Health, Education & Government Government & Public Sector Defense Systems & Programs

Secure Networks

Multi-agency, multi-stakeholder programs where procurement, compliance, and mission alignment determine success.

General Dynamics IT SAIC Leidos BAE Systems
Inside this journey
  1. Pre-Discovery

    Align the room on outcomes, decision process, and constraints before deeper discovery.

    1. Stakeholder Alignment

      Confirm decision roles, timelines, mission-critical windows, and what 'good' looks like for each stakeholder.

      Alignment Questions

      Starting Here: Your Mission, Timeline, and Stakes

      • In one sentence, describe the mission or program that requires this classified or multi‑classification connectivity.
      • What is your target timeline for delivered connectivity and any fixed accreditation deadlines? Options: Immediate (0–3 months), Near-term (3–6 months), Quarter (6–12 months), Beyond 12 months, Date-driven (specific deadline — please specify)
      • Who are the primary decision-makers, approvers, and technical leads for this effort? (select all that apply) Options: Agency CIO/Director of Enterprise Services, J6/G6 Communications Officer, Network Branch Chief / NOC Lead, Program Manager / PMO, Authorizing Official (AO), Acquisition / Contracting Officer, Facility Security Officer / ISSM, COMSEC Custodian, Other (please name), Prefer not to list
      • If there are named stakeholders or points of contact we should include, list their role, name, and best contact method.
      • Which single outcome would make you declare this engagement a clear success? Options: ATO within first RMF assessment cycle, Zero mission downtime during transition/cutover, Accredited cross-domain transfers, Full Type 1 crypto installed and operational, Sustainable long-term sustainment plan in place, Other (please specify)
      • How urgent is avoiding mission disruption during modernization? Options: Critical — no disruption acceptable, High — only planned brief windows, Moderate — short planned windows okay, Low — flexible

      What risks are you quietly telling yourself are 'good enough'?

      • When you audit past modernization projects, what trade-offs did you accept that you now worry about?
      • How often have prior modernization efforts required accreditation rework or additional RMF cycles? Options: Never, Once, Multiple times, Ongoing / frequent
      • Describe the most recent accreditation or RMF failure: what was the finding, and what caused it?
      • How frequently do vendor devices or new integrations introduce interoperability exceptions during testing? Options: Frequently, Sometimes, Rarely, Never, Unknown
      • When accreditation or interoperability problems surface, what internal pressures (timeline, budget, career risk) most influence the decisions you make?

      Where in your network would a failure be catastrophic?

      • Which classification enclaves and boundaries are in scope for this project? (select all that apply) Options: Unclassified, SBU / Sensitive, Secret, TS/SCI, TS/SCI with SAP access, Other (please list)
      • Do you have current topology and enclave boundary documentation available? Options: Complete and up-to-date, Partial—some maps and diagrams, Outdated documentation, No formal documentation
      • If your documentation is partial or outdated, what are the most critical gaps we should know about (e.g., missing cross-domain flows, unknown chokepoints)?
      • Which failure modes worry you most if a change is made (select all that apply)? Options: COMSEC compromise or mishandling, Encryption device mis-provisioning, Cross-domain data leakage, Single point of infrastructure failure, Configuration drift causing outages, Insufficient RMF evidence / documentation, Other (please specify)
      • Share a recent incident or near-miss that revealed one of these failure modes and what the immediate impact was.

      Imagine the day you receive the ATO — what will be different?

      • What measurable success signals must be present to convince the Authorizing Official to sign off? (select all that apply) Options: Complete RMF evidence package, End‑to‑end encryption validated in production, Interoperability test matrix passed with legacy systems, Penetration tests remediated to AO satisfaction, Zero mission downtime observed during cutover, User acceptance and operational handover complete
      • Which Zero Trust controls are non‑negotiable for your environment (e.g., identity assurance, microsegmentation, flow logging)?
      • What is your ATO or accreditation deadline and are there intermediate gating milestones we must observe? Options: Fixed calendar date (please specify), Aligned to procurement milestones, Rolling / no fixed date, Unknown
      • What KPIs will your leadership use to judge success (select all that apply)? Options: Time to ATO, Mission downtime hours, Packet loss / latency SLAs, Number of RMF findings, Engineers cleared & certified on site, On‑time procurement & staging
      • List any acceptance criteria or test cases the Authorizing Official has already specified.

      What's quietly blocking progress that vendors keep promising to fix?

      • Which operational blockers are most likely to derail the schedule if not resolved? (select all that apply) Options: Insufficient NSA‑certified engineers, COMSEC handling and cleared facilities, Procurement lead times for crypto hardware, Lack of equipment staging and inventory control, Contractual ambiguity on responsibilities, Interoperability with legacy/third‑party systems, Other (please specify)
      • What are your typical procurement lead times for critical encryption hardware, and have you experienced recent supplier delays (weeks)?
      • How many cleared/NSA‑certified engineers are available internally right now? Options: None, 1–2, 3–5, 6–10, More than 10, Unknown / contractor‑mixed
      • How many NSA‑certified engineers would the schedule realistically require from a partner during peak install windows?
      • If staffing or procurement slips occur, describe the operational, political, or personal impacts you fear most.

      If we partnered, how should we prove we deserve the keys to your environment?

      • Which proof points matter most when evaluating a secure network integrator? (select all that apply) Options: Roster of NSA‑certified engineers with clearances, Documented ATO success rate and RMF histories, COMSEC custody and chain‑of‑custody procedures, Product‑specific integration experience (list vendors), References from comparable agency programs, DISA STIG and STIG remediation evidence, Other (please specify)
      • What format of demonstration or evidence would most influence your acquisition decision? Options: Technical architecture assessment report, Lab demo / staged Type 1 provisioning, On‑site pilot installation, Whitepapers and compliance artifacts, Customer reference calls and site visits
      • Are there named encryption devices, cross‑domain products, or versions we must demonstrate experience with? Please list them.
      • Would you prefer iterative milestones with go/no‑go decision points during delivery, or a single approval gate at ATO? Options: Iterative milestones with go/no‑go, Single gate at ATO, Hybrid approach
      • Who should be included in technical walkthroughs, demos, and vendor briefings on your side?

      Three months from now — what will convince you we were the right choice?

      • Which 90‑day milestone package would most increase your confidence? (select up to three) Options: Verified facility clearance & COMSEC handling plan, Completed and validated topology & enclave documentation, Staged equipment with chain‑of‑custody records, Type 1 crypto provisioning completed in lab, Interoperability test report with legacy systems, Draft RMF evidence package delivered
      • How flexible are your installation and access windows for field engineering teams? Options: Fixed windows only — no exceptions, Somewhat flexible with notice, Very flexible, Unknown / depends on facility
      • What would be an acceptable remediation SLA if an accreditation finding arises after deployment (timeframe and scope)?
      • What communication cadence during deployment will put you at ease (select one)? Options: Daily standups with technical team, Twice‑weekly tactical updates, Weekly executive summary, Ad‑hoc on critical issues only
      • Who will be the single technical point of contact for field engineers, and what is your preferred escalation path for critical issues?
    2. Current State Mapping

      Document network topology, enclave boundaries, accreditation gaps, and failure modes that risk mission continuity.

      Current State

      Quick Snapshot: Where are we starting from?

