Do you work directly with agencies or only as a subcontractor?

Both. We deliver direct engagements with state and municipal agencies and subcontract to prime contractors on federal vehicles where teaming makes sense. The model fits the procurement pathway each agency prefers.

Can you support FedRAMP authorization end-to-end?

Yes. We advise on path selection (JAB versus Agency-Authorized), 3PAO selection, gap analysis, SSP and SAR support, POA&M management, and continuous monitoring program design. We do not perform 3PAO assessments ourselves; we coordinate with assessors clients select.

What is your relationship to NIST 800-53 and the Risk Management Framework?

Every recommendation is documented against NIST 800-53 control families. For new systems we walk clients through the Risk Management Framework end-to-end: categorize, select, implement, assess, authorize, monitor.

Do you support state-level StateRAMP authorization?

Yes. We advise SaaS providers and state agencies on StateRAMP authorization paths and on the reciprocity options between StateRAMP and FedRAMP for shared underlying control sets.

What does a typical first engagement look like?

Most agencies start with a 4 to 8 week discovery and roadmap engagement: a fixed-fee assessment of a defined scope (modernization candidates, AI readiness, cloud posture, or compliance gap) producing a written roadmap with phased recommendations and cost ranges.

Are you cleared to work on classified material?

Our current focus is unclassified federal civilian, state, and municipal work. Specific clearance status by team member is shared inside the formal capability package under NDA.

Practice Area / Government

Government IT Modernization

Government technology problems do not look like enterprise technology problems. The procurement cycles are different, the budget cycles are different, the political tolerances are different, and the consequences of getting the security posture wrong are different. Johnson Intelligence Group's government practice is structured around those realities. We advise federal civilian agencies, state agencies, county-level governments, and municipalities through technology decisions that have to clear procurement review, survive an audit, and deliver to citizens who do not get to choose another vendor.

Who we serve

Federal civilian agencies. Mission-support modernization, citizen-facing digital services, AI pilot programs, FedRAMP-authorization advisory for SaaS partners. We typically engage as a subcontractor to a prime that holds the agency contract, occasionally directly under a small-business set-aside or task order.

State agencies. Health and human services, transportation, revenue, workforce development. State agencies often run with smaller IT teams than their federal counterparts and benefit from senior advisory that does not crowd out the in-house staff. We have experience navigating cooperative purchasing arrangements (NASPO, MHEC, others) for state-level engagement.

County and municipal. County technology departments and city CTO offices. Most municipal IT teams are running 5 to 15 staff supporting a portfolio that would be 50 staff in a comparable enterprise. Senior advisory has to be efficient. Our engagements with municipalities are scoped tightly: a defined deliverable, a fixed price where possible, no scope creep.

Services we deliver

The most common engagement types in our government practice. Each is led by a partner-level technologist who delivers the work, and each produces written, procurement-defensible artifacts.

Legacy system modernization

Mainframe and AS/400 retirement strategy, COBOL-to-modern migration paths, Visual Basic and FoxPro application replacement, ERP modernization. We do not pretend any of this is fast or easy. We help clients sequence the work so that the most operationally fragile or budget-bleeding systems retire first, and so the agency's institutional knowledge gets captured before the people who built the original system retire themselves.

Citizen-facing platforms

Permitting portals, benefits eligibility systems, licensing renewals, complaint and service-request platforms. The 21st-Century IDEA Act compliance, accessibility (Section 508 / WCAG 2.1 AA), language access, and mobile-first design are non-negotiable. We help agencies write RFP language that gets responsive bids and select platforms that hold up under load and under public scrutiny.

Data warehousing and analytics

State and federal agencies are sitting on twenty years of operational data in systems that were never designed to be reported against. We design lakehouse and warehouse architectures that respect FOIA obligations, records-retention rules, and privacy requirements while still letting agency analysts answer questions in hours instead of weeks.

Cybersecurity posture

NIST 800-53 control gap analysis, NIST CSF posture assessment, FedRAMP and StateRAMP readiness, SOC 2 readiness for SaaS partners, supply-chain risk reviews, identity and access modernization. Many of our engagements begin with a security gap that an audit or incident surfaced; the modernization work follows from there.

AI pilot programs

Where AI is appropriate for public sector use cases, where it is not, and how to run a pilot that does not blow up politically. Most successful government AI pilots in 2025 and 2026 are narrow back-office uses: document classification, FOIA-request triage, eligibility verification with human-in-the-loop. We help agencies start there, build trust with elected officials and the public, and expand from a position of demonstrated competence.

Compliance frameworks we work in

Compliance is the floor. Every recommendation we make is documented against the appropriate framework so that procurement officers, auditors, and inspector general offices can trace the rationale.

FedRAMP — for SaaS partners selling to federal civilian agencies. Both JAB-authorized and Agency-Authorized paths.
FISMA — the underlying statute that drives federal information security. We help clients walk the Risk Management Framework end-to-end.
NIST 800-53 — the control catalog. Every recommendation maps to a control family so that gaps are visible.
NIST CSF (Cybersecurity Framework) — for posture assessments where a control-by-control walk is too granular.
StateRAMP — for SaaS partners selling to state agencies. We advise on reciprocity strategy with FedRAMP.
CJIS — for systems handling criminal justice information.
HIPAA — for state Medicaid programs, county health departments, and any agency handling protected health information.

Typical engagement structure

Most government engagements run through four phases. We size the engagement to the client's procurement pathway and budget cycle.

1. Assessment. 4 to 8 weeks. Site interviews, document review, current-state architecture documentation, control-family gap analysis, stakeholder alignment. Output: a written assessment with prioritized findings and a phased roadmap.

2. Roadmap. Continues from assessment or runs as a stand-alone engagement. Sequences the modernization work in 6, 12, and 24-month windows; identifies the procurement vehicles to use; estimates cost ranges; calls out the risks the agency leadership team needs to own. Output: a written roadmap document and an executive briefing.

3. Pilot. Narrow-scope implementation that proves the roadmap is real. We deliver alongside the agency team or a prime-contractor partner; we do not displace in-house staff or replace existing system integrators. Output: a working pilot, lessons-learned writeup, and a go / no-go recommendation for scale.

4. Scale. Sustained advisory through full implementation. Typically a retainer or fixed-monthly engagement model rather than time-and-materials. We act as the senior technology voice in the room while the client team or prime contractor delivers the build. Output: weekly check-ins, document review, vendor evaluation, on-call advisory.

How we differ from larger consulting incumbents

The largest federal consulting incumbents have institutional advantages we do not try to match: vehicle access, security infrastructure, and brand familiarity inside specific agencies. They also have institutional disadvantages we explicitly avoid: junior-heavy delivery teams, partner-level personnel disappearing after the kickoff briefing, billing-rate structures that incentivize hours over outcomes.

JIG runs the opposite playbook. We are small. The person who scopes the work delivers the work. We turn down engagements that are larger than our team can deliver senior-led. Agencies that have used larger firms previously and felt the bait-and-switch tend to like working with us.

Want to engage? Request our capability statement and we will respond within one business day with a capability package and a no-obligation discovery call to scope fit.