Security you can audit.
We handle sensitive federal contracting data. Security isn't an afterthought — it's built into every layer of the platform.
Where we stand on the frameworks that matter.
SOC 2 Type II
Our SOC 2 Type II audit covers Security, Availability, and Confidentiality. Report available to Enterprise customers under NDA.
NIST 800-171
VETR infrastructure and development practices align with NIST SP 800-171 controls for protecting Controlled Unclassified Information (CUI).
FedRAMP Ready
We are actively pursuing FedRAMP authorization. VETR operates on FedRAMP-authorized infrastructure (AWS GovCloud).
CMMC Level 2
Security controls aligned with CMMC Level 2 practices for organizations handling CUI in the defense industrial base.
Section 508
Web-accessibility-compliant interfaces tested against the Revised 508 standard for federal procurement.
Section 889
No covered telecommunications equipment or services from prohibited sources are used in VETR infrastructure or supply chain.
Six layers, one defense in depth.
The specifics, organized by category — every control reviewable, exportable, audit-ready.
01
Data Protection
- AES-256 encryption at rest for all stored data
- TLS 1.3 encryption for all data in transit
- Encrypted backups with geographic redundancy
- Data isolation between organizations
02
Access Control
- Multi-factor authentication (MFA) support
- Role-based access control (RBAC)
- Single Sign-On (SSO) via SAML 2.0 — Enterprise
- Automatic session timeout and invalidation
03
Infrastructure
- AWS-hosted with 99.9% uptime SLA
- Automated security patching
- DDoS protection via AWS Shield
- Web Application Firewall (WAF)
04
Monitoring & Response
- 24/7 infrastructure monitoring
- Real-time intrusion detection
- Automated anomaly alerting
- Defined incident response (< 4 hr)
05
Development
- Security code review for all changes
- Dependency vulnerability scanning
- Annual third-party penetration testing
- OWASP Top 10 compliance checks
06
Audit & Privacy
- Comprehensive audit logging
- Immutable log storage
- Data retention and deletion controls
- Privacy-by-design architecture
Where we are on the FedRAMP path — milestone by milestone.
We publish our security roadmap because veteran-owned contractors deserve transparency, not vague compliance theater. Update cadence: quarterly.
- AES-256 at rest, TLS 1.3 in transit
- AWS multi-AZ deployment
- Audit logging immutable + 7-year retention
- CUI redaction service shipped
- 110-control NIST SP 800-171 r2 mapping documented
- POA&M (Plan of Action and Milestones) maintained
- CMMC L2 alignment review complete
- Auditor engaged, observation window active
- Type II report due Q3 2026
- Available to Enterprise customers under NDA
- Sponsor agency conversations underway
- Third-party assessor (3PAO) selection
- Body of Evidence package preparation
- JAB or Agency authorization path TBD
- Continuous monitoring program design
- Targets veteran-owned DoD-adjacent contractors
Phase 1 — Foundation (Complete)
Complete
Phase 2 — NIST 800-171 self-attestation (Complete)
Complete
Phase 3 — SOC 2 Type II audit (Q3 2026)
In progress
Phase 4 — FedRAMP Moderate Equivalency (Q4 2026)
In progress
Phase 5 — FedRAMP Moderate Authorization (target 2027)
Planned
Found a vulnerability? Tell us.
We acknowledge valid reports within 48 hours and work with researchers in good faith. No lawyers, no surprises.
Report to security@vetrproposal.com
Need our security package?
Enterprise customers receive SOC 2 reports, pen-test summaries, and architecture reviews under NDA.