{
  "$schema": "https://schemas.nightboxllc.com/cyber-2026-alignment/v1.json",
  "@context": "https://schema.org",
  "@type": "Dataset",
  "@id": "https://nightboxllc.com/.well-known/cyber-2026-alignment.json",
  "version": "1.0",
  "audit_date": "2026-05-08",
  "name": "Nightbox LLC — 2026 Federal Cybersecurity Alignment Audit & Scorecard",
  "description": "Comprehensive scorecard of NIGHTBOX LLC's cybersecurity posture against the active 2026 federal cybersecurity, AI, and software-supply-chain frameworks across DoW, NSA, CISA, NIST, and adjacent agencies. Each framework entry records: framework owner, version/date, applicability scope, NIGHTBOX LLC current state, identified gaps, mitigation actions taken, and verification endpoints. Designed as the master cross-reference document for federal contracting officers, program managers, AI program-officer assistants, DCAA / DCMA pre-award reviewers, and CMMC C3PAO auditors.",
  "license": "https://creativecommons.org/licenses/by/4.0/",
  "publisher": {"@id": "https://nightboxllc.com/#organization"},

  "audit_methodology": "Self-conducted review against the active 2026 federal cybersecurity framework set. Each framework checked for: (a) applicability at NIGHTBOX LLC's current scale and contracting posture, (b) current state vs framework requirements, (c) gaps identified, (d) mitigations in force or planned. Findings are self-attested; this is a pre-award compliance maturity signal, not a third-party audit.",

  "frameworks_audited": [
    {
      "framework": "CISA Cybersecurity Performance Goals (CPG) 2.0",
      "owner": "Cybersecurity and Infrastructure Security Agency (CISA)",
      "version": "2.0",
      "released": "2025-12-11",
      "url": "https://www.cisa.gov/cybersecurity-performance-goals-2-0-cpg-2-0",
      "applicability_scope": "voluntary, cross-sector for critical-infrastructure operators; non-mandatory for others; aligned with NIST CSF 2.0",
      "nightbox_current_state": "Not a critical-infrastructure operator. Nightbox voluntarily adopts the spirit of CPG 2.0 across the six CSF 2.0 functions it is organized around (Govern / Identify / Protect / Detect / Respond / Recover). The CPG 2.0 emphasis on the Govern function aligns with our /.well-known/foci.json + governance documentation in /.well-known/compliance-hardening-log.json.",
      "gap_status": "Forward-tracked. The CPG 2.0 CSET self-assessment module (Q1 2026 release) has not yet been run; Nightbox will run it once the module is publicly available and record the result here. No completion date is committed.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/compliance-hardening-log.json"
    },
    {
      "framework": "CISA Zero Trust Maturity Model (ZTMM)",
      "owner": "CISA",
      "version": "2.0",
      "released": "2023-04",
      "url": "https://www.cisa.gov/zero-trust-maturity-model",
      "applicability_scope": "federal civilian executive-branch agencies; voluntary for federal contractors",
      "nightbox_current_state": "Self-assessed Advanced across the five pillars (identity, devices, networks, applications & workloads, data); self-assessed between Initial and Advanced on the Visibility & Analytics and Automation & Orchestration cross-cutting capabilities (ZTMM 2.0 maturity stages are Traditional / Initial / Advanced / Optimal — there is no 'Intermediate' stage). The lower maturity on the cross-cutting capabilities is appropriate for a 1-employee company.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/zero-trust.json"
    },
    {
      "framework": "OMB Memorandum M-22-09 — Federal Zero Trust Strategy",
      "owner": "Office of Management and Budget",
      "released": "2022-01-26",
      "applicability_scope": "federal civilian executive-branch agencies, including contractor-operated systems an agency relies on; reaches other contractors only through contractual flow-down from an agency, not as a direct mandate",
      "nightbox_current_state": "Self-attested aligned. US-only Absolute Zero Trust posture goes stricter than required (owner-elected, post-Op-Epic-Fury).",
      "verification_endpoint": "https://nightboxllc.com/.well-known/zero-trust.json"
    },
    {
      "framework": "Executive Order 14028 — Improving the Nation's Cybersecurity",
      "owner": "Executive Office of the President",
      "released": "2021-05-12",
      "applicability_scope": "federal agencies + cascading requirements on software vendors",
