Fortinetics
Services

The hardest certification bars in the industry.

Six service pillars. From classified network accreditation to turnkey CUI-ready IT infrastructure to commercial SOC 2 Type II. Each pillar is delivered end-to-end — design, implementation, documentation, evidence, assessment support — by a team with authorship-level knowledge of the standards.

01 · Classified Networks

SCIF & SAPF Accreditation

The most elite work we do. Design, engineering, and accreditation support for classified network enclaves and secure facilities operating under U.S. Government control.

Plate 01 · SAPF multi-enclave topology (figure; ICD 705, CNSSI 1253, NISPOM). Plan-view plate showing three classified network enclaves (JWICS at TS/SCI, SIPRNet at Secret, and a Space Force SGN network at TS/SI/SAR) separated under ICD 705 within a Special Access Program Facility envelope. Perimeter treatments (RF shielding, STC-50 acoustic, access control, IDS/alarm/CCTV) and the Authorizing Official RMF ATO accreditation flow are annotated.

We advise defense primes building or retrofitting Sensitive Compartmented Information Facilities (SCIFs) and Special Access Program Facilities (SAPFs). Our technical scope includes multi-enclave classified network architectures — JWICS (TS/SCI), SIPRNet (Secret), and Space Force networks including SGN (TS/SI/SAR) — operating within a single facility envelope.

Our team contributes network separation strategies, rack and cabling layouts, shielding and grounding considerations, vendor-agnostic Bill of Materials development, and draft content for accreditation packages. We coordinate with your Facility Security Officer and Information System Security Manager through Authorizing Official reviews.

Our role is advisory. Final accreditation decisions rest solely with the U.S. Government Authorizing Official. We do not handle classified information under these engagements — all classified activities are performed by appropriately cleared Client personnel.

Frameworks & standards: ICD 705 · CNSSI 1253 · NISPOM · RMF (NIST 800-37) · DoDM 5105.21
Typical duration: 6–12 months
Client profile: Defense primes under Space Force, Intelligence Community, and DoD program offices

02 · IT & Security Buildout

Turnkey compliant infrastructure.

Our most hands-on pillar. For venture-backed startups winning their first defense contract, and commercial firms opening new facilities that will process CUI — we design, build, and deploy the full IT and security infrastructure from scratch. Network to endpoints to cloud to SIEM to CUI enclave. CMMC-ready on day one.

Plate 02 · Greenfield IT & security buildout (figure; CMMC L2, NIST 800-171 Rev 2). Six-layer stack deployed during a CUI-ready buildout: L1 Physical (low-voltage cabling, rack/UPS, access control, CCTV/badges, via subcontractor), L2 Network (CUI VLAN, NGFW/IDS, SD-WAN/VPN, WPA3-Enterprise Wi-Fi), L3 Identity (Entra ID/AD, SSO/SAML, MFA/FIDO2, PAM, conditional access), L4 Endpoint (STIG-hardened, Intune MDM, Jamf for Mac, BitLocker/FileVault 2, application allowlisting), L5 Observability (SIEM with 3-yr log retention, EDR/MDR, backup/DR, vulnerability management), L6 Apps & Productivity (M365 GCC High, Teams, Outlook, SharePoint, Purview DLP). The CUI enclave boundary and CMMC Level 2 readiness milestones (kickoff, cable and core up, user cutover, CMMC-ready) are annotated on the delivery timeline.

Greenfield IT is the moment where most compliance programs are made or broken. A startup that wires up its infrastructure without CMMC in mind spends the next six months retrofitting. A commercial firm that opens a new facility without CUI segmentation designed in ends up with a scope-sprawl problem that the first assessor flags immediately. Getting the foundation right is cheaper than fixing it.

We handle the full stack:
· Network architecture (wired, wireless, VPN, CUI-segmented VLANs)
· Identity and access management (Active Directory, Entra ID, SSO, MFA, privileged access)
· Endpoint deployment (Intune, JAMF, EDR/MDR across all workstations)
· Cloud tenant setup in Azure GovCloud, GCC High, or AWS US Gov depending on workload class
· Email and productivity with compliance licensing
· Centralized SIEM with retention tuned to 800-171 and CMMC expectations
· Backup and DR
· Physical security integration (badges, cameras, access control) via trusted subcontractors
· Low-voltage cabling and rack install
· Optional help desk and L1 support

We don't vanish after cable-pulling. Typical engagements include a three-to-six-month operating period where we run the environment while your internal IT and security team comes online, then hand off with full documentation and runbooks — or continue as a managed retainer if that is the better fit.

