Fortinetics
FAQ

The questions buyers actually ask.

Honest, specific answers — the same ones we give on a scoping call, written down. How engagements run, why we scope before we price, what the frameworks realistically take, where we differ from a platform or a Big 4 firm, and how the practitioner apps and the business itself are set up.

Engagement & pricing

How engagements and pricing work.

How do engagements actually work?
We run the full program, not a gap analysis. A typical engagement moves through four overlapping stages: design the target-state compliance architecture (control selection, boundary definition, technical specifications); implement it with your team (technical controls, hardened configurations, identity and access, logging and monitoring); document it to the standard an assessor expects (System Security Plan or equivalent, policy library, POA&M, Statement of Applicability); and support the assessment itself, including a pre-assessment dress rehearsal and sitting with you through the assessor or auditor interviews. We do not hand you a report and leave — the engagement runs from kickoff to assessor sign-off.
Why don't you publish pricing?
Because an honest number depends on scope, and scope is set by your environment — the number of systems in the boundary, how much regulated data you handle, what already exists versus what has to be built, and whether one framework or several are in play. A flat published price would either be padded to cover the worst case or wrong for most cases. We price each engagement after a scoping call: firm fixed-price (one number, milestone payments) for well-scoped programs, or time and materials against a not-to-exceed ceiling for advisory or evolving scope. You see the total or the ceiling before you commit.
What does a typical CMMC Level 2, FedRAMP Moderate, or SOC 2 engagement cost and take?
Cost is scope-dependent and set in a scoping call — we will not quote a figure without understanding your boundary. Timelines, though, are honest floors the frameworks impose. CMMC Level 2 typically runs six to nine months from first engagement to C3PAO assessment. FedRAMP Moderate runs twelve to eighteen months through authorization. SOC 2 Type I readiness is roughly three months, after which a Type II observation window (commonly three to twelve months) has to elapse before the Type II report. ISO 27001 runs around eight months through certification. Any vendor promising materially faster is selling a point-in-time snapshot, not operating maturity.
Do you guarantee certification?
No — and a firm that does is a red flag. CMMC certification is decided by an independent C3PAO; FedRAMP by an agency or the PMO with a 3PAO assessment; SOC 2 and ISO by independent auditors and certification bodies. None of them are ours to promise, and a vendor claiming to guarantee an independent third party's outcome is either overstating its influence or planning to cut corners. What we do commit to is architecting a defensible posture: controls that genuinely meet the requirement, evidence that holds up under examination, and a dress rehearsal before the real assessment so there are no surprises. Our CMMC Level 2 track record is perfect-score assessments, but we earn that on the work, not on a promise.
Are you a prime or a subcontractor?
Both, depending on the work. We are subcontractors by preference — we team with primes and large integrators, augment small internal security functions, and deliver the compliance scope on their contracts. We also engage directly with commercial clients (cloud providers, defense subcontractors, enterprises) on their own programs. We are teaming-friendly and happy to sit under a prime's contract vehicle, or to bring the compliance architecture to a teaming arrangement you are assembling.
Do you require an NDA?
Yes. We work NDA-first. Compliance engagements expose system architecture, security gaps, and sometimes regulated or classified context, so a mutual NDA is in place before any substantive technical discussion. If your organization has its own NDA template, we will work from yours; otherwise we provide one. This is non-negotiable on both sides — it protects your environment as much as our methodology.
Frameworks & scope

Frameworks, classified work, and scope.

