Health, Education & Government Government & Public Sector Defense Systems & Programs

Command, Control & Intelligence Systems

Multi-agency, multi-stakeholder programs where procurement, compliance, and mission alignment determine success.

Lockheed Martin Northrop Grumman L3Harris CACI International
Inside this journey
  1. Pre-Discovery

    Align the room on outcomes, decision process, and constraints before deeper discovery.

    1. Stakeholder Alignment

      Confirm decision roles, funding profile, timeline, and program-level success criteria.

      Alignment Questions

      Quick introductions — who should we be talking to first?

      • Which people and roles on your team should we know by name and title for this program? (select all that apply) Options: Program Manager / PEO, Deputy PM / PMO Lead, Systems Engineer / Lead Architect, Acquisition Officer / Contracting Officer, Cybersecurity / RMF Lead, Test & Evaluation Lead, Logistics / Fielding Lead, Foreign Liaison / Partner Rep, Other — will specify next
      • If you selected 'Other' above, list the names, titles, and best contact approach for those people.
      • What is the program name, current milestone or phase, and the top-line objective you are being held accountable for?
      • How is this effort funded today and through the next 18–36 months? Options: Congressional O&M, RDT&E, Procurement (APN), Foreign Military Sales, Other/Hybrid
      • What contract vehicle or acquisition pathway is in use or planned (e.g., IDIQ, OTA, GSA, FMS)? Options: IDIQ / BPA, OTA, Firm-Fixed-Price (FFP), Cost-Plus / CPIF, FMS Case, Not decided / planning stage

      If this program missed its next milestone, what would keep you up at night?

      • Which specific mission effects would degrade first if the program fell behind (select up to three)? Options: Commanders lose situational awareness, Intelligence gaps / delayed threat detection, Communications blackout / degraded C2, Loss of secure data sharing with partners, Regulatory or congressional scrutiny, Other
      • Tell us about a recent incident or exercise where existing capabilities failed to meet operational needs—what happened and why did it matter?
      • How often do these capability shortfalls occur today? Options: Daily, Weekly, Monthly, Rarely, Unknown
      • How do these failures typically show up to senior leadership or oversight bodies (data, stories, metrics)?

      Where does your architecture actually break under real mission pressure?

      • Which systems are core to the mission picture today (select all that apply)? Options: Tactical radios / comms, Sensor feeds (EO/IR, radar), Mission planning workstations, Data fusion / correlation engines, SATCOM / relay, Cross-domain solutions, Legacy C2 systems, Other — specify
      • Describe the most persistent interoperability gap between those systems—what data or capability can't you share reliably?
      • What are the common failure modes you see during integration or live events (e.g., latency, data loss, auth failures, encryption incompatibilities)? Options: High latency / jitter, Packet loss / data drop, Authentication/authorization mismatches, Protocol mismatch / translators missing, Accreditation prevents connectivity, Other
      • Which of these gaps do you believe are caused by policy or accreditation limits rather than pure technical constraints? Options: Mostly policy/accreditation, Mostly technical, Even mix of both, Unsure — need assessment
      • Can you point to a plugin, gateway, or adapter that has been tried and did not deliver—what was the main reason it failed?

      Who really signs off when things go wrong—and who will sign for success?

      • Who holds the formal acceptance authority for this capability (select one)? Options: Program Executive Officer (PEO), Service Acquisition Executive (SAE), Component Commander / Authority to Operate (ATO) Holder, Test & Evaluation Approval Authority, Other / Multiple
      • Beyond formal signatories, which informal influencers can block or accelerate acceptance (committees, sponsor offices, partner nations)?
      • How fixed or flexible is your funding profile across the next two fiscal years? Options: Firmly fixed to milestones, Some flexibility within accounts, Contingent on congressional approval, Unclear / shifting
      • What timeline pressure points are non-negotiable (e.g., fielding windows, exercises, congressional reporting)? Please list dates and consequences if missed.
      • When trade-offs are required, who decides which requirements are relaxed (e.g., the PMO, user reps, contracting officer)? Options: PMO / Program Manager, User Community / Operational Sponsor, Acquisition / Contracting, Higher HQ / PEO, Other

      What would mission success actually feel like to the operators on day one?

      • List 3–5 measurable signs you would accept as evidence of operational success (e.g., % target coverage, latency thresholds, time-to-decision reductions).
      • Which of these outcomes is the single highest-priority metric for leadership (select one)? Options: Situational awareness completeness (%), Detection-to-action time (minutes), Interoperability uptime (%), Accreditation / ATO achieved, Mission task success rate
      • How do you currently validate those metrics—real exercises, synthetic tests, red-team, or operational feedback loops? Options: Live exercises, Hardware-in-the-loop tests, Tabletop / wargames, User feedback / after-action reports, Automated telemetry
      • What constraints (policy, funding, personnel clearance) would force you to lower your success bar?
      • If we had to deliver an initial capability that proved value quickly, what small but decisive change would demonstrate that value within 90 days?

      What’s actually standing between you and a clean accreditation path?

      • What is the current RMF/J-AB or equivalent status for this program (select one)? Options: Not initiated, In progress (SSP/POA&M drafted), Security Control Assessment underway, ATO granted for limited enclaves, ATO granted for full operational capability
      • List any outstanding POA&Ms, high-risk controls, or formal cybersecurity blockers that must be closed before fielding.
      • Who owns the RMF artifacts and accreditation submissions today (select one)? Options: Contractor (prime/sub), PMO / Program Office, Component Cybersecurity Office, Combined team, Not yet assigned
      • Have you attempted cross-domain or enclave transfers before? If so, what policy or technical hurdle proved decisive?
      • What level of system and personnel clearance will be required for integration and test events at your sites? Options: TS/SCI, Secret Releasable, Secret, Confidential, Unclassified with JA

      If we were honest, what single thing would make the project deliverable on schedule?

      • What are the top three dependencies that must be resolved before a first successful fielding (select up to three)? Options: Cleared personnel availability, Test environment access, Network enclave / ATO, Interoperability interface specs, Hardware procurement lead times, Funding release
      • Describe any known integration windows, factory test slots, or site access constraints that would shape sequencing.
      • Who will be the onsite owners and point-of-contact during installation and acceptance testing?
      • What fallback or mitigation plan is acceptable if a dependency slips (e.g., phased roll, degraded mode, temporary gateway)? Options: Phased capability delivery, Use of temporary gateway, Alternate test environment, Scope-reduction with later backfill, Other
      • How would you prefer we report progress and risk—weekly dashboards, technical deep-dives, executive summaries, or a combination? Options: Weekly dashboards, Bi-weekly technical deep-dive, Monthly executive summary, Real-time portal access, Combination

      What do you need from us to decide to move forward in the next 30 days?

      • Which immediate deliverable would be most persuasive right now (select one)? Options: Detailed gap analysis with recommendations, Proof-of-concept or lab demo, Preliminary schedule and cost estimate, Accreditation impact assessment, Reference visits with similar programs
      • Which documents or artifacts should we prepare and share first (select all that apply)? Options: System architecture diagram, Preliminary SSP outline, Integration interface control document (ICD), Initial POA&M draft, Test plan / success criteria, Other
      • What would constitute a 'no-go' from your side—conditions that would stop this effort before it starts?
      • How quickly can you assemble the stakeholders we listed earlier for a focused 90-minute alignment session? Options: Within 1 week, 2 weeks, Within a month, Longer / uncertain
      • Who should receive a brief executive one-pager summarizing risks, trade-offs, and the recommended next step after our discovery?
    2. Current State Mapping

      Document existing architectures, interoperability gaps, accreditation posture, and operational failure modes.

