CybrIQ for government · First 90 days
Deployment timeline

What the first 90 days look like, with the deliverables an agency keeps at each step.

Most federal evaluators have been told a deployment "takes a few weeks." That is rarely a useful number. This page walks the actual shape — week 1, week 2, month 1, month 2, and month 3 — with concrete artifacts at each step, the realistic edge cases that change the shape, and the SCIF / air-gap variant where it differs.

Horizontal five-phase deployment timeline for the first 90 days. Week 1 is readiness — scope confirmation, host hardware, SNMP read-only credentials, draft SSP boundary — delivering a signed readiness checklist. Week 2 is install — ESE and main instance installed on agency hardware, reference library loaded, first 30-second poll, first Device DNA identifications — delivering a first per-port inventory. Month 1 is baseline — authorization-list policy, threshold tuning, SIEM and NAC integrations live, first Section 889 sweep — delivering a baselined policy and deviation report. Month 2 is evidence — signed audit trail, NIST 800-53 Rev 5 controls mapped, CDM feed live, eMASS package contribution — delivering an audit-grade evidence pack. Month 3 is steady state — predictable event volume of roughly half an event per port per week, one ESE handling 500 switches, optional USB agent rollout complete, quarterly check-in — delivering a continuous-monitoring deployment in production. SCIF and air-gapped variants add about one week; multi-site adds an ESE per site; older switch families may require a network-side conversation in Week 1.

Week 1 — environment readiness

The week is procurement-side and network-side. CybrIQ has nothing installed yet. The agency confirms scope, identifies the host hardware, and prepares the read-only switch access.

  • Scope confirmation. Which buildings, which VLANs, which switch families. One pilot building is typical scope; a single CUI enclave is typical scope for CMMC programs.
  • Host hardware. A small Linux or Windows server for the External Scan Engine (ESE), and another for the main instance — both on agency-controlled hardware. Specs are light; the briefing call confirms the right size.
  • SNMP credentials. Read-only SNMP v3 credentials, scoped to the switches in scope, prepared by the agency's network team.
  • SSP boundary diagram. Initial draft of where CybrIQ sits in the authorization boundary, for the authorization team's reference.

Deliverable at end of week 1: a written environment-readiness checklist, signed off by the agency, that confirms install can begin.

Week 2 — install and first identification

Software install on agency hardware. ESE pulls its first read of the in-scope switches. The reference library begins identifying.

  • Install. ESE and main instance installed on the agency's hardware. SSL between components, inside the agency network. No outbound vendor connectivity required.
  • Reference library load. Initial library (signed package) installed. Library updates configured for the agency's chosen path: online (where allowed), staged via update server, or signed offline packages.
  • First poll. ESE polls the in-scope switches at the default 30-second cadence. First Device DNA fingerprints generated.
  • First identifications. Within hours: known device classes identified against the 750-million-device reference library. Unknown or low-confidence devices flagged for review.

Deliverable at end of week 2: a first inventory of every device on every in-scope port, with identification confidence, vendor, model class, MAC, VLAN, switch port, and last-seen timestamp.

Month 1 — baseline and tuning

The first month is where the deployment moves from "operating" to "in production for evidence." The agency baselines what is normal and tunes thresholds to that baseline.

  • Authorization-list baseline. The agency reviews the inventory against the existing asset register and decides which devices are authorized for which VLANs. The result is a baseline policy.
  • Threshold tuning. Default event volume is roughly one event per 100 ports per week in stable production; the agency tunes per VLAN where volume is noisier or quieter.
  • SIEM integration. Syslog (RFC 5424) or REST feed to the agency's SIEM (Splunk, Sentinel for Government, QRadar, Elastic). Sample detection content delivered.
  • NAC integration (if applicable). pxGrid / REST / context-server integration with the agency's NAC. Event payload aligned with the NAC's quarantine workflow.
  • First Section 889 sweep. Full inventory matched against the covered-entity reference library; deviation report produced.

Deliverable at end of month 1: baselined authorization-list policy, deviation report, and SIEM/NAC integration in production.
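The authorization-list baseline described above comes down to reconciling the per-port inventory against the asset register. The sketch below is an added example, not CybrIQ code or its export format: the record layout, the 0.8 confidence cut-off, and all sample MACs, ports and VLANs are constructed assumptions, with field names borrowed from the week-2 inventory columns.

```python
from dataclasses import dataclass

# Constructed record layout; field names follow the week-2 inventory columns
# on this page, not a documented CybrIQ export schema.
@dataclass(frozen=True)
class Port:
    mac: str
    vlan: int
    switch_port: str
    model_class: str
    confidence: float

def norm_mac(mac: str) -> str:
    """Normalize aa:bb:.., AA-BB-.., aabb.ccdd.eeff to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def deviations(inventory, baseline, min_confidence=0.8):
    """Return (switch_port, mac, reason) for each departure from the baseline.
    baseline maps a MAC to the VLANs that device is authorized for."""
    allowed = {norm_mac(m): set(v) for m, v in baseline.items()}
    seen, out = set(), []
    for p in inventory:
        mac = norm_mac(p.mac)
        seen.add(mac)
        if mac not in allowed:
            out.append((p.switch_port, mac, "not in asset register"))
        elif p.vlan not in allowed[mac]:
            out.append((p.switch_port, mac, f"not authorized for VLAN {p.vlan}"))
        elif p.confidence < min_confidence:  # assumed review threshold
            out.append((p.switch_port, mac, "low-confidence identification"))
    # Registered devices that never appeared on a port also need review.
    out += [("-", m, "registered but not seen") for m in sorted(allowed.keys() - seen)]
    return out

# Constructed sample data (locally administered MACs, made-up ports and VLANs).
INVENTORY = [
    Port("02:00:00:AA:BB:01", 10, "sw1/Gi1/0/1", "workstation", 0.97),
    Port("0200.00aa.bb02", 20, "sw1/Gi1/0/2", "printer", 0.95),
    Port("02-00-00-AA-BB-03", 10, "sw1/Gi1/0/3", "unknown", 0.41),
    Port("02:00:00:aa:bb:09", 10, "sw2/Gi1/0/7", "ip-camera", 0.92),
]
BASELINE = {"02:00:00:aa:bb:01": [10], "02:00:00:aa:bb:02": [30],
            "02:00:00:aa:bb:03": [10], "02:00:00:aa:bb:04": [10]}

if __name__ == "__main__":
    for row in deviations(INVENTORY, BASELINE):
        print(*row, sep="\t")
```

MAC normalization matters here because switch tables and asset registers rarely agree on separator style or case, and an un-normalized comparison reports every such device as unregistered.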

Month 2 — evidence and reporting

Month two is when the deployment moves from "tuned" to "producing audit-grade evidence." Audit trail begins. POA&M references are prepared. Continuous-monitoring strategy is documented.

  • Audit trail. Signed CSV / JSON exports — signed at the control plane with a SHA-256 hash — begin running on the cadence the agency selects (typically weekly or monthly).
  • Controls-mapped evidence pack. NIST SP 800-53 Rev. 5 controls (CM-8 family, SI-4, SR-3, SR-11, IA-3, AC-19) mapped to the evidence the deployment now produces. The agency's SSP can reference this directly.
  • CDM data feed (federal civilian). Field names aligned with HWAM expectations. The CDM dashboard sees more rows than it did before deployment.
  • eMASS package contribution (DoD). Per-device records, deviation logs, signed audit-trail exports structured for direct attachment to the program's eMASS authorization package.
  • Board / oversight reporting (where applicable). First monthly inventory + deviation summary in the format the agency's CIO or oversight committee reads.

Deliverable at end of month 2: first month of audit-grade evidence, controls-mapped, with the audit-trail format the agency's authorization team and assessors expect.

Month 3 — steady state and scale

Month three is the steady-state shape. The agency operates the deployment as part of routine continuous monitoring. CybrIQ's involvement narrows to library updates, product updates, and the quarterly check-in.

  • Steady-state event volume. Around half an event per port per week at default thresholds in stable production. Volume is predictable; alert fatigue is the failure mode CybrIQ is built to avoid.
  • Scale considerations. One ESE handles up to 500 switches. Larger deployments add ESEs without adding main instances; multi-site deployments add ESEs at each site.
  • USB protection (optional, opt-in). If the agency added the optional workstation agent for USB-protection, month 3 is typically when the agent rollout reaches the steady-state population.
  • Quarterly check-in. Library version review, product release review, tuning review, and any change-management items for the next quarter.

Deliverable at end of month 3: a steady-state continuous-monitoring deployment producing audit-grade evidence on the agency's selected cadence.

Variants that change the shape

  • SCIF / air-gapped. Add roughly one week for the disconnected-environment operations brief and the approved-media path for library updates. Otherwise the install and tuning shape is the same.
  • Multi-site. Each additional site adds one ESE install. The main instance is shared across sites if the agency's network design allows it; otherwise each site has its own.
  • Older switch families. Where the in-scope switches do not expose modern LLDP/CDP or do not support SNMP v3, week 1 includes a network-team conversation about supplementary signal sources. Sometimes a network refresh has to come first.
  • Active C3PAO assessment. CMMC L2 contractors going into an assessment compress the shape: install in week 1, tuning in week 2, evidence pack in week 3.

What does not change

Regardless of variant: customer-installed software on agency hardware, no vendor cloud in the path, read-only switch access via SNMP, no SPAN / mirror / inline taps, no agents on managed devices (USB-protection agent is optional, separate, and opt-in). The deployment posture sits inside the agency's authorization boundary the whole time.

Walk this timeline against your environment

30 minutes: we walk the 90-day shape against your scope, your authorization route, and your existing SIEM / NAC. The end of the call is a concrete week-by-week plan you can show your authorizing official.
