# NIST SP 800-171 Self-Attestation — Apache-3 Inc.

**Document version:** 1.0
**Effective date:** 2026-05-20
**Next review:** 2026-11-20

Apache-3 Inc. is an SBA-certified Service-Disabled Veteran-Owned Small Business (SDVOSB), VOSB, Native American-Owned, Minority-Owned, and Small Disadvantaged Business based in Oberlin, Kansas. UEI: JQMHLJNNJYN1. CAGE: 8DFR5.

This document is a self-attestation of Apache-3's posture against the NIST Special Publication 800-171 Rev. 3 control families. It is intended for use in federal contracting and enterprise sales conversations where the customer asks "what is your security posture relative to NIST 800-171?"

## Scope

This attestation covers Apache-3's operational environment as of the effective date. Specifically:

- Workstations used by Apache-3 employees and key personnel
- Cloud-hosted SaaS tools used in the normal course of business (email, calendar, payments, hosting, AI services)
- Document storage (cloud-hosted, encrypted)
- Customer-facing assets (websites, public PDFs)

This attestation does NOT cover:

- Customer-owned systems Apache-3 staff log into during a delivery engagement
- Customer-furnished equipment
- Federal CUI (Controlled Unclassified Information) stored by Apache-3 (none; Apache-3 has not been awarded a federal contract requiring CUI handling as of the effective date)

## Posture by control family

### 3.1 Access Control

- Multi-factor authentication is enforced on all SaaS accounts where the platform supports it (Google Workspace, GitHub, Stripe, Supabase, Vercel, Resend, Anthropic API, OpenAI API).
- Least-privilege role assignment is used for cloud platforms (e.g., GitHub team-based permissions, Vercel project-scoped tokens, Supabase project-scoped service-role keys).
- Session timeouts on browser-based admin consoles follow the platform default (typically 8 hours).
- No shared accounts are used for any system.

### 3.2 Awareness and Training

- All Apache-3 personnel complete annual security-awareness training (in-house material aligned to FAR 52.204-21 and NIST 800-171 3.2.1-3.2.2 requirements).
- Phishing-simulation drills run quarterly.

### 3.3 Audit and Accountability

- All cloud platforms with audit logging have it enabled:
  - GitHub: audit log retained per platform retention.
  - Supabase: project audit log retained per project tier.
  - Stripe: full event log retained indefinitely.
  - Vercel: deployment and access logs retained per plan.
- No CUI is currently stored on Apache-3 systems; CUI-specific audit retention requirements (3.3.4) would be activated upon award of a CUI-handling contract.

### 3.4 Configuration Management

- Workstation baseline: macOS or Windows with FileVault/BitLocker disk encryption, current OS updates, and no administrator rights by default on user accounts.
- Cloud platform configurations are documented in workspace-admin (private repo).
- Software inventory is reviewed quarterly, using the output of the daily-check scripts.

### 3.5 Identification and Authentication

- Strong passwords are enforced via a password manager (managed by each individual contributor; a centralized password vault is recommended for CUI work).
- MFA enforced where supported.
- No default / vendor-supplied credentials are in use.

### 3.6 Incident Response

- The incident response runbook is published at apache3.com/public/compliance/incident-response-runbook.md.
- Incident reporting addresses: s@apache-3.com (primary), apache3corp@gmail.com (backup).

### 3.7 Maintenance

- Workstation OS updates applied within 30 days of release (90 days for major version upgrades unless a critical CVE is involved).
- Cloud platform maintenance is the platform's responsibility (SaaS shared-responsibility model).

### 3.8 Media Protection

- No removable media (USB drives, optical discs) are used for business data.
- Cloud-stored data is encrypted in transit (TLS) and at rest (per-platform AES-256).

### 3.9 Personnel Security

- All Apache-3 personnel sign confidentiality agreements at the start of their engagement.
- Background-check posture is documented per role; CUI-handling work would trigger an enhanced background check requirement.
- Departing personnel: account access is revoked within 1 business day of departure.

### 3.10 Physical Protection

- Workstations are kept at residences or in locked offices.
- No physical files contain customer data.
- HQ at 118 E COMMERCIAL ST STE 2, OBERLIN, KS 67749 is a leased office.

### 3.11 Risk Assessment

- Vendor risk is reviewed before adoption of any new SaaS tool.
- Quarterly review of risk register (workspace-admin/docs/risk-register.md, private).

### 3.12 Security Assessment

- Self-assessment is performed annually and documented in this attestation.
- Third-party assessment posture: not yet engaged. Apache-3 would engage a third-party assessor (e.g., a C3PAO under the CMMC ecosystem) if awarded a contract requiring CMMC Level 2 or higher verification.

### 3.13 System and Communications Protection

- All Apache-3 sites use HTTPS with TLS 1.2 or higher.
- Cloud platforms use TLS for all in-transit data.
- No public-facing application accepts customer secrets (e.g., no API key submission forms).

### 3.14 System and Information Integrity

- OS-level antimalware is enabled on all workstations (macOS XProtect / Windows Defender).
- SaaS platforms provide their own integrity protections.
- Security advisories from key vendors (Anthropic, Stripe, Supabase, Vercel, GitHub) are monitored, reviewed, and acted on according to their severity.

## CMMC posture

Apache-3 self-assesses at CMMC Level 1 (the FCI / FAR 52.204-21 level) as of the effective date. Apache-3 has not pursued CMMC Level 2 (NIST 800-171 full-implementation) certification because no current contract requires it. Apache-3 will pursue CMMC Level 2 certification when a relevant contract opportunity requires it.

## Caveats and limitations

- This is a self-attestation, not a third-party assessment. Apache-3 has not engaged a CMMC Third-Party Assessment Organization (C3PAO).
- Apache-3 currently does not store CUI on its systems. The above posture should be re-evaluated and likely strengthened for CUI-handling engagements.
- Specific contracts may impose security requirements beyond NIST 800-171; this attestation is a baseline.

## Contact

For questions about this attestation, or to request an SSP (System Security Plan) tailored to a specific contract requirement, contact:

**Snake Blocker, President / CEO**
Apache-3 Inc.
s@apache-3.com
+1 (720) 707-9461

---

*This document is provided for informational purposes only and does not constitute a contractual commitment. Specific contract security requirements supersede this baseline.*