      • Give a one-line summary of your current classified/sensitive network footprint (sites, number of enclaves, primary classification levels).
      • Which classification levels and enclave types are in scope today? Options: Unclassified, SBU (Sensitive But Unclassified), Confidential, Secret, Top Secret, TS/SCI
      • How many physical sites and logical enclaves are we looking at for this effort? Options: 1, 2–5, 6–20, 21–50, 51+
      • Roughly how many end systems, servers, and network devices (combined) fall inside the scoped enclaves? Options: <100, 100–499, 500–1,999, 2,000–9,999, 10,000+
      • Who is the single decision owner for network accreditation and mission continuity (title/role)?

      What single outage would stop everything right now?

      • If one specific failure could immediately halt mission operations, what is it? Options: Loss of Type 1 crypto provisioning, Cross-domain transfer failure, Accreditation/AO denial, WAN backbone outage, Single-point hardware failure, Other
      • How many times in the last 24 months has that kind of failure occurred (or nearly occurred)? Options: Never, Once, 2–3 times, 4–9 times, 10+
      • When that failure happened or nearly happened, what mitigations were attempted and how effective were they?
      • How quickly must you restore service before mission impact becomes unacceptable (RTO)? Options: Minutes, Under 1 hour, 1–8 hours, 8–24 hours, More than 24 hours
      • How does the possibility of that outage affect your team’s willingness to approve changes or upgrades? Options: Very cautious, Cautious but open, Neutral, Eager to change

      When 'segmented' might actually be porous

      • Are you confident that enclave boundaries are fully documented and enforced — or could hidden flows cross boundaries today? Options: Confident — fully documented/enforced, Some uncertainty — partial documentation, Not confident — undocumented or porous
      • List the primary data flows (source -> destination) that must never cross classifications or that require cross-domain guard controls.
      • Which technologies currently enforce boundary controls (select all that apply)? Options: VLANs/VRFs, Firewalls (NGFW), Cross-domain solution (CDS), Diodes/Guards, Encryption devices (Type 1/Commercial), ACLs/NAC, Other
      • How often do you reconcile logical diagrams with actual routing/firewall rules to catch 'drift'? Options: Weekly, Monthly, Quarterly, Annually, Never
      • If we asked to review a current network diagram and an actual flow capture, would they match or reveal surprises? Options: Match closely, Some minor differences, Major discrepancies likely, We don't have both artifacts

      Where accreditation is quietly fragile

      • If your ATO deadline were moved up by 90 days, which accreditation element would you expect to struggle to meet? Options: System Security Plan (SSP), POA&M closure, RMF step evidence, Interoperability test records, COMSEC/keying evidence, Other
      • Which RMF step is your program currently in? Options: Categorization, Select security controls, Implement controls, Assess controls, Authorize, Monitor
      • How many open POA&Ms exist that directly affect connectivity or COMSEC, and how long have the oldest been open? Options: 0, 1–5 (oldest <3 months), 1–5 (oldest 3–12 months), 6–20 (oldest >12 months), 20+ / chronic
      • Who is your Authorizing Official (AO) or Designated Accrediting Authority, and what are their top concerns about this environment?
      • What evidence packages (e.g., test logs, DISA STIG checklists, COMSEC inventories) are available immediately versus those that will need creation? Options: Most evidence ready, Partial evidence ready, Most evidence needs creation, Unsure

      Secrets, Keys, and the Clock on Crypto

      • Do you have a complete, audited inventory of all cryptographic devices and keying material that must be reprovisioned or migrated? Options: Yes — audited and current, Partially — some gaps, No — inventory incomplete, Unsure
      • How many devices require Type 1 provisioning or Type 1-equivalent handling as part of this project? Options: None, 1–10, 11–50, 51–200, 200+
      • Who holds COMSEC custody today and what is their capacity to support inventories, turnover, and escorted installs?
      • What is the longest lead-time item in the crypto provisioning chain (e.g., device procurement, NSA keying, courier windows, certified engineer availability)? Options: Device procurement, NSA key distribution, NSA-certified staff scheduling, Facility/escort approvals, Transport/logistics, Other
      • On a scale from 1–5, how confident are you that crypto provisioning timelines will align with your deployment windows? Options: 1 — Not confident, 2, 3 — Somewhat confident, 4, 5 — Very confident
      • If there is a shortfall in NSA-certified engineers, what fallback do you have (e.g., contractors, phased installs, remote provisioning)?

      When 'it's compatible' turns out to be wishful thinking

      • Have you ever assumed two vendors/protocols would interoperate and then discovered they didn't in the field? Options: Yes — caused delays, Yes — worked-around quickly, No — always tested beforehand, Unsure
      • List the major vendors, models, and firmware versions of devices involved in cross-enclave connectivity (firewalls, routers, encryption devices, CDS).
      • Which interoperability tests have been run in a lab environment and which remain untested? Options: End-to-end encryption provisioning, Cross-domain transfer validation, Protocol translation tests, Performance under load, None tested
      • When interoperability exceptions were found previously, how long did remediation take and who owned the fix?
      • Would you allow a staged lab rehearsal with our engineers before field installation (requires sanitized test data and access)? Options: Yes — schedule immediately, Yes — after approvals, No — not possible, Unsure

      Have we actually practiced the worst-case?

      • When was the last time you executed a full cutover rehearsal (including rollback and accreditation evidence capture)? Options: Within 3 months, 3–12 months, 1–2 years, Never
      • Which failure scenarios have you not practiced but worry about (select all that apply)? Options: COMSEC compromise, Cross-domain data leakage, Partial device compatibility failure, Key provisioning delay, Backout/rollback failure, AO rejection of evidence
      • Do you have a documented rollback plan with clear decision gates and owner signatures? Options: Yes, documented and rehearsed, Documented but not rehearsed, No documented rollback plan, Unsure
      • How comfortable would your operations team be executing a rollback under AO direction, emotionally and technically? Options: Very comfortable, Somewhat comfortable, Reluctant, Would require external support
      • What monitoring and alerting would tell you in time to avoid a mission-ending failure?

      If constraints vanished for a moment

      • If budget, staff, and lead times were not constraints, what would an ideal migration look like for your program?
      • What are the non-negotiable success criteria the AO and CIO must see to sign off on an ATO? Options: Full STIG compliance, Complete COMSEC inventory & keying evidence, Interoperability test logs, Performance benchmarks met, POA&Ms closed/acceptable
      • Which measurable signals would make you say, 'This migration succeeded' (e.g., latency, throughput, no POA&Ms, AO endorsement)?
      • What level of transparency and update cadence do decision-makers expect during cutover (daily, twice-daily, on-demand)? Options: Daily, Twice daily, Weekly, On-demand/real-time
      • Emotionally, what would relief look like to your team after acceptance (confidence, reduced overtime, fewer meeting escalations, other)? Options: Renewed confidence, Lower operational stress, Fewer emergency tasks, Other

      Concrete next steps we can take together

      • Which artifacts can you share immediately to accelerate mapping (network diagrams, STIG reports, COMSEC inventories, RMF artifacts)? Options: Network diagrams, STIG/SCAP reports, COMSEC inventory, RMF evidence packages, None ready
      • Are you able to grant our engineering team a controlled lab or sanitized data environment for pre-deployment testing? Options: Yes — immediate access, Yes — with approvals, No — cannot provide, Unsure
      • What is the single highest-priority gap you'd like us to assess first?
      • How soon can we schedule a 90–120 minute technical deep-dive with your network, COMSEC, and RMF leads? Options: This week, Within 2 weeks, Within a month, Longer
      • Who else should be included in discovery to remove blockers (list names/roles: AO, COMSEC custodian, network ops, procurement, facilities)?
  2. Outcome Discovery

    Define target connectivity outcomes, Zero Trust requirements, measurable success signals, and accreditation deadlines.

