Security

We Operate Inside the Authorization Boundary

What We Are & What We're Not

ADL is a consulting and software development firm. We are not a cloud service provider.

We don't host federal systems or data. FedRAMP doesn't apply. We operate under the agency's existing Authority to Operate.

Your cloud account. Your network. Your approved tools. We work inside. FISMA applies through the agency contract. We implement NIST 800-53 controls at the application layer and contribute to your ATO package—SSP sections, control evidence, POA&M items.

If your ISSO or security team needs specifics, we get them answers. Not a form. Not a queue.

What We Touch, Where It Goes, What Happens When We Leave

Data in Transit

TLS 1.2+ minimum. Nothing over unencrypted channels. API calls authenticated, logged. We don't open ports or protocols your network team hasn't approved.

Data at Rest

Agency's approved environment only. AES-256 at rest where it applies. No parallel datastores, no shadow copies, nothing replicated outside your boundary.

Data at Engagement Close

Credentials rotated or revoked. No data retained. No training sets, no derivative datasets, no "de-identified" copies. Written confirmation of disposition to your POC.

Access Controls

Role-based, scoped to engagement. Least privilege. MFA on everything. Approvals, changes, logs—your security team can see them on request.

Controlled Unclassified Information

CUI engagements: handling aligned to NIST 800-171. Documented controls for storage, transmission, access, incident reporting.

Data Minimization

We collect what we need. Unnecessary fields excluded by default. Retention windows match agency requirements.

Security Lives Inside the Engineering Process

Code Scanning

Every PR runs static analysis and dependency checks before merge. High-severity? Blocks release until triage and remediation are documented.

Supply Chain Integrity

Dependencies pinned. Provenance verified. Package updates go through change control. We skip unvetted transitive upgrades. Evidence in the release record.

Secrets Management

Secrets in approved vaults. Never in repos. Never in CI logs. Rotation schedules and break-glass procedures—defined with your security team before go-live.

Configuration Management

Infra and app config as versioned artifacts. Peer-reviewed change history. Rollback paths ready before we need them.

Peer Review

Security-relevant changes: second reviewer required. Explicit notes on auth, authz, data handling. No silent merges on privileged paths.

Environment Isolation

Dev, staging, prod—logically separated. Scoped credentials. Least privilege. Test data and production data never mix.

Logging & Audit Trail

Security events logged. Actor, action, timestamp, context. Investigations can reconstruct who did what and when. Retention follows agency policy.

SBOM & Artifact Traceability

Build outputs tied to SBOM and immutable artifact IDs. Assessors can trace a deployed release back to reviewed source and approved dependencies.

Vulnerability Triage SLA

Findings triaged by severity. Documented response timelines. Critical? Immediate containment. Same-day communication to agency stakeholders.

Incident Response Readiness

Runbooks define escalation, evidence collection, coordination with your SOC and ISSO. We rehearse. Real incidents don't become process discovery exercises.

Access Recertification

Privileged access reviewed periodically against active engagement scope. Dormant accounts and unnecessary permissions—removed as routine hygiene.

Frameworks We Build Against

We satisfy them inside your environment. Your assessors see it.

FISMA

Controls addressed in the architecture from day one. SSP documentation delivered as part of every build engagement.

FedRAMP

We deploy on platforms that already hold your agency's FedRAMP authorization. No new packages to sponsor mid-project.

NIST AI RMF

Security controls mapped and documented per NIST 800-53 rev 5. Inherited controls identified, system-specific controls implemented.

Also built against: OMB M-25-21, OMB M-25-22, NIST 800-171, NIST 800-53 (Rev. 5), NYC-Specific Requirements, Section 508.

Security is Fundamental to Everything We Do

FedRAMP authorization: not applicable. We're consulting and development, not a CSP. FedRAMP applies to CSPs. We deploy on platforms that already hold your agency's FedRAMP authorization.

SOC 2 applies to service orgs that store or process customer data. We operate inside your boundary using your infrastructure. We don't host, store, or process agency data on our own systems.

At engagement close, your data goes nowhere with us. Credentials rotated or revoked. No data retained. No training sets, no derivative datasets, no de-identified copies. Written confirmation of disposition to your POC.

Working inside your environment is our default model. We develop inside your cloud account, your network, your approved tools. FISMA applies through the contract.

Team members hold or can obtain clearances at required levels. Specifics confirmed during scoping.

AI tools are used only when appropriate and approved. AI usage follows agency governance requirements. Documented as part of the engagement.

Section 889: ADL does not use covered telecommunications equipment or services from prohibited sources under Section 889 of the NDAA.

We provide documentation relevant to scope directly to your ISSO or security team. Not a form. Not a queue.

Ready to scope your project? We'll map, design, and build the right solution.