CAGE149Y3  ·  UEIWHRZRJNG39L5  ·  NAICS541512 CMMC L2 self-assessed · Federal-first · Commercially funded
FRAMEWORKNIST 800-53 Rev 5 · 800-171 SCAPOpenSCAP · automated SUPPLY CHAINSLSA L3 · cosign

For government / 02 · Cybersecurity

Security engineered, not paperworked.

Built in, not bolted on. RMF & A&A with in-house SSP / SAR / POA&M authorship, automated STIG/SCAP hardening, runtime visibility with eBPF, and evidence pipelines that author POA&Ms from machine output — not screenshots. ISSO/ISSM and DevOps under one contract.

Continuous ATO loop

Not a one-time gate.

Author controls as OSCAL components — SSPs generated from the same source as the IaC. Implement with Ansible roles, Terraform modules, and container baselines that map 1:1 to controls. Assess with SCAP scans, OPA checks, and IaC scanners. Authorize by assembling SSP + SAR + POA&M from machine output. Monitor — runtime telemetry feeds back, and drift becomes a POA&M automatically.

What we operate

Six capabilities.

Compliance-as-code to closed-loop vuln mgmt.
Compliance as code with OSCAL
01

Compliance as code

SSPs are generated from the same source as the Terraform — no parallel documentation universe.

Control implementations live in compliance-trestle. OSCAL component definitions per system, diff-able in git. Inheritance from CSP / shared-service profiles (FedRAMP, CMS, DoD). Assessment results land back as OSCAL and the SAR auto-builds. POA&Ms are generated from failed controls — not authored by hand.

OSCALcompliance-trestleeMASSXactaOPA
STIG and SCAP automation
02

STIG & SCAP automation

Ansible roles built from the DISA content, extended where the baselines have gaps.

SCAP scans run on every deploy and on a 24-hour cron. RHEL 8 / 9, Ubuntu 22.04, and Windows Server 2022 baselines. Container CIS Benchmarks via kube-bench + trivy config. The deviation log lives in git — documented and signed off. Scan results stored as OSCAL assessment-results, not screenshots.

OpenSCAPDISA STIG · AnsibleCIS Benchmarkskube-benchLynis
124 / 124 controls≤ 5 min scan24h cadence
Zero-trust identity with SPIFFE
03

Zero-trust identity

Service identity via SPIFFE SVIDs — mTLS by default, no static service-account tokens shipped to pods.

PIV / CAC at the human edge. SPIRE server per cluster with workload attestation by node + selector. Istio Ambient mesh on the workload plane with ztunnel mTLS. Keycloak (RHBK) + step-up auth, WebAuthn for staff, and short-lived OAuth client credentials with OIDC for CI.

SPIFFE / SPIREIstio AmbientKeycloak (RHBK)PIV / CACWebAuthn
Runtime security with eBPF
04

Runtime security

eBPF-based runtime visibility — no sidecar tax.

Falco for policy alerts, Tetragon for kernel-level enforcement. Detections route to SIEM with deduped, scored events. Falco rules are tracked in git and CI-tested against synthetic events. Tetragon does in-kernel block (drop syscall, kill process). Hubble provides L3/L4/L7 flow telemetry with no app instrumentation — and alerts are deduped + scored before they wake oncall.

FalcoTetragonHubbleCiliumeBPF
Supply chain integrity
05

Supply chain integrity

Every artifact is signed. Every signature is verified. SBOMs travel with the image.

Provenance attestations link the binary back to the commit and the runner. Cosign keyless signing via OIDC, Sigstore Fulcio + Rekor. CycloneDX + SPDX SBOMs attached as cosign attestations. Kyverno / Connaisseur admission policies reject the unsigned, and Renovate auto-bumps base images and auto-merges CVE patches.

Cosign · SigstoreCycloneDX / SPDXin-totoKyvernoSLSA L3
Closed-loop vulnerability management
06

Vulnerability management

CVEs flow into a single queue with deduplication, severity normalization, and SLA tracking.

Auto-remediation playbooks fire for the noisy ones. Trivy + Grype + Tenable feed DefectDojo. SLA: critical ≤ 15 min, high ≤ 24 h, medium ≤ 30 d. Ansible auto-remediation is triggered by Falco alert categories, and the exception process is git-tracked — it expires on a date, not "TBD".

Trivy · GrypeTenableDefectDojoClosed-loop
The stack we operate

No security-theater tooling.

Frameworks to cryptography.

Frameworks & authoring

NIST-aligned, OSCAL-first authoring.

NIST 800-53 Rev 5NIST 800-171FedRAMP ModerateCJISHIPAAOSCALeMASScompliance-trestleXacta

Hardening & runtime

DISA STIG automation, eBPF-led runtime.

OpenSCAPDISA STIG · AnsibleCIS Benchmarkskube-benchFalcoTetragonHubbleCilium

Supply chain & vuln

SLSA L3 signing, closed-loop vuln mgmt.

Cosign · SigstoreCycloneDX / SPDXin-totoKyvernoTrivy · GrypeTenableSemgrep · CodeQLDefectDojo

Identity & cryptography

Zero-trust identity, FIPS + PQ-ready crypto.

Keycloak (RHBK)PIV · CACAuthentikSPIFFE / SPIREFIPS 140-3 modulesAWS KMS · HSMVault EnterpriseCRYSTALS-KyberDilithium
Tech radar · Q2

Where security is going.

Adopt · trial · assess.

Adopt

In production.

eBPF runtime security — Falco + Tetragon, no sidecars. Cosign keyless signing — OIDC-bound, Rekor transparency log. OPA admission — policy reviewed in git, not in a UI. OSCAL evidence — machine-readable ATO artifacts.

Trial

Piloting.

SPIFFE/SPIRE — workload identity beyond k8s. SLSA L3 provenance — end-to-end attestation chain. Hybrid PQ key wrap — X25519 + Kyber for TLS. Confidential containers — CC-mode pods on EKS.

Assess

Watching.

AI red-teaming · GarakMemory-safe rewrites · RustFIPS 140-3 PQ modules

Posture, on the record

We state compliance precisely.

Controls engineered into the baseline from day one — not retrofitted at audit. Bracketed tags mark items pending an authoritative date.

CAGE 149Y3 · UEI WHRZRJNG39L5 · NAICS 541512 · (801) 917-4617

Cleared personnel
TS/SCI held by individual engineers, applied through teaming with primes · ISSO/ISSM. No corporate facility clearance.
Compliance
NIST 800-53 / 800-171 aligned · RMF / A&A · STIG/SCAP
CMMC
Level 2 — self-assessment completed
Supply chain
SLSA L3 · Cosign keyless · OSCAL evidence

New engagement

Federal-grade work. Real engineering.

A free consultation. We map the boundary, the controls in scope, and what evidence you already have. A quote follows within 24 hours.

LocationUtah · Mountain Time
ResponseWithin 24 hours