Compliance documentation

Compliance & Control Mapping

NIST 800-53 Rev5, FedRAMP High, FIPS 140-2, and DISA STIG documentation for Passcore Defense deployments.

NIST 800-53 Rev5

Passcore Defense provides a complete control mapping to NIST SP 800-53 Revision 5, covering all applicable controls for Low, Moderate, and High baselines. Evidence artifacts are provided for each implemented control.

Key control families addressed include: Access Control (AC), Audit and Accountability (AU), Identification and Authentication (IA), System and Communications Protection (SC), and Configuration Management (CM).

IA-2: Identification and Authentication

Passcore implements multi-factor authentication for all privileged and non-privileged accounts. PIV/CAC enforcement with per-login OCSP revocation satisfies IA-2(1), IA-2(2), and IA-2(12) (PIV credentials).

AU-9: Protection of Audit Information

MustLog compliance mode ensures audit records are committed atomically with the authentication decision. Audit write failures halt the request, satisfying AU-9 requirements for audit integrity protection.
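The fail-closed behavior described for AU-9 can be illustrated with a single database transaction. This is an added example, not Passcore Defense code: the SQLite store, the `sessions` and `audit` tables, and the function names are assumptions chosen for the sketch, and the audit failure is simulated.

```python
import sqlite3

class AuditUnavailable(Exception):
    """The audit record could not be committed, so the request is halted."""

def open_store(audit_writable=True):
    # Constructed in-memory store; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (user TEXT NOT NULL)")
    db.execute("CREATE TABLE audit (user TEXT NOT NULL, outcome TEXT NOT NULL)")
    db.commit()
    if not audit_writable:
        # Simulated audit-sink failure: every insert into audit aborts.
        db.execute(
            "CREATE TRIGGER audit_down BEFORE INSERT ON audit "
            "BEGIN SELECT RAISE(ABORT, 'audit sink unavailable'); END"
        )
        db.commit()
    return db

def authenticate(db, user, credential_ok):
    """Return the decision only after its audit record has been committed."""
    outcome = "success" if credential_ok else "failure"
    try:
        with db:  # one transaction: commits on exit, rolls back on exception
            if credential_ok:
                db.execute("INSERT INTO sessions (user) VALUES (?)", (user,))
            db.execute(
                "INSERT INTO audit (user, outcome) VALUES (?, ?)", (user, outcome)
            )
    except sqlite3.Error as exc:
        # Fail closed: the session insert was rolled back with the audit insert.
        raise AuditUnavailable(f"no audit record for {user!r}") from exc
    return credential_ok

def count(db, table):
    # table is one of the fixed names above, never user input
    return db.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]

if __name__ == "__main__":
    ok_db, bad_db = open_store(), open_store(audit_writable=False)
    print(authenticate(ok_db, "alice", True), count(ok_db, "audit"))
    try:
        authenticate(bad_db, "alice", True)
    except AuditUnavailable as err:
        print("halted:", err, "| sessions:", count(bad_db, "sessions"))
```

When reviewing evidence for this control, the property to test is the second case: with the audit sink failing, no session exists and no decision is returned.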

FedRAMP High

Passcore Defense supports the FedRAMP High authorization path for government cloud deployments. Our documentation package includes a System Security Plan (SSP), Security Assessment Report (SAR) template, and Plan of Action & Milestones (POA&M) templates.

Deployments in AWS GovCloud (US) leverage FedRAMP-authorized infrastructure. For dedicated government environments, we support BPA/IDIQ procurement vehicles.

FIPS 140-2

All cryptographic operations in Passcore Defense use FIPS 140-2 validated modules. This includes symmetric encryption (AES-256-GCM), asymmetric operations (RSA-4096, ECDSA P-384), and key derivation (HKDF-SHA-384).

Post-quantum algorithms (CRYSTALS-Kyber for key encapsulation, CRYSTALS-Dilithium for signatures) are implemented alongside classical algorithms in a hybrid mode, pending FIPS 140-3 validation of PQC modules.

DISA STIG Alignment

Passcore Defense is hardened in alignment with the DISA Application Security and Development STIG (V5R3). Configuration guidance is provided in the deployment documentation package.

ITAR Considerations

For ITAR-controlled programs, Passcore Defense is available in an on-premises or air-gapped deployment with no external dependencies, no telemetry, and no outbound connections required. All personnel with access to defense customer data are U.S. persons.

Reach out via the access request form to discuss ITAR-specific requirements with our compliance team.