    Discovery Questions

    Quick Win: The One Outcome That Changes Everything

    • Which single connectivity outcome would validate this entire effort for you? Options: Seamless classified cross-domain sharing, Zero downtime during cutover, Zero Trust compliance by deadline, High-bandwidth support for ISR and VTC, ATO within first RMF cycle, Other (please specify)
    • Can you briefly describe the current baseline for that outcome (what works today, what doesn't)?
    • How long has this outcome been unmet or partially met? Options: Less than 3 months, 3–12 months, 1–2 years, Over 2 years, Unknown
    • Who will be the final decision authority that signs off this is achieved? Options: Authorizing Official (AO), CIO / Director of Enterprise Services, J6/G6 Communications Officer, Mission Owner / Director, Program Manager, Other
    • What absolute constraints must we honor to pursue that outcome (blackout windows, no-touch periods, accreditation freeze, COMSEC rules)? Options: No mission downtime > X hours, Specific blackout windows/dates, Restricted COMSEC handling windows, Facility access limitations, Procurement/funding constraints, None, Other (please detail)

    What Would Keep the Mission Up at Night?

    • If connectivity failed during a critical operation, what would the immediate and downstream consequences be?
    • Which failure modes worry you most right now? Options: WAN saturation/insufficient bandwidth, Encryption device misconfiguration, Cross-domain transfer failure, Accreditation rejection / AO denial, COMSEC compromise or mishandling, Equipment lead-time or delivery delays, Other (please specify)
    • How often have near-misses, partial outages, or service degradations occurred in the past 12 months? Options: Weekly, Monthly, Quarterly, Rarely, Never, Unknown
    • What current mitigations or workarounds exist, and why haven’t they been sufficient?
    • For each mission type affected, how long can it tolerate degraded or lost classified connectivity? Options: Minutes, Hours, Up to 24 hours, Multiple days, Not tolerable / immediate impact, Varies by mission (please describe)
    • If we could remove one technical or process risk overnight, which would it be and why?

    Who Must Be Convinced Before You Can Move Forward?

    • Who will say 'go' — and who could veto — when accreditation evidence lands on their desk?
    • Map the key stakeholders and what 'good' looks like to each (role → top acceptance criteria).
    • Which stakeholder has the most conservative risk appetite for this program? Options: Authorizing Official (AO), CIO / Director, Mission Owner, Program Manager, Security/IA Office, Other
    • How aligned are stakeholders on timeline, scope, and acceptable trade-offs? Options: Fully aligned, Mostly aligned with minor gaps, Significant disagreements, Unclear / alignment unknown
    • What communication artifacts and cadence reassure these stakeholders most (pick all that apply)? Options: Weekly technical brief, ATO evidence package preview, Architecture walkthrough demo, Cutover war-room during migration, Risk and mitigation tracker (POA&M), Executive one-pager
    • Has any stakeholder previously blocked or delayed similar work? If yes, describe what resolved it.

    Are You Sure Your Zero Trust Isn't a Paper Tiger?

    • Which Zero Trust requirement do you expect will expose the biggest gaps in your current environment?
    • Which Zero Trust pillars are mandatory for this deployment? Options: Identity & Access Management (IAM), Least privilege & micro-segmentation, Device posture and endpoint controls, Encrypted transit & COMSEC integration, Continuous monitoring & analytics, Data protection / DLP
    • What identity and authentication systems must integrate (e.g., PKI, CAC/PIV, SSO providers)?
    • Are device posture checks, endpoint agents, and MFA currently enforced at enclave boundaries? Options: Yes, consistently across enclaves, Partially – some enclaves only, Planned but not yet implemented, No
    • What telemetry, logs, and retention window are required for continuous monitoring and accreditation? Options: NetFlow / flow records, Packet captures (PCAP) for forensics, Authentication logs (IAM), Endpoint telemetry, COMSEC custody logs, SIEM retention policy (specify days)
    • If time or budget forces us to phase Zero Trust features, which must come first and which can wait?

    Is the Accreditation Deadline a Cliff or a Guiding Line?

    • If the accreditation deadline slips, what will you be forced to sacrifice—capability, scope, or security posture?
    • What is the firm accreditation/AO deadline you must meet (or your target date)? Options: Within 30 days, 31–60 days, 61–90 days, 3–6 months, 6–12 months, No firm deadline / target only
    • What RMF step is the system currently in? Options: Categorization (Step 1), Select (Step 2), Implement (Step 3), Assess (Step 4), Authorize (Step 5), Monitor (Step 6), Unsure
    • Which accreditation artifacts are already complete or partially complete? Options: System Security Plan (SSP), Security Assessment Report (SAR), Plan of Actions & Milestones (POA&M), Test & Evaluation Plans, COMSEC handling SOPs, None
    • Historically, how many RMF cycles did similar projects require before AO approval? Options: Zero (first cycle approval), One cycle with minor remediation, Two cycles, Three or more, Not applicable / new program
    • What maximum remediation window is acceptable after assessment before mission risk becomes intolerable? Options: <30 days, 30–60 days, 61–120 days, >120 days, Remediation not acceptable

    How Will We Know This Worked—Without Guessing?

    • What would make your leadership confidently declare 'mission success' on day one of operations?
    • Which measurable acceptance criteria must be demonstrable at cutover? Options: End-to-end encrypted channels operational, Cross-domain transfer validated, Performance thresholds met (latency/bandwidth), Interoperability tests passed, User authentication & SSO working, COMSEC keys and devices provisioned
    • What specific performance thresholds (latency, throughput, jitter) matter for your top three applications?
    • Which monitoring and reporting outputs would satisfy both operations and the AO? Options: Real-time NOC dashboard, Daily compliance digest, Weekly executive brief, Automated SOC alerts, Accreditation evidence bundle
    • Which acceptance test scenarios must be included (select all that apply)? Options: Full mission traffic validation, Failover and resiliency drills, Rollback / restoration test, Interoperability with legacy devices, COMSEC provisioning verification, Accreditation evidence capture
    • How should COMSEC and Type 1 installation validation be independently observed and signed off?

    Who Will Carry the Torch When Things Go Sideways?

    • If an installation fails accreditation or a device bricks in cutover, who is ultimately accountable—and is that realistic given cross-organizational dependencies?
    • Which responsibilities must our integrator team own and which will remain with your staff (please list major domains or provide a RACI outline)?
    • How many NSA-certified engineers do you expect on-site during staging and installation, and at what phases? Options: 1–2 during staging, 3–5 during install, 3–5 during staging & install, 6–10 engineers for parallel installs, >10 for rapid multi-site installs, Unsure / want recommendation
    • What procurement lead-times, supply chain, or customs constraints should we plan for explicitly? Options: Encryption device lead times, COMSEC material shipping & receipting, Facility access/clearance timelines, Customs/transport holds, None known, Other (please specify)
    • What escalation path and decision authority will be available during critical windows (names, roles, response SLAs)?
    • What training, documentation, or shadowing do you require to transition sustainment to your team after deployment? Options: Formal runbooks and SOPs, Hands-on shadowing period, Train-the-trainer sessions, Annual refresher training, None / prefer integrator sustainment

    If We Succeed, What Does Day 120 Look Like?

