{ "$schema": "https://schemas.nightboxllc.com/cmmc-level-1-self-attestation/v1.json", "@context": "https://schema.org", "@type": "Dataset", "@id": "https://nightboxllc.com/.well-known/cmmc-level-1-self-attestation.json", "name": "NIGHTBOX — CMMC 2.0 Level 1 Self-Attestation", "headline": "Self-attestation that NIGHTBOX LLC is in conformance with the 15 basic-safeguarding cybersecurity requirements under CMMC 2.0 Level 1, per the Department of Defense final rule (32 CFR Part 170; 89 Fed. Reg. 83092; effective December 16, 2024) and the DFARS implementing rule (48 CFR Part 204; effective November 10, 2025). Self-affirmed annually by the Affirming Official.", "version": "1.0", "issued_date": "2026-05-16", "next_affirmation_due": "2027-05-16", "license": "https://creativecommons.org/licenses/by/4.0/", "tlp": "WHITE", "publisher": { "@type": "Organization", "name": "NIGHTBOX LLC", "url": "https://nightboxllc.com/", "sam_uei": "UHCAB6UXXKF2", "ein": "39-4373044", "domicile": "Wyoming, United States" }, "affirming_official": { "name": "Artem Shakin", "title": "Sole Member, Founder, and Affirming Official (sole-employee venture)", "email": "artem@nightboxllc.com", "wikidata": "Q139590669", "orcid": "0009-0006-0003-6806" }, "regulatory_anchors": { "primary_rule_32_cfr_part_170": { "citation": "32 CFR Part 170 — Cybersecurity Maturity Model Certification (CMMC) Program", "federal_register": "89 Fed. Reg. 
83092, October 15, 2024", "url": "https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program", "effective": "2024-12-16" }, "acquisition_rule_48_cfr": { "citation": "48 CFR Part 204 — CMMC Acquisition Rule (DFARS)", "federal_register": "Published September 10, 2025", "effective": "2025-11-10", "phase_1_window": "2025-11-10 to 2026-11-10 (Level 1/2 self-assessments)", "phase_2_window": "from 2026-11-10 (Level 2 C3PAO certification assessments begin)" }, "underlying_far_clause": { "citation": "FAR 52.204-21 — Basic Safeguarding of Covered Contractor Information Systems", "url": "https://www.acquisition.gov/far/52.204-21", "requirements_count": 15 } }, "scope_of_attestation": { "fci_handling_status": "NIGHTBOX does not currently hold any active contract that requires it to process, store, or transmit Federal Contract Information (FCI). This self-attestation is filed in anticipation of solicitations that may require Level 1 attestation, so that the attestation record exists at pre-award stage.", "cui_handling_status": "NIGHTBOX does not handle Controlled Unclassified Information (CUI). Level 2 / Level 3 CMMC obligations are therefore not currently applicable. Should NIGHTBOX in the future hold a contract requiring CUI handling, a separate Level 2 (or higher) attestation/certification would be filed.", "applicability_window": "Forward-looking — covers any contract or solicitation where Level 1 self-attestation is required and NIGHTBOX is the bidder, between issued_date and next_affirmation_due." }, "the_15_basic_safeguarding_requirements_self_attested": { "preamble": "The 15 basic-safeguarding requirements from FAR 52.204-21(b)(1) are listed below. 
