Health, Education & Government Government & Public Sector Defense Systems & Programs

Cyber Operations Systems

Multi-agency, multi-stakeholder programs where procurement, compliance, and mission alignment determine success.

Booz Allen Hamilton Leidos MITRE Raytheon
Inside this journey
  1. Pre-Discovery

    Align the room on outcomes, decision process, and constraints before deeper discovery.

    1. Stakeholder & Classification Alignment

      Confirm decision roles, classification constraints, timeline, and success criteria across mission stakeholders.

      Alignment Questions

      Quick Introductions: Who's in the Room?

      • Start by telling us your name, title, and the program or task order this conversation is about.
      • Which organization(s) are you representing on this program? Options: NSA/IC element, Combatant Command, Service component, DoD program office, Civilian agency (DHS, DOJ, etc.), Contracting office, Other
      • What triggered this need: a new IDIQ task order with a 60‑day start, a failed operational test, a surge requirement, or something else? Options: New IDIQ task order (60‑day start), Failed operational test requiring tool redevelopment, Urgent surge for cleared operators, Routine capability refresh or sustainment, Other
      • Who will be the primary decision-maker evaluating vendors for this work? Options: GS‑15 / SES technical director, Mission commander / COCOM lead, Division chief (IC), Contracting officer representative (COR), Acquisition program manager, Other
      • What is the target date for initial performance start or first capability delivery? Options: Within 2 weeks, Within 30 days, Within 60 days, Within 3 months, Later than 3 months, Unsure
      • Which classified or collaboration channels will be available for vendor onboarding and day‑to‑day work? Options: TS/SCI enclave, JWICS/NSANet, SIPR (Secret), Unclassified with Controlled Comms/Share, Other

      Are You Surprised by How Fragile This Mission Is?

      • If this program failed tomorrow, what single failure would you point to first?
      • How frequently has that failure mode occurred in the past 12 months? Options: Almost every month, A few times a year, Once or twice, Rarely, Never / Unsure
      • Tell us about the last time it happened: what broke, what decisions were rushed, and what the immediate impact was.
      • What previous fixes have you tried and why did they fail to stick?
      • How does this recurring problem affect morale, retention, or the team’s willingness to take on risk? Options: Significant negative impact, Moderate impact, Some impact, Little impact, No impact / Unsure

      Where Do Your Tools Quietly Fail You?

      • Which tool, integration point, or data pipeline most often hides a critical blind spot during operations?
      • Which types of tools have caused the most operational pain in the last year? Options: Custom exploitation tools, C2 platforms, Forensics / malware analysis, Data analytics / pipelines, SIEM / logging, Vulnerability scanners, Identity & access systems, Other
      • How many toolchain components failed security review or accreditation in the last 12 months? Options: None, 1–2, 3–5, More than 5, Unsure
      • When a tool fails review, what is the typical remediation timeline? Options: 1–2 weeks, 3–4 weeks, 1–2 months, 3+ months, Variable / Unsure
      • What are the top reasons tools fail review or get pushed back (pick all that apply)? Options: Unsupported 3rd‑party libs / dependencies, Insufficient build provenance, Data flow crossing classification boundaries, Missing test artifacts / evidence, Lack of vetted hardening baseline, Other
      • Describe a recent integration or security-review failure and its downstream operational impact.

      Who Can Actually Execute This Mission — Right Now?

      • How many people on your roster (or contractor bench) would be mission‑ready within two weeks? Options: None / 0, 1–5, 6–15, 16–30, More than 30, Unsure
      • Which cleared roles are hardest for you to staff quickly? Options: Operational cyber operators (24/7), Tool engineers / developers, Reverse engineers / malware analysts, SIGINT / network exploitation specialists, DevSecOps / CI/CD engineers, Program managers / CORs, Other
      • What clearance posture do most required staff need? Options: TS/SCI, TS/SCI + polygraph, Secret (SIPR) only, Collateral only, Mixed set (varies by role), Unsure
      • What is your typical annual attrition rate for those mission roles? Options: <5%, 5–15%, 15–30%, >30%, Unsure
      • Which onboarding bottleneck creates the longest delay (access, training, accreditation, facility, other)? Options: Network / enclave access provisioning, Role‑specific technical training, Tool accreditation / ATO paperwork, Physical facility / SCIF access, Clearance processing, Other
      • Tell us about the last surge you ran: how quickly did you staff, what failed, and what lessons mattered most?

      Who Signs Off, And What Can’t They See?

      • Which approval gate or reviewer typically delays delivery the most? Options: Security accreditation/A&A board, Program office technical lead, Contracting/Financial office, Mission commander / sponsor, Legal/Policy, Other
      • Which roles must explicitly approve the technical solution, staffing, and timeline? Options: Mission sponsor / commander, Technical director / GS‑15, Security control owner / ISSO, A&A / DIACAP board, COR / Contracting office, Other
      • What is the typical SLA you see for those approvals? Options: <1 week, 1–2 weeks, 2–4 weeks, 1–3 months, Longer / unpredictable
      • Which documentation or artifacts most often trip up approval boards (pick all that apply)? Options: Threat model / data flow diagrams, Build provenance / SBOM, Test evidence / acceptance tests, Personnel vetting packages, Security architecture / enclaves, Other
      • How often do classification or compartmentation rules prevent your team from completing essential discovery? Options: Always, Often, Sometimes, Rarely, Never
      • Describe an approval that moved surprisingly fast or painfully slow—what caused that outcome?

      If This Program Succeeded, What Would That Change?

      • Name the single measurable mission outcome you would point to as proof this engagement worked.
      • Which operational metrics must improve (select all that matter)? Options: Time‑to‑detect / hunt, Mean‑time‑to‑remediate (MTTR), Time‑to‑onboard cleared operators, Rate of successful security reviews / ATOs, Coverage of threat telemetry, Reduction in manual toil
      • Who on your team benefits most from that improvement and how would their daily work change?
      • What hiring, retention, or bench metrics would signal long‑term success to leadership? Options: Reduced attrition %, Faster fill times for cleared slots, Larger pre‑cleared bench, Improved operator proficiency scores, Other
      • What would success look like at 90 days versus 18 months—be specific about capabilities and operational behaviors.

      What Would Kill This Contract — Before It Really Begins?

      • If you had to pick one event or decision that would cause you to cancel or pause award, what is it?
      • Which risk categories worry you most right now (select all that apply)? Options: Cleared workforce shortfall, Security accreditation failure, Scope creep / uncontrolled change, Contractual SLAs not met, Budget or funding instability, Leadership / sponsor turnover, Other
      • How much schedule slack do you have to absorb a setback (days/weeks/months)? Options: Less than 7 days, 1–2 weeks, 2–4 weeks, 1–3 months, 3+ months, No slack / Unsure
      • What mitigation approaches would you be willing to fund or accept up‑front (e.g., vendor covering cleared ramp, incremental acceptance, staged ATO)? Options: Vendor provides pre‑cleared bench slots, Staged deliveries with incremental acceptance, Shared risk / performance milestones, Vendor handles initial accreditation effort, Other
      • Describe a past contract or program you canceled or put on hold—what happened and what would have changed the decision?

      Can We Get to a Working Start in 60 Days?

