[ MODERNIZATION ] // FEDERAL & STATE AGENCIES

Modernize legacy government systems without losing your ATO — or your funding.

SDVOSB-certified. We rebuild Oracle Forms, ColdFusion, mainframe, and early-2010s .NET systems into FedRAMP-aligned cloud architectures, one authorizable slice at a time.

Veteran-Owned SDVOSB
[001 / 005] Field Conditions

Most agency modernizations fail not at the code, but at the ATO and the contract.

// SITUATION

The pattern is familiar. A modernization gets funded, a 24-month rebuild plan goes to a prime, and 18 months in there's a partially rebuilt system, an expired ATO, a new CIO, and an appropriations cycle that didn't go the way anyone hoped. The legacy COBOL or ColdFusion system is still running because nobody dared turn it off. The new platform never reached production because no one budgeted the FedRAMP Moderate authorization timeline honestly. Meanwhile the contract vehicle the work was bought under doesn't have headroom for another option year.

  • Big-bang rewrites that assume a 24-month runway through an election year and two continuing resolutions.
  • ATO packages written as a deliverable at the end instead of generated continuously alongside the build.
  • Procurement vehicles chosen for speed of award rather than scope flexibility, capping modernization at the first hard problem.
  • No exit strategy — code, infra, and tribal knowledge live with the contractor, so a re-compete means starting over.
SDVOSB
Certified, sole-source eligible up to $5M
12-18 mo
Realistic FedRAMP Moderate ATO path
0
Big-bang cutovers — every slice is reversible
[002 / 005] Operational Approach

Modernize in slices that can each clear ATO on their own.

  1. STEP-01

    Map the ATO boundary first

    Before touching code we read the existing SSP, POA&M, and ATO letter. We identify the authorization boundary, control inheritance from the host (often a FedRAMP Moderate IaaS like AWS GovCloud or Azure Government), and which controls are agency-implemented vs. inherited. That dictates what we can safely change in 90 days.

  2. STEP-02

    Strangler-fig around the legacy core

    We don't rewrite the COBOL/Oracle Forms/ColdFusion monolith in flight. We put an API gateway in front, route reads to a new service, then writes, then retire modules. Each slice is independently deployable and independently authorizable so a stop-work order doesn't strand a half-rebuilt system.

  3. STEP-03

    Build the ATO package alongside the code

    Control evidence is generated by the pipeline: SBOMs from the build, scan results from Anchore/Trivy, IaC compliance from Checkov, and OSCAL-formatted SSP fragments. By the time the ISSO reviews, 70-80% of the package is machine-generated artifacts, not Word documents written the week before submission.

  4. STEP-04

    Ship under the right vehicle

    Scope and contract type are co-designed. 8(a) sole-source, SDVOSB set-aside, GSA MAS, GWACs like CIO-SP3/4, or agency BPAs each have different ceiling, period-of-performance, and modification rules. We structure deliverables so an option-year non-exercise doesn't kill the modernization mid-migration.

  5. STEP-05

    Hand off with the documentation a successor can use

    Administrations change. We assume the team running this in year three is not us. Runbooks, ADRs, threat models, and a working local dev environment ship with the code. The next contractor — or an in-house team — can pick it up without a six-month archaeology phase.

// YAML PATTERN 
component-definition:
  uuid: 7c2f9a14-3b8e-4d2a-9f1c-6e3d2b1a8f04
  metadata:
    title: Claims Intake API - Auth Component
    version: 2.4.0
    oscal-version: 1.1.2
  components:
    - uuid: a1b2c3d4-0001-4000-8000-000000000001
      type: software
      title: claims-intake-api
      description: Public-facing intake service, FedRAMP Moderate boundary
      control-implementations:
        - uuid: ci-001
          source: '#NIST_SP-800-53_rev5'
          description: Inherited + agency-implemented controls
          implemented-requirements:
            - control-id: ac-2
              description: |
                Account lifecycle managed via agency Okta tenant.
                Service accounts rotated every 60 days via Vault.
              props:
                - name: implementation-status
                  value: implemented
            - control-id: au-2
              description: |
                All API requests logged to CloudWatch, shipped to
                agency SIEM (Splunk) within 5 minutes. Retention 1 year hot,
                3 years cold per AU-11.
            - control-id: si-4
              description: |
                GuardDuty + custom Lambda detectors. Alerts route to
                ISSO via PagerDuty, P1 SLA 15 min.

An OSCAL component definition fragment generated from CI — the same artifact feeds both the SSP and the deployment pipeline, so control evidence stays in sync with what's actually running.