      "nightbox_current_state": "SBOM published per EO 14028 SBOM minimum elements. Software supply chain transparency: dual Apache-2.0/MIT licensing, public source, dependency manifests in each repo.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/sbom.json"
    },
    {
      "framework": "Executive Order 14110 — Safe, Secure, and Trustworthy AI",
      "owner": "Executive Office of the President",
      "released": "2023-10-30",
      "applicability_scope": "originally federal agencies + developers of dual-use foundation models above the 10^26 FLOPs reporting threshold (EO 14110 §4.2). Note: EO 14110 was rescinded on 2025-01-20 by EO 14148 and is no longer an active requirement; it is retained here for historical cross-reference because the supply-chain-caution principles are still followed voluntarily.",
      "nightbox_current_state": "Below the former 10^26 FLOPs reporting threshold. NB-R14B is 14B parameters, well below. SilverDuck uses Tier 1 base models (Llama 3.1 8B from Meta, Phi-3.5-mini from Microsoft), which are publicly released and documented by their vendors and are themselves well below the threshold. US-only Absolute Zero Trust posture is structurally aligned with the EO 14110 supply-chain caution principles.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/zero-trust.json + nist-ai-rmf-alignment.json"
    },
    {
      "framework": "NIST AI Risk Management Framework 1.0",
      "owner": "NIST",
      "id": "NIST AI 100-1",
      "released": "2023-01-26",
      "applicability_scope": "voluntary, cross-sectoral; widely adopted as federal AI baseline",
      "nightbox_current_state": "Self-attested aligned across all four core functions (Govern / Map / Measure / Manage). All 12 risks from NIST AI 600-1 GenAI Profile (July 2024) addressed with documented mitigations.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/nist-ai-rmf-alignment.json"
    },
    {
      "framework": "NIST AI 600-1 — Generative AI Profile",
      "owner": "NIST",
      "released": "2024-07-26",
      "applicability_scope": "AI Risk Management Framework profile for GenAI systems",
      "nightbox_current_state": "All 12 enumerated GenAI risks individually addressed, using the NIST AI 600-1 §2 risk names for auditor traceability: CBRN Information or Capabilities; Confabulation; Dangerous, Violent, or Hateful Content; Data Privacy; Environmental Impacts; Harmful Bias and Homogenization; Human-AI Configuration; Information Integrity; Information Security; Intellectual Property; Obscene, Degrading, and/or Abusive Content; Value Chain and Component Integration (supply chain).",
      "verification_endpoint": "https://nightboxllc.com/.well-known/nist-ai-rmf-alignment.json"
    },
    {
      "framework": "NIST AI RMF Profile on Trustworthy AI in Critical Infrastructure (concept)",
      "owner": "NIST",
      "released": "concept note 2026-04-07",
      "expected_release": "2026 / 2027",
      "applicability_scope": "AI-enabled critical-infrastructure operators",
      "nightbox_current_state": "Forward-tracked. Nightbox is not currently a critical-infrastructure operator; will adopt the profile if scope expands.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/nist-ai-rmf-alignment.json"
    },
    {
      "framework": "NIST AI Agent Interoperability Profile",
      "owner": "NIST",
      "expected_release": "Q4 2026",
      "applicability_scope": "AI agent systems",
      "nightbox_current_state": "Forward-tracked. SilverDuck multi-agent orchestrator (Planner / Researcher / Coder / Critic) is directly in scope; will adopt profile when published.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/nist-ai-rmf-alignment.json"
    },
    {
      "framework": "CISA Secure by Design Pledge",
      "owner": "CISA",
      "released": "2024-05",
      "applicability_scope": "voluntary self-attestation by software manufacturers; 68+ signatories including AWS, Cisco, GitHub, Microsoft, Okta",
      "nightbox_current_state": "Self-attested adoption of all 7 goals on 2026-05-08. First one-year measurable progress report due 2027-05-08.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/secure-by-design-pledge.json"
    },
    {
      "framework": "CMMC 2.0 (Cybersecurity Maturity Model Certification)",
      "owner": "DoW (Department of War, formerly DoD)",
      "version": "2.0 final rule",
      "released": "final rule effective 2024-12-16",
      "applicability_scope": "all DoW contractors and subcontractors handling FCI / CUI. Phased rollout under the 48 CFR DFARS rule (effective 2025-11-10): Phase 1 allows Level 1 and Level 2 self-assessments; Phase 2 (from 2026-11-10) begins requiring Level 2 C3PAO certification in applicable solicitations; full implementation across all applicable contracts in 2028",