      • What is the minimum vendor deliverable on day one that would make you confident they can meet the initial start date?
      • Would you accept a staged start where cleared personnel are placed first and tooling is accredited later? Options: Yes, Maybe, No
      • Which of the following should be prioritized in the initial SOW or tasking (pick all that apply)? Options: Cleared operator slots with ramp plan, Baseline security artifacts and SBOMs, Prototype on an unclassified environment, Onsite onboarding & shadowing, Knowledge transfer and training plan, Acceptance test criteria and schedule
      • What proof points would convince you to run a paid pilot (e.g., cleared team in 10 business days, successful unclassified demo, first‑submission security pass)? Options: Cleared team available in 10 business days, Unclassified technical demo with scenario replay, First submission passes security review, Reference from comparable classified contract, Other
      • How soon can contracting, funding, and internal approvals be ready to accept a vendor start (select the best estimate)? Options: Immediately, Within 2 weeks, Within 30 days, Within 60 days, Longer than 60 days, Unsure
      • Who on your side will own vendor onboarding, technical acceptance, and ongoing program decisions? Options: Mission sponsor / commander, Technical director / GS‑15, COR / contracting office, Security accreditation lead / ISSO, Program manager, Other
      • Is there anything else that would make or break the first 60 days that we haven’t asked about?
    2. Current Operational Mapping

      Document mission tempo, existing toolchain gaps, failure modes, and staffing shortfalls that risk delivery.

      Current State

      Setting the Scene: Your Mission in One Breath

      • In two sentences, describe the mission this team must deliver in the next 60 days.
      • How soon must capability begin producing operational value? Options: Immediately (days), Within 2 weeks, Within 1 month, Within 2 months, Longer than 2 months
      • What classification/compartmentation level will most work occur under? Options: Unclassified, TS/SCI, TS/SCI with SAP restrictions, Other/Multiple
      • Which internal stakeholders must be engaged for day-to-day decisions about operations? Select all that apply. Options: Mission Commander/Director, Technical Director (GS-15), Tasking COTR/COR, Security/COMSEC Officer, Program Manager, SCO/Accreditation POC, Other
      • Who is the single person who ultimately signs off that the system is acceptable to operate (name and role if known)?

      What Would Break Everything If It Went Wrong?

      • If one thing failed tomorrow and forced mission pause, what would it be? Options: Cleared personnel availability, Primary exploit/toolchain failure, Security accreditation rejection, Network/data access loss, Other
      • Tell the story of the last time that failure happened—what unfolded, and how long before recovery?
      • How often do mission-stopping incidents like that occur? Options: Weekly, Monthly, Quarterly, Yearly, Rare/never
      • What are the emotional and operational consequences when that failure occurs (e.g., loss of confidence, missed tasking, leadership escalations)?
      • Who usually owns the fix when that type of failure happens? Options: Internal engineering team, Contractor partner, Combined team, Ad hoc responder, Other

      Where Your Tools Drop the Ball

      • What part of your toolchain most frequently produces false starts, failed accreditation, or repeated rework? Options: Custom tool security reviews, Data ingestion pipelines, Operator tooling UI, Interop between classified and unclassified systems, Other
      • List the primary tools and platforms currently relied on for mission execution (names, versions, whether commercial or custom).
      • Which integration points consistently take the longest to stabilize? Options: Identity/access provisioning, Data formatting and normalization, Telemetry pipelines, Cross-domain solutions, API compatibility, Other
      • How many times in the past 12 months did a tool fail security review or require >1 resubmission? Options: 0, 1, 2–3, 4–6, More than 6
      • When a tool fails review or integration, what is the typical delay to restore capability (estimate in days)?

      Who Does the Heavy Lifting — and Who Is Gone When It Matters?

      • If three cleared operators left tomorrow, what immediate mission gaps would appear?
      • Provide current counts for cleared roles we care about (operators, engineers, SSO/IA, program security) — list role:count.
      • Which critical skills are consistently hardest to recruit or retain? Options: Kernel/OS reverse engineering, Network exploitation tradecraft, Secure tool engineering, SCIF-accredited operators, Certification/IA SMEs, Other
      • How long does it currently take to fill an open cleared operator slot from requisition to first productive day? Options: <10 business days, 10–20 business days, 1–2 months, 3–6 months, >6 months
      • When staffing gaps occur, how is work redistributed and what gets deprioritized?

      When Pace Moves Faster Than Policy

      • If mission tempo accelerated to require 24/7 coverage within ten business days, what would be your likely first three blockers?
      • How often do unplanned surges happen that require immediate ramping (select frequency)? Options: Weekly, Monthly, Quarterly, Biannually, Rarely
      • What parts of your approval or accreditation process typically create the longest hold-ups during a surge? Options: Personnel vetting/clearance, Platform accreditation, Network/ACL changes, Contracting/PO issuance, Data sharing agreements, Other
      • Describe an example where policy or compartmentation prevented a rapid operational response—what changed and what didn’t get done?
      • What shortcuts (if any) have you permitted during prior surges, and what were the downstream consequences?

      Safety Nets and Failure Modes You Don't Talk About

      • Which single process or dependency would silently cause mission failure if it had a silent defect right now? Options: Operator credentialing, Data pipeline validation, Toolchain build reproducibility, SCIF connectivity, Incident response handoff
      • Do you have documented runbooks and handoffs for that dependency? If yes, how often are they exercised? Options: No runbook, Runbook but rarely exercised (<1/year), Exercised annually, Exercised quarterly, Exercised monthly or more
      • What redundancy exists for the most fragile components (people, tools, networks)?
      • How quickly can you declare a degraded-but-operational posture and who must authorize it?
      • Recall a near-miss where a failure was avoided—what early sign was missed and what would you change now?

      Measure Success — Not Just 'Worked' but 'Trusted'

      • What measurable signals would convince leadership that the capability is mission-ready (pick up to three)? Options: Time-to-first-task (days), Operator proficiency score, Successful security review on first submission, MTTR for incidents, Sustained ops days without human-intervention, Other
      • What current KPIs or SLAs do you use to track operational readiness?
      • What level of staffing SLAs do you require for cleared personnel (e.g., bench-to-fill timelines, replacement guarantees)? Options: 10 business days, 2–4 weeks, 1–2 months, No SLA defined, Other
      • How do you measure operator proficiency and how frequently must a new operator demonstrate mission competency? Options: Scenario-based evaluation, Completed runbook tasks, Shadowing period + certification, Peer review, Other
      • Who will be responsible for accepting the initial capability and what acceptance tests are non-negotiable?

