Post-assessment services that close the gaps.
Targeted engagements and operational tools built around what transit agencies actually need to address after a CRR or NIST assessment.
Email Security and Platform Hardening
Email remains the primary attack surface at most agencies. We assess your current platform posture, close the most critical gaps, and deliver a hardening roadmap your team can execute.
- Email platform security assessment
- Password and credential policy review
- Filtering and separation recommendations
- Hardening roadmap with prioritized actions
MFA and Identity Gap Remediation
Admin accounts and remote access without MFA are the most exploited gaps in small agency environments. We map your identity exposure and deliver a phased implementation plan that works with your existing tools.
- Admin and remote access MFA gap inventory
- Identity exposure mapping
- Phased MFA enforcement plan
- Compatible with existing infrastructure
AI Governance and Security Architecture
Most agencies already have staff using AI tools outside any governance framework. We deliver an acceptable use policy, model risk assessment, and a network architecture roadmap that controls what's happening now and positions the agency for what comes next.
- AI tool inventory and shadow usage assessment
- Acceptable use policy and governance framework
- Model risk assessment
- AI-ready network architecture roadmap
Third-Party and Vendor Risk Management
Most agencies have no structured view of their vendor relationships or the risk each one carries. We build a vendor risk inventory, tier your third parties by exposure, and deliver a repeatable framework for onboarding and reviewing vendors going forward.
- Vendor and third-party inventory
- Risk tiering by data access and criticality
- Contractual security requirement templates
- Repeatable vendor review framework
Network Segmentation Design
We analyze your existing infrastructure and deliver a complete segmentation design separating corporate, email, and operational traffic — without requiring rip-and-replace. The output is a firm-fixed-price implementation plan your team or local IT can execute.
- Current-state infrastructure analysis
- Network segmentation design document
- Firm-fixed-price implementation plan
- Works with existing infrastructure
Fractional CISO Services
Most transit agencies don't need a full-time CISO; they need senior security leadership without the overhead. We embed as your dedicated security executive, owning program strategy, board reporting, and vendor oversight while your team stays focused on operations.
- Security program ownership and roadmap
- Board and executive-level reporting
- Policy governance and compliance oversight
- Baseline risk matrix and ongoing quarterly risk management
Responsible AI Development for Transit
AI can help stretched transit teams work faster: routing requests, flagging compliance risks, summarizing records. We build and govern the tools, so humans stay in control of critical decisions and every deployment is defensible, auditable, and transit-specific.
- AI use case discovery and prioritization
- Purpose-built tools for transit operations and compliance
- Human-in-the-loop design and decision guardrails
- Governance framework, monitoring, and incident response integration
IRP Build-Out and Tabletop Exercise Program
Most agencies have an IRP in a drawer or a COOP that hasn't been updated in years. We build or update the plan, then run a facilitated tabletop against real-world threat playbooks. A document is not a capability.
- IRP development and/or COOP update
- Facilitated TTX: phishing, ransomware, lost or stolen device
- After-action report and gap remediation plan
- Proven quarterly methodology
All engagements are scoped, deliverable-defined, and time-bound. No retainer. No MSP entanglement. Designed to complement your existing IT team.