[003 / 005] Common Questions

Field FAQ.

We have an existing ATO. Will modernization force us to re-authorize from scratch?

Usually no, if the work is scoped right. Significant change determinations are made by the AO, but most incremental modernization fits under a Type 2 or Type 3 change with a delta SSP and updated POA&M. We design slices that stay inside the existing authorization boundary where possible, and when a slice does require re-authorization we sequence it so the legacy system keeps its ATO until the new one lands.

How does SDVOSB status actually affect what we can buy from you?

It opens set-aside and sole-source pathways. Under the SDVOSB program, contracting officers can sole-source up to $5M (services) without competition when requirements are met, and SDVOSB set-asides are a priority category under the small business goaling framework. For agencies with veteran-spend goals — VA especially under the Vets First program — we count toward category-specific targets, not just generic small business credit.

Our system runs on a mainframe / Oracle Forms / ColdFusion. Where do we even start?

We start with traffic, not code. Two weeks of read-only observation tells us which screens and batch jobs actually carry load and which are dead weight nobody admits to using. Often 30-40% of a legacy system can be retired outright rather than rebuilt. The remainder gets prioritized by risk: anything touching PII, anything blocking a compliance finding, anything the vendor has dropped support for.

What's a realistic FedRAMP authorization timeline if we don't have one yet?

For a FedRAMP Moderate ATO via the agency path, plan on 12-18 months from kickoff to authorization letter, assuming you start with a cloud platform that's already FedRAMP-authorized (GovCloud, Azure Government, Google Assured Workloads). FedRAMP High is longer. The JAB path is mostly closed to new entrants right now. We've seen teams promise 6 months — that's only realistic if you're inheriting nearly all controls and the 3PAO is already engaged.

How do you handle a change of administration mid-contract?

We assume it will happen and design for it. That means: every deliverable is independently valuable (no big-bang go-lives at month 24), code and infra-as-code live in agency-owned repos from day one, documentation is good enough that a different vendor could continue the work, and we structure milestone payments so a stop-work order doesn't strand the agency with 60% of a system. Continuity is a deliverable, not an afterthought.

Can you work under our existing GWAC or BPA, or do we need a new vehicle?

We hold or can team into most common vehicles — GSA MAS IT, SDVOSB set-asides, and several agency BPAs. We've also subbed under CIO-SP3, Alliant 2, and OASIS+ prime holders. The right answer depends on ceiling, period of performance, and how much scope flexibility you need. We'll tell you honestly when a different vehicle would serve you better, even when it means we don't prime.

What does 'incremental modernization' actually look like in a quarter?

A representative first quarter: weeks 1-2, discovery and ATO boundary mapping; weeks 3-6, stand up the new platform inside the existing authorization boundary and route one read-only endpoint through it; weeks 7-10, migrate a single workflow end-to-end with feature-flag rollback; weeks 11-13, retire the legacy module, update the SSP delta, and demo to the AO. One slice retired, pattern proven, zero downtime, and a template for the next ten slices.

Do you handle the Section 508 accessibility work, or is that separate?

We handle it. Every UI we build is tested against WCAG 2.1 AA with axe-core in CI and manual testing with NVDA and VoiceOver before release. For modernization specifically, we treat 508 as a forcing function — most legacy government UIs fail badly, and rebuilding accessibly is often cheaper than retrofitting. We document conformance in an ACR (VPAT) that your 508 coordinator can submit without rewriting.

How do you price modernization work — fixed price, T&M, or something else?

Discovery is fixed-price (typically 2-4 weeks, $40-80K range depending on system size). Implementation is usually T&M with a not-to-exceed and milestone gates, because the unknowns in legacy work make true fixed-price either overpriced or a recipe for cut corners. For agencies that need fixed-price for appropriations reasons, we'll do it after discovery — once we've actually seen the code — not before.

[004 / 005] Adjacent Files

Continue recon.

REL-01

Modernization services

How we approach legacy-to-cloud rebuilds across regulated and federal environments.

 REL-02

Federal case studies

Examples of incremental modernization slices shipped under active ATOs.

 REL-03

SDVOSB & the team

Veteran ownership, certifications, and the engineers who actually do the work.

 REL-04

Start a discovery

Two-to-four week fixed-price assessment of your legacy system and ATO posture.
[ NEXT ACTION ]

Have a stalled modernization, an expiring ATO, or a 1990s system the next administration will inherit? Let's talk.

Talk to a VooStack operator. We respond within one business day.

Open a Channel Full Services