifts out of a single 35,000-square-foot facility. The front office runs Epicor Kinetic (the platform formerly sold as JobBOSS/E10) for quoting, routing, and shop scheduling. The shop floor mixes late-model CNC controls with a handful of older Windows 7 machines that vendors will not let anyone patch. A two-person internal IT function — really one IT manager and a willing controls engineer — keeps everything alive.

The owner came to PGH Networks after a Tier 1 defense customer sent a flow-down letter referencing CMMC 2.0 Level 2. The internal team had three concerns at once: ERP downtime was costing roughly $4,000 per hour in idle machinists and missed ship dates, the CMMC clock was real, and nobody had a clean answer for what would happen if ransomware hit the file server holding 15 years of programs and fixtures.

When a defense flow-down letter arrives, the question stops being "do we need an MSP?" and becomes "can we prove our controls in writing before the next audit window?"

The challenge: ERP uptime, CMMC pressure, and an unsegmented shop floor

The technical baseline was typical for a small manufacturer that had grown organically. Epicor was hosted on aging on-prem hardware with a single backup target in the same rack. The shop-floor VLAN did not exist — CNCs, badge readers, the office printer, and the CFO's laptop all shared one flat /24. Microsoft 365 was in place but without conditional access, and several shared mailboxes still used legacy authentication. There was no documented incident response plan, no SSP, and no asset inventory that an auditor would accept.

The CMMC Level 2 gap assessment we ran against NIST SP 800-171 r2 surfaced 47 controls that were either not implemented or not documented. Most were documentation and process gaps rather than expensive tooling problems — which is the usual story for small manufacturers in this region.

How a Pittsburgh small manufacturer MSP engagement was structured

TL;DR: We sequenced the work so ERP stability and ransomware resilience landed in the first 90 days, and CMMC Level 2 documentation followed on a 9-month track aligned to the customer's audit window.

The engagement started with a two-week assessment covering network, identity, endpoint, backup, and OT. From there, work ran on three parallel tracks.

The infrastructure track moved Epicor to a properly sized virtualization host with a hot standby, replaced the flat network with segmented VLANs separating office, CUI-handling workstations, CNC/OT, guest, and management traffic, and deployed a next-gen firewall with east-west inspection between segments. Immutable, offsite backups with a tested 4-hour RTO replaced the single-target arrangement.

The identity and endpoint track moved Microsoft 365 to a CMMC-aligned configuration: conditional access with phishing-resistant MFA, disabled legacy auth, GCC-equivalent data handling controls for CUI mailboxes, EDR on every Windows endpoint, and a managed SOC watching alerts 24×7. Older Windows 7 CNC hosts were isolated on the OT VLAN with explicit allow-list rules to their vendor servers and nothing else.

The compliance track produced the artifacts an auditor actually reads: a System Security Plan, an asset inventory tied to data flows for CUI, an incident response plan rehearsed in a tabletop exercise, and a POA&M tracking the remaining gaps with owners and dates. PGH Networks acts as the external IT provider documented in the SSP, with shared-responsibility boundaries written down rather than assumed.

Outcomes after the first 12 months

Twelve months in, the measurable picture looked like this. Epicor uptime moved from a self-reported "mostly fine" to a contracted 99.9% SLA, with two unplanned outages in the year, both under 20 minutes and inside the failover window. Help-desk ticket volume dropped roughly 35% after the first quarter as identity and endpoint hygiene eliminated the recurring password and printer-driver fires.

On the security side, the customer passed a Tier 1 prime's supplier security questionnaire without remediation items for the first time, and the CMMC Level 2 self-assessment score moved from a starting point of 38 (out of 110) to 102, with a documented POA&M for the remainder. A simulated ransomware tabletop demonstrated full ERP restore from immutable backup in 3 hours 40 minutes against a 4-hour RTO target. OT segmentation has held: zero lateral-movement events from office to shop floor across the year, verified by firewall logs.
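The OT isolation described earlier (segmented VLANs, with Windows 7 CNC hosts limited to allow-listed vendor servers) and the "verified by firewall logs" claim above can be checked mechanically. The following is an added example, not code from this engagement or from the original page: the subnets, the allow-list entry, the rule that only the management segment may reach OT, and the key=value log format are all constructed assumptions.

```python
import ipaddress

# Constructed addressing plan: the page names the segments, not their subnets.
SEGMENTS = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "office": "10.10.10.0/24", "cui": "10.10.20.0/24", "ot": "10.10.30.0/24",
    "guest": "10.10.40.0/24", "mgmt": "10.10.50.0/24"}.items()}
# Constructed allow-list: (CNC host, vendor server, port) using documentation IPs.
OT_ALLOW = {("10.10.30.21", "203.0.113.10", 443)}
# Assumption: only the management segment may open sessions into OT.
INTO_OT_OK = {"mgmt"}

def segment_of(ip):
    """Map an address to its segment name, or 'external' if it is in none."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), "external")

def audit(lines):
    """Return allowed flows that violate the OT isolation policy."""
    findings = []
    for line in lines:
        f = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if f.get("action") != "allow" or not {"src", "dst", "dport"} <= f.keys():
            continue  # denies are the policy working; malformed lines are skipped
        src, dst, port = f["src"], f["dst"], int(f["dport"])
        s, d = segment_of(src), segment_of(dst)
        if d == "ot" and s != "ot" and s not in INTO_OT_OK:
            findings.append(("into-ot", src, dst, port))      # lateral movement into shop floor
        elif s == "ot" and d != "ot" and (src, dst, port) not in OT_ALLOW:
            findings.append(("ot-egress", src, dst, port))    # CNC host talking off-list
    return findings

# Constructed log lines in a hypothetical key=value export format.
SAMPLE_LOG = [
    "ts=2024-03-01T08:00:01Z action=allow src=10.10.30.21 dst=203.0.113.10 dport=443",
    "ts=2024-03-01T08:02:10Z action=deny src=10.10.10.55 dst=10.10.30.21 dport=445",
    "ts=2024-03-01T08:05:42Z action=allow src=10.10.10.55 dst=10.10.30.21 dport=3389",
    "ts=2024-03-01T08:07:03Z action=allow src=10.10.30.22 dst=198.51.100.7 dport=80",
    "ts=2024-03-01T08:09:30Z action=allow src=10.10.50.4 dst=10.10.30.21 dport=22",
    "ts=2024-03-01T08:11:15Z action=allow src=10.10.10.55 dst=10.10.20.5 dport=443",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

An empty result over a full year of exported logs is the evidence behind a "zero lateral-movement events" statement; any finding points at either a rule that is too broad or an allow-list entry that was never documented.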

The shop floor stayed running through two office-side incidents that, a year earlier, would have stopped production for a full shift.

Takeaway for other Pittsburgh-area manufacturers

Most small manufacturers in the Pittsburgh metro are closer to CMMC Level 2 readiness than they think, and further from real ransomware resilience than they hope. The pattern in this Pittsburgh small manufacturer MSP case study — assess against NIST 800-171, stabilize ERP and backups first, segment OT from IT, then close documentation gaps on a calendar tied to a real audit date — is repeatable for shops in the 25 to 150 employee range running Epicor, Global Shop, ProShop, or similar ERPs.

If you run a manufacturer in Allegheny, Butler, Beaver, Washington, or Westmoreland County and a prime contractor has started asking harder questions, that is the right time to talk. PGH Networks scopes these engagements specifically for small manufacturers, and the first conversation is an assessment discussion, not a sales pitch.