      Decision Dynamics: Who Signs Off When Stakes Are High

      • Who has the authority to change scope or pause mission activity mid-execution—and how quickly do they typically act? Options: Mission Commander, Technical Director, Program Manager, Contracting Officer, Joint approval required, Other
      • Describe the last urgent change-control decision: who was involved, how it was made, and what slowed it down.
      • What contracting or administrative levers most often prevent timely staffing or tooling changes? Options: Rigid statement of work, Slow modification process, Funding restrictions, Security restrictions, Other
      • If we needed to accelerate onboarding or push a critical patch today, who are the five people or roles we must engage immediately?
      • How does escalation to senior leadership typically get triggered and what timeframe do they demand for resolution? Options: Immediate (hours), Within 24 hours, 48–72 hours, Weekly briefing, Depends on mission impact

      If You Had a Magic Wand — The Operational State You’d Sleep Well About

      • Imagine you woke up to a perfect operational day one month from now—what three things are noticeably different?
      • Which of those three changes would be the highest priority to achieve first? Options: Faster cleared staffing, Toolchain stability and first-pass security approvals, Better integration across enclaves, Clearer runbooks/handovers, Other
      • What trade-offs would you accept to get that highest-priority improvement faster (cost, scope, temporary risk tolerance)?
      • If a partner guaranteed to deliver that highest-priority improvement in your timeline, what evidence would you need in the first 14 days to trust them? Options: Named cleared personnel assigned, Initial runbook and onboarding plan, PoC demonstrating tool integration, Security pre-submission checklist, Other
      • What would be the one question you’d want us to answer honestly before you’d consider handing over any operational control?

      Concrete Next Steps: Turning Discovery Into Action

      • Given everything above, what are the top three immediate risks you want us to help mitigate first?
      • What quick wins could we aim to deliver within the first 30 days that would visibly reduce your risk? Options: Assign cleared bench staff for immediate coverage, Complete one tool security submission, Deliver a runbook and run a tabletop, Establish cross-domain data path, Other
      • Who should join a 30-minute follow-up to validate priorities and commit owners (list names and roles)?
      • How would you prefer we represent progress and risks during execution (choose formats)? Options: Daily standup notes, Weekly dashboard, Biweekly exec brief, Shared backlog with issues, Ad hoc emails
      • Are you ready to schedule an operational deep-dive within the next week to review gaps and start mitigation? If not, when? Options: Yes — within 3 business days, Yes — within 1 week, Within 2 weeks, Later than 2 weeks, Unsure
  2. Customer Discovery

    Clarify desired mission outcomes, constraints, stakeholders, and measurable success signals for the program.

    Discovery Questions

    Kickoff — What's Driving This Right Now?

    • What recent event triggered you to explore new support or tools today? Options: New IDIQ/task order, Failed operational test, Urgent surge requirement, Planned program start or refresh, Other
    • Which parts of the program are under the most immediate time pressure? Options: Cleared staffing slots, Tool redevelopment, Security accreditation, Integration with mission systems, Contracting / funding, Other
    • How soon do you need initial personnel or demonstrable capability in place? Options: Within 10 business days, 2–4 weeks, 1–2 months, 3+ months, Unsure
    • Who in your organization will sign off on initial capability, and what is the single metric they care about first?
    • How does this timeline pressure feel to you—are you calm, worried, or urgently constrained? Options: Confident, Concerned but manageable, Highly worried, Panicked/urgent

    Are We Sure We're Solving the Right Problem?

    • If we fixed the obvious staffing and tooling gaps, how likely is it that the mission would still fail because of hidden assumptions? Options: High, Moderate, Low, Unsure
    • Tell me about a recent failure or near-miss—what exactly happened, who noticed it, and what was the ripple effect?
    • Which assumptions about classification, access, or operational context have misled teams before?
    • How long have these hidden assumptions been tolerated before they surfaced as problems? Options: A few weeks, Several months, Over a year, They’re recurring/ongoing
    • Which secondary issues tend to follow the primary failure and make recovery harder? Options: Attrition/bench shortages, Procurement delays, Tool security rejection, Misaligned acceptance criteria, Operational handoff gaps, Other

    Who's Holding the Keys (and Who's Missing)?

    • If one person left tomorrow, who would break the mission? Options: Program manager, Lead operator, Security accreditation lead, Tooling engineer, Contracting officer rep, No single point of failure, Unsure
    • List the stakeholders (names/roles) who must be engaged to make decisions and the private success signals each will use.
    • Which stakeholder groups most often slow decisions or create rework? Options: Legal / policy / security, Acquisition / contracting, Program leadership, Operators / analysts, External oversight, Other
    • How do decision rights and compartmentation affect who can see mission context and when?
    • Give a concrete example when stakeholder misalignment created a measurable delay—what changed afterward?

    What Keeps You Up at Night?

    • What is the worst-case outcome you fear if capabilities are late or underperform? Options: Mission disruption, Compromised operations, Loss of funding/contract, Safety or security breach, Reputational damage, Other
    • How likely do you assess that worst-case outcome is today (give a percent or short rationale)?
    • Which failure modes worry you most right now: personnel ramp, tool security rejection, integration failure, or something else? Options: Personnel ramp and proficiency, Security accreditation rejection, Tool incompatibility with mission systems, Data handling or leakage, Operational process mismatch, Other
    • How have previous vendor engagements either increased your confidence or reinforced these fears?
    • If the start date slips, what are the organizational consequences—political, budgetary, or operational?

    If Everything Worked — What Would Success Actually Look Like?

    • Imagine we hit every milestone perfectly—what single signal would let you sleep at night?
    • Which measurable success signals do you need to see in the first 30, 90, and 180 days? Options: Cleared operators staffed, Initial capability delivered, Security authorization/granted interim access, Successful operational exercise, Integration with mission systems, SLA adherence
    • What operational metrics will you use to prove mission impact (examples: mean time to detect, task throughput, operator uptime)?
    • Who in your chain will declare 'mission achieved' and what exact evidence will they require?
    • What level of initial defect or limitation is acceptable to you in order to meet the timeline? Options: Zero defects (must be production-ready), Minor defects only (non-critical), Operationally acceptable with mitigations, Flexible depending on impact

    The Hidden Constraints We Need to Respect

    • Which non-negotiable constraints are most likely to kill a solution before it starts? Options: Classification level / enclave rules, Facility accreditation / IL2/IL4/IL5 requirements, Interoperability / protocol standards, Budget ceilings or funding windows, Personnel clearance requirements, Legal / policy restrictions
    • Describe the specific environment(s) or enclaves we must support and any STIG/ACAS or baseline requirements to meet.
    • Are there pre-approved vendors, tool baselines, or code libraries that any solution must use? Options: Yes — approved vendor list / baselines, Yes — approved code libraries / toolkits, No strict pre-approvals, Under discussion internally, Unsure
    • How rigid are your security review timelines, and where have they historically slipped?
    • What training, certifications, or cleared slots must staff present before they can access critical systems?

    How Will the Team Ramp and Stay Stable?

    • If a partner promised cleared operators in 10 business days, what would your immediate reaction be inside the program? Options: Relief — fast-track onboarding, Skepticism — need verification, Demand for proof points and bios, Questions about process and compliance, Other
    • What onboarding steps and approvals are required for new staff to be mission-effective on your systems?
    • Which staff profiles do you need first to de-risk the program? Options: Senior operators (10+ yrs), Mid-level operators, Tooling engineers (dev/secops), Security accreditors/IAOs, System integrators, Analysts / data scientists
    • What are the primary drivers of attrition on your program, and what stabilizing actions have worked before?
    • How do you validate operator proficiency and maintain continuous learning while operating inside classified environments?

    How Do We Prove This Will Pass Security and Accreditation?