    • Picture the network on day 120—what's different in how people work, what they see, and what they no longer worry about?
    • Which operational handoffs must be complete by day 120? Options: NOC monitoring fully transitioned, COMSEC custody & SOPs transferred, Sustainment SLA established, Change control process operational, Documentation & runbooks delivered, Staff training completed
    • What SLA levels and response times do you expect in steady-state sustainment? Options: 24/7 NOC with 1-hour response, Business hours with 4-hour response, On-call engineers for emergencies, Tiered SLAs by severity, Other (please specify)
    • How should sustainment success be measured at months 3, 6, and 12 (examples: compliance score, uptime, mean time to remediate)?
    • Which governance model do you prefer for post-deployment changes? Options: Joint change advisory board, Host-led change control, Seller-led with host approvals, Automated minor change workflow, Other (describe)
    • What unresolved questions or red flags would stop you from committing to a deployment plan today?
  3. Solution Experience

    Walk through a tailored deployment scenario showing how architecture, COMSEC provisioning, and Type 1 installation deliver required secure connectivity without mission disruption.

    Experience Meetings

    • Current State & Risk Confirmation
    • Tailored Deployment Walkthrough (Architecture → COMSEC → Type 1 Install)
    • COMSEC & Type‑1 Provisioning Operational Plan
    • Interoperability & Failure‑Mode Tabletop
    • Decision & Acceptance Criteria Review
    • Assign owners for each mitigation and rollback action to remove ambiguity in a live event.
    • COMSEC Handling and Custody Overview
    • Establish a validated COMSEC and Type‑1 provisioning timeline with clear custody and staffing commitments.
    • Map each required RMF artifact to an owner and delivery date to avoid accreditation rework.
    • Agree contingency actions to mitigate common provisioning delays or key custody issues.
    • Deliver the COMSEC custody matrix listing custodians, approval authorities, and handling procedures.
    • Confirm and publish the NSA‑certified engineer roster with committed availability windows for provisioning and install.
    • Create an RMF artifact tracker mapping provisioning events to evidence needed for ATO submission.
    • Define Critical Interoperability Points
    • Validate that the deployment plan contains robust mitigations for realistic failure modes and preserves mission continuity.
    • Agree clear test acceptance criteria and escalation paths for interoperability exceptions.
    • One‑Sentence Current State
    • Produce a tabletop report documenting scenarios, root causes, mitigations, and residual risks.
    • Finalize and publish interoperability test scripts and acceptance criteria for field execution.
    • Assign and confirm on-call escalation contacts for the install window with backup coverage.
    • Recap: Current State, Consequence, Future State, and Proof
    • Obtain explicit mutual commitment to proceed with the proposed plan, including milestone dates and responsible owners.
    • Finalize measurable acceptance criteria tied to RMF evidence and ATO milestones so there is no ambiguity at acceptance.
    • Confirm procurement lead times and lock staffing commitments that were presented during the Solution Experience.
    • Produce the Solution Experience Summary (one-page) containing current-state, consequence, future-state, proof highlights, and agreed milestones for signatures.
    • Create a procurement and staffing commitment tracker with delivery dates and named engineer commitments.
    • Schedule the Pre‑Deployment Readiness checkpoint and assign owners for evidence collection prior to fieldwork.
    • Produce one agreed single-sentence current-state that all parties confirm.
    • Surface and quantify the concrete consequences (time, cost, mission risk, accreditation delay) tied to not addressing the problem.
    • Identify the stakeholders whose signoff is required during the Solution Experience and their definition of 'good'.
    • Publish the agreed one-sentence current-state to the shared channel and attach quantified consequence metrics.
    • Produce an initial stakeholder map with names, roles, and success criteria for use in subsequent sessions.
    • Collect and share any pre-read artifacts (network diagrams, accreditation history, recent outages) required for the walkthrough.
    • Identify required hardware/firmware versions and confirm device procurement staging and lead times against the proposed schedule.
    • Future‑State One‑Line Recap
    • Prove, step-by-step, that the proposed deployment achieves the agreed future-state and eliminates the documented consequences.
    • Obtain customer confirmation at each validation checkpoint that the approach meets their operational definition of 'good'.
    • Agree on the primary sequence of activities, cutover windows, and rollback criteria.
    • Produce an annotated deployment runbook showing tasks, owners, durations, and validation checkpoints tied to RMF evidence.
    • Schedule a hands-on staging window and assign the lead NSA‑certified engineer for the staging exercise.
    • Consequence Quantification
    • Tabletop Scenario 1: Cutover with Minimal Disruption
    • Type‑1 Device Staging & Provisioning Timeline
    • Scenario Context & Assumptions
    • Deliverables & Measurable Acceptance Criteria
    • NSA‑Certified Staffing & Roles
    • Stakeholder Impact Map
    • Stepwise Deployment Sequence (Proof)
    • Procurement Lead Times & Staffing Commitments
    • Tabletop Scenario 2: Device Failure During Cutover
    • Milestones, Signoffs, and Mutual Commit
    • Accreditation Evidence Mapping
    • Tabletop Scenario 3: Accreditation Exception / Interop Mismatch
    • Mission Continuity Safeguards
    • Agreement & Validation
    • Agree Test Acceptance Criteria & Escalation
    • Next Steps & Owner Assignment
    • Contingency for Key Material & Chain of Custody
    • Validation Checkpoints & Metrics
    • Forced Validation
    • Customer Q&A and Validation
  4. Solution Scope

    Define deliverables, NSA-certified staffing, cross-domain modules, equipment staging, responsibilities, and measurable acceptance criteria tied to RMF cycles.

    Scope Configuration

    • Install Type-1 Encryptors and Perform Key Injection
    • Deploy and Configure Cross-Domain Guard Appliances
    • Implement VLAN/VRF Segmentation Across Classified Enclaves
    • Apply DISA STIG Hardening to Network Devices and Servers
    • Install and Certify Fiber Optic Links Between Enclaves
    • Install and Configure Core and Edge Switches with QoS
    • Provision Encrypted WAN Circuits and Configure Secure Tunnels
    • Stage and Validate Encryption Firmware, Licenses, and Modules
    • Perform COMSEC Key Custody Transfer and Inventory
    • Execute Interoperability Testing and Resolve Protocol Conflicts
    • Harden and Configure Classified Workstations per STIGs
    • Implement Cross-Domain Transfer Rules and Content Filters
    • Deploy Guarded Remote Access Gateway with MFA

    Scope Questions

    Install Type-1 Encryptors and Perform Key Injection

    • How many Type-1 encryptor units need to be installed? Options: None, 1-5, 6-20, 21-50, 51+
    • Which classification levels must the encryptors support? Options: Unclassified, SBU, Secret, TS/SCI
    • Do you require on-site NSA-certified key injection, or will a controlled remote keying process suffice? Options: On-site injection required, Remote/central keying acceptable, Hybrid (some on-site, some remote)
    • Are the installation locations cleared for Type-1 COMSEC handling and NSA-certified personnel? Options: All locations cleared, Some locations cleared - list will be provided, No locations currently cleared
    • What are the acceptance criteria for successful installation and keying (e.g., OTDR results, crypto self-tests, authorizing official signoff)?
    • What is the target schedule/window for injection and activation (dates or lead time required)? Options: ASAP (within 2 weeks), 1-2 months, 2-4 months, Flexible

    Deploy and Configure Cross-Domain Guard Appliances

    • Which enclaves/domains will the guard connect (list classification pairings)?
    • What throughput and latency requirements must the guard support (GB/s, concurrent sessions)? Options: Low (<100 Mbps), Medium (100 Mbps - 1 Gbps), High (1-10 Gbps), Very High (>10 Gbps)
    • Do you have existing guard appliance models preferred or approved for use? Options: Approved models available, Require vendor recommendation, No preference
    • What policy enforcement capabilities are required (file type filtering, AV scanning, label-based transfer)? Options: File type only, File + metadata, AV/inspection + DLP, Label/marking-based
    • Are there accreditation or ST&E requirements the guard must pass prior to go-live? Options: Yes - ATO/RMF milestones defined, No formal ST&E required, Unknown / need to define
    • Who is the authorizing official or accreditation POC for guard acceptance testing?

