AI & CRM Consulting · Atlanta, GA

Intelligent Systems.
Measurable Results.

Graydots International Concepts LLC embeds inside your Salesforce org, your Azure tenant, and your workflows — and doesn't leave until outcomes are measurable.

SAM.gov Registered
CAGE Code: 10KT0
5× Salesforce Certified
Microsoft Azure Partner
Minority Owned Business
Salesforce CRM · Microsoft Azure · AI Automation · Workflow Optimization · OmniStudio · Service Cloud · CMMC Compliant · Government Contracting · Digital Transformation · Minority Owned · CAGE 10KT0
10+ Years Enterprise IT Experience
Salesforce Certifications
3 Government & Enterprise Verticals
2 Tier-1 Cloud Partnerships

Built on Expertise.
Driven by Outcomes.

Graydots International Concepts LLC is an Atlanta area technology consulting firm specializing in CRM strategy, AI powered automation, and enterprise cloud solutions — led by a practitioner who has operated at the intersection of enterprise IT and academic research for over a decade.

Our methodology is evidence-based. Every engagement is grounded in Information Systems research frameworks — TAM, UTAUT, and change management theory — ensuring technology decisions translate into measurable adoption, not just deployment.

Headquartered in Smyrna, Georgia, we serve government agencies, mid market enterprises, and mission driven organizations across commercial and public sectors.

SAM.gov · CAGE 10KT0  |  Minority Owned Business  |  Research Backed Methodology  |  CMMC Level 1 In Progress
Amos Oyekanmi
Founder & CEO · PhD Candidate, Information Systems
With over 10 years spanning Diamond Bank, Tiffany & Co., Accenture, and Salesforce Inc., Amos brings practitioner grade expertise to every engagement. As a doctoral researcher in Information Systems at Kennesaw State University, he applies peer reviewed frameworks to ensure technology adoption — not just implementation.
PhD Candidate · KSU  |  MSc International Business  |  Salesforce × 5  |  Azure Partner  |  Designated Cyber Owner
10+ Years Enterprise IT
Salesforce Certified
3 Industry Verticals
2 Cloud Platforms
What We Do

Core Services

We embed where your team works — inside your Salesforce org, your Azure tenant, your workflows — and don't leave until outcomes are measurable.

Salesforce CRM Consulting
Strategy, implementation, and optimization across Salesforce platforms. From initial architecture to advanced customization, managed support, and user adoption programs.
Sales Cloud · Service Cloud · OmniStudio · Admin
AI & Automation Solutions
Leverage AI to automate workflows, reduce manual overhead, and unlock intelligent decision-making. Built on platforms your team already uses — with adoption baked in from day one.
Azure OpenAI · Agentforce · Automation
Microsoft Azure Integration
Cloud architecture, integration services, and managed Azure solutions. Scalable, secure, and connected enterprise ecosystems built to government and enterprise standards.
Azure Cloud · Integration · Architecture
Workflow & Process Optimization
Analyze, redesign, and automate business processes to eliminate bottlenecks and reduce costs. Grounded in process improvement methodologies with measurable efficiency outcomes.
Process Design · Efficiency Audits · Automation
Government IT Consulting
Technology solutions for federal, state, and local agencies — delivered by a SAM.gov registered, minority owned firm with active CAGE Code and NAICS 541511 alignment.
Federal · State & Local · NAICS 541511
CMMC Readiness Advisory
Gap assessments, policy development, access control implementation, and incident response playbooks for small businesses pursuing DoD and government contracts.
CMMC Level 1 · Level 2 Roadmap · NIST 800-171
Credentials

Certified. Verified. Trusted.

Every engagement is backed by active certifications from the platforms that power enterprise and government technology today.