    • Why have custom tools failed security review in the past—was it design, process, documentation, or something else? Options: Design flaws, Insufficient documentation, Misaligned requirements, Lack of test artifacts, Compliance gaps, Other
    • What artifacts and evidence does your security review board insist on for a first submission?
    • How often do tool submissions historically pass on first review within your organization? Options: Most of the time (>75%), About half (~50%), Rarely (<25%), Never, Don't track
    • Walk me through your accreditation process and typical timeline for a new tool or cleared personnel access.
    • What common feedback from security teams could we proactively address to avoid rework?

    Decision Tradeoffs — What’s Worth Compromising?

    • If you must trade between speed, capability breadth, and security posture, which two would you prioritize for this program? Options: Speed & Security, Speed & Capability, Security & Capability, None — must have all three, Depends on mission phase
    • How open is your program to phased deliveries or capability-limited initial releases to meet urgent timelines? Options: Very open, Somewhat open, Rigid but negotiable, Not open
    • What contractual terms, performance milestones, or SLAs would be deal-breakers for you?
    • Would you accept a rapid proof-of-capability in a controlled environment as a temporary substitute for full accreditation? Options: Yes, with conditions and controls, Maybe, with strict controls and timebox, No — must be fully accredited first, Unsure
    • What contingency plans should we prepare if initial staffing or tools fail to meet expectations?

    Next Steps — Commitments, Evidence, and Timelines

    • What explicit evidence and decision points would convince you to move from exploration to a mutual commitment within 30 days?
    • Which artifacts should we deliver within the first two weeks to build confidence and accelerate approval? Options: Staffing bios & clearance verification, Security design and threat model, Unclassified code demo / PoC, Detailed accreditation plan with milestones, Draft SOW with delivery cadence, Other
    • Who needs to approve the initial deliverable package (roles/names) and what is their preferred acceptance evidence?
    • What communication cadence and escalation path do you prefer during the first 60 days? Options: Weekly status updates, Bi-weekly demos, Daily standups (first 2 weeks), As-needed by exception, Other
    • Is there anything we haven't asked that, if addressed, would materially increase your confidence in a partner?
  3. Solution Experience

    Use the customer’s scenarios to confirm how cleared workforce posture, rapid onboarding, and secure tool engineering deliver the needed outcomes.

    Experience Meetings

    • Pre-Experience Alignment (Pre-Work & Roles)
    • Scenario Confirmation & Root-Cause Walkthrough
    • Live Experience: Cleared Workforce Onboarding & Operator Flow
    • Live Experience: Secure Tool Engineering & Accreditation Proof
    • Synthesis, Acceptance Criteria, and Mutual Next Steps
    • Seller to provide redacted security artifacts and a draft accreditation milestone plan within 3 business days.
    • Both parties to agree on measurement methods and logging/detail required during the live run.
    • Context & Run Rules
    • Demonstrate operator productivity on a customer scenario within the agreed target timeframe.
    • Produce measurable evidence linking cleared workforce posture and onboarding to operational impact.
    • Surface any remaining people/process gaps and commit to mitigations with timelines.
    • Seller to deliver operator performance report (metrics vs acceptance signals) within 48 hours.
    • Customer to confirm whether operator output meets mission commander expectations or list required changes.
    • If gaps noted, assign owners and dates for remediation steps (training, SOP updates, additional tooling).
    • Reconfirm Problem-to-Proof Mapping
    • Prove that the tool engineering approach will meet accreditation constraints and avoid the delays the customer fears.
    • Show concrete controls and artifacts that support a high first-pass security review rate.
    • Agree the accreditation milestones, owners, and timelines required to reach initial operational capability.
    • Introductions & Objectives
    • Customer to identify the accreditation office POC and any non-negotiable control requirements or checklist items.
    • Both parties to sign off on the subset of features that proved the future state and will be included in pilot acceptance criteria.
    • Evidence Recap Against Acceptance Signals
    • Achieve explicit customer judgment on whether the Solution Experience proved the future state for each acceptance signal.
    • Create a mutual plan (pilot scope, schedule, owners) to move from experience to execution with clear success metrics.
    • Assign owners and deadlines for any remediation items required before pilot or contractual commit.
    • Seller to deliver a consolidated Solution Experience report (evidence, metrics, agreed acceptance criteria, and pilot proposal) within 48 hours.
    • Customer to provide formal written acceptance (or list of outstanding concerns) against agreed acceptance signals within 5 business days.
    • Both parties to schedule the pilot kickoff meeting and confirm resource/cleared-staffing slots and accreditation milestones.
    • If contractual or security approvals are required, customer to identify gatekeepers and target decision dates so procurement and accreditation timelines can be coordinated.
    • Lock a single-sentence current state that all participants accept as accurate.
    • Surface and quantify the consequence of doing nothing or failing to act.
    • Agree a single-sentence future-state outcome to guide the experience and acceptance criteria for success.
    • Confirm all logistical pre-work and environment needs so the Solution Experience can proceed without surprises.
    • Customer to deliver sanitized scenario packet and quantified consequence data (loss/time/risk) 5 business days before live session.
    • Seller to produce one-line statements of current state and proposed future state for stakeholder sign-off.
    • Both parties to confirm environment access and list of operator seats/cleared personnel for demonstration.
    • Schedule the live experience window and assign a single point-of-contact for run coordination.
    • Select & Prioritize Scenarios
    • Convert customer scenarios into clear, testable problem statements and failure metrics.
    • Confirm staffing and onboarding assumptions that will be proven during the live experience.
    • Agree a prioritized list of scenario acceptance signals to validate at the end of the solution runs.
    • Customer to annotate scenario packet with specific mission-critical steps and any non-negotiable constraints (classification or tool bans).
    • Seller to prepare a step-by-step test plan that maps each scenario step to the evidence that will prove improvement.
    • One-Sentence Current State
    • Secure Architecture Walkthrough
    • Onboarding Pipeline Demonstration
    • Operational Flow Mapping
    • Customer Validation & Decision
    • Resolve Open Gaps & Contingencies
    • Operator Task Execution (Scenario Walk)
    • Explicit Consequence Quantification
    • Evidence of Rapid Security Review Success
    • Identify Failure Modes & Costs
    • Define Pilot Scope & Success Metrics
    • Staffing & Onboarding Constraints
    • Define Future State (One Sentence)
    • Targeted Feature Proofs (Only What Proves Future State)
    • Evidence of Productivity
    • Mutual Next Steps & Commitments
    • Gap Identification & Mitigation
    • Accreditation Path & Milestones
    • Success Signals & Acceptance Triggers
    • Pre-Work & Environment Checklist
    • Forced Validation
    • Decision & Acceptance Criteria Confirmation
  4. Solution Scope

    Define modules, staffing profiles, security review milestones, acceptance criteria, and delivery cadence.

