Security & Data Handling Policy

Last updated: March 3, 2026

1. Introduction

Tereda Software LLC ("Tereda Labs," "we," "us," or "our") is a software engineering firm registered in Connecticut, USA, delivering custom platforms, AI/ML systems, and IT modernization services to federal, state, and commercial clients. This Security and Data Handling Policy describes the security architecture, controls, and practices that govern how we build software, handle data, and operate our infrastructure.

This document covers our organizational security posture as it applies to the development and delivery of software systems, including the protection of Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and client data entrusted to us through government and commercial engagements.

This policy reflects our actual security posture and documented procedures. We do not claim certifications we have not earned, and we use precise language throughout to distinguish between framework alignment and formal third-party validation. Every statement in this document is backed by internal documentation that can be provided to Contracting Officers upon request.

2. Cybersecurity Framework Alignment

Tereda Labs maintains alignment with federal cybersecurity frameworks governing the protection of CUI and FCI in non-federal systems. Our security architecture is informed by the following standards:

NIST SP 800-171 Rev. 2 — Our security controls are aligned to the 110 security requirements defined in NIST Special Publication 800-171 Revision 2, the active compliance baseline for protecting CUI in non-federal information systems per DoD Class Deviation 2024-O0013. We maintain a System Security Plan (SSP) documenting our implementation of each control family, and we operate a Plan of Action and Milestones (POA&M) process to track remediation of any gaps. Our assessment methodology supports Supplier Performance Risk System (SPRS) score submission as required by DFARS 252.204-7019 and DFARS 252.204-7020. We are actively monitoring the transition requirements for NIST SP 800-171 Rev. 3.

NIST SP 800-53 Rev. 5 — Our infrastructure and operational controls are consistent with the security and privacy controls defined in NIST SP 800-53 Revision 5. We are prepared to operate within FISMA-governed environments and implement controls at the moderate baseline where engagement requirements dictate.

CMMC 2.0 Level 2 Readiness — Tereda Labs is actively preparing for Cybersecurity Maturity Model Certification (CMMC) Level 2, with current alignment to the 110 NIST SP 800-171 Rev. 2 security requirements that form the Level 2 assessment criteria. Phase 1 of CMMC implementation (self-assessment in contract awards) began November 10, 2025. We are positioned for the Phase 2 transition to C3PAO third-party assessment when required. We do not represent ourselves as CMMC certified, as we have not yet undergone third-party assessment by an authorized C3PAO.

3. Controlled Unclassified Information (CUI) Handling

Tereda Labs maintains a CUI program consistent with the requirements of 32 CFR Part 2002 and Executive Order 13556, which established the government-wide CUI program. Our CUI handling posture includes the following commitments:

  • Marking and safeguarding — CUI is identified, marked, and safeguarded in accordance with the CUI Registry categories and applicable agency-specific guidance. We do not commingle CUI with uncontrolled data in shared storage or processing environments.
  • Need-to-know access — Access to CUI is restricted to personnel with a documented need-to-know and appropriate authorization. We enforce this through role-based access controls and periodic access reviews.
  • Annual training — All personnel who may handle CUI complete annual CUI awareness training covering proper marking, handling, storage, transmission, and destruction procedures.
  • Incident reporting — In the event of a cyber incident involving Covered Defense Information (CDI) or CUI, we report to the Department of Defense Cyber Crime Center (DC3) within 72 hours as required by DFARS 252.204-7012(c).
  • Data destruction — Media containing CUI is sanitized and destroyed in accordance with NIST SP 800-88 Rev. 1 guidelines.

Detailed CUI handling procedures are maintained internally and are available for review by authorized government officials upon request. They are not published on this website for operational security reasons.

4. Data Protection

Tereda Labs implements defense-in-depth data protection controls across all systems we develop and operate. Our data protection architecture addresses encryption, infrastructure sovereignty, and data lifecycle management.

Encryption at rest — All stored data is encrypted using AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode). Database-level encryption is enforced by default, with field-level encryption applied to sensitive attributes including personally identifiable information, authentication credentials, and any data designated as CUI.

Encryption in transit — All data transmitted between clients, servers, and internal services is protected using TLS 1.3. We enforce HTTPS across all endpoints and reject connections using deprecated protocol versions.

US-hosted infrastructure — All production infrastructure is hosted within the continental United States. We do not process or store client data in offshore data centers or jurisdictions outside US legal authority.

Media sanitization — End-of-life storage media and decommissioned systems are sanitized and destroyed in accordance with NIST SP 800-88 Rev. 1 (Guidelines for Media Sanitization). Methods are selected based on media type and data classification, ranging from cryptographic erasure to physical destruction.

5. Access Control & Authentication

Access to systems, data, and infrastructure is governed by the principle of least privilege and enforced through layered technical controls.

Role-Based Access Control (RBAC) — All systems implement RBAC with granular permission sets. Users are assigned the minimum permissions necessary to perform their duties. Access grants are reviewed quarterly and revoked immediately upon role change or separation.

Multi-Factor Authentication (MFA) — MFA is required for all administrative access, remote access, and access to systems processing CUI or FCI. We support FIDO2/WebAuthn hardware tokens and time-based one-time passwords (TOTP) as second factors.

Session management — Authenticated sessions enforce inactivity timeouts, automatic re-authentication after idle periods, and session invalidation upon logout. Session tokens are cryptographically generated and transmitted only over encrypted channels.

Zero Trust architecture — Our platform architectures incorporate Zero Trust principles consistent with NIST SP 800-207. This includes continuous verification of identity and device posture, micro-segmentation of network resources, and the assumption that no network zone is inherently trusted. Access decisions are made per-request based on identity, context, and policy rather than network location.

