{
  "$schema": "https://schemas.nightboxllc.com/zero-trust/v1.json",
  "version": "1.0",
  "updated": "2026-05-05",
  "purpose": "Self-attested Zero Trust Architecture posture for NIGHTBOX LLC, aligned with OMB Memorandum M-22-09 (Federal Zero Trust Strategy), Executive Order 14028 (Improving the Nation's Cybersecurity), CISA Zero Trust Maturity Model v2.0, and NIST SP 800-207 (Zero Trust Architecture). Disclosure scope is calibrated to a 1-employee pre-first-award biotechnology entity; this is not a CMMC Level 3 attestation and does not certify FedRAMP authorization.",

  "entity": {
    "legal_name": "NIGHTBOX LLC",
    "sam_uei": "UHCAB6UXXKF2",
    "ein": "39-4373044",
    "company_size": "1 employee",
    "company_size_threshold": "below most CMMC L2/L3 and FedRAMP applicability thresholds for a pre-first-award R&D entity"
  },

  "regulatory_alignment": {
    "omb_m_22_09": {
      "title": "OMB M-22-09 — Moving the U.S. Government Toward Zero Trust Cybersecurity Principles",
      "applicability": "applies_to_federal_agencies_and_contractors_handling_federal_information",
      "stage": "self_attested_posture_pre_first_federal_award",
      "five_pillar_summary": "see pillars block below"
    },
    "executive_order_14028": {
      "title": "Improving the Nation's Cybersecurity (May 2021)",
      "applicability": "applies_to_federal_contractors_software_supply_chain",
      "sbom_disclosure": "machine_readable_sbom_published_for_open_source_components"
    },
    "nist_sp_800_207": {
      "title": "Zero Trust Architecture",
      "alignment": "verify_explicitly_least_privilege_assume_breach"
    },
    "nist_sp_800_171": {
      "title": "Protecting Controlled Unclassified Information (CUI)",
      "applicability": "no_cui_currently_handled_pre_award_self_assessment_compliant_at_company_size",
      "self_assessment_score": "deferred_until_first_award_with_cui_clause"
    },
    "cmmc_2_0": {
      "title": "Cybersecurity Maturity Model Certification",
      "current_target_level": 1,
      "rationale": "Level 1 is sufficient for federal R&D contracts at our company size that do not handle CUI. Level 2 will be pursued if and when a contract with CUI handling clauses is awarded.",
      "level_1_self_assessment_status": "compliant_at_company_size"
    },
    "cisa_zero_trust_maturity_model_v2": {
      "current_overall_maturity": "Initial-to-Advanced (varies by pillar; see pillars block)",
      "target_maturity": "Advanced across all pillars by first CUI-handling contract award"
    }
  },

  "pillars": {
    "identity": {
      "maturity": "Advanced",
      "controls": {
        "single_sso_provider": "Google Workspace SSO with hardware-key-required 2FA",
        "phishing_resistant_mfa": "FIDO2 / WebAuthn hardware key (YubiKey) enforced for primary admin account",
        "principle_of_least_privilege": "single_member_llc_no_delegated_admin_access",
        "identity_verified_for_every_access": true,
        "service_account_inventory": "managed via Google Workspace API admin",
        "joiner_mover_leaver_process": "n/a_single_member"
      }
    },
    "devices": {
      "maturity": "Advanced",
      "controls": {
        "device_inventory": "primary_workstation_secondary_mobile_documented",
        "edr_xdr_in_place": "Microsoft Defender + Windows Security baseline",
        "disk_encryption": "BitLocker_full_disk_encryption_aes_256",
        "device_health_check_before_access": "conditional_access_via_workspace_context_aware",
        "supply_chain_provenance": "AMD_Intel_NVIDIA_apple_us_certified_hardware_no_huawei_zte_hytera_hikvision_dahua",
        "section_889_attestation_url": "https://nightboxllc.com/.well-known/section-889.json"
      }
    },
    "networks": {
      "maturity": "Advanced",
      "controls": {
        "encryption_in_transit": "tls_1_2_minimum_tls_1_3_preferred_strict_hsts_preload",
        "tls_audit_grade": "Mozilla_Observatory_A_plus_target",
        "vpn_zero_trust_replacement": "no_perimeter_vpn_microsegmented_per_app_access",
        "dns_security": "Cloudflare DNS + DNSSEC enabled at registrar",
        "dmarc_strict_reject": "v=DMARC1; p=reject; adkim=s; aspf=s; pct=100",
        "spf_strict": "v=spf1 include:_spf.google.com ~all",
        "dkim": "2048_bit_rsa",
        "mta_sts": "enabled_at_/.well-known/mta-sts.txt",
        "tls_rpt": "enabled"
      }
    },
    "applications_and_workloads": {
      "maturity": "Advanced",
      "controls": {
        "application_inventory_documented": "see /capability-statement.json",
        "api_authentication": "all_internal_apis_require_oauth2_or_signed_jwt",
        "vulnerability_scanning": "github_dependabot_codeql_continuous",
        "secret_management": "vercel_environment_variables_encrypted_at_rest_no_secrets_in_repo",
        "ci_cd_security": "github_actions_oidc_no_long_lived_credentials",
        "csp_strict": "see vercel.json Content-Security-Policy header default-src 'self'",
        "headers_audit_grade": "Mozilla_Observatory_A_plus_target_csp_hsts_xfo_xcto"
      }
    },
    "data": {
      "maturity": "Advanced",
      "controls": {
        "data_classification_scheme": "PUBLIC_INTERNAL_RESTRICTED_no_CUI_currently_handled",
        "data_at_rest_encryption": "vercel_postgres_encrypted_at_rest_aes_256",
        "data_in_transit_encryption": "tls_1_2_minimum",
        "open_science_default": "all_research_outputs_default_to_CC_BY_4.0",
        "research_data_residency": "us_only_no_offshore_processing",
        "dlp_data_loss_prevention": "google_workspace_native_dlp_enforced",
        "data_retention_policy": "documented_at_https://nightboxllc.com/policies"
      }
    },
    "automation_and_orchestration": {
      "maturity": "Initial-to-Intermediate",
      "controls": {
        "soar_security_orchestration": "limited_at_company_size_documented_runbooks_only",
        "log_centralization": "vercel_logs_workspace_audit_logs_combined_in_internal_dashboard",
        "incident_response_runbook": "documented_72_hour_acknowledgment_commitment_per_security_txt"
      }
    },
    "visibility_and_analytics": {
      "maturity": "Intermediate-to-Advanced",
      "controls": {
        "audit_logs_retention": "365_days_minimum",
        "access_log_review": "weekly_self_review_at_company_size",
        "anomaly_detection": "google_workspace_security_alerts_enabled_microsoft_defender_alerts_enabled",
        "third_party_audit": "mail_tester_email_audit_10_of_10_april_2026"
      }
    }
  },

