
An Albuquerque federal-adjacent SaaS · $90K → $420K MRR.

Industry archetype drawn from patterns across federal-adjacent B2B SaaS engagements in the Sandia + Kirtland corridor of Albuquerque, New Mexico. Representative metrics across 22 months: 4.7x MRR, NIST 800-171 attestation shipped, FedRAMP-Low-aware engineering, NRR 128 percent, Sandia-area defence-prime partner pipeline 6x.

Industry archetype. Based on patterns across multiple defense-adjacent SaaS clients in the New Mexico / Albuquerque corridor. Brand name and identifying details are illustrative; metrics are representative ranges across the engagement type. No fictional brand identity is being claimed as a real client.

metric rise · $90K → $420K MRR · 4.7x in 22 months
§ 01 · in short

A federal-adjacent B2B SaaS sitting in the Sandia + Kirtland corridor of Albuquerque, with $90K MRR and 9 commercial customers, scaled to $420K MRR over 22 months once it shipped a NIST SP 800-171 Rev. 3 self-attestation, migrated to AWS GovCloud (US), and built a partner channel through defence primes operating near Sandia National Laboratories. Five-pillar shape: 4.7x MRR, 22-month horizon, NRR 128 percent, partner pipeline 6x, single operational change = NIST 800-171 attestation that unblocked CUI-handling contracts.

  • MRR delta: $90K to $420K in 22 months · 4.7x trajectory.
  • Growth multiple: 4.7x with the partner-channel cohort contributing 41 percent of the lift.
  • Time horizon: 22 months from kickoff to milestone, including a 14-week build window.
  • NRR uplift: 102 percent to 128 percent on the back of multi-year defence-prime expansions.
  • Operational change: NIST SP 800-171 self-attestation + AWS GovCloud migration unblocked CUI-handling contracts.
  • MRR trajectory · 4.7x · $90K to $420K MRR across 22 months.
  • partner pipeline · 6x · Defence-prime partner channel pipeline post NIST 800-171.
  • NRR · 128% · Net Revenue Retention from multi-year defence-prime expansion.

Fig. 01 · archetype trajectory plate · M1 to M22 milestone curve. (Image: Albuquerque federal-adjacent SaaS archetype trajectory plate, Digital Heroes 4.7x MRR growth from $90K to $420K across 22 months in the Sandia and Kirtland corridor.)

§ 02 · the challenge archetype

A commercial SaaS sitting next to a federal-procurement gravity well.

The archetype represents a pattern we ship into reliably: a commercial-first B2B SaaS founded by ex-Sandia or ex-Kirtland engineers, operating from somewhere between Uptown ABQ and the Sandia Science and Technology Park, with $90K MRR across 9 commercial customers and an inbound queue of defence-prime subcontractors asking, "are you NIST 800-171 attested? do you run in GovCloud? can you handle CUI?" The founder knows the answer is no and that the next 18 months of revenue is locked behind those three questions.

Pre-engagement state: $90K MRR on a commercial-region AWS deployment, single-tenant, no Controlled Unclassified Information (CUI) handling boundary, no NIST 800-171 self-attestation on file in the SAM.gov Supplier Performance Risk System (SPRS) score record, no audit trail, no separation-of-duty controls, no SAML SSO. The stack was a typical commercial-SaaS combination: Next.js front end, a Python service tier, Postgres, Stripe, Auth0, vanilla AWS networking inside a single VPC. Nothing wrong with any of those choices on the commercial side, but every one of them became a question mark the moment a defence prime's security team asked, "show us your boundary diagram and your CUI flow-down".

The founder had three structural problems compounding the revenue ceiling. One, defence-prime subcontractor contracts that touch CUI (Controlled Unclassified Information) require the supplier to have a current NIST SP 800-171 self-assessment posted to SPRS. Without it, the SaaS could not even appear on the prime's approved-vendor short-list, regardless of how strong the product was on the technical merits. Two, several of the prime's downstream customers (notably the Air Force Research Laboratory at Kirtland and a couple of Sandia program offices) required FedRAMP-Low-aware controls for any tool that crosses into their environment, even if the SaaS itself did not need a full Authorization to Operate. Three, the partner motion required for the defence corridor (vendor onboarding, security questionnaires, Trade Agreements Act flow-down, ITAR-aware data residency assertions, past-performance documentation, capability statements) was simply not a thing the founding team had ever run.

The deeper problem under all three: the prime's procurement clock runs in fiscal-year cycles tied to the federal calendar, so missing one round of vendor-onboarding paperwork means waiting six to nine months for the next prime-led teaming opportunity. Two of the founder's strongest inbound inquiries had already moved that direction. The cost of doing nothing was not just slow growth, it was a measurable opportunity-cost line on the founder's own deal log.

§ 03 · the approach

The Federal-Ready Stack. 14 weeks. Five workstreams.

We named the methodology The Federal-Ready Stack: a 14-week, five-workstream build that takes a commercial-first SaaS from a commercial AWS deployment to NIST 800-171 attested, FedRAMP-Low-aware, partner-channel-ready, and SPRS-scored. The five workstreams ran in parallel with weekly Tuesday MT standups and Friday demos, every milestone Loom-recorded for the founder's federal advisor. We anchored the timeline to the prime's fiscal-year teaming windows so the SPRS score posted at week 9 lined up with the next round of vendor-onboarding calls, instead of arriving mid-cycle when the prime's procurement team was already locked out for the quarter.

Workstream 1 · NIST SP 800-171 Rev. 3 self-attestation. Full gap assessment against the 110 security requirements in NIST SP 800-171 Rev. 3. System Security Plan drafted, Plan of Action and Milestones tracked weekly, and the resulting score posted to SPRS via SAM.gov. Coverage areas: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, system and information integrity.

Workstream 2 · AWS GovCloud (US) migration with FedRAMP-Low controls. Migrated workloads from commercial AWS regions to AWS GovCloud (US). Aligned to the FedRAMP-Low baseline (a subset of NIST 800-53 Rev. 5 controls), with FIPS 140-3 validated cryptography, US-citizen-only operations staffing for the GovCloud tenancy, and full audit logging into CloudWatch + an immutable S3 GovCloud archive. The architecture is ATO-ready, even though a full ATO is a 12 to 18-month follow-on project.

Workstream 3 · Continuous-compliance tooling. Stood up continuous compliance evidence collection through Vanta with the NIST 800-171 framework template, then layered Drata for the SOC 2 Type II evidence trail the founder's commercial customers still required. Daily automated control checks, monthly evidence packages exported to a defence-prime portal, quarterly internal audit.

Workstream 4 · SSO, RBAC, and CUI-handling boundary. Implemented SAML 2.0 SSO via a federal-friendly identity provider, role-based access control with separation-of-duty enforcement, and a clearly-bounded CUI-handling module that segregates Controlled Unclassified Information from commercial-tier data. Audit-trail every administrative action; export the trail on demand for prime-subcontractor security questionnaires.
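The role model and audit trail that Workstream 4 describes, as an added illustration in Python; this is not the archetype's production code, and the role names, permissions and separation-of-duty pairs are constructed assumptions. It shows the two behaviours a prime's security reviewer looks for: a role grant that would give one principal a conflicting pair is refused, and every administrative and authorisation decision (allowed or denied) lands in an append-only trail that exports as JSON lines on demand.

```python
"""Added example, not the archetype's production code: a small RBAC layer with
separation-of-duty (SoD) enforcement plus an audit trail of every administrative
and authorisation decision, exportable as JSON lines for a prime's security
questionnaire. Role names, permissions and SoD pairs are constructed assumptions."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Constructed role model: the permissions each role grants.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "cui_author": frozenset({"cui:read", "cui:write"}),
    "cui_approver": frozenset({"cui:read", "cui:release"}),
    "auditor": frozenset({"audit:read"}),
    "admin": frozenset({"user:assign_role"}),
}

# Separation-of-duty pairs: no principal may hold both roles in a pair, e.g. the
# person who drafts CUI content must not be the one who releases it.
SOD_CONFLICTS: frozenset[frozenset[str]] = frozenset({
    frozenset({"cui_author", "cui_approver"}),
    frozenset({"admin", "auditor"}),
})


class SeparationOfDutyViolation(Exception):
    """Raised when a role grant would give one user a conflicting pair of roles."""


class PermissionDenied(Exception):
    """Raised when the acting principal lacks the permission for an admin action."""


@dataclass
class AuditEvent:
    ts: str
    actor: str
    action: str
    target: str
    outcome: str  # "allowed" or "denied"
    reason: str = ""


@dataclass
class AccessControl:
    assignments: dict[str, set[str]] = field(default_factory=dict)
    audit_log: list[AuditEvent] = field(default_factory=list)

    def _record(self, actor: str, action: str, target: str, outcome: str, reason: str = "") -> None:
        # Every decision, allowed or denied, is appended; nothing is ever removed.
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), actor, action, target, outcome, reason))

    def roles_of(self, user: str) -> set[str]:
        return self.assignments.get(user, set())

    def permissions_of(self, user: str) -> set[str]:
        perms: set[str] = set()
        for role in self.roles_of(user):
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def bootstrap_admin(self, user: str) -> None:
        # One-time grant of the first admin, attributed to "system" in the trail.
        self.assignments.setdefault(user, set()).add("admin")
        self._record("system", "bootstrap_admin", user, "allowed")

    def assign_role(self, actor: str, user: str, role: str) -> None:
        """Admin action: grant a role, refusing SoD-conflicting combinations."""
        target = f"{user}:{role}"
        if "user:assign_role" not in self.permissions_of(actor):
            self._record(actor, "assign_role", target, "denied", "actor lacks user:assign_role")
            raise PermissionDenied(actor)
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        candidate = self.roles_of(user) | {role}
        for pair in SOD_CONFLICTS:
            if pair <= candidate:
                reason = "SoD conflict " + " + ".join(sorted(pair))
                self._record(actor, "assign_role", target, "denied", reason)
                raise SeparationOfDutyViolation(reason)
        self.assignments.setdefault(user, set()).add(role)
        self._record(actor, "assign_role", target, "allowed")

    def authorize(self, user: str, permission: str, target: str) -> bool:
        """Runtime check inside the CUI module; the decision itself is audited."""
        allowed = permission in self.permissions_of(user)
        self._record(user, permission, target, "allowed" if allowed else "denied",
                     "" if allowed else "permission not granted by any held role")
        return allowed

    def export_audit_jsonl(self) -> str:
        """On-demand export for a security questionnaire: one JSON object per line."""
        return "\n".join(json.dumps(asdict(e), sort_keys=True) for e in self.audit_log)


def run_scenario() -> AccessControl:
    """Constructed walk-through: an admin staffs the CUI module; SoD refuses a conflicting grant."""
    ac = AccessControl()
    ac.bootstrap_admin("alice")
    ac.assign_role("alice", "bob", "cui_author")
    ac.assign_role("alice", "carol", "cui_approver")
    try:
        ac.assign_role("alice", "bob", "cui_approver")  # author + approver: refused and logged
    except SeparationOfDutyViolation:
        pass
    ac.authorize("bob", "cui:release", "doc-17")    # denied: bob can write, not release
    ac.authorize("carol", "cui:release", "doc-17")  # allowed
    return ac


if __name__ == "__main__":
    print(run_scenario().export_audit_jsonl())
```

The refusal is checked against the union of the user's existing roles and the new one, so the order in which roles are granted cannot sneak a conflicting pair past the rule, and the denied grant appears in the trail with the conflicting pair named, which is the line a reviewer asks to see.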

Workstream 5 · Sandia-corridor partner channel. Built the partner motion: capability statement aligned to the prime's Statement of Work language, past-performance write-ups stripped to the redactable subset, sub-tier vendor onboarding kits, security questionnaire library (the common 280-question security review pre-answered), and a partner enablement portal. Channel pipeline 6x'd over 12 months once the NIST 800-171 attestation landed in SPRS.

Two cross-cutting choices made the workstream timing work. First, the SPRS score posting in week 9 (right after the Workstream 1 gap-close) became the unlock signal for every other workstream's outbound conversation. Second, the GovCloud migration in Workstream 2 ran ahead of the partner-channel work in Workstream 5 by exactly six weeks, so by the time the first prime asked for an architecture diagram, the GovCloud tenancy was already a live production environment with three weeks of operational telemetry behind it. Sequence matters; we have rebuilt this 14-week plan four times and the sequencing is the part that did not move.

§ 04 · tech stack named

Federal-aware core. GovCloud-deployable. Boring choices.

The stack is intentionally boring. Every component is in a documented, audited deployment pattern that an outside 3PAO (third-party assessment organisation) or a prime's security team can recognise in 10 minutes. No bespoke crypto, no untested infra, no proprietary policy-as-code language. Every choice maps to a recognised federal control baseline.

  • infrastructure · AWS GovCloud (US) · AWS GovCloud (US) with FedRAMP-Low alignment, FIPS 140-3 cryptography, US-citizen-only operations.
  • continuous compliance · Vanta + Drata · Vanta for the NIST 800-171 evidence trail; Drata for SOC 2 Type II.
  • identity · WorkOS SAML + PIV-ready · SAML 2.0 SSO via WorkOS; PIV-card-ready login path for future federal-direct deployments.
  • procurement registration · SAM.gov SPRS posted · SAM.gov entity registration; NIST 800-171 score posted to the Supplier Performance Risk System.
  • observability · CloudWatch + S3 GovCloud archive · Immutable audit logs with object-lock retention aligned to the prime's record-retention flow-down.
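The "immutable audit logs with object-lock retention" line is the one a prime's security team will actually verify, so here is an added Python check (not the archetype's own tooling) that inspects an S3 bucket's Object Lock configuration against a retention requirement. The input dict has the shape boto3's get_object_lock_configuration() returns; the sample configurations, bucket names and the seven-year requirement are constructed for the example. It flags the three ways an "immutable" archive quietly is not: lock never enabled, GOVERNANCE rather than COMPLIANCE mode, or a default retention shorter than the flow-down.

```python
"""Added example, not the archetype's own tooling: verify that an S3 audit-log
archive bucket's Object Lock configuration meets a record-retention flow-down.
The input dict has the shape boto3's get_object_lock_configuration() returns;
the sample configurations and the 7-year requirement are constructed."""
from __future__ import annotations

REQUIRED_RETENTION_DAYS = 7 * 365  # assumed flow-down value, not from the page


def retention_days(default_retention: dict) -> int:
    """Normalise a DefaultRetention block (expressed in Days or Years) to days."""
    if "Days" in default_retention:
        return int(default_retention["Days"])
    if "Years" in default_retention:
        return int(default_retention["Years"]) * 365
    return 0


def check_object_lock(config: dict, min_days: int = REQUIRED_RETENTION_DAYS) -> list[str]:
    """Return findings; an empty list means the archive is immutable for the required period."""
    findings: list[str] = []
    lock = config.get("ObjectLockConfiguration") or {}
    if lock.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled: log objects can be overwritten or deleted"]
    default = (lock.get("Rule") or {}).get("DefaultRetention") or {}
    if not default:
        return ["no default retention rule: objects uploaded without per-object retention are unprotected"]
    mode = default.get("Mode")
    if mode != "COMPLIANCE":
        # GOVERNANCE mode can be shortened or removed by principals holding
        # s3:BypassGovernanceRetention; COMPLIANCE mode cannot, even by the root user.
        findings.append(f"retention mode is {mode}: GOVERNANCE mode can be bypassed by privileged principals")
    days = retention_days(default)
    if days < min_days:
        findings.append(f"default retention of {days} days is below the required {min_days}")
    return findings


def audit_archives(buckets: dict[str, dict], min_days: int = REQUIRED_RETENTION_DAYS) -> dict[str, list[str]]:
    """Run the check across several buckets; keys are bucket names, values are findings."""
    return {name: check_object_lock(cfg, min_days) for name, cfg in buckets.items()}


# Constructed sample configurations in the boto3 response shape.
COMPLIANT_ARCHIVE = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                     "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}}
GOVERNANCE_ARCHIVE = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                      "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 2555}}}}
SHORT_ARCHIVE = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                 "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}}}
NO_LOCK = {}

if __name__ == "__main__":
    # Live use (not run here) would fetch each config with
    #   boto3.client("s3", region_name="us-gov-west-1").get_object_lock_configuration(Bucket=name)
    # and treat a raised "configuration not found" error as a failing bucket.
    for name, findings in audit_archives({"audit-archive-prod": COMPLIANT_ARCHIVE,
                                          "audit-archive-legacy": GOVERNANCE_ARCHIVE,
                                          "audit-archive-short": SHORT_ARCHIVE,
                                          "audit-archive-unlocked": NO_LOCK}).items():
        print(name, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```

Object Lock can only be turned on when versioning is enabled, so a passing result here also implies the bucket keeps prior versions; what the check does not cover is the bucket policy and the IAM side, which a full review would read alongside it.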

§ 05 · 22-month detail

The numbers behind the headline.

Five metric pillars: 4.7x MRR growth ($90K to $420K), 22-month time horizon, NRR moved from 102 percent to 128 percent on multi-year defence-prime expansions, partner-channel pipeline 6x'd through Sandia-corridor primes, and one operational change (NIST SP 800-171 self-attestation posted to SPRS) that gated everything else. Specific brands inside the pattern range plus or minus 25 percent on each line.

metric · pre-engagement · month 8 · month 22
MRR · $90K · $185K · $420K
Defence-prime sub-tier wins · 0 · 3 · 11
NIST 800-171 score (SPRS) · not posted · 68 / 110 · 102 / 110
GovCloud + FedRAMP-Low-aware · none · migrated · aligned
Partner pipeline (count) · 2 · 6 · 12
NRR · 102% · 115% · 128%

Metrics representative of the archetype; specific brands within the pattern range plus or minus 25 percent on each line.

Fig. 02 · archetype dashboard · five headline metric tiles. (Image: Albuquerque federal-adjacent SaaS archetype metrics dashboard, $420K MRR with 4.7x growth, 102 of 110 SPRS NIST score, 11 prime sub-tier wins, 128 percent NRR, 6x partner pipeline.)

What transfers to a comparable Albuquerque build. Five capabilities move directly from the archetype to a paired engagement: a NIST SP 800-171 Rev. 3 gap assessment with the System Security Plan and Plan of Action and Milestones drafted to defence-prime audit standards; an AWS GovCloud (US) migration sized to the federal-tier workloads only, with the commercial cohort left on cheaper commercial regions; a continuous-compliance evidence trail in Vanta plus Drata so the monthly export to a prime's security portal is a five-minute task instead of a five-day fire drill; SAML 2.0 SSO with PIV-card-ready paths and a clean separation-of-duty role model; and a Sandia-corridor partner-channel kit including the pre-answered 280-question security questionnaire library, a redacted past-performance section, and a capability statement aligned to common Statement of Work language from the primes operating near Kirtland.

The five-pillar metric shape (4.7x MRR over 22 months, NRR 128 percent, partner pipeline 6x, single operational change = NIST 800-171 attestation posted to SPRS) is intentionally a benchmark, not a promise. Each engagement we have shipped on this pattern landed inside plus or minus 25 percent of those numbers, and the variance is almost entirely driven by how quickly the founder's existing prime relationships moved from "interested" to "request for proposal". Two engagements hit $420K MRR in 18 months; one took 28 months because the founder's largest prime relationship froze for a fiscal-year transition.

§ 06 · founder perspective
"We spent two years explaining to primes why we were almost ready. The NIST 800-171 score posted to SPRS, then the GovCloud tenancy went live, and inside six weeks the conversation flipped from 'maybe next cycle' to 'can you onboard by the end of the quarter'. The work was tedious. The unlock was immediate."
a federal-adjacent SaaS founder we worked with in the Sandia corridor (archetype composite, identity withheld per the disclosure above).

§ 08 · questions we get

Five questions Albuquerque founders always ask first.

Is a NIST SP 800-171 self-attestation the same as a CMMC certification?

No. NIST SP 800-171 is the underlying control catalogue; CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense programme that, at Level 2, requires a third-party assessment against those same 800-171 controls. A self-attestation posted to SAM.gov SPRS is sufficient for many prime-subcontractor flow-downs today; CMMC Level 2 third-party certification is the harder, more expensive step that unlocks the full DoD contract base. In the archetype above, the self-attestation was the gate that mattered.

Does AWS GovCloud cost more than commercial AWS?

Yes, typically 10 to 25 percent more on compute and storage than the comparable commercial AWS regions, plus the operational overhead of US-citizen-only staffing and a separate billing account. For the archetype, we sized the GovCloud footprint to the federal-tier workloads only and kept commercial customers on the commercial-region deployment. That split keeps the cost premium aligned with the revenue that actually requires it. See the AWS GovCloud pricing page for current rates.

Do I need a full FedRAMP Authorization to Operate to sell to defence primes near Sandia?

Usually not for sub-tier work. Most defence-prime subcontractor relationships flow the prime's own ATO down to the supplier, so what the prime needs from you is NIST 800-171 attestation plus FedRAMP-Low-aware engineering (so their security team can map your controls into their authorization boundary). A full Moderate or High ATO is a 12 to 18-month, six to seven-figure project and is only the right path if you are selling directly to a federal agency rather than through a prime.

You are based in New York and Delhi. Can you handle ITAR-aware work for an Albuquerque client?

For any workstream that touches ITAR-controlled technical data, we staff with US-citizen-led teams only and keep the work inside our US-citizen-operated GovCloud tenancy. For commercial-tier work (the front-end build, the customer-facing marketing site, the SOC 2 evidence trail), we use our standard global production cadence. The line is drawn at the data, not at the org chart, and every engagement starts with a written scope clarifying which workstreams are US-citizen-only and which are global.

How long does the 14-week Federal-Ready Stack take in calendar time, including review cycles?

14 weeks of build plus roughly four to six weeks of evidence collection and SPRS posting. The first defence-prime sub-tier win typically lands in months six to nine, and the full 6x partner pipeline materialises across months 12 to 18. The 22-month horizon to $420K MRR cited in the archetype includes the build window, the first prime contract close, the first expansion, and a second wave of prime onboarding. Faster paths exist (we have shipped the build in 11 weeks), but the SPRS scoring and prime security-review cycles set the floor on the calendar.

§ 09 · book the albuquerque call

Sandia corridor. 4.7x trajectories don't ship themselves.

30-minute call on Mountain Time. Written scope and fixed-price quote in 48 hours. US-citizen-led staffing on any ITAR-aware workstream.
