Methodology

How we work, in five principles.

The frameworks and commitments that shape every engagement. Negotiable on none.

Section I · Principles

Compliance work rewards discipline more than ingenuity. Most CMMC engagements fail not because the technical or analytical work was wrong, but because the engagement structure created perverse incentives for everyone involved. Our methodology is designed around five commitments that we believe make compliance work more useful for clients and more honest for us.

Principle I : Fixed scope, fixed fee.

Every engagement we offer is priced and scoped in writing before it begins. The deliverable, the timeline, and the cost are defined. We do not bill hourly during the engagement; we do not pass through “additional discovery” charges; we do not retain advantage from open-ended scope.

The discipline this imposes on us is real: if we underestimate, we absorb the cost. The discipline it gives clients is also real: there is a defined endpoint to every engagement and you know what it costs before you commit.

Principle II : A narrow practice.

We consult on CMMC and NIST 800-171. We do not consult outside this domain. We do not sell software, run managed security operations, build websites, or take referral fees from cloud providers. The discipline of a narrow practice is the foundation of useful expertise, and the absence of that discipline is the root of most generic compliance consulting.

Principle III : Separation of remediation and assessment.

Once we are an authorized C3PAO, we will not assess organizations we have substantially remediated. The Cyber AB’s rules establish a baseline; our practice goes further. The conflict of interest is structural, not theoretical, and treating it as such is the only way the broader CMMC ecosystem maintains integrity.

We will tell you, before any engagement begins, whether that engagement creates a conflict that would prevent us from later being your assessor. You will then know what you are choosing.

Principle IV : Published methodology.

The frameworks, checklists, decision matrices, and assessment objectives we use are documented and shared with clients during the engagement. There is no proprietary black box. Our methodology is publishable because it is built on the DoD’s own assessment guidance, NIST’s control specifications, and the Cyber AB’s assessor objectives. The value we add is judgment in applying those frameworks, not the frameworks themselves.

This commitment limits our ability to package methodology as proprietary intellectual property. It also limits the rate at which we can be undercut by less rigorous competitors. We accept the trade-off.

Principle V : Honest scoping.

The most useful consultant is the one willing to recommend silence over engagement when silence is right. If your contracts do not require CMMC, we will say so. If a free resource would serve you better than a paid engagement, we will point you to it. If our capabilities are not the right fit for your situation, we will name a competitor we believe would be a better partner.

We borrow these principles from the auditors who taught us, the engineers who keep us honest, and the contractors who pay us to be specific.

If you would like to read the methodology applied in a specific engagement, our published service pages describe the deliverables and process for each.

Begin the conversation

Your contract eligibility is on a clock. Let’s get to work.

A 30-minute scoping call with a senior consultant. No pitch. We listen, scope honestly, and tell you what we’d do — including whether we are the right fit.