Cleared engineers who already speak DD-254, ATO, and PI planning.
SDVOSB-certified, U.S.-based senior engineers who plug into your prime's existing SDLC — Jira, Azure DevOps Gov, GitLab, ClearCase — without forcing your program to absorb a new vendor's process.
Most staff aug shops treat defense work like a commercial sprint. It isn't.
Defense programs fail their augmentation vendors in predictable ways. A commercial body shop ships a contractor who has never seen a DD-254, doesn't understand why the build pipeline is air-gapped, and pushes back on documentation as 'overhead.' Six weeks in, the prime's PM is rewriting CDRLs the contractor was supposed to deliver, the FSO is chasing a clearance that was never actually in scope, and the contractor is offshoring work that should have stayed inside CONUS. The augmentation became a liability against the program's IV&V gate.
- Vendors quote 'cleared resources' but actually need 4-6 months to crosswalk a clearance — past the program's need-by date.
- Contractors push commercial Agile rituals against a waterfall-ish program of record and miss CDR deliverables.
- Code review and documentation get treated as optional, breaking the prime's ATO package and DT&E evidence.
- Offshore or non-U.S.-person staff quietly touch ITAR-controlled repos and create a disclosure event.
How we plug into a defense prime without breaking your SDLC
- STEP-01
Clearance & access alignment
We map required clearance levels (Public Trust, Secret, TS/SCI) to roles before kickoff, coordinate with your FSO on visit requests and JPAS/DISS transfers, and stage uncleared work in parallel so we ship value during the access ramp.
- STEP-02
Adopt your SDLC, don't replace it
We work inside your existing Jira, Bitbucket/GitLab, ClearCase, or Azure DevOps Government instances. We follow your branching model, your ATO-bound pipelines, and your IV&V gates. No tool migrations, no parallel processes.
- STEP-03
ITAR-aware engineering posture
U.S. persons only on ITAR/EAR-controlled work, code stays on your enclave or our SDVOSB-controlled environments, no offshore subcontracting. We document export-control assumptions per repo and flag dual-use components before they hit a build.
- STEP-04
Program-of-record cadence
We sync to your PI planning, CDR/PDR milestones, and DD-254 obligations rather than imposing two-week commercial sprints. Burn-down reporting maps to CDRLs and EVM where required, not to vanity velocity charts.
- STEP-05
Knowledge transfer by default
Every engagement ends with your billets, not ours, owning the code. We pair-program with badged staff from week one, write runbooks against your STIG baseline, and document decisions in your ATO artifacts so audits don't re-open.
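```yaml
# .gitlab-ci.yml fragment for ITAR-aware augmentation
stages: [verify, scan, evidence]

# Runs only for projects under programs/itar-*: checks the commit against the cleared roster.
verify-us-person-commits:
  stage: verify
  script:
    # Literal block scalar so the shell sees real line continuations
    - |
      ./scripts/check-committer-roster.sh "$CI_COMMIT_SHA" \
        --roster /run/secrets/cleared-roster.json \
        --fail-on non-us-person
  rules:
    - if: $CI_PROJECT_PATH =~ /^programs\/itar-/

# Evaluates the container image against the STIG profile and keeps the results as evidence.
stig-container-scan:
  stage: scan
  image: registry.gov/voostack/stig-scanner:ubi8-v3
  script:
    - mkdir -p artifacts
    # $IMAGE and $SCAP_DATASTREAM are assumed to be set as CI/CD variables
    - |
      oscap-podman "$IMAGE" xccdf eval \
        --profile stig \
        --results "artifacts/stig-$CI_COMMIT_SHORT_SHA.xml" \
        "$SCAP_DATASTREAM"
  artifacts:
    paths: [artifacts/]   # artifact paths must be relative to $CI_PROJECT_DIR
    expire_in: 7 years    # CDRL A004 retention

# On PI tags (pi-<major>.<minor>), bundles the evidence into the CDRL A004 deliverable.
attach-cdrl-evidence:
  stage: evidence
  script:
    - |
      ./scripts/cdrl-bundle.py \
        --cdrl A004 \
        --sprint "$PI_INCREMENT" \
        --out "artifacts/cdrl-a004-$CI_PIPELINE_ID.pdf"
  rules:
    - if: $CI_COMMIT_TAG =~ /^pi-\d+\.\d+$/
```

A pipeline fragment we drop into a prime's GitLab Gov instance — enforces U.S.-person commit policy, STIG-baselined container scans, and CDRL-mapped artifact retention before anything reaches the program's ATO boundary.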
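The page does not show the contents of `check-committer-roster.sh`, so the following is an added illustration, not VooStack's script, of what a roster gate like the `verify-us-person-commits` job has to decide. The roster schema, the `find_violations` name and the sample data are assumptions; because author and committer emails in a commit are self-asserted, this version also requires a good signature from the committer's rostered key.

```python
import json

# Constructed roster; the schema (email, us_person, fingerprint) is an assumption.
ROSTER = json.loads("""[
  {"email": "avery@example.com", "us_person": true,
   "fingerprint": "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678"},
  {"email": "blake@example.com", "us_person": false,
   "fingerprint": "0F1E2D3C4B5A69788796A5B4C3D2E1F001234567"}
]""")

# Constructed sample of:
#   git log --format='%H%x09%ae%x09%ce%x09%G?%x09%GF' <range>
# Columns: sha, author email, committer email, signature status, signing key fingerprint.
SAMPLE_LOG = "\n".join([
    "1111111\tavery@example.com\tavery@example.com\tG\tA1B2C3D4E5F60718293A4B5C6D7E8F9012345678",
    "2222222\tblake@example.com\tblake@example.com\tG\t0F1E2D3C4B5A69788796A5B4C3D2E1F001234567",
    "3333333\tavery@example.com\tavery@example.com\tN\t",
    "4444444\tavery@example.com\tavery@example.com\tG\t0F1E2D3C4B5A69788796A5B4C3D2E1F001234567",
])


def find_violations(log_text, roster):
    """Return a list of (sha, reason) for commits that must fail the gate."""
    by_email = {e["email"].lower(): e for e in roster}
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, author, committer, sig, fpr = line.split("\t")
        # Both identities on the commit must be rostered U.S. persons.
        for role, email in (("author", author), ("committer", committer)):
            entry = by_email.get(email.lower())
            if entry is None:
                violations.append((sha, f"{role} not on roster"))
            elif not entry["us_person"]:
                violations.append((sha, f"{role} is non-us-person"))
        # Emails alone prove nothing: bind the commit to the committer's key.
        entry = by_email.get(committer.lower())
        if sig != "G":
            violations.append((sha, "no good signature"))
        elif entry is not None and fpr != entry["fingerprint"]:
            violations.append((sha, "signature key does not match committer"))
    return violations


if __name__ == "__main__":
    for sha, reason in find_violations(SAMPLE_LOG, ROSTER):
        print(f"{sha}: {reason}")
```

Commit `4444444` is the case an email-only check would pass: rostered addresses, but signed with a different person's key.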
Field FAQ.
→ Are your engineers actually cleared, or do you sponsor on demand?
Both, depending on the billet. We maintain a bench of engineers with active Secret and TS/SCI clearances who can transfer in via DISS within days, and we sponsor Public Trust and interim Secret for new hires when a program has runway. We're upfront on every SOW about which roles are 'available now' versus 'available after crossover,' so your PM isn't planning around a clearance that doesn't exist yet.
→ How does SDVOSB status help our prime contract?
If you're a prime carrying SDVOSB subcontracting goals under FAR 52.219-9, our verified status counts directly toward those goals and toward category management credit. For DoD-direct work, SDVOSB set-asides under 13 CFR 128 let contracting officers route sole-source awards up to the simplified threshold. We can provide our SBA VetCert verification letter, CAGE code, and SAM registration on request during teaming discussions.
→ Will your engineers follow our SDLC or impose their own?
Yours. We've worked inside Azure DevOps Government, GitLab Dedicated for Government, Bitbucket Data Center on classified enclaves, and legacy ClearCase environments. We adopt your branching model, your code review rules, your CM board process, and your IV&V handoff. The only thing we bring is engineering judgment — we don't ask programs to absorb a new toolchain, retrain badged staff, or rewrite their ATO documentation around our preferences.
→ How do you handle ITAR and export control on shared repositories?
Every engagement on ITAR or EAR-controlled work is staffed exclusively with U.S. persons as defined under 22 CFR 120.62. Code remains inside your enclave or, for unclassified controlled work, our SDVOSB-controlled CONUS environment. We never subcontract offshore. Before kickoff we walk through which repositories carry technical data, document the export-control assumption per repo in writing, and brief our staff on disclosure events and the reporting chain to your empowered official.
→ Can you support program-of-record cadence rather than commercial sprints?
Yes, and frankly this is where most commercial body shops break. Defense programs run on PI planning, CDR/PDR/TRR gates, DT&E windows, and CDRL delivery dates — not two-week velocity charts. Our engineers map their work to your increment plan and your contract data requirements list. We produce burn-down and earned value artifacts in the format your DCMA or program office actually consumes, not in whatever Jira dashboard a commercial scrum master prefers.
→ What roles do you typically fill for defense primes?
Senior software engineers (backend, full-stack, embedded), cloud and DevSecOps engineers familiar with IL-4/IL-5 environments and Platform One, application modernization leads moving legacy Java/.NET workloads into cATO'd cloud, AI/ML integration engineers for RAG over controlled technical data, and systems engineers who can write to a SRS and trace requirements. We don't staff junior generalists into program billets — every engineer we send has shipped production work in a regulated environment.
→ How fast can you ramp once a subcontract is in place?
For roles requiring an active clearance our engineer already holds, we typically have someone billable within two to three weeks of the DD-254 being executed and the visit request approved. Roles requiring a new clearance sponsorship run on the government's timeline — usually three to nine months for Secret. We're transparent about both paths and structure SOWs so uncleared prep work (architecture, unclassified prototypes, documentation) starts immediately.
→ Do you work as a sub to primes or directly to the government?
Both. We sub to large primes under teaming agreements and prime our own SDVOSB set-asides and sole-source awards on smaller programs and BPAs. As a sub we're comfortable with the standard FAR/DFARS flow-downs, CMMC Level 2 obligations, and the prime's own supplier code of conduct. As a prime we carry the contract, manage the CDRLs, and coordinate any further teaming through SBA-compliant subcontracting plans.
→ What about CMMC and NIST 800-171 compliance on your side?
We operate to NIST SP 800-171 controls on any environment touching CUI and are aligned to CMMC Level 2 practices. For program work, our engineers operate inside your accredited environment whenever possible — that's the cleanest compliance posture for everyone. When we must hold CUI on our side, we do so in a documented enclave with MFA, FIPS-validated crypto, audit logging, and an SSP we'll share with your supply chain risk team.
Have a billet to fill or a teaming opportunity? Send the DD-254 and we'll send a bench.
Talk to a VooStack operator. We respond within one business day.