Fortinetics
Compliance Architects · 2026

Compliance,
architected.

A boutique compliance architecture firm for organizations operating at the hardest certification bars in cybersecurity. SCIF accreditation to SOC 2 Type II, delivered by a team that helped draft CMMC.

Book a scoping call → Start readiness quiz →
110 / 110
Perfect CMMC L2 scores
Multiple clients. Repeatable because we design around evidence-as-byproduct.
2019
Team helped draft CMMC
A member of our team contributed to the CMMC standard at the Department of Defense.
3 ×
Classified enclaves in parallel
JWICS, SIPRNet, and a Space Force program network inside one SAPF envelope.
Deadline
Nov 10
2026

CMMC Phase 2 begins. Level 2 C3PAO certification required at contract award.

Every defense subcontractor handling Controlled Unclassified Information must have a Level 2 certificate in hand at the time of contract award. C3PAO capacity is finite. A Level 2 preparation window is typically six to nine months. The math is tight.

Book a scoping call →
CMMC 2.0 phased rollout timeline Horizontal timeline of the DoD's four-phase CMMC 2.0 rollout. Phase 1, self-assessment, is in effect. Phase 2 begins November 10 2026 — third-party C3PAO assessment required at contract award. Phase 3 adds Level 3 DIBCAC assessment one year later. Phase 4 applies the full CMMC requirement to all applicable DoD solicitations. PLATE HP-01 · CMMC 2.0 PHASED ROLLOUT 48 CFR · DFARS 7021 · DEC 2024 DoD CONTRACTOR IMPACT Time flows left → right NOV 2025 MAY 2026 NOV 2026 MAY 2027 NOV 2027 MAY 2028 NOV 2028 PHASE 01 SEP 2025 Self-assessment
L1 and L2 self-attestations required in new DoD solicitations. DFARS 7021 in force.
PHASE 02 NOV 2026 C3PAO required
CMMC Level 2 third-party assessment required at contract award for all L2 contracts.
PHASE 03 NOV 2027 L3 assessment
Level 3 (DIBCAC-led) assessment required for contracts with L3 CUI.
PHASE 04 NOV 2028 Full rollout
All applicable DoD solicitations subject to the CMMC level that matches the program CUI.
TODAY ~70,000 DEFENSE CONTRACTORS HANDLING CUI Each needs a valid CMMC L2 certificate in hand at contract award after Nov 2026. 6–9 MONTHS TYPICAL L2 PREP WINDOW, FIRST-TIME Architecture, implementation, evidence, dry-run, C3PAO scheduling. FINITE C3PAO CAPACITY THROUGH PHASE 2 Demand will exceed assessor throughput; booking position matters.
Fig. 01 · Four-phase rollout per the DFARS 7021 final rule (Dec 2024).
C3PAO assessor capacity versus demand, 2026–2027 Chart contrasting cumulative CMMC Level 2 assessment demand from DoD contractors with authorized C3PAO assessor capacity. Demand ramps sharply as Phase 2 begins in November 2026; assessor capacity grows more slowly because C3PAO authorization itself takes about eighteen months. The practical booking window with real headroom is well before Phase 2 begins. PLATE HP-02 · C3PAO CAPACITY vs. DEMAND CYBER AB DIRECTORY · APR 2026 CUMULATIVE VOLUME → APR 2026 JUL OCT NOV PHASE 02 JAN 2027 APR JUL OCT DEC 2027 NOV 10 2026 PRACTICAL BOOKING WINDOW DEMAND CURVE L2 CONTRACTS AT AWARD SUPPLY CEILING AUTHORIZED C3PAO CAPACITY ~50 C3PAOs AUTHORIZED AS OF APR 2026 ~18 MO. TO CERTIFY A C3PAO SUPPLY CANNOT CATCH UP DURING PHASE 02 BOOK NOW, NOT IN Q4 HEADROOM EXISTS UNTIL ~Q4 2026
Fig. 02 · Authorized-assessor capacity vs. expected L2 demand through Phase 2. Directional; Cyber AB public directory, Apr 2026.
Six pillars

The hardest certification bars in the industry.
All of them.

All services →
01 · Classified Networks

SCIF & SAPF Accreditation

Secure network architecture and facility accreditation support for defense primes. JWICS, SIPRNet, and Space Force network enclaves. Designed to ICD 705, CNSSI 1253, NISPOM, and RMF.

Learn more →
02 · IT & Security Buildout

Turnkey compliant infrastructure

For startups winning their first defense contract and firms opening new CUI-handling facilities. We design, build, and deploy the full stack — network, identity, endpoints, cloud, SIEM, enclave — CMMC-ready on day one.