Salesforce Certified Administrator
Salesforce OmniStudio Consultant
Salesforce Service Cloud Consultant
Salesforce Certified ×2 Additional
Microsoft Azure Partner
SAM.gov Registered Vendor
Minority Owned Business Enterprise
CMMC Level 1 Self-Attestation In Progress
Industries Served

Deep Domain Experience

01 · Financial Services
CRM and automation for banks, credit unions, and financial firms — improving client management and compliance workflows.
02 · Healthcare
Patient engagement, care coordination, and operational automation enabling providers to focus on outcomes, not administration.
03 · Retail & Commerce
Customer journey optimization and commerce automation powering personalized experiences at scale.
04 · Government & DoD
Federal, state, and local agency technology modernization by a registered, compliant, minority owned, CMMC-pursuing vendor.
Government Contracting

Built for Public Sector Procurement

Graydots understands the procurement landscape. We're fully registered, compliant, and positioned as a minority owned vendor — making us an ideal partner for agencies with supplier diversity mandates.

Registered, Compliant & Minority Owned
With active SAM.gov registration, a Microsoft Azure partnership, and deep enterprise IT experience, Graydots is positioned to support federal, state, and local procurement needs. Our minority owned status supports supplier diversity goals, and our active CMMC Level 1 self-attestation journey positions us for DoD supply chain inclusion.
NAICS 541511 · Custom Computer Programming Services  |  Team Georgia Marketplace Registered  |  CAGE Code 10KT0  |  CMMC Level 1 In Progress
CAGE Code: 10KT0
Registration: SAM.gov
NAICS: 541511
CMMC: L1 Active
Why Us

The Graydots Difference

Research Backed Methodology
Led by a doctoral researcher in Information Systems, our engagements apply peer reviewed frameworks — TAM, UTAUT, change management theory — so technology drives adoption, not just deployment.
Practitioner Led Delivery
Every project is led by a certified, experienced consultant — not handed off to junior staff. You get senior expertise from discovery through delivery, every time.
Cross Platform Fluency
We speak Salesforce, Azure, and AI natively. Our cross platform perspective means we recommend what's right for your business — not what we happen to sell.
Government Ready & CMMC Pursuing
SAM.gov registered, CAGE coded, minority owned, NAICS aligned, and actively pursuing CMMC Level 1 self-attestation and Level 2 roadmap. We understand what DoD procurement demands.
Outcome Focused Engagements
We measure success by adoption rates, efficiency gains, and business outcomes — not deliverables submitted. If it's not working, we stay until it does.
Agile & Responsive
As a focused consultancy, we move fast and stay close to our clients. Clear communication, rapid iteration, and results — with none of the bureaucracy of large firms.
Get In Touch

Let's Work Together

Ready to transform your technology?

Whether you're implementing Salesforce, automating workflows with AI, modernizing on Azure, or exploring a government contracting partnership — we'd love to hear from you.

📍 Headquarters: Smyrna, Georgia (Atlanta Metro Area)
✉️ Email: info@graydots.org
🏛️ Government Registration: SAM.gov · CAGE Code 10KT0 · NAICS 541511
☁️ Technology Partnerships: Salesforce · Microsoft Azure
🔒 CMMC Status: Level 1 Self-Attestation In Progress · Level 2 Roadmap Active

We typically respond within 1 business day. For urgent government procurement inquiries, please include your agency name and timeline.

White Paper · April 2026 · Version 1.0

CMMC 2.0 Compliance & Security Posture Overview

A comprehensive overview of Graydots International Concepts LLC's cybersecurity posture, CMMC 2.0 compliance journey, and readiness framework for DoD and federal government contracting.

CAGE Code: 10KT0  |  SAM.gov Registered  |  NAICS 541511  |  CMMC Level 1 In Progress  |  Level 2 Roadmap Active
🔒 Confidential — For Authorized Distribution Only
Executive Summary

Graydots International Concepts LLC is a Smyrna, Georgia-based IT and CRM consulting firm pursuing federal and DoD contracts through SAM.gov registration (CAGE Code 10KT0), NAICS 541511 alignment, and active engagement with the SBA 8(a) and minority owned business certification pathways.

