The trust signals a federal evaluator looks for — in one place, with the gaps named.
Federal evaluators look for trust signals in the first 30 seconds and bounce if they have to dig for them. This page consolidates everything CybrIQ can point to today — and names what is not in place — without dressing it up.
This is the executive summary. For the audit-mechanic detail — which firms produce which artifacts, how the bridge letter is dated, what ships under MNDA on what cadence — see Independent validation.
Cloud-service authorizations
FedRAMP
Status: No FedRAMP status today. CybrIQ is not FedRAMP Authorized. There is no Marketplace listing, no "In Process" designation, and no sponsoring-agency arrangement. The FedRAMP path is evaluated against federal demand; it is not a current roadmap commitment with a date attached. For agencies whose authorization route is FISMA on-prem, SCIF, or air-gapped, the customer-installed deployment shape proceeds without FedRAMP — see FedRAMP posture for detail.
Product-side controls that exist today
These are the controls the agency's authorization team can evaluate directly. They are product properties, not formal attestations.
Cryptography & access controls
TLS 1.2 in transit. AES-256 at rest. SAML 2.0 single sign-on, RBAC, multi-factor authentication. The cryptographic boundary is the customer's TLS implementation in the customer-installed deployment.
Vulnerability and hardening program
Regular third-party penetration testing. DISA STIG vulnerability remediation against relevant baselines. Coordinated disclosure process, with contact details published in a security.txt file per RFC 9116. Pen-test summary and remediation status available on request under MNDA.
Marketplace presence
Microsoft Azure Marketplace listing. ServiceNow Store certified application (Select Partner — Build level). Both routes exist for procurement teams that prefer to transact through a marketplace they already use. Neither is a security attestation — they are commercial channels with their own onboarding controls.
Third-party attestations CybrIQ holds today
These are commercial-cloud trust attestations, available on request under MNDA. They are not FedRAMP; we do not represent them as a FedRAMP substitute.
SOC 2 Type II
Status: Certified. CPA-firm Type II report against the AICPA Trust Services Criteria. Current reporting period, auditor identity, and any qualifications are shared with the requester after MNDA.
ISO/IEC 27001
Status: Certified. Information Security Management System certified against ISO/IEC 27001. Statement of Applicability, scope, and certificate available on request under MNDA.
ISO 27017 & ISO 27018
Status: Certified. ISO 27017 (cloud-services security) and ISO 27018 (protection of PII in cloud) certifications, in addition to ISO 27001. Material relevant for SLED procurements that reference ISO cloud-security baselines.
Where we are clear about the gap
If your evaluation gates on any of these, the answer today is "we do not have that." We would rather you know that now than discover it in week six of a procurement.
NIAP Common Criteria / FIPS 140-3
Status: Not pursued for current product line. Rationale: CybrIQ is software the customer installs; the data path does not involve embedded cryptography beyond standard TLS. For environments that mandate NIAP CC or FIPS for embedded crypto, the conversation covers whether the customer's TLS implementation satisfies the requirement and where the boundary is.
StateRAMP / TX-RAMP / DoD IL4–IL6
Status: Not held as product-level authorizations. For SLED and DoD environments, the customer-installed deployment shape sits inside the agency or program's existing authorization boundary instead of relying on a product-level listing.
Security disclosure
CybrIQ maintains a coordinated security-disclosure process aligned with RFC 9116. The public security.txt is at cybriq.io/.well-known/security.txt. The disclosure process and contact email (security@cybriq.io) accept reports under standard responsible-disclosure terms; advisories are PGP-signed; the SLA is acknowledgment within 24 business hours, status update within 5 business days, public disclosure coordinated with patch availability.
Privacy posture
The privacy posture for federal and SLED readers — including the Privacy Act, PIA, and FOIA framing — is on the dedicated government privacy page. The main-site canonical policy is at cybriq.io/privacy.
Accessibility
CybrIQ for government is built to substantially conform to WCAG 2.1 Level AA, which is the technical standard referenced by Section 508 of the Rehabilitation Act for federal accessibility. The accessibility statement covers the specific posture and the path for reporting access barriers.
Deployment-side authority
The trust signals above cover CybrIQ as a company. The trust signals that often matter more to federal evaluators cover the deployment: customer-installed software, agency-controlled hardware, read-only switch access via SNMP, no SPAN/mirror/tap, no agents on managed devices, no vendor cloud dependency, air-gap capable. See the FedRAMP posture, Products, and deployment-side privacy sections for the full posture an SSP would reference.
Where to request artifacts
Available on request under MNDA: penetration-test summary and remediation status, independent assessment summary, tailored controls-inheritance matrix against NIST SP 800-53 Rev. 5, reference architecture, air-gap runbook, internal-controls walkthrough. The briefing call is the routing path; the Resources page lists every artifact we ship.
Request a trust-posture walkthrough
30 minutes: we walk the posture above against your environment's evaluation criteria. MNDA-gated artifacts are shipped directly to your eval team after the call.