Five-step framework for taking a federal agency from signed contract to validated go-live. Steps populate with deployment-environment specifics once the first customer's infrastructure is confirmed.
Ch 12 of Shrink-Wrap It defines the cost of boundary violations: "New integrations, new data types, new functionality that changes security posture all trigger assessment updates." The onboarding playbook is the mechanism that keeps the product boundary clean during the highest-risk period for scope creep: the first 90 days of a customer relationship, when agencies ask for "just one more thing" before signing off on go-live.
Every step in this playbook has a boundary checkpoint. The Customer Success role is the last line of defense before a feature request becomes a boundary violation.
Duration: Day 1-5 from contract award.
| Task | Owner | Deliverable |
|---|---|---|
| Kickoff meeting with agency program manager and ISSO | Customer Success | Kickoff notes doc; agency ISSO contact confirmed in writing |
| Confirm deployment environment details | Customer Success + Platform Architect | GovCloud region confirmed; network topology documented; ingress / egress rules noted |
| Confirm user roster and access tiers | Customer Success | Initial user list with roles; PIV / CAC auth requirements confirmed |
| Review product boundary with agency ISSO | Customer Success + Authorization Architect | Zone 1-4 scope briefed to ISSO; any Zone 4 requests flagged immediately |
| Set communication cadence | Customer Success | Weekly check-in cadence agreed; escalation path documented (see nps-outcome-cadence-v0) |
Boundary checkpoint: Any agency request for features outside Zone 1-2 scope (see contract-paper-template-v0, CLIN 0003) must be logged and escalated to Authorization Architect before kickoff notes are finalized.
Duration: Days 6-21.
| Task | Owner | Deliverable |
|---|---|---|
| Deploy product to agency environment (or GovCloud tenant) | Platform Architect | Deployment confirmation; environment health check passed |
| Configure authentication (PIV / CAC / ICAM integration) | Platform Architect + Agency ISSO | Auth flow verified for at least 3 test accounts; PIV login confirmed end-to-end |
| Configure data feeds and integrations (Zone 2 configurable surface only) | Platform Architect | Approved integrations active; no Zone 4 integrations initiated |
| Provision initial user accounts | Customer Success | All users from kickoff roster provisioned; welcome email / instructions sent |
| Initial security scan | Authorization Architect | Vulnerability scan run; any findings triaged with agency ISSO; POA&M opened if applicable |
Boundary checkpoint: Confirm that no new data types have entered the system boundary beyond what was described in the SSP. Any new data type requires ISSO sign-off before integration proceeds.
Duration: Days 22-35.
| Task | Owner | Deliverable |
|---|---|---|
| User acceptance testing (UAT) with agency power users | Customer Success | UAT sign-off document; top 5 issues logged with resolution status |
| Performance baseline | Platform Architect | Response time, uptime, and error rate metrics recorded against SLA thresholds (see sla-template-v0) |
| ISSO validation of authorization posture | Authorization Architect + Agency ISSO | Written confirmation from agency ISSO that the deployment matches the authorized boundary |
| Training delivery | Customer Success | At least one training session delivered to agency end users; training materials provided |
| Feature request triage | Customer Success + First-SKU Launch | All UAT feature requests categorized as Zone 1 (decline, already standard), Zone 2 (configure), Zone 3 (future optional CLIN), or Zone 4 (custom, separate CLIN 0003) |
Boundary checkpoint: No features in the Zone 4 (custom development) category can be initiated during validation. They go to CLIN 0003 estimation separately.
Duration: Day 36-45.
| Task | Owner | Deliverable |
|---|---|---|
| Go-live readiness review | First-SKU Launch | Checklist: UAT signed off, ISSO confirmed, training delivered, SLA active, support channel open |
| Go-live declaration | Customer Success + agency program manager | Written go-live confirmation email to agency PM; milestone invoice triggered (see first-invoice-template-v0) |
| First milestone invoice issued | Revenue Lead | Invoice for CLIN 0002 (onboarding) submitted; subscription billing started for CLIN 0001 |
| Hypercare window starts | Customer Success | Daily check-in for 14 days post go-live; response time SLA tightened to 2-hour during hypercare |
Duration: Ongoing from Month 2 forward.
| Cadence | Activity | Owner | Output |
|---|---|---|---|
| Weekly | Account health check: ticket volume, open POA&Ms, user adoption rate | Customer Success | Internal health dashboard row (not shared with agency unless red) |
| Monthly | Agency program manager review: outcomes vs. contract KPIs, upcoming changes, expansion topics | Customer Success | Monthly review deck (see nps-outcome-cadence-v0) |
| Quarterly | ISSO security review: ConMon findings, POA&M status, boundary changes (if any) | Authorization Architect | ConMon status memo to agency ISSO; any boundary change proposals documented formally |
| Annual | Option year exercise: confirm renewal, renegotiate CLIN 0001 user count, assess expansion (see expansion-account-playbook-v0) | Revenue Lead + Customer Success | Option year exercise notice; updated user count; expansion CLIN conversation initiated if applicable |
| Trigger | Who escalates | Who receives | Timeline |
|---|---|---|---|
| SLA breach (uptime below threshold) | Customer Success | Platform Architect + First-SKU Launch Lead | Within 1 hour of detection |
| Boundary change request from agency | Customer Success | Authorization Architect | Within 24 hours; never approve without Authorization Architect sign-off |
| Agency ISSO concern about ConMon finding | Authorization Architect | First-SKU Launch Lead + Revenue Lead | Within 48 hours |
| User adoption below 40% at 30 days | Customer Success | First-SKU Launch Lead | At 30-day mark; trigger additional training session |