← Custodia
Procurement Trust Center

The one page your IT and leadership can pre-check before you buy.

The BidFedCMMC platform is a CMMC compliance platform with a governed AI assistant. It is not an AI-first product; it is a CMMC firm’s software with AI as one governed feature. This is the pre-purchase pack: how the platform is built, where your data lives, how the AI is governed, and why the platform stays outside your CUI boundary. Built by Carnegie Mellon trained information security engineers, in the city where CMMC was half-built.

Powered by AWS
Customer-data keys live inside AWS Key Management Service in the United States. The key bytes never leave the boundary.
Effective May 13, 2026 · Custodia, LLC
NIST SP 800-171 Rev. 2FAR 52.204-21DFARS 252.204-701232 CFR Part 170OWASP ASVSAES-256-GCMTLS 1.2+U.S. Data Residency
AES-256
GCM at rest
TLS 1.2+
In transit, HSTS at edge
100% U.S.
Region & sub-processors
0
AI training on your data
Four pillars

How we protect Federal Contract Information.

We will not publish the full topology of our environment. That is itself a control. What we will publish is the architecture of intent, the principles we hold to, verifiable in contract, in code review, and in the third-party attestations our infrastructure and AI providers hold.

01 · Cryptography

Envelope encryption, key custody in AWS KMS.

Customer data is encrypted at rest with AES-256-GCM. Sensitive fields are wrapped under per-tenant Data Encryption Keys derived via HKDF, themselves wrapped by a Key Encryption Key that lives inside AWS KMS. Key bytes never leave the KMS boundary. Every unwrap is authenticated, logged in CloudTrail, and rate-bounded.
02 · Identity

Strong auth, least privilege, evidence-grade audit.

Customer authentication is delegated to Clerk with MFA available on every tier. Internal administrative access is role-based, requires MFA, and is reviewed quarterly. Every privileged action emits an audit record with actor, timestamp, and intent.
03 · Isolation

Tenant boundary enforced at the data layer.

Isolation is not a UI filter, it is enforced at the data-access layer, on every query, every read, every write. We assume application code will eventually be wrong, and push the boundary downstream of it.
04 · AI Boundary

Governed, no-training, human in the loop.

The AI reads your data in contextto draft and review, never to decide. Under our provider’s commercial terms your inputs and outputs are not used to train any model; API data is retained only briefly for operational and safety purposes, then deleted. No CUI is ever sent to the AI.
AI governance

AI is a governed feature here, not the product.

The BidFedCMMC platform uses AI to do two things: draft your documents and review your evidence. It never decides whether a control is met. Every attestation is made by a person on your team. Here is exactly how the AI is scoped, and what we will not claim about it.

For the full statement, read the AI Fact Sheet.

What the AI does

It drafts policies, procedures, and SSP narratives from facts you provide, and it reviews each piece of evidence you upload to confirm it supports the control and to screen for anything resembling CUI. Drafting and reviewing only.

Human in the loop

The AI never marks a control as met. It proposes; your people confirm, sign, and attest. There is no path by which the model can complete an attestation on its own.

No CUI by design

Evidence shows configurations, settings, rosters, and logs, never controlled data. Uploads are screened for CUI and export-control markings and blocked when detected. No CUI is ever sent to the AI.

Not used to train

Under the AI provider’s commercial terms, your inputs and outputs are not used to train or improve any model. API data is retained by the provider only briefly (30 days by default) for operational and safety purposes, then deleted.

Segregated and encrypted

Each organization’s data is isolated with a per-tenant encryption key. Evidence and sensitive fields are encrypted at rest with AES-256-GCM, wrapped by a platform key backed by AWS KMS. Destroying your key crypto-shreds your data.

Server-to-server, opaque identity

AI calls run server to server; your browser never connects to the AI provider. Only an opaque, salted account hash is sent as an identifier, never your raw user or organization ID. Direct identifiers typed into chat (SSNs, EINs, card numbers) are blocked before they reach the AI.

Tamper-evident

AI actions are logged for tamper-evidence using cryptographic hashes, not raw content, so the record of what happened cannot be quietly rewritten.

What we do not claim
  • We do not claim your evidence is never seen by AI. It is reviewed by AI on upload; that is how the sufficiency and CUI screening works.
  • We do not claim zero data retention. That term is not contracted; the honest posture is limited retention, then deletion.
  • We do not claim no personal data ever reaches AI. Images and PDFs are not redacted by OCR, so upload configuration and settings, not documents containing personal or controlled data.
The CUI boundary

Custodia is a no-CUI platform, by design.

