COMPLIANCE POSTURE

Where we stand today.
Where we're going.

FRIDAY Sovereign Intelligence is a pre-certification platform on an aggressive accreditation roadmap. We document every framework with honest current status and target dates. No paper certifications.

01At-a-glance

NIST 800-53 (Moderate)
Control mapping documented for 187 of 261 controls
IN PROGRESS Target: Q1 2027
FedRAMP Moderate
3PAO selection in progress; AWS GovCloud target environment
PLANNED Target: Q1 2027
CMMC Level 2
Self-assessment under NIST 800-171 underway
IN PROGRESS Target: Q4 2026
SOC 2 Type I
Trust Services Criteria gap analysis Q3 2026
PLANNED Target: Q4 2026
ITAR / EAR Posture
EAR99 self-classification; ITAR not applicable for current capability mix
SELF-CLASSIFIED Reviewed: 2026 Q2
SAM.gov Registration
Entity registration submitted 2026-04-01; CAGE code pending
SUBMITTED Awaiting CAGE
DCAA Accounting
DCAA-compliant accounting structure setup in progress
IN PROGRESS Target: Q3 2026

02Framework Detail

FedRAMP Moderate

Status: Documentation phaseTarget: ATO Q1 2027Boundary: SI platform only

FedRAMP Moderate is the target authorization for federal civilian and limited DoD use. AWS GovCloud is the target hosting environment. Current Hetzner deployment is for commercial pilots only and is NOT in scope for FedRAMP boundary.

CMMC Level 2

Status: Self-assessmentTarget: Q4 2026Framework: NIST SP 800-171 Rev. 2

CMMC Level 2 is required for handling Controlled Unclassified Information (CUI) from DoD contracts. Current SBIR pipeline (A254-P050) drives the Q4 2026 timeline.

NIST 800-53 Rev. 5 (Moderate baseline)

Status: Mapping in progressCoverage: 187 / 261 controlsBaseline: Moderate

NIST 800-53 control mapping is the foundation of both FedRAMP and DoD Impact Level authorizations. Mapping is tracked in a control matrix maintained against each platform component.

ITAR / EAR Posture

Status: Self-classified EAR99Reviewed: 2026-Q2Counsel: External export-control review pending

The current commercial capability mix (open-source intelligence fusion, public-data signal processing) is self-classified as EAR99. No ITAR-controlled defense articles are exported. Customers requiring ITAR-restricted deployment configurations are reviewed case-by-case.

SOC 2 Type I & II

Status: PlannedType I target: Q4 2026Type II target: Q3 2027

SOC 2 attestation is the standard commercial trust signal for enterprise SaaS. Trust Services Criteria gap analysis is scheduled Q3 2026 with a Big-4-affiliated auditor.

GDPR / Data Privacy

Status: Compliant (commercial workloads)DPA: Available on requestDPO: Founder-fronted

EU production deployment falls under GDPR. Data subject rights (access, rectification, deletion, portability) handled within 30 days. Standard Contractual Clauses available for international transfers.

Federal Procurement Readiness

SAM.gov: Submitted 2026-04-01CAGE code: PendingSBIR: A254-P050 pipeline active

Direct federal contracting readiness is on track for first contract award in late 2026.

03Honest disclosures

We have not yet achieved any third-party-attested certification. Anyone claiming we have is wrong. Current posture is pre-certification with documented roadmap and active engagement with assessors. Pilots run on commercial deployment with clear scope-of-work language acknowledging pre-cert status.

Why the honesty matters: Defense intel buyers see fake certification claims constantly. Our wager is that transparent in-progress documentation builds more trust than aspirational marketing copy. The first FedRAMP ATO is a 12-18 month process and we're on month 3.

Need a capability statement?

Procurement teams — request the current capability statement and SSP excerpt for evaluation.