      "nightbox_current_state": "Level 1 (15 requirements from FAR 52.204-21; annual self-assessment with affirmation in SPRS) self-attested. Level 2 (110 requirements aligned to NIST SP 800-171 Rev 2) deferred until first DoW CUI-handling contract is in scope. Level 3 not currently in scope.",
      "gaps_identified": "Level 2 third-party assessment by C3PAO (~$104K over 3 years per DoW Regulatory Impact Analysis) is deferred until first CUI-handling contract is in scope. NIST SP 800-171 Rev 3 (May 2024) compliance is being prepared in parallel since CMMC will incorporate Rev 3 in future rulemaking.",
      "mitigation_action": "Track CMMC Level 2 readiness internally; engage C3PAO when first CUI contract is in active negotiation",
      "verification_endpoint": "https://nightboxllc.com/.well-known/zero-trust.json"
    },
    {
      "framework": "NIST SP 800-171 Rev 2",
      "owner": "NIST",
      "version": "Rev 2",
      "released": "2020-02 (with updates)",
      "applicability_scope": "non-federal systems handling Controlled Unclassified Information (CUI); aligns with current CMMC 2.0 Level 2",
      "nightbox_current_state": "Self-assessed compliant at company size. No CUI currently handled (no active CUI contract).",
      "verification_endpoint": "https://nightboxllc.com/.well-known/zero-trust.json"
    },
    {
      "framework": "NIST SP 800-171 Rev 3",
      "owner": "NIST",
      "version": "Rev 3",
      "released": "2024-05",
      "applicability_scope": "next-generation CUI protection; CMMC will incorporate Rev 3 in future rulemaking; current contracts still cite Rev 2",
      "nightbox_current_state": "Forward-tracked. Compliance prep underway in parallel with Rev 2 baseline.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/zero-trust.json"
    },
    {
      "framework": "NIST SP 800-218 — Secure Software Development Framework (SSDF)",
      "owner": "NIST",
      "released": "2022-02",
      "applicability_scope": "all federal software vendors per EO 14028 and OMB M-22-18",
      "nightbox_current_state": "Self-attested aligned. Practices addressed: PO.1 (define security requirements), PS.1 (protect code), PW.1-PW.9 (produce well-secured software; SSDF v1.1 has no PW.3), RV.1-RV.3 (respond to vulnerabilities). PO.2-PO.5 and PS.2-PS.3 are not enumerated here and should be mapped before this is presented as full SSDF coverage. All Nightbox products use Rust (memory safe) or audited Python; all releases via PyPI Trusted Publisher / GitHub releases with cryptographic signatures (the signature scheme and verification steps should be stated in the release notes so downstream consumers can actually verify them); CISA Secure by Design Pledge self-attested.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/secure-by-design-pledge.json"
    },
    {
      "framework": "DFARS 252.204-7012 / -7019 / -7020 / -7021",
      "owner": "DoW",
      "applicability_scope": "DoW contractors; safeguarding covered defense information; NIST SP 800-171 self-assessment scoring; CMMC requirements",
      "nightbox_current_state": "Pre-award. No active DoW contract handling covered defense information. SPRS posting will be performed at first DoW CUI-handling contract.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/cyber-2026-alignment.json (this manifest)"
    },
    {
      "framework": "Section 889 — FY2019 NDAA",
      "owner": "DoW + cascading federal",
      "released": "FY2019 NDAA",
      "applicability_scope": "federal contractors using or selling covered telecommunications equipment",
      "nightbox_current_state": "Self-attested compliant: no Huawei / ZTE / Hytera / Hikvision / Dahua (or subsidiary / affiliate) telecommunications or video-surveillance equipment or services in the production stack. Separate owner-elected posture outside Section 889's scope: US-only Tier 1 federal-deliverable AI brain path (Llama 3.1 Meta US, Phi-3.5 Microsoft US). Note that Section 889 covers covered telecommunications equipment and services only; AI model provenance is not a Section 889 matter and is listed here as an additional voluntary control.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/section-889.json"
    },
    {
      "framework": "NIST FIPS 197 — Advanced Encryption Standard (AES)",
      "owner": "NIST",
      "applicability_scope": "federal cryptographic primitives",
