How to use this page
- Each card opens the live portfolio pane for that prospect. Drag-to-reorder, editable, backed by Atlas. Status pills at top: in_scope_for_tcp = absorbed into onboarding · separate_quote = own SO · open = undecided. Hari can move items between buckets and change status live.
- The orange box per card is engineering scope decisions I need from you (absorbed vs quoted, build vs reuse, walkthrough involvement). The grey box is sales/commercial-side items or items downstream of decisions made elsewhere.
- All hour estimates on the cards can be filled in live during the call.
The three accounts (in time-sensitivity order)
OCS
· Optimal Care ServicesNYC Early Intervention provider · HIPAA-covered · shared-profile workstations today
Sector
SMB nonprofit (EI services)
Key people
- Frantz Brevoir · CEO · "love language" is cybersecurity + backups
- Jovonnie Charles · DOO · day-to-day contact
Key facts (engineering context)
- 24 in-office admin users today, all sign in under a single shared CEO profile (no per-user identity)
- +11 EI-division admin coming with 11th-floor expansion in August
- 360 part-time SEIT contractors with @ocservices.org email + SIS (Dragon) access from personal devices
- HIPAA-covered (NPI 1134886286, Early Intervention Agency taxonomy)
- Verizon Fios all-in-one router/AP combo · Verizon OneTalk recently re-platformed · AllNet door + cameras (stays out of CTS)
- No on-prem servers per prep doc, needs verification
Pricing summary
| Recurring base | $5,232 / mo | TCP $4,800 + site $250 + OneTalk $182 |
| + 360-contractor MDR cyber | + $800 / mo | OPTIONAL · MDR + CDR only, no EFI/SAT |
| + MCA-Premium | + $1,850 / mo | OPTIONAL · moved from "included" |
| Onboarding | $12,000 | $15K discount applied |
Engineering scope questions for Hari
- 41-device unification scope (item #2, status open)
Migrate 21 desktops + 20 laptops off the shared CEO profile onto Intune w/ per-user identity. MFA via CA, BitLocker w/ escrow, CTS RMM + EP, M365 per-user, asset tag, user handoff. Sachin left this open at the huddle: does 41 devices absorb into the $12K onboarding line, or quote at 41 × CTS-SVC-PC + PM? Two complicating factors: (a) existing Intune consultant in flight (#14); inherit WIP or let them finish? (b) tenant hygiene unknown; shared-profile setup implies the M365 tenant has not been actively administered for identity.
- 11th-floor network build, August 2026 (items #18–19, status separate_quote)
Empty closet, no existing infrastructure. ~11 new EI-division admin users by fall. Verizon installs web/phones/basic internet; CTS fills the actual networking gap. Need switches, APs, firewall, UPS, cabling. Open questions: gear tier (SMB stack vs enterprise-lite); coverage estimate / AP count; cabling in-house or sub; refine the $15K to $30K rough; one SO or two (design then procure+install)?
- In-flight vendor coordination (items #14–16)
Four consultants we're sequencing around: Intune setup consultant (in flight); EI-division SharePoint restructure consultant; Dom workflow-automation consultant; AllNet (door + cameras, stays). My instinct: most is sales-handoff + Layer-5 absorption. But on Day 1 we coexist with these vendors. Anything you want flagged differently?
Parking lot (sales/commercial side or downstream)
- $4,800 vs $3,600 CW reconciliation — pricing detail, Joe resolves with Sachin
- "1800 hours / 10–12 hrs/mo support" interpretation — Sachin to clarify (likely MCP MDR block for the 360)
- 360-contractor cyber framing for Jovonnie — sales framing, Sachin's call
- MCA-Premium positioning vs Frantz's "love language" — Joe + Sachin sales-side
- Cyber insurance carrier ID — Jovonnie owes the name; renewal-cycle timing
- HIPAA SRA, NIST CSF, Part 121 supplemental, breach proc, DPO, AI Use Policy — all inside MCA-P if Frantz takes it
- HIPAA BAA execution at MSA signing (blocking)
- DMARC + SPF + DKIM — small project, rough-quote later
- DNS admin delegation, M365 tenant admin role transfer, OneTalk admin handoff — engagement-standard
- Network discovery + topology mapping, server inventory confirmation — engagement-standard
- Year-2+ items: Verizon Fios billing split, phone extensions for new floor, custom web/app coordination (Winter 2027), Dragon SIS touch points, Y2 pentest
Other surfaces
NYCOBS
· NYC Outward Bound SchoolsNonprofit · 50 staff · hybrid IT today · CYBER incident last year (type undisclosed)
Sector
SMB nonprofit (NOT charters)
Key people
- Marta Noriega · Sr Director of Finance & Ops · primary contact
- Laurie · New CEO
- Gifford Miller · Board Finance Committee Chair
Key facts (engineering context)
- 25 FT central office at LIC HQ (5-floor building, mostly Mac post-transition)
- 25 PT Crew Coaches at NYC DOE partner schools + Catskills rented site
- Internal on-site coordinator handles physical tasks (mouse swaps, iPads, hardware handoffs); STAYS post-engagement
- Florida-based IT provider handles Google + network + email investigations today; gets DISPLACED
- Google Workspace Nonprofit (primary identity); legacy M365 residue likely
- FreshService just deployed; adoption failed
- Legacy server fleet, unused per Marta · "lot of wiring from the past" · old camera system, unmanaged