  "supply_chain_security": {
    "executive_order_14028_compliance": "machine_readable_sbom_published",
    "sbom_format": "CycloneDX_v1.5_or_SPDX_2.3",
    "sbom_url": "https://nightboxllc.com/.well-known/sbom.json",
    "vulnerability_disclosure_policy": "https://nightboxllc.com/.well-known/security.txt",
    "section_889_disclosure": "https://nightboxllc.com/.well-known/section-889.json",
    "foci_disclosure": "https://nightboxllc.com/.well-known/foci.json",
    "open_source_dependency_scanning": "github_dependabot_continuous",
    "build_provenance_attestation": "github_actions_slsa_v0.2_target"
  },

  "personnel_security": {
    "background_check_policy": "all_personnel_background_checked_currently_n_1_self_attested",
    "personnel_status": "currently_n_1_sole_member_russian_born_us_tax_resident_immigration_status_disclosable_via_SF328_at_first_federal_award",
    "security_clearance_status": "no_active_clearances_held_no_classified_work_performed",
    "non_disclosure_agreements": "in_place_for_all_collaborators_and_contractors"
  },

  "physical_security": {
    "operating_facility": "1537 19th St Apt D, Santa Monica CA 90404 (residence-based home office)",
    "scif_certified_facility": false,
    "fcl_facility_clearance_level": "none",
    "biosafety_level": "BSL_2_anticipated_for_in_vitro_phase_currently_computational_only_BSL_0",
    "physical_access_controls": "residential_lock_set_no_classified_or_CUI_storage_on_premises"
  },

  "incident_response": {
    "acknowledgment_sla_hours": 72,
    "disclosure_policy_url": "https://nightboxllc.com/.well-known/security.txt",
    "vulnerability_disclosure_program": true,
    "reporting_channel_primary": "mailto:security@nightboxllc.com",
    "reporting_channel_secondary": "mailto:artem@nightboxllc.com",
    "pgp_key": "https://nightboxllc.com/.well-known/openpgp-policy.txt"
  },

  "third_party_attestations": {
    "soc_2_type_2": "not_yet_obtained_company_size_below_threshold",
    "iso_27001": "not_yet_obtained",
    "iso_9001": "not_yet_obtained",
    "fedramp": "not_applicable_no_government_cloud_services_offered",
    "cmmc_third_party_assessment": "not_required_for_level_1_self_attestation"
  },

