Security posture for defense work.
Mohave Forge treats every drawing, every cert, and every internal note as covered defense information until proven otherwise.
MFA enforced. SSO via SAML for prime customers. Role-based access (admin / engineer / customer) with least-privilege defaults and revocation auditing.
FIPS 140-2 validated cryptography for CUI in transit (TLS 1.3) and at rest. Signed, time-limited URLs for every engineering file download. Service-role keys never leave the server boundary.
U.S.-region only. Hardened serverless workers, automatic patching, no long-lived shell access. Database with row-level security on every user-data table.
Every quote decision, document download, role grant, and AI analysis is recorded in an immutable audit log accessible to admins and assigned engineers.
Continuous dependency scanning, leaked-password (HIBP) checks at signup, weekly security review. Coordinated disclosure at security@mohaveforge.com.
72-hour DoD reporting via DIBNet for cyber incidents involving covered defense information. Affected customers notified directly with scope and remediation.
Report a vulnerability.
Email security@mohaveforge.com with reproduction steps. We acknowledge within one business day and coordinate fix windows with affected programs. PGP key available on request.
▸ FULL COMPLIANCE POSTURE