      Current State

      Start with the Big Picture: How Your System Runs Today

      • Who are the primary users, teams, and physical locations relying on this system right now? Options: Tactical units, Operational HQ, Strategic command, Coalition/allied partners, Intelligence elements, Other
      • Describe the deployment model that hosts your core capabilities today. Options: Cloud (DoD/Commercial), On‑prem data centers, Edge/ruggedized local compute, Hybrid (edge + cloud), SaaS or managed service, Other
      • Which major subsystems or capability blocks are in-scope for integration (e.g., sensor ingest, fusion engine, C2 workstation)?
      • Which operating environments and classification domains must this architecture span? Options: Unclassified, Secret, Secret/TS with compartmenting, TS/SCI, Cross-domain/multi-domain, Other
      • How would you summarize the mission workflows that depend on this system (short narrative or bullet list)?

      Show Me How It Actually Runs

      • If you had to bet a mission on this system tomorrow, what single technical reality would make you most uneasy? Options: Unknown failure modes under load, Interoperability gaps with partners, Incomplete accreditation paperwork, Network latency or saturation, Personnel/clearance shortfalls, Other
      • Which specific external integrations routinely cause the most friction (pick all that apply)? Options: Tactical datalinks (e.g., Link formats), Cross-domain transfer solutions (CDS/guards), Coalition message formats, DISA/enterprise services (email, AD, DNS), Third‑party sensor feeds, Custom partner APIs
      • How do you currently validate end-to-end interoperability before field use? Options: Lab integration only, Tabletop / CONOPS reviews, Full system integration tests, Live exercises/OT, Ad-hoc manual checks, No consistent validation
      • How often do integration failures surface during exercises or operations? Options: Almost every event, Several times a year, Occasionally, Rarely, Never
      • Tell me about the last time an integration failed — what happened and what was the immediate operational impact?

      Where Things Break Under Pressure

      • Think back to the last crisis or exercise — what architectural blind spot was exposed most painfully? Options: Network congestion, Authentication/identity failure, Data mismatch/corruption, Incompatible messaging, Accreditation/legal hold, Other
      • When that failure occurred, who owned the fix and how fast could they respond? Options: Program office, Prime integrator, Subsystem OEM, Contractor support team, On-site ops team, Other
      • How long does full recovery typically take after a major outage (hours/days/weeks)? Options: <1 hour, 1–8 hours, 8–48 hours, 2–7 days, >1 week
      • What field workarounds do operators use when systems fail, and how sustainable or risky are they?
      • Have past workarounds introduced security or accreditation exposure? If so, where and why? Options: Yes—data exfiltration risk, Yes—improper cross‑domain handling, Yes—unapproved software use, No, Unsure

      What’s Really Missing Between Systems

      • Which kinds of data or messages consistently fail to translate cleanly between partner systems? Options: Geospatial tracks, Sensor telemetry/feeds, Imagery/COMINT products, Logistics/status updates, Command and control messages, Identity/authorization tokens
      • Which standards or protocols do partners expect that you do not fully support today? Options: Link‑16/VMF, STANAG formats, DDS/RTPS, REST/JSON or gRPC, Custom binary protocols, None / proprietary only
      • How much of your integration is custom point‑to‑point versus adapter-based reusable interfaces? Options: Mostly custom point-to-point, Mostly reusable adapters, Even mix, Unknown
      • Where do manual handoffs still exist (operator copy/paste, USB transfer, email), and why haven't they been automated?
      • What would you estimate is the percent of total integration effort consumed by translation and normalization work? Options: <10%, 10–25%, 25–50%, 50–75%, >75%

      Is Accreditation a Roadblock or a Checklist?

      • If accreditation could be redesigned for speed, what single change would accelerate fielding the most? Options: Standard baseline packages, Reusable artifacts across programs, Automated evidence collection, Pre‑approved cloud templates, Coordinated assessment windows, Other
      • Where are you in the RMF lifecycle today? Options: Not started, Categorization, Control selection, Implementation, Assessment, Authorization / ATO achieved, Continuous monitoring
      • Which accreditation artifacts are complete and available right now? Options: System Security Plan (SSP), Security Assessment Report (SAR), Plan of Actions & Milestones (POA&M), Authorization to Operate (ATO), Interconnection Security Agreement (ISA), Continuous Monitoring Plan (CMP)
      • What percent of POA&M items are funded and scheduled versus unknown or unfunded? Options: 0–25%, 25–50%, 50–75%, 75–100%, Unknown
      • Which parts of the accreditation process are most manual or brittle for your team? Options: Evidence collection, Configuration management, Testing/assessment, Authorization paperwork, Cross‑org coordination, Other

      Who Has to Sign Off When Things Go Sideways

      • When a residual risk needs acceptance, who in your governance structure is the ultimate decider? Options: Program Manager / PEO, Authorizing Official (AO), DoD CIO/Enterprise Authority, Mission Owner / O6, Contracting Officer Representative (COR), Other
      • List the decision roles, organizations, and typical clearance levels that must be engaged for accreditation and operational acceptance. Options: Top Secret/SCI, Top Secret, Secret, Confidential, Unclassified, Mixed/varies by role
      • Are these decision makers and subject‑matter experts co‑located for rapid decisions or spread across organizations and time zones? Options: Co‑located, Distributed but reachable, Highly distributed with slow cycles, Varies by decision
      • Describe the most common friction point between program, security, and operations teams when negotiating acceptance criteria.
      • How often do clearance or personnel availability issues delay accreditation or testing windows? Options: Often, Sometimes, Rarely, Never, Unknown

      Data: The Straitjacket or the Superpower

      • Which data flows are currently most constrained by classification, access policy, or format incompatibility? Options: Sensor telemetry, Tracks and fusion outputs, Imagery and video, SIGINT/ELINT products, Logistics and status, Identity and personnel data
      • What metadata, tagging, or schema standards do you use to make data shareable? Options: STIX/TAXII, DCAT/ISO, Custom schema, No formal standard, Other
      • How are cross‑domain transfers implemented today? Options: Accredited CDS/guard, Manual reviewed export, Jump servers with controls, Encrypted file movement, No cross‑domain allowed
      • What latency or throughput SLAs are mission‑critical for the data types you just selected? Options: <100 ms, 100–500 ms, 500 ms–2 s, >2 s / batch acceptable, Variable by message type
      • Share a concrete instance where poor data quality (missing fields, duplication, stale info) caused an incorrect or delayed decision.

