The questions federal evaluators ask first.

No. CybrIQ has no FedRAMP status today — not Authorized, not "In Process," no FedRAMP Marketplace listing, no sponsoring-agency arrangement. The FedRAMP path is evaluated against federal demand and is not a current roadmap commitment with a date attached. "Authorized" is the correct word for that state, and we use it only when we are entitled to.

For agencies whose authorization route is FISMA rather than FedRAMP, or whose deployment must be on-premise, SCIF, or air-gapped, the customer-installed deployment shape does not require FedRAMP — see the FedRAMP posture page for the detail.

SOC 2 Type II (AICPA Trust Services Criteria), ISO/IEC 27001, ISO 27017 (cloud security), and ISO 27018 (PII in cloud) certifications. Reports and certificates are available on request under MNDA. The product-side controls behind these include TLS 1.2 in transit, AES-256 at rest, MFA, SAML 2.0 SSO, RBAC, regular third-party penetration testing, and DISA STIG vulnerability remediation. Azure Marketplace listing and ServiceNow Store certified application (Select Partner — Build level) are live commercial channels.

What we do not hold: FedRAMP (any tier), StateRAMP, TX-RAMP, DoD IL4–IL6 as product-level authorizations, NIAP Common Criteria, and FIPS 140-3.

Yes. Because CybrIQ is software the agency installs on agency-controlled hardware, the agency's SSP describes the deployment the agency owns. We supply the controls-inheritance documentation against NIST SP 800-53 Rev. 5, deployment-architecture diagrams, the SOC 2 Type II report, ISO 27001 / 27017 / 27018 certificates, and independent third-party penetration-test results your authorization team needs. See the FedRAMP posture page for the controls list typically cited.

No. CybrIQ does not require any traffic-capture mechanism. Identification is from switch-side signals — link negotiation pattern, MAC OUI, LLDP/CDP advertisements, port statistics, VLAN context — read through read-only switch access via SNMP. No packets are inspected.

Read-only switch access via SNMP. The agency configures the SNMP community (v2c) or SNMPv3 user with read-only permissions. SNMP write is not used, granted, or required. The agency's network team controls the credentials, the polling cadence, and which switches are in scope.

Not on managed endpoints, lab equipment, OT, or third-party devices. Identification is entirely from switch-side signals. There is an optional small agent for USB-insertion detection on Windows and Linux workstations — that's a separate feature for catching a specific class of attack (Rubber Ducky, BadUSB-class devices), and it's opt-in by environment.

No. The agency installs the External Scan Engine (ESE) and the main instance on agency hardware; communication between them is over SSL inside the agency network. There is no vendor cloud, vendor tunnel, or vendor phone-home in the path. For reference-library updates, signed packages can ship online or as offline files moved into air-gapped environments via the agency's approved-media process.

Yes. The full deployment can run disconnected. Reference-library updates ship as signed offline packages; the agency moves them into the enclave through the existing approved-media process. We have customers running fully disconnected; the operations briefing for that profile adds about a week to onboarding.

Subsection (a)(1)(B) — federal use of covered telecommunications and video-surveillance equipment. CybrIQ identifies covered hardware on agency networks (Huawei, ZTE, Hytera, Hikvision, Dahua and their subsidiaries) via Layer-1 fingerprint matching against the reference library, surfacing relabeled and unmarked covered devices that asset inventories miss. See the Section 889 page for the full posture.

CybrIQ supplies the hardware-asset-management completeness data CDM HWAM cannot reach — printers, cameras, lab equipment, OT, contractor-provided devices, building-systems integrations. Output integrates with the CDM dashboard via syslog (RFC 5424) and REST, with field names aligned to HWAM expectations. See the CDM page for the detail.

Pillar 2 — Devices, in the CISA Zero Trust Maturity Model 2.0. CybrIQ produces the continuous device inventory the Devices pillar requires. Identity (Pillar 1), Networks (Pillar 3), and the rest depend on knowing what devices are actually on the network; the Devices pillar is the input to the others. See the Zero Trust page.

Primarily CM.L2-3.4.1 (Authorized Hardware) and CM.L2-3.4.2 (Baseline Configuration), with input data for CM.L2-3.4.3, SI.L2-3.14.6, and SC.L2-3.13.6. CybrIQ does not replace the SSP, the POA&M, or the C3PAO assessment — it supplies the device-discovery evidence those activities cite. See the CMMC page.

GSA Multiple Award Schedule (MAS): path under evaluation. SEWP V/VI, CIO-SP3, 2GIT: channel-partner relationships under discussion; we can route through a reseller on these vehicles. State and local cooperative purchasing: state-by-state. The briefing call is the fastest way to a specific answer for your environment.

RoomIQ ships per-room, recurring. SpacesIQ ships per-deployment, sized by total port count or by environment scale. Pilots have no fee. Specific pricing for a federal or SLED environment is scoped during the briefing — the inputs we need are environment scale, number of sites, and authorization shape. We do not publish a per-port number because the right answer depends on inputs we don't know yet.

30 days, no fee. The agency supplies the hardware the software runs on, grants read-only switch-management access, and at the end of the period we hand over the inventory, the deviation report, and the controls-mapped evidence pack as deliverables. The deliverables are yours whether or not the conversation continues.