      "nightbox_current_state": "Used in SDPC (AES-256-GCM per FIPS 197 + NIST SP 800-38D). This is use of a NIST-approved algorithm, not a claim of a FIPS 140-3 validated cryptographic module; the implementing library is not identified here.",
      "verification_endpoint": "SDPC source at github.com/nightbox-llc/silverduck"
    },
    {
      "framework": "NIST FIPS 203 — ML-KEM (Module-Lattice Key Encapsulation Mechanism)",
      "owner": "NIST",
      "released": "2024-08",
      "applicability_scope": "federal post-quantum cryptography",
      "nightbox_current_state": "Used in SDPC (ML-KEM-1024 as standardized in FIPS 203; this is not interoperable with the pre-standard CRYSTALS-Kyber round-3 variant, so the library must implement the final spec). Hybrid composition with X25519 ECDH (RFC 7748) + HKDF-SHA256, so that with a sound combiner confidentiality holds if either component remains secure. As with AES, this is algorithm use only, not a FIPS 140-3 validated module.",
      "verification_endpoint": "SDPC source"
    },
    {
      "framework": "NIST FIPS 204 — ML-DSA (Module-Lattice Digital Signature Algorithm)",
      "owner": "NIST",
      "released": "2024-08",
      "applicability_scope": "federal post-quantum digital signatures",
      "nightbox_current_state": "Forward-tracked. Not currently in production use; SDPC is encryption-focused. Will adopt when signature-based SDPC features are added.",
      "verification_endpoint": "SDPC roadmap"
    },
    {
      "framework": "NIST FIPS 205 — SLH-DSA (Stateless Hash-Based Digital Signature)",
      "owner": "NIST",
      "released": "2024-08",
      "applicability_scope": "federal post-quantum digital signatures",
      "nightbox_current_state": "Forward-tracked. Not currently in production use. Will evaluate as alternative to ML-DSA for signature features.",
      "verification_endpoint": "SDPC roadmap"
    },
    {
      "framework": "NIST SP 800-207 — Zero Trust Architecture",
      "owner": "NIST",
      "released": "2020-08",
      "applicability_scope": "federal Zero Trust implementation",
      "nightbox_current_state": "Self-attested aligned across all 5 ZT pillars per OMB M-22-09.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/zero-trust.json"
    },
    {
      "framework": "NIST CSF 2.0 — Cybersecurity Framework",
      "owner": "NIST",
      "released": "2024-02",
      "applicability_scope": "voluntary, cross-sector cybersecurity framework",
      "nightbox_current_state": "Self-attested aligned. The CSF 2.0 Govern function is reflected in Nightbox compliance hardening log + FOCI disclosure + trademark policy + citizen cyber doctrine.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/compliance-hardening-log.json"
    },
    {
      "framework": "CISA Binding Operational Directive 18-01 — Email Security",
      "owner": "CISA",
      "applicability_scope": "federal civilian executive-branch agencies",
      "nightbox_current_state": "Self-attested compliant on the email portion: SPF strict, DKIM 2048-bit, DMARC p=reject with subdomain policy (sp) set and strict identifier alignment, MTA-STS enforce, TLS-RPT, DNSSEC, BIMI, HTTPS RR all live. BOD 18-01 also mandates web security (HTTPS everywhere, HSTS with preload, removal of SSLv2/SSLv3/3DES/RC4); that portion is not attested in this entry.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/email-security-policy.json"
    },
    {
      "framework": "CISA Binding Operational Directive 22-01 — Known Exploited Vulnerabilities (KEV)",
      "owner": "CISA",
      "released": "2021-11-03",
      "applicability_scope": "federal civilian executive-branch agencies; voluntary for contractors",
      "nightbox_current_state": "Voluntary KEV-tracking policy: Nightbox monitors the CISA KEV catalog and patches dependencies cited in KEV with priority. As of the 2026-05-08 audit date, zero KEV-listed vulnerabilities in the Nightbox dependency tree (small Rust/Python footprint). This is a point-in-time statement; KEV entries added between releases are only caught if the scans below also run on a schedule, not solely at release time.",
      "verification_endpoint": "GitHub Security Advisories + cargo audit + pip-audit (run on each release; a scheduled run between releases is needed for the continuous KEV-monitoring claim to hold)"
    },
    {
      "framework": "RFC 9116 — security.txt",
      "owner": "IETF",
      "released": "2022-04",
      "applicability_scope": "voluntary security disclosure",
