Apache-3 · Compliance
Compliance posture, in the open.
Apache-3 publishes the security policies, contracting templates, and compliance attestations we use in customer engagements. Federal contracting officers, enterprise security reviews, and small-business peers can read what we actually do.
Honest note. Apache-3 is self-attested for NIST 800-171 baseline and CMMC Level 1. We are NOT yet SOC 2 Type I or CMMC Level 2 attested. We will pursue formal attestation when a customer engagement requires it.
Federal compliance
Documents used when responding to RFPs that require security posture disclosure.
NIST SP 800-171 Self-Attestation
Apache-3's posture against each of the 14 NIST 800-171 control families. CMMC Level 1 baseline; Level 2 path documented.
SOC 2 Readiness Checklist
Current state against AICPA Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). What's done; what remains for Type I attestation.
Customer contracting templates
Starting points for commercial enterprise and state/local government engagements.
Master Services Agreement (template)
Kansas-governed MSA template. SOW-based engagement structure, 1.5%/mo late fee, 12-month liability cap, mutual confidentiality, customer-owns-deliverables with Apache-3 anonymized methodology license.
Data Processing Agreement (template)
GDPR-style DPA with 72-hour breach notification, sub-processor list, US-only data residency, Annex A technical/organizational measures.
Internal security policies
The actual policies governing Apache-3 operations. Published as a transparency signal.
Information Security Policy
Acceptable use, access management, workstation security, data classification, credentials, vendor management, incident response, awareness training. Reviewed annually.
Vendor Management Policy
Critical / Important / Supporting vendor tiers. Onboarding, monitoring, and offboarding workflows. Current vendor inventory and risk assessment cadence.
Incident Response Runbook
NIST SP 800-61-aligned IR process. P0-P3 severity classification. Customer and regulatory notification timelines. Common scenario playbooks (compromised credential, lost device, phishing, vendor-side breach).
Need something specific?
For System Security Plans (SSPs), Plans of Action & Milestones (POA&Ms), customized DPAs, or per-contract security attestations, contact us at s@apache-3.com.