Trust & Security
Built to the controls federal assessors audit against.
Standards held. Self-audit posture published. Implementation depth under NDA. This page tells you what you need to verify the platform meets your procurement bar — without giving a competitor the topology to copy.
Operating Boundary
We operate in AWS GovCloud.
The same boundary federal agencies require. US-persons access controls. KMS keys that never leave GovCloud HSMs. No data transfer to commercial AWS regions.
Standards Posture
What we hold. What we're building toward.
What This Page Does Not Publish
By design. Available under NDA.
AWS account topology diagrams
Region-level deployment maps
Cross-account API layouts
Service-by-service architecture
Identity provider product names
Encryption library names or modes
Specific control-family-to-feature mappings
Internal data-model patterns
All of the above are discussed under NDA. Implementation depth that helps a buyer evaluate the platform is shared with qualified parties; implementation depth that helps a competitor clone the moat is not published.
Identity & Access
CAC/PIV. MFA. One sign-in across the ecosystem.
CAC/PIV federation
DoD PKI smart-card authentication supported for federal operators.
MFA-enforced
Multi-factor authentication required on every operator portal.
Role-based access
Granular RBAC with roles scoped to organization and data classification. Least privilege enforced.
Self-Audit Access
Findings and remediation plan published.
Available under NDA.
The full FORCE self-audit — including findings and the published remediation plan — is available to qualified parties under NDA. We don't market authorizations we haven't earned. We document the posture, publish the gaps, and ship the fixes.
Request Self-Audit Access →
Security Contact
Responsible disclosure welcomed.
Security researchers and assessors with concerns or disclosures should contact us directly. We respond within one business day.
chris@bigforgeone.com