Built to the standards we help you reach.
FORCE operates in AWS GovCloud with continuous, hashed evidence collection, MFA-enforced access, per-tenant encryption with customer-managed keys, and endpoint protection across every personnel device. The platform that proves your compliance is instrumented to the same standards.
Below: our complete self-audit findings, our remediation plans, our continuous monitoring posture, and the formal certifications we operate toward. We publish what most platforms don't show until they're forced to. That's not a vulnerability — it's how trust gets built.
What FORCE operates today
Before any third-party certification, the FORCE platform operates with:
- AWS GovCloud (us-gov-west-1) deployment — the same boundary federal agencies require
- Continuous evidence collection across AWS, Azure, and Microsoft 365 with SHA-256 hashing at write time and S3 Object Lock immutability with 7-year retention
- Per-tenant customer-managed key (CMK) encryption at rest; TLS 1.2 or higher in transit; HSTS enforced
- Cognito identity with multi-factor authentication enforced on every diligence and assessor portal
- Microsoft Defender for Endpoint deployed across all personnel devices, with telemetry feeding the same evidence chain we provide to customers
- Multi-tenant isolation by tenant-prefixed partition keys; cross-tenant data paths prevented at the database level
- First-class incident response orchestration: detection through closure, with every incident tied to specific control families
- Native OSCAL exports across CMMC Level 2, FedRAMP Moderate (rev5 and 20x), SOC 2 Type II, and ISO 27001:2022
- A complete internal self-audit with published findings and remediation plans
Every item above is operational today. Every item is independently verifiable on request. Every item is in scope for the formal third-party assessments now underway.
Formal certifications underway
FORCE operates to multiple federal compliance standards today. Independent third-party assessments are now underway to formally certify that operation. Each assessment confirms what FORCE already operates. We will publish each report on this page upon issuance.
FORCE operates to FedRAMP Moderate controls today in AWS GovCloud. Formal third-party assessment is underway to certify that operation.
Observation period in progress with the engaged auditor.
FORCE operates to NIST SP 800-171 controls today. C3PAO assessment is scheduled.
Internal self-audit complete; certification audit underway with the engaged registrar.
Continuous monitoring posture
- Continuous evidence collection across AWS, Azure, and Microsoft 365 — same engine FORCE customers run.
- Every artifact SHA-256-hashed at write; S3 Object Lock compliance mode with 7-year retention.
- Per-tenant CMK encryption at rest; FIPS 140-3 endpoints throughout.
- Self-audit cadence: continuous, with quarterly published summaries.
Trust artifacts
How FORCE handles CUI, FCI, and other regulated data classes — bigforceone.com is an audit platform, not a CUI vault.
GovCloud, FIPS 140-3, per-tenant KMS, five-layer tenant isolation, attestation ledger.
An open invitation to every accredited 3PAO and C3PAO to bid on the FORCE assessment.
What we collect when we send cold outreach, what we don't, and how to opt out.
Coordinated disclosure contact + PGP key reference per RFC 9116.
Direct contact
- Privacy: privacy@bigforgeone.com
- Security: security@bigforgeone.com
- Partnerships: partners@bigforgeone.com
