METHOD

The CyberAutopsy Method.
Five phases. No surprises.

Compliance is a documentation discipline before it is a technology problem. Every phase below produces a specific artifact, signed by a specific owner and defensible against a specific NIST SP 800-171A determination statement. The certificate is the byproduct.

Built from the inside of dozens of C3PAO assessments. Each phase produces an artifact that survives audit, not a slide that survives a meeting.

  1. 01 · DIAGNOSE · Week 1

    Map the CUI boundary

    We trace every system, person, and data flow that touches Controlled Unclassified Information. Anything in scope is documented; anything out of scope is excluded with evidence. The boundary decision sets the cost of everything that follows.

    Deliverables: Scoping Memo, Network Diagram, Data Flow Map
  2. 02 · EXPOSE · Week 2

    Evidence gap heatmap

    Every one of the 110 controls is scored against artifacts you can actually produce in an assessment. Implemented, partially implemented, or not implemented — with a per-control owner and severity weight.

    Deliverables: SSP v1, POA&M, SPRS Score
  3. 03 · OPERATE · Weeks 3–12

    Remediate, with your IT

    A surge team works beside your engineers. Configurations applied, policies authored, training delivered, evidence captured. We do not hand you a backlog — we close it with you.

    Deliverables: Implemented Controls, Artifact Library
  4. 04 · CERTIFY · Audit window

    C3PAO handoff and pass

    Your Assessment Packet is built as if we were the assessor. We escort the engagement: reading rooms, evidence defense, real-time clarification. Potential findings get answered before the assessor writes them up.

    Deliverables: Assessment Packet, Pass Letter
  5. 05 · MONITOR · Ongoing

    SPRS and affirmation, forever

    Annual affirmation, configuration drift detection, control re-test. Your score stays at 110 because someone is watching it weekly, not annually.

    Deliverables: Quarterly Reviews, Annual Affirmation
PRINCIPLES

How we work, codified.

01

Boundary before tooling

We do not buy a single license before the CUI boundary is signed. Tooling decisions made before scoping produce overspend and audit headaches.

02

Artifacts over assertions

A control is implemented when the artifact survives a hostile read. Until then it is a draft, no matter what the policy says.

03

Weekly war rooms

One standing, one-hour engagement per week with the executive sponsor, IT lead, and compliance surgeon. No status decks; only blockers and decisions.

04

Plain-English deliverables

Every executive memo is one page, written in language a CFO or contracting officer can read aloud in a meeting.

05

Evidence as code

We treat artifacts the way engineers treat code: versioned, reviewed, and signed. The Evidence Library is a repository, not a folder.

06

No subcontracting of judgment

A partner signs every Assessment Packet that leaves the firm. No junior-staff-to-assessor handoff. Ever.