AC5

Security standard

Built to NIST 800-171 by default.

Every AC5 build inherits the NIST SP 800-171 controls baseline. Authentication, encryption, audit logging, and backups are part of the build, not an add-on. The same baseline applies whether the customer is a federal agency or sub-tier defense contractor, a city or county SLED buyer, a school district, a healthcare practice, or a mid-market commercial firm. CMMC Level 2-ready. HIPAA-safe where the work requires it.

  • NIST SP 800-171 · 110 controls
  • CMMC Level 2-ready
  • HIPAA + BAA (PHI engagements)
  • SOC 2 Type II on the roadmap

Hosting

We host in your name for the first three years.

Hosting is included in the fixed fee for years one through three. The cloud account is set up in your name from day one, AC5 operates and patches it during the included period, and at year three you decide whether to keep us running it on a known annual line, take over the cloud bill yourself, or move it to your own infrastructure.

For federal workloads requiring FedRAMP-authorized infrastructure, we deploy into AWS GovCloud or Microsoft Azure Government. For agencies that cannot use the cloud at all, we deliver on-premises, including as a self-contained appliance you own outright.

What this means for you

Three things that come standard.

The baseline is not a sales claim. It is how every engagement is delivered, regardless of size.

Controls inherited at handoff

The build you receive at handoff includes the 14 NIST 800-171 control families operating against your environment. You inherit a documented, auditable security posture, not a checkbox.

Evidence delivered with the build

A security self-assessment, the SRA, the incident response runbook, and the configuration baseline are part of the deliverables. Your operators can hand them to a lender, an auditor, or a federal customer without reverse-engineering them.

Same operators through year three

Hosting is included in the fixed fee for three years; the operators who scope the work also build it and run it. Patches, security updates, and incident response stay in the same hands.

The 14 control families

What we actually operate.

One line each, plain English. The full NIST SP 800-171 Rev. 2 catalog is the source of truth; this is how each family shows up in an AC5 engagement.

  • NIST 800-171 · 3.1

    Access Control

    Named accounts. Role-based permissions. Session timeout and idle lockout. Remote access through MFA and an encrypted tunnel only. Removable media controls where the build environment supports them.

  • NIST 800-171 · 3.2

    Awareness and Training

    AC5 operators complete documented security training; the record lives in the engagement file. The training your team needs to operate the build is delivered at handoff and refreshed annually if you put us on a maintenance line.

  • NIST 800-171 · 3.3

    Audit and Accountability

    Every authentication event, privileged action, and PHI-bearing access is logged with user, action, resource, and timestamp. Logs are immutable and retained per the engagement BAA or MSA, whichever is stricter.

  • NIST 800-171 · 3.4

    Configuration Management

    Baseline configurations are documented and version-controlled. Changes are reviewed in code and applied through infrastructure-as-code. No untracked changes to production.

  • NIST 800-171 · 3.5

    Identification and Authentication

    MFA (hardware security key or TOTP) on every account that can reach the build environment; of the two, only the hardware key is phishing-resistant. Shared accounts are not used.

  • NIST 800-171 · 3.6

    Incident Response

    A documented incident response runbook is delivered with the build. AC5 maintains a 24-hour notification commitment for any security event affecting an active engagement.

  • NIST 800-171 · 3.7

    Maintenance

    Patching cadence documented. Security patches in the included three-year hosting period are on us. Maintenance windows are coordinated with you.

  • NIST 800-171 · 3.8

    Media Protection

    Encrypted backups, encrypted in transit and at rest. Media sanitization documented when an engagement environment is decommissioned.

  • NIST 800-171 · 3.9

    Personnel Security

    Background checks on AC5 operators with access to a customer environment. Access is revoked the day the engagement ends; revocation is documented in the BAA.

  • NIST 800-171 · 3.10

    Physical Protection

    AC5 operator devices are encrypted (FileVault, BitLocker) with TPM-backed keys. Customer cloud environments inherit the physical protections of AWS, Azure, or the chosen platform.

  • NIST 800-171 · 3.11

    Risk Assessment

    A documented security risk assessment is delivered as part of the Evidence Binder for engagements that include the compliance containers. For other engagements, the assessment is delivered at handoff in the engagement runbook.

  • NIST 800-171 · 3.12

    Security Assessment

    Documented self-assessment of the controls baseline before handoff. The assessment is part of the deliverables. Third-party CMMC or SOC 2 assessment can be added as a separate engagement.

  • NIST 800-171 · 3.13

    System and Communications Protection

    TLS 1.2+ everywhere. AES-256 at rest. FIPS-validated cryptography on operator endpoints. Cloud workloads run in customer-named accounts with network segmentation.

  • NIST 800-171 · 3.14

    System and Information Integrity

    Endpoint detection and response on operator devices. Vulnerability scanning on the build environment. Security advisories are reviewed weekly during the engagement and within the maintenance window after.

Adjacent standards

How the rest fits in.

NIST 800-171 is the baseline. These are the standards customers ask about most often and how AC5 treats each.

  • CMMC Level 2-ready

    AC5 implements all 110 NIST 800-171 controls in its standard delivery process. A third-party CMMC Level 2 assessment for an installed build can be added as a separate engagement, scoped to your environment.

  • HIPAA · Security Rule + BAA

    For Practice Operations Toolkit and any other engagement that touches PHI, AC5 signs a Business Associate Agreement before the work starts. The HIPAA Security Rule controls overlap heavily with NIST 800-171; both are operated together.

  • SOC 2 Type II · roadmap

    A SOC 2 Type II audit is on the AC5 roadmap. NIST 800-171 implementation covers the majority of the Common Criteria. Customers needing SOC 2 evidence today can request a current bridge letter and the 800-171 self-assessment.

  • FedRAMP · we host on it, we are not it

    For customers serving federal agencies that require FedRAMP-authorized hosting, AC5 deploys into AWS GovCloud or Azure Government. AC5 itself is not a FedRAMP-authorized cloud service provider and does not claim to be.

What customers ask

Five questions we get on every discovery call.

Do we need to be a defense contractor for this to matter?

No. NIST 800-171 is the right baseline for any business that handles customer data, employee data, or financial records. It is also the baseline DoD subcontractors need. We operate it as our default because it serves both audiences and raises the floor for everyone.

Are you CMMC certified?

AC5 implements the 110 NIST 800-171 controls in its standard delivery process, which is the basis for CMMC Level 2. A third-party CMMC assessment is a separate engagement, scoped to a specific installed build and the customer environment that build runs in.

Are you SOC 2 audited?

Not yet. SOC 2 Type II is on the roadmap. The NIST 800-171 self-assessment covers most of the Common Criteria today; customers needing formal SOC 2 evidence can request our current bridge letter.

What about FedRAMP?

If you serve federal agencies that require FedRAMP-authorized hosting, we deploy into AWS GovCloud or Azure Government. AC5 itself is not a FedRAMP-authorized cloud service provider and does not claim to be.

What if our auditor needs evidence?

The build ships with a security self-assessment, the SRA, the incident response runbook, and the configuration baseline. We will sit with your auditor and walk them through any control they need to see. That call is included in the engagement, not a separate line item.

Want to see the controls in your environment?

30-minute discovery call. We map your environment to the NIST 800-171 control families on the call and tell you what is already in place. Written, fixed-fee quote in 48 hours.