Security & Compliance

Security is not a feature request.

Every security header. Every API route authenticated. Every input validated. GovCloud architecture, FedRAMP Moderate path, and NIST 800-171 CUI handling are built into the platform — not added later.

FedRAMP Moderate: Path (FORGE)

NIST 800-171: CUI Controls

AES-256 + TLS 1.3: All Data

US-Only Data: GovCloud Residency

Frameworks

Compliance posture

FedRAMP Moderate (FORGE / GovCloud): In Progress

FORGE is on the FedRAMP Moderate authorization path. The AWS GovCloud deployment baseline, combined with inherited controls from AWS's FedRAMP High P-ATO, significantly reduces the control implementation burden. The System Security Plan (SSP) is in development.

NIST SP 800-171 (FORGE, CUI Handling): Implemented

All 110 CUI protection requirements from NIST SP 800-171 Rev 2 are addressed in the FORGE architecture. Controlled Unclassified Information is handled exclusively in GovCloud with strict access controls, encryption, and audit logging.

SOC 2 Type II (BigMFGOne): Planned

SOC 2 Type II audit is on the roadmap for BigMFGOne to support enterprise commercial customers. Trust Service Criteria for Security, Availability, and Confidentiality are already addressed in the current architecture.

DoD Impact Level 2 (FORGE GovCloud): Roadmap

IL2 authorization supports DoD unclassified data. The GovCloud architecture baseline, FedRAMP Moderate controls, and DISA SRG alignment provide the foundation. Pursuit of an IL2 ATO is tied to the initial LOGCAP VI contract award.

DoD Impact Level 4 (FORGE GovCloud): Roadmap

IL4 extends coverage to Controlled Unclassified Information in DoD systems. Architecture design decisions made today — data residency, encryption key management, network segmentation — are made with IL4 requirements in mind.

CMMC Level 2 (FORGE): Aligned

Cybersecurity Maturity Model Certification Level 2 maps directly to NIST SP 800-171. FORGE's existing 800-171 implementation provides the control foundation for CMMC Level 2 certification as the DIB supply chain requires it.

Architecture

Security by design

Security decisions made at architecture time — not patched in after deployment. Every control is implemented in AWS CDK as code, version-controlled, and reproducibly deployed to both commercial and GovCloud environments.

Infrastructure

AWS GovCloud (US-West)

FORGE deployed exclusively in AWS GovCloud us-gov-west-1. No data leaves US government regions.

Commercial AWS (BigMFGOne)

BigMFGOne deployed in us-east-1 with data residency controls. No cross-region data transfer.

Multi-Account Architecture

Separate AWS accounts for production, staging, and tooling. Service Control Policies prevent data exfiltration.

VPC Network Isolation

All compute runs in private subnets. No direct internet access. All egress through NAT or PrivateLink.

Encryption

AES-256 At Rest (KMS)

Every DynamoDB table, S3 bucket, and RDS instance encrypted with AWS KMS Customer Managed Keys. Separate KMS keys per environment and data classification.

TLS 1.3 In Transit

TLS 1.3 is enforced for all API traffic, service-to-service communication, and browser connections. TLS 1.0/1.1 are disabled at the load balancer and CloudFront distribution.

KMS Key Rotation

Automatic annual key rotation enabled on all CMKs. Key policies scoped to the minimum necessary principals. Key deletion requires a 30-day waiting period.

Secrets Manager

All application secrets, database credentials, and API keys stored in AWS Secrets Manager. No secrets in environment variables or source code.

Authentication & Authorization

Cognito with CAC/PIV Support

Amazon Cognito configured for SAML federation with DoD PKI. CAC and PIV smart card authentication supported for FORGE GovCloud users.

Multi-Factor Authentication

MFA enforced for all user accounts. TOTP (authenticator app) and hardware security key (FIDO2/WebAuthn) supported in addition to CAC/PIV.

Role-Based Access Control

Granular RBAC with roles scoped to organization, location, module, and data classification. No shared accounts. Principle of least privilege enforced.

JWT with httpOnly Cookies

Access tokens issued as short-lived JWTs (15 min). Refresh tokens stored in httpOnly, Secure, SameSite=Strict cookies. No tokens accessible to JavaScript.

Audit & Monitoring

AWS CloudTrail

All API calls to all AWS services logged in CloudTrail with multi-region trail and log file validation. Logs shipped to immutable S3 bucket with Object Lock.

AWS Security Hub

Security Hub aggregates findings from GuardDuty, Inspector, Config, Macie, and third-party tools. CIS AWS Foundations Benchmark standard enabled.

Application Audit Log

Every create, update, delete, and access event logged with user identity, timestamp, IP address, changed fields, and previous/new values. The log is tamper-evident.

Quarterly Penetration Testing

External penetration tests conducted quarterly against both commercial and GovCloud environments. Findings tracked to closure with SLAs by severity.

Data Residency

US-only data handling

FORGE — GovCloud

AWS GovCloud (US-West) · us-gov-west-1

  • All CUI data remains in AWS GovCloud US regions only
  • No data transfer to commercial AWS regions
  • Access restricted to US persons only via IAM conditions
  • AWS GovCloud accounts owned by US persons (AWS requirement)
  • KMS keys never leave GovCloud HSMs

BigMFGOne — Commercial

AWS Commercial · us-east-1

  • All customer data stored in US East (N. Virginia)
  • No cross-region data replication without customer consent
  • GDPR-ready data deletion and portability on request
  • Tenant data isolated at DynamoDB partition key level
  • QuickBooks OAuth tokens stored in Secrets Manager, never logged

“Every security header. Every API route authenticated. Every input validated. Security is not a checkbox — it is the architecture.”

BigOne Platforms Security Principle