      How Will You Know You’ve Fixed It

      • If fixes were deployed tomorrow, which operational measures must improve for you to call the effort a success? Options: Time to decision, Track/target accuracy, System uptime/availability, Mean time to restore, Time to accreditation/ATO, Interoperability pass rate
      • What are the current baseline values for those metrics (numbers, percentages, or narratives)?
      • Which test events or certification milestones must be achieved to validate those improvements? Options: Development test (DT), Operational test (OT), Integration lab events, Coalition exercise, Red/Blue team assessment, Authorizer inspection
      • Who must witness and formally sign off on test success (organizations or named roles)? Options: Program Office, Operational Test Agency, Authorizing Official, DISA/Enterprise, Coalition partner rep, Other
      • How frequently do you want progress reports and in what format (dashboard, slide pack, working demo)? Options: Weekly dashboard, Bi‑weekly slides + demo, Monthly executive summary, Per milestone delivery, Ad‑hoc as needed

      Constraints, Contracts, and Calendars

      • What contractual or funding constraint, if ignored, will cause the program to fail its next major milestone? Options: Fixed FY funding profile, Contract type limitations (FP/CP), Congressionally mandated dates, Export/ITAR restrictions, Security accreditation gating, Other
      • Which milestone dates are immovable for you (e.g., CDR, MS B/C, IOC)? Please name and date them if available.
      • Are there contract clauses that limit changes to architecture, suppliers, or integration approaches? Options: Yes—major restrictions, Yes—some constraints, No significant clauses, Unsure / need review
      • What change‑control rhythm would allow progress without jeopardizing compliance (formal board, sprint approvals, emergency lanes)? Options: Formal change board only, Regular sprint-level approvals, Fast track for security/interop fixes, Ad‑hoc case-by-case, Other
      • How much schedule slack is realistically available for integration, testing, and accreditation activities? Options: None—dates fixed, Little—1–4 weeks, Some—1–3 months, Significant—>3 months, Unknown

      Ready to Act — What’s the First Risk We Should Remove?

      • If we could eliminate one risk in the next 90 days, which would move the program forward most reliably? Options: Critical interop gap, Accreditation bottleneck, Lack of test environment, Missing cleared personnel, Unfunded POA&M items, Other
      • Who are the three people or roles that must be engaged immediately to remove that risk?
      • What immediate, low‑cost evidence (demo, artifact, or test result) would convince decision makers that the risk reduction is real? Options: Working interface demo, Updated SSP extract, Successful cross‑domain transfer, Test report from lab, Signed intent/memo, Other
      • How do you prefer remediation options be presented to leadership: a technical prototype, a risk‑reduction roadmap, or costed phases tied to milestones? Options: Technical prototype + demo, Risk‑reduction roadmap, Costed phased approach, Combined (prototype + roadmap), Other
      • Would you be willing to commit to a 30‑day discovery sprint to produce a concrete first deliverable (yes/no and any caveats)? Options: Yes—no caveats, Yes—with approvals/constraints, Maybe—need further info, No
  2. Outcome Discovery

    Define target operational effects, measurable success signals, and constraints tied to funding and milestone schedules.

    Discovery Questions

    Tell Us the Mission That Matters

    • Which program or mission are we focusing on for this conversation? Options: Program of Record (POR), New Capability Development, Urgent Operational Need (UON), Allied partner fielding, Classified program / sensitive effort, Other
    • Who are the primary users and decision-makers who will operate, evaluate, or approve this capability? Options: Tactical operators (e.g., squads, crews), Mission commanders (O-6/Colonel+), Program Executive Office (PEO), Acquisition Program Manager (PM), Intelligence/analytic cells, Cybersecurity/CISO office, Allied partner representatives, Other
    • In one sentence, how would the sponsor describe mission success for this effort?
    • Which funding lines and appropriation types are expected to be used for development, integration, and fielding? Options: RDT&E, Procurement, Operations & Maintenance (O&M), MILCON, Foreign Military Sales (FMS), Other
    • What fixed milestone events (e.g., CDR, OT/DT, IOC/FRP decision) are on the calendar that we must align to?

    Are We Mistaking Activity for Effect?

    • What if ‘delivered capability’ isn’t the same thing as ‘operational advantage’—which of your current metrics might be giving you a false sense of progress? Options: Features completed / lines of code, Number of integrations shown, Test cases passed, Schedule milestones met, Training hours logged, Cyber artifacts submitted, Other
    • Which operational effects do commanders explicitly say they need (for example: shortened decision time, improved target certainty, or sustained situational awareness)? Options: Reduced decision latency, Improved detection/identification rate, Higher track correlation fidelity, Reduced false alarms, Increased mission tempo, Improved coalition interoperability, Other
    • Of those effects, which currently have a clear, agreed metric and where (unit logs, test reports, analytics dashboards)? Please give examples.
    • Who in your organization is responsible for measuring and reporting those operational effects today? Options: Program Office / PMO, Operator unit / Tactics cell, PMO analytics team, Contractor analytics / integrator, Operational Test Agency / JTE, Other
    • How frequently must those signals update to be tactically useful (real-time, hourly, daily, etc.)? Options: Real-time / near real-time, Hourly, Daily, Weekly, Monthly

    Where the Schedule Really Bites

    • Which milestone—if missed—would effectively derail the fielding plan or congressional deliverable? Options: Critical Design Review (CDR), Initial Operational Test (IOT)/Operational Test (OT), Initial Operational Capability (IOC), Full Rate Production decision (FRP), Funding reprogramming date, Other
    • Which external dependencies present the highest schedule risk (accreditation, lab/test range access, funding release, interoperability with legacy systems)? Options: RMF/ATO approvals, Test range / lab availability, Funding disbursement timing, Legacy system interface readiness, Personnel clearances, Contractor staffing, Other
    • Have similar programs experienced slips? If yes, what were the top one or two root causes you encountered? Options: Requirements changes, Accreditation delays, Integration failures, Funding delays or reprogramming, Testing failures, Personnel/clearance gaps, Other
    • What percentage of your schedule is non-negotiable because of congressional, operational, or inter-service commitments? Options: 0–10%, 11–25%, 26–50%, 51–75%, 76–100%
    • If funding were reduced by 10–20% this FY, which capability areas would you consider deprioritizing or deferring?

    What Would Operational Success Feel Like at the Tip of the Spear?

    • Imagine the system is in sustained use and commanders are bragging about it—what single operator behavior would change first and prove it works?
    • Describe a concrete mission vignette where the platform changes the outcome—what happens differently, step by step?
    • Which quantitative thresholds would prove that effect for you (select all that apply)? Options: Decision time reduced (seconds/minutes), Target detection/identification rate (%), False alarm rate (%), Mean time to correlate tracks (seconds), Operator workload reduction (%), Mission completion rate (%), Network uptime (%)
    • Are there operational, ROE, or coalition constraints that will limit how those effects can be realized? Options: Yes — doctrinal limits, Yes — ROE constraints, Yes — coalition interoperability limits, No, Unsure
    • Who will be the authoritative reviewer that signs off this outcome as ‘mission effective’ during acceptance testing? Options: Combatant commander representative, Program Manager (PM)/PMO, Operational Test Agency / JTE, Technical lead / Systems Engineering, Other

    The Hidden Acceptance Criteria No One Asks For

    • What tacit, political, or cultural acceptance criteria have derailed similar programs here before?
    • Which cybersecurity and accreditation artifacts are non-negotiable for your ATO path? Options: System Security Plan (SSP), POA&M, Continuous Monitoring Plan, DISA STIG compliance evidence, ATO/ATO package, Interconnection Security Agreement (ISA), ST&E report
    • What environmental and operational constraints must the system survive in deployment (bandwidth, EMCON, climate, mobility)? Options: Limited bandwidth / SATCOM constraints, EMCON / emissions control, Austere power / battery-limited, Extreme temperatures, Salt/fog/high humidity, High vibration/shock, Other
    • What levels of personnel clearance, facility, or role presence are required for installation, testing, and handoff? Options: Top Secret / SCI cleared engineers, Secret cleared personnel, Facility clearance (FCL) for contractor, DOD cyber personnel on-site, Local unit SMEs, Other
    • Which acceptance tests, demonstrations, or artifacts from past programs won commander confidence fastest?

