3 · Cybersecurity & data handling
What a prime's compliance officer or CISO checks first. We operate in the civilian / unclassified lane only.
| Item | Status | Notes |
|---|---|---|
| NIST SP 800-171 self-assessment | In progress | Targeted Q4 2026 |
| SPRS score submission | In progress | Targeted Q1 2027 |
| FedRAMP-Moderate hosting (inherited) | Operational | AWS GovCloud or Azure Government as engagement requires |
| FedRAMP authorization as CSP | Not pursued | We inherit cloud controls; we are not a Cloud Service Provider |
| Cybersecurity questionnaire response template | In progress | |
| Personnel clearances | Not pursued | Civilian / unclassified posture only |
NIST SP 800-171 control-family summary
Pre-Q4-2026 mapping of the 14 control families that make up the 110 NIST SP 800-171 Rev. 2 controls. This is a working artifact, not a self-assessed SPRS score. We do not yet have a SPRS submission — targeted Q1 2027. Updated quarterly as evidence packs are completed.
| Family | Controls | Current posture | Evidence type targeted |
|---|---|---|---|
| 3.1 Access Control (AC) | 22 | Documented | Role-based access policy, repo & cloud-account access matrix, MFA configuration screenshots |
| 3.2 Awareness & Training (AT) | 3 | Documented | Annual security awareness training records, role-specific training log |
| 3.3 Audit & Accountability (AU) | 9 | Partial — inherited | CloudTrail / Azure Activity logs (inherited from cloud provider), application audit log spec |
| 3.4 Configuration Management (CM) | 9 | Documented | IaC baseline, change-control workflow in Git, environment-promotion checklist |
| 3.5 Identification & Authentication (IA) | 11 | Documented | MFA enforcement, password policy, SSO configuration, federated-identity diagram |
| 3.6 Incident Response (IR) | 3 | Initial mapping | Incident response plan (draft), notification SLA to prime PM, tabletop exercise log |
| 3.7 Maintenance (MA) | 6 | Documented | Patch cadence, dependency-scanning automation, maintenance-window communication template |
| 3.8 Media Protection (MP) | 9 | Documented | Encrypted-at-rest configuration, removable-media prohibition policy, secure-disposal procedure |
| 3.9 Personnel Security (PS) | 2 | Documented | Background-check records, separation procedure, role-revocation checklist |
| 3.10 Physical Protection (PE) | 6 | Inherited | Cloud-provider data-center physical controls (FedRAMP-inherited), workstation-handling policy |
| 3.11 Risk Assessment (RA) | 3 | Initial mapping | Risk register, vulnerability scanning cadence, dependency-CVE workflow |
| 3.12 Security Assessment (CA) | 4 | Initial mapping | Self-assessment plan, POA&M template, prime-handoff documentation kit |
| 3.13 System & Communications Protection (SC) | 16 | Documented | TLS / encryption-in-transit posture, network-segmentation diagram, boundary protection (inherited) |
| 3.14 System & Information Integrity (SI) | 7 | Documented | Patch SLA, malware-protection inheritance, monitoring & alerting configuration |
| Totals | 110 controls across 14 families | Self-assessment targeted Q4 2026; SPRS submission targeted Q1 2027 | |
Posture key — Documented: control mapped, policy or configuration in place, evidence on file. Initial mapping: control identified, evidence pack being assembled. Inherited: control satisfied by AWS GovCloud / Azure Government inheritance. Partial — inherited: baseline inherited from cloud provider, application-layer evidence in progress.
Cybersecurity Questionnaire (CSQ) — anticipated response skeleton
A preview of how we would answer a typical 30–60-question CSQ. It lets a prime’s compliance officer pre-brief their internal stakeholders before formally sending us the live CSQ. Each category below lists the questions we would expect and the answer pattern we would use, grounded in the NIST family table above.
