Security & Compliance Roadmap

DaedArch Federal Services is in pre-authorization status. We do not yet hold an active FedRAMP authorization or CMMC certification. The roadmap below describes the path to those authorizations as customer demand justifies the assessment cost.

Compliance Roadmap

Standard	Phase	Trigger	Expected timing
SAM.gov + UEI	Registration in progress	Day Zero (2026-04-01) entity opening	2026 Q2
NIST SP 800-171 self-assessment	Internal mapping	Prep for any CUI handling	2026 Q2
FedRAMP Tailored (Low)	Planning	First federal SaaS customer contract	2026 Q4 (if customer-funded)
CMMC L2 self-assessment	Planning	DoD subcontracting opportunity	2026 Q4 — 2027 Q1
CMMC L2 C3PAO (third-party)	Future	Required for DoD CUI prime	2027 Q2+ ($25k+ assessment)
FedRAMP Moderate	Future	Agency authorization sponsor	2027 Q3+ ($300k+ assessment)
FISMA Moderate	Future	Federal data handling	2027 Q3+

Operational Security Posture (Current)

All federal data isolated from commercial workloads (separate Mongo databases + PG schemas, separate MinIO bucket prefixes)
All federal data encryption at rest (MinIO server-side encryption, PG transparent data encryption)
All federal data encryption in transit (TLS 1.3 minimum)
Access logging via execution_contracts and audit views (vault-first credentials, no env-fallback)
Auth: xBAC per-record with role + ownership + organization checks
Quality gates on all external-facing federal communications (gate.external_communications + gate.research_integrity)

Data Sovereignty

Federal customer data residency:

Primary: GCP us-central1 (afergraph-core project) — CONUS only
Backup: GCP us-east4 (planned, customer-funded)
No CUI in shared multi-tenant infrastructure — dedicated namespace for federal workloads as customer onboards

Inquiries

For security questionnaires, SBOM requests, or pre-award due-diligence: [email protected]

← Back to DaedArch Federal Services