    If This Was Done Wrong, What Would We Regret?

    • What is the single worst operational consequence if this program underdelivers or is fielded late? Options: Mission failure / degraded mission capability, Increased risk to forces / casualties, Loss of intelligence advantage, Compromise of classified data, Program cancellation or loss of funding, Erosion of allied trust, Other
    • Which specific failure modes do you think are most likely during first 12 months of fielding? Options: Interoperability mismatches, Network saturation / bandwidth exhaustion, Operator overload / usability issues, Cyber vulnerability exploited, Hardware reliability/failure, Logistics / sustainment shortfalls, Other
    • How would a failure be recognized at the unit level—formal incident report, AAR, performance drop, or informal user complaints? Options: Formal incident report / SITREP, After Action Review (AAR), Performance metrics drop, User/operator complaints, Other
    • What is your acceptable level of residual risk in order to meet an immovable milestone (choose the best fit)? Options: Very low (near-zero residual risk), Low (controlled, documented residual risk), Moderate (mitigations planned), High (acceptable to meet urgent timelines)
    • Which contingency options should we prepare now if a critical dependency slips (e.g., alternate funding, limited initial capability, staged fielding)?

    Agreeing Next Moves — What We Should Lock Today

    • Which commitments, if made today between your team and ours, would most reduce program risk? Options: Firm milestone dates, Agreed funding profile / release schedule, Dedicated cleared staff onsite, Access to test ranges/environments, Shared acceptance criteria and measurement plan, Security artifact handover dates, Other
    • Which decisions need to be made immediately versus those that can wait until after operational experiments or pilot events? Options: Technical interfaces and APIs, Scope of initial fielded modules, Accreditation path and artifact owners, Test and evaluation plan, Procurement lot sizing, All can wait, Unsure
    • Who (roles or names) must be in the room for the next milestone decision to be authoritative? Options: Combatant command rep, Program Manager (PM)/PMO, Acquisition contracting officer, Security/accreditation lead, Operator/unit representative, Prime integrator technical lead, Other
    • When can we realistically convert the operational outcomes we discussed into formal acceptance criteria (pick the best timeline)? Options: Within 2 weeks, Within 1 month, Within 2–3 months, After the next test event, Unsure
    • List the top three open questions or information gaps that we must resolve before committing to contract milestones.
  3. Solution Experience

    Run scenario-based sessions that map the offering to the customer’s mission workflows, accreditation path, and measurable effects.

    Experience Meetings

    • Current State Confirmation Workshop
    • Consequence & Success Metrics Alignment
    • Scenario-Based Mission Walkthroughs
    • Accreditation Path & Security Mapping
    • Validation Exercise & Acceptance Criteria Check
    • Define mitigations that lower ATO risk while preserving the validated future state.
    • Integrator to draft a simple ROI/impact memo showing how meeting thresholds reduce program cost/risk.
    • Customer to confirm availability of telemetry/logging or provide alternate data feeds for metric verification.
    • Scenario Selection & Objectives
    • Validate that the solution workflow produces the defined future-state outcomes for each scenario.
    • Tie each scenario step to at least one measurable success signal and record verification approach.
    • Identify and document integration touchpoints and residual risks requiring technical spikes.
    • Produce detailed scenario maps annotated with solution steps, metric tie-ins, and responsible owners.
    • Create a prioritized list of technical spikes or integration tasks to close gaps found in walkthroughs.
    • Schedule targeted SME sessions to resolve any disputed operational assumptions.
    • Current RMF/ATO Status Review
    • Produce a mapped accreditation checklist showing existing vs missing artifacts tied to scenario steps.
    • Agree on owners and realistic delivery dates for each missing artifact and test event.
    • Introductions & Objectives
    • Draft an accreditation (RMF) gap report with owners, POA&M entries, and recommended mitigations.
    • Schedule required security test events and identify lab/factory environments needed for evidence collection.
    • Integrator to prepare artifact templates (SSP, SAR) pre-populated with scenario-specific controls for customer review.
    • Recap Future State & Acceptance Criteria
    • Demonstrate at least one success signal achieving its threshold with evidence.
    • Obtain explicit customer validation (or recorded exceptions) against the acceptance criteria.
    • Agree the next decision: pilot/test event schedule, remediation plan, or acceptance to move toward contract/milestone.
    • Produce a short validation report with raw measurements, pass/fail against thresholds, and recommended remediation (if any).
    • Update acceptance criteria and any contractual language or milestone definitions based on customer redlines.
    • Schedule the full pilot or field test with owners, environments, and success metrics confirmed.
    • Produce one clear, evidence-backed current-state sentence that all participants agree is accurate.
    • Catalog top 3–5 operational failure modes with supporting evidence and owners.
    • Confirm stakeholder list and who will validate later scenario outcomes.
    • Agree on pre-work artifacts and timeline required to run scenario-based sessions.
    • Draft and circulate the one-sentence current state and supporting evidence pack.
    • Customer to deliver missing artifacts (interface specs, logs, accreditation docs) within agreed timeline.
    • Assign SMEs for each documented failure mode and confirm availability for scenario sessions.
    • Restate Current State & Gaps
    • Document 3–5 prioritized success signals with quantifiable thresholds tied to program milestones.
    • Produce consequence statements with at least one numeric estimate (days, $K, probability) for each top failure mode.
    • Agree on measurement methods and owners for each metric.
    • Create a metrics specification (definitions, thresholds, data sources, owners) and circulate for sign-off.
    • One-Sentence Current State
    • Map Scenario Behaviors to RMF Artifacts
    • Scenario Walkthrough #1 (Live/Tabletop)
    • Quantify Consequences
    • Run Validation Exercise
    • Measure Outcomes vs Metrics
    • Forced Validation Checkpoint #1
    • Define Ownership & Deliverables
    • Define Success Signals & Thresholds
    • Evidence Walkthrough
    • Map Metrics to Milestones/Funding
    • Scenario Walkthrough #2 (Live/Tabletop)
    • Mitigations & Risk Reduction Steps
    • Operational Failure Modes
    • Customer Validation & Redlines
    • Forced Validation Checkpoint #2
    • Decide Next Steps & Pilot/Fielding Plan
    • Stakeholder & Role Confirmation
    • Validation & Measurement Methods
    • Accreditation Timeline & Milestone Alignment
    • Pre-work & Next Deliverables
    • Capture Integration Touchpoints & Risk Items
    • Recap & Agreement on What Was Proven
  4. Solution Scope

    Specify modules, responsibilities, integration boundaries, security controls, and acceptance criteria tied to DoD standards.

