Industry · Government, Defense & Aerospace

Built for the Audit, Not Just the Click

An audit trail and access model architected around the same control families your CMMC and NIST SP 800-171 assessors already evaluate — segregation of duties enforced in code, not just in policy.

What DIB primes and subs actually need from vendor tooling

A phishing-simulation click rate is a nice number for a slide. It's not what a CMMC assessor or a prime's supply-chain security review actually asks for — they want a vendor whose own tool produces auditable evidence and enforces separation of duties by construction, the same way your own systems are expected to.

campaign.approved (audit action)

Maker-checker, enforced in code

Every campaign can require a second, distinct approver before it launches — and the system enforces that a creator can never approve their own campaign. Separation of duties as a hard constraint, not a policy someone has to remember to follow.

UPDATE … SET x = GREATEST(x, :v)

An append-only, tamper-resistant audit trail

Every campaign action and every access to sensitive per-recipient data is logged with an atomic write — the kind of append-only, tamper-resistant record an AT-family control review is built to check for.

crypto_vault.py · operators.mfa_secret_ciphertext

Administrative & Cryptographic Hardening

Every operator account requires TOTP multi-factor authentication to sign in, and every stored credential — including those MFA secrets themselves — is protected under host-isolated envelope encryption, a per-secret data key wrapped by a master key that never leaves this host's environment. Baseline admin-account hardening a DIB supply-chain security review checks for independently of any single campaign.

What this maps to on your compliance calendar

Architectural controls, not certifications — this is the evidence our platform contributes to a program you already run.

FrameworkWhat we contribute
CMMC 2.0 / NIST SP 800-171
(AT family)
An append-only audit trail plus three-tier RBAC (Admin / Operator / Read-only) map directly to the Awareness & Training control family assessors check for.
NIST SP 800-171
(AC family)
Role-gated access to campaign data and per-employee results, with every sensitive read logged, supports the Access Control family's least-privilege and audit-logging expectations.
FedRAMP-aligned architecture Not a FedRAMP authorization — we hold none. The platform is architected around the same control families FedRAMP assessors evaluate, which shortens the gap analysis if your program later requires it.
PhishArmory does not hold CMMC certification or FedRAMP authorization. This describes the architectural controls we contribute as evidence within your own compliance program — verify current certification status independently before relying on it in a procurement decision.