01

FOCI Advisory

The May 2025 DFARS proposed rule means 40,000 contractors who have never touched classified work may now face SF 328 filings, beneficial ownership disclosure, and 90-day mitigation timelines triggered by option exercises and contract modifications.

What We Deliver

  • Initial FOCI risk assessment
  • SF 328 preparation and review
  • DCSA engagement strategy
  • SSA/mitigation agreement navigation
  • Beneficial ownership structure analysis
  • Ongoing retainer support through the mitigation lifecycle
Learn More →
Engagement Types
  • FOCI Readiness Assessment
    Ownership structure review, DFARS applicability analysis, SF 328 preparation guidance, written findings
  • FOCI Mitigation Advisory
    Full SSA/proxy/voting trust strategy, DCSA engagement support, documentation package
  • Ongoing FOCI Retainer
    Continuous compliance monitoring, contract action reviews, annual recertification support
Contact for Scope & Pricing
02

CMMC Compliance

32 CFR Part 170 took effect December 16, 2024. CMMC Level 2 certification is now a contract requirement for defense contractors handling CUI. Most contractors significantly underestimate their scoping and remediation burden.

What We Deliver

  • CUI scoping and data flow analysis
  • NIST SP 800-171 Rev 3 gap assessment
  • SSP development
  • POA&M creation and tracking
  • C3PAO assessment preparation
  • Policy and procedure drafting
Learn More →
Engagement Types
  • CMMC L2 Gap Assessment
    Full 110-control assessment, scoping analysis, written gap report
  • SSP + POA&M Development
    Complete System Security Plan and Plan of Action & Milestones
  • C3PAO Assessment Prep
    Evidence package, interviewing, mock assessment
  • CMMC L3 Advisory
    DIBCAC engagement prep, enhanced controls gap analysis
Contact for Scope & Pricing
03

AI in GCC High

Leadership is demanding AI adoption. Your compliance officer is demanding you don't blow up the CMMC boundary. Most AI vendors will tell you their tool is "FedRAMP authorized" and call it a day. That's not an SSP entry. It's not a boundary definition. And it won't survive a CMMC audit.

What We Deliver

  • AI use case scoping against CMMC boundary
  • GCC High architecture design (Azure OpenAI, AI Search, CosmosDB)
  • Production deployment and configuration
  • SSP amendment for AI components
  • Acceptable use policy and data handling SOP
  • Model governance documentation
Learn More →
Engagement Types
  • AI Readiness Assessment
    Use case inventory, CUI boundary analysis, GCC High compatibility audit, written report
  • GCC High AI Deployment
    Full architecture, deployment, and configuration of Azure OpenAI + RAG in client tenant
  • AI Policy Package
    Acceptable use policy, data handling SOP, SSP amendment, risk register entries
Contact for Scope & Pricing
05

Fractional vCISO / vCIO

A defense contractor at 10 to 300 people typically needs both security program leadership and strategic IT direction. These functions are usually split across two executive roles. At this scale, one advisor can cover both. The overlap between security, compliance, and technology decisions is often where the real gaps are.

What We Deliver

  • Security program ownership and strategy
  • Technology roadmap and platform advisory
  • Board and leadership reporting
  • Vendor and tool evaluations
  • DCSA and auditor interface
  • Compliance calendar management
  • Incident response planning
  • Staff advisory
Learn More →
Engagement Types
  • Monthly Advisory Retainer
    Ongoing security program leadership, board reporting, compliance calendar management
  • Minimum 3-Month Engagement
    Scoped to client size and compliance posture
Contact for Scope & Pricing
05

GCC High Platform Solutioning

Most defense contractors running GCC High got there because a contract required it. The tenant exists, the licenses are paid, and Teams handles calls. What was never addressed: migrating data out of commercial Microsoft 365, right-sizing the license stack, getting voice off the legacy PBX, converting on-premises Exchange and file servers to the cloud, and actually building out the employee communications and engagement layer.

What We Deliver

  • Commercial M365 to GCC High tenant migration — identity, mailboxes, SharePoint, Teams
  • M365 GCC High licensing review and SKU rationalization (E3/E5, add-ons, Teams Phone)
  • On-premises to cloud conversion — Exchange Server, Active Directory, file servers, Skype for Business
  • Teams Voice via Direct Routing — certified SBC architecture, E911, compliance recording
  • Employee communications — SharePoint news hub, structured Teams channels, Viva where GCC High supports it
  • Teams governance, SharePoint intranet architecture, CUI-aware document management
  • Communication compliance: retention policies, DLP, sensitivity labels, eDiscovery
  • Power Platform assessment against GCC High connector availability
Learn More →
Engagement Types
  • GCC High Environment Assessment
    Current-state audit across tenant configuration, on-premises infrastructure, licensing, and voice — written findings and prioritized roadmap
  • Migration & Platform Build
    End-to-end migration execution, on-premises conversion, Direct Routing voice deployment, and platform governance build
  • Compliance & Governance Package
    Retention policies, DLP, sensitivity labels, E911 configuration, and eDiscovery readiness for CMMC assessment prep
Contact for Scope & Pricing
06

Corporate Communications

Defense contractors are disciplined about external compliance. Internal communications are a different story. Compliance announcements go out as email blasts nobody reads. Policy changes reach employees informally. System migrations go live without a communication plan. The intranet hasn't been updated in years. Nobody owns it because nobody was ever assigned to own it.

What We Deliver

  • Internal communications audit — channel inventory, audience mapping, gap assessment
  • Channel strategy and editorial governance model
  • SharePoint news hub and company intranet design and build
  • Viva Connections branded employee portal (M365 commercial)
  • Executive and leadership communications cadence and templates
  • Teams Live Events for all-hands and town halls
  • Change management communications — migrations, compliance launches, policy rollouts
  • Measurement framework — analytics, engagement metrics, feedback channels
Learn More →
Engagement Types
  • Communications Assessment
    Channel and content audit, audience analysis, gap assessment, and written strategy recommendation with prioritized action plan
  • Strategy & Platform Build
    Full communications strategy, SharePoint intranet, Viva Connections portal, editorial governance, and 90-day launch support
  • Change Management Comms
    Scoped to a specific initiative — migration, compliance launch, policy rollout — from stakeholder mapping through go-live
Contact for Scope & Pricing
How We Work

Advisory is personal. Specialists are selected, not assigned.

Strategic advisory, assessments, and retainer work are led personally. Where the scope calls for specialist execution — SF 328 preparation, C3PAO coordination, legal counsel, technical implementation — we identify the right consultant for your specific situation, not the nearest available resource. We stay engaged throughout to provide oversight and ensure you receive work product that fits your actual circumstances, not a template SOW written for a different client's problem.

Schedule a Call