BASELINE BY BEDROCK · INDEPENDENT NISP READINESS ASSESSMENT · FIXED-FEE PRE-INSPECTION
PRODUCT · BASELINE BY BEDROCK™ · NISP READINESS ASSESSMENT

Find your NISP gaps before the next DCSA inspection.

BASELINE by Bedrock is an independent NISP Readiness Assessment for cleared contractors. Establish your current security posture, identify inspection risk, and receive a structured corrective-action roadmap before formal review. Structured control intake mapped to NISPOM Chapters 2, 5, and 8, ICD 705, insider threat program maturity, and FOCI posture. Reviewed and signed by a cleared Bedrock principal. Fixed-fee advisory engagement structured to fit common government purchase-card and simplified acquisition workflows.

FIXED-FEE PRE-INSPECTION REVIEW · 14-DAY DELIVERY · CLEARED PRINCIPAL SIGNATURE · NON-CUI INTAKE

ADVISORY · ENGAGEMENT POSTURE

Bedrock provides advisory analysis based on customer-supplied information. Bedrock identifies gaps, risks, and recommended next actions against the published NISPOM, ICD 705, 32 CFR Part 117, and related standards. Bedrock does not guarantee compliance, accreditation, certification, inspection results, or government acceptance. The deliverable is an opinion. The decision authority on accreditation and inspection outcomes rests with the cognizant security agency.

THE CATALYST

The gap is not theoretical. The GAO named it.

In 2026 the Government Accountability Office published GAO-26-107861 documenting NISP enforcement findings across the cleared industrial base. The report is public. The numbers are real. Every cleared facility operates within the inspection ecosystem the GAO reviewed.

GAO-26-107861 · PUBLIC RECORD

Eight hundred fifteen NISP violations recorded in fiscal year twenty twenty-five.

The findings span personnel security, classified information handling, insider threat program maturity, FOCI posture, and physical security at cleared facilities. Small and mid-sized cleared contractors are over-represented in the findings, mostly because the big primes have full-time FSO benches and the small ones do not.

If you hold an FCL or are pursuing one, you are inside the population the GAO is reporting on. A structured pre-inspection review against the published standards is one way cleared contractors prepare for the next DCSA touch point. It does not predict what DCSA will find, and it does not substitute for the agency's own determination.

  • 815: NISP violations · FY25
  • 12,000+: Cleared facilities · scope of population
  • 14 days: Bedrock turnaround · kickoff to signed report

AUDIENCE

Who this is built for.

If you recognize your facility in any of the lines below, the assessment is built for you. Two seconds to self-identify.

  • Cleared small businesses without full-time FSO benches
  • New FCL holders preparing for first DCSA interaction
  • Growing contractors expanding into classified work
  • Firms preparing for self-inspection cycles
  • Contractors inheriting security programs after turnover
  • Companies unsure whether current NISP processes are actually defensible

WHAT YOU GET

One intake. One review. One signed report.

No drip emails, no upsell phase, no software seat to provision. Three artifacts, delivered in fourteen days.

DELIVERABLE 01

Structured control intake

Structured intake the customer fills out at their own pace, on their own schedule. Mapped control by control to NISPOM Chapters 2, 5, and 8, ICD 705, insider threat program maturity, and FOCI mitigation posture. The form is the easy part. The interpretation is the value.

DELIVERABLE 02

Cleared-principal review

The intake is read line by line by Bedrock's cleared principals. We are cleared. We have run inside-the-fence FSO and SSO programs. We are not subcontracting this to a junior consultant in a different time zone.

DELIVERABLE 03

Gap analysis and remediation roadmap

Signed PDF. Each identified gap is cited to the published rule it touches. Each recommended remediation step is sequenced and effort-scoped. You can use it as an internal action plan, an FSO record, or an artifact for your sponsor. It is an advisory opinion based on the intake you provided, not a determination of inspection outcome.

DELIVERABLE 04

Optional debrief call

One thirty-minute call after delivery to walk you through the report, prioritize the gaps, and answer questions. Included in the fixed fee. No add-on, no metered minutes.

SCOPE

Where the control questions live.

The intake is structured around the same control families DCSA uses on inspection. No surprises in either direction.