We prove how you protect controlled information without ever holding it. Your CUI stays in your environment. Our platform holds the compliance record about it, nothing more.

What Custodia stores: your assessment answers, scores, policies, plans, registers, and evidence that shows settings and configurations, an MFA policy screen, a user roster, an antivirus status, a visitor log. Compliance metadata, encrypted per tenant with crypto-shred on exit.

What must never enter Custodia: Controlled Unclassified Information itself. Controlled drawings, export controlled specs, technical data on defense articles, or any file marked CUI. The platform tells you this at every evidence upload, and Charlie enforces it in every capture walkthrough: capture the setting, never the controlled data.

Shared responsibility: your CUI lives and stays in your own environment, your Microsoft 365 or Google tenant, your enclave, your file systems, protected by the 110 NIST SP 800-171 requirements the platform walks with you. Custodia is the system of record for the program, not a repository for the protected data. This is the same boundary discipline we ask assessors to verify in your environment, applied to ours.

CMMC asset categorization

Where the platform sits in your assessment scope.

Your assessor will ask how to categorize any tool that touches your program. Here is the determination, with the citations, so you and your C3PAO can place the platform quickly and correctly.

For the artifact your assessor can drop straight into your SSP, see the ESP Service Description.

The BidFedCMMC platform processes, stores, and transmits no CUI. Depending on how you use it, you categorize it as an Out-of-Scope Asset or, where it holds security-relevant readiness data about your environment, a Security Protection Asset (SPA) assessed within your own CMMC assessment. In neither case is it a cloud service provider handling CUI, so it does not trigger the DFARS 252.204-7012 FedRAMP Moderate requirement.

The Out-of-Scope determination is yours to make and justify, not an automatic exemption. As the OSC, you determine that the asset cannot process, store, or transmit CUI and does not provide security protections for CUI Assets, and you must be prepared to justify that determination. Where the platform holds security protection data about your environment, treat it as an SPA and assess it against the Level 2 requirements relevant to the capability it provides, inside your own assessment, not as a separate certification.

32 CFR 170.4 / 170.19
Asset categories and the Security Protection Asset / Security Protection Data definitions.
Scope Guide L2 v2.13
SPAs are assessed within the OSC assessment; Out-of-Scope Assets carry no documentation requirement.
DFARS 252.204-7012
The FedRAMP Moderate trigger applies to a CSP that stores, processes, or transmits CUI. The platform does not.
Suggested SSP asset-inventory line

Asset: BidFedCMMC (Custodia, LLC) | Category: Security Protection Asset / Out-of-Scope | CUI: None processed, stored, or transmitted | FedRAMP: Not applicable, no CUI

Defense in depth

Every layer assumes the layer above will fail.

The doctrine we teach customers is the doctrine we run on ourselves. Each control is independently verifiable. None of them is load-bearing alone.

P.01
Secure-by-default platform
Hosted on hardened, U.S.-region managed infrastructure. Network ingress is locked to TLS 1.2+ with HSTS. Default-deny egress on services that handle customer data.
P.02
Cryptographic separation of duties
The Key Encryption Key is held by AWS KMS. Application code can request a wrap or unwrap, but cannot exfiltrate a key. Engineering staff cannot read encrypted FCI without going through KMS, and every call is audit-logged.
P.03
Input validation and output encoding
Server-side validation on every state-changing route. Strict CSRF protection. Same-site session cookies. Output encoded at render to prevent injection across every surface that touches a customer string.
P.04
Supply chain hygiene
Continuous dependency scanning on every build. High and critical advisories triaged within seven business days. Lockfile-pinned releases. Production artifacts reproducible from version control.
P.05
Change control
Pre-merge human review on every change. Production deploys are gated on automated test, type, and lint pipelines plus reviewer approval. No direct production edits.
P.06
Telemetry with PII scrubbing
Application error and performance telemetry is instrumented with field-level redaction before it leaves the runtime. We collect what we need to keep the service safe; nothing else.
P.07
Continuous posture monitoring
Authentication and admin actions are logged with actor and timestamp and retained for at least twelve months. Anomalous behavior, impossible-travel sign-in, mass deletion, off-hours administrative escalation, generates alerts to a human on call.
P.08
Recoverability
Point-in-time recovery on managed data stores. Infrastructure-as-code in version control. Annual review of business-continuity and disaster-recovery posture, with a documented restoration target.
AI trust boundary

The model is scoped, logged, and never trusted with the master key.

AI is the most concentrated trust-boundary issue in modern software. We treat the model the way a careful firm treats a contractor with limited badge access: scoped, logged, and never trusted with the master key. This is the engineering under the AI Fact Sheet.

Read-mostly tools

The AI’s tools are deliberately read-mostly. The actions that carry weight, editing a response, deleting evidence, submitting an affirmation, stay human-only. The model can propose; it cannot execute the decisions that matter.

Least context

Each call receives the minimum context needed for the task, scoped to your organization before it is assembled. Long-term memory, where used, is per tenant and stays inside your boundary; it is never a shared index across customers.

Tenant-scoped retrieval

Retrieval-augmented prompts are scoped to a single tenant before they ever reach the model. A query for Tenant A cannot retrieve a record from Tenant B, enforced at the data layer, not in the prompt.

Adversarial-prompt hardening

Untrusted content (uploaded files, third-party feeds) is treated as data, not instructions. Tool calls carry capability scopes and are bounded by server-side policy, not the model’s self-restraint.

Compliance posture

We hold ourselves to the standard we sell.

The BidFedCMMC platform’s control set is designed and operated consistent with the regimes our customers must satisfy. We respond to vendor security questionnaires in writing, with citations, on request.

A word on certification, plainly. The BidFedCMMC platform has not completed a third-party audit of its own yet; it holds no SOC 2 or ISO certificate in its own name. Security is built in and documented here, resting on infrastructure and AI providers that hold current third-party attestations (see our sub-processors). An independent assessment is on the roadmap. Details are available on request at security@bidfedcmmc.com.
NIST SP 800-171 Rev. 2
Controls applicable at CMMC Level 1 implemented and mapped to assessment objectives.
FAR 52.204-21
The 15 basic safeguarding requirements operationalized at the platform layer for our own environment.
DFARS 252.204-7012(c)
72-hour breach notification commitment to customers on confirmed unauthorized access.
32 CFR Part 170
Aligned to the CMMC Program rule and its posture expectations for Level 1 self-affirmation.
OWASP ASVS
Application Security Verification Standard used as the design reference for the web tier.
73 P.S. § 2301 et seq.
Pennsylvania breach-notification commitments incorporated by reference in our contracts.
Governance

The contract you can hold us to.

Incident response

A written incident response procedure is maintained and exercised. On confirmation of unauthorized acquisition of, or access to, customer data, we will notify affected customers without unreasonable delay and within seventy-two (72) hours of confirmation, consistent with DFARS 252.204-7012(c) and 73 P.S. § 2301 et seq. We provide reasonable assistance to customers fulfilling onward notification to DoD or other contracting agencies.

Coordinated vulnerability disclosure

Researchers may report suspected vulnerabilities to security@bidfedcmmc.com or via /.well-known/security.txt. We acknowledge reports within two (2) business days and offer a good-faith safe harbor for researchers who scope testing to their own accounts and give us a reasonable window to remediate before public disclosure.

Sub-processors & residency

All sub-processors are U.S. entities operating in the United States. Production data is stored and processed in the contiguous U.S. The current sub-processor list is published at /subprocessors. Material changes are notified in advance per contract.

Provenance

Built in Pittsburgh, by people who studied this for a living.

Custodia was founded by an information security practitioner holding a Master of Science in Information Security Policy and Management from Carnegie Mellon University, the same campus that produced the CERT Coordination Center and seeded much of the doctrine inside the Cybersecurity Maturity Model Certification program. Half of CMMC is Pittsburgh and Baltimore; we sit on the Pittsburgh end of it.

That heritage is not a logo on a slide. It is the reason we wrote our key custody, tenant isolation, and AI boundary the way we did. We are operating the platform we would have wanted to audit.

Carnegie Mellon University · MS Information Security Policy & ManagementCERT / SEI heritagePittsburgh, PA
Shared responsibility

Where we end and you begin.

Security is shared in every serious platform. We are explicit about the line.

Custodia owns
Customer owns
Platform encryption & key custody
Workstation hygiene & endpoint MFA
Tenant isolation at the data layer
User roster & offboarding
Patching of Custodia services
Acceptable use of the platform
Logging & anomaly detection
Classification of uploaded data
Sub-processor due diligence
Third-party integrations you connect
Incident response within our boundary
Reporting incidents in your boundary

See the Acceptable Use Policy for the full statement of customer responsibilities.

Try the platform

Federal bid-ready in seven days.

Start your CMMC Level 1 build on the same platform you just read about. Seven days free. No credit card required.

Start 7-day free trial
No credit card · Cancel any time
Custodia, LLC · Pittsburgh, PA · Effective May 13, 2026
Powered by AWS