This white paper serves three purposes: (1) to document Graydots' current cybersecurity posture and policies transparently, (2) to demonstrate our understanding of CMMC 2.0 requirements as both a contracting entity and an advisor, and (3) to position Graydots as a credible CMMC readiness partner for organizations pursuing government IT contracts.

Cybersecurity readiness is not a checkbox exercise — it is a living operational discipline. For any company pursuing DoD or federal agency contracts, failure to demonstrate CMMC compliance will result in disqualification from the Defense Industrial Base (DIB) supply chain.

Key Takeaway: CMMC 2.0 became a contractual requirement across most DoD procurements in 2025. Any company in the Defense Industrial Base — including IT consultants, MSPs, and cloud solution partners — must demonstrate compliance or risk contract ineligibility.

What is CMMC 2.0?

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's framework for ensuring contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Brief History

  • 2010 — Executive Order (CUI Program): Established the Controlled Unclassified Information program to standardize sensitive government data handling across agencies and contractors.
  • 2016 — DFARS 7012: Required DoD contractors to implement NIST SP 800-171 and self-attest compliance. Self-attestation alone proved insufficient — audits revealed widespread non-compliance.
  • 2021–2025 — CMMC 2.0: Streamlined to three levels. Level 1 self-attestation retained. Level 2 requires third-party C3PAO assessment for CUI programs. Finalized and enforced across DoD acquisitions.

The Three Levels

  • Level 1 (Foundational): 17 practices · FCI protection · Annual self-attestation by company leadership · Based on FAR 52.204-21
  • Level 2 (Advanced): 110 practices · NIST 800-171 Rev 2 · 14 control families · Third-party C3PAO assessment required
  • Level 3 (Expert): 110+ practices + NIST 800-172 · Government-led DIBCAC assessment · Highest CUI sensitivity programs

Critical Insight: CMMC is not a checkbox — it is a living, maturing program. False attestations carry criminal liability under the False Claims Act. The era of unchecked self-attestation without documentation is over.

Our Security Posture

Graydots maintains a documented, operationally active cybersecurity posture. The following elements are currently implemented and maintained as living policies — not aspirational documents.

  • Cyber Owner Assigned: The Founder and Executive Director serves as designated Cyber Owner — responsible for all cybersecurity decisions, policy enforcement, and compliance documentation. Formalized in writing.
  • Written Cyber Policy: Formal one-page cyber policy covering: purpose, scope, password rules, MFA requirements, approved tools, and consequences for non-compliance.
  • Device Inventory: Maintained inventory of all company-owned devices — laptops, desktops, tablets, mobile. Each logged with owner, OS version, and compliance status.
  • Identity & Access Management: Unique user accounts enforced. MFA mandatory across email, VPN, admin portals, and cloud platforms. All legacy and unused accounts removed.
  • Centralized File Storage: Single approved file storage location enforced. Restricted folder access by role. USB storage policy in place. Personal file sharing platforms prohibited.

Data Classification & CUI/FCI Handling

CUI is sensitive but unclassified government information requiring safeguarding per law, regulation, or government-wide policy. It moves through everyday channels — email, shared drives, collaboration platforms — making disciplined handling essential.

  • CUI Identification: All government-related data reviewed upon receipt for CUI/FCI classification per the CUI Registry categories.
  • Defined Storage Locations: CUI/FCI stored only in approved, access-controlled locations. Never on personal devices or unapproved cloud platforms.
  • Email Protection: CUI/FCI never transmitted via unprotected email. Encryption required for digital transmission of sensitive government data.
  • Social Media Policy: Formal policy prohibits sharing client information, contract details, or project specifics that could constitute FCI/CUI disclosure.
  • Data Mapping: Sensitive data mapped — what exists, where it lives, who has access, and what protections apply.

Access Control Policy

Access control is one of the 14 NIST 800-171 control families and is foundational to CMMC at every level. Our policy follows least-privilege principles and is actively maintained.