Frameworks & standards: NIST 800-171 Rev 2 · NIST 800-53 Rev 5 · DFARS 252.204-7012 · CMMC Assessment Guide v2.13 · CIS Benchmarks · DISA STIGs
Typical duration: 3–9 months buildout + optional managed retainer
Client profile: Seed-to-Series-B startups winning first defense contracts; commercial firms opening CUI-handling facilities

03 · CMMC 2.0

Level 1, 2, and 3 Certification

End-to-end support for defense subcontractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Our team includes a practitioner who worked on the CMMC standard at the Department of Defense in 2019.

Plate 03 · CMMC L2 control map (figure; NIST 800-171 Rev 2, 14 families, 110 controls). Grid of the fourteen control families that define CMMC Level 2 assessment scope, with control counts per family totaling 110: AC 22, AT 3, AU 9, CA 4, CM 9, IA 11, IR 3, MA 6, MP 9, PE 6, PS 2, RA 3, SC 16, SI 7. Annotated with the Fortinetics track record: 110/110 assessor score across multiple C3PAO-assessed Level 2 clients, no reopened items, typical 6–9 month engagement.

CMMC Phase 2 enforcement begins November 10, 2026. Every defense subcontractor handling CUI will need a Level 2 C3PAO certificate in hand at the time of contract award. C3PAO capacity is finite, and a Level 2 preparation window is typically six to nine months. The clock is already running.

Level 1 covers FCI handling — 17 controls from FAR 52.204-21, self-assessed. Level 2 covers CUI — 110 NIST 800-171 Rev 2 controls across 14 families, assessed by a C3PAO (or, for limited scopes, self-assessed). Level 3 covers advanced CUI — adds selected NIST 800-172 controls, assessed by DIBCAC.

We have taken multiple clients from first engagement to Level 2 certification with perfect 110/110 assessor scores, consistently in under nine months. We design the compliance architecture, build the technical controls, author the policy library, produce assessor-grade evidence, train the internal team, and sit with the client through the assessment itself.

Frameworks & standards: NIST 800-171 Rev 2 · NIST 800-172 · FAR 52.204-21 · DFARS 252.204-7012 / 7019 / 7020 / 7021 / 7025 · CMMC Assessment Guide v2.13
Typical duration: 6–9 months (Level 2)
Client profile: Defense subcontractors handling FCI or CUI, small to mid-sized primes

04 · FedRAMP & DoD CC SRG

Cloud Authorization

For cloud service providers serving federal agencies and the Department of Defense. FedRAMP is the federal-wide baseline; DoD Cloud Computing SRG layers DoD-specific controls on top for workloads handling CUI and mission-critical data.

Plate 04 · Authorization ladder (figure; FedRAMP Rev 5, DoD CC SRG v1r4+). Ascending tiers by data sensitivity, each with the requirement it adds: Tier 01 FedRAMP Moderate (CUI, most federal workloads, the baseline); Tier 02 FedRAMP High (high-impact CUI, adds high-impact controls); Tier 03 DoD Impact Level 4 (DoD CUI workloads, adds the DoD overlay and GovCloud); Tier 04 IL5 (mission-critical CUI, adds US-citizen and FIPS 140 requirements); Tier 05 IL6 (classified Secret, adds SIPRNet and classified handling). Fortinetics scope covers boundary definition, SSP, ConMon, 3PAO coordination, and sponsor/JAB or DISA PA engagement.

FedRAMP supports three impact baselines — Low, Moderate, and High. We prepare System Security Plans, work with a 3PAO for independent assessment, and guide clients through either a Joint Authorization Board Provisional ATO or a sponsoring Agency ATO. Continuous monitoring programs are designed up front, not retrofitted.

DoD Cloud Computing Security Requirements Guide (CC SRG) defines Impact Levels for DoD cloud deployments. IL2 covers low-impact workloads. IL4 adds DoD-specific controls on top of FedRAMP Moderate for CUI. IL5 adds further requirements for mission-critical CUI and National Security Systems. IL6 covers classified Secret workloads on SIPRNet-connected infrastructure. We prepare DISA Provisional Authorization packages for clients deploying into GovCloud, Azure Government (GCC High), and AWS Secret Region.

Commercial CSPs entering the federal market need both authorizations. We sequence engagements so that work on FedRAMP directly accelerates the DoD CC SRG authorization — no duplicated effort.