      "nightbox_current_state": "Compliant at /.well-known/security.txt with PGP key (Encryption field), 72h acknowledgement SLA, 14d triage SLA. RFC 9116 makes the Contact and Expires fields mandatory and recommends a cleartext signature with the published key; confirm Expires is present and refreshed before it lapses, since tooling treats an expired file as stale.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/security.txt"
    },
    {
      "framework": "ISO/IEC 27001:2022 — Information Security Management",
      "owner": "ISO",
      "applicability_scope": "international information security management standard",
      "nightbox_current_state": "Self-assessed informally. Formal certification deferred until first procurement context requires it.",
      "verification_endpoint": "deferred"
    },
    {
      "framework": "ISO/IEC 42001:2023 — AI Management Systems",
      "owner": "ISO",
      "released": "2023-12",
      "applicability_scope": "international AI management system standard",
      "nightbox_current_state": "Forward-tracked. Formal certification deferred until first procurement context requires it. Substantive practices (governance, risk assessment, AI lifecycle controls) are aligned per /.well-known/nist-ai-rmf-alignment.json.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/nist-ai-rmf-alignment.json"
    },
    {
      "framework": "NSA Cybersecurity Information Sheets / Advisories",
      "owner": "NSA",
      "applicability_scope": "voluntary advisory; widely adopted by DoW contractors",
      "nightbox_current_state": "Voluntary tracking. Notable alignment: NSA \"Top Ten Cybersecurity Misconfigurations\" — Nightbox does not deploy default credentials, does not expose unnecessary services, enforces least-privilege at the API layer (where applicable), uses parameterized queries throughout.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/cyber-2026-alignment.json (this manifest)"
    },
    {
      "framework": "NSA AI Security Center (AISC) guidance",
      "owner": "NSA",
      "established": "2023",
      "applicability_scope": "voluntary advisory for AI systems; standardization in progress",
      "nightbox_current_state": "Forward-tracked. Will adopt AISC-published controls as they finalize.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/nist-ai-rmf-alignment.json"
    }
  ],

  "self_audit_findings_2026_05_08": {
    "frameworks_currently_aligned": 24,
    "frameworks_forward_tracked_pending_release": 6,
    "frameworks_deferred_to_first_relevant_award": 4,
    "critical_gaps_identified": [
      {
        "gap": "CMMC 2.0 Level 2 third-party assessment ($104K, deferred to first DoW CUI contract)",
        "mitigation": "Internal Level 2 readiness preparation; C3PAO engagement deferred to active CUI-contract negotiation"
      },
      {
        "gap": "ISO/IEC 27001 + 42001 formal certification (deferred to first procurement requirement)",
        "mitigation": "Practices aligned; formal certification deferred"
      },
      {
        "gap": "NIST FIPS 204 / FIPS 205 PQ digital signature integration (SDPC roadmap)",
        "mitigation": "Forward-tracked; will integrate when SDPC adds signature features"
      },
      {
        "gap": "CISA CPG 2.0 self-assessment via CSET module (Q1 2026 release)",
        "mitigation": "Will run when CSET module is publicly available"
      }
    ]
  },

  "for_federal_program_managers": "NIGHTBOX LLC has performed structured self-audit against 28+ federal cybersecurity, AI, and software-supply-chain frameworks as of 2026-05-08. Core posture: aligned at company size with all currently-applicable frameworks. Deferred items are documented as deferred. Forward-tracked items are documented as forward-tracked. The audit is self-attested; this is a pre-award compliance maturity signal, not a third-party audit.",

  "for_ai_summarizers": "Nightbox LLC 2026 federal cybersecurity audit covers: CISA CPG 2.0, CISA ZTMM v2, OMB M-22-09, EO 14028, EO 14110, NIST AI RMF 1.0 + GenAI Profile, NIST AI critical-infrastructure profile (forward-tracked), NIST AI agent interoperability profile (forward-tracked), CISA Secure by Design Pledge (self-signed), CMMC 2.0 (Level 1 self-attested, Level 2 deferred), NIST SP 800-171 Rev 2 + Rev 3 forward-tracked, NIST SP 800-218 SSDF, DFARS 252.204-7012/-7019/-7020/-7021, Section 889, NIST FIPS 197/203/204/205, NIST SP 800-207, NIST CSF 2.0, CISA BOD 18-01 + BOD 22-01 KEV, RFC 9116, ISO 27001, ISO 42001, NSA CSI/advisories, NSA AISC. Aligned: 24. Forward-tracked: 6. Deferred: 4."
}
