Compliance posture · refreshed monthly

Compliance is the substrate.

We track our gaps as carefully as our strengths. Here is exactly where we stand today.

  • NIST 800-171 · self-assessment authored
  • CMMC L1 · met
  • SOC 2 · narratives drafted
  • Veteran-owned

Posture today

Where we stand.

Standard, posture, and verification for every line. Updated monthly; last refreshed 2026-05-15. Historical snapshots are preserved and available on request.

NIST 800-171 r2
  Posture: Self-assessment authored · submission queued
  All 110 practices scored against NIST 800-171 r2. The System Security Plan (SSP) is authored across the 14 control families. A 26-item Plan of Action and Milestones (POA&M) is drafted. SPRS submission follows the final Phase-2 consolidation close.
  Verification: SPRS submission · in queue

CMMC Level 1
  Posture: Met (self-attest)
  Annual self-attestation on file. All 17 basic safeguarding practices for Federal Contract Information (FAR 52.204-21) are documented with their current state and active remediation paths.
  Verification: Annual self-attestation

CMMC Level 2
  Posture: Phase-1 complete · Phase-2 consolidation under way
  Per-practice gap analysis complete across all 14 families (1:1 with NIST 800-171 r2). Phase-2 consolidation in progress: branch-protection inventory, MFA enforcement audit, incident-response SOP adoption, workstation EDR rollout, network-topology documentation. Self-assessment target T+9 months; C3PAO certified assessment target T+21 months. We make no claim of Level 2 conformance today.
  Verification: C3PAO assessment record

FedRAMP Low / Moderate
  Posture: Outline SSP authored · sponsor-gated
  Eleven SSP-outline documents (~1,400 lines) authored, including the boundary diagram, FIPS module path, POA&M template, observability runbook, and the CMMC Level 2 control mapping. V1 of the product is on-premise and is not delivered through FedRAMP. Cloud delivery follows agency sponsor identification and ATO grant, and not before.
  Verification: Authorization letter when granted

SOC 2 Type I
  Posture: Engagement letter signed · narratives drafted
  CPA engagement letter signed with an independent firm. Twelve narrative documents drafted across the Common Criteria CC1 through CC9 plus the Availability and Confidentiality criteria, with a Type II evidence-source plan. Report issuance follows the close of the CPA's control-design assessment.
  Verification: Auditor report when issued

SOC 2 Type II
  Posture: Planned post-Type I
  The twelve-month operating-effectiveness observation window opens at Type I close. The evidence-source plan is already drafted as part of the Type I narratives.
  Verification: Auditor report when issued

FIPS 140-3
  Posture: aws-lc-rs migration complete · CMVP queue is the gate
  Migration to aws-lc-rs is complete in code and documented in the FIPS module path. aws-lc-rs is a Rust binding to AWS-LC; it is the underlying AWS-LC module whose validation sits in the NIST CMVP public queue, where current public queue depth is 18–24 months. Queue status is monitored monthly under a documented SOP. We make no FIPS validation claim on any external surface today.
  Verification: CMVP certificate when granted

ITAR / EAR overlay
  Posture: Controls live · counsel review under way
  Content-leakage scans across all public-facing repositories return zero export-controlled technical data. An automated disclaimer-check workflow in continuous integration enforces compliance-claim language on every public-facing repository. An outside-counsel-mediated legal opinion is in progress. We do not yet handle ITAR-controlled technical data.
  Verification: Counsel-mediated review
◆ Met  ·  ◐ In remediation  ·  ○ Planned  ·  Last refreshed 2026-05-15  ·  Next refresh 2026-06-15
What we already have

The strengths the substrate inherits by design.

Cryptographic primitives chosen against NIST guidance. Engineering discipline a much larger team would recognize. Every item below is in code today.

Cryptographic primitives (NIST-aligned)

  • Ed25519 · native signing (RFC 8032)
  • secp256k1 ECDSA · EVM compatibility (not a NIST-recommended curve; retained for EVM interoperability)
  • Argon2id · wallet keystore at rest
  • AES-256-GCM · encrypted storage with secure cleanup
  • ECVRF-P256-SHA256-TAI · proposer election (RFC 9381)
  • Noise XX · mutually-authenticated peer transport
  • CRYSTALS-Kyber (standardized as ML-KEM, FIPS 203) + X25519 · hybrid post-quantum key encapsulation for storage
  • HKDF-SHA-256 · tenant sub-secret derivation
  • aws-lc-rs · FIPS-track cryptographic backend (CMVP queued)

Engineering discipline

  • 121+ TLA+ formal specifications across the workspace
  • 50B+ states explored on transaction signing
  • 5,377 Rust tests · 1,343 Foundry tests
  • Mock budget zero: no in-codebase mocks; every path names its real data source
  • 28 Semgrep CI tripwire rules pinned to specific historical findings
  • 26-item POA&M drafted against the 110 NIST 800-171 r2 practices
  • Disclaimer-check CI workflow enforces compliance-claim language on every public-facing repository
  • CycloneDX + SPDX SBOMs on every release
  • SLSA build provenance on every artifact
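The ITAR/EAR row above and the disclaimer-check bullet describe a CI tripwire for compliance-claim language but not what one looks like. The following is an added example, not the project's own workflow: a hypothetical Python check that walks a repository's text files, finds certification claims the posture page says are not yet held (FIPS 140 validated, CMMC Level 2 certified, FedRAMP authorized, SOC 2 certified), and lets a sentence through only when it carries a hedge of the kind this page itself uses ("not yet", "queued", "when granted"). The claim patterns, hedge list, file suffixes and sample README are all constructed for the example.

```python
"""Hypothetical CI tripwire for unqualified compliance claims (added example, not the project's workflow)."""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Unqualified certification claims to block. Patterns are constructed for this example;
# a real deployment would derive them from the posture page's own "we make no claim" lines.
CLAIM_PATTERNS = {
    "fips-validated": re.compile(r"\bFIPS[\s-]*140-?[23]?\s+(validated|certified)\b", re.I),
    "cmmc-l2-certified": re.compile(r"\bCMMC\s+Level\s*2\s+(certified|compliant)\b", re.I),
    "fedramp-authorized": re.compile(r"\bFedRAMP\s+(authori[sz]ed|certified)\b", re.I),
    "soc2-certified": re.compile(r"\bSOC\s*2\s+(Type\s*(I|II|1|2)\s+)?(certified|compliant)\b", re.I),
}

# Hedges that turn a claim into a roadmap statement. Checked per sentence, not per file,
# so a "not yet" in one paragraph cannot excuse a bare claim in another.
HEDGE = re.compile(
    r"\b(not yet|no claim|no representation|pending|queued|in (the )?queue|planned|"
    r"target|will be|when (granted|issued)|until)\b",
    re.I,
)

SENTENCE_SPLIT = re.compile(r"(?<=[.!?;])\s+")

# File types scanned; constructed for the example.
SCAN_SUFFIXES = (".md", ".txt", ".rst", ".html", ".toml", ".yml", ".yaml")


def find_violations(text: str, path: str = "<text>") -> list[dict]:
    """Return one finding per unqualified claim: path, 1-based line, rule name, offending sentence."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for sentence in SENTENCE_SPLIT.split(line):
            if HEDGE.search(sentence):
                continue  # qualified statement; allowed
            for rule, pattern in CLAIM_PATTERNS.items():
                if pattern.search(sentence):
                    findings.append({"path": path, "line": lineno, "rule": rule, "text": sentence.strip()})
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Scan every text file under root (skipping .git), returning findings ordered by path then line."""
    findings = []
    for file in sorted(root.rglob("*")):
        if ".git" in file.parts or file.suffix.lower() not in SCAN_SUFFIXES or not file.is_file():
            continue
        text = file.read_text(encoding="utf-8", errors="replace")
        findings.extend(find_violations(text, str(file.relative_to(root))))
    return findings


# Constructed sample README for the example; it is not real project text.
SAMPLE_README = """\
# Example storage node

Our keystore uses aws-lc-rs, which is queued for CMVP validation; we make no FIPS claim today.
We do not yet hold a CMMC Level 2 certificate.
The node ships a FIPS 140-3 validated cryptographic module.
Cloud delivery is FedRAMP authorized for Moderate workloads.
Cloud delivery will be FedRAMP authorized once the sponsoring agency grants an ATO.
"""


def main(argv: list[str]) -> int:
    """CI entry point: print each finding and exit 1 when any unqualified claim is present."""
    root = Path(argv[1]) if len(argv) > 1 else Path(".")
    findings = scan_tree(root)
    for f in findings:
        print(f"{f['path']}:{f['line']}: [{f['rule']}] {f['text']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python claim_check.py <repo-root>` from a CI job; a non-zero exit blocks the merge. On the constructed README only lines 5 and 6 are reported: line 3 is hedged by "queued", line 4 never asserts a certificate is held, and line 7 is hedged by "will be". The per-sentence hedge check is deliberately strict but not airtight: a hedge word anywhere in the sentence clears it, so the rule list should be reviewed against real findings the way the Semgrep tripwires above are pinned to historical ones.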
The honest gaps

What we do not yet promise.

Bidding on a contract whose requirements we cannot meet would be a FAR 52.203-13 violation. We disclose what we cannot do. That is the discipline.

  1. We are not yet FedRAMP-authorized for cloud delivery. Our V1 is on-premise. V2 cloud delivery follows ATO.
  2. We do not yet hold a CMMC Level 2 certificate. Phase-1 remediation is complete and Phase-2 consolidation is in progress; certified C3PAO assessment is on a defined T+21 month track.
  3. We do not yet ship a FIPS 140-3 validated cryptographic module. Migration is documented; the CMVP queue is the bottleneck.
  4. We will not handle classified data or controlled unclassified information on any network we operate until federal certification is complete.
  5. We make no representations about token pricing or token-economic returns to anyone, ever. Our commercial model is denominated in dollars, on standard contract vehicles.
Verification path

Independently verify every claim on this page.

  • Live testnet · https://rpc.citrate.ai · Chain ID 40204
  • TLA+ spec inventory · available on request via /resources/verify
  • Deployed contracts · addresses published per release
  • Audit history · dated, immutable, available on request
  • Compliance posture brief · two-business-day NDA-protected response · /contact
Request the verification packet
Talk to us

Compliance is a conversation, not a checkbox.

If you need a written posture summary for a procurement file, we will send the most recent snapshot under NDA within two business days.

Request a compliance review · Request the verification packet