
Compliance roadmap

Where Cincra is today and where we're going on FIPS 140-3, AWS GovCloud (US), and FedRAMP Moderate. We publish honest dates — including the ones that haven't slipped yet.

Last updated June 2026
  1. Available today (live since 2026 Q1)

    Commercial cloud — DIB-ready

    Cincra runs on hardened commercial infrastructure with TLS 1.3 in transit, AES-256 at rest, SHA-256 hash-chained audit trail, and tenant-isolated RLS — suitable for handling FCI and supporting CMMC L1/L2 self-assessment workflows.

    • Postgres + RLS multi-tenancy (org_id-scoped on every row)
    • Evidence integrity: client-computed SHA-256 + tamper-evident audit_logs chain
    • Google SSO, role-based access (admin / member / auditor)
    • Single-region US-East commercial cloud
  2. In progress (target: 2026 Q4)

    FIPS 140-3 validated cryptography

    Replace commercial crypto modules with FIPS 140-3 validated equivalents end-to-end so CUI-handling tenants meet NIST SP 800-171 §3.13.11 (Employ FIPS-validated cryptography).

    • Migrate object storage encryption to AWS KMS with FIPS endpoints
    • Pin TLS to FIPS-approved cipher suites at the edge
    • Swap browser-side SHA-256 for WebCrypto in FIPS-mode bundle
    • Publish CMVP certificate references in the Trust Center
  3. In progress (target: 2027 Q2)

    AWS GovCloud (US) tenancy

    Dedicated GovCloud (US) deployment with ITAR-screened operators, US-persons-only support, and physical isolation from the commercial plane. Required for ITAR/EAR-controlled CUI and L2 certification pursuits.

    • GovCloud (US-West) primary + (US-East) DR
    • US-persons-only access enforcement on the support and operator plane
    • Separate identity tenancy (no cross-realm federation with commercial)
    • Customer-managed KMS keys (BYOK) per org
  4. Planned (target: 2028)

    FedRAMP Moderate authorization

    Pursue FedRAMP Moderate authorization via the agency sponsorship path so federal customers and primes flowing down DFARS 252.204-7012 can adopt Cincra under an existing ATO.

    • Engage 3PAO for readiness assessment (RAR)
    • Complete SSP, SAP, SAR, POA&M against 325 Moderate baseline controls
    • Continuous monitoring program (monthly vuln scans, annual assessment)
    • Sponsoring agency ATO → FedRAMP Marketplace listing

A note on dates

FedRAMP Moderate takes 12–24 months from kickoff to ATO and depends on agency sponsorship. GovCloud and FIPS milestones are within our control and we'll update this page when each ships. If a date on this page is more than 30 days stale, email trust@cincra.com and we'll fix it.

Need GovCloud or FedRAMP today?

Enterprise customers can co-sponsor an accelerated path. Talk to us.