    Scope Configuration

    • Deploy cleared cyber operators for surge support
    • Onboard cleared operators to classified mission systems
    • Deliver hardened network exploitation toolchain
    • Deploy malware analysis sandbox in classified enclave
    • Integrate custom tooling into government security baseline
    • Implement classified data ingest and normalization pipeline
    • Deploy threat-hunting platform within classified enclave
    • Develop and deploy exploit/payload test framework
    • Migrate legacy logs into mission analytics data lake
    • Deliver OPSEC-hardened CI/CD for classified tooling
    • Provide 24/7 cleared operator shift coverage
    • Deploy mission-management dashboard with RBAC

    Scope Questions

    Deploy cleared cyber operators for surge support

    • Do you anticipate a near-term surge requirement for cleared cyber operators? Options: Yes, No, Undecided
    • What quantity of cleared operators would you need for the surge? Options: 1-5, 6-15, 16-30, 31+
    • Which clearance and access levels are required for surge personnel? Options: TS/SCI with poly, TS/SCI without poly, Secret, Other (specify)
    • What mission skills or specialties must surge operators possess (e.g., red-team, threat hunt, malware reverse engineering)?
    • What is the required time-to-first-capability for surge personnel (i.e., how quickly must they be mission productive)? Options: Within 5 business days, Within 10 business days, 2-4 weeks, More than 4 weeks
    • Are there fixed shift models, union or government policies, or other scheduling constraints that affect surge staffing? Options: 24/7 shifts required, Day-only with overtime, On-call augmentation, Other (describe)
    • Define measurable acceptance criteria for surge operator performance (e.g., ramp productivity metrics, certification checklist, handoff readiness):

    Onboard cleared operators to classified mission systems

    • Do you need full system onboarding for cleared operators (accounts, ACLs, SSO, credentials) or limited sandbox access? Options: Full production onboarding, Restricted/test enclave onboarding, Both
    • Which enclaves/classification levels will operators require access to? Options: Unclassified, Secret, TS/SCI, TS/SCI with SAP compartments
    • What internal sponsor or COR approvals are required before onboarding can begin?
    • What onboarding artifacts must be completed (e.g., background checks, sponsored POCs, cyber awareness, role-based training)?
    • What is the expected timeline to complete onboarding per operator (days/weeks)? Options: <5 business days, 5-10 business days, 2-4 weeks, 4+ weeks
    • Are there system integrators, ops teams, or data owners we must coordinate with during onboarding? Options: Yes, No
    • List acceptance criteria to confirm an operator is fully onboarded and mission-capable (e.g., successful access, checklist signoff, shadow shift completion):

    Deliver hardened network exploitation toolchain

    • Is the tooling intended for development, operational use, or both? Options: Development only, Operational only, Both
    • What classified enclave(s) must the exploitation toolchain reside in? Options: Secret enclave, TS/SCI enclave, TS/SCI SAP, Unclassified for dev, classified for deploy
    • What hardening baselines or STIGs must the toolchain meet? Options: DoD STIGs, Agency-specific baseline, FISMA/NIST 800-53, Other (specify)
    • What languages, platforms, and dependencies must the toolchain support (e.g., Windows/Linux, python/C, virtualization)?
    • Do you require automated security testing and review evidence for government submission (e.g., SBOM, SAST results, vulnerability scan reports)? Options: Yes, No, Partial (specify)
    • Describe success criteria for delivery (e.g., first-run exploitation in enclave, security accreditation milestone, operator acceptance tests):

    Deploy malware analysis sandbox in classified enclave

    • Will the sandbox be used for static analysis, dynamic execution, or both? Options: Static only, Dynamic only, Both
    • Which classification level should host the sandbox? Options: Secret, TS/SCI, TS/SCI SAP, Unclassified dev with classified deployment
    • What telemetry and logging export/retention requirements exist for sandbox runs? Options: Short-term (30 days), Medium-term (90 days), Long-term (1+ year), Custom (specify)
    • What analysis tooling and integrations are required (e.g., debuggers, DLL/API hooks, dynamic taint analysis, YARA, threat intel feeds)?
    • Are there constraints on network egress or synthetic target creation within the enclave? Options: No egress allowed, Controlled egress via proxy, Can simulate targets internally, Other (specify)
    • List acceptance criteria for the sandbox (e.g., safe detonation, reproducible artifacts, operator workflows validated):

    Integrate custom tooling into government security baseline

    • Is the integration aimed at achieving formal accreditation (e.g., Authority to Operate) or informal operational alignment? Options: Formal accreditation, Operational alignment only, Both
    • Which baseline documents or authorities must the tooling comply with (e.g., STIGs, ATO package, ATO POC, agency ISCM)?
    • What artifacts are available or required for submission (e.g., design docs, threat model, SBOM, test reports)?
    • Who are the accreditation stakeholders (e.g., ISSO, AO, IATO holder) and do they have fixed review SLAs?
    • Do you require remediation support for security findings or a service-level commitment on closure timelines? Options: Yes, remediation support, No, we will remediate, Need guidance on prioritization
    • Define success criteria for baseline integration (e.g., ATO granted, minor findings closed, baseline checklist accepted):

    Implement classified data ingest and normalization pipeline

    • What data classes and sources will be ingested (e.g., network logs, PCAP, host telemetry, sensor feeds)?
    • What classification level will the pipeline operate at, and are there cross-domain transfer requirements? Options: Secret, TS/SCI, Cross-domain required, Unclassified
    • What ingest rates and retention volumes do you expect (e.g., GB/day, TB/month)? Options: <100 GB/day, 100 GB - 1 TB/day, 1 TB - 10 TB/day, 10+ TB/day
    • Which normalization schema or data model should be used (e.g., custom, Elastic Common Schema, STIX/TAXII), or will you accept recommendation? Options: ECS, STIX/TAXII, Custom schema, Recommend based on data
    • Are there PII/PHI handling rules, redaction, or transformation requirements we must implement before storage or analysis? Options: Yes, No, Partially (specify)
    • Describe acceptance criteria for the pipeline (e.g., percent successful ingest, schema validation rate, latency SLAs):

    Deploy threat-hunting platform within classified enclave

    • Is the platform focused on real-time detection, retrospective hunting, or both? Options: Real-time detection, Retrospective hunting, Both
    • Which data sources must the platform consume (select all that apply)? Options: Network telemetry, Endpoint logs, Proxy/Firewall logs, Email/IM telemetry, Custom sensors
    • What analyst headcount and shift model will use the platform? Options: Small team (1-3), Medium (4-10), Large (10+)
    • Are there playbook or automation requirements (e.g., SOAR integrations, scripted enrichments)? Options: Yes — SOAR/playbooks required, No automation needed, Advisory only
    • What retention and search performance SLAs are required for hunting queries? Options: Short retention, fast search, Long retention, slower queries, Specify metrics
    • Define success criteria for platform deployment (e.g., number of successful hunts, mean time to detect improvement, operator satisfaction):

    Develop and deploy exploit/payload test framework

    • Will the framework be used for safe testing only or for integrated CI validation of exploit chains? Options: Safe testing in isolated lab, CI-driven validation, Both
    • Which languages, runtime environments, and target modalities must the framework support?
    • Are there containment, telemetry capture, and artifact extraction requirements for each test run? Options: Yes, full containment and telemetry, Basic logging only, Custom—specify
    • Do you require repeatable test harnesses and regression suites for every tool change? Options: Yes, No, Partial
    • What approval and safety processes must tests pass before execution in classified environments?
    • List acceptance criteria for the framework (e.g., reproducible test cases, captured artifacts, CI pass rates):