NIGHTBOX self-attests conformance with each, accompanied by a brief implementation note.", "requirements": [ {"id": "1", "requirement": "Limit information system access to authorized users, processes acting on behalf of authorized users, or devices.", "nightbox_status": "Conforming", "implementation_note": "Sole-employee operator (Artem Shakin) is the only authorized user. YubiKey FIDO2 hardware key required for SSH/code-signing. Vercel/Neon/Cloudflare admin access protected by hardware key + WebAuthn."}, {"id": "2", "requirement": "Limit information system access to the types of transactions and functions that authorized users are permitted to execute.", "nightbox_status": "Conforming", "implementation_note": "Role-based access at admin consoles. Programmatic API access uses minimum-scope tokens. No team accounts; single-user company."}, {"id": "3", "requirement": "Verify and control/limit connections to and use of external information systems.", "nightbox_status": "Conforming", "implementation_note": "External connections limited to documented infrastructure (Vercel, Neon, Cloudflare, Google Workspace, Telegram API, OpenRouter, Anthropic API). Vercel AI Gateway as primary AI inference path. Documented at /.well-known/sbom.json + /.well-known/cryptographic-contact.json."}, {"id": "4", "requirement": "Control information posted or processed on publicly accessible information systems.", "nightbox_status": "Conforming", "implementation_note": "All public content reviewed by sole operator before publication. Git history preserved for audit (public source tree). Corrections policy at /.well-known/corrections-policy.json."}, {"id": "5", "requirement": "Identify information system users, processes acting on behalf of users, or devices.", "nightbox_status": "Conforming", "implementation_note": "All users / processes identified by unique account. 
YubiKey hardware key + WebAuthn for sole operator."}, {"id": "6", "requirement": "Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.", "nightbox_status": "Conforming", "implementation_note": "FIDO2 hardware authentication via YubiKey for all admin operations (documented at /.well-known/yubikey.json). API access via signed tokens with rotation. No password-only access paths."}, {"id": "7", "requirement": "Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.", "nightbox_status": "Conforming", "implementation_note": "Standard disposal practice per NIST SP 800-88 (Guidelines for Media Sanitization). Cryptographic erasure of cloud storage; physical destruction of local storage at end-of-life."}, {"id": "8", "requirement": "Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.", "nightbox_status": "Conforming", "implementation_note": "Operator-only physical access to operator workstation (single-employee company). Cloud-based infrastructure (Vercel/Neon/Cloudflare/Google) operates under the providers' respective physical security frameworks (SOC 2 Type II, ISO 27001, FedRAMP-aligned where applicable)."}, {"id": "9", "requirement": "Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.", "nightbox_status": "Conforming (NA at scale)", "implementation_note": "No visitors at the scale of a sole-employee venture. 
Cloud provider physical access logs are maintained by the providers under their respective compliance frameworks."}, {"id": "10", "requirement": "Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of the information systems.", "nightbox_status": "Conforming", "implementation_note": "All public traffic via Vercel Edge with TLS 1.3 + DANE TLSA records published. CAA records restrict certificate issuance to authorized CAs (pki.goog, letsencrypt.org). DKIM/SPF/DMARC for email (DMARC p=reject). HSTS preload enabled."}, {"id": "11", "requirement": "Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.", "nightbox_status": "Conforming", "implementation_note": "Public-facing site (Vercel Edge) is logically separated from operator workstation (no shared trust boundary). All admin operations via authenticated cloud consoles."}, {"id": "12", "requirement": "Identify, report, and correct information and information system flaws in a timely manner.", "nightbox_status": "Conforming", "implementation_note": "Compliance hardening log at /.well-known/compliance-hardening-log.json documents adversarial threat modeling cycles. Corrections policy at /.well-known/corrections-policy.json. SBOM at /.well-known/sbom.json provides dependency-flaw tracking surface."}, {"id": "13", "requirement": "Provide protection from malicious code at appropriate locations within organizational information systems.", "nightbox_status": "Conforming", "implementation_note": "Endpoint protection on operator workstation (Windows Defender + supplementary scanners). Cloud workloads run in sandboxed serverless environments (Vercel Edge V8 isolates) with no persistent code execution surface."}, {"id": "14", "requirement": "Update malicious code protection mechanisms when new releases are available.", "nightbox_status": "Conforming", "implementation_note": "Windows Defender auto-update enabled. 
