Fortinetics
Case studies

What we've actually done.

Case studies from active and completed engagements. Client names are withheld per engagement confidentiality. Technical and commercial structure is shared because the patterns matter more than the logos.

Commercial Software (Cloud SaaS)

FedRAMP Moderate for a commercial cloud provider: winning a first federal agency

A commercial cloud SaaS provider pursuing its first federal agency opportunity through an agency-sponsored ATO (name withheld per engagement confidentiality)

FedRAMP Moderate · NIST SP 800-53 Rev 5 · FedRAMP ConMon
Scope
  • Authorization boundary design and a dedicated Gov-region tenant
  • System Security Plan (SSP) authoring to 3PAO-assessable standard
  • Control implementation across the FedRAMP Moderate baseline (NIST 800-53 Rev 5)
Duration
15 months
Commercial Software (Global SaaS)

ISO 27001:2022 certification for a global SaaS company: meeting European enterprise buyers

A SaaS company with European and global enterprise buyers requiring ISO 27001 certification (name withheld per engagement confidentiality)

ISO/IEC 27001:2022 · ISO/IEC 27017 · SOC 2 (parallel program)
Scope
  • Information Security Management System (ISMS) design under ISO 27001:2022
  • Risk assessment and treatment methodology, with an asset and risk register
  • Statement of Applicability against the 93 Annex A controls
Duration
8 months
Commercial Software (B2B SaaS)

SOC 2 Type II for a Series B SaaS platform: clearing enterprise procurement gates

A Series B commercial B2B SaaS company whose deals were stalling at enterprise security review (name withheld per engagement confidentiality)

SOC 2 (AICPA TSC) · SOC 2 Type I · SOC 2 Type II
Scope
  • Trust Services Criteria scoping — Security, Availability, and Confidentiality
  • Control framework design mapped to the 2017 TSC (with 2022 points of focus)
  • Evidence pipeline — control evidence produced as a byproduct of operations
Duration
9 months
Defense Industrial Base

CMMC Level 2 certification with a perfect 110/110 assessor score for a defense subcontractor

A defense subcontractor handling Controlled Unclassified Information, pursuing CMMC Level 2 certification ahead of contract flow-down requirements (name withheld per engagement confidentiality)

CMMC 2.0 Level 2 · NIST SP 800-171 Rev 2 · DFARS 252.204-7012 · DFARS 252.204-7021
Scope
  • CMMC 2.0 Level 2 readiness and certification support — end to end
  • NIST SP 800-171 Rev 2 control implementation across all 14 families
  • System Security Plan (SSP) authorship to assessor-grade standard
Duration
8 months
Defense — Space Systems

Government-direct SCIF network integration: network lead for a Space Force program office

A U.S. Space Force program office bringing an existing federal facility back into service as an accredited SCIF, with a defense prime as the executing contractor (names withheld per engagement confidentiality)

ICD 705 · CNSSI 1253 · NISPOM · RMF (NIST 800-37) · DoDM 5105.21
Scope
  • Primary network integration point of contact, appointed by the government program office
  • Network prioritization advisory across SGN, SIPRNet, JWICS, and connected federal networks
  • Architecture coordination for reuse of a previously commissioned federal facility
Duration
6 months
Defense — Space Systems

Multi-enclave SAPF advisory for a Space Force prime

A prime contractor supporting U.S. Space Force mission operations (name withheld per engagement confidentiality)

ICD 705 · CNSSI 1253 · NISPOM · RMF (NIST 800-37)
Scope
  • Special Access Program Facility (SAPF) design and accreditation support
  • Three classified network enclaves: JWICS (TS/SCI), SIPRNet (Secret), and a Space Force network (TS/SI/SAR)
  • ICD 705, CNSSI 1253, NISPOM, and RMF documentation
Duration
9 months
Software

Zero to CMMC Level 2 certification in six months: greenfield IT buildout for a venture-backed startup

A venture-backed software startup preparing to handle Controlled Unclassified Information under a compressed customer timeline (name withheld per engagement confidentiality)

NIST 800-171 Rev 2 · CMMC 2.0 Level 2 · DFARS 252.204-7012 · NIST 800-53 Rev 5 · CIS Benchmarks
Scope
  • Full IT and security infrastructure buildout from a near-zero baseline
  • Cloud architecture and tenant setup with CUI workload isolation
  • Microsoft 365 migration with compliance-tier licensing
Duration
6 months
Team experience

The engagements behind the firm.

Fortinetics is a new firm. Our team is not. The case studies above are Fortinetics-led engagements. The list below is the broader body of work the team has executed in prior and concurrent senior security roles — at scale, under assessment, with real auditors and real outcomes. These inform how we architect every Fortinetics engagement, even when they aren't Fortinetics engagements themselves.

CMMC 2.0

Full-program CMMC Level 2 builds, end to end

Led complete CMMC Level 2 programs at DoD-adjacent software companies, taking organizations from near-zero documentation to assessment-ready across all 110 NIST 800-171 Rev 2 controls. Coverage spans dual-cloud environments (AWS GovCloud plus Azure GCC High), Microsoft 365 tenant hardening, Intune-managed endpoints, Yubikey and SSO identity stacks, STIG-aligned baselines, DISA RMF / eMASS alignment, and C3PAO engagement. Deep familiarity with what happens in the room during a Level 2 assessment.

FedRAMP · DoD IL4 / IL5

Multi-year FedRAMP High and DoD IL5 authorization programs

Led multi-year authorization programs for cloud service providers pursuing FedRAMP High ATO plus DoD Cloud Computing SRG IL5, including 3PAO selection, 7-step authorization sequencing, System Security Plan authorship with structured documentation tooling, continuous monitoring program build, and Agency / JAB sponsor coordination. Experience with IL4 deployments via FedRAMP-authorized brokers for DoD mission applications, and with Azure Government GCC High plus AWS GovCloud as parallel authorization environments.

SOC 2 · ISO 27001

Recurring SOC 2 Type II and ISMS programs at SaaS scale

Led recurring SOC 2 Type II annual audits at Series C aviation and AI SaaS organizations, covering control design, evidence pipeline, auditor coordination, bridge letters, and multi-year observation windows. Experience with ISO 27001:2022 alongside SOC 2 for organizations scaling into international markets. Deep familiarity with the points at which software-only compliance platforms (Vanta, Drata, Secureframe) stop being sufficient and where architectural judgment is required.

Zero Trust · SIEM · Incident response

Zero Trust migrations, SIEM build-outs, and incident response activations

Designed and deployed Zero Trust architectures at government-cloud scale, migrating organizations off legacy VPN to modern ZTNA with identity-aware policy enforcement. Built centralized SIEM pipelines with CMMC / FedRAMP-aligned retention and review cadences. Authored and activated incident response plans including full-lifecycle post-incident analysis on real events. Tabletop exercises, breach-cost modeling, and cross-functional IR coordination are core to how we operate.

Team experience is drawn from senior roles at defense-aligned SaaS companies and space startups. Specific employer names, client names, and dollar figures are withheld for professional and contractual confidentiality. Engagement patterns, frameworks, and operational approach are shared here because those are what inform a Fortinetics engagement's design.