1 · Organization & personnel
Typical questions: Legal entity type, country of registration, ownership structure, employee count, % US-based personnel, separation procedure.
Our answer pattern: US-registered LLC (Alaska), senior core with a vetted specialist bench, founder-led; all personnel work under signed proprietary-information and confidentiality agreements; separation procedure documented and triggered within 24 hours of role change. Personnel size and posture provided in writing on the live CSQ — not published on the public site.
2 · Information security governance
Typical questions: Information security policy, designated security lead, control framework, audit cadence, exceptions process.
Our answer pattern: NIST SP 800-171 Rev. 2 is our governing framework (see the family table above). Founder serves as designated security lead until headcount supports a dedicated CISO role. Policies reviewed annually; exceptions logged with mitigation plan and prime-PM notification.
3 · Data handling & CUI
Typical questions: Data classification scheme, CUI handling, encryption posture (at-rest / in-transit), data-segregation between clients, retention & destruction.
Our answer pattern: Civilian / CUI-aware posture; we do not handle classified data. Encryption at-rest and in-transit by default (cloud-provider inheritance plus application-layer TLS). Per-engagement data segregation via dedicated tenancy or namespace inside the prime’s environment. Retention and destruction per the prime’s contractual flow-down clauses.
4 · Cloud & hosting posture
Typical questions: Hosting environment, FedRAMP authorization status, cloud-account ownership, data-residency, network architecture.
Our answer pattern: We deploy into AWS GovCloud or Azure Government when the engagement requires FedRAMP-Moderate inheritance. Cloud accounts are typically the prime’s; we operate inside the prime’s environment and inherit their FedRAMP posture. Data residency confirmed in writing per engagement. We are not a CSP and do not pursue our own FedRAMP authorization.
5 · Identity & access management
Typical questions: Authentication mechanism, MFA enforcement, privileged-access controls, joiner/mover/leaver process, federation with prime’s IdP.
Our answer pattern: MFA enforced on all accounts. Privileged access scoped per engagement, time-bounded where possible, logged. Joiner/mover/leaver triggers a documented checklist with 24-hour SLA. We can federate to the prime’s IdP (SAML / OIDC) where the engagement requires it.
6 · Incident response & continuity
Typical questions: Incident response plan, prime-notification SLA, evidence-preservation procedure, business continuity, recovery objectives.
Our answer pattern: Documented IR plan with named roles and a notification SLA of 4 hours from confirmed incident to the prime PM and prime’s security contact. Evidence preserved per the prime’s contractual flow-down. Continuity posture: small senior team with documented runbooks; not a 24/7 NOC. Recovery objectives set per engagement and confirmed in the kickoff memo.
7 · Vendor / third-party management
Typical questions: Sub-tier vendors, open-source posture, SBOM availability, dependency-vulnerability process, supply-chain risk management.
Our answer pattern: Core delivery is founder/W-2-led; named specialists are added per engagement under flow-down NDAs and the prime’s controls, disclosed in advance — the prime contracts directly with us. Open-source posture documented per engagement, with license inventory and CVE-scanning automation. SBOM provided in CycloneDX or SPDX format on request. Dependency upgrades scheduled against published CVSS thresholds.
8 · Compliance attestations & evidence
Typical questions: SOC 2 / ISO 27001 / FedRAMP / CMMC status, audit reports available, last self-assessment date, evidence retention.
Our answer pattern: We do not currently hold SOC 2 or ISO 27001 (not pursued at current scale). FedRAMP-Moderate posture is inherited via AWS GovCloud / Azure Government, not held as a CSP. CMMC: monitoring DoD CMMC final-rule timing; civilian-agency work does not currently require it. Self-assessment status: see the NIST family table above. Audit reports for prime CISO review available under mutual NDA — request via partner inquiry.
Want the live CSQ response in your prime’s format? Send the questionnaire to Team@OlenArc.com — we return a per-question response within 5 business days under a mutual NDA.