Trust
CMMC L2 self-attestation
Pending counsel review
11 of 13 families live · 107 controls in scope
Xpoose CyberSec runs the platform that gets you to CMMC L2. The bar we hold customers to is the bar we hold ourselves to. This page declares our self-attestation against CMMC L2 + NIST SP 800-171 rev 3.
Pending the first signed quarterly
The signed PDF version of this attestation lands once counsel completes review and the @OPERATOR-ACTION-2 YubiKey signing ceremony fires. The control-family table below is the same content the signed PDF will carry; the signature is what you’ll wait on.
Latest signed PDF
Quarterly refresh; published to R2://xpoose-trust/cmmc/ once the ceremony fires.
Refresh cadence
Every 90 days, plus an out-of-band refresh whenever any control's state changes at Partial severity or worse (a Live family dropping to Partial, or a Partial gap widening).
- Q1 attestation: April 2026 (next)
- Q2: July 2026
- Q3: October 2026
- Q4: January 2027
Control-family coverage
11 families fully implemented; 2 partial, with the known gaps named in the table. All 13 families in scope are addressed at v1. Note that "13 families" is the scoped set, not the full standard: NIST SP 800-171's MA (Maintenance) family does not appear in the table, and rev 3 also adds PL, SA and SR.
| Status | Family | Controls | Implementation |
|---|---|---|---|
| Live | AC — Access Control | 22 | Clerk-backed identity + passkey-mandatory, hardware key for admin. F-10 + F-26 cover the full lifecycle. |
| Live | AU — Audit & Accountability | 9 | Append-only HMAC-chained audit log per ADR-014. F-33 covers immutability + verify endpoint + 1M-row export. |
| Partial | AT — Awareness & Training | 3 | Founder-Edition + Cohort academy programs (F-18 / F-19). Operator training tracker lands with F-25. |
| Live | CM — Configuration Management | 9 | Drizzle migrations forward-only, ADR-014 generation rotation, infrastructure/subprocessors.yaml as source of truth. |
| Live | IA — Identification & Authentication | 11 | Clerk MFA + WebAuthn. Step-up auth gate for MSA sign + checkout (F-35). |
| Partial | IR — Incident Response | 6 | PagerDuty hooks + ops_incidents table + chaos-drills runbook (F-32). Quarterly drill cadence per @OPERATOR-ACTION-7. |
| Live | MP — Media Protection | 4 | PreVeil customer-managed-key BYOK enclave per ADR-016. Per-object HMAC for tamper detection. |
| Live | PE — Physical Protection | 6 | Cloud-only ops; no Xpoose-touched on-prem. Key custody in fireproof safes per @OPERATOR-ACTION-5. |
| Live | PS — Personnel Security | 2 | Solo operator; background check on file. Subcontractor onboarding gate per the cosign 2nd-custodian process. |
| Live | RA — Risk Assessment | 3 | Annual risk register; quarterly POAM review for engaged clients. Exposure Scorecard per F-01. |
| Live | CA — Security Assessment | 9 | Internal control reviews quarterly. Pre-engagement assessment per CMMC Pre-Flight (cmmc-preflight offer). |
| Live | SC — System & Communications | 16 | Cloudflare R2 ENAM, AWS KMS HMAC seed, mTLS for Consigliere fleet via step-ca (ADR-015). |
| Live | SI — System & Information Integrity | 7 | Cosign-verified OTA, append-only audit chain, anomaly alerts. Tamper checks via integrity manifest. |
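The AU and SI rows both rest on an append-only, HMAC-chained audit log with a verify step. The following is an added illustration of what such a chain and its verify endpoint check; it is not Xpoose's ADR-014 implementation, and the key (`b"constructed-demo-key"`), the record fields and the `GENESIS` value are assumptions made for the example. In a real deployment the key would come from a KMS (the SC row mentions an AWS KMS HMAC seed) and would never be reachable from the code path that writes log rows.

```python
"""Append-only HMAC-chained audit log with a verify step (added example).

Each entry's MAC covers its sequence number, the previous entry's MAC and the
record itself, so editing, reordering or deleting an entry breaks the chain
from that point on. The key is a constructed demo value, not a real secret.
"""
import copy
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # assumed prev-MAC for the very first entry


def _mac(key: bytes, seq: int, prev: str, record: dict) -> str:
    # Canonical JSON so the same logical entry always MACs to the same value.
    payload = json.dumps(
        {"seq": seq, "prev": prev, "record": record},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append(log: list, key: bytes, record: dict) -> dict:
    """Append one record; the new entry is chained to the current tail."""
    seq = len(log)
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"seq": seq, "prev": prev, "record": record,
             "mac": _mac(key, seq, prev, record)}
    log.append(entry)
    return entry


def verify(log: list, key: bytes, head: Optional[str] = None):
    """Walk the chain from genesis. Returns (ok, index_of_first_bad_entry).

    `head` is an out-of-band anchor (the latest MAC published elsewhere,
    e.g. in a signed manifest). Without it, silently truncating the tail
    of the log is NOT detectable: a shorter chain still verifies.
    """
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != expected_prev:
            return False, i                      # reordered or deleted entry
        recomputed = _mac(key, i, expected_prev, entry["record"])
        if not hmac.compare_digest(entry["mac"], recomputed):
            return False, i                      # edited entry or wrong key
        expected_prev = entry["mac"]
    if head is not None and expected_prev != head:
        return False, len(log)                   # tail truncated
    return True, None


# Constructed sample records, not real audit data.
SAMPLE_RECORDS = [
    {"ts": "2026-03-01T10:00:00Z", "actor": "alice", "action": "login", "mfa": "webauthn"},
    {"ts": "2026-03-01T10:02:11Z", "actor": "alice", "action": "export", "rows": 1000000},
    {"ts": "2026-03-01T10:05:40Z", "actor": "bob", "action": "role_change", "to": "admin"},
    {"ts": "2026-03-01T10:06:02Z", "actor": "bob", "action": "logout"},
]


def build_sample_log(key: bytes) -> list:
    log = []
    for rec in SAMPLE_RECORDS:
        append(log, key, rec)
    return log


def run_demo(key: bytes) -> dict:
    """Exercise the chain against the tampering a verify endpoint must catch."""
    log = build_sample_log(key)
    head = log[-1]["mac"]                     # the value to anchor out of band

    edited = copy.deepcopy(log)
    edited[2]["record"]["to"] = "viewer"      # rewrite history in place

    dropped = copy.deepcopy(log)
    del dropped[1]                            # remove an entry from the middle

    truncated = log[:-1]                      # drop the newest entry

    return {
        "intact": verify(log, key),
        "edited": verify(edited, key),
        "dropped": verify(dropped, key),
        "truncated_no_anchor": verify(truncated, key),
        "truncated_with_anchor": verify(truncated, key, head=head),
    }


if __name__ == "__main__":
    for name, (ok, bad) in run_demo(b"constructed-demo-key").items():
        print(f"{name:22s} ok={ok} first_bad={bad}")
```

The practitioner point is the last two cases: the chain alone reports a truncated log as intact, so the current head MAC (or a row count plus head) has to be anchored somewhere the writer cannot reach, such as a signed integrity manifest or a periodic export, for "append-only" to mean anything against an attacker who can delete rows.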
What signing means
Once published, every quarterly self-attestation is signed with a YubiKey 5C FIPS held by the founder. The signature metadata and the signing key's fingerprint live in the integrity manifest. Procurement verifies the PDF the same way they verify the SBOM: fetch the published public key, check that its fingerprint matches the one recorded in the manifest, then verify the signature over the exact PDF bytes that were downloaded, not over a re-rendered or re-saved copy.
Self-assessment, with the annual affirmation the rule requires, is what the CMMC 2.0 rule (32 CFR Part 170) allows at Level 2 when a contract specifies Level 2 (Self). Where a prime contract, or a prime's flowdown to its subcontractors, specifies Level 2 (C3PAO), a third-party certification assessment by a C3PAO is required; this page is the self-assessment path, and the C3PAO assessment happens when a prime contract requires it.