Pricing summary
| S1: TCP + MCP (full outsource) | $6,550 / mo | Hybrid sizing · MCA-S included |
| S2: CMIT + MCP (co-managed) | $5,625 / mo | Keeps internal coordinator · L3 escalation |
| Hybrid sizing rationale | 25 / 50 | TCP/CMIT @ 25 FT · MCP+SaaS @ 50 endpoints |
| Scheduled Onsite (S1 only) | $3,193 / mo | OPTIONAL · OFF by default |
Engineering scope questions for Hari
- Win-to-Mac handling (item #5, status separate_quote)
Only Bucket-1 item whose absence breaks the all-Mac CMIT pricing on S2. Marta said transition is mid-flight, count unknown. Three paths: (a) defer to Day-14–30 amendment after we have admin access to inventory; (b) quote at signing as CTS-SVC-PC × ~25 + PM, in-house ~$7,500 / white-glove ~$13,500; (c) bundle into a Foundation Project line (Win-to-Mac + DMARC + tenant audit + network discovery). My instinct is (a). Your call?
- Server decom + cabling rationalization (items #7, #34)
Marta: "we have servers but we are not using them" + "lot of wiring from the past." Five-floor building. #7 (server decom + closet cleanup, status open) sketched at ~$3K to $6K labor + e-waste. #34 (full cabling rationalization, status separate_quote) sketched larger. Combine into one SOW at signing or split? My instinct: combine, one field engagement, walkthrough drives both. Plus: NIST 800-88 wipe if servers held data, need confirmation on walkthrough.
- In-person walkthrough Wed 5/27 AM, Thu 5/28 AM, or Wed 6/4
I want you on this. It's the engineering scoping pass for: network discovery + topology (#6), legacy server decom (#7), camera audit (#8), training-space AV (#22, ~$8K to $20K), full cabling (#34), camera replacement (#23, ~$15K to $35K if recommended). Plus probe the cyber-incident postmortem (#17): Marta hasn't disclosed type, drives the IRP shape. Which slot works?
Parking lot (sales/commercial side or downstream)
- Hybrid sizing endorsement — Joe pitching to Sachin tonight; +$800/mo delta vs v1.5/v1.2
- Indicative-pricing banner on quote — invoice-review condition per Sachin 5/18
- MCA-Standard default toggle (ON for both) — sales-side
- FreshService handoff Path A (deprecate, migrate to CTS) vs Path B (re-deploy properly) — rec Path A; sales positioning
- AI Use Policy (#18) — Marta named as 6-month thing; inside MCA-S
- Drive reorg (#19), SaaS integration project (#20), staff training (#21) — Marta-driven post-signing
- Florida provider handoff (#3), Internal coordinator handoff (#2), Google admin handoff (#1) — engagement-standard prereqs
- Salesforce / Monday / Slack admin coordination (#12–14) — engagement-standard
- DOE data classification (#16) — engagement-standard
- iPad fleet management (#29), Catskills field-staff connectivity boundary (#30) — engagement-standard
- Phone fleet decommission (#28) — Marta phasing cells out, light coordination
- Year-2 pentest, board cyber report, MCP SAP rollout — Year-2+
Other surfaces
Archway
· Archway Charter SchoolMississippi's first hybrid charter · opens 2026-08-03 · 253 Chromebooks · 14 of 15 staff remote
Sector
Charter (hybrid/cyber school)
Key people
- Derek Hinckley · Champion · uses "out-of-the-box thinking" repeatedly
- David Herndon · ED
- Raymonda Alexander · Outgoing tech director · offboarding 5/26 ELT meeting
Key facts (engineering context)
- 230 students Y1 (G7–10), scaling to 310 by Y5 (G7–12)
- 253 student Chromebooks (NO PCs, NO AV)
- 15 staff, 14 of 15 remote (one in Belzoni)
- Phase 1: Upper Room Fellowship church 2 days/month for staff convergence (Aug to Oct)
- Phase 2: modular building dropped on 9-acre property, target Oct 2026
- Full Wi-Fi/network buildout DEFERRED to E-Rate FY27 (window opens Jan 2027, funding July 2027)
- MCSAB initially voted Archway DOWN on family broadband concerns; re-approved later
- Derek's hard rule: "no IT day" means engineers off-site on the 2 church days/month, except emergency
Pricing summary
| TCP per device | $450 / device | Up from $350; bakes in repair logistics |
| Repair logistics surcharge | $5 / device / mo | Covers FedEx + margin; DOO is handoff point |
| MCP staff-only (optional) | + $329 / mo | 15 staff × ~$22 · students excluded by default |
| MCA-Standard | $750 / mo | Justified by zero governance + first-MS-cyber-charter audit risk |
| Student helpdesk | NOT included | Block-hour option: $12K/yr as 12 × $1,000 if Derek pushes |
Engineering scope questions for Hari
- Google for Education setup process (item #2, status separate_quote)
Derek 5/18: "we need to get Google for education. Right now we have Google for nonprofits. I think we need to transition." They open 2026-08-03 so this has to land before opening. What's the process? Verification path for a brand-new K-12 (proving educational-institution status, coordination with MSDE/MCSAB authorization, EIN/state ID); migration mechanics from Nonprofits to EDU (account preservation vs fresh tenant, data carryover, admin role transfer); OU structure (staff, students by grade, admin, contractors), baseline policies, audit log, retention; coordination with Raymonda's existing Clever SSO + PowerSchool roster; lift estimate (absorbed into onboarding or separate SOW? hours/weeks?); timeline vs 8/3 opening.
