01

FOCI Advisory

The May 2025 DFARS proposed rule means 40,000 contractors who have never touched classified work may now face SF 328 filings, beneficial ownership disclosure, and 90-day mitigation timelines triggered by option exercises and contract modifications.

What We Deliver

  • Initial FOCI risk assessment
  • SF 328 preparation and review
  • DCSA engagement strategy
  • SSA/mitigation agreement navigation
  • Beneficial ownership structure analysis
  • Ongoing retainer support through the mitigation lifecycle
Engagement Types
  • FOCI Readiness Assessment
    Ownership structure review, DFARS applicability analysis, SF 328 preparation guidance, written findings
  • FOCI Mitigation Advisory
    Full SSA/proxy/voting trust strategy, DCSA engagement support, documentation package
  • Ongoing FOCI Retainer
    Continuous compliance monitoring, contract action reviews, annual recertification support
02

CMMC Compliance

32 CFR Part 170 took effect December 16, 2024. CMMC Level 2 certification is now a contract requirement for defense contractors handling CUI. Most contractors significantly underestimate their scoping and remediation burden.

What We Deliver

  • CUI scoping and data flow analysis
  • NIST SP 800-171 Rev 3 gap assessment
  • SSP development
  • POA&M creation and tracking
  • C3PAO assessment preparation
  • Policy and procedure drafting
Engagement Types
  • CMMC L2 Gap Assessment
    Full 110-control assessment, scoping analysis, written gap report
  • SSP + POA&M Development
    Complete System Security Plan and Plan of Action & Milestones
  • C3PAO Assessment Prep
    Evidence package, interviewing, mock assessment
  • CMMC L3 Advisory
    DIBCAC engagement prep, enhanced controls gap analysis
03

AI in GCC High

Leadership is demanding AI adoption. Your compliance officer is demanding you don't blow up the CMMC boundary. Most AI vendors will tell you their tool is "FedRAMP authorized" and call it a day. That's not an SSP entry. It's not a boundary definition. And it won't survive a CMMC audit.

What We Deliver

  • AI use case scoping against CMMC boundary
  • GCC High architecture design (Azure OpenAI, AI Search, CosmosDB)
  • Production deployment and configuration
  • SSP amendment for AI components
  • Acceptable use policy and data handling SOP
  • Model governance documentation
Engagement Types
  • AI Readiness Assessment
    Use case inventory, CUI boundary analysis, GCC High compatibility audit, written report
  • GCC High AI Deployment
    Full architecture, deployment, and configuration of Azure OpenAI + RAG in client tenant
  • AI Policy Package
    Acceptable use policy, data handling SOP, SSP amendment, risk register entries
04

Fractional vCISO

A cleared defense contractor CISO costs $250,000–350,000/year in salary and benefits, doesn't exist in the labor market anyway, and is overkill for a 75-person company whose primary compliance challenge is CMMC and FOCI — not a 24/7 SOC.

What We Deliver

  • Security program ownership and strategy
  • Board and leadership reporting
  • Vendor and tool evaluations
  • Incident response planning
  • DCSA/auditor interface
  • Compliance calendar management
  • Staff advisory
Engagement Types
  • Monthly Advisory Retainer
    Ongoing security program leadership, board reporting, compliance calendar management
  • Minimum 3-Month Engagement
    Scoped to client size and compliance posture
Direct Delivery

All engagements are delivered personally. No subcontractors, no junior analysts, no bait-and-switch.

Every client engagement begins with a direct conversation about scope, timeline, and fit. If it's not the right fit, we'll say so.