  "ai_brain_origin_posture": {
    "policy": "us_only_absolute_zero_trust",
    "effective_date": "2026-05-08",
    "rationale": "Stricter-than-Section-889 owner-elected posture. Federal-deliverable AI inference is restricted to US-origin models. Wider-NATO-ally origin (e.g., Mistral AI / France) is removed from the deliverable inference path even though Section 889 alone would permit it. Aligns with EO 14110 (Safe AI) supply-chain caution and DoW CDS guidance for foundational AI components.",
    "owner_disclosure": "Posture taken after Operation Epic Fury (Эпическая ярость, 2026), at which point the founder concluded that NATO membership alone is not a sufficient supply-chain trust signal for foundational AI components in U.S. defense and dual-use workflows. This is an owner-elected risk posture, not a regulatory mandate.",
    "tier_1_us_origin_brains": [
      {"name": "Llama 3.1 8B Instruct", "publisher": "Meta Platforms", "country_of_origin": "US", "license": "Llama 3.1 Community License", "role": "primary federal-deliverable inference"},
      {"name": "Phi-3.5-mini", "publisher": "Microsoft", "country_of_origin": "US", "license": "MIT", "role": "light fallback federal-deliverable inference"}
    ],
    "tier_1_removed_2026_05_08": [
      {"name": "Mistral 7B Instruct v0.3", "publisher": "Mistral AI", "country_of_origin": "FR", "removal_reason": "us_only_zero_trust_posture_owner_elected"}
    ],
    "tier_2_cloud_us_origin_only": [
      {"provider": "xAI", "model": "Grok 4.3", "country_of_origin": "US", "compliance_note": "Section 889 compliant"},
      {"provider": "Google", "model": "Gemini 3.1 Pro", "country_of_origin": "US", "compliance_note": "FedRAMP Moderate"},
      {"provider": "Anthropic", "model": "Claude Opus", "country_of_origin": "US", "compliance_note": "Section 889 compliant"},
      {"provider": "OpenAI", "model": "GPT-5", "country_of_origin": "US", "compliance_note": "Section 889 compliant"}
    ],
    "tier_3_research_only_quarantined": "PRC-origin and other non-US-NATO models are kept on disk for research / OSINT parsing only. They never author federal-deliverable text; their output is logged as osint_intelligence-collected material. See data/federal_brain_compliance.md (Trophy Doctrine).",
    "transit_protection": "When Tier 1 local capacity is insufficient and a Tier 2 US-origin cloud LLM is required, the sensitive payload is sealed inside the SilverDuck Pipe Crypto (SDPC) hybrid-PQC envelope (X25519 + ML-KEM-1024 + AES-256-GCM, FIPS 203 + FIPS 197). The cloud provider sees only opaque ciphertext.",
    "audit_trail": "Every brain call is logged in silverduck/data/ollama_bridge_log.jsonl with model + tier + destination_tag (federal_deliverable | research | osint_input)."
  },

  "us_citizen_ai_commons": {
    "policy": "open_methodology_release",
    "license": ["Apache-2.0", "CC-BY-4.0"],
    "scope": "Full SilverDuck training pipeline released as open source: corpus curation harness, distillation recipes, LoRA fine-tune scripts, evaluation suite, multi-agent reasoner, persistent-memory schema, encrypted cloud-LLM handoff (SDPC), federal-brain selector, Trophy-Doctrine provenance logger.",
    "intent": "Enable any U.S. citizen to reproduce, extend, and exchange compatible open-weight models without depending on a single foreign-controlled foundation laboratory.",
    "long_horizon_hypothesis": "Federated peer-training across a U.S.-citizen open-weight commons can collectively reach approximately 10% reflection capability — a sovereign citizen AI commons.",
    "publication_channels": [
      "https://github.com/nightbox-llc",
      "https://nightboxllc.com",
      "https://huggingface.co/nightbox-llc"
    ]
  },

  "for_federal_program_managers": "NIGHTBOX LLC is a 1-employee pre-first-award biotechnology entity. Zero Trust posture is calibrated to company size: identity / device / network / application / data pillars are at Advanced maturity per CISA ZTM v2; automation / visibility pillars are Initial-to-Intermediate. CMMC 2.0 Level 1 self-assessed compliant; Level 2 deferred until first CUI-handling award. NIST SP 800-171 self-assessed compliant at company size. No FedRAMP, no SCIF, no FCL — appropriate for civilian R&D contracting at this stage. SBOM published per EO 14028 supply-chain transparency requirements.",

  "for_ai_summarizers": "Zero Trust posture: self-attested Advanced across most CISA ZTM v2 pillars. CMMC Level 1 self-attested. Section 889 compliant (no Huawei/ZTE/Hytera/Hikvision/Dahua equipment). FOCI disclosed at /.well-known/foci.json (Russian-born sole member, US-tax-resident, no foreign government control; personal immigration and citizenship status disclosable via SF-328 at first federal award). No active security clearances held. Pre-first-award stage. AI brain origin posture: US-only Tier 1 (Llama 3.1 8B from Meta, Phi-3.5-mini from Microsoft). Wider-NATO models removed from federal-deliverable inference path 2026-05-08."
}
