Stella Maris Governance LLC - Consulting Methodology
Public Consulting Methodology | Engagement Governance Framework
Overview
This repository documents the public consulting methodology and engagement governance framework used by Stella Maris Governance LLC across all client engagements. The methodology is structured for repeatable delivery, third-party assessor traceability, and defensible documentation outcomes.
All engagements follow a five-phase structured delivery model aligned to CMMC, NIST SP 800-171, and DFARS compliance requirements.
The SMG Five-Phase Engagement Model
Phase 1: Discovery
└── CUI scoping | System boundary | Stakeholder identification
Phase 2: Assessment
└── 110-practice gap analysis | Control scoring | Evidence review
Phase 3: Remediation
└── POA&M development | Gap closure prioritization | Policy development
Phase 4: Readiness
└── SSP finalization | Evidence package assembly | Assessor preparation
Phase 5: Continuous Compliance
└── Quarterly drift monitoring | Evidence refresh | Retainer support
Phase Descriptions
Phase 1: Discovery
Establish the compliance scope foundation. Identify CUI data flows, define the system boundary, map personnel with CUI access, and document the assessment environment. Deliverables include a CUI scoping worksheet, system boundary diagram, and discovery findings brief.
Phase 2: Assessment
Conduct structured gap analysis against all 110 NIST SP 800-171 practices across 14 control families. Score each practice, document evidence gaps, identify compensating controls, and produce a prioritized gap register. Deliverables include the gap analysis workbook, control scoring matrix, and evidence gap register.
Phase 3: Remediation
Develop the Plan of Action & Milestones (POA&M) and support gap closure. Produce required policies, procedures, and documentation artifacts. Deliverables include POA&M, policy templates, and remediation tracking register.
Phase 4: Readiness
Finalize the System Security Plan (SSP), assemble the evidence package, and prepare the organization for C3PAO assessment. Deliverables include the completed SSP, evidence package index, and readiness briefing.
Phase 5: Continuous Compliance
Quarterly validation engagements monitor control drift, refresh evidence, and maintain assessment readiness. Deliverables include quarterly drift reports and updated evidence registers.
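The Phase 2 gap register and the Phase 5 drift check are both comparisons over the same per-practice data: a status, the evidence references that back it, and any compensating control. The script below is an added example of how that data can be scored and diffed; it is not the firm's own tooling. The scoring weights, the data layout, and the two quarterly samples are assumptions constructed for illustration (the practice numbers are real NIST SP 800-171 identifiers, but the statuses and evidence labels attached to them are invented), and the weights are not the DoD assessment methodology's point values.

```python
from dataclasses import dataclass, field

# Assumed scoring weights for this example: higher means a bigger gap.
STATUS_WEIGHT = {"not_implemented": 2, "partial": 1, "implemented": 0}


@dataclass
class PracticeResult:
    practice_id: str                 # NIST SP 800-171 practice, e.g. "3.1.1"
    family: str                      # control family abbreviation, e.g. "AC"
    status: str                      # one of the STATUS_WEIGHT keys
    evidence: list = field(default_factory=list)   # artefact references
    compensating_control: str = ""   # recorded in the register, not scored


def _practice_key(practice_id):
    """Numeric sort key so 3.1.2 sorts before 3.13.11."""
    return tuple(int(part) for part in practice_id.split("."))


def score_practice(result):
    """Return (score, evidence_gap). A practice claimed implemented or partial
    with no evidence reference cannot be verified by an assessor, so it is
    flagged and scored one point above what its status alone would give."""
    if result.status not in STATUS_WEIGHT:
        raise ValueError(f"unknown status {result.status!r} for {result.practice_id}")
    evidence_gap = result.status != "not_implemented" and not result.evidence
    return STATUS_WEIGHT[result.status] + (1 if evidence_gap else 0), evidence_gap


def build_gap_register(results):
    """Prioritized gap register: every practice with a nonzero score,
    highest score first, ties broken by practice number."""
    rows = []
    for r in results:
        score, evidence_gap = score_practice(r)
        if score == 0:
            continue
        rows.append({
            "practice_id": r.practice_id,
            "family": r.family,
            "status": r.status,
            "score": score,
            "evidence_gap": evidence_gap,
            "compensating_control": r.compensating_control,
        })
    rows.sort(key=lambda row: (-row["score"], _practice_key(row["practice_id"])))
    return rows


def detect_drift(previous, current):
    """Compare two quarterly assessments and report control drift: a practice
    whose status regressed, whose evidence disappeared, or which is no longer
    assessed at all. Improvements are not drift and are not reported."""
    prev = {r.practice_id: r for r in previous}
    curr = {r.practice_id: r for r in current}
    findings = []
    for pid, before in prev.items():
        after = curr.get(pid)
        if after is None:
            findings.append((pid, "missing_from_current"))
        elif STATUS_WEIGHT[after.status] > STATUS_WEIGHT[before.status]:
            findings.append((pid, "regressed"))
        elif before.evidence and not after.evidence:
            findings.append((pid, "evidence_removed"))
    findings.sort(key=lambda f: _practice_key(f[0]))
    return findings


# Constructed sample: five practices from a fictional Phase 2 assessment.
Q1 = [
    PracticeResult("3.1.1", "AC", "implemented", ["AC-policy-v3", "ad-group-export-q1"]),
    PracticeResult("3.1.2", "AC", "implemented"),            # claimed, no evidence
    PracticeResult("3.5.3", "IA", "partial", ["mfa-rollout-plan"]),
    PracticeResult("3.13.11", "SC", "not_implemented"),
    PracticeResult("3.14.1", "SI", "partial", compensating_control="weekly manual patch review"),
]

# Constructed sample: the same system one quarter later (Phase 5 check).
Q2 = [
    PracticeResult("3.1.1", "AC", "implemented"),            # evidence not refreshed
    PracticeResult("3.5.3", "IA", "implemented", ["mfa-enforced-policy"]),
    PracticeResult("3.13.11", "SC", "not_implemented"),
    PracticeResult("3.14.1", "SI", "not_implemented"),       # regression
]

if __name__ == "__main__":
    for row in build_gap_register(Q1):
        print(row)
    for finding in detect_drift(Q1, Q2):
        print(finding)
```

Two design points carry over to real tooling regardless of the weights chosen: an "implemented" practice with no evidence reference must surface in the register rather than silently scoring zero, because it is exactly what a C3PAO assessor will challenge; and the drift check must treat a practice that vanished from the current quarter's data as a finding, not as resolved.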
Governance Model
All SMG engagements operate under the following governance principles:
- Assessment separation: Advisory services are intentionally separated from implementation to preserve assessor objectivity and assessment defensibility
- Evidence traceability: All deliverables are version-controlled and traceable to specific NIST SP 800-171 practices
- Fixed-fee discipline: Engagements are scoped and priced as fixed-fee milestones, not open-ended hourly arrangements
- Principal-led delivery: All engagement phases are led directly by the firm principal
Repository Structure
/methodology
/phase-1-discovery - Discovery phase templates and guides
/phase-2-assessment - Assessment methodology and gap analysis framework
/phase-3-remediation - POA&M framework and remediation guidance
/phase-4-readiness - SSP structure and evidence package framework
/phase-5-continuous-compliance - Ongoing monitoring and drift detection framework
/governance-model - Engagement governance principles and standards
/engagement-playbooks - Phase-specific execution playbooks
Scope
Materials in this repository are public, client-safe methodology artifacts. They demonstrate the firm's structured delivery approach and governance principles.
Exclusions
Client-specific engagement workpapers, active POA&Ms, completed SSPs, evidence packages, and internal delivery SOPs are maintained in the firm's internal source control environment and are not published here.
Stella Maris Governance LLC - Governance, compliance, and operational discipline for high-trust defense environments.