    Migrate legacy logs into mission analytics data lake

    • What legacy log sources and formats must be migrated (e.g., syslog, Windows Event, proprietary appliance logs)?
    • What is the total historical volume to migrate and the desired migration window? Options: <1 TB, 1-10 TB, 10-100 TB, 100+ TB
    • Do logs require transformation, enrichment, or normalization during migration? Options: Yes—transform/enrich, No—raw migration, Partial—specify
    • Are there retention, access control, or chain-of-custody requirements for migrated logs? Options: Yes, No
    • Will migration require coordination with legacy system owners or maintenance windows? Options: Yes—maintenance windows required, No—hot migration possible
    • Describe success criteria for migration (e.g., percent records migrated, validation sampling, query parity):

    Deliver OPSEC-hardened CI/CD for classified tooling

    • Is the CI/CD pipeline intended to operate inside the classified enclave or as a gated/unclassified pipeline with secure transfers? Options: Inside classified enclave, Gated unclassified pipeline with transfer, Hybrid
    • Which pipeline stages are required (e.g., build, unit test, static analysis, packaging, security gating, deployment)? Options: Build, Unit Test, SAST, Packaging, Security Gating, Deploy
    • What OPSEC constraints must be enforced (e.g., no external artifact mirrors, strict SBOM control, developer access limitations)?
    • Do you require signed artifacts and reproducible builds as part of the pipeline? Options: Yes, both, Signed artifacts only, No
  5. Mutual Commit

    Resolve contract modules, SLAs for cleared staffing, security accreditation milestones, and change-control obligations.

    Agreement Modules

    • Non-Disclosure Agreement (NDA)
    • Master Services Agreement (MSA)
    • Statement of Work (SOW)
    • Service Level Agreement (SLA) — Cleared Staffing & Performance
    • Security Accreditation & Milestone Plan
    • Personnel Clearance & Vetting Addendum
    • Change Control & Scope Modification Agreement
    • Acceptance & Validation Test Plan
    • Pricing, Billing & Payment Schedule
    • Data Rights, Classification & Handling Agreement
    • Intellectual Property & Source Code Escrow
    • Transition, Offboarding & Knowledge Transfer
  6. Deployment

    Operationalize rollout with readiness checks, enablement, and outcome validation.

    1. Security & Onboarding Readiness

      Confirm environments, accreditation path, access, cleared personnel slots, and training required before execution.

      Readiness Questions

      Quick Grounding: Who We're Talking About

      • Please tell us your name, role, organization, and the mission or program this discussion should focus on.
      • Which best describes your organization? Options: Military cyber command, Intelligence agency division, Defense contractor program office, Civilian agency technical directorate, Other
      • What triggered this engagement right now? Options: New IDIQ/task order with 60-day start, Failed operational test requiring redevelopment, Surge requirement for cleared operators, Planned capability refresh, Other
      • What is your hard deadline for initial capability or performance start date (give the calendar date or window)?
      • Which metrics or signals will you use to decide the initial delivery was acceptable? Options: Operator competency (proficiency test), Security accreditation milestone, Operational acceptance test (OAT) pass, Time-to-first-op (weeks), Other
      • Who will sign the acceptance and who holds final technical authority for staffing and tool choices? Options: Program manager (PM), Technical director / GS-15, Contracting officer representative (COR), Mission commander, Other

      If This Goes Sideways, Who Pays the Price?

      • Three months in, what would a real failure look like for your mission (concrete outcomes, not abstract worries)?
      • How often have you encountered those failure outcomes in past programs? Options: Never, Rarely (once), Occasionally (2–3 times), Frequently (4+ times)
      • When those failures happened, what immediate operational impacts did you see (pick all that applied)? Options: Mission pause or reroute, Loss of intelligence collection windows, Increased risk to forces/personnel, Extra contractor cost/stop-gap hires, Negative leadership/oversight attention
      • Tell us a specific past incident where staffing, tooling, or accreditation caused mission harm—what happened and how long did recovery take?
      • How does the risk of failure make you or your leadership feel—frustrated, exposed, defensive, or something else? Options: Frustrated, Exposed/vulnerable, Defensive/protective, Uncertain/hesitant, Other

      Why Does Ramp Time Still Feel Normal?

      • Why does onboarding routinely take months when many missions now require results in weeks?
      • What is your typical onboarding timeline today from award to first cleared operator on system? Options: <2 weeks, 2–4 weeks, 1–3 months, 3–6 months, >6 months
      • Which bottlenecks most extend ramp time for you? Options: Clearance processing, Environment/credentials access, Training/certification schedule, Tool accreditation delays, Operational compartmentation, Other
      • What percentage of candidates who join your program already hold the required clearance and relevant system access? Options: 0–10%, 11–30%, 31–60%, 61–90%, >90%
      • Describe the last time ramp went fast—what specific decisions or shortcuts made it possible and how repeatable are they?
      • If we proposed a compressed onboarding path, which internal approvals would we need to change or accelerate? Options: COR sign-off, Security/IA approval, Training waiver, Badge/credentialing lane prioritization, None/other

      Where Do Tools Actually Break Down Under Pressure?

      • Why do tools that succeed in demos often fail security review, accreditation, or live ops in your environment?
      • Which failure modes have you seen most often when a tool is moved to classified systems? Options: Data exfiltration risk, Undefined dependency or library, Insufficient documentation for review, Performance under load, Compatibility with MIL/NSA baselines, Other
      • How many custom tools or integrations are currently under development for this program? Options: None, 1–2, 3–5, 6–10, More than 10
      • When a security review requires rework, how many iterative submissions does it usually take before approval? Options: First submission usually passes, 2 submissions, 3 submissions, 4+ submissions
      • Who owns the accreditation path and artifacts in your program (IA office, primes, or program security officer)? Options: Program IA/CSO, Prime contractor, Government security office, Shared responsibility, Other
      • Share an example of a tool rejection or major rework: what was the rejection reason and how did it affect schedule?

      What Would Real Operational Readiness Look Like?

      • If you could achieve initial operational capability in six weeks instead of six months, what would be different about your mission day-to-day?
      • Which of these would you count as hard acceptance criteria for mission-ready status? Options: Security accreditation milestone, Operator proficiency threshold, Operational acceptance test (OAT) pass, Continuous incident-handling capability, Sustained 24/7 coverage capability
      • What operator proficiency standard matters most to you (pick the closest match)? Options: Observe-only trained, Basic operator able to follow playbooks, Fully mission-capable with minimal supervision, Senior operator able to lead ops and mentor
      • Which measurable signals would prove early success during the first 90 days? Options: Authorized access to environments, First successful mission task, Passing security checkpoint, Operator retention >90 days, Reduced incident response time
      • Describe one real-world scenario or mission thread we should use to validate the solution during initial deployment.

      What Would It Take to Shift Accountability (and Schedule)?

