United States Workforce
Every person working on a Legacy to Modern engagement is a U.S. citizen working within the United States. Smaller engagements are delivered solo by the founder. For larger engagements, the founder brings in vetted U.S. citizen senior software engineers he has worked with for many years. We do not subcontract to offshore teams, we do not use nearshore pass-throughs, and we do not grant foreign nationals access to client code or data.
This is a hard procurement constraint, not a marketing line. When you engage us, you receive written confirmation of who is assigned to your project, where they are located, and their U.S. citizenship status. That composition cannot change without your written consent.
ITAR: What We Are, What We Are Not
Legacy to Modern LLC is not currently registered with the U.S. State Department's Directorate of Defense Trade Controls (DDTC) as an exporter, and we are not an ITAR-registered consultancy.
What we do offer: a 100% U.S. citizen, U.S. soil workforce, the operational discipline to handle controlled unclassified information appropriately (segregated storage, access logging, principle of least privilege), and the willingness to operate under client-led Technology Control Plans for non-exporting consulting work on ITAR-controlled technical data.
If your program requires a DDTC-registered consultancy as the prime or as a sub on controlled scope, we are not the right fit for that portion of the work. We may still be able to support adjacent non-controlled scope. We will tell you which is which on the first call, and we will not stretch our posture to win work we should not win.
FAR: What We Have and Have Not Done
For federal or federally-funded programs, we can operate under FAR-aligned engagement structures (fixed price, time and materials) with documentation and audit trails appropriate to the program.
Honest disclosure: Legacy to Modern LLC has not yet delivered work subject to FAR Part 31 cost-reasonableness review. We have the accounting hygiene to support such a review when called for, but we do not have a track record of having gone through one. We will be transparent about that during scoping.
Where DFARS cybersecurity requirements apply (NIST SP 800-171 controls on CUI), we will align engagement controls accordingly or coordinate with your compliance team on scope.
Data Protection
Client source code, databases, and documentation are stored in U.S.-region, encrypted repositories. Access is role-limited and logged. Production data is never copied to developer workstations except under an explicit, documented exception with the client's approval.
Regulatory Regimes: Career Experience
In prior career roles before founding Legacy to Modern LLC, the founder has worked on systems subject to the regulatory regimes below. Legacy to Modern LLC, as an entity, was founded in 2025 and does not hold formal certifications under these regimes. We scope the applicable controls per engagement and document what we meet, and we are explicit about the difference between career familiarity and firm-level certification.
Audits and Documentation
We support client-led audits of our engineering practice and of individual engagements. Standard deliverables on request include personnel attestations, access logs, a list of third-party services in scope, and our SDLC documentation.
Contact us for our current security questionnaire response pack (SIG-Lite, CAIQ) if you need to pre-qualify us as a vendor.