  • Unique User IDs: Shared accounts strictly prohibited. Every user has a unique identifier. Account sharing is a documented policy violation with consequences.
  • MFA Everywhere: Multi-factor authentication enforced on all email, VPN, admin portals, cloud services, and Salesforce orgs.
  • Remote Access: All remote access through approved methods only. VPN or equivalent required. Unsecured direct connections prohibited.
  • Vendor Access: Written approval required. Scoped to minimum permissions. Expiration date mandatory. Sessions logged and reviewed.
  • Mover/Joiner/Leaver Process: Documented procedures for account creation, modification, and deprovisioning. Termination completed within 24 hours of separation.

Flow-Down Policy: All third-party subcontractors and vendors who access our systems or client data are subject to the same access control standards. This flow-down requirement is documented in all vendor agreements.

Incident Response Plan

Graydots maintains a documented, plain-language Incident Response Plan (IRP). The Founder/Executive Director is the primary Incident Response Owner. The five-phase response cycle:

  • Phase 1, Detection: Classify incident. Log time, scope, affected systems.
  • Phase 2, Containment: Revoke access. Isolate systems. Suspend integrations.
  • Phase 3, Notification: Client notification within 24 hrs. DoD via DIBNet within 72 hrs.
  • Phase 4, Eradication: Remove threat. Patch. Restore from clean backup.
  • Phase 5, Post-Incident: Root cause analysis. Policy update. Lessons learned.

Compliance Note: This IRP complies with US data breach notification requirements and DFARS 252.204-7012, which requires cyber incident reporting to the DoD within 72 hours via the DIBNet portal.

Third-Party & Vendor Risk Management

  • Pre-Engagement Vetting: All third parties vetted before engagement — business verification, service scope, and security posture evaluation.
  • OFAC Screening: Screening against the SDN list and Consolidated Sanctions list for all new vendors, subcontractors, and international partners.
  • Confidentiality Agreements: All third parties must execute an NDA/confidentiality agreement prior to system or data access.
  • FedRAMP Cloud Services: Cloud providers used in government engagements must be FedRAMP authorized. Current platforms under FedRAMP review.
  • Third-Party Risk Framework: Formal framework in development. Target completion: Q3 2026.

Compliance Framework Alignment

Framework | Relevance | Status
NIST CSF | Foundational risk management — Identify, Protect, Detect, Respond, Recover | Active
NIST 800-171 Rev 2 | 110 requirements, 14 control families — CMMC Level 2 foundation | In Progress
DFARS 7012 | DoD clause for cyber incident reporting and CUI protection | Active
CMMC 2.0 Level 1 | 17 practices, FCI protection, annual self-attestation | Self-Attestation In Progress
CMMC 2.0 Level 2 | 110 practices, CUI protection, C3PAO assessment | Roadmap 2026
SOC 2 | Trust service criteria for enterprise client assurance | Roadmap Q4 2026
FedRAMP | Cloud service authorization awareness for Level 2 readiness | Awareness Active

AI & Automation Security Policy

As an AI and automation consulting firm deploying Salesforce Agentforce and Azure OpenAI, Graydots applies formal responsible use policies to all AI deployments — internally and in client engagements.

  • Responsible Use Policy: Formal AI policy governing all Agentforce and Azure OpenAI deployments — data handling, output review, and client disclosure requirements.
  • Data Minimization: Minimum necessary data principles applied to all AI workflows. Only required data used to train, test, or operate models.
  • CUI/FCI Prohibition: Client CUI or FCI data is never entered into unapproved AI tools. Any AI tool used in government engagements must be reviewed and approved prior to use.
  • Output Review: All AI-generated outputs reviewed by a qualified human before client delivery. No automated outputs submitted as final work product without oversight.

Why This Matters: Emerging DoD guidance is beginning to address AI use in government contracting. Proactively establishing AI governance positions Graydots ahead of anticipated regulatory requirements.

