Air-gapped networks. Compartmented programs. Disconnected operations. Your GRC platform should be built for the same constraints.
The Intelligence Community doesn't run on FedRAMP.
ICD 503 establishes security risk management for IC systems. CNSSI 1253 provides control baselines—but unlike FIPS 199, it uses separate categorizations for Confidentiality, Integrity, and Availability. A system might be Moderate-Moderate-Low or High-High-High, each with different control implications.
Special Access Programs add another layer. The Joint SAP Implementation Guide defines Protection Levels—PL1, PL2, PL3—as technical supplements to NIST 800-53 and CNSSI 1253. SCIF construction follows ICD 705. Personnel security follows SEAD 3.
None of it connects to the internet. Thalorin deploys on-premises, operates air-gapped, and maintains compliance workflows without external dependencies.
Classified environments require frameworks built for disconnected operations. ICD 503 provides the policy foundation. CNSSI 1253 delivers control baselines. JSIG addresses SAP-specific requirements. The Feynman Engine maps them all.
ICD 503: IC-wide IT security policy
CNSSI 1253: NSS control baselines, all C/I/A levels
JSIG: SAP system authorization (PL1/PL2/PL3)
ICD 705: SCIF physical/technical requirements
No external network dependencies. Local database and application hosting. Updates via approved removable media with cryptographic verification. Offline authentication. The platform operates entirely within your authorization boundary.
Separate Confidentiality, Integrity, and Availability categorizations create granular baseline requirements. Thalorin manages the full matrix—Low-Low-Low through High-High-High—and tracks control implementation against your specific categorization.
SAP systems require Protection Level assignments under the Joint SAP Implementation Guide. Control mapping to PL1, PL2, and PL3 requirements. Assessment documentation maintained within the classified environment.
Evidence at classification levels requires chain of custody, access controls, and appropriate storage. No external transmission. No cloud storage. No spillage risk. Evidence lifecycle managed within your environment.
Defense contractors with Facility Clearances face DCSA oversight under 32 CFR Part 117. Insider threat program tracking, personnel security, self-inspection documentation—alongside system authorization requirements.
Thalorin deploys entirely within your infrastructure.
Full application stack on your hardware. Database, application server, and authentication within your network boundary.
No network connectivity required. Updates via approved media with SHA-256 verification. Offline operation for extended periods.
Compatible with classified virtualization platforms. Deployable within existing virtual infrastructure.
Cryptographically signed packages. Manual installation via approved media transfer procedures.
A defense program operating under Special Access restrictions required JSIG Protection Level 2 authorization. Assessment documentation had to remain within the SAPF. Cloud-based GRC tools were prohibited.
On-premises deployment within the SAPF. Pre-loaded JSIG requirements mapped to CNSSI 1253 and NIST 800-53. Evidence collection and storage within the authorization boundary. Assessment workflows without external connectivity.
Authorization package prepared within the classified environment. Control implementation tracked against PL2 requirements. Continuous monitoring maintained without network egress.
Adopted RMF-aligned terminology. Enables reciprocal acceptance of security assessments from compatible NIST and CNSS standards.
Incorporates NIST SP 800-53 Rev 5. Adds PII Processing, Transparency, and Supply Chain Risk Management families.
Codified NISPOM as federal regulation. Establishes industrial security requirements for cleared contractors.
Implements DoD Zero Trust Strategy across unclassified and classified systems. Target Level ZT required by FY 2027.
Air-gapped deployment. On-premises operation. No external dependencies.