6. Incident Response

Tereda Labs maintains a documented Incident Response (IR) Plan consistent with NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide) and the reporting obligations of DFARS 252.204-7012.

  • 72-hour reporting — Cyber incidents involving Covered Defense Information are reported to the DoD Cyber Crime Center (DC3) via DIBNet within 72 hours of discovery, as required by DFARS 252.204-7012(c). We maintain the technical infrastructure and procedural readiness to meet this timeline.
  • Evidence preservation — Upon detection of a potential incident, we preserve all relevant log data, network traffic captures, and system artifacts. Forensic copies are created before any remediation actions are taken to maintain evidentiary integrity.
  • System image retention — Full system images of affected systems are retained for a minimum of 90 days following an incident to support government forensic review and investigation.
  • Malware isolation — Suspected malicious code is isolated in sandboxed environments for analysis. Affected systems are quarantined from production networks immediately upon identification.
  • Tabletop exercises — We conduct regular tabletop exercises and incident response drills to validate our IR procedures, identify gaps, and ensure all personnel understand their roles during an active incident.

Our IR Plan covers preparation, detection and analysis, containment, eradication and recovery, and post-incident activity phases as defined by NIST SP 800-61 Rev. 2. The plan is reviewed and updated after every incident and at minimum annually.

7. Supply Chain Security

As a software engineering firm, our supply chain risk is concentrated in third-party code, open-source components, development tools, and cloud service providers. We maintain a Cyber Supply Chain Risk Management (C-SCRM) program informed by NIST SP 800-161 Rev. 1.

Software Bill of Materials (SBOM) — We generate machine-readable SBOMs for all deliverable software in CycloneDX and SPDX formats, consistent with the requirements of Executive Order 14028 (Improving the Nation's Cybersecurity). SBOMs are maintained throughout the software lifecycle and updated with each release.

Third-party component review — All third-party and open-source components undergo security review before incorporation into deliverable systems. This includes vulnerability scanning, license compliance verification, and assessment of maintainer reputation and update frequency.

CVE monitoring — We maintain continuous monitoring for Common Vulnerabilities and Exposures (CVE) affecting components in our dependency trees. Critical and high-severity vulnerabilities are triaged within 24 hours of disclosure and remediated according to severity-based timelines.

Secure development practices — Our development lifecycle is aligned to the NIST Secure Software Development Framework (SSDF) as defined in NIST SP 800-218. This includes secure coding standards, automated static and dynamic analysis, dependency verification, and security-focused code review as standard gates in our release process.

8. FAR/DFARS Compliance Readiness

Tereda Labs is structured to perform under contracts incorporating standard federal cybersecurity and data handling requirements. Our compliance posture is organized by capability rather than as a clause-by-clause checklist, because our goal is operational readiness, not paperwork compliance.

Basic safeguarding (FAR 52.204-21) — We implement the 15 basic safeguarding controls required for the protection of Federal Contract Information (FCI) in all contractor information systems. These controls cover access restrictions, authentication, media protection, physical security, communications protection, and system integrity.

CUI protection and incident reporting (DFARS 252.204-7012) — Our security architecture provides adequate security for Covered Defense Information consistent with NIST SP 800-171 Rev. 2, and we maintain the 72-hour cyber incident reporting capability to DC3 required by this clause. We understand the distinction between FCI (protected under FAR 52.204-21) and CUI (protected under DFARS 252.204-7012) and apply controls accordingly.

DoD assessment and SPRS (DFARS 252.204-7019 / 7020) — We maintain an assessment methodology that supports SPRS score submission and are prepared to accommodate government assessment requirements, including Medium and High assessment levels as contract terms dictate.

CMMC requirements (DFARS 252.204-7021) — We are positioned to satisfy CMMC Level 2 requirements as this clause is phased into contract awards. Our alignment to NIST SP 800-171 Rev. 2 forms the technical basis for CMMC Level 2 readiness, and we are prepared to undergo C3PAO third-party assessment when required by contract terms.

9. Personnel Security

People are the first and last line of defense. Tereda Labs maintains personnel security controls that cover the full employment lifecycle.

  • Background verification — All personnel with access to client data, CUI, or production systems undergo background checks appropriate to their role and the sensitivity of the data they will handle.
  • Security awareness training — All personnel complete security awareness training upon onboarding and annually thereafter. Training covers phishing identification, social engineering, secure handling of sensitive information, password hygiene, and incident reporting procedures.
  • CUI-specific training — Personnel who handle CUI receive additional training on proper marking, handling, storage, transmission, and destruction procedures consistent with 32 CFR Part 2002 and agency-specific guidance.
  • Separation procedures — When personnel separate from the organization or change roles, all access is revoked within 24 hours. This includes disabling accounts, revoking MFA tokens, recovering company assets, and confirming return or destruction of any CUI in their possession.

10. Policy Governance

This policy is a living document that is reviewed and updated to reflect changes in our operational environment, regulatory landscape, and threat posture.

  • Review cycle — This policy is reviewed at minimum annually, and updated whenever significant changes occur to applicable regulations (such as CMMC phased implementation or NIST SP 800-171 Rev. 3 adoption), our technology stack, or our threat environment.
  • Change management — Policy changes are documented, reviewed by security leadership, and communicated to all affected personnel before taking effect.
  • Version control — All policy documents are version-controlled with revision dates. Previous versions are retained for audit purposes.

For questions about this policy, our security posture, or to request supporting documentation (SSP, POA&M, SPRS score, or VPAT), contact:

Security inquiries: [email protected]
Legal and compliance: [email protected]

Tereda Software LLC
Connecticut, USA