  • Personnel security and SF-312 cadence: NISPOM Chapter 2. Eligibility, indoctrination, debriefings, continuous evaluation hand-offs.
  • Classified information system safeguards: NISPOM Chapter 5. Storage, transmission, marking, destruction, end-of-day procedures.
  • Insider threat program maturity: 32 CFR § 117.7 (current NISPOM regulation). Designation, training, reporting integration, anomaly response.
  • ICD 705 physical security baseline: SCIF and SAPF accreditation status, drift between cycles, change-control logs, AO and CSA liaison cadence.
  • FOCI mitigation posture: Foreign Ownership, Control, or Influence reviews and current mitigation status. Board, KMP, ownership chain.
  • Self-inspection program: Internal cadence, finding tracking, remediation closure, evidence retention. The thing DCSA asks for first.
  • CMMC L2 evidence inheritance: Where your NISPOM controls already satisfy CMMC Level 2 practices. Identifies inherited evidence so a follow-on CMMC assessment is not starting from zero.

WHAT IT IS NOT

What we removed on purpose.

If a vendor promises any of these, walk. The market is full of theater. BASELINE by Bedrock is the opposite.

  • Not a DCSA certification. Only DCSA can certify a facility. We identify gaps against the published NISPOM, ICD 705, and 32 CFR Part 117 standards. We do not predict DCSA findings, guarantee accreditation, or guarantee inspection outcomes. The decision authority stays with the agency.
  • Not continuous monitoring. This is a point-in-time readiness assessment. Continuous monitoring is a different product, and we will not pretend a one-shot is one.
  • Not a CUI handling engagement. The intake is non-CUI by design. We do not request, store, or transmit CUI in the assessment. Period.
  • Not LLM-generated. The report is read, written, and signed by a cleared principal. No model auto-fills your remediation plan.
  • Not a guarantee of compliance. The engagement is an advisory opinion. Bedrock does not guarantee NISPOM compliance, ICD 705 accreditation, CMMC determination, inspection success, or elimination of risk. Customer remains responsible for compliance.
  • Not a sales funnel. You can take the report and act on it yourself. If you want help executing the remediations, we have a path. If you don't, the report stands on its own.

TIMELINE

Fourteen days from kickoff to signed report.

Fixed cadence. We tell you what is happening on which day. You always know what is next.

DAY 01

Kickoff and intake handoff

Thirty-minute kickoff call. Intake link delivered. Scope confirmed in writing.

DAY 02-07

Customer fills intake

Customer completes the intake at their own pace. We are available for clarifications.

DAY 08-12

Principal review and drafting

Bedrock principal reads the intake line by line. Drafts the gap analysis and remediation roadmap.

DAY 13-14

Delivery and debrief

Signed PDF delivered. Optional thirty-minute debrief call scheduled inside the same window.

ENGAGEMENT

Fixed-fee engagement. Scoped on the executive call.

Most BASELINE engagements are structured as fixed-fee assessments designed to fit common government purchase-card and simplified acquisition workflows. This is not hourly consulting and it is not a six-figure engagement. It is a defined, repeatable advisory engagement with a fixed scope. Pricing is confirmed on the executive call, alongside scope, posture, and timing.

HOW IT WORKS

Call. We scope it in the same conversation.

One thirty-minute call confirms your facility profile, your inspection posture, and whether the assessment is the right product for where you are. If it is, we schedule kickoff inside the same week. If it is not, we tell you that on the call and route you to the right path.

INCLUDED IN THE FIXED FEE
  • Structured control intake
  • Cleared-principal review and write-up
  • Signed gap analysis PDF
  • Sequenced remediation roadmap
  • Thirty-minute debrief call
  • One fixed fee, per engagement

FIXED-FEE ENGAGEMENT · P-CARD AND SIMPLIFIED ACQUISITION COMPATIBLE · CLEARED PRINCIPAL SIGNATURE

Bedrock provides advisory services only. The deliverable is an opinion based upon customer-supplied information. Bedrock does not guarantee compliance with NISPOM, ICD 705, DCSA expectations, CMMC requirements, or any government review outcome. Customer remains responsible for compliance, accreditation, and inspection posture.

Request a BASELINE engagement. Scope on the executive call.

If your FCL is active or pending and you are inside the population the GAO is reporting on, BASELINE is built for you. Call to schedule the executive scoping conversation; engagements typically kick off inside the same week.

Chief Executive Officer · Bedrock Security Advisory Group LLC
Available 0700-1900 ET · Kickoff scheduling same-day or next-day