Fortinetics
About Fortinetics — The firm

Built by the people who wrote the standard.

Fortinetics is a boutique compliance architecture firm. We design, build, document, and sit through the assessment — for defense subcontractors, cloud providers entering the federal market, and commercial teams proving their security posture. The firm is new. The team is not. Below is who we are, how we engage, and the facts you'd want on file before a first call.

Who we are

A collective of senior practitioners.

We don't list titles or headshots. What matters for the work is the depth of the bench and the standards it was forged against — so that's what we put forward.

Fortinetics is a team, not a person. Members of that team contributed to the CMMC standard at the U.S. Department of Defense in 2019 — they helped shape what assessors now test against, which is a multi-year head start on the framework's intent that no platform and no freelance consultant can claim. The lead architect holds a doctoral-level cybersecurity credential. The bench includes personnel with active clearances and senior security backgrounds built across defense-aligned SaaS programs and space-technology programs.

That combination — authorship, doctoral-level architecture, cleared operational experience, and time spent on both the federal and commercial sides of the table — is the reason we describe ourselves as architects rather than auditors. We have built CUI enclaves, stood up classified network architectures, run FedRAMP and IL5 authorizations, and carried SOC 2 and ISO 27001 programs through real audits. We have also been on the receiving end of assessments, which is the experience that teaches you what evidence actually survives scrutiny.

CMMC 2.0

CMMC authorship and full-program Level 2 builds

Practitioners on the team contributed to the CMMC standard itself at the U.S. Department of Defense in 2019 — the framework C3PAO assessors now test against. That authorship informs how we read every control. We have taken organizations from near-zero documentation to assessment-ready across all 110 NIST SP 800-171 controls, and we have deep familiarity with what happens in the room during a Level 2 assessment.

FedRAMP · DoD IL4 / IL5

Multi-year FedRAMP and DoD Cloud authorization programs

Multi-year authorization programs for cloud service providers pursuing FedRAMP High plus DoD Cloud Computing SRG IL5 — 3PAO selection, the seven-step authorization sequence, System Security Plan authorship, continuous monitoring build, and Agency / JAB sponsor coordination. IL4 deployments via FedRAMP-authorized brokers for DoD mission applications, with GovCloud and GCC High as parallel authorization environments.

SOC 2 · ISO 27001

Recurring SOC 2 Type II and ISMS programs at SaaS scale

Recurring SOC 2 Type II audits at growth-stage organizations — control design, evidence pipeline, auditor coordination, bridge letters, and multi-year observation windows — alongside ISO 27001:2022 for teams scaling into international markets. We know precisely where software-only compliance platforms stop being sufficient and architectural judgment takes over.

Classified · Zero Trust · IR

Classified enclaves, Zero Trust migrations, incident response

Classified network enclaves operated in parallel inside a single accredited facility envelope, with direct government-to-firm advisory relationships. Zero Trust architectures deployed at government-cloud scale, centralized SIEM pipelines with framework-aligned retention, and incident response plans authored and activated on real events — tabletop exercises and post-incident analysis included.

Specific employer names, client names, and dollar figures are withheld for professional and contractual confidentiality. The engagement patterns, frameworks, and operational approach are what inform a Fortinetics engagement — so those are what we share.

How we engage

Clear commercial terms. Confidential by default.

The relationship is structured the way federal and enterprise buyers expect — defined pricing models, a non-disclosure agreement before discovery, and a posture that fits both prime-contractor teaming and direct commercial work.

Fixed-price or time-and-materials.

Well-scoped programs run firm fixed-price (FFP) — one price, milestone-based payments, no scope creep billed as extras. Evolving or advisory work runs time-and-materials (T&M) against a not-to-exceed ceiling, with budget alerts before you reach it. Pricing is scope-dependent and set during a scoping call, not published — because an honest number requires understanding your actual current state first.

NDA-first.

The work touches CUI, classified architectures, audit findings, and security gaps that should never be discussed in the open. We execute a mutual non-disclosure agreement before substantive discovery. Client names, dollar figures, and engagement details stay confidential — which is why our case studies are anonymized and our references are shared privately.

Subcontractor to primes; direct to commercial.

We operate as a subcontractor to prime contractors on federal work and direct to commercial clients on the rest. This posture lets primes bring authorship-level CMMC and classified-architecture depth to a capture without standing up that capability in-house, and lets commercial buyers engage a senior team without a Big-4 contract structure.

Frameworks run in parallel.

CMMC alongside SOC 2. FedRAMP alongside IL4. ISO 27001 alongside SOC 2. We design around shared controls and a shared evidence pipeline so overlapping requirements are satisfied once, not three times. Most firms pick a single practice lane; Fortinetics was built to run across them.

The firm

On the record.

The registration details a contracting officer or prime's compliance desk will ask for, in one place.

Legal entity: Fortinetics LLC
Jurisdiction: Commonwealth of Virginia
Founded: 2026
Classification: Small business
NAICS code: 541512 — Computer Systems Design Services
D-U-N-S number: 141470452
Engagement models: Firm fixed-price (FFP) · time-and-materials (T&M)
SAM.gov / CAGE: Registered upon a teaming requirement

SAM.gov and CAGE registration is completed upon a teaming requirement rather than held open-ended — a deliberate consequence of the subcontractor-to-primes posture, where the prime holds the contract vehicle and we deliver the work.

For your files

The one-page capabilities statement.

Core competencies, differentiators, NAICS codes, and firm data — formatted for a prime's capture team or a contracting officer. The document buyers expect to attach to a teaming file.

Start here

Book a scoping call.

Thirty to forty-five minutes. We walk through your target, your current posture, and your constraints — and tell you honestly whether we're the right firm for it. If a platform or a freelancer fits better, we'll say so.
