bigforceone

We used FORCE to get FORGE ready.

BigForgeOne is Tenant Zero on its own platform. We subscribed to NIST 800-171 R3 + CMMC L2 + FAR 52.204-21, onboarded the same way a customer would, and ran the assessment workflow end-to-end — including the parts that aren't glamorous.

Tenant: bigforgeone.com · Frameworks: CMMC L2 + NIST 800-171 R3 + FAR 52.204-21 · Period: April 2026

Measured results

  • 130: NIST 800-171 R3 requirements mapped. Full scope across all 17 control families.
  • 422: Assessment objectives decomposed. Each requirement broken into the underlying examine / interview / test items.
  • $0: Consulting services engaged. Comparable engagements quote $75K-$150K for the same scope.
  • <5 min: From onboarding to first evidence. Connect AWS + M365 read-only, run collectors, see evidence map to controls.
  • TBD: DIBCAC result · published when measured. We will publish the result regardless of outcome. If we miss something, you see that too.

Why we made BigForgeOne Tenant Zero.

Most compliance SaaS companies don't use their own platform on themselves. The reasons are usually mundane — internal compliance is a tax, the platform is built for someone else's use case, the founders haven't had time. But it leaves a gap in the trust story: how do you ask a customer to bet their CMMC posture on your tooling when you wouldn't bet your own?

We made the call early. BigForgeOne's commercial M365 tenant and AWS account run through FORCE the same way any customer's do. Cross-tenant introspection. Read-only. Same evidence collectors. Same control catalog. Same SSP and POA&M generation. Same submission package.

If the platform doesn't hold up under our own use, we find out before customers do.

The setup.

Tenant Zero was provisioned exactly like a Charter L2 customer. No special access, no founder-only paths, no shortcuts.

  • AWS: cross-account scanner role deployed via the standard CloudFormation template. Read-only across IAM, EC2, S3, GuardDuty, Security Hub, CloudTrail, Config, RDS, SSM.
  • M365: Entra app registration with admin consent for Microsoft Graph read scopes — directory, conditional access, audit logs, security.
  • Frameworks: CMMC L2 + NIST 800-171 R3 + FAR 52.204-21 enrolled at onboarding. Multi-framework evidence sharing on.
  • People: one person — the founder — operating in the platform. No consultant, no compliance team. The platform had to do the lifting.

What worked.

Cross-tenant evidence collection.

First evidence appeared in the dashboard under 5 minutes after the AWS and M365 connections came online. Within 24 hours we had 200+ evidence items mapped across the three frameworks. Every IAM policy structure, every Conditional Access rule, every CloudTrail event log configuration showed up where the assessment expected to find it.

The collectors are deliberately conservative — read-only, configuration-only, no data content ever. So “evidence” here means policy structure, configuration metadata, audit log presence, role definitions. Exactly what an assessor needs to verify a control is implemented; never the regulated data the controls protect.

Pre-generated canonical guidance.

Every control on the assessment page loads with a plain-language “why this matters” explanation, 5–9 implementation steps, evidence specifications, and common pitfalls. Generated once via Bedrock, SME-reviewed, cached. Sub-second loads on every control page after the first visit.

The architecture matters more than the cost. Canonical guidance is generated once, reviewed once, served to every customer from cache. New customers don't pay a per-control AI tax to view the assessment workflow — the content is already there, instantly.

The action-gate AI assistant.

Ask FORCE drafted starter narratives for each control — first-person past-tense, citing actual evidence IDs from our tenant. We edited about 60% before signing; the remaining 40% were close enough to use verbatim. The pattern is right: the AI does first-pass drafting, the human signs. The False Claims Act exposure on attestations stays with the human, where it belongs.

OSCAL output.

Profile, SSP, POA&M, and Assessment Results all download as OSCAL JSON from the assessment page. Structurally valid OSCAL 1.1.2 with proper cross-references — the SSP's import-profile points to the Profile, the POA&M's import-ssp points to the SSP, the AR cites evidence by UUID into back-matter resources. Schema-strict validation against FedRAMP's reference toolchain is Phase 2.5 work; structural validation is in place today.
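One way to perform the structural cross-reference check described above, as an added example that is not FORCE's code: it builds constructed, minimal OSCAL 1.1.2-shaped documents and verifies that the SSP's import-profile, the POA&M's import-ssp and the AR's relevant-evidence hrefs resolve to the expected UUIDs (metadata and other required OSCAL fields are omitted; schema validation is out of scope, as the text says).

```python
"""Structural cross-reference check across an OSCAL Profile, SSP, POA&M and AR.

Added example, not FORCE's code. The documents below are constructed and
minimal; the field names mirror OSCAL 1.1.2: import-profile, import-ssp,
observations[].relevant-evidence[].href and back-matter.resources[].uuid.
"""
import uuid

PROFILE_ID, SSP_ID, EVIDENCE_ID = (str(uuid.uuid4()) for _ in range(3))

# Constructed minimal OSCAL bodies (metadata and other required fields omitted).
PROFILE = {"profile": {"uuid": PROFILE_ID}}
SSP = {"system-security-plan": {"uuid": SSP_ID,
                                "import-profile": {"href": f"#{PROFILE_ID}"}}}
POAM = {"plan-of-action-and-milestones": {"uuid": str(uuid.uuid4()),
                                          "import-ssp": {"href": f"#{SSP_ID}"}}}
AR = {"assessment-results": {
    "uuid": str(uuid.uuid4()),
    "results": [{"uuid": str(uuid.uuid4()), "observations": [
        {"uuid": str(uuid.uuid4()),
         "relevant-evidence": [{"href": f"#{EVIDENCE_ID}"}]}]}],
    "back-matter": {"resources": [
        {"uuid": EVIDENCE_ID, "title": "Constructed CloudTrail config evidence"}]},
}}


def _ref(href):
    """OSCAL internal references are '#<uuid>'; anything else is an external URL."""
    return href[1:] if href.startswith("#") else None


def check_crossrefs(profile, ssp, poam, ar):
    """Return a list of problems; an empty list means the reference chain is consistent."""
    problems = []
    ssp_body = ssp["system-security-plan"]
    poam_body = poam["plan-of-action-and-milestones"]
    ar_body = ar["assessment-results"]
    if _ref(ssp_body["import-profile"]["href"]) != profile["profile"]["uuid"]:
        problems.append("SSP import-profile does not point at the Profile uuid")
    if _ref(poam_body["import-ssp"]["href"]) != ssp_body["uuid"]:
        problems.append("POA&M import-ssp does not point at the SSP uuid")
    # Every internal evidence citation in the AR must land on a back-matter resource.
    resources = {r["uuid"] for r in ar_body.get("back-matter", {}).get("resources", [])}
    for result in ar_body["results"]:
        for obs in result.get("observations", []):
            for ev in obs.get("relevant-evidence", []):
                target = _ref(ev["href"])
                if target is not None and target not in resources:
                    problems.append(f"observation {obs['uuid']} cites unknown evidence {target}")
    return problems


if __name__ == "__main__":
    print(check_crossrefs(PROFILE, SSP, POAM, AR) or "cross-references consistent")
```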

The DIBCAC dry-run.

We're preparing for an actual DIBCAC engagement. The result will be published here regardless of what it says. If FORCE got us through, you'll see the specifics. If we missed something, you'll see that too — along with how we closed the gap in the platform itself.

Tentative date: Q3 2026. Result update will appear at the top of this page when the assessment closes.

What this proves.

  • A solo operator can stand up CMMC L2 readiness on FORCE end-to-end in under a month of part-time work, without a consulting engagement.
  • Canonical guidance plus action-gated AI drafting plus cross-tenant evidence collection covers most of the human-time burden of an assessment.
  • OSCAL artifacts are downloadable and structurally valid today, ahead of the FedRAMP September 2026 mandate.

What it doesn't prove.

BigForgeOne is a small, all-cloud company. We don't handle CUI ourselves (per License Agreement Section 4A), so our scope is bounded. A 200-person manufacturer with on-prem networks, physical access controls, and 30 vendors will have a more complex assessment than ours. FORCE handles those scopes too — but Tenant Zero is not the proof of that. Customer case studies come next.

FORCE // CHARTER PROGRAM

Run your tenant the way we ran ours.

Charter pricing locked for the first 50 L2 customers. Self-checkout. Continuous compliance.