AUGUSTA, GA — FORT EISENHOWER CORRIDOR

Veteran-owned software consulting for the Army Cyber and NSA Georgia mission

SDVOSB-certified engineers building secure-by-design software for the primes, program offices, and cyber units operating out of Fort Eisenhower. CMMC 2.0 aligned from day one.

Veteran-Owned SDVOSB
001 / 005 Field Conditions

Most software shipped to the Augusta cyber mission was built for a different threat model

Situation

The corridor around Fort Eisenhower runs on software that was scoped against commercial assumptions and then bolted into a CUI or classified context after the fact. Repos live on commercial GitHub with no boundary documentation. CI pipelines pull dependencies from public registries with no SBOM. AI features get added by piping prompts to commercial endpoints with no thought to data spillage. Primes inherit this stack mid-program, then scramble when the C3PAO shows up or when a program office asks where exactly the CUI lives. The fix is not another binder — it's engineers who knew the controls before they wrote the first line.

  • Repos and CI runners sitting in commercial tenants while the program handles CUI
  • No SBOM, no signed artifacts, no evidence trail when CMMC assessment lands
  • AI/LLM features wired to public endpoints, leaking prompt context out of the boundary
  • Legacy .NET and Java systems on EOL Windows Server with no documented modernization path

  • SDVOSB: SBA-certified, sole-source eligible
  • 2-3 wks: from signed SOW to committing code
  • 110 controls: CMMC 2.0 Level 2 coverage in our baseline
002 / 005 Operational Approach

How we build software for the Augusta cyber mission

  1. STEP-01

    Map the authorization boundary first

    Before writing code we diagram the system boundary, data flows, and CUI touchpoints against NIST SP 800-171 controls. That artifact drives every later decision — repo topology, CI/CD runners, logging sinks, and which workloads land in GovCloud vs commercial.

  2. STEP-02

    Stand up a CMMC-aligned dev environment

    GitHub Enterprise or GitLab in a controlled enclave, hardened runners, FIPS 140-2 validated crypto, SSO with PIV/CAC, and audit logging into a SIEM the assessor can actually query. We document the SSP as we build, not after.

  3. STEP-03

    Ship secure-by-design increments

    Two-week iterations with threat modeling baked into each story. SAST, SCA, container scanning, and IaC policy checks gate every merge. We deliver working software to a staging enclave the prime or program office can touch in week three.

  4. STEP-04

    Integrate with mission systems

    We connect to the systems Augusta actually runs on — Jira, ServiceNow, Splunk, Elastic, Nessus, existing C2 and SIEM feeds — through documented APIs and message buses, not screen scraping. Every integration ships with replay and backpressure handling.

  5. STEP-05

    Hand off with a runbook, not a deck

    Final delivery is source, IaC, runbooks, an updated SSP, POA&M entries where relevant, and a recorded walkthrough for the government engineers who will own it. We stay on retainer for 90 days to absorb the first round of real-world findings.

YAML PATTERN
# .github/workflows/cmmc-gate.yml
# Merge gate for a CUI-handling repo supporting an Army Cyber program
name: cmmc-gate
on:
  pull_request:
    branches: [main]

# Least-privilege token: the gate only needs to read the repo; the evidence
# upload relies on the self-hosted runner's own IAM role, not GITHUB_TOKEN
permissions:
  contents: read

jobs:
  controls:
    runs-on: [self-hosted, govcloud, fips]
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so the secrets scan covers every commit in the PR

      - name: SAST (SI.L2-3.14.1 flaw remediation)
        run: semgrep ci --config p/owasp-top-ten --error

      - name: SCA (SI.L2-3.14.2 malicious code)
        run: |
          trivy fs --severity HIGH,CRITICAL --exit-code 1 .
          syft packages dir:. -o spdx-json > sbom.spdx.json

      - name: IaC policy (CM.L2-3.4.2 baseline config)
        run: |
          checkov -d infra/ --framework terraform   # hard fail on findings is checkov's default
          conftest test infra/ -p policy/

      - name: Secrets (IA.L2-3.5.10 cryptographic protection)
        run: gitleaks detect --redact --exit-code 1

      - name: Evidence upload to SSP artifact bucket
        # github.repository is "owner/name": the owner segment completes the bucket
        # name and "name/<sha>/" becomes the key prefix for this run's evidence
        run: |
          aws s3 cp sbom.spdx.json \
            s3://ssp-evidence-${{ github.repository }}/${{ github.sha }}/

Sample merge gate we drop into client repos on cyber programs — every check maps to a CMMC 2.0 Level 2 control and writes evidence to the SSP artifact store.

003 / 005 Common Questions

Field FAQ.

Are you actually based near Augusta, or just claiming a location page?

VooStack is a US-based, veteran-owned firm with engineers who work directly with programs anchored around Fort Eisenhower, Army Cyber Command, and NSA Georgia. We staff on-site in the CSRA when a program requires it and run hybrid teams the rest of the time. We're not a referral shell — the engineers you scope with are the ones who write the code and sit in the SCIF when access allows.

Do you hold SDVOSB certification, and can you prime or sub?

Yes. VooStack is SDVOSB-certified through SBA's Veteran Small Business Certification program, which makes us eligible for sole-source and set-aside awards up to the statutory thresholds. We sub to large primes on cyber mission contracts in the Augusta corridor and prime on smaller task orders where the vehicle fits. We can provide our certification letter, CAGE code, and SAM registration on request.

What does CMMC 2.0 readiness actually look like in your deliverables?

Every repo we ship for a CUI-handling program comes with an updated System Security Plan section, a POA&M for anything not yet at parity, evidence artifacts wired into CI, and a control-to-code crosswalk. We don't hand you a binder — we hand you queryable evidence. If a C3PAO walks in tomorrow, your assessor can pull SBOMs, scan history, and access logs without our help.
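An added illustration of the control-to-code crosswalk the answer above describes, built from the merge-gate pattern shown earlier: it reads a workflow whose step names carry a CMMC practice id in parentheses and emits a practice-to-commands map, with unmapped steps called out. This is example code written for this page, not VooStack tooling, and the embedded workflow is a constructed sample.

```python
import re

# Constructed sample mirroring the page's merge gate (not the real workflow file)
SAMPLE_WORKFLOW = """\
jobs:
  controls:
    steps:
      - name: SAST (SI.L2-3.14.1 flaw remediation)
        run: semgrep ci --config p/owasp-top-ten --error
      - name: SCA (SI.L2-3.14.2 malicious code)
        run: |
          trivy fs --severity HIGH,CRITICAL --exit-code 1 .
          syft packages dir:. -o spdx-json > sbom.spdx.json
      - name: Evidence upload to SSP artifact bucket
        run: aws s3 cp sbom.spdx.json s3://example-bucket/
"""

# CMMC 2.0 practice id: two-letter domain, level, NIST SP 800-171 requirement number
PRACTICE_RE = re.compile(r"\(([A-Z]{2}\.L[123]-\d+\.\d+\.\d+)\s+([^)]*)\)")
STEP_RE = re.compile(r"^\s*-\s+name:\s*(.+?)\s*$")
RUN_RE = re.compile(r"^(\s*)run:\s*(.*?)\s*$")


def crosswalk(workflow_text):
    """Map each practice id in a step name to that step's commands. Named steps
    with no practice id land under "unmapped" so the gap is visible in the evidence."""
    result = {"unmapped": []}
    current = None  # crosswalk entry for the most recent mapped step
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        step, run = STEP_RE.match(line), RUN_RE.match(line)
        if step:
            practice = PRACTICE_RE.search(name := step.group(1))
            if practice:
                current = {"step": name, "title": practice.group(2).strip(), "commands": []}
                result[practice.group(1)] = current
            else:
                current = None
                result["unmapped"].append(name)
        elif run and current is not None:
            indent, cmd = len(run.group(1)), run.group(2)
            if cmd != "|":
                current["commands"].append(cmd)
                continue
            # Block scalar: every following line indented deeper than "run:" is a command
            for nxt in lines[i + 1:]:
                if not nxt.strip() or len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                current["commands"].append(nxt.strip())
    return result
```

Feed it the real workflow file and serialise the result to JSON to get the queryable artifact an assessor can pull alongside the SBOM and scan history.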

Can you support cleared work, and what clearance levels do your engineers hold?

Our engineering bench includes personnel cleared at Secret and TS/SCI levels, with some holding CI poly. Clearance availability varies by engagement, so we scope it explicitly during contracting. For programs that require full-time on-site SCIF presence, we recruit and badge against the specific contract. For unclassified CUI work — the bulk of CMMC Level 2 — we use our standard hardened development enclave.

How do you handle the GovCloud vs commercial cloud decision?

We make it a deliberate call, not a default. Workloads touching CUI, ITAR data, or DoD IL4/5 boundaries go to AWS GovCloud or Azure Government with FedRAMP-aligned services only. Public-facing marketing surfaces, anonymized analytics, and pre-award R&D often stay in commercial regions to control cost. The boundary diagram from step one of our approach drives this — we document the rationale so your authorizing official has something to sign against.

We're a prime that just won a cyber task order — how fast can you spin up?

For a senior engineering pod of three to five people on an unclassified CUI program, we typically have engineers committing code in two to three weeks from signed agreement. Cleared work or programs requiring contract-specific badging take longer — usually six to ten weeks depending on the facility and adjudication backlog. We'll tell you honestly during scoping which timeline applies.

Do you do AI integration on cleared or CUI-handling systems?

Yes, with caveats we'll be direct about. We deploy retrieval-augmented generation and Claude or GPT integrations against on-prem or GovCloud-hosted models — typically Bedrock in GovCloud, Azure OpenAI in IL4/5, or self-hosted Llama and Mistral variants where sovereignty matters. We do not pipe CUI to commercial OpenAI or Anthropic endpoints. Every AI feature ships with prompt logging, output filtering, and a human-in-the-loop pattern for anything consequential.
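An added example of the boundary guard behind the answer above and the spillage risk named under Field Conditions: a routing check that blocks prompts bound for any endpoint outside an in-boundary allowlist, holds consequential requests for human review, and writes an audit record. It is illustrative code written for this page, not VooStack's implementation; the allowlist hosts are constructed placeholders and logging a prompt hash rather than the text is a design choice of the example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed allowlist of model endpoints inside the authorization boundary.
# Placeholders standing in for a program's real GovCloud or enclave hosts.
IN_BOUNDARY_HOSTS = {
    "bedrock-runtime.us-gov-west-1.amazonaws.com",  # Bedrock in GovCloud
    "llm-gateway.enclave.example.mil",              # self-hosted model behind the enclave gateway
}
# Banner or portion markings such as "CUI" or "CUI//SP-PRVCY" signal controlled content
CUI_MARKING = re.compile(r"\b(CUI(//[A-Z-]+)?|CONTROLLED UNCLASSIFIED INFORMATION)\b")
AUDIT_LOG = []  # stand-in for the SIEM sink inside the boundary; one record per decision


def route_prompt(prompt, endpoint, consequential=False):
    """Decide whether `prompt` may be sent to `endpoint`.
    Deny by default: anything outside the allowlist is blocked even when the
    prompt carries no marking, since a missing marking does not prove absence of CUI.
    Returns (decision, reason) where decision is "allow", "hold" or "block"."""
    host = urlparse(endpoint).hostname or ""
    marked = bool(CUI_MARKING.search(prompt))
    if host not in IN_BOUNDARY_HOSTS:
        decision, reason = "block", "endpoint outside authorization boundary"
    elif consequential:
        decision, reason = "hold", "human-in-the-loop review before output is acted on"
    else:
        decision, reason = "allow", "in-boundary endpoint"
    # Record a hash rather than the prompt text so the audit trail cannot itself become a spill
    AUDIT_LOG.append({
        "prompt_sha256": hashlib.sha256(prompt.encode("utf-8")).hexdigest(),
        "endpoint": host, "cui_marked": marked,
        "decision": decision, "reason": reason,
    })
    return decision, reason
```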

What does application modernization look like for a program office still on legacy systems?

Most modernization work we see in the Augusta orbit is moving custom .NET or Java applications off aging on-prem VMware estates into GovCloud containers, replacing brittle scheduled jobs with event-driven pipelines, and untangling Oracle or SQL Server schemas that grew organically over fifteen years. We strangler-pattern the migration so the old system keeps running until the new one earns trust, and we document the cutover in advance.

How do you price work for federal customers and primes?

We support T&M, FFP, and labor-hour structures depending on the vehicle. For primes subbing to us, we typically work T&M with not-to-exceed ceilings during discovery and shift to FFP once scope is locked. We publish our labor categories and rates against common GSA mappings on request. We do not play the body-shop game of bidding cheap and staffing junior — every engineer we put on a contract has shipped production systems.

Next step

Building software for a cyber mission out of Fort Eisenhower? Let's talk.

Talk to a VooStack operator. We respond within one business day.