Security & Compliance
CMMC L2 operational today (C3PAO-assessed Azure GCC High). DCAA-ready financials. RMF-aligned engineering. CMMI-DEV ML3 practices and ISO 9001:2015 QMS implemented internally; external appraisal targeted Q3 2026 and certification audit targeted Q4 2026. Compliance posture ready for award — not planned against a ramp.
Cybersecurity Compliance Operations
CMMC Level 2 operational today — C3PAO-assessed, Azure GCC High enclave. The RDS enclave (gcch.roesslingdigital.com) is an instance of Enclave One (enclaveone.us) delivered by Ariento.
C3PAO-assessed Azure GCC High environment (enclaveone.us, via Ariento Corp.). 110+ NIST SP 800-171 controls implemented and evidenced. Audit-ready evidence repositories maintained alongside engineering artifacts.
Full control set implemented, evidenced, and version-controlled. System Security Plan (SSP) maintained as a living document. Plan of Action and Milestones (POA&M) actively managed against open action items.
Controlled Unclassified Information handled within the GCC High boundary — marking, storage, transmission, and disposal aligned to DoD standards and 32 CFR Part 2002 CUI program requirements. Export-controlled (ITAR) policies, procedures, and controls implemented per 22 CFR 120-130 in the same enclave; certification to handle ITAR data follows the first ITAR-covered engagement.
17 CMMC Level 1 practices self-assessed on the on-premise path for non-CUI workloads. Three-enclave posture (on-premise, Azure Commercial, Azure GCC High) — workload classification drives enclave placement.
Cybersecurity Supply Chain Risk Management posture established. DFARS 252.204-7012 flow-down to subcontractors, cyber incident reporting aligned to the DoD reporting portal, and software supply-chain attestation practices.
Risk Management Framework (RMF)
RMF-aligned engineering from day one — security controls selected, implemented, and continuously monitored per NIST SP 800-37 and DoDI 8510.01. Authorization artifacts formatted for direct use by authorization officials.
System Security Plans (SSP) maintained for both enclaves; Plan of Action and Milestones (POA&M) actively managed (GCC High enclave); ATO evidence packages (GCC High enclave) available. Authority to Operate and Authority to Connect preparation support. Security control selection (NIST SP 800-53), tailoring rationale documented, and control implementation evidence maintained for direct review.
Control-effectiveness monitoring, vulnerability scanning integrated into the CI pipeline, patch management cadence, and security posture dashboards. Monitoring evidence generated continuously, not assembled before assessment.
SSP as a living document, version-controlled alongside code, updated with every architectural change. SSP traceability to implementing components and test evidence.
Security Technical Implementation Guide compliance for applicable platforms (Windows Server, Linux, IIS, database tier) with scan evidence, deviations documented, and remediation commitments tracked.
Package assembly for Authorizing Officials and Configuration Control Boards. Evidence formatted for direct consumption — SSP, Security Assessment Report, POA&M, and continuous-monitoring telemetry aligned to the authorization boundary.
Security Engineering
Security designed into architecture and code from the earliest modeling phases — threat-modeled, zero-trust-architected, and DevSecOps-enforced across every RDS delivery.
STRIDE methodology integrated into design reviews. Threat-enumeration artifacts maintained alongside architecture artifacts so every design decision carries its threat context forward into implementation.
Identity-based access, micro-segmentation, least-privilege authorization, and continuous authentication across multi-enclave deployments. Zero-trust principles applied consistently across Azure Commercial, Azure GCC High, and on-premise environments.
Security gates enforced in CI/CD: SAST (Semgrep + Bandit), DAST, SCA (pip-audit + Dependabot), container scanning (Trivy, 32 images), and NDAA-889 covered-entity screen are required status checks on main — blocking before merge; 30,000+ automated tests gate every release. Secrets management via managed vaults, not repository-embedded.
Secure coding standards enforced in code review. Security training for engineering staff. Incident response drills run on cadence, not only after incidents. NIST SP 800-218 SSDF — task groups PS, PW, RV, and PO implemented per stack; all four CISA Common Form Requirement Areas at engineering readiness; SBOM (CycloneDX) + cosign + SLSA build-provenance (Azure build path); vulnerability disclosures acknowledged 24–48h, remediated on published severity-based SLA (critical 24–72h; high 7 days); SCRM aligned to NIST SP 800-161.
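The NDAA-889 covered-entity screen and the CycloneDX SBOM mentioned above pair naturally: a merge gate can read the SBOM produced for a build and refuse any component whose supplier, publisher or author names a Section 889 covered entity. The script below is an added illustration written for this page, not RDS tooling. It assumes CycloneDX JSON in which components may carry `supplier.name`, `publisher` and `author` fields (all defined by the CycloneDX schema) and matches them against the five entities named in Section 889(f)(3) of the FY2019 NDAA. The SBOM contents are constructed; a production screen would also carry a maintained subsidiary and affiliate list, which this example omits.

```python
"""Screen a CycloneDX SBOM for NDAA Section 889 covered entities (added example)."""
import json
import re

# The five entities named in NDAA FY2019 Section 889(f)(3). Matching is
# case-insensitive on the distinctive token of each name; subsidiaries and
# affiliates would need a separately maintained list (not included here).
COVERED_ENTITY_PATTERNS = {
    "Huawei Technologies Company": r"\bhuawei\b",
    "ZTE Corporation": r"\bzte\b",
    "Hytera Communications Corporation": r"\bhytera\b",
    "Hangzhou Hikvision Digital Technology Company": r"\bhikvision\b",
    "Dahua Technology Company": r"\bdahua\b",
}

# Constructed SBOM fragments for the example; component and vendor strings
# are illustrative, not real dependencies of any product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-http", "version": "1.2.3",
         "supplier": {"name": "Example Open Source Collective"}},
        {"type": "library", "name": "camera-sdk", "version": "4.0.1",
         "supplier": {"name": "Hangzhou Hikvision Digital Technology Co., Ltd."}},
        {"type": "library", "name": "lte-modem-driver", "version": "0.9",
         "publisher": "ZTE Corporation"},
    ],
})
CLEAN_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-http", "version": "1.2.3",
         "supplier": {"name": "Example Open Source Collective"}},
    ],
})


def component_parties(component):
    """Yield (field, name) for every party that identifies who made the component."""
    supplier = component.get("supplier") or {}
    if supplier.get("name"):
        yield "supplier", supplier["name"]
    if component.get("publisher"):
        yield "publisher", component["publisher"]
    if component.get("author"):
        yield "author", component["author"]


def screen_sbom(sbom_json):
    """Return one hit per (component, field) that names a covered entity."""
    hits = []
    bom = json.loads(sbom_json)
    for comp in bom.get("components", []):
        label = f"{comp.get('name')}@{comp.get('version', '')}"
        for field, party in component_parties(comp):
            for entity, pattern in COVERED_ENTITY_PATTERNS.items():
                if re.search(pattern, party, re.IGNORECASE):
                    hits.append({"component": label, "field": field,
                                 "party": party, "entity": entity})
    return hits


def sbom_gate(sbom_json):
    """True when the build may proceed: no covered entity found in the SBOM."""
    return len(screen_sbom(sbom_json)) == 0


if __name__ == "__main__":
    for hit in screen_sbom(SAMPLE_SBOM):
        print(f"BLOCK {hit['component']}: {hit['field']} '{hit['party']}' -> {hit['entity']}")
    print("gate passes:", sbom_gate(SAMPLE_SBOM))
```

Run as a required status check, a non-empty hit list fails the job and blocks the merge; the hit record keeps the field and the exact vendor string so a reviewer can see what matched and why, which is the machine evidence the attestation row for Section 889 relies on.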
CISA Common Form SSDF attestation — all four Requirement Areas at engineering readiness; CO-facing conformance statement prepared; Form signed and submitted on award (EO 14028 §4(g); OMB M-22-18 / M-23-16).
Role-based and attribute-based access controls (RBAC and ABAC), least-privilege enforcement, privileged-access workflow governance, and audit logging of access events aligned to NIST SP 800-63 digital identity guidelines.
Acquisition Compliance
The federal acquisition compliance stack is operational today — FAR/DFARS/HHSAR/VAAR coverage spanning VA opportunities, DCAA-ready financial systems, and contract-readiness evidence assembled for direct use in proposal and award flows.
1,750-entry compliance clause library auto-ingested from eCFR (Title 48 Chapters 1, 2, 3, 8) with pipeline synchronization. Used internally for RFP/RFQ compliance review, Section L/M extraction, and SOW drafting — and available as a delivery capability to customers. VAAR coverage included for VA opportunities.
Safeguarding covered defense information per DFARS 252.204-7012. Cyber incident reporting posture established and tested against the DoD reporting portal. Flow-down to subcontractors documented.
DCAA-ready accounting, timekeeping, and project cost management operational today. SF 1408 Pre-Award Survey ready. Supports FFP, T&M, LH, CPFF, and CPAF contract types with audit-ready cost accounting practices for each.
RDS-built Property Management System aligned to FAR 52.245-1, FAR Part 45, and DFARS 252.245-7001/-7002/-7003/-7004 — one policy, eight standard operating procedures, and a monday.com-hosted workspace running 29 automations across six boards, all designed and operated by RDS. Sequential RDS-GFP-NNNN identification with mandatory evidence attachments gating every lifecycle status change. Holding 16 corporate IT assets under PMS rigor today; 8 of 10 FAR 52.245-1 outcomes operational against the hybrid-bridge scope. Ready for DCMA Property Management System Analysis (PMSA) on Contracting Officer request — record-to-floor and floor-to-record sampling supported today, extending to GFP rows on first receipt. Self-accreditation v2.0 published.
Financial-system audit-ready evidence maintained: labor distribution reports, unallowable-cost segregation, indirect-cost allocation documentation, and timekeeping traceability.
Posture aligned to DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements), 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements), and 252.204-7021 (Cybersecurity Maturity Model Certification Requirements). SPRS score current and posted.
Quality Management
Quality management systems operational, with external audits scheduled — the discipline behind RDS's evidence-first engineering culture.
Defined processes and tailored implementations in use across the engineering organization. Process discipline aligned to CMMI-DEV Maturity Level 3 practices internally. External appraisal scheduled to target Q3 2026 — roadmap covers appraisal sponsor selection, readiness review, and SCAMPI A appraisal.
Quality Management System implemented per ISO 9001:2015 internally. Process documentation, management review rhythm, internal audit cadence, and customer feedback loops established. External certification audit scheduled to target Q4 2026 — roadmap covers registrar selection, stage-one documentation review, and stage-two on-site audit.
Every capability claim traces to production code, a test suite, a compliance certification, or a past-performance narrative. Evidence is generated as a byproduct of operations.
CAPA discipline integrated into operational rhythm. Post-incident reviews, process-metric analysis, and management-review action items tracked to closure with evidence.
Quarterly management review, annual quality objective cascade, and improvement-initiative tracking. Quality posture that demonstrably gets better over time — and the evidence to show it.
Accessibility & Section 508
Accessibility built into the delivery pipeline — not bolted on before acceptance. Section 508 conformance (36 CFR 1194) and WCAG 2.1 AA are engineering defaults across RDS products and customer deliverables. As of 2026-06-09, 7 of 11 RDS products carry Current published Accessibility Conformance Reports meeting our POL-A11Y-001 publish bar — every WCAG 2.1 Level A + AA success criterion dispositioned, zero Not Evaluated rows, manual keyboard + NVDA / Chrome baseline AT evidence on file. Essential for federal civilian and DoD (Section 508 / 36 CFR 1194), state and local government (ADA Title II), federal grant recipients (Section 504), EU and UK customers (EAA + Equality Act), and any enterprise where WCAG 2.1 AA is the de-facto procurement baseline.
Delivery aligned to the Revised Section 508 Standards. Functional performance criteria (FPC) tested across perception, operation, and understanding. ICT procurement, development, and maintenance flows supported end-to-end.
WCAG 2.1 AA enforced as the default conformance target across all RDS web applications and customer deliverables. Agentic test harnesses exercise both automated scanning (axe-core, Lighthouse) and manual assistive-technology test paths as part of CI. eslint-plugin-jsx-a11y is an active blocking CI gate on all 11 RDS product frontends today — a pull request that introduces a WCAG-flagged HTML pattern cannot land in main.
VPAT 2.4 INT Accessibility Conformance Reports filed per RDS-delivered software product. Portfolio status as of 2026-06-09 (v1.3 of the customer-facing portfolio statement): 7 of 11 products carry Current published ACRs — 5 with zero axe violations; 2 (rfx_response and full_product_life_cycle) with all findings formally exception-backed under documented Fluent UI library exceptions with monitored upstream trackers. Per-product manual keyboard + NVDA / Chrome baseline AT evidence on file. Customers can request any product’s ACR by name; the underlying axe JSON for each scan is retained alongside the published ACR.
Third-party-component findings — chiefly inside Microsoft Fluent UI v9 internal markup that RDS does not own — carry documented exceptions with upstream tracker links and 90-day re-review dates per our PROC-ACR-001 § Exceptions procedure. No accessibility rule is silently disabled anywhere in our code or scan configuration. Two exceptions are active today (EXC-A11Y-001 Breadcrumb, EXC-A11Y-002 Tabster); both have been stress-tested against the latest Fluent UI v9 release without retirement, with the negative-result evidence recorded so the next reviewer doesn’t re-do the experiment.
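The exception handling described in the two paragraphs above (findings in third-party markup carried under documented exceptions with an upstream tracker and a 90-day re-review date, rather than a disabled rule) can be enforced mechanically over the retained axe JSON. The script below is an added illustration for this page, not RDS's PROC-ACR-001 tooling. It assumes axe-core's JSON result shape (a top-level `violations` list whose entries carry `id`, `impact` and `nodes`, each node with a CSS `target` selector list) and a constructed exceptions register; the exception ids, selectors, tracker URL and dates are constructed for the example.

```python
"""Gate axe-core results against an accepted-exceptions register (added example)."""
import json
from datetime import date, timedelta

# Constructed register. Each entry scopes one rule to one selector prefix and
# records the upstream tracker and the date of the last review; nothing here
# disables a rule globally.
EXCEPTIONS = [
    {"id": "EXC-A11Y-EXAMPLE-1", "rule": "aria-required-children",
     "selector_prefix": ".fui-Breadcrumb",
     "tracker": "https://example.invalid/upstream/issue/1",
     "reviewed": "2026-05-01"},
]
REVIEW_WINDOW = timedelta(days=90)  # re-review cadence from the procedure above

# Constructed axe-core style output for one page scan.
SAMPLE_AXE_JSON = json.dumps({"violations": [
    {"id": "aria-required-children", "impact": "critical",
     "nodes": [{"target": [".fui-Breadcrumb > ol"], "html": "<ol>...</ol>"}]},
    {"id": "color-contrast", "impact": "serious",
     "nodes": [{"target": ["#footer > p"], "html": "<p>...</p>"}]},
]})
# Same scan with only the exception-backed finding present.
SAMPLE_AXE_JSON_EXCEPTED_ONLY = json.dumps({"violations": [
    {"id": "aria-required-children", "impact": "critical",
     "nodes": [{"target": [".fui-Breadcrumb > ol"], "html": "<ol>...</ol>"}]},
]})


def exception_for(rule, target, today):
    """Return the live exception covering (rule, target), or None.

    An exception whose last review is older than REVIEW_WINDOW no longer
    covers anything: the finding surfaces again until someone re-reviews it.
    """
    for exc in EXCEPTIONS:
        if exc["rule"] != rule or not target.startswith(exc["selector_prefix"]):
            continue
        if today - date.fromisoformat(exc["reviewed"]) > REVIEW_WINDOW:
            continue  # expired; keep looking, otherwise the finding blocks
        return exc
    return None


def evaluate(axe_json, today_iso):
    """Classify every violation node as 'excepted' or 'blocking' as of today_iso."""
    today = date.fromisoformat(today_iso)
    report = {"excepted": [], "blocking": []}
    for violation in json.loads(axe_json)["violations"]:
        for node in violation["nodes"]:
            target = node["target"][0]
            entry = {"rule": violation["id"], "impact": violation["impact"],
                     "target": target}
            exc = exception_for(violation["id"], target, today)
            if exc is None:
                report["blocking"].append(entry)
            else:
                entry["exception"] = exc["id"]
                entry["tracker"] = exc["tracker"]
                report["excepted"].append(entry)
    return report


def a11y_gate(axe_json, today_iso):
    """True when the scan may pass: every finding is covered by a live exception."""
    return not evaluate(axe_json, today_iso)["blocking"]


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_AXE_JSON, "2026-06-09"), indent=2))
    print("gate passes:", a11y_gate(SAMPLE_AXE_JSON, "2026-06-09"))
```

Two properties matter for an assessor: a finding outside any exception's rule and selector scope blocks regardless of how many exceptions exist, and an exception silently ages out, so a stale 90-day review turns a previously green scan red rather than letting the exception become permanent.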
Keyboard-only navigation, screen reader (NVDA, JAWS, VoiceOver), magnification, and color-contrast validation on critical user paths. Accessibility regressions gated alongside functional regressions.
Accessibility posture aligned to VA Handbook 6102 / VA Section 508 program expectations and federal civilian agency 508 program offices. Compatible with agency-run Trusted Tester or Section 508 Coordinator validation workflows.
Evidence & Continuous Assurance
Compliance evidence generated continuously as a byproduct of operations — surfaced to program offices, auditors, and accreditors on request, with current evidence available at any point in the assessment cycle.
Version-controlled evidence repositories mapped to CMMC, NIST SP 800-171, DCAA, and program-specific control catalogs. Evidence available on request, timestamped, and traceable to the practice or control it supports.
Control-effectiveness telemetry integrated with the engineering observability stack. Controls monitored continuously through OpenTelemetry-backed dashboards that surface control health alongside operational metrics.
Monthly compliance digests, quarterly control-effectiveness summaries, and annual audit-support packages. Reports formatted for program-office, accreditor, and executive consumption — each audience getting what it needs.
Named points-of-contact for C3PAO, DCAA, and accreditor engagements. Pre-assessment readiness reviews. Response windows scoped in weeks, not quarters — assessor-facing posture built into the ongoing operational rhythm.
Open posture reporting to program offices — including open POA&M items, control deviations, and remediation status. Assessor-friendly transparency built into the reporting cadence.
Government Compliance Attestations
One row per requirement RDS attests to — what is attested, how it is validated, and how often it refreshes. Each row is bound to a signed instrument and a version-controlled evidence location; the complete matrix with its evidence index is available to contracting officers on request.
| Requirement | What RDS attests | Validation | Refresh |
|---|---|---|---|
| NIST SP 800-161r1 C-SCRM | Controls fully aligned — 39 of 41 assessed controls implemented, 2 N/A justified (signed self-assessment worksheet) | Self-assessed; inherited NIST SP 800-171 foundations for CUI handling | Quarterly |
| NIST SP 800-171 / CMMC L2 — CUI handling | CUI work performed inside a C3PAO-assessed CMMC Level 2 boundary (Microsoft 365 GCC High, operated by Ariento enclaveOne); RDS-specific assessment planned | Inherited third-party (C3PAO) | Semiannual supplier review |
| CMMC Level 1 — FCI | On-premises development and delivery enclave self-assessed (17 practices); SPRS affirmation per contract | Self-assessed with evidence | Annual |
| NIST SP 800-218 SSDF / EO 14028 | Engineering readiness complete across all four CISA Common Form requirement areas; security gates required for merge | Self-assessed + operational CI evidence | Quarterly |
| CISA Secure Software Development Attestation | Readiness attested under signature; the Common Form is executed for the contracting officer at award | Self-assessed | At award |
| DFARS 252.204-7012 / -7019 / -7020 / -7021 | 72-hour incident-reporting procedures operational; SPRS posture current; flow-down to CUI-handling subcontractors | Self-assessed | Annual program review |
| NDAA Section 889 | No covered telecommunications equipment or services; automated screen on every code change plus a procurement gate | Operational (continuous machine evidence) | Continuous |
| Supply-chain flow-down | SCRM and security riders executed with both teaming partners, including the partner code-of-conduct acknowledgment | Executed contracts | Per new partner |
| Section 508 / WCAG 2.1 AA | VPAT 2.4 ACRs published per product with an accepted-exceptions register | Self-assessed + automated scans | Per release |
| 32 CFR Part 2002 — CUI | CUI handled exclusively in the GCC High environment; marking and media protection per policy | Self-assessed + inherited | Quarterly |
| FAR reps & certs / FOCI / VOSB | U.S.-citizen sole ownership with no foreign ownership, control, or influence; SAM current; SBA-certified VOSB | Federal registries | Annual |
| Business continuity | Formal continuity plan with a named crisis-management team and annual tabletop exercise | Self-assessed | Annual |
| SF 1408 / FAR Part 31 accounting | DCAA-Ready: accounting and timekeeping designed to the SF 1408 pre-award survey criteria, self-assessed; the survey itself is executed by the CO or DCAA | Self-assessed | Annual; refreshed before cost-type proposals |
| FAR 52.245-1 property management | Operational RDS-built Property Management System; self-accredited and PMSA-ready | Self-accredited | Annual physical inventory |
| Quality management | QMS operating per the quality self-accreditation; ISO 9001:2015 certification in progress | Self-accredited | Per certification plan |
Stated boundaries. ISO 9001:2015 and CMMI-DEV L3 are in progress, not yet held. No FedRAMP authorization is held or claimed — Microsoft cloud platform authorizations are Microsoft’s, and customer-directed deployment into FedRAMP-authorized environments is supported per program. Facility clearance is available upon contract sponsorship. ITAR readiness (policy, procedures, training, controlled-data environment) is in place; DDTC registration executes at the first contract requiring it.
Past Performance
The security proof point most directly relevant to this pillar: the CMMC L2 posture RDS built and runs for itself today.
RDS Internal CMMC L2 Posture (2025–Present)
RDS designed, stood up, and operates a C3PAO-assessed CMMC Level 2 environment for its own customer-facing work — Azure GCC High enclave with 110+ NIST SP 800-171 controls enforced, SSP and POA&M maintained, DCAA-ready financials, and continuous monitoring integrated with the engineering stack. The compliance posture RDS delivers to customers is the same posture it built and operates itself.
SECRET clearance, reinstatement eligible. Facility Clearance available upon contract sponsorship.
Cleared for Your Award
CMMC L2 operational. DCAA-ready. RMF-aligned. CUI work supported without a post-award compliance ramp; ITAR-Ready posture (first ITAR-covered engagement required for certification).