    Scope Configuration

    • Ruggedized Operator Workstation Deployment
    • Secure Communications Gateway Installation
    • Real-Time Data Correlation Engine Deployment
    • Role-Based Access Control Implementation (DISA STIGs)
    • Sensor Interface Adapter Integration
    • Cross-Domain Solution Integration
    • Factory Integration and System Assembly
    • Site Rack, Power, and Network Cabling Installation
    • On-site Operational Test Execution
    • STIG Hardening and Security Control Implementation
    • COMSEC and Key Management Device Installation
    • Interoperability Middleware Deployment (STANAG/NATO)
    • Operator Training and System Handoff

    Scope Questions

    Ruggedized Operator Workstation Deployment

    • Do you require ruggedized operator workstations to be deployed as part of this effort? Options: Yes, No
    • How many operator workstations are required per site (estimate)? Options: 1-4, 5-10, 11-50, 50+
    • What environmental and shock/vibration standards must the workstations meet? Options: MIL-STD-810, IP67, TEMPEST, Other
    • List required workstation peripherals and specialized I/O (e.g., multi-touch displays, joysticks, printers, crypto tokens).
    • Will these workstations connect to classified enclaves or require separation between enclaves? Options: Yes, No
    • What are the acceptance criteria for workstation deployment (e.g., boot time, application load, environmental tests)?

    Secure Communications Gateway Installation

    • Do you require a secure communications gateway to be installed and configured? Options: Yes, No
    • Which network domains must the gateway support? Options: Unclassified, Secret/JWICS, TS/SCI, Cross-Domain
    • What expected throughput and concurrent session capacity is required? Options: <100 Mbps / <100 sessions, 100 Mbps–1 Gbps / 100-1,000 sessions, >1 Gbps / >1,000 sessions
    • Which crypto or compliance standards must the gateway meet (select all that apply)? Options: DISA STIGs, DoD IL2/IL4/IL5, NSA Type 1, Other
    • Who will supply the WAN/transport circuits and termination (customer, prime, other)? Options: Customer, Prime/Seller, Other
    • Define the acceptance criteria for the gateway (e.g., latency, packet loss thresholds, crypto validation steps).

    Real-Time Data Correlation Engine Deployment

    • Is a real-time data correlation/fusion engine required as part of the solution? Options: Yes, No
    • What data sources and formats must the engine consume (list sensors, message formats, streams)?
    • What latency and throughput SLAs must the engine meet for correlation and distribution? Options: <100 ms, 100-500 ms, 500 ms-2 s, >2 s
    • Does the engine need to host or integrate third-party analytics, ML models, or external inference services? Options: Yes, No
    • Will the engine run in classified enclaves, unclassified environments, or a hybrid architecture? Options: Classified enclave, Unclassified environment, Hybrid
    • Specify measurable acceptance criteria for data correlation (e.g., detection accuracy, false positive rate, end-to-end latency).

    Role-Based Access Control Implementation (DISA STIGs)

    • Do you require RBAC to be implemented in accordance with DISA STIG guidance? Options: Yes, No
    • How many distinct user roles and role hierarchies are required (estimate)? Options: 1-5, 6-15, 16-50, 50+
    • Is PIV/CAC integration and multi-factor authentication required for role access? Options: Yes, No
    • What audit/logging retention period and reporting requirements apply to RBAC events? Options: 30 days, 90 days, 1 year, Custom
    • Are there special separation-of-duty or dual-control requirements for privileged roles? Options: Yes, No
    • Define the acceptance criteria for RBAC implementation (e.g., access matrix sign-off, successful STIG scan, audit trail verification).

    Sensor Interface Adapter Integration

    • Which sensor types must be integrated via adapters (select all that apply)? Options: EO/IR, SAR, SIGINT, Radar, Acoustic, Other
    • How many sensor feeds and what average data rates or sample rates are expected?
    • Which interface protocols or standards are required for adapters (e.g., STANAG, DDS, serial/analog, custom SDK)? Options: STANAG, DDS, Serial/Analog, REST/JSON, Custom SDK
    • Will sensor data be classified, and at what classification levels? Options: Yes, No
    • Are vendor SDKs, drivers, or documentation already available for the sensors? Options: Available, Not Available, TBD
    • Specify acceptance criteria for sensor integration (e.g., data fidelity, timestamp sync PTP/UTC accuracy, end-to-end latency).

    Cross-Domain Solution Integration

    • Is a Cross-Domain Solution (CDS) required to move or share data across security domains? Options: Yes, No
    • Which security domains must be bridged by the CDS (select all applicable)? Options: Unclassified, Secret, TS/SCI, Coalition/Allied
    • What policy or accreditation constraints govern cross-domain transfers (e.g., allowed file types, sanitization rules)?
    • Estimate daily transfer volumes and typical file sizes to size the CDS. Options: <1 GB/day, 1 GB-100 GB/day, 100 GB+ / day
    • Who will own licensing, maintenance, and operational responsibility for the CDS? Options: Customer, Seller, Shared/Joint
    • Define CDS acceptance criteria (e.g., sanitization verification, policy enforcement tests, accreditor sign-off).

    Factory Integration and System Assembly

    • Will systems be assembled and integrated at the seller's factory prior to shipment? Options: Yes, No
    • How many complete systems or units are planned for factory assembly? Options: 1-5, 6-20, 21-100, 100+
    • Are automated test harnesses, build automation, and acceptance scripts required for factory testing? Options: Yes, No
    • Is serialization, chain-of-custody tracking, and asset tagging required during assembly? Options: Yes, No
    • Are there export control, customs, or transportation constraints we should plan for?
    • Define factory acceptance criteria and required deliverables (FAT report, test logs, build documentation).

    Site Rack, Power, and Network Cabling Installation

    • How many deployment sites and how many racks per site are in scope?
    • What power configuration and redundancy are required at each site? Options: Single feed, Dual feed, UPS with generator, Other
    • What rack unit (RU) space, cooling, and floor-loading constraints exist at sites?
    • Does the site require accredited physical security (e.g., SCIF, GSA container) for installed equipment? Options: Yes, No
    • Who will provide local cabling and electrical work (Customer, Seller, third-party)? Options: Customer, Seller, Third-party
    • Define acceptance criteria for site installation (power/load tests, cable certification, environmental validation).

    On-site Operational Test Execution

    • Which test types are required on-site (select all that apply)? Options: Factory Acceptance Test (FAT), Site Acceptance Test (SAT), Integration Test, Operational Test & Evaluation (OT&E)
    • Who will witness and approve on-site tests (customer representatives, third-party test labs, accreditor)? Options: Customer, Seller, 3rd Party, Accreditor
    • What is the expected schedule window and duration for on-site testing?
    • What data will be used for testing (sanitized, synthetic, or live data)? Options: Sanitized data, Synthetic data, Live data
    • Are formal test plans, procedures, and acceptance checklists required to be delivered? Options: Yes, No
    • Specify pass/fail criteria and required artifacts for test acceptance (test logs, issues disposition, sign-offs).

