Deployable CUI Vault — FIPS Boundary You Control

A FIPS-controlled CUI boundary with C3PAO-ready evidence and easy HTTPS integration into your website or enclave—so you reduce scope, meet DFARS, and keep CUI out of your main application.

FIPS 140-3 · CMMC Level 2 · C3PAO-ready evidence

Who It's For

The Deployable CUI Vault is for federal programs, defense contractors, and private organizations that need a defensible CUI boundary for CMMC compliance. Deploy it in your enclave or cloud—CUI stays inside the vault; your main app never handles CUI file bytes.

FIPS Boundary

All CUI decryption and cryptographic protection occur only inside the vault. Your main application only issues tokens; no CUI bytes pass through it.

  • Platform: Ubuntu 22.04 LTS with FIPS mode enabled (kernel + OpenSSL FIPS provider). Canonical Ltd. Ubuntu 22.04 OpenSSL Cryptographic Module — NIST CMVP Certificate #4794 (FIPS 140-3 Level 1, active through 2026-09-10).
  • CUI in transit: TLS 1.3 (TLS_AES_256_GCM_SHA384 cipher suite) terminated on the vault host.
  • CUI at rest: AES-256-GCM application-level encryption using the FIPS-validated module per Certificate #4794.

What's in the Box

The deployable unit (VM image or container) includes everything needed for a defensible CUI boundary and C3PAO handoff.

  • OS: Ubuntu 22.04 LTS, FIPS mode (kernel + OpenSSL FIPS provider per CMVP #4794)
  • CUI Vault Service: POST/GET/DELETE /v1/files/*; JWT validation; API key for server-side delete; AES-256-GCM encrypt/decrypt
  • TLS: nginx — TLS 1.3 termination, security headers, reverse proxy to vault service
  • Database: Local PostgreSQL bound to localhost; stores encrypted CUI (ciphertext, nonce, tag, metadata)
  • Hardening: harden_ubuntu_cmmc.py (and optionally harden_ubuntu_stig.py); evidence in /opt/compliance/hardening-evidence
  • Validation: cmmc_hardening_validation_evidence.py; evidence in /opt/compliance/validation-evidence
  • Policy bundle: Vault-boundary subset of CMMC policies/procedures under /opt/compliance/policies
  • Evidence export: Script to produce tarball of hardening + validation evidence + policies for C3PAO

C3PAO Evidence

Hardening and validation evidence are produced by our automation and stored on the vault. An export script collects hardening evidence, validation evidence, and (optionally) the policy bundle into a single tarball for C3PAO handoff. Reference evidence (MAC-RPT-*, FIPS documentation) is available in the repo and can be shipped or linked from the deployable image.

  • Hardening evidence: harden_ubuntu_cmmc.py (cloud-safe CMMC Level 2) → /opt/compliance/hardening-evidence
  • Validation evidence: cmmc_hardening_validation_evidence.py → /opt/compliance/validation-evidence
  • Evidence package: export script builds tarball for C3PAO

HTTPS & API Integration

Your app authenticates users and issues short-lived JWTs for upload and view. The browser uploads and downloads CUI directly to and from the vault over HTTPS—your application never handles CUI file bytes. API: POST /v1/files/upload, GET /v1/files/:id, DELETE /v1/files/:id.
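
The token handoff described above, as an added example that is not the vault's own code: the main app mints a short-lived token scoped to one action on one file, and the vault checks the signature, audience, expiry and scope before touching any CUI. The claim names (`act`, `fid`, `aud`), the HS256 shared key and the 120-second lifetime are assumptions, since the page does not specify the token format.

```python
import base64, hashlib, hmac, json, time

AUDIENCE = "cui-vault"                # assumed audience value
BROWSER_ACTIONS = {"upload", "view"}  # delete goes through the server-side API key

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key, signing_input):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue_token(key, user, action, file_id=None, ttl=120, now=None):
    """Main app: mint a short-lived token scoped to one action on one file."""
    if action not in BROWSER_ACTIONS:
        raise ValueError("action not allowed in browser tokens")
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "aud": AUDIENCE, "act": action, "fid": file_id,
              "iat": now, "exp": now + ttl}
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_sign(key, head + '.' + body))}"

def validate_token(key, token, action, file_id=None, now=None):
    """Vault: return the claims, or raise ValueError naming the failed check."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        signature = _unb64(sig)
    except ValueError:
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, ignore header claims
    if not hmac.compare_digest(signature, _sign(key, head + "." + body)):
        raise ValueError("bad signature")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if claims.get("act") != action or claims.get("fid") != file_id:
        raise ValueError("out of scope")
    return claims
```

Binding the token to a single action and file id means a leaked view token cannot be replayed against another file or used to upload.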

Contact us for integration support and environment configuration.

Artifact Formats

VM image

Packer-built image (e.g. GCE, AWS AMI, Azure VHD) for DoD and federal environments where VM hardening and a FIPS kernel are required.

Container

Dockerfile/OCI image for cloud deployments—same vault service and tooling, with FIPS and hardening applied as documented for the container build.