      • If we moved from blaming process to holding specific parties accountable for delivery milestones, who would you be willing to make accountable? Options: Program office/PM, Prime contractor, Vendor/host provider, Joint owner model, Unwilling to assign
      • How open is your acquisition or COR team to modular milestones, where we deliver a secure, limited-scope capability fast and iterate after? Options: Very open, Somewhat open, Unsure, Not open
      • Which tradeoffs would you accept to cut delivery time in half? Options: Reduced initial scope, Limited classification footprint, Short-term waivers for non-critical controls, Higher vendor staffing commitment, No tradeoffs acceptable
      • Do you have the authority to approve accelerated staffing slots (cleared hires) or does that require additional leadership sign-off? Options: Yes, I can approve, Requires PM/Lead approval, Requires contracting approval, Other
      • If we proposed SLAs for cleared staffing, security milestones, and acceptance tests, which SLA would you prioritize? Options: Cleared personnel delivery time, Security milestone adherence, Tool accreditation turnaround, Operator proficiency targets, Other

      Practical Next Steps: What We’d Need to Mobilize Fast

      • If you had to list five non‑negotiables we must have to start within ten business days, what are they (names, access, approvals, or artifacts)?
      • Which environment and access items can you provide within two weeks? Options: Unclassified test range, Prod-simulated VM images, Controlled classified enclave access, Service accounts/privileged creds, None immediately available
      • What is the current status of your security accreditation path for new tools (pick the closest)? Options: Preliminary concept only, Existing baseline with gaps, Accreditation in progress, Accredited for required classification, Unknown
      • How many cleared personnel slots could you commit to filling from a vendor bench within ten business days? Options: 0, 1–3, 4–10, 11–20, 20+
      • Who should we schedule as decision owners for commerce and security—please list names, roles, and contact emails for 1–3 POCs.
      • On a scale of confidence, how ready do you feel to begin a compressed onboarding and accreditation push? (Low/Medium/High) Options: Low, Medium, High
    2. Deployment Enablement

      Schedule onboarding, staff ramp, tool integration, and operational handoffs with clear owners and milestones.

    3. Validation Checklist

      Verify security approvals, operator proficiency, and acceptance tests to confirm initial mission capability.

      Validation Questions

      Tell Us the Mission That Keeps You Up at Night

      • What's the immediate mission driver for this engagement? Options: New IDIQ task order (60‑day start), Failed operational test requiring rebuild, Surge requirement for cleared operators, Capability modernization, Other
      • What classification/compartmenting level will the work operate at? Options: Unclassified, Secret, Top Secret, TS/SCI, Special Access/Compartmented (SAP)
      • What's your target operational start date or the deadline that matters most?
      • Name the top three non‑negotiable success criteria for this effort.
      • Which timeline constraint worries you most right now? Options: Onboarding speed for cleared staff, Security accreditation path, Contracting/procurement schedule, Integration with legacy systems, Sustained staffing over mission life
      • How will you know the program is off to a good start at 30 days?
      • Who is ultimately accountable for program success and who signs milestone approvals? Options: Mission commander, Division chief, GS‑15 technical director, Contracting officer representative (COR), Program manager, Other

      Are You Running On Hope or Hardened Capacity?

      • How confident are you that your current cleared workforce can absorb this work without months‑long ramping? Options: Very confident, Somewhat confident, Not confident, Unknown
      • How many cleared operators could you reliably assign within 10 business days? Options: None, 1–5, 6–20, 21–50, 50+
      • What has been your typical time‑to‑productivity for newly onboarded cleared staff? Options: <2 weeks, 2–8 weeks, 2–3 months, 3–6 months, >6 months
      • What's the annual attrition rate for the critical cyber roles we would need? Options: <5%, 5–15%, 16–30%, >30%, Unknown
      • Tell us about a recent staffing surprise that materially impacted mission delivery—what happened and how long to recover?
      • Which skill sets are hardest for you to replace quickly? Options: Network exploitation, Malware reverse engineering, Threat hunting/DFIR, Mission systems engineering, TS/SCI cleared senior leadership, Other
      • If a vendor guaranteed X cleared operators in Y days, what would that change about your plan?

      Where Do Your Tools Betray You?

      • Which parts of your toolchain are most likely to fail a government security review today? Options: Custom tooling, Third‑party dependencies, Integration/middleware, CI/CD and build provenance, Data handling and storage, Unknown
      • How frequently do security reviews force a redesign or cause program delays? Options: Almost always, Often, Sometimes, Rarely, Never
      • When a tool fails accreditation, what is the most common root cause you see? Options: Insufficient documentation, Sensitive data flows, Dependency vulnerabilities, Operational separation issues, Unknown
      • Describe the last tool or component that failed accreditation—what specifically blocked approval?
      • Which target platforms or systems must any solution integrate with to be mission‑useful? Options: Mission management system, SIEM/analytics, Network sensors/NSM, Forensic/data labs, Secure cloud enclaves, Cross‑domain solutions (CDS), Other
      • How quickly do you need a clear, compliant engineering path—weeks, months, or longer? Options: Within 2 weeks, Within 4 weeks, 1–3 months, 3+ months, Unsure
      • What pass rate on first security submission would you consider acceptable? Options: >80%, 60–80%, 40–60%, <40%, No specific expectation

      When Ops Go Sideways, Who Feels the Burn?

      • What single operational failure would trigger an immediate leadership escalation? Options: Loss of critical capability, Compromise of classified data, Sustained staffing shortfall, Mission tool outage, Contractual breach, Other
      • Describe a recent incident that required rapid remediation—how did your team respond and what lessons stuck?
      • How long can degraded capability persist before mission impact becomes unacceptable? Options: Hours, 1–3 days, 1 week, 2+ weeks, Depends on mission
      • Which telemetry, alerts, or human signals do you trust to detect mission degradation? Options: Automated alerts, Operator reports/comms, Periodic integrated tests, External audits/assessments, Other
      • Who leads incident response and what decision authority do they hold during an outage?
      • How has prior attrition amplified operational fragility—can you give a concrete example and timeframe?
      • What contingency measures do you currently have to preserve critical functions during staff gaps? Options: Cross‑training, Contractor bench, Automated playbooks, Mission triage/prioritization, None/limited

      Are Decision Paths Clear—or Hidden in a Smoke‑Filled Room?

      • Whose approval could actually stop this program from moving forward? Options: Budget holder, Security accreditation authority, Contracting officer, Mission lead, Legal/compliance, Other
      • List the core stakeholders who must be engaged for milestone sign‑off (names/titles if possible).
      • How often do cross‑organizational dependencies (security, procurement, operations) delay your programs? Options: Frequently, Sometimes, Rarely, Never, Unsure
      • Which contractual or procurement terms typically become sticking points in your experience? Options: Clearance staffing SLAs, Security accreditation milestones, Change control process, IP/data rights, Pricing/option periods, Other
      • Tell us about a recent approval process that surprised you—what held it up and how long did it take?
      • Who on your side should we keep closely informed during discovery and demos? Options: Program manager, Security lead/PSO, Operations lead, Contracting officer rep, Legal, Other
      • How do you prefer to evaluate technical capability—unclassified sandbox, tabletop, or representative live demo? Options: Unclassified sandbox demo, Tabletop walkthrough, Live demo in representative environment, Recorded technical deep dive, Other

      If We Could Deliver a Win in 90 Days, What Would It Look Like?