    STIG Hardening and Security Control Implementation

    • Which STIG baselines must be applied as part of hardening? Options: Windows STIGs, Linux STIGs, Network Device STIGs, Database STIGs, All
    • Will automated vulnerability scanning and remediation (SCA tools) be used? Options: Yes, No
    • Who will perform scanning and remediation activities (Seller, Customer, or joint)? Options: Seller, Customer, Joint
    • What timeline is required to achieve baseline compliance prior to accreditation? Options: <30 days, 30-90 days, 90+ days
    • Do you require full documentation for STIG compliance (SCA reports, mitigation plans, POA&Ms)? Options: Yes, No
    • Specify acceptance criteria for STIG hardening (SCA pass thresholds, vulnerability severity limits, auditor sign-off).
  5. Mutual Commit

    Finalize contract modules, delivery milestones, SLAs, and who owns accreditation and acceptance obligations.

    Agreement Modules

    • Statement of Work (SOW)
    • Master Services Agreement (MSA)
    • Pricing & Funding Profile
    • Delivery Milestones & Acceptance Schedule
    • Service Level Agreement (SLA)
    • Cybersecurity & Accreditation Responsibility Matrix
    • Test & Evaluation Plan (T&E) / Acceptance Test Procedures (ATPs)
    • Technical Annex / Interface Control Document (ICD)
    • Data Rights, Intellectual Property & Export Control
    • Change Order & Configuration Management Process
    • Warranty, Maintenance & Sustainment Agreement
    • Security & Personnel Clearance Commitments
    • Subcontracting, Supply Chain & Flow‑Down Clauses
    • Termination, Liability & Indemnification
    • Acceptance & Handover Certification
  6. Deployment

    Operationalize rollout with readiness checks, accreditation gates, and outcome validation.

    1. Pre-Deployment Readiness

      Confirm cleared personnel, test environments, data access, RMF status, and risk mitigations before fielding.

      Readiness Questions

      Tell Us About Your Program—Start Simple

      • What is the program name, primary mission, and who is the single POC we should coordinate with?
      • Which milestone or acquisition decision event is driving this effort right now? Options: Milestone A, Milestone B, Milestone C / LRIP, Full Rate Production, Other / Not applicable
      • What type of funding profile supports this program? Options: Congressional program of record (multi-year), Annual O&M, One-time procurement, Foreign Military Sales / FMS, Other / Mixed
      • Who is the program’s acceptance authority for operational fielding (rank/role and office)?
      • Have you previously fielded an integrated C4ISR capability of comparable scope? Tell us briefly about that experience. Options: Yes — internally led, Yes — with a prime integrator, No — first time at this scale, Partial experience / limited components
      • What are the top three metrics you’ll use to judge whether the fielding succeeded (e.g., ATO date, latency, detection rate)?

      Why This Program Keeps You Up at Night

      • If you had to name one outcome that, if missed, would be judged a program failure—what is it and why would it matter?
      • Which operational gaps do you feel are most likely to cause that failure? Options: Legacy interoperability, Network bandwidth/latency, Inadequate accreditation, Data quality/integrity, Operator workflow mismatch, Other
      • How often do those gaps surface during exercises or operations today? Options: Continuously, Weekly, Monthly, Rarely, Unknown / not measured
      • When these gaps appear, what is the typical downstream impact on mission outcomes or leadership decisions?
      • Think of a recent incident where capability shortfalls mattered—what happened and how did it feel to your leadership and operators?

      Where the Real Bottlenecks Hide

      • Which single phase of your current acquisition or integration process silently consumes the most time and budget? Options: Requirements definition, Systems engineering / design, Factory integration, Cybersecurity accreditation (RMF), Field testing / OT, Logistics / sustainment setup
      • Which dependencies outside your immediate control most often create schedule slip (e.g., 3rd-party vendors, cross-domain solutions, test ranges)? Options: 3rd-party software/hardware, Cross-domain guard approvals, Range scheduling / test artifacts, Supply chain / parts delays, SAP / cleared facility access
      • How well-defined are your integration boundaries and interface control documents (ICDs)? Options: Fully documented and baseline-controlled, Partially defined with key gaps, Mostly ad-hoc / not formalized, No clear ICDs exist
      • What recurring assumption in your program planning do you suspect is optimistic or wishful thinking?
      • What small, concrete changes have you tried to remove bottlenecks—and what were the results?

      If Accreditation Could Be Different

      • What single part of the RMF / ATO process would you change if you could—paperwork, testing, authority behavior, or resource allocation? Options: Reduce documentation friction, Faster security testing, Clearer acceptance authority timelines, Dedicated cybersecurity resources, Other
      • What is your current RMF step/status and what artifacts already exist (e.g., SSP, SCA, SAR, POA&M)? Options: Not started, Categorization complete, SSP in progress, SSP complete / SAR pending, ATO in progress, ATO granted
      • List any open POA&M items or high-severity findings that could block an ATO—what are they and how long to remediate?
      • Who owns cybersecurity accreditation day-to-day—program office, PMO security lead, an integrator, or a separate ISSO team? Options: Program office, PMO security lead, Prime integrator, Dedicated ISSO / external, Shared model
      • How would delays in ATO impact your milestone dates or funding drawdowns? Options: Minor schedule slip, Significant milestone risk, Funding reprogramming risk, Program re-evaluation / stop

      A Day in Your Mission—When It Works

      • Imagine commanders trust this capability fully—what specific decisions happen faster or better as a result?
      • Which measurable signals would prove the capability is delivering those mission effects (e.g., reduced sensor-to-shooter latency, higher track correlation accuracy)? Options: Latency reduction, Improved detection/true positive rate, Operator workload reduction, Faster decision cycle time, Interoperability across domains
      • Who are the operator personas that must adopt this system, and how would you describe their tolerance for workflow change? Options: Highly adaptable, Moderately adaptable, Resistant without strong training, Unknown / mixed
      • Describe a mission scenario where the system’s presence would change the outcome—what does success look like in that event?
      • What acceptance criteria would you set for a successful Operational Test or Site Acceptance Test?

      People, Clearances, and Who Can Say Yes

      • Who on your team must be present, cleared, and empowered to sign off on integration and accreditation decisions? Options: Program Manager / PEO, Designated ATO signer (AO), Information System Security Manager (ISSM), Contracting Officer Representative (COR), Operational acceptance lead
      • Count or estimate cleared personnel available for hands-on integration, testing, and accreditation support across your sites. Options: 0, 1–5, 6–15, 16–50, 50+
      • Are cleared contractor personnel allowed on-site to perform integration or do security constraints limit contractor activity? Options: Full contractor access with supervision, Limited contractor access, Contractors cannot access cleared areas, Varies by site
      • How confident are you that the right people will remain available across the next 6–12 months? Options: Very confident, Somewhat confident, At risk, Uncertain
      • What training or knowledge gaps exist today that would slow operator acceptance or maintenance after fielding?

      Data, Environments, and What You'll Need to Test in the Real World

      • How different are your test datasets and environments from what the system will face in theater—are we testing theater-representative inputs or lab-friendly samples? Options: Fully representative, Partially representative, Mostly sanitized / not representative, Unknown
      • What constraints exist around using production or classified data for integration and OT (e.g., classification level, anonymization, CUI restrictions)? Options: Production data allowed with controls, Only sanitized or synthetic data, Classified data restricted to specific sites, No access to production data
      • Which test environments are available and who controls them (e.g., range, lab, enclave, coalition testbed)? Options: Government lab/enclave, Service test range, Coalition testbed, Vendor factory test, None currently available
      • How frequently can you schedule integrated test events that include cross-domain or coalition partners? Options: Monthly, Quarterly, Infrequent / annually, Unable to schedule
      • What would need to change in order to run a fully representative end-to-end test within 90 days?

