Cascade Environmental Secures CMMC-Regulated Data and Prepares for Responsible Copilot Deployment with Opsin

Industry: Environmental & Geotechnical Services
Region: US
Company Size: 1,000+

A Third of Revenue on the Line: Cascade’s High-Stakes Compliance Mandate

Cascade Environmental (Cascade), the leading field services contractor for drilling and remediation in the United States, faced a critical inflection point. With 30 offices across the U.S. and a small but agile IT team, Cascade needed to ensure that the sensitive data tied to its field operations remained protected as it prepared to introduce Microsoft 365 Copilot to all departments. The stakes were high.

That’s a third of the company’s revenue dependent on safeguarding CMMC-regulated data, such as job site reports and worksite assessments, before any AI rollout could begin.

“Simply put, it’s a third of our revenue that could be at risk. If we aren't CMMC compliant, that’s unsustainable.”
John Michael Gross, CIO and CISO, Cascade

Challenge: Sensitive Data Leaks Loomed as Copilot Rolled Out

To validate their readiness, Cascade worked with Opsin to simulate Copilot behavior across SharePoint, Teams, and OneDrive. The results were telling:

Over 70% of Copilot-style queries returned sensitive information, including content regulated under CMMC.

The exposure wasn’t malicious—it was structural. Years of organic SharePoint growth and inconsistent permissions (such as “Everyone Except External Users”) had created an invisible attack surface, one that could be easily surfaced through natural language prompts.

“Opsin’s tools helped us prove that this wasn't a theoretical risk. Our users could be seeing sensitive results without realizing the implications.”
John Michael Gross, CIO and CISO, Cascade

Solution: Oversharing Detection and CMMC-Grade Remediation with Opsin Security

Cascade partnered with Opsin Security to assess and mitigate the risk of exposing sensitive CMMC-regulated content to AI tools like Microsoft 365 Copilot. With compliance tied directly to a third of Cascade’s revenue, it was critical to gain visibility and enforce the right guardrails before enabling AI across their environment.

Opsin’s platform provided deep visibility into the Microsoft 365 environment—including SharePoint, Teams, and OneDrive—and helped Cascade address permission sprawl, oversharing, and inconsistent governance.

Most importantly, Opsin enabled Cascade to proactively secure its data before rolling out AI:

CMMC-Centric Risk Discovery via Proactive Risk Assessment

Opsin’s Proactive Risk Assessment surfaced high-risk sites, libraries, and folders where CMMC-regulated information could be accessed by Copilot. The Proactive Risk Assessment helped identify locations where job site assessments, worksite data, and other sensitive operational documents might be unintentionally exposed.

Permission Remediation for “Everyone Except External Users”

Opsin uncovered widespread use of the permissive “Everyone Except External Users” configuration on SharePoint sites and document libraries. The platform guided Cascade through a secure, structured workflow to replace those permissions with Entra ID dynamic groups—ensuring proper access control without disrupting productivity.

Issue-Specific Fixes Without IT Bottlenecks

Opsin delivered actionable remediation workflows for both the IT team and departmental site owners. This empowered Cascade’s lean IT staff to delegate permission clean-up across business units, while maintaining centralized oversight.

Policy-Aware Copilot Readiness

With proper access controls and content-level security labeling in place, Cascade could confidently begin its Copilot rollout—knowing sensitive content wouldn’t be accidentally surfaced or leaked via AI queries.

“It’s not just about visibility. It’s about fixing the issues before they become problems.”
Lisa Choi, Director Enterprise Architecture, Cascade

Outcomes: Risk Remediated, Copilot Ready to Scale

With Opsin, Cascade moved from uncertainty to confidence—securing critical data, aligning with CMMC requirements, and unlocking the ability to scale Microsoft 365 Copilot company-wide.

Copilot Queries Now Surface Only What’s Intended

Before remediation, the majority of Copilot prompts returned sensitive or regulated content. With Opsin’s help, that number dropped from over 70% to under 15%, allowing safe usage across roles.

Safeguarded Revenue Tied to CMMC Compliance

Job site data and worksite assessments—central to CMMC contracts—were identified, locked down, and protected, preserving a third of Cascade’s business.

Clear Path to Organization-Wide Copilot Adoption

After securing access controls, Cascade is expanding from a limited Copilot test group to hundreds of users, with confidence that sensitive data won’t be unintentionally exposed.

Remediation at Scale Without Expanding IT

Opsin’s guided workflows empowered business units to resolve oversharing issues, allowing Cascade’s four-person IT team to stay focused on strategic priorities.

“This initiative is our wake-up call before we go full Copilot. Opsin helped us clean house and educate our data citizens, so when we go live, we go confidently.”
Lisa Choi, Director Enterprise Architecture, Cascade

Looking Ahead: A Culture of Responsible Innovation

As Cascade continues its phased rollout of Microsoft 365 Copilot, the groundwork laid by Opsin gives them the freedom to explore LLM use cases—without compromising security or compliance.

Cascade is now focused on defining clear, enforceable AI usage policies and continuously monitoring Copilot activity through Opsin’s continuous monitoring model, ensuring access, behavior, and data visibility remain aligned with business needs and regulatory obligations.

“We always talk about crawl, walk, run. Opsin helped us walk the path with confidence, so we don’t stumble when it’s time to run.”
Lisa Choi, Director Enterprise Architecture, Cascade