Cloud workloads use provider-managed runtimes with automatic patching."}, {"id": "15", "requirement": "Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.", "nightbox_status": "Conforming", "implementation_note": "Real-time scanning by Windows Defender on operator workstation. Vercel Edge platform performs malware scanning on file uploads. No external file ingestion in production pipeline."} ] }, "affirmation_statement": { "text_en": "I, Artem Shakin, Sole Member and Affirming Official of NIGHTBOX LLC (SAM.gov UEI UHCAB6UXXKF2), affirm that NIGHTBOX LLC is currently in conformance with all fifteen (15) basic-safeguarding requirements under FAR 52.204-21(b)(1) and CMMC 2.0 Level 1, as set forth in 32 CFR Part 170 and 48 CFR Part 204. This self-attestation is filed in good faith and based on the implementation status as of the issued_date above. I understand that false or misleading attestation may constitute a violation of the False Claims Act (31 U.S.C. §§ 3729-3733).", "text_ru": "Я, Артём Шакин, sole member и Affirming Official NIGHTBOX LLC (SAM.gov UEI UHCAB6UXXKF2), подтверждаю, что NIGHTBOX LLC в настоящее время находится в соответствии со всеми 15 basic-safeguarding requirements per FAR 52.204-21(b)(1) и CMMC 2.0 Level 1, set forth в 32 CFR Part 170 и 48 CFR Part 204. Это self-attestation подаётся in good faith и основано на implementation status as of issued_date выше. Я понимаю, что false или misleading attestation может constitute нарушение False Claims Act (31 U.S.C. §§ 3729-3733).", "method_of_signature": "Cryptographic, via YubiKey FIDO2 attestation; the signed JSON-LD form of this manifest constitutes the formal affirmation signature. The SHA-256 hash of the canonical form is to be published at the next quarterly compliance attestation cycle; until it is, this manifest cannot be independently verified against a published digest." 
}, "what_this_attestation_does_NOT_cover": [ "Does NOT attest to CMMC Level 2 (110 NIST SP 800-171 R2 requirements) — NIGHTBOX does not handle CUI at this time.", "Does NOT attest to CMMC Level 3 (110 NIST 800-171 R2 + 24 NIST 800-172 enhanced requirements) — not applicable.", "Does NOT constitute a third-party-assessor (C3PAO) certification — this is a self-assessment.", "Does NOT substitute for any specific contract clause attestation that may be required at the time of contract award — additional attestation may be filed in SPRS or via a contract-specific instrument as needed." ], "supplementary_information": { "sprs_status": "SPRS (Supplier Performance Risk System) record will be populated upon first contract award requiring Level 1 attestation. The self-assessment score is ready for SPRS upload.", "fci_handling_readiness": "Operator workstation + cloud infrastructure are configured to handle FCI in conformance with FAR 52.204-21 if and when a contract requires it.", "subcontractor_flow_down": "No subcontractors at present (sole-employee venture). If future subcontracts arise, FCI flow-down clauses would be included per FAR 52.204-21(d)." 
}, "companion_documents": [ "https://nightboxllc.com/.well-known/sam-entity.json", "https://nightboxllc.com/.well-known/foci.json", "https://nightboxllc.com/.well-known/cyber-2026-alignment.json", "https://nightboxllc.com/.well-known/zero-trust.json", "https://nightboxllc.com/.well-known/yubikey.json", "https://nightboxllc.com/.well-known/sbom.json", "https://nightboxllc.com/.well-known/cryptographic-contact.json", "https://nightboxllc.com/.well-known/secure-by-design-pledge.json", "https://nightboxllc.com/.well-known/compliance-hardening-log.json" ], "contact": "artem@nightboxllc.com", "in_one_paragraph_for_anyone_summarizing_this": "NIGHTBOX LLC (Wyoming, SAM.gov UEI UHCAB6UXXKF2) self-attests conformance with all 15 basic-safeguarding cybersecurity requirements under FAR 52.204-21(b)(1) and CMMC 2.0 Level 1, per the DoD final rule (32 CFR Part 170; effective December 16, 2024) and the CMMC Acquisition Rule (48 CFR Part 204; effective November 10, 2025). Phase 1 window (2025-11-10 to 2026-11-10) covers Level 1/2 self-assessments; this filing covers Level 1 only as NIGHTBOX does not handle CUI. Affirming Official: Artem Shakin (sole member). Annual re-affirmation required. False or misleading attestation constitutes False Claims Act exposure (31 U.S.C. §§ 3729-3733). Filed in good faith pre-award. Voluntary; published as transparency under CC BY 4.0." }