Security & Compliance

AWS GovCloud. The only cloud that satisfies DFARS 252.204-7012.

FORGE handles Controlled Unclassified Information exclusively on AWS GovCloud. No CUI transits commercial AWS. US-only data residency. US-citizen-only AWS operations.

⚠ Using commercial AWS for CUI is a DFARS compliance failure.

FORGE exists in part because operators kept asking: "Where is the GovCloud version?"

Full regulatory coverage.

Every regulation that LOGCAP and SOFGLSS task orders impose — addressed at the platform level so you don't have to engineer compliance yourself.

DFARS 252.204-7012
Controlled Unclassified Information protection
All CUI processed exclusively on AWS GovCloud. Encryption, audit, incident reporting.

NIST SP 800-171
110 controls for non-federal CUI
Implemented at the platform level. SSP available on request.

FedRAMP Moderate
Federal cloud security baseline
GovCloud underlying infrastructure FedRAMP High. Application controls aligned to Moderate.

CMMC Level 2
Cybersecurity Maturity Model
Aligned to NIST SP 800-171. Roadmap to Level 2 assessment.

IL2 / IL4
DoD Impact Level classification
IL2 today on GovCloud. IL4 roadmap with us-gov-east-1 + us-gov-west-1 DR.

ITAR (22 CFR 120-130)
Defense article export control
ITAR-flagged records access-controlled. Audit log per access. US persons only.

EAR / ECCN
Dual-use export control
ECCN per part. BIS screening on transactions. Export license workflow.

DCAA Audit Readiness
Cost accounting standards
Labor, parts, overhead at WO level. Auto-generated cost exhibits.

FAR 52.246
Government inspection & acceptance
Inspector ID, date, result captured. Full audit trail.

Architecture designed for compliance.

Not retrofitted. Not adapted. Built from the first commit on GovCloud.

AWS Services Used

GovCloud (us-gov-east-1): Primary region — IL2
GovCloud (us-gov-west-1): DR region — IL2
AWS KMS: Customer-managed encryption keys
CloudTrail: Multi-region audit log
GuardDuty: Continuous threat detection
Security Hub: Centralized compliance monitoring
AWS Config: Resource configuration tracking
Cognito + CAC/PIVIdentity: Identity & MFA
VPC + Security Groups: Network isolation
WAF v2: Application firewall

Live Compliance Verification

FORGE generates a live SOC 2 Type II readiness report — every control verified against actual AWS infrastructure state.

  • DynamoDB encryption (verified via API)
  • GuardDuty active (verified via API)
  • CloudTrail logging (verified via API)
  • WAF active (verified via API)
  • Multi-AZ deployment (verified via API)
  • PITR enabled (verified via API)
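
One way to turn checks like these into pass/fail results, as an added example that is not FORGE's code: it evaluates response dictionaries shaped like the named boto3 calls and treats a missing response as UNKNOWN rather than a pass. The control names, evidence keys and sample data are assumptions made for illustration; Multi-AZ is left out because the page does not say which resource it covers.

```python
# Added example (not FORGE code): evaluate readiness controls from API responses.
# Each response dict mirrors the shape returned by the named boto3 call.

def _path(d, *keys):
    """Walk nested dicts; return None if any level is missing."""
    for k in keys:
        if not isinstance(d, dict) or k not in d:
            return None
        d = d[k]
    return d

# control name (hypothetical) -> (boto3 call supplying evidence, predicate on its response)
CONTROLS = {
    # SSEType "KMS" covers AWS managed and customer managed keys alike;
    # telling them apart needs a KMS DescribeKey lookup, not shown here.
    "dynamodb_kms_encryption": ("dynamodb.describe_table", lambda r:
        _path(r, "Table", "SSEDescription", "Status") == "ENABLED"
        and _path(r, "Table", "SSEDescription", "SSEType") == "KMS"),
    "dynamodb_pitr": ("dynamodb.describe_continuous_backups", lambda r:
        _path(r, "ContinuousBackupsDescription", "PointInTimeRecoveryDescription",
              "PointInTimeRecoveryStatus") == "ENABLED"),
    "guardduty_active": ("guardduty.get_detector", lambda r: r.get("Status") == "ENABLED"),
    "cloudtrail_logging": ("cloudtrail.get_trail_status", lambda r: r.get("IsLogging") is True),
    "waf_attached": ("wafv2.get_web_acl_for_resource", lambda r: bool(_path(r, "WebACL", "ARN"))),
}

def evaluate(evidence):
    """Map each control to PASS, FAIL, or UNKNOWN (no evidence collected).

    A missing response (throttled or denied call) is UNKNOWN, never PASS.
    """
    results = {}
    for control, (call, predicate) in CONTROLS.items():
        response = evidence.get(call)
        if response is None:
            results[control] = "UNKNOWN"
        else:
            results[control] = "PASS" if predicate(response) else "FAIL"
    return results

# Constructed sample evidence, not real account output.
SAMPLE = {
    "dynamodb.describe_table": {"Table": {"TableName": "example-table",
        "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS"}}},
    # ContinuousBackupsStatus can read ENABLED while PITR itself is DISABLED.
    "dynamodb.describe_continuous_backups": {"ContinuousBackupsDescription": {
        "ContinuousBackupsStatus": "ENABLED",
        "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "DISABLED"}}},
    "guardduty.get_detector": {"Status": "ENABLED"},
    "cloudtrail.get_trail_status": {"IsLogging": True},
    # wafv2 evidence deliberately absent to show the UNKNOWN path
}
```

Calling `evaluate(SAMPLE)` reports the PITR control as FAIL and the WAF control as UNKNOWN, the two cases a report that only checks top-level status fields would miss.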

Your data stays yours.

Per-tenant isolation

Your data is logically separated using DynamoDB partition keys. No cross-tenant queries possible.

Pricing never shared

Supplier pricing is visible only to authorized contractor procurement personnel — never to competitors.

ITAR access controlled

ITAR-flagged records require cleared, need-to-know access. Every view audit-logged.

Tenant-isolated documents

CoC and traceability documents are only accessible by the purchasing contractor.

30-day data deletion

On contract termination, all tenant data is fully purged within 30 days.

Right to audit

Suppliers may request access logs for all accesses to their catalog data.

Ready in minutes, not months.

PWS §02.01.04(e) requires an annual cybersecurity tabletop exercise. FORGE's CloudTrail audit export generates your tabletop documentation package automatically. What used to take weeks takes five minutes.

Request security documentation.

For FedRAMP package access, NIST SP 800-171 SSP, or security architecture review — contact us.