Frameworks & standards: FedRAMP Rev 5 baselines · NIST 800-53 Rev 5 · DoD CC SRG v1r4+ · FedRAMP Continuous Monitoring Strategy · OMB Memo M-22-09
Typical duration: 9–18 months
Client profile: Cloud service providers pursuing federal or DoD market

05 · SOC 2

Type I and Type II Attestation

For commercial SaaS and service providers proving security posture to enterprise buyers.

Plate 05 · SOC 2 Trust Services Criteria (figure; AICPA TSP-100, 2017/2022 revisions). Map of the Trust Services Criteria with Security (Common Criteria, required for all engagements) as the hub and four optional categories as satellites: Availability (uptime, SLA, DR), Confidentiality (CUI, trade secrets, IP), Processing Integrity (complete, accurate, timely), and Privacy (PII; GDPR/CCPA adjacent). Assessment types shown below: Type I (point-in-time, design of controls) and Type II (3–12 month window, operating effectiveness).

SOC 2 is attested against the AICPA Trust Services Criteria — Security (required), Availability, Confidentiality, Processing Integrity, and Privacy. The scope is chosen based on what your enterprise customers require. Most companies start with Security and Confidentiality.

Type I covers the design of controls at a point in time — useful to signal commitment. Type II covers operating effectiveness over a period, usually six to twelve months — this is what enterprise customers actually want to see. Most clients sequence Type I first, then roll straight into the Type II observation window.

We design the control framework, author the policy library, implement the technical controls, produce evidence for the observation period, manage your relationship with the CPA firm performing the audit, and deliver a clean, production-grade report.

Frameworks & standards: AICPA Trust Services Criteria · SOC 2 Type I & Type II · AICPA SOC reporting framework · ISO 27001 ↔ SOC 2 control mapping
Typical duration: 3 months (Type I) + 6–12 months observation (Type II)
Client profile: Series A–C SaaS, FinTech, HealthTech with lean security functions

06 · ISO 27001

Global ISMS Certification

For organizations with global operations or enterprise customers that specifically require ISO 27001. The information security management system (ISMS) framework that pairs well with SOC 2 and, with minor extensions, FedRAMP.

Plate 06 · ISO 27001:2022 Annex A (figure; 4 themes, 93 controls, ISMS clauses 4–10). Four Annex A themes inside the ISMS envelope: A.5 Organizational (37 controls: policies, roles, suppliers, incident management), A.6 People (8: screening, training, discipline, exits), A.7 Physical (14: perimeters, equipment, secure disposal), A.8 Technological (34: access, crypto, logging, vulnerability management), totaling 93 controls. Extensions shown as appended modules: ISO/IEC 27017 cloud services controls (+7 CSC, +28 imp.) and ISO/IEC 27018 PII in public cloud (processor role).

ISO 27001 certification requires an operational ISMS — risk assessment methodology, Statement of Applicability (SoA), Annex A control selection, internal audit program, management review cadence, and continuous improvement loop. It's not a point-in-time checklist; it's a management system.

We design the ISMS, select Annex A controls based on your risk posture, produce the required documentation, train your team on ISMS operations, support internal audits, and manage the Stage 1 and Stage 2 certification audits with an accredited certification body.

Where relevant, we extend into ISO 27017 (cloud-specific controls) and ISO 27018 (personal data in cloud). Clients running multi-framework programs often find that ISO 27001 provides the management-system backbone that SOC 2 and FedRAMP artifacts plug into cleanly.

Frameworks & standards: ISO/IEC 27001:2022 · ISO/IEC 27002:2022 · ISO/IEC 27017 (cloud) · ISO/IEC 27018 (PII in cloud) · ISO 31000 (risk)
Typical duration: 6–9 months to initial certification
Client profile: Global SaaS, European customers, enterprise buyers requiring ISO

Cross-cutting capabilities

Work that spans multiple pillars.

· CUI enclave design — isolated processing environments for controlled data
· NIST 800-171 and 800-53 gap assessments with assessor-grade evidence
· DFARS 252.204-7012 incident response readiness (72-hour DC3 reporting path)
· RMF / ATO packaging and documentation
· Continuous monitoring program design
· Third-party and supply chain risk management
· Policy library authoring
· Pre-assessment readiness reviews (dress rehearsal for the real thing)

Next step

Know which pillar fits — or need help figuring out?

Book a scoping call and we'll walk through your current posture, the target certification, and a realistic engagement shape. No commitment.