Meridian Cyber is a Huntsville-based consulting practice helping Defense Industrial Base contractors get their systems through the Risk Management Framework — from categorization to Authorizing Official signature. ATO packages built defensibly. IATTs delivered on accelerated timelines. Stalled efforts unstuck. Senior-level attention on every engagement, no exceptions.
One-page PDF for primes, contracting officers, and small business liaisons evaluating Meridian Cyber for ATO and IATT consulting work.
Getting a system authorized rewards precision, discipline, and institutional memory. Most small and mid-sized defense contractors don’t have the bandwidth to build those muscles in-house — and the cost of getting RMF wrong is a delayed program, a stalled package, or a denied authorization. That’s where we operate.
These represent program environments the founders have worked in during prior employment — not engagements delivered by Meridian Cyber LLC. The firm is newly established and actively pursuing its first client contracts.
Six engagement types covering the path from "we need an ATO" to "we have one and need to keep it." Each engagement has defined scope, fixed deliverables, and clear success criteria — your authorization decision, not open-ended hours. Engagements are sold individually or bundled as needed for your system.
Before you commit to a full RMF push, know where you actually stand. Comprehensive gap analysis of your system against applicable NIST 800-53 controls, with a defensible roadmap, realistic timeline, and honest assessment of whether your AO will sign.
Your system, through the full Risk Management Framework, to authorization. Categorization, control selection, SSP authoring, evidence collection, eMASS submission, AO engagement. We drive the package; your team contributes technical content as needed.
You need to test on a connected network before full ATO is realistic. Accelerated IATT package development with a clean transition path to full authorization — so the IATT work isn't thrown away later. Common for test-range integration and prototype connections.
Your team has the technical knowledge but doesn't have time to write. Stand-alone authoring of System Security Plans, control implementation narratives, POA&Ms, and supporting artifacts — built to withstand assessor scrutiny on first review.
ATO granted is not ATO kept. Post-authorization sustainment: POA&M management, annual security reviews, configuration change assessments, and re-authorization preparation. Monthly retainer keeps your authorization defensible.
For client teams running their own RMF effort that has stalled — assessor findings piling up, prior consultant gone, schedule slipping. Specialized advisory and package hygiene work to diagnose what broke and get authorization back on track.
Meridian Cyber is a newly established consulting practice. We believe in being direct about that — because the founders’ track records in prior roles, not a pretend corporate history, are what earn a first conversation. This section exists to make the distinction clear.
A newly formed Alabama LLC dedicated to RMF and authorization services. SAM.gov registered and active. The firm has no completed client engagements yet — and is open about that.
The co-founders bring complementary RMF backgrounds: one has shepherded ATO packages through the full process as a practitioner; the other has assessed packages and audited eMASS in prior roles. The combination — not a pretend firm history — is the foundation of Meridian Cyber’s value.
New firms bring something established consultancies cannot: the founders are the practitioners. Every engagement gets principal attention from both perspectives — practitioner and assessor. No junior analysts learning on your package. Lean structure, competitive rates, direct accountability.
How a typical engagement actually unfolds. Every consulting relationship begins with scoping discipline and ends with defensible documentation in front of the AO. We don’t improvise — we apply a methodology the founders have executed in prior RMF work, with measurable gates at each phase so you always know where your authorization stands.
System boundary definition, FIPS 199 categorization, overlay identification, authorization pathway decisions. The work that prevents rework.
Gate: Package Plan ApprovedControl selection aligned to categorization, implementation guidance for your engineering team, and early evidence collection planning.
Gate: Controls SelectedSSP authoring, POA&M development, evidence package assembly, and eMASS submission ready for independent Security Control Assessment.
Gate: eMASS SubmittedAssessor support through the SCA, AO engagement, and transition into continuous monitoring cadence after authorization is granted.
Gate: ATO GrantedDefense contractors don’t hire RMF consultants in the abstract — they hire them to solve specific, expensive problems. These are the ones we handle.
A prime puts a CUI-handling requirement in your statement of work and you have no idea where to start. We take you from zero to submitted package without making you learn the framework yourself.
Assessor findings keep piling up, your prior consultant is out of ideas, and the schedule is slipping. Package rescue is work the founders have done before — diagnosing what broke and restructuring what remains is well within scope for us.
The tool is unforgiving, and most cybersecurity consultants have never actually used it. We’re eMASS-fluent — comfortable with workflows, package hygiene, and the quirks assessors flag.
Tier-1 consultancies charge $400–$600/hour and bury you in process. We deliver senior-level execution at defensible rates — no layered hierarchies, no junior analysts on your package.
Your engineering team is delivering capability; you can’t ask them to stop and write control narratives. We shield your technical staff from compliance paperwork while still capturing what the package needs.
Huntsville-based, clearance-active, on-site-capable. We show up when the work benefits from in-person engagement — working sessions, AO briefings, prime coordination meetings.
In federal contracting, clients want to know exactly who will be on their package. Meridian Cyber is a co-founded practice with two principals — the people you meet are the people who execute. Together, we cover both sides of the RMF table: the practitioner who builds the package and the assessor who reviews it.
Cybersecurity engineer with hands-on experience shepherding ATO packages through the full Risk Management Framework lifecycle in prior roles. Has responded to eMASS findings, sat through SCA interviews, and watched AOs make risk decisions firsthand.
Brings the assessor’s perspective to every Meridian Cyber engagement. Experience as an ATO assessor and eMASS auditor in prior roles means packages are built with the questions assessors actually ask — not the questions consultants assume.
A consultant who mishandles your CUI is a liability, not an asset. Meridian Cyber operates with the same data handling standards we advise clients to implement — the posture that allows us to work with sensitive material safely and credibly.
Internal security posture aligned to the same 800-171 controls we’ll advise clients to implement. We run the program we help others build. CUI-specific handling is structured per engagement — we work within client-furnished compliant environments or stand up engagement-specific controls as needed.
Meridian Cyber is registered in federal contracting systems and carries the designations required for immediate engagement on DoD work, either directly or as a subcontractor.
Meridian Cyber actively pursues prime subcontractor roles, teaming arrangements, and joint ventures where our RMF capabilities strengthen a broader offering. Direct outreach from prime small business liaisons, capture managers, and teaming partners is welcomed.
Whether you need a readiness assessment, a full package, help with a stalled effort, or a subcontractor on a capture — start with a conversation. Most initial discussions take thirty minutes and result in a clear scope before any commitment.