CybrIQ for government · Independent validation
Independent validation

The third-party assessments and certifications a federal evaluator can audit against vendor claims.

Vendor claims and vendor self-assessments are not the same thing as independent validation. This page lists the third-party assessments CybrIQ holds, names the category of firm behind each one, and describes how each artifact reaches an agency's evaluation team without publishing control-level detail on a public site.

This is the audit-mechanic deep dive. For the one-page executive summary of what's held and what isn't, see Trust posture.

Figure: the independent-validation chain that backs CybrIQ's claims, read left to right.

  • Independent auditors: an accredited CPA firm produces the SOC 2 Type II report (AICPA Trust Services Criteria; operating effectiveness over a reporting period). An accredited ISO registrar issues the ISO/IEC 27001, 27017, and 27018 certificates (ISMS; cloud-services security controls; PII protection in public clouds). An independent penetration-testing firm runs third-party tests at least annually, aligned with OWASP and PTES.
  • CybrIQ: the subject of the audits, not the producer of the validation. It does not grade its own work and does not substitute self-certification for any artifact listed here.
  • Artifact channel to your team: the SOC 2 report with a bridge letter dated to your request; the ISO certificates and Statement of Applicability with the scope statement; the pen-test summary with methodology, scope, finding counts by severity, and remediation status; an independent NIST SP 800-53 Rev. 5 assessment summary for FISMA-authorizing agencies. All artifacts ship under MNDA, addressed to the named contracting officer or authorization team, most within two business days of the request.

Certifications held today

SOC 2 Type II

Type II report issued by an independent CPA firm against the AICPA Trust Services Criteria. A Type II report covers operating effectiveness of the controls over a reporting period, not just suitability of their design at a point in time (which is what a Type I report covers).

  • Reporting firm: an independent CPA firm; name and current reporting period shared after MNDA.
  • Trust Services Criteria in scope: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
  • Format delivered: full report (under MNDA) and a bridge letter covering the gap between the report's period-end date and the current date. A bridge letter is a management assertion that no material changes to the control environment have occurred since the period end; it is not covered by the auditor's opinion, so evaluators should weigh it as such and ask for the reporting period of the next Type II report.

ISO/IEC 27001

Information Security Management System certified against ISO/IEC 27001. The certification covers the management system, not a snapshot of controls.

  • Certifying body: an accredited ISO 27001 registrar; name and certificate number shared after MNDA. Evaluators can confirm the registrar's accreditation with its accreditation body and the certificate's validity against the registrar's certificate register.
  • Scope statement: shared with the certificate.
  • Statement of Applicability: available on request under MNDA.

ISO/IEC 27017

Code of practice for information security controls for cloud services. It extends the ISO/IEC 27001 control set with cloud-specific implementation guidance and additional controls, and is certified as an extension of the ISO/IEC 27001 ISMS certification rather than as a standalone management-system standard. The certificate is issued by the same accredited registrar that issues the ISO/IEC 27001 certificate and is available on request under MNDA.

ISO/IEC 27018

Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. Like ISO/IEC 27017, it is certified as an extension of the ISO/IEC 27001 certification. Relevant for SLED (state, local, and education) procurements that reference ISO cloud-privacy baselines. Certificate available on request under MNDA.

Independent penetration testing

Regular third-party penetration testing is run against the product. The tester is an independent firm that does not also perform the SOC 2 audit; the test scope, methodology, finding count by severity, and remediation status are available on request under MNDA.

  • Cadence: at least annually; out-of-cycle tests are run against major release lines.
  • Scope: the product's web application, API surface, deployment shape, and authentication flow.
  • Methodology: aligned with the OWASP Web Security Testing Guide (WSTG) and PTES (Penetration Testing Execution Standard).
  • Output: summary report shared under MNDA with the agency's evaluation team. The full report is held back; the summary names the firm, scope, methodology, finding counts, and remediation status.

Independent NIST SP 800-53 Rev. 5 assessment

For agencies authorizing CybrIQ under FISMA Moderate or High, an independent assessment summary against the controls cited on the FedRAMP posture page is available on request under MNDA. The assessment summary covers methodology, scope, controls tested, findings, and remediation status. It is structured for direct reference in the agency's SSP and continuous-monitoring strategy.

What independent validation does NOT include

Naming the gaps is part of the discipline. The following are not held today and are not represented as held:

  • FedRAMP authorization (any tier). No Marketplace listing. No "In Process" designation. The customer-installed deployment shape is the path for agencies whose authorization route is FISMA, on-premises, SCIF, or air-gapped (see FedRAMP posture).
  • StateRAMP / TX-RAMP. Not held today; the customer-installed deployment shape sits inside the state's own authorization boundary.
  • DoD IL4 / IL5 / IL6 as product-level authorizations. The customer-installed deployment shape sits inside the program's authorization boundary.
  • NIAP Common Criteria. Not pursued. Rationale: the product is customer-installed software with no embedded cryptography in the data path beyond TLS, so there is no cryptographic module of its own to evaluate.
  • FIPS 140-3. Not pursued for the same reason. For environments that require FIPS-validated cryptography, the relevant validated module is the TLS stack in the customer's own deployment, not a module shipped with the product; the briefing call walks through where that boundary sits for your deployment shape.

How the artifacts reach your team

None of the artifacts above is a public link, for two reasons. First, the underlying reports contain control-level detail that is not published on the open internet. Second, the agency's evaluation team typically wants the artifact addressed to a specific contracting officer or authorization team, with a bridge letter dated to the request. The path is:

  1. Briefing call. 30 minutes; we confirm which artifacts your evaluation needs.
  2. MNDA execution. One-page mutual NDA, exchanged the same day.
  3. Artifact delivery. Reports, certificates, and assessment summaries shipped directly to the named recipient. Most artifacts ship within two business days; a SOC 2 bridge letter takes longer if a fresh letter must be prepared for your request date.

Request the independent-assessment package

30 minutes: we confirm which artifacts your evaluation needs, execute MNDA, and ship the package addressed to your authorization team or contracting officer.
