UNCLASSIFIED // FOR OFFICIAL USE ONLY

Security Policy

Document ID: VSI-SEC-2025-001
Version: 4.1
Last Updated: January 1, 2025
Jurisdiction: United States · International
This Security Policy documents VSI Technologies' information security architecture, controls, operational procedures, and compliance posture. It applies to all VSI personnel, contractors, systems, and client deployments. VSI maintains a defense-in-depth security posture aligned to NIST SP 800-53 Rev 5, FedRAMP Moderate, CMMC 2.0 Level 2, and Zero Trust principles.
01 Security Governance

VSI Technologies maintains a formal Information Security Program governed by executive leadership with defined roles, responsibilities, and accountability structures.

Security Leadership
The Chief Information Security Officer (CISO) holds primary accountability for the VSI security program. A dedicated Security Committee meets quarterly to review program effectiveness, risk posture, and the emerging threat landscape.
Policy Framework
VSI's security program is governed by a comprehensive policy hierarchy: Security Policy (this document), System Security Plans (SSPs) per deployment, Standard Operating Procedures (SOPs), and technical implementation standards. All policies are reviewed annually and upon material changes.
Risk Management
VSI applies the NIST Risk Management Framework (RMF) to all government deployments. Risk assessments are conducted before each new system deployment and annually thereafter. Residual risk acceptance requires executive sign-off for government programs.
Compliance Posture
FedRAMP Moderate Aligned · NIST 800-53 Rev 5 Implemented · FISMA Compliant · CMMC 2.0 Level 2 Aligned · SOC 2 Type II Audited · DISA STIG Applied · Zero Trust EO 14028 Aligned · CJIS Security Policy Aligned
02 Security Architecture

VSI systems are built on a zero-trust security architecture where no implicit trust is granted to any user, device, or network segment regardless of location.

Zero Trust Principles
Verify explicitly (authenticate and authorize every request), use least-privilege access (minimize access scope), and assume breach (design for containment and rapid detection). All five zero-trust pillars are addressed: Identity, Devices, Networks, Applications/Workloads, and Data.
Network Architecture
Micro-segmented network zones with VLAN isolation per classification domain. No lateral movement paths between security zones. All inter-zone traffic inspected by next-generation firewalls. Compatible with TIC 3.0 network architecture for federal deployments.
Defense in Depth
Multiple independent security layers: perimeter controls, network segmentation, endpoint protection, application security, data encryption, monitoring, and incident response. No single control failure results in a security breach.
Air-Gap Capability
VSI systems support fully air-gapped deployment for classified environments. Offline operational modes maintain core functionality without external network connectivity. Data transfer between classification levels follows approved cross-domain solution (CDS) protocols.
03 Encryption Standards

All VSI systems implement encryption standards meeting or exceeding federal requirements:

Data State        Algorithm           Key Length         Standard
At Rest           AES-GCM             256-bit            FIPS 140-2 Validated
In Transit        TLS 1.3             256-bit            NIST SP 800-52 Rev 2
Key Management    RSA / ECDSA         4096 / P-384       NIST SP 800-57
Hashing           SHA-256 / SHA-384   n/a                FIPS 180-4
Key Exchange      ECDH / DHE          P-256 or higher    NIST SP 800-56A

All cryptographic modules are validated under FIPS 140-2 Level 1 or higher. See the FIPS 140-2 Attestation document for complete module listings and validation certificate numbers.

04 Identity & Access Management

VSI implements comprehensive IAM controls aligned to NIST SP 800-63 Digital Identity Guidelines.

Authentication
Multi-factor authentication (MFA) is mandatory for all VSI personnel and client system administrators. Government deployments support PIV/CAC smart card authentication per HSPD-12. FIDO2/WebAuthn is supported for phishing-resistant MFA.
Authorization
Role-Based Access Control (RBAC) with least-privilege enforcement. Access rights reviewed quarterly and upon role changes. Privileged Access Management (PAM) enforced for all administrative access. Just-in-time (JIT) privileged access for sensitive operations.
Identity Lifecycle
Automated provisioning and de-provisioning integrated with HR systems. Access terminated within 4 hours of personnel departure. Annual access recertification for all accounts. Orphaned account detection automated.
Shared Accounts
Shared or generic accounts are prohibited except for documented service accounts with restricted privileges and enhanced monitoring. All service accounts managed through the PAM vault with rotation policies enforced.
05 Monitoring & Incident Response

VSI maintains 24/7 security monitoring capabilities aligned to NIST SP 800-137 (Continuous Monitoring) and NIST SP 800-61 (Incident Response).

Security Operations
Continuous automated monitoring of all system components, network flows, and user activities. SIEM integration (Splunk, IBM QRadar) for correlation and alerting. Security events reviewed by trained analysts. Threat intelligence feeds integrated for proactive detection.
Incident Response
Four-phase IR process: Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident Activity. Government clients are notified within 1 hour of confirmed security incidents. US-CERT/CISA reporting within 72 hours per FISMA requirements. Full IR plan tested annually.
Metrics & SLAs
Mean Time to Detect (MTTD): target under 15 minutes. Mean Time to Contain (MTTC): target under 2 hours for Priority 1 incidents. Post-incident reports delivered within 72 hours.
Incident Reporting
To report a security incident: security@vsitechnologies.ai (monitored 24/7) · Priority 1 incidents: use the secure emergency contact provided in your engagement agreement
06 Physical Security

VSI personnel operate under physical security requirements appropriate to the engagement:

  • All VSI facilities require badge access with audit logging
  • Classified program work performed in approved facilities with appropriate physical security controls
  • SCIF-compatible workspace available for classified engagements requiring on-site presence
  • Clear-desk and clear-screen policies enforced for all personnel
  • Media handling and destruction follow NIST SP 800-88 (media sanitization) guidelines
  • Visitor management procedures enforced for all VSI facilities
07 Personnel Security

VSI's personnel security program ensures that trustworthy individuals handle government and sensitive client programs:

Background Investigations
All VSI personnel receive background investigations commensurate with their access requirements. Government program personnel are subject to applicable personnel security requirements including NACI, MBI, or higher investigations as required.
Security Clearances
VSI maintains cleared personnel at Secret and Top Secret levels for government programs requiring clearance access. Cleared personnel are subject to continuous evaluation (CE) programs as required by applicable security authority.
Security Training
Annual security awareness training mandatory for all personnel. Role-based training for personnel with privileged access or government program responsibilities. Insider threat awareness program maintained per EO 13587.
Acceptