Built for federal contracting

Security that meets
the bars federal contractors live under.

ManageMyGov was built from day one for the SMBs that handle CUI and live under DFARS / NIST 800-171 flow-downs from primes — not retrofitted onto a generic SaaS platform. Database-per-tenant isolation, role-based access with per-contract scoping, MFA, fraud detection, and AWS-native hardening evaluated continuously against NIST 800-53, 800-171, and CIS v5.

Start free trialRequest a security review
Operational today

Hosted on AWS FedRAMP-authorized infrastructure.

The underlying infrastructure layer that ManageMyGov runs on — physical data centers, network fabric, hypervisor, hardware lifecycle — is operated by AWS under a current FedRAMP authorization. Commercial regions hold FedRAMP Moderate; AWS GovCloud (US) holds FedRAMP High.

Under AWS's shared-responsibility model, ManageMyGov inherits the physical and infrastructure controls from AWS's authorization (roughly 25–30% of the FedRAMP control catalog). The application-layer controls — identity, access, data isolation, audit, encryption-in-use, secure SDLC — are ManageMyGov's responsibility and are documented across the rest of this page. Application-level FedRAMP authorization for ManageMyGov itself is on the compliance roadmap below.

Current deployment
  • Region · AWS us-east-2 (commercial)
  • FedRAMP authorization · Moderate (at infra layer)
  • DR region · us-east-1 (cross-region backups)
  • GovCloud-capable · Yes — for CUI customers
AWS holds 100+ compliance certifications including SOC 2, ISO 27001, HIPAA, ITAR, DoD IL2/4/5.
Application security

Four pillars, all live in production today.

Tenant isolation

Every tenant gets their own database. Not a row in a shared table.

  • Each customer is provisioned a dedicated PostgreSQL database (`tenant_<uuid>`) on our managed RDS cluster — schema-per-tenant is not enough for federal contracting.
  • Cross-tenant query is structurally impossible: no shared rows, no shared schemas, no FK across the tenant boundary.
  • Platform metadata (login routing, plans, billing) lives in a separate `mmg_platform` database with its own credentials and a session-scoped lookup pattern.
  • Row-Level Security (RLS) layered on every tenant table as defense-in-depth even though the structural isolation already enforces the boundary.
Role-based access

8 roles. 26+ capabilities. Per-contract scoping for field workers.

  • Contractor-tenant roles: `owner`, `admin`, `member`, `billing_admin`, `contractor`, `vendor`. Agency-tenant roles: `agency_admin`, `agency_viewer`.
  • `billing_admin` lets you delegate Stripe portal access to an external accountant without granting any operational visibility into contracts, invoices, or team data.
  • `contractor` and `vendor` roles are scoped by `allowed_contract_ids` — a field tech only sees the specific contracts they're assigned to, never the rest of your portfolio.
  • Server-side capability gates run on every API route via `requireCapability(...)`. No "the UI hides it" security.
Authentication & MFA

TOTP self-service for everyone. Tenant-wide enforcement for Pro+.

  • AWS Cognito-backed authentication with a 12-character password policy (upper/lower/numeric/symbol required), 3-day temporary password validity, and AdvancedSecurityMode threat protection.
  • Authenticator-app TOTP available to every user on every plan via the `/profile` self-service flow (Authy / Google Authenticator / 1Password).
  • Pro+ tenants can flip a single Settings toggle to **require** MFA for every team member — login gate enforces enrollment before any tenant data loads.
  • Sessions use iron-session with secure HTTP-only cookies and short TTLs; password reset and MFA reset flows are fully audit-logged.
Fraud + abuse detection

Signup blocklist on IP, email, and card fingerprint.

  • Every signup captures the source IP. Stripe webhooks capture and persist card fingerprints (no PAN stored). Suspending a tenant automatically adds owner email, signup IP, and card fingerprint to the platform-wide blocklist.
  • `/admin/suspicious-trials` clusters trial accounts by shared IP, email, and card — surfaces likely fraud rings before they convert.
  • 5-day default trial with hard cutoff after 2-day grace period prevents extended free-rider abuse; lockout state restricts UI to `/upgrade`, `/settings`, and `/profile` only.
  • Stripe duplicate-subscription guard re-queries Stripe on every checkout call to self-heal local DB drift and prevent the same customer from being charged 3× for parallel Pro subs.
Infrastructure hardening

Continuously evaluated against the right standards.

Every item below is a live AWS resource configuration — verifiable via AWS CLI in under a minute. Not aspirational; not "we plan to."

Audit trail

  • CloudTrail multi-region with log file validation enabled (trail: `mmg-audit-trail`).
  • CloudTrail S3 bucket has versioning enabled — log immutability without Object Lock complexity.
  • AWS Config recorder captures every resource state change, 24h snapshot delivery, all resource types including global IAM.
  • Per-tenant `audit_log` table records every write (capability check, who, when, before/after).

Threat detection

  • GuardDuty active across the full account (detector: `18cecb0d4e79717376a7cf6dc00b4159`) — surfaces suspicious API calls, IAM credential exfiltration, crypto mining, and reconnaissance.
  • AWS Security Hub aggregates findings against **NIST 800-53 Rev 5** (FedRAMP Moderate baseline), **NIST 800-171 Rev 2** (CMMC L2 baseline), **CIS AWS Foundations v5.0.0**, and **AWS Foundational Security Best Practices**.
  • AWS Inspector continuous vulnerability scanning enabled for EC2, ECR, Lambda, and Lambda code — not a one-time scan.
  • CloudWatch metric filters tail PM2 application logs for ERROR / Unhandled / FATAL patterns; ≥5 errors in 5 minutes pages the on-call email + SMS.

Network

  • WAF Web ACL in front of CloudFront with 4 managed rule groups in **Block mode**: AmazonIpReputationList, CommonRuleSet (with intentional Count exceptions for SF1449 file uploads), KnownBadInputsRuleSet, SQLiRuleSet.
  • VPC Flow Logs enabled on all 3 production VPCs (`fl-0cb1bf238007446d4`, `fl-07bdc3d5acdee748d`, `fl-0960e24b50524e4b7`) with 90-day retention.
  • Public-facing surface terminated at CloudFront → nginx → app. PM2 binds to `0.0.0.0` only inside the VPC, never publicly exposed.
  • TLS 1.2+ enforced on every entry point — CloudFront default protocol policy is `TLSv1.2_2021`.

Data

  • AES-256 at rest on every tenant database, every S3 bucket, and the CloudTrail / Config / Flow-Log archive buckets.
  • RDS automated backups retained 14 days with point-in-time recovery (PITR active, latest restorable time < 10 minutes).
  • A permanent named snapshot (`mmg-pre-launch-baseline-20260417`) is held as a rollback anchor that survives backup retention rotation.
  • Production RDS instance and the legacy Aurora cluster both have **DeletionProtection = true** — accidental drop is blocked at the AWS API layer.
  • Application secrets (DB passwords, API keys, session secrets) live in AWS Secrets Manager, never in `.env.local` and never in source control. EC2 instance fetches via IAM role, no secrets ever cross human hands.
Compliance posture

Live now — and the dates we're working toward.

We disclose compliance status upfront rather than bury it. "Operational" means live and continuously evaluated; "In progress" means active work with target dates; "On the roadmap" means a planned investment with public timing.