Learn more →
03 · CMMC 2.0

Level 1, 2, and 3 Certification

End-to-end support for defense subcontractors handling CUI. 110 NIST 800-171 Rev 2 controls across 14 families. Track record of perfect 110/110 assessor scores in under nine months.

Learn more →
04 · FedRAMP & DoD CC SRG

Cloud Authorization

FedRAMP Low, Moderate, and High baselines — plus DoD Cloud Computing SRG Impact Levels 2 through 6 for CSPs hosting DoD workloads in GovCloud, Azure GCC High, or AWS Secret Region.

Learn more →
05 · SOC 2

Type I and Type II Attestation

SOC 2 for commercial SaaS proving security posture to enterprise buyers. Trust Services Criteria across Security, Availability, Confidentiality, Processing Integrity, and Privacy.

Learn more →
06 · ISO 27001

Global ISMS Certification

ISO 27001 certification for global and enterprise compliance requirements. ISMS design, Annex A control selection, Statement of Applicability, and certification audit preparation.

Learn more →
Interactive tools

Self-serve before you talk to us.

Tool 01 · ~5 min each

Readiness Quizzes · 5 frameworks

Self-assess across CMMC Level 1, CMMC Level 2, SOC 2, ISO 27001, and FedRAMP. Score, tier classification, weakest areas flagged.

Browse quizzes →
Tool 02 · ~2 min

Framework Overlap Explorer

Select what you have. See how much of another framework is already covered. Control-family mapping across CMMC, FedRAMP, DoD CC SRG, SOC 2, ISO 27001.

Explore overlap →
Tool 03 · ~2 min

Engagement Scoping Tool

Five questions to a rough engagement shape. Duration, intensity, suggested phases, timeline-fit check, and the risks we would flag.

Scope an engagement →
Engagement shape

Six phases, first week to certificate.

Read the full approach →
Fortinetics six-phase engagement timeline Horizontal timeline of the standard Fortinetics engagement, calibrated to a typical six-to-nine month CMMC Level 2 path. Six phases: Discovery, Gap Assessment, Architecture, Implementation, Evidence and Documentation, and Assessment. Phase widths are weighted by effort. Deliverables listed beneath each phase. PLATE HP-03 · ENGAGEMENT SHAPE 6 PHASES · TYPICAL 6–9 MO. TO CERTIFICATE ENGAGEMENT SHAPE Width ∝ typical effort 01 2–3 WKS Discovery
We sit with you. Scope CUI flow, boundary, and target state against the chosen framework.
DELIVERABLES
▪ Scoping memo
▪ Boundary draft
▪ Target-state brief
 02 2–3 WKS Gap Assessment
Control-by-control read against the baseline. Findings categorized by lift and risk.
DELIVERABLES
▪ Gap matrix
▪ Initial POA&M
▪ Budget estimate
 03 3–5 WKS Architecture
Target-state architecture and the evidence-as-byproduct plan that feeds the assessment.
DELIVERABLES
▪ Enclave design
▪ Control selection
▪ Evidence plan
 04 8–14 WKS Implementation
Technical stack + policy library + procedural controls, implemented alongside your team.
DELIVERABLES
▪ Technical controls
▪ Policies
▪ Procedures
 05 4–6 WKS Evidence & Docs
System Security Plan, artifact library, dry-run audit against the real assessor checklist.
DELIVERABLES
▪ SSP
▪ Artifact library
▪ Dry-run audit
 06 2–4 WKS Assessment
Third-party assessment. We stay present through every session. Then the ongoing cadence.
DELIVERABLES
▪ C3PAO report
▪ Certificate
▪ Ongoing cadence
 FIRST WEEK FOUR TO SIX MONTHS CERTIFICATE Scoping begins. Implementation + evidence assembly. Third-party assessment + issuance.
Fig. 03 · Standard engagement, calibrated to a typical 6–9 month CMMC Level 2 path. The six phases are constant across frameworks; durations flex with scope.
Track record
110/110

Perfect CMMC Level 2 assessor scores, consistently. Multiple clients, under nine months from first engagement to certification.

2019

The year our team worked on the CMMC standard itself with the Department of Defense. Few compliance firms can say the same.

Classified network enclaves currently handled in parallel — JWICS, SIPRNet, and a Space Force network — within a single Special Access Program Facility.

Next step

See where you stand before the assessors do.

Start the readiness quiz for your target framework. Get a live score, a gap summary, and a detailed PDF report. No commitment — just an honest look at where your posture actually is.

Start readiness quiz → Book a scoping call →