    Implement VLAN/VRF Segmentation Across Classified Enclaves

    • How many enclaves and unique VLAN/VRF domains need segmentation? Options: 1-3, 4-10, 11-25, 26+
    • What are the logical separation requirements (east-west isolation, management VLANs, shared services)? Options: Strict isolation, Shared services allowed with controls, Mixed
    • Are there existing VLAN/VRF configurations to map or migrate? Options: Yes - documentation available, Yes - but undocumented, No, greenfield
    • Do you require automated enforcement (SDN/ACL automation) or manual ACL implementation? Options: Automated (SDN/Controller), Manual (ACLs/port configs), Hybrid
    • What acceptance tests will validate segmentation (traffic isolation tests, penetration tests, RMF evidence)?
    • List any legacy systems or OT devices that cannot be segmented conventionally and require exceptions.

    Apply DISA STIG Hardening to Network Devices and Servers

    • Which device types need STIG hardening (routers, switches, firewalls, servers, workstations)? Options: Routers, Switches, Firewalls, Servers, Workstations, Other
    • Do you already have STIG baselines or a hardening checklist to apply? Options: Yes - baseline available, No - require baseline creation, Partial baseline available
    • Are there maintenance windows or change control constraints for applying STIGs? Options: Night/weekend windows available, Limited windows - must coordinate, No scheduled windows - requires planning
    • Do you require automated SCAP/ACAS scanning and remediation reporting as part of the scope? Options: Yes - automated scanning required, No - manual validation only, Prefer automated with manual signoff
    • What level of evidence is required for RMF packages (STIG checklists, DISA reports, remediation plans)? Options: Full STIG checklists, Summary remediation report, Both
    • Are any devices running vendor software versions incompatible with current STIGs and require upgrades? Options: Yes - upgrades needed, No, Unknown - need assessment

    Install and Certify Fiber Optic Links Between Enclaves

    • How many fiber runs and what distances separate the endpoints? Options: Less than 100m, 100m-1km, 1km-10km, 10km+
    • Is dedicated, physically secured conduit available for fiber staging and installation? Options: Yes, Partial - some conduit, No
    • Do you require OTDR, end-to-end certification, and acceptance certificates as deliverables? Options: Yes - full certification, Basic continuity only, Other (specify)
    • Are there environmental or EMCON constraints affecting routing or equipment placement? Options: Yes - constraints exist, No, Unknown
    • Will fiber termination include secure enclosures and tamper-detection requirements? Options: Yes - tamper detection required, No, Discuss options
    • What acceptance criteria constitute a certified link (loss budget, OTDR splice loss, MSA test results)?

    Install and Configure Core and Edge Switches with QoS

    • How many core and edge switches are in scope for installation/configuration? Options: 1-5, 6-20, 21-50, 51+
    • What QoS policies are required (voice priority, video, mission-critical application classes)? Options: Voice + Video, Video only, Application-based classes, Custom QoS policies
    • Do switches require FIPS-compliant management, TACACS+/RBAC, and audited syslog forwarding? Options: All required, Some required, Not required
    • Are there chassis/module compatibility or license constraints to consider? Options: Yes - constraints exist, No, Unknown - need inventory
    • Will you require staged configuration templates and a rollback/test plan before production cutover? Options: Yes - staged templates required, No - direct config, Prefer staged with approval
    • What performance validation tests will be used to verify QoS (traffic generators, MOS scores, jitter/latency metrics)?

    Provision Encrypted WAN Circuits and Configure Secure Tunnels

    • Which WAN circuit types and providers are in scope (MPLS, DIA, satellite, tactical radios)? Options: MPLS, DIA, Satellite, Tactical RF, Other
    • What encryption endpoints and tunnel types are required (IPsec, GRE over IPsec, MACsec, TLS)? Options: IPsec, GRE/IPsec, MACsec, TLS/DTLS, Other
    • Are service provider demarcation points and ordering lead times already confirmed? Options: Yes - confirmed, Pending provider coordination, No - need procurement help
    • Do circuits require FIPS-certified crypto endpoints or Type-1 termination? Options: FIPS-certified required, Type-1 required, Commercial-grade acceptable
    • What acceptance tests and KPIs will validate the encrypted circuit (throughput, failover, MTTR)?
    • Is there an expected cutover window or zero-downtime requirement for WAN migration? Options: Zero-downtime required, Planned downtime acceptable, Flexible

    Stage and Validate Encryption Firmware, Licenses, and Modules

    • Do you require pre-staging of firmware and license keys in a controlled environment before field deployment? Options: Yes - full pre-stage, Partial pre-stage, No - stage onsite
    • Which firmware versions and module types are approved for use?
    • Are license counts and entitlements already purchased and documented? Options: Yes - all purchased, Partially purchased, No - need procurement
    • Will staged units require firmware hardening or custom images for accreditation? Options: Yes - custom/hardened images, No - standard images, TBD
    • What validation tests should be executed during staging (crypto self-test, interoperability matrix, regression tests)?
    • Who owns firmware change control and who must approve firmware versions for production?

    Perform COMSEC Key Custody Transfer and Inventory

    • How many key packets or COMSEC items must be transferred and inventoried? Options: Small (1-50), Medium (51-250), Large (251-1000), Very Large (1000+)
    • Are receiving sites accredited COMSEC custodian facilities with approved storage and handling procedures? Options: Yes - all sites compliant, Some sites compliant, No - need to provision storage
    • Do transfers require escorted movement, SCIF-to-SCIF handoff, or logged chain-of-custody forms? Options: Escorted/SCIF handoff, Logged chain-of-custody, Standard sealed shipment
    • Will inventory reconciliation be electronic (KMI/CKM) or manual paper inventory? Options: Electronic KMI/CKM, Manual inventory, Hybrid
    • What acceptance criteria define a successful custody transfer (signed receipts, audit trail, inventory match)?
    • Who are the authorized COMSEC custodians and what are their clearance levels?