CMMC Readiness Roadmap for Clients

Graydots offers CMMC readiness advisory services grounded in the Georgia MEP / GT Apex Accelerator CMMC training program framework, adapted for small businesses under 10 employees pursuing Level 1 self-attestation or Level 2 C3PAO assessment.

  • CMMC Gap Assessments: Current-state review against Level 1 (17 practices) and Level 2 (110 practices) to identify gaps and build an achievable roadmap.
  • Policy Development: Drafting and implementation of cyber policies, access control procedures, incident response playbooks, and data handling policies.
  • Access Control Implementation: Salesforce and Azure security configuration, MFA enforcement, and role-based access controls aligned to CMMC.
  • Incident Response Playbook Development: Plain-language playbooks tailored to small business operations that satisfy C3PAO assessment criteria.
  • SPRS Score Support: Assistance with Supplier Performance Risk System score calculation and documentation for DoD self-attestation submission.

Reference Program: Our advisory methodology is informed by the Georgia MEP / GT Apex Accelerator CMMC training program. We partner with the Apex Accelerator network to connect clients with CMMC Registered Practitioners and C3PAO referrals when third-party assessment is required.

10-Step CMMC Readiness Checklist

Based on the Georgia MEP / GT Apex Accelerator 30–60 day foundational program for small businesses under 10 employees. Complete these steps in order to establish a defensible CMMC posture.

01 · Assign a Cyber Owner
⏱ ~1 hour · 💲 $0 · ✅ Complete
  • Formally name one person responsible for all cybersecurity decisions
  • Document the designation in writing — even a signed memo suffices
  • Ensure the Cyber Owner understands their full scope of accountability
CMMC Tie-in: Governance and accountability appear across all CMMC control families. Assessors will ask "who owns cybersecurity?" — you must have a documented answer.
02 · Write a One-Page Cyber Policy
⏱ ~2–3 hours · 💲 $0 · ✅ Complete
  • Cover: purpose, who it applies to, password rules, MFA requirements
  • List approved tools and platforms explicitly
  • State consequences for non-compliance clearly
  • Date and sign the document — update it when practices change
CMMC Tie-in: Policies must match actual practice — documentation cannot be aspirational. Assessors compare written policy to observed reality.
03 · Inventory All Devices
⏱ ~2–3 hours · 💲 $0 · ✅ Complete
  • List every laptop, desktop, phone, tablet, printer, and scanner
  • Note: owner name, company-owned vs. personal, OS version
  • Flag any personally owned devices used for work (BYOD risk)
  • Review and update quarterly
CMMC Tie-in: Asset and configuration management is foundational. You cannot protect what you cannot see.
04 · Lock Down Identity & Access
⏱ ~1–2 days · 💲 Low cost · ✅ Complete
  • Enforce unique user accounts — no sharing, no group logins
  • Enable MFA on all platforms: email, VPN, admin portals, cloud services
  • Audit and remove all legacy, unused, and former-employee accounts
  • Review admin-level accounts — limit to minimum necessary
CMMC Tie-in: Access Control (AC) is one of the 14 NIST 800-171 control families. MFA alone addresses multiple Level 1 and Level 2 practices.
05 · Centralize File Storage
⏱ ~1 day · 💲 Low / already paid · ✅ Complete
  • Pick one approved location: SharePoint, OneDrive, or FedRAMP-authorized equivalent
  • Restrict sensitive folder access by role — not everyone needs everything
  • Eliminate USB storage usage for business data
  • Prohibit personal cloud drives (Dropbox, personal Google Drive) for work files
CMMC Tie-in: Required for FCI/CUI protection and system scoping. Level 2 requires FedRAMP-authorized cloud storage. Centralization reduces scope and risk simultaneously.
06 · Define Sensitive Data Handling
⏱ ~Half day · 💲 $0 · ✅ Complete
  • Document: what data would cause harm if leaked, where it lives, who has access
  • Define email handling policy — what can/cannot be sent unencrypted
  • Establish LinkedIn and social media posting rules for project/client information
  • List approved collaboration tools — and explicitly prohibit unapproved ones
CMMC Tie-in: Builds the CUI awareness muscle needed for Level 2. Smaller CUI scope = lower assessment cost.
07 · Enable Automatic Updates
⏱ ~1 hour · 💲 $0 · ⚠️ In Progress
  • Enable automatic OS updates on all Windows and Mac devices
  • Enable automatic browser updates across all devices
  • Enable automatic mobile OS updates on all company and BYOD devices
  • Document update cadence and verify compliance quarterly
CMMC Tie-in: Configuration Management (CM) and vulnerability management requirements recur throughout Level 1 and Level 2. Unpatched systems are the most common assessment finding.
08 · Enable and Test Backups
⏱ ~1–2 days · 💲 Low cost · ⚠️ In Progress
  • Configure cloud backups for email (Microsoft 365 or Google Workspace backup)
  • Configure cloud backups for all file storage
  • Set up local device backups as secondary redundancy
  • Schedule and actually perform a restore test quarterly — document the result
CMMC Tie-in: Level 2 includes specific requirements for data backup and recovery. An untested backup is not a backup.
09 · Draft an Incident Response Playbook
⏱ ~2 hours · 💲 $0 · ✅ Complete
  • Define: what counts as an incident (phishing success, ransomware, unauthorized access)
  • Name: who to notify internally and externally
  • List: what systems to disconnect immediately
  • Identify: who is authorized to speak to clients and regulators
  • Keep it to one page — complexity is the enemy of execution under pressure
CMMC Tie-in: Incident Response (IR) is required at all CMMC levels. DFARS 7012 requires DoD notification within 72 hours of discovery.
10 · Train All Employees
⏱ ~30 min/session · 💲 $0 – Low · ⚠️ In Progress
  • Cover phishing recognition, password hygiene, and social engineering awareness
  • Make training recurring — quarterly or bi-annual minimum
  • Use free resources: CISA free trainings, DoD CUI Cyber Awareness Training
  • Reference: DoD CMMC scoping and assessment guides (publicly available)
  • Log all training completions — dates, attendees, topics covered
CMMC Tie-in: Awareness and Training (AT) is required at all CMMC levels. Documented, recurring training is assessed — verbal assurances are not sufficient.

