How We Work
Fixed phases, named deliverables, no black boxes. You know what you are getting before you commit to the next step.
AI tooling delivery
How we take compliance and automation tooling from problem definition to deployment inside your environment.
- 01
Discovery and Requirements
We map the target workflow, data sources, and compliance constraints, including whether the system must run on-premise, air-gapped, or in a FedRAMP-authorized cloud, and define success criteria before any code is written.
- 02
Prototype
We build a working demonstrator against your real artifacts so fit can be evaluated early. PRISM and SCORE were built with this same approach.
- 03
Integration and Deployment
We containerize and deploy into your environment with an audit-ready data layer, integrating with the systems and control frameworks your workflow already depends on.
- 04
Validation and Handoff
We validate outputs against the governing controls, document the system, and hand off with the training and support your team needs to operate it.
Proposal development process
We engage early, before topics close, to maximize technical alignment and proposal quality.
- 01
Topic Selection and Fit Analysis
We review open solicitations across DoD, DHS, NASA, and NIH and identify topics where Kastle has prototype evidence or domain depth. We brief you on fit before you commit resources.
- 02
Technical Volume Writing
We write the technical volume from scratch, incorporating your prototype details, team credentials, and the agency-specific evaluation criteria. We do not use generic templates.
- 03
SME Review and Red Team
Our senior advisor reviews all technical volumes for evaluator-readiness. We red-team weak sections and revise before submission.
- 04
Submission and Debrief
We submit through the appropriate agency portal (DSIP, Grants.gov, SBIR.gov) and, if requested, debrief you on agency feedback after the decision is returned.
Phased engagement
Our CMMC engagements follow a fixed-phase model so you know what you are getting at each step before committing to the next.
- 01
Scoping and Discovery
We define the CUI boundary, identify in-scope systems, and document your current environment. No assumptions about what you have or have not done.
- CUI enclave boundary definition
- Asset inventory (hardware, software, cloud)
- Initial POA&M draft
- 02
Gap Analysis
We assess your current posture against NIST SP 800-171 and CMMC Level 2 practices. Each gap is scored, risk-ranked, and assigned an owner.
- Control-by-control gap findings
- Risk-ranked remediation backlog
- SPRS score estimate
- 03
Remediation
We help you close gaps: writing policies, configuring systems, drafting procedures, and producing the evidence required for assessment. We do the work, not just point at it.
- Policy and procedure documents
- Evidence packages per control
- Technical configuration guidance
- 04
Documentation and SSP
We produce a complete System Security Plan with control narratives, evidence references, and POA&M entries in formats compatible with eMASS and C3PAO review.
- System Security Plan (SSP)
- Plan of Action and Milestones (POA&M)
- Self-assessment package
- 05
Assessment Readiness
We conduct a pre-assessment dry run against your completed documentation and identify any remaining issues before a C3PAO or government assessor sees the package.
- Internal readiness review
- Assessor Q&A preparation
- Final evidence review
Bring a working prototype to your next bid.
Teaming, subcontracting, CMMC readiness, or SBIR development — we respond within one business day.