How Bedrock CMMC Protects Your Data
We treat all customer data as Controlled Unclassified Information (CUI). Even when your data may not carry a formal CUI designation, we apply the full rigor of NIST SP 800-171 and CMMC Level 2 controls to everything on the platform.
Our Commitment
An attacker with access to your compliance documentation would have a roadmap to your security gaps. We don't treat customer data casually. Access is restricted to authenticated, authorized users with a legitimate need. Data is encrypted in transit and at rest using FIPS-validated cryptographic modules. All access is logged and auditable. Data isolation is enforced at the application and database layers — your data is never commingled with another organization's.
Platform Architecture
Defense-in-depth at every layer, built on FedRAMP Moderate authorized infrastructure.
Only the Application Load Balancer faces the internet. No application servers or databases are internet-accessible. All traffic enters through HTTPS only.
Containerized services on AWS Fargate with no direct internet access. Each container runs in its own Firecracker microVM with read-only filesystems and non-root execution.
Aurora PostgreSQL in private subnets with zero internet access. All connections require TLS and IAM authentication — no database passwords stored anywhere.
Serverless & Immutable
- No servers to manage or patch — AWS manages host infrastructure
- Firecracker microVM isolation — no shared kernel with other tenants
- Non-root containers (UID 1001) with privilege escalation disabled
- Read-only filesystem — no runtime modifications possible
Network Isolation
- Three-tier VPC with deny-all-by-default security groups
- VPC endpoints for all AWS service calls — never touches public internet
- Traffic allowed only on specific ports between specific tiers
- No SSH, RDP, or management ports exposed on any resource
Encryption Everywhere
Every byte of customer data is encrypted, whether it's moving between services or sitting in storage. No exceptions.
- TLS 1.2 minimum, TLS 1.3 preferred for all connections
- HTTP never accepted — all requests redirected to HTTPS
- Service-to-service communication encrypted via ECS Service Connect
- Database connections encrypted with mandatory TLS
- AWS API calls through encrypted VPC endpoints (PrivateLink)
- Aurora PostgreSQL: AES-256 via customer-managed KMS key
- S3 evidence storage: SSE-KMS encryption with versioning
- Audit logs: SSE-KMS with Object Lock (WORM) — tamper-proof
- Secrets Manager: All credentials encrypted with KMS
- CloudWatch Logs: KMS-encrypted with 365-day retention
Access Control
Least privilege at every level — from user authentication to service-to-service calls.
- AWS IAM Identity Center (SSO) with mandatory MFA
- No long-lived access keys — session tokens expire
- No SSH, RDP, or direct management ports
- Dedicated IAM roles per service with minimum permissions
- CI/CD via OIDC federation — no stored AWS credentials
- RDS Proxy with IAM auth — no passwords in code
- Application authentication over HTTPS with time-limited JWTs
- 8-hour session expiry, 15-minute inactivity timeout
- Role-based authorization on all API endpoints
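How an application can enforce the two session limits listed above (8-hour absolute expiry plus a 15-minute inactivity timeout) on a time-limited JWT. This is an added illustration, not Bedrock CMMC's own code; the HS256 shared secret, the server-side last-activity map, and the sample values are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Session limits stated on the page: 8-hour absolute expiry, 15-minute inactivity timeout.
SESSION_MAX = 8 * 3600
IDLE_MAX = 15 * 60


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, sub: str, jti: str, now: int) -> str:
    """Mint an HS256 JWT whose exp is pinned to iat + SESSION_MAX (no caller-chosen lifetime)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "jti": jti, "iat": now, "exp": now + SESSION_MAX}
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate(secret: bytes, token: str, last_activity: dict, now: int) -> tuple:
    """Return (ok, reason). last_activity is assumed server-side state: jti -> last accepted request time.

    A signed JWT cannot record inactivity itself, so the idle timeout is enforced from
    state the server keeps; the absolute limit comes from the signed iat/exp claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "bad signature"          # verified before any claim is trusted
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return False, "alg not allowed"        # only the algorithm we issue is accepted
    claims = json.loads(b64url_decode(payload_b64))
    if claims["exp"] - claims["iat"] > SESSION_MAX or now >= claims["exp"]:
        return False, "session expired"        # 8-hour absolute limit, regardless of activity
    seen = last_activity.get(claims["jti"], claims["iat"])
    if now - seen > IDLE_MAX:
        return False, "idle timeout"           # 15 minutes without an accepted request
    last_activity[claims["jti"]] = now         # request accepted: new activity mark
    return True, "ok"
```

The inactivity timer is checked after the absolute limit, so a session that is kept busy still ends at eight hours.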
Multi-Factor Authentication — Mandatory
Every user on Bedrock CMMC is required to use MFA — no exceptions. Customers, administrators, and external assessors all authenticate with TOTP from any standard authenticator app. Infrastructure access through IAM Identity Center also requires MFA. We do not support SMS as a sole MFA factor due to known SIM-swapping vulnerabilities.
Compromised passwords are the leading cause of unauthorized access. MFA ensures that even if a password is stolen, an attacker cannot access the platform without physical possession of the user's authentication device.
Continuous Monitoring
Security is not a one-time configuration — it's a continuous practice.
AWS CloudTrail
Records every API call with log file integrity validation.
Amazon GuardDuty
Continuously analyzes CloudTrail, VPC Flow Logs, and DNS logs for malicious activity.
AWS Security Hub
Aggregates findings from all security services and scores posture against benchmarks.
AWS Config
Evaluates resource configurations against 50+ FedRAMP Moderate conformance rules.
VPC Flow Logs
Captures all network traffic metadata for forensic analysis.
Immutable Audit Trail
S3 Object Lock (WORM) — logs cannot be modified or deleted, even by administrators.
Incident Response
Foxx Cyber maintains a documented Incident Response Plan with defined roles, escalation paths, containment procedures, and communication protocols. We conduct tabletop exercises and review the plan annually. If a security event affects customer data, we are committed to transparent and timely notification.
Infrastructure as Code
The entire production environment is defined in AWS CloudFormation templates — no manual configurations.
Reproducible
Environment rebuilt identically from code at any time
Auditable
Every change is a tracked commit with peer review
Drift Detection
AWS Config alerts on any resource deviation
Rollback
Failed deployments auto-revert to last known-good state
Compliance Posture
We hold ourselves to the same standard we help our customers achieve.
All 110 CMMC Level 2 security practices implemented across 14 control domains. These practices are documented in domain-specific policies and procedures, with technical evidence maintained for each control.
Our System Security Plan documents how each of the 110 security requirements is satisfied through implemented controls, inherited AWS capabilities, or documented plans of action.
FedRAMP Moderate Inheritance
Your trust is our authority to operate
We built Bedrock CMMC to the same CMMC Level 2 standard we help our customers achieve. Questions about our security practices? We're happy to discuss in detail.