      Let’s Make Risk Tolerable—What Would You Trade?

      • If you had to accept a single additional program risk to preserve your milestone and funding, what would you accept and why?
      • How would you rank your program’s tolerance for each of these risks? Options: Cybersecurity / residual vulnerabilities, Schedule delays, Performance shortfalls, Interoperability gaps, Cost growth
      • What mitigation actions are already budgeted or planned for the top two risks you identified?
      • Who is authorized to sign a risk acceptance memorandum or change request in your chain of command? Options: Program Manager, PEO / Milestone Decision Authority, Authorizing Official (AO), Senior Contracting Official, Other
      • If a mitigation needs external support (e.g., vendor changes, cross-service coordination), what’s your preferred path to escalate and resolve it?

      Who Owns What When This Ships?

      • Where does responsibility end for the integrator and begin for the government when it comes to accreditation, sustainment, and acceptance?
      • Which sustainment model are you planning for—government logistics, contractor logistics support (CLS), or hybrid? Options: Government logistics, Contractor logistics support (CLS), Hybrid / Transition plan, Undecided
      • What SLAs or performance guarantees would be non-negotiable for you post-fielding?
      • Are there supply-chain or OEM obsolescence concerns we should flag now? Options: Yes — multiple concerns, Some components at risk, No immediate concerns, Unknown
      • Who is the single point accountable for operational acceptance after handover, and how will they measure readiness?

      Ready for One Small, High-Value Step?

      • What is the smallest, highest-impact activity we could take in the next two weeks to reduce your biggest unknown? Options: Host a 2-hour ATO readiness review, Run an interface/ICD walk-through, Schedule a cleared personnel alignment meeting, Prepare a test data access plan, Other
      • Who must attend that activity and who has final authority to approve scheduling it?
      • Realistically, when can that activity happen (choose the earliest feasible window)? Options: This week, Next 2 weeks, Within 1 month, Within 2–3 months, Longer / planning required
      • How would you like us to follow up—brief summary, detailed action plan, or a proposal for scope and price? Options: Brief summary / email, Detailed action plan, Formal proposal with SOW and LOE, Schedule a planning workshop
      • What three questions would you want answered before committing to that next step?
    2. Deployment Enablement

      Schedule factory integration, site installations, test events, and coordinate cross-domain teams with clear sequencing and owners.

    3. Validation Checklist

      Verify interoperability tests, cybersecurity accreditation artifacts, and operational acceptance against defined success signals.

      Validation Questions

      Start with the Mission: In One Line

      • In one clear sentence, what top-line mission outcome must this capability deliver?
      • Which operational domain(s) will this capability primarily affect? Options: Ground, Air, Maritime, Space, Cyber, Multi-domain / Joint
      • Who inside your organization will feel the payoff first (title/role)? Options: Program Manager / PEO, Operational Commander (O-6/Col), Systems Integrator, Cybersecurity Lead, G-3 / Operations Planner, Other
      • On a scale, how urgent is delivering this capability within the next 12 months? Options: Critical (must deliver), Important (high priority), Planned (medium), Long-term (low)
      • When you picture this program succeeding, what feeling comes to mind—relief, confidence, pressure eased, or something else? Options: Relief, Confidence, Pride, Pressure eased, Skeptical, Other

      Are We Solving the Right Problem (Even If It Isn’t What You Asked For)?

      • What assumption about the problem would you be most surprised to have proven wrong?
      • Which of these statements best describes why the problem exists today? Options: Aging/legacy systems limit integration, Policy/regulatory barriers, Lack of cleared personnel, Insufficient data standards, Funding cadence/milestones misaligned, Other
      • Tell us about a recent incident or exercise where capability gaps materially affected operations—what happened and why?
      • How long has this capability gap persisted, and what efforts have been tried to close it? Options: <6 months, 6–12 months, 1–3 years, 3+ years
      • If we focused on the wrong problem for the next 12 months, what risk would that create for your program or mission?

      The Outcomes That Matter — Not Just Features

      • What single measurable change would prove to you that the capability is mission-useful (e.g., minutes shaved from sensor-to-shooter, percent increase in track accuracy)?
      • Which of these operational effects are a must-have vs. nice-to-have for initial fielding? Options: Reduced decision cycle time, Improved sensor fusion accuracy, Resilient comms under degradation, Faster accredited on-net time, Lower operator cognitive load, Other
      • What trade-offs are acceptable between capability breadth (many features) and speed to field (deliverables by milestone)? Options: Prioritize speed to field, Balance both, Prioritize breadth/feature-complete, Undecided
      • Describe one scenario (real or plausible) where the offering must perform perfectly—what does success look like in that event?
      • Which end-state would be most damaging if unmet—mission defeat, mission delay, or bureaucratic rejection (e.g., failed accreditation)? Options: Mission defeat, Mission delay, Failed accreditation/acceptance, Budget reprogramming/stop-work, Other

      How Will You Measure 'Mission Ready'?

      • If you had to pick three objective success signals that an independent test board would accept, what would they be? Options: Latency thresholds, Throughput/scale metrics, Interoperability pass rates, RMF artifacts completed, Operational acceptance test results, Other
      • Who signs off on each of those signals today (role/office)?
      • How tight are the acceptance thresholds—are margins strict (zero-fail tolerances) or performance-banded? Options: Zero-fail / strict, Band-based / some leeway, Flexible with compensating measures, Unclear
      • What historical evidence or past performance would help prove you can hit these signals (exercises, deployments, ATOs)?
      • Are there politically or programmatically driven metrics that matter to stakeholders but won’t appear in technical tests? If so, what are they?

      Funding, Timeline & Decision Pressure: The Invisible Deadlines

      • What congressional or program milestone is the single non-negotiable deadline driving this effort?
      • How likely is funding to be reprogrammed or delayed if milestones slip? Options: Very likely, Possible, Unlikely, Unknown
      • Describe the funding profile (one-time, multi-year, incremental) and any constraints tied to fiscal year or line-item requirements. Options: One-time / CIP, Annual O&M, Multi-year procurement, Hybrid, Other
      • What would acceptance look like in a constrained-funding scenario—can capability be delivered in modular releases? Options: Yes — modular releases, No — must be full capability, Prefer phased but unsure, Other
      • Who ultimately controls funding decisions and which external stakeholders (e.g., higher HQ, DoD office, allied partner) influence the timeline?

      Hidden Constraints and Red Lines — Tell Us What We Must Never Break

      • What regulatory, accreditation, or policy constraints would immediately disqualify a proposed approach? Options: Non-compliance with DoD RMF, Non-DISA-approved encryption, Lack of cleared personnel, Cross-domain solution violations, Export control issues (ITAR/EAR), Other
      • Are there data sovereignty, classification, or partner-sharing limits that change how we design integration? Options: US-only data, Allied data share allowed, Mixed classification with CDS, C2 data must remain on-site, Other
      • Who enforces those red lines inside your organization, and how do they prefer to be engaged during design decisions? Options: Security/A&A office, Program Office leadership, Legal/Export Compliance, Operations leadership, Other
      • Have any prior vendors been rejected for policy or compliance reasons? If so, what was the cause?
      • Which constraints are negotiable with adequate compensating controls, and which are absolute? Options: Negotiable with compensating controls, Absolute / non-negotiable, Unsure — need guidance

      If This Succeeds, Who Owns the Win (and the Risk)?