- Phase 1 church infrastructure assess + bridge equipment (items #20, #21)
Sachin floated equipment rental: "We might even have some laptops. There is a way for us to figure something out on the cheap." Sachin commits to find inventory but someone has to engineer the Phase 1 setup. Need: site visit to Upper Room Fellowship; assess existing Wi-Fi; design interim infra (hotspot, short-term WAP rental, CTS-loan switch?); document boundary so church network isn't disrupted. Is this you or a field-engineer assignment? Typical scope shape for a 2-days-a-month convergence venue?
- Phase 2 modular building network design (items #24, #25) — the centerpiece
Modular building drops Oct 2026 on 9-acre property. Wi-Fi + switches + firewall + UPS + cabling. Pre-FY27 design work so Form 470 can spec the gear competitively. Full buildout deferred to E-Rate FY27 (~$20K to $40K hardware budget pre-discount). Sachin verbatim for Derek: "We build out trailers all the time, so we've got a ton of ideas." Three questions: engineering scope on the design work (billable Y1 or absorbed in MCA?); hardware tier you'd spec (SMB stack? E-Rate ECAM/EPC compliance vendor prefs?); cabling plan for a modular structure on undeveloped property.
Parking lot (sales/commercial side or downstream)
- Ripcord pattern (#7) + Rippling-to-Clever provisioning automation (#6) — identity engineering, real scopes, Derek asked for both. Joe handling Friday's conversation; revisit build-vs-reuse with Hari after Derek confirms direction
- Derek's "no IT day" rule (#22) — operational protocol design; calendar-block or auto-decline scheduled visits on those days?
- TECCA template pull (Sachin's cyber-school pricing reference) — Joe to dig in pipelines/dead leads/
- CW CPQ quote build w/ $5/device repair surcharge, base TCP, MCA-S — Joe's lane
- Optional MCP-cyber-for-staff line at $329/mo — sales positioning
- Optional student block-hour line ($12K/yr as 12 × $1K) — only if Derek pushes
- E-Rate consulting structure (bundled vs separate vs contingency) — open with Sachin
- Apple Edu Store rep broker (#17) — revenue around CTS; CTS keeps integrator role
- Contract length + payment terms — open with Sachin
- Google for Ed migration (#2), M365 staff licenses (#3) — real but well-bounded migrations
- Roster mgmt (#5), OU structure (#4), Clever SSO + handoff (#8), Canvas + PowerSchool handoff (#9) — engagement-standard prereqs (Raymonda offboards 5/26)
- DNS delegation (#10), DMARC + SPF + DKIM (#11) — engagement-standard
- AUPs (family #12, staff #13), FERPA docs (#14), MCSAB cyber posture (#15), CIPA (#16) — MCA scope
- E-Rate FY27 readiness (#19), Form 470 (#26), Form 471 (#27) — Joe's E-Rate expertise
- Student monitoring platform selection (Securly / GoGuardian / Bark) — advisory, Joe drives
- Family broadband-readiness assessment (#33) — reputational insurance; Joe's framing
- Touch-screen guidance — Joe steering Derek to standard Chromebook spec; agreed
- Annual NIST CSF docs, Cyber Risk Register, Quarterly Posture Review, IRP tabletop, phishing sim — MCA + MCP recurring
- VR rollout (#34), Y2 device refresh (#35), CSP grant compliance (#36) — out-year planning
Other surfaces
30-minute flow
- 0:00 – 2:00 · Frame the half-hour
- 2:00 – 10:00 · OCS (41-device unification scope; 11th-floor build; in-flight vendor coordination)
- 10:00 – 20:00 · NYCOBS (Win-to-Mac path; server decom + cabling SOW; walkthrough commitment)
- 20:00 – 28:00 · Archway (Google for Education setup process; Phase 1 church infra; Phase 2 modular network design)
- 28:00 – 30:00 · Wrap; expected pane updates; next sync