AWS FedRAMP-authorized infrastructure
Operational
Hosted on AWS, which holds FedRAMP Moderate authorization in the commercial regions and FedRAMP High in AWS GovCloud (US). ManageMyGov inherits the physical, environmental, hypervisor, and network-fabric controls from AWS’s authorization; application-layer controls (the rest of this page) are evaluated independently.
NIST 800-53 Rev 5 alignment
Operational
Security Hub continuously evaluates the AWS account against the full FedRAMP Moderate baseline (300+ controls). Live posture available to prospects under NDA.
NIST 800-171 Rev 2 alignment
Operational
Security Hub continuously evaluates the AWS account against the CMMC L2 baseline (110 controls). Maps directly to DFARS 252.204-7012 flow-downs.
CIS AWS Foundations v5
Operational
Current best-practice AWS hardening benchmark — continuously evaluated, drift surfaced as Security Hub findings.
SOC 2 Type I
In progress
Controls operational. Drata signed and onboarding active (2026-05); continuous control monitoring live. Type I attestation in 2027.
CMMC Level 2 self-attestation
In progress
NIST 800-171 control set actively being mapped to product evidence. Self-attestation target: month 6.
SOC 2 Type II
On the roadmap
Following Type I. Target: month 12.
CMMC L2 C3PAO assessment
On the roadmap
Following self-attestation, scheduled with an authorized C3PAO. Target: month 12.
FedRAMP Moderate ATO
On the roadmap
Long game, gated on agency sponsorship. Target: month 18-24. SOC 2 + CMMC overlap reduces FedRAMP cost ~40%.
AWS GovCloud (US) deployment
In progress
Commercial production runs in AWS us-east-2. GovCloud (US-West) account baselined and Federal-tier deployment available for customers handling CUI or operating under prime-contract flow-down requirements. Custom-quoted; contact sales@managemygov.org.
Operational security

How we run it, day to day.

Incident runbook

`docs/RUNBOOK.md` covers app outage, DB errors, Cognito issues, WAF false-positive, Lambda failures, malware-handler escalation, support-data access procedures, and breach notification. 1-hour business-hours response SLA.

Availability target

99.5% monthly uptime measured at the application HTTP health endpoint. Multi-AZ RDS, multi-instance EC2 behind an ALB, and cross-region AWS Backup eliminate single-instance failure modes. Scheduled maintenance windows (Sunday 02:00-04:00 ET) announced 48+ hours in advance and excluded from the target.

Backup & recovery

Continuous transaction logs (5-minute RPO) with 35-day point-in-time recovery. Daily cross-region backup of database, EC2 AMIs, and S3 stores. Vault Lock protects backup vaults from deletion. Annual DR game-day testing; restore drills documented in `app/runbooks/disaster-recovery.md`.

Subprocessors

AWS (cloud infrastructure — commercial and GovCloud), Anthropic PBC (AI inference, no training on customer data, no retention), Drata Inc. (compliance monitoring, SOC 2 Type II certified), Stripe Inc. (billing only, no tenant data). Full list with DPA links available under NDA. Material subprocessor additions notified 30 days in advance per MSA.

Incident notification

Confirmed security incidents affecting customer data are notified within 72 hours of confirmation, with a written incident report within 14 days describing nature, scope, and remediation. Notification commitments in writing are documented in the MSA Section 11.3.

Pre-launch security review

Independent code review completed pre-launch with 3 critical, 5 high, and 6 medium findings. All 3 critical and the load-bearing high-severity items remediated; medium items tracked in normal iteration.

Vulnerability disclosure

Email security@managemygov.org. We acknowledge within 24 hours, scope within 72, and credit researchers in the changelog when fixes ship. No legal action against good-faith research.

Data export & deletion

Tenants can export every resource type (contracts, deliverables, invoices, opportunities, documents, knowledge, modifications) as CSV or printable HTML at any time. On contract termination, complete machine-readable export provided within 30 days; data deleted within 90 days except as held in routine backups before scheduled deletion or as required by law.

Trust contacts

Direct paths for security researchers, prospects under evaluation, and customers with active flow-down requirements.

Vulnerability disclosure
security@managemygov.org
Coordinated disclosure. 24h ack, 72h scope, credit on fix.
Privacy & data requests
privacy@managemygov.org
GDPR-style data export, deletion, and access requests.
Procurement & evaluation
sales@managemygov.org
Security questionnaires (CAIQ, SIG, SOC 2 bridge letter), NDA, BAA.
Live AWS posture (NDA)
security@managemygov.org
Security Hub findings against NIST 800-53, 800-171, CIS v5 — under NDA.