      • What concrete outcome in the next 90 days would make leadership call this engagement a clear win?
      • Which operator‑level capabilities should be demonstrable at 30/60/90 days (pick all that apply)? Options: Operator proficiency on mission systems, Integrated tooling deployed, Analytics dashboards producing actionable reports, First security milestone passed, Initial mission tasks completed independently
      • What measurable signals will you track to judge progress (examples: time‑to‑task, proficiency, uptime)? Options: Operator proficiency scores, Time‑to‑task completion, Availability/uptime, Security milestone completions, Customer satisfaction/leadership confidence
      • How will you validate operator proficiency—exercise, formal certification, shadowing, or live ops? Options: Scenario exercises, Formal certification, Shadowing in live ops, Simulated missions, Other
      • What cadence can your team allocate for acceptance testing and iterative feedback? Options: Daily, Weekly, Biweekly, Monthly, Limited/as‑available
      • If acceptance criteria aren't met at 90 days, what decision path or remediation will you expect?
      • Which risks would immediately trigger a pause or re‑scoping of the effort? Options: Security failure/block, Unmet staffing SLA, Budget constraints, Poor performance vs objectives, Other

      Who and What Needs Clearance Before We Start?

      • How many cleared seats are already approved and genuinely usable for this program? Options: None, Some reserved but occupied, Dedicated available seats, Unclear/depends on slots, Other
      • What level of clearance do the operators and engineers need to hold? Options: Secret, Top Secret, TS/SCI, Special access (SAP)
      • Describe your access‑provisioning timeline from request to operational access.
      • Which environments (labs, enclaves, CDS) must be available for onboarding and testing? Options: On‑prem classified lab, Secure cloud enclave, Cross‑domain solution (CDS), Air‑gapped forensic lab, Other
      • What mandatory training, indoctrination, or local processes must staff complete before contributing?
      • Who owns accreditation engagement internally (title/office), and what's their preferred reporting frequency?
      • Have past onboarding efforts hit hidden bottlenecks? If so, what were they and how long did resolution take?

      If We Built It, How Would You Prove It Worked Under Fire?

      • Do your current acceptance tests simulate real mission pressure or are they mostly checkbox exercises? Options: Realistic and stressful, Partially realistic, Mostly checkbox, Unsure
      • Which red‑team or stress testing approaches do you require before acceptance? Options: Full red‑team exercise, Scenario‑based live exercise, Live traffic injection, Tabletop only, Other
      • What quantitative thresholds must be met (examples: MTTR, false positive rate, uptime) to consider performance acceptable?
      • Which datasets, telemetry, or logs are essential for validating the solution's effectiveness?
      • Who formally signs off on test results and what documentation do they require?
      • If initial capability fails a test, how many remediation cycles are acceptable before leadership re‑assesses? Options: 1 cycle, 2 cycles, 3 cycles, Open‑ended until fixed, Depends on severity
      • What operational metrics will demonstrate operator competence post‑onboarding (pick all that apply)? Options: Independent task completion, Time‑to‑competence, Error rate reduction, Mission success rate, Other

      What's the Real Cost of Doing Nothing (Or Doing the Same Thing)?

      • If you delay or maintain the current approach, how will mission risk change over the next 6–12 months? Options: Increase significantly, Increase moderately, Stay same, Decrease, Unsure
      • Estimate the tangible operational impact of continued gaps (missed missions, delayed timelines, compromised data)—be specific.
      • How many ops‑hours or staff hours does a typical tool failure or staffing incident cost you? Options: <100 hours, 100–500 hours, 500–2000 hours, 2000+ hours, Unknown
      • Which capability gap, if left open, has the highest probability of strategic failure?
  7. Success

    Review outcomes against success signals, capture lessons learned, and manage issues and enhancements in a shared backlog.

    Success Reviews

    • Success Signals Review
    • Lessons Learned Retrospective
    • Shared Backlog Prioritization & Roadmap
    • Operational Handover & Sustainment Planning
    • Contract Closeout, Change Control & Continuous Governance

    Issues & Enhancements

    • Complete environment access provisioning and publish runbooks to the operational repository
    • Update operator onboarding checklist, runbooks, and security submission templates
    • Circulate AAR to governance and archive in shared program repository
    • Backlog Overview
    • Produce a prioritized backlog with owners, acceptance criteria, and committed delivery windows.
    • Agree SLAs and escalation paths to manage operational risk and accreditation impact.
    • Ensure backlog items are appropriately classified by classification and staffing constraints.
    • Populate prioritized tickets into the shared backlog system with owners, priority, and acceptance criteria
    • Publish the 90-day roadmap and sprint commitments to governance stakeholders
    • Implement SLA monitoring dashboards and escalation contacts
    • Flag any items requiring contract changes or additional cleared personnel and initiate procurement/AMEND process
    • Schedule operator proficiency verification and ongoing training cycles.
    • Assign monitoring and incident response ownership with SLAs and escalation paths.
    • Handover Checklist Review
    • Confirm the system and team are ready for sustainment with documented runbooks and verified access.
    • Opening & Objectives
    • Assign monitoring/incident response owners and configure alerting thresholds
    • Schedule and conduct operator proficiency assessments and certify operators against acceptance criteria
    • Finalize and collect formal handover sign-offs from GOV/CONTRACT sponsors
    • Contractual Status Review
    • Close or document all remaining contractual open items and agree remediation steps.
    • Put in place a clear change-control mechanism that preserves accreditation and staffing constraints.
    • Establish a recurring governance cadence with agreed KPIs and reporting responsibilities.
    • Draft required contract amendments or completion memos and route for signatures
    • Publish the formal change-control policy and approval matrix into the program repository
    • Schedule recurring governance meetings and distribute reporting templates
    • Assign a contract/program POC to manage escalation of SLAs and resourcing constraints
    • Confirm which success signals are satisfied with evidence and formally record acceptance status.
    • Identify and prioritize any unmet signals with agreed remediation owners and timelines.
    • Establish concrete revalidation checkpoints and deliverables for partial accept cases.
    • Produce and attach an evidence bundle mapping tests/metrics to each success signal
    • Create remediation tickets for unmet signals with owners, due dates, and acceptance criteria
    • Schedule revalidation meeting(s) at agreed checkpoints (dates and owners)
    • Update the program status brief for contracting and governance stakeholders
    • Set Retrospective Rules & Scope
    • Produce a prioritized list of actionable lessons with owners and target dates.
    • Identify systemic causes to be addressed at process or contractual level.
    • Define how lessons will be operationalized (playbooks, onboarding updates, contract language changes).
    • Draft the Lessons Learned AAR with evidence, RCA, and recommended fixes
    • Assign process improvement owners to implement onboarding, accreditations, and staffing fixes
    • Recap Agreed Success Signals
    • Triage Critical Items
    • Accreditation & Access Status
    • Timeline Walkthrough
    • SLA & Performance Metrics Reconciliation
    • What Went Well
    • Prioritization Criteria Alignment
    • Present Evidence & Metrics
    • Cleared Workforce & Roster Management
    • Change Control Process
    • What Should Improve
    • Governance Cadence & Metrics
    • Monitoring, Incident Response & SLAs
    • Roadmap & Sprint Commitments
    • Gap Analysis vs Signals
    • Ownership & Escalation Map
    • SLA & Escalation Procedures
    • Root Cause Analysis
    • Training & Proficiency Validation
    • Decision & Acceptance Path
First-Party AI

1-2 minutes please — Your AI agent is working

First-Party AI™ can make mistakes. Always check important information.