    Execute Interoperability Testing and Resolve Protocol Conflicts

    • Which vendors and device models must be tested for interoperability?
    • What protocols and versions are in-scope (BGP, OSPF, EIGRP, STP variants, SNMP versions)?
    • Do you have an existing interoperability matrix or test plan, or do you need one developed? Options: Matrix exists, Need development, Partial matrix
    • What are the criteria and escalation path for resolving protocol conflicts (workarounds, firmware changes, vendor fixes)?
    • Are lab or emulation environments available for pre-deployment interoperability testing? Options: Full lab available, Limited lab, No lab - testing onsite
    • What pass/fail metrics will be used (session stability, failover behavior, performance under load)?
  5. Mutual Commit

    Finalize terms, procurement lead times, ATO milestones, staffing commitments, and remediation responsibilities to lock the plan.

    Agreement Modules

    • Statement of Work (SOW)
    • Master Services Agreement (MSA)
    • Pricing & Payment Schedule
    • Procurement & Lead-Time Acknowledgement
    • ATO Milestone Plan
    • Staffing & NSA-Certified Personnel Commitment
    • COMSEC Handling & Type 1 Installation Plan
    • Equipment Staging & Logistics Plan
    • Change Order & Scope Adjustment Protocol
    • Acceptance Criteria & RMF Evidence Checklist
    • Remediation & Residual Risk Agreement
    • Facility Access & Clearance Confirmation
    • Governance, Reporting & Escalation Plan
    • Transition to Sustainment & Warranty Terms
    • Contract Signature / Purchase Order
  6. Deployment

    Operationalize rollout with readiness checks, enablement, and outcome validation.

    1. Pre-Deployment Readiness

      Verify facility clearances, COMSEC handling plans, staging inventories, access windows, and test environments before fieldwork.

      Readiness Questions

      Quick Read: Where We Stand Right Now

      • In one sentence, how would you describe your program’s current readiness for a classified deployment?
      • What is your target window for fieldwork to begin? Options: Within 30 days, 31–60 days, 61–90 days, 3–6 months, 6+ months, No firm date
      • Which of these is the primary driver for this deployment right now? Options: ATO/Accreditation deadline, Facility standup, Bandwidth/modernization need, Zero Trust mandate, Interoperability need, Other
      • Who is the single point of contact we should coordinate pre-deployment logistics with (name, role, phone/email)?
      • If you had to rank confidence in starting fieldwork as of today, where would you put it? Options: Very confident, Somewhat confident, Neutral, Concerned, Not ready

      What Keeps You Awake at Night About the Field Work?

      • If one thing goes wrong on day one of fieldwork and it causes a mission delay, what would that one thing most likely be?
      • How often have past deployments on similar programs encountered schedule slips due to access or clearance issues? Options: Almost always, Often, Sometimes, Rarely, Never
      • Tell us about a previous deployment hiccup that still influences how you plan today—what happened and what was the downstream impact?
      • Which outcome worries you more emotionally: mission downtime during cutover, failing accreditation tests, or not having enough certified staff on-site? Explain. Options: Mission downtime, Failed accreditation, Insufficient certified staff, Other
      • How long can the mission tolerate a deployment-related outage before leadership escalates? Options: Minutes, Hours, A day, Multiple days, Cannot tolerate any outage

      Who Has the Keys—and Will They Be There?

      • Do the facilities where work will occur already have the required personnel clearances and facility accreditation levels? Options: All required clearances present, Some personnel lack clearances, Facility accreditation pending, Facility lacks required accreditation, Unsure
      • Who controls physical and logical access during installation (e.g., facility security officer, base operations, contractor escort)? List roles and names where possible.
      • Are there scheduled access windows or blackout periods we must plan around (e.g., exercises, holidays, blackout dates)? Options: Yes—specific dates known, Yes—recurring windows, No, Unsure
      • What escorting or badging requirements will our engineers need to meet before entry (e.g., escorted access only, inbound visitor badges, COMSEC room clearance)? Options: Unescorted access allowed, Escorted access required, Special badges required, COMSEC room clearance required, Other
      • Describe any previous delays caused by access or escort logistics and what solved them.

      COMSEC and Cryptographic Material: Are We Really Ready?

      • If our COMSEC chain is even one link short on day zero, how quickly can you escalate and resolve it—hours, days, or weeks? Options: Within hours, 1–2 days, 3–7 days, Weeks, No process in place
      • List who is currently authorized as COMSEC custodians and whether custody transfer procedures are documented and practiced.
      • Which categories of cryptographic material will we need to stage (Type 1 keys, key encryption keys, device fills, or tokens)? Options: Type 1 keys, Key encryption keys, Device fills, Tokens/Smartcards, Other
      • Have you previously experienced delays due to COMSEC handling or courier limitations? If so, how was it mitigated?
      • How comfortable are your custodians with rapid in-field keying events and the associated recordkeeping? Options: Very comfortable, Somewhat comfortable, Limited experience, Not comfortable

      Staging, Inventory, and Logistics: Can Your Chain Handle It?

      • If staging is delayed by 2–4 weeks due to supply or shipping issues, which components would cause the biggest program impact? Options: Encryption devices, Cross-domain modules, Cabling/racks, Power/environment equipment, Sustainment spares, Other
      • Do you currently have an updated bill of materials (BOM) with serials, firmware versions, and vendor part numbers for every device to be staged? Options: Yes, complete and current, Partially complete, No, Unsure
      • Where will staging occur (on-site secure facility, vendor staging yard, other government facility), and what physical security controls are in place there? Options: On-site secure facility, Vendor secure staging, Other government facility, Offsite commercial staging
      • Tell us about your inventory reconciliation cadence—how often do you verify serials, bin counts, and firmware baselines before shipping to the field? Options: Daily, Weekly, Before each shipment, Ad hoc, None
      • What are the top three logistics failure modes you want us to plan contingencies for?

      Test Grounds and Fail-Safes: Where Will We Break Things First?

      • Why would running without a field test environment be risky for this deployment?
      • What type of test environment can you provide before fieldwork—lab with representative enclave, emulated network, or on-site sandbox? Options: Full lab with representative enclave, Emulated/test harness, On-site sandbox, Limited bench testing, None available
      • Which interoperability tests are mandatory to pass prior to installing in the production enclave? Options: Encryption interoperability, Cross-domain transfer tests, Routing and peering, COMSEC provisioning, Performance/load testing, Other
      • How do you prefer we handle test failures that require a design change—immediate stop to redesign or continue with mitigations and patch later? Options: Stop and redesign, Continue with mitigations and patch later, Case-by-case with AO input, Other
      • Describe the last time a test uncovered an interoperability exception and how that was resolved operationally and politically.

      People and Teams: Do We Have the Right Hands-on-Deck?

      • If we needed to put NSA-certified engineers on site tomorrow, how many are cleared and available from your side for the initial 30 days? Options: All required available, Partially available, None available, Unknown—we need to check
      • List the roles you expect to have on-site during fieldwork (e.g., NSA-certified crypto engineers, network engineers, facility security, AO representative) and who fills them today.
      • How disruptive would it be to pull mission staff into installation activities if contractor staffing falls short (minor, moderate, major impact)? Options: Minor, Moderate, Major, Not possible
      • What training or ramp-up do your in-house engineers typically need before they can safely support Type 1 installations? Options: None—already trained, Short refresher (days), Multi-week training, Formal certification required, Unsure
      • Are there union, labor, or site-specific constraints that affect contractor hours, overtime, or after-hours work? Options: Yes—significant constraints, Yes—minor constraints, No constraints, Unsure

      If the Plan Slips: What’s Our Real Backup?