Level 1 Self-Assessment Prep — 17 Practices

Level 1 requires self-attestation by a senior company official that all 17 practices from FAR 52.204-21 are implemented.

# | Practice Area | Domain | Status
1 | Limit information system access to authorized users | Access Control |
2 | Limit access to types of transactions authorized users are permitted to execute | Access Control |
3 | Verify and control/limit connections to external systems | Access Control | ⚠️
4 | Control CUI posted or processed on publicly accessible systems | Access Control |
5 | Identify information system users, processes, and devices | Identification & Auth |
6 | Authenticate users, processes, or devices before allowing access | Identification & Auth |
7 | Sanitize or destroy information system media containing FCI before disposal/reuse | Media Protection | ⚠️
8 | Limit physical access to organizational systems to authorized individuals | Physical Protection |
9 | Escort visitors and monitor visitor activity | Physical Protection |
10 | Maintain audit logs of physical access | Physical Protection | ⚠️
11 | Control and manage physical access devices | Physical Protection |
12 | Monitor, control, and protect communications at external boundaries | System & Comm Protection | ⚠️
13 | Implement subnetworks for publicly accessible system components | System & Comm Protection | ⚠️
14 | Identify, report, and correct information system flaws | System & Info Integrity |
15 | Provide protection from malicious code at appropriate locations | System & Info Integrity |
16 | Update malicious code protection mechanisms | System & Info Integrity |
17 | Perform periodic scans and real-time scans of files from external sources | System & Info Integrity | ⚠️
