Fortinetics
Frameworks · 7

Every framework that matters
at the hardest bars.

CMMC 2.0. FedRAMP. DoD Cloud Computing SRG Impact Levels 4, 5, and 6. SOC 2 Type I and II. ISO/IEC 27001:2022. SCIF and SAPF accreditation under ICD 705. We run these end-to-end — design through certificate — often multiple in parallel.

DEFENSE · CUI

CMMC 2.0

End-to-end CMMC Level 1, 2, and 3 readiness and implementation — and the NIST SP 800-171 architecture underneath it that still binds you during the Phase 2 suspension.

6–9 months from engagement kickoff to assessment-ready. Third-party certification events are paused during the Phase 2 suspension; the readiness work is not.
Read more →
DEFENSE · CUI

NIST SP 800-171

NIST SP 800-171 implementation for defense contractors protecting CUI — the 110 controls that underpin CMMC Level 2.

6–9 months to a genuine 110/110 posture from a sound IT baseline; the same program that supports CMMC Level 2 certification.
Read more →
FEDERAL CLOUD

FedRAMP

FedRAMP certification for cloud service providers entering the federal market — Classes B, C, and D (formerly Low, Moderate, and High) under the Consolidated Rules for 2026.

12–18 months for FedRAMP Moderate (Class C) from sponsor engagement to certification. Class D (High) follows a similar cadence.
Read more →
DoD CLOUD · IL4 / IL5 / IL6

DoD Cloud Computing SRG · Impact Levels 4, 5, 6

DoD Cloud Computing SRG authorization for Impact Level 4, 5, and 6 workloads handling DoD CUI and classified data.

4–6 months from clean FedRAMP Moderate to IL4 PA. IL4 → IL5 adds another 4–6 months. IL6 is a separate tier with classified-network preconditions.
Read more →
COMMERCIAL · SaaS

SOC 2

SOC 2 Type I and Type II attestation support for commercial SaaS proving security posture to enterprise buyers.

3–6 months from kickoff to Type I report. Type II runs on top with a 6–12 month audit window.
Read more →
GLOBAL ISMS

ISO/IEC 27001:2022

ISO/IEC 27001:2022 Information Security Management System design and certification for global enterprise compliance.

6–9 months from ISMS kickoff to Stage 2 certification audit for a first-time certification.
Read more →
CLASSIFIED · ICD 705

SCIF & SAPF Accreditation

Sensitive Compartmented Information Facility and Special Access Program Facility accreditation for defense primes and government programs.

12–18 months for a purpose-built SCIF; 18–24 months for a SAPF with multiple classified enclaves.
Read more →
Pursuing more than one?

We run frameworks in parallel.

CMMC alongside SOC 2. FedRAMP alongside IL4. ISO 27001 alongside SOC 2. Shared controls, a shared evidence pipeline, and a meaningful cost reduction versus running them sequentially. That's the normal shape of our engagements.

Book a scoping call →