      • When timelines slip, what contingency has historically preserved mission continuity (e.g., temporary bridging, phased cutover, fall-back circuits)? Options: Temporary bridging, Phased cutover, Fallback circuits, Manual procedures, No contingency
      • How quickly can your program activate a fall-back plan if an accreditation test fails at final validation? Options: Same day, 1–3 days, 1 week, Multiple weeks, No fall-back
      • What operational compromises are acceptable during remediation (reduced bandwidth, scheduled windows only, degraded cross-domain capability)? Options: Reduced bandwidth, Scheduled windows, Degraded functionality allowed, No compromises allowed, Other
      • Who must sign off to trigger the contingency plan and how reachable are they during field operations? Options: Program director, Authorizing Official, Facility commander, Operations lead, Other
      • Describe a contingency activation you ran before—what worked, what failed, and what you would change next time?

      Signoffs, Evidence, and the Path to Green

      • What is the minimal set of RMF evidence and accreditation artifacts your AO will require at final validation to accept the deployment? Options: POA&M closed items, Test reports, COMSEC logs, Configuration baselines, Other
      • Who is the Authorizing Official (AO) or AO’s representative we should engage early, and how do they prefer evidence presented?
      • Have you ever had an AO reject acceptance because evidence format or traceability was insufficient? What was missing? Options: Yes—format issues, Yes—traceability issues, Yes—content gaps, No
      • Would you prefer our team pre-package accreditation folders for review (recommended), or to provide raw artifacts for your integration? Options: Pre-packaged folders, Raw artifacts, Hybrid—pre-package major items, Unsure
      • What would success look like to your leadership at handover, in one short sentence?
    2. Deployment Enablement

      Schedule installs, assign NSA-certified engineers, sequence encryption device provisioning, and coordinate interoperability testing.

    3. Validation Checklist

      Execute accreditation acceptance tests, capture RMF evidence, resolve interoperability exceptions, and obtain authorizing official signoff.

      Validation Questions

      Quick Intro — What Brought You Here Today?

      • What's the primary trigger prompting you to explore secure network modernization right now? Options: Aging infrastructure, Zero Trust mandate / CIO deadline, New facility standup, Performance for intelligence/video workloads, Recent security incident, Other
      • Which program or mission does this modernization support (name or short description)?
      • What is your decision timeframe to have a deployed, accredited capability? Options: <= 3 months, 3–6 months, 6–9 months, 9–12 months, More than 12 months, Undetermined
      • Who would you like to have in the room for an initial technical intake (roles, names or offices)?
      • On a scale from 1–5, how urgent does this program feel to your leadership (1 = advisory, 5 = mission-critical with deadline)? Options: 1, 2, 3, 4, 5

      Are You Comfortable Betting the Mission on 'Good Enough'?

      • If a modernization hiccup interrupted classified communications for 24–72 hours, what would happen to mission operations? Options: Operations stop entirely, Severe degradation, mission at risk, Manageable degradation with workarounds, Minor impact, Don't know
      • Can you describe a recent outage, failure mode, or near-miss that affected secure connectivity and what the immediate impact was?
      • Which workloads or systems are most sensitive to connectivity loss (select all that apply)? Options: Intelligence data feeds, Video teleconferencing, Cross-domain transfers, Command and control, Logistics/ERP, Other
      • How long could the mission continue without classified connectivity before unacceptable risk occurs? Options: < 4 hours, 4–24 hours, 24–72 hours, > 72 hours, Unknown
      • How worried are you—emotionally—about the risk of disruption during modernization efforts? Options: Not worried, Somewhat concerned, Very concerned, Extremely anxious

      Show Me Your Map — Where Does the Network Hurt?

      • Where in your current topology are data flows most likely to break mission continuity right now? Options: Edge/transport layer, Enclave boundaries / cross-domain, Encryption device provisioning, Core routing / datacenter, Satellite / tactical links, Other
      • Do you have up-to-date network diagrams and enclave boundary definitions that reflect current state? Options: Fully up-to-date, Partially updated, Outdated, No diagrams available
      • List the classification enclaves involved and any known accreditation gaps for each (e.g., CUI, Secret, Top Secret, Cross Domain).
      • Who currently manages COMSEC custody and Type 1 provisioning for these enclaves? Options: Internal COMSEC custodian, Contractor with authorization, No formal custodian, Don't know
      • How frequently have interoperability tests between encryption devices or CDS components failed in the last 12 months? Options: Never, Rarely (1–2 times), Occasionally (3–5 times), Frequently (6+ times), Not tracked

      What’s at Stake — How Bad Would It Be if This Fails?

      • If accreditation stalls and your ATO timeline slips, what are the programmatic consequences? Options: Mission delay, Funding reprogramming, Operational risk to forces, Contractual penalties, Other
      • Have prior accreditation reviews required remediation that extended schedules? Tell us about the worst example.
      • Who is the Authorizing Official (AO) or equivalent decision authority, and what outcomes will satisfy them?
      • What specific accreditation evidence has been most difficult to produce or defend in past RMF cycles? Options: System Security Plan (SSP), Interoperability test logs, COMSEC handling plans, Continuous monitoring evidence, Other
      • How does the possibility of mission disruption make you feel when you brief leadership?

      If Accreditation Couldn’t Be Your Bottleneck, What Would You Deliver?

      • Imagine accreditation is guaranteed—what measurable connectivity outcomes would you expect at handoff? Options: ATO in first RMF cycle, Zero unresolved interop exceptions, Full Type 1 crypto installed, End-to-end latency/SLA targets met, Other
      • What are the target bandwidth, latency, and availability SLAs required for the mission?
      • Which Zero Trust capabilities are non-negotiable for your program (select all that apply)? Options: Microsegmentation, Device authentication, Least-privilege access, Continuous monitoring, Data-centric encryption, Other
      • What objective success signals will you present to your AO to demonstrate mission readiness?
      • Is there a hard accreditation deadline set by leadership or external policy that cannot be moved? Options: Yes, a fixed date, Yes, a target window, No specific date, Undetermined

      Who Are the Real Decision-Makers (and Hidden Gatekeepers)?

      • Who in your organization can singlehandedly delay or accelerate accreditation, procurement, or access? Options: CIO/Director, Authorizing Official, Contracting Officer, ISSO/CISO, Facility Security Officer, Other
      • For each stakeholder you selected, what does 'good' look like to them and how do their priorities differ?
      • Are there external stakeholders (e.g., combatant commands, IL2/IL3 authorities) who must be aligned? If so, who?
      • How do political, budgetary, or calendar constraints (e.g., end of fiscal year, deployment windows) affect your timeline?
      • What is your preferred escalation path and cadence when decisions stall? Options: Weekly leadership sync, Direct AO engagement, Program office escalation, Contracting officer notification, Other

      Where Have Attempts to Modernize Fallen Short?

      • What previous modernization efforts delivered the worst surprises, and why did those surprises happen?
      • Which vendors or approaches have you tried, and what specifically did you ask them to fix that wasn’t resolved?
      • Which failure modes caused the longest remediation cycles (documentation gaps, device interop, COMSEC mishandling, staffing shortages, procurement delays)? Options: Documentation gaps, Device interop, COMSEC mishandling, Staffing shortages, Procurement delays, Other
      • How long did remediation take in your worst-case example, and what blocked progress most of the time?
      • What would have changed your confidence in that past effort—better staffing, clearer acceptance criteria, earlier COMSEC staging, or something else? Options: More certified engineers, Clearer acceptance criteria, Earlier COMSEC staging, Stronger program governance, Other

      Who’s Going to Touch the Boxes — Are They Ready?