      • Who owns operational acceptance and long-term sustainment once the system is fielded? Options: Program Office / PM, Operational Unit, Prime Contractor, Shared ownership, Other
      • Which organization will maintain accreditation artifacts and be the point for ATO renewals? Options: Customer A&A office, Prime contractor, Designated system owner, Joint team, Other
      • Where do you expect capability handover friction to occur (people, process, tech), and how has it shown up before?
      • What level of training, documentation, and knowledge transfer must accompany fielding to prevent 'drop-off' after deployment? Options: Hands-on training + manuals, Train-the-trainer model, Virtual/CBT only, Embedded contractor support, Other
      • If an operational gap resurfaces after initial fielding, who has authority to pause or adjust fielded capability? Options: Program Manager, Operational Commander, Safety/Security Office, Contractor with POA&M, Other

      What Would Make You Say Yes (Realistically)?

      • What evidence (tests, demos, references, cleared personnel) would make you comfortable awarding a contract or moving to prototype? Options: Successful interoperability demo, ATO / RMF artifacts, Cleared engineering team, Performance in an exercise, Past program references, Other
      • How important are vendor security posture and cleared staff compared to pure technical performance? Options: Security/clearance more important, Equal importance, Performance more important, Depends on phase
      • What unresolved questions would cause you to delay commitment even if technical tests pass?
      • What timeline for decision-making feels realistic after a technical demonstration—days, weeks, or months? Options: Within 7 days, 2–4 weeks, 1–3 months, 3+ months
      • If we brought a proposed path that meets your top three success signals, what would be the minimal contractual element you’d want in place to move forward? Options: Prototype / not-to-exceed contract, Milestone-based delivery, Prototype + transition plan, Full fixed-price award, Other

      Closing the Loop: Immediate Next Steps and Shared Risks

      • What immediate actions would you like us to take after this discovery (e.g., draft success criteria, run a scenario workshop, schedule an interoperability demo)? Options: Draft measurable success criteria, Run scenario-based workshop, Schedule lab integration demo, Map accreditation path (RMF), Produce phased delivery plan, Other
      • Who should be on the core working group to move those actions forward (names/roles), and how often can they meet? Options: Weekly, Bi-weekly, Monthly, Ad hoc
      • What would make you feel confident we are treating program risk as shared rather than shifted onto your team?
      • Is there any sensitive information, stakeholder dynamic, or political reality we should respect while we co-create the path forward?
      • Finally, what is the preferred way to capture ongoing concerns and small wins during the next phase—regular report, shared channel, or embedding a liaison? Options: Shared collaboration channel (e.g., Teams/Slack), Weekly written report, Embedded liaison on-site, Monthly executive check-in, Other
  7. Success

    Confirm mission outcomes, capture lessons learned, and maintain a shared channel for issues and enhancements.

    Success Reviews

    • Mission Outcomes Confirmation
    • Operational Acceptance Board (OAB)
    • Lessons Learned Retrospective
    • Issues, Enhancements & Shared Channel Onboarding
    • Sustainment & Enhancement Roadmap Planning

    Issues & Enhancements

    • Publish triage SOP and SLA matrix to the channel and ensure stakeholders acknowledge receipt.
    • Convert lessons into a prioritized set of improvement actions with owners and delivery dates.
    • Identify which artifacts (CONOPS, test plans, SLAs, runbooks) require formal updates and assign responsibility.
    • Publish the Lessons Learned Report and distribute to program leadership, contracting, and technical teams.
    • Update the program ConOps, runbooks, and training materials based on prioritized lessons.
    • Schedule a change-control review for any contract or SOW updates required to institutionalize improvements.
    • Review Current Issue & Enhancement Inventory
    • Establish a single, accessible shared channel for issues and enhancements with defined access and classification.
    • Agree triage rules, SLAs, and escalation paths so customers and sustainment teams have clear expectations.
    • Populate the channel with the existing backlog and assign immediate owners for high-severity items.
    • Provision the agreed shared channel, invite stakeholders, and import the current backlog within 3 business days.
    • Introductions & Meeting Objectives
    • Assign owners for top 5 high-severity open items and schedule initial remediation checkpoints.
    • Context: Funding Profile & Milestone Constraints
    • Produce an agreed 12-month sustainment and enhancement roadmap with prioritization and tentative milestones.
    • Identify which roadmap items require contract modifications or additional funding and owners to pursue them.
    • Establish a quarterly roadmap review cadence and stakeholder list for ongoing governance.
    • Publish the signed roadmap with RAG status for each item and deliverable owners.
    • Initiate contract modification or funding requests for roadmap items that require additional obligations.
    • Schedule the first quarterly roadmap review and circulate pre-read materials two weeks prior.
    • Obtain formal customer acceptance for delivered mission outcomes where success signals are met.
    • Document any variances with quantified mission impact and agree mitigations, owners, and timelines.
    • Produce a one-page outcomes summary to serve as the canonical closeout artifact for the program office.
    • Publish the formal Outcomes Summary and attach acceptance signatures to the program record.
    • Create a tracked list of variances with owners, mitigations, and target close dates.
    • Schedule follow-up validation check for conditional acceptances within the agreed timeline.
    • Pre-work Verification & Agenda Review
    • Secure a documented operational acceptance decision from the board for program close or conditional actions.
    • Ensure RMF/accreditation responsibilities and residual risk owners are clearly assigned in writing.
    • Define an escalation path for any unresolved items requiring executive-level intervention.
    • Record and archive the OAB decision package including votes, dissenting opinions, and required corrective actions.
    • Assign accreditation and RMF follow-on tasks to named individuals with milestone dates.
    • If required, convene an executive escalation meeting within 7 business days to resolve blocking issues.
    • Set the Frame & Review Objectives
    • Document top 5 lessons with root causes and evidence to be shared with program stakeholders.
    • Define Triage & Prioritization Rules
    • Timeline Recap & Key Events
    • Operational Validation Presentation
    • Executive Summary of Delivered Outcomes
    • Capture Candidate Enhancements & Sustainment Needs
    • Evidence Walk-through
    • Prioritization Against Mission Impact & Funding
    • What Went Well / What Went Poorly (Breakouts)
    • Select & Configure Shared Channel Tooling
    • Risk & RMF Status Confirmation
    • Formal Vote & Outcome Recording
    • Resourcing, Contract & Schedule Implications
    • Assign Governance Roles & Escalation Paths
    • Root Cause Analysis
    • Variance & Impact Analysis
    • Roadmap Approval & Quarterly Review Cadence
    • Acceptance Decisions & Signatures
    • Action Prioritization & Institutionalization
    • Onboarding & Next Steps
First-Party AI

1-2 minutes please — Your AI agent is working

First-Party AI™ can make mistakes. Always check important information.