Do you handle classified work? Can you do SCIF or SAPF accreditation?
Yes. Classified network and facility accreditation is a core pillar. We provide accreditation support under ICD 705 (SCIF and SAPF physical and technical standards), CNSSI 1253, NISPOM, and RMF, and our team has operated classified network enclaves — JWICS, SIPRNet, and a Space Force program — in parallel inside a single accredited facility envelope. We have cleared personnel for work that requires it. Specifics of clearance level and facility scope are confirmed under NDA and against your program's requirements.
How are you different from a compliance platform like Vanta or Drata?
They solve a different problem. Platforms like Vanta, Drata, and Secureframe are tooling — they automate evidence collection and auditor coordination, and they work well for SOC 2 and ISO 27001 self-service on a standard cloud stack where the bottleneck is gathering evidence, not designing controls. They do not architect the human-judgment frameworks: FedRAMP SSP depth, the 3PAO and C3PAO assessment methodology, DoD IL5, or a CUI enclave boundary. That is the work we do. We are not anti-platform — when a client already runs one, we use it alongside our architecture so evidence collection stays automated while the control design and assessor strategy get senior human judgment.
How are you different from a big consultancy?
We are boutique and senior-only. On a Big 4 or large-consultancy engagement, a partner pitches and junior consultants deliver against templates. On ours, the senior practitioners who scope the work are the ones doing it, from day one. We architect and implement rather than audit-and-advise, we sit through the assessment itself, and we can run several frameworks in parallel rather than staffing a separate workstream for each. That suits a single company with a specific certification target far better than a multi-year advisory portfolio sized for Big 4 blended rates.
Can you run multiple frameworks at once?
Yes, and it is usually the smart way to do it. CMMC, FedRAMP, SOC 2, and ISO 27001 share a large base of common controls and evidence. If you run them sequentially, you pay to build, document, and prove the overlapping controls more than once. If you run them in parallel on a shared control set and a single evidence pipeline, a second framework typically adds around thirty percent rather than doubling the cost. Common pairings: CMMC alongside SOC 2, FedRAMP alongside DoD IL4/IL5, ISO 27001 alongside SOC 2. We designed the firm to run across frameworks rather than specialize in one lane.
What is the situation with NIST 800-171 Rev 2 versus Rev 3 right now?
As of mid-2026, build to Rev 2. CMMC Level 2 and the DoD Assessment Methodology (your SPRS score) are anchored to NIST SP 800-171 Revision 2 and its 110 controls — that is what a C3PAO grades against today. NIST published Revision 3 in 2024, but DoD has not yet incorporated it into the DFARS clause or the CMMC program; the rulemaking to do so is expected in late 2026 or early 2027, with a transition period after that. Our posture: architect for Rev 2 compliance now, and design controls so the move to Rev 3 (which reorganizes families and adds requirements) is a tracked update rather than a rebuild. We track the rulemaking and flag client-specific impact as it firms up.
Working with us

The apps, and who we are.

Are the practitioner apps free?
Mostly, yes. We publish three apps for compliance practitioners. The DFARS Reference and the NIST 800-171 Reference each have a free tier covering the substance — full control and clause text, discussion, search, and notes — with an optional Pro upgrade at $9.99 one-time (Pro adds the 800-171A assessment objectives on the NIST app, and decision rules, cross-walks, and enforcement history on the DFARS app). The CMMC SPRS Score Calculator is fully free, no Pro tier. All three run on-device: your inputs and scores stay local, and nothing is submitted to SPRS or to us.
Where are you based, and what is your business standing?
Fortinetics is a limited liability company (Fortinetics LLC) formed in the Commonwealth of Virginia, operating as a small business. Our primary NAICS code is 541512 (Computer Systems Design Services), the standard vertical for the federal-contractor compliance work we do. We serve clients across the United States.
Are you registered in SAM.gov? Do you have a CAGE code?
We register in SAM.gov and obtain a CAGE code when a teaming arrangement requires it. This is a deliberate consequence of our subcontractor-by-preference posture: we typically deliver under a prime's contract vehicle, so we complete federal registration to match the specific requirement rather than maintaining it speculatively. If your teaming or contracting setup needs us registered, we handle it as part of standing up the engagement.
Still have a question?

A scoping call answers the rest.

Thirty to forty-five minutes. We walk through your current posture, the target, and the constraints — and price the work honestly against your actual scope. If the fit or the timing is wrong, we say so.