      • Do you have assured access to cleared, NSA-certified engineers when the schedule is critical? Options: Yes, internal team, Yes, contractor partners, Limited availability, No assured access
      • How many NSA-certified engineers (or equivalent) are available to support installation and Type 1 provisioning when needed? Options: 0, 1–2, 3–5, 6–10, 10+
      • What is the current status of facility clearances and COMSEC handling authorizations at target sites? Options: Fully cleared for COMSEC, Partial clearance, pending actions, Not cleared, Unknown
      • What access windows, staging constraints, or installation blackout periods should we plan around?
      • If certified engineers become unavailable, what contingency options exist (alternate contractors, delayed install, phased approach)?

      What Would a Smooth Deployment Feel Like in the First 30–90 Days?

      • If deployment goes flawlessly, what will you observe on day 1, week 4, and day 90?
      • Which acceptance tests and RMF evidence items must be completed for the AO to sign off? Options: Functional interoperability tests, COMSEC inventory and handling logs, SSP and POA&M review, RMF assessment report, Continuous monitoring baselines, Other
      • How many interoperability exceptions are acceptable at handover, and how will they be prioritized for remediation? Options: None acceptable, 1–2 minor exceptions, Several acceptable with remediation plan, Undetermined
      • What training or sustainment handover will your operations team need to take responsibility after deployment? Options: Formal training sessions, Handbook + runbooks, Shadow ops with vendor, Ongoing managed services, Other
      • How would you prefer ongoing support and compliance responsibilities be divided between your team and a vendor?

      What Keeps You Up at Night in the Final 72 Hours?

      • What's the single biggest last-minute surprise that has derailed previous installs? Options: Missing COMSEC inventory, Failed interoperability test, Site access denied, Equipment delays, Staffing no-shows, Other
      • What pre-deployment checks do you wish had been done earlier to avoid that surprise?
      • Do you maintain a formal staging inventory and chain-of-custody process for COMSEC and cryptographic equipment? Options: Yes, mature process, Partial process, Ad-hoc, No
      • Who is authorized to approve last-minute changes to installation sequencing or access permissions?
      • If we identified a showstopper 48 hours before install, what is your preferred mitigation path? Options: Delay with contingency plan, Proceed with risk acceptance, Scale down scope, Escalate to AO immediately, Other

      Agreeing Small Next Steps — How Do We Make This Real?

      • If we don't lock a next step now, what is the realistic chance this program slips beyond your deadline? Options: High chance of slip, Moderate chance, Low chance, Uncertain
      • What is the most useful immediate next step from your perspective: technical architecture assessment, COMSEC staging plan, procurement lead-time review, or a stakeholder alignment workshop? Options: Technical architecture assessment, COMSEC staging plan, Procurement lead-time review, Stakeholder alignment workshop, Other
      • Who must approve any follow-up activity and who should receive an executive summary after the next engagement?
      • What documents or artifacts can you share before the next meeting to accelerate discovery (network diagram, SSP, COMSEC manifest, procurement timelines)? Options: Network diagram, SSP, COMSEC manifest, Procurement timelines, None available yet
      • When would you be available for a focused 90-minute technical intake with your technical leads and AO representation? Options: Within 1 week, 1–2 weeks, 2–4 weeks, More than 4 weeks, Undetermined
  7. Success

    Confirm operational outcomes, transition to sustainment, and maintain a shared channel for issues, enhancements, and ongoing compliance.

    Success Reviews

    • Operational Acceptance & Handoff Review
    • Sustainment & Support Playbook Workshop
    • Compliance, RMF & Accreditation Maintenance Sync
    • Issues, Enhancements & Shared Channel Setup
    • Lessons Learned & QBR Cadence Planning

    Issues & Enhancements

    • Populate an initial enhancement backlog and schedule a recurring triage cadence.
    • RMF Calendar & Key Deadlines
    • Set a documented RMF cadence with owners for each evidence artifact.
    • Establish a POA&M process with SLA targets and accountable owners.
    • Agree automation opportunities to reduce manual evidence collection and minimize rework.
    • Map evidence artifacts to named owners and automate collection where possible.
    • Create the POA&M tracking board and assign remediation SLAs.
    • Publish patching/STIG schedule aligned to maintenance windows and notify stakeholders.
    • Define Shared Channel & Access Model
    • Stand up a shared, access-controlled channel and ticketing workflow for incidents and enhancements.
    • Agree incident severity definitions, SLAs, and escalation owners.
    • Introductions & Objectives
    • Create and configure the shared channel and ticketing workflows with appropriate access controls.
    • Document severity matrix and publish on the channel; assign on-call rotations.
    • Import initial enhancement requests into backlog and schedule first prioritization meeting.
    • Project Recap & Key Outcomes
    • Produce a concise lessons learned report with assigned improvement actions.
    • Agree on a set of KPIs and QBR cadence to monitor operational health and compliance.
    • Publish an initial 90-day improvement roadmap and owner assignments.
    • Draft and distribute the lessons learned report with owners and deadlines for improvement items.
    • Define KPI dashboards and assign owners for ongoing reporting.
    • Schedule recurring QBR meetings and distribute the standard agenda and invite list.
    • Secure Authorizing Official formal acceptance or a timebound remediation plan that results in acceptance.
    • Confirm the exact cutover date and scope for transition to sustainment operations.
    • Ensure all accreditation evidence is handed to sustainment and compliance owners.
    • Obtain AO signature or documented approval and archive acceptance artifacts.
    • Deliver finalized accreditation/evidence package to sustainment team and ATO owner.
    • Publish transition schedule with agreed checkpoints and remediation milestones.
    • Current Support Model Recap
    • Produce a signed sustainment playbook covering roles, SLAs, maintenance cadence, and COMSEC procedures.
    • Confirm sustainment staffing roster and NSA-certified coverage for planned windows and emergency installs.
    • Schedule training/shadowing milestones to ensure knowledge transfer to sustainment staff.
    • Finalize and distribute the sustainment playbook with RACI and SLAs.
    • Provide clearance and certification roster for sustainment engineers and schedule shadowing.
    • Provision and document spare kit inventory and staging plan.
    • Incident Triage & Severity Matrix
    • Evidence Collection & Automation
    • Roles, RACI & Staffing Coverage
    • Acceptance Criteria Review
    • Lessons Learned: What Worked / What to Improve
    • Enhancement Request Lifecycle
    • Evidence Package & AO Findings
    • POA&M Lifecycle & Remediation SLAs
    • SLA, MTTR & Maintenance Window Definitions
    • KPI Definition & Targets
    • Patch & STIG Compliance Process
    • Reporting, Dashboards & Notifications
    • QBR Format, Cadence & Stakeholders
    • COMSEC Custody & Type 1 Device Handling
    • Open Exceptions & Remediation Plan
    • Signoff, Handoff Date & Next Steps
    • Inventory, Spare Kits & Lifecycle Management
    • Access & COMSEC Data Handling Rules
    • Roadmap & Improvement Backlog
    • ATO Change Triggers & Notification Process
    • Training, Runbook Walkthrough & Onboarding Plan
First-Party AI

1-2 minutes please — Your AI agent is working

First-Party AI™ can make mistakes. Always check important information.