Software consulting for defense programs, built by people who wore the uniform.
SDVOSB-certified. CMMC-aligned SDLC. We integrate with primes on SeaPort-NxG, OASIS+, and direct-to-DoD work without making the program manager's life harder.
Most software shops can't tell a CDRL from a sprint goal — and it shows on day 30.
Defense programs do not fail because the engineering is impossible. They fail because the contractor treats the program like a commercial SaaS build. The team commits to commercial GitHub before anyone checks the DD-254. Someone emails ITAR-controlled drawings to a personal Gmail. The prime's IPT asks for SSP artifacts at the integration review and gets a Confluence page. The ATO slips two quarters. Now the program manager is explaining to the colonel why the schedule moved, and your subcontract is the line item with the red dot next to it.
- Commits and CI runners hosted in commercial cloud regions, putting CUI in a boundary that won't pass a CMMC Level 2 assessment.
- Engineers without clearances or citizenship verification touching ITAR-controlled technical data because nobody read the export-control clause.
- Sprint demos that ignore CDRL deadlines, TRRs, and the prime's stage-gate reviews — the program office finds out at PDR.
- ATO documentation written the week of assessment instead of generated as a build artifact, leading to POA&Ms that block production deployment.
Build like the audit and the ATO are already scheduled.
- STEP-01: Map the compliance boundary first
  Before writing code, we draw the CUI boundary, identify ITAR-controlled artifacts, and decide what runs in GovCloud vs. commercial. This drives repo topology, CI runner placement, and which engineers can touch which branches. Get this wrong and you rewrite later.
- STEP-02: Stand up a CMMC-aligned SDLC
  GitHub Enterprise or GitLab in GovCloud, signed commits, FIPS 140-2 validated crypto, SBOM generation per build, and SSP artifacts produced as a byproduct of the pipeline — not a Word doc someone updates the night before assessment.
- STEP-03: Integrate with the prime's stack
  Primes have opinions: Jira workflows, ClearCase or Azure DevOps, ServiceNow for change control, specific static analysis tooling (Fortify, Coverity). We adapt to their SDLC instead of fighting it, and we deliver artifacts in the formats their IPTs already consume.
- STEP-04: Ship in increments the program office accepts
  Defense procurement runs on milestones, not sprints. We structure delivery around CDRLs, TRRs, and PDR/CDR gates while keeping engineering cadence weekly internally. Demos go to the warfighter or program manager, not just the prime's PMO.
- STEP-05: Hand off with documentation that survives
  Code outlives contracts. We leave behind ATO packages, threat models, runbooks, and onboarding docs sized for a follow-on contractor who has never seen the system. No tribal knowledge, no hero engineers required to keep it running.
```yaml
# .github/workflows/cmmc-build.yml
# Runs on self-hosted runners inside AWS GovCloud (us-gov-west-1)
name: build-and-attest
on:
  push:
    branches: [main, release/*]
jobs:
  build:
    runs-on: [self-hosted, govcloud, fips]
    permissions:
      id-token: write   # OIDC into GovCloud, no long-lived keys
      contents: read
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }   # full history so commit verification has the parents
      - name: Verify signed commits (CMMC L2 SI.L2-3.14.1)
        run: git verify-commit HEAD   # checks the tip commit only; widen to a range for the whole push
      - name: SAST (Fortify)
        run: fortifyscan --fail-on high   # must be configured to write scan-results.sarif for the upload step
      - name: Generate SBOM (CycloneDX)
        run: syft . -o cyclonedx-json > sbom.json
      # (the build step that produces dist/app.tar.gz is omitted from this excerpt)
      - name: Sign artifact with HSM-backed key
        run: cosign sign-blob --key awskms:///alias/build-signing dist/app.tar.gz
      - name: Push SSP evidence to eMASS
        run: ./scripts/emass-upload.sh sbom.json scan-results.sarif
```
A CMMC-aligned pipeline produces SSP evidence as a build artifact — assessors get auditable proof, not a screenshot collected the week of the assessment.
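The workflow above ends by handing the SBOM and scan results to an upload script, but it never binds that evidence to the commit, the CI run, or the runner that produced it. The following is an added example, not VooStack's code or a script from the page, of what an evidence-collection step between "Generate SBOM" and "Push SSP evidence" could do: hash every required artifact, refuse to continue if any is missing, refuse if the runner labels do not place the build inside the GovCloud/FIPS boundary, and emit a single manifest the upload step can ship alongside the raw files. The file names, the runner labels, the control descriptions, and `make_sample_workspace` (which writes constructed dummy files) are all assumptions for illustration.

```python
# Added example (not VooStack's code): an evidence-collection step for a
# CMMC-aligned pipeline. Turns the SBOM, SAST output and artifact signature
# into a hashed, commit-bound manifest that an upload step can ship to eMASS.
# File names, runner labels and the purpose strings are assumptions.
import hashlib
import json
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Evidence every build must produce. The purpose strings are illustrative
# placeholders, not an authoritative CMMC practice mapping.
REQUIRED_EVIDENCE = {
    "sbom.json": "CycloneDX SBOM generated for this build",
    "scan-results.sarif": "SAST findings for this commit",
    "dist/app.tar.gz.sig": "detached signature from the HSM-backed key",
}

# Labels that place the runner inside the CUI boundary (assumed names,
# matching the runs-on line in the workflow above).
BOUNDARY_LABELS = frozenset({"self-hosted", "govcloud", "fips"})

COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large artifacts don't sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def missing_evidence(workdir: Path) -> list[str]:
    """Names of required evidence files that this build did not produce."""
    return [name for name in REQUIRED_EVIDENCE if not (workdir / name).is_file()]


def build_manifest(workdir: Path, commit_sha: str, run_id: str,
                   runner_labels: list[str]) -> dict:
    """Hash each evidence file and bind it to the commit and CI run.

    Fails closed: a malformed commit id, a runner outside the boundary, or a
    missing artifact aborts the build instead of producing partial evidence.
    """
    if not COMMIT_SHA.match(commit_sha):
        raise ValueError(f"not a full commit sha: {commit_sha!r}")
    if not BOUNDARY_LABELS <= set(runner_labels):
        raise RuntimeError(
            f"runner labels {sorted(runner_labels)} lack {sorted(BOUNDARY_LABELS)}")
    missing = missing_evidence(workdir)
    if missing:
        raise FileNotFoundError(f"build produced no evidence for: {missing}")
    return {
        "commit": commit_sha,
        "run_id": run_id,
        "runner_labels": sorted(runner_labels),
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "evidence": {
            name: {
                "sha256": sha256_file(workdir / name),
                "size": (workdir / name).stat().st_size,
                "purpose": purpose,
            }
            for name, purpose in REQUIRED_EVIDENCE.items()
        },
    }


def write_manifest(workdir: Path, manifest: dict) -> Path:
    """Write the manifest next to the evidence so the upload step ships it too."""
    out = workdir / "evidence-manifest.json"
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return out


def make_sample_workspace() -> Path:
    """Constructed stand-in for a build directory; every file is a dummy."""
    root = Path(tempfile.mkdtemp(prefix="cmmc-evidence-"))
    (root / "dist").mkdir()
    (root / "sbom.json").write_text('{"bomFormat": "CycloneDX", "components": []}')
    (root / "scan-results.sarif").write_text('{"version": "2.1.0", "runs": []}')
    (root / "dist" / "app.tar.gz.sig").write_bytes(b"constructed-signature-bytes")
    return root


if __name__ == "__main__":
    ws = make_sample_workspace()
    manifest = build_manifest(ws, "a" * 40, "run-0001",
                              ["self-hosted", "govcloud", "fips"])
    print(write_manifest(ws, manifest).read_text())
```

In the real pipeline the commit, run id and labels would come from the CI environment (for GitHub Actions, `GITHUB_SHA` and `GITHUB_RUN_ID`) rather than literals, and the manifest would be signed with the same HSM-backed key as the artifact so the evidence bundle is tamper-evident end to end. The point is the fail-closed shape: the upload step never runs with a partial set of artifacts, and a build that ran on a commercial runner cannot produce evidence that looks valid.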
Field FAQ.
→ Are you actually SDVOSB-certified, and does that matter for my contract?
Yes. VooStack is SDVOSB-certified through the SBA's Veteran Small Business Certification (VetCert) program, which replaced the old VA CVE process for non-VA contracts. That matters when your contract has SDVOSB set-aside dollars, subcontracting plan goals under FAR 52.219-9, or when a prime needs to hit small-business utilization on a large IDIQ. We can be your prime on set-asides or your sub on larger vehicles.
→ Do you handle CUI and work inside GovCloud?
Yes. We default to AWS GovCloud or Azure Government for any project touching CUI, with FIPS 140-2 validated endpoints, signed commits, and OIDC-based deployment instead of long-lived credentials. We've built out CMMC Level 2-aligned SDLCs including SSP artifact generation, POA&M tracking, and eMASS uploads. We do not store ITAR-controlled technical data on commercial cloud or commercial GitHub, period.
→ Can you hold or sponsor clearances?
Several of our engineers hold active Secret or TS/SCI clearances from prior service or contractor work. For programs requiring cleared work, we typically operate as a sub to a prime that holds the facility clearance (FCL), since standing up an FCL takes 6-12 months and requires a sponsoring contract. If your program needs cleared engineers in a SCIF, we'll be direct about what we can and can't staff before you sign anything.
→ How do you integrate with a prime's existing SDLC?
We adapt. Primes have entrenched tooling — Jira with custom workflows, Azure DevOps, ClearCase, ServiceNow change control, Fortify or Coverity for SAST, specific artifact repositories. Fighting that costs you months. We onboard into their environment, follow their branching strategy, deliver artifacts in the formats their IPTs consume, and attend their TRRs and CDRs. Our differentiator is engineering velocity inside their constraints, not replacing their stack.
→ What contract vehicles can you work under?
We can work as a sub on most prime vehicles (SeaPort-NxG, OASIS+, GSA MAS, CIO-SP3/4, Alliant 2) where the prime handles the vehicle and we deliver under their task order. As an SDVOSB we're directly eligible for set-aside awards under FAR 19.14. For direct-to-DoD work we typically engage via SBIR Phase II/III, OTAs through consortia like DIU or Tradewinds, or as a sub on a larger IDIQ.
→ Can you actually move fast inside DoD timelines?
Honest answer: engineering moves fast, procurement does not. We ship working software in 2-4 week increments internally, but external milestones are gated by CDRLs, ATO timelines, and program office cadence. We've found the trick is decoupling — keep weekly demos with the warfighter or program manager so feedback loops stay tight, while formal deliverables align with PDR/CDR gates. If you need an MVP in 90 days inside an ATO boundary, that's doable with the right scoping.
→ Do you do AI integration on defense programs?
Yes, with caveats. RAG, LLM-assisted analysis, and ML model integration are increasingly viable on defense programs, but most production LLM use requires either an on-prem model (Llama, Mistral) or a FedRAMP High / IL5 hosted service like Azure OpenAI in Government. We will not pipe CUI to commercial OpenAI or Anthropic endpoints. For unclassified workflows we'll use commercial APIs; for anything CUI or above, the model runs inside the boundary.
→ What does a typical engagement look like and cost?
Most defense engagements run 6-18 months with a team of 2-6 senior engineers, often as a sub under a prime. T&M rates for cleared senior engineers typically land in the $185-$260/hr range depending on clearance level, location, and contract vehicle overhead. Fixed-price is possible once scope is bounded by a clear SOW and ATO boundary. We'll give you a straight estimate after a scoping call — no six-week proposal theater.
→ What happens to the code and documentation when the contract ends?
It stays with the government or prime, fully documented. We deliver source, build pipelines, ATO artifacts, threat models, runbooks, and onboarding docs sized for a follow-on contractor who has never seen the system. We do not build dependencies on VooStack-specific infrastructure or licenses. The goal is that another shop could pick up maintenance in 30 days. That's the standard we hold ourselves to on every program.
Have a defense program that needs engineers who can read a DD-254? Let's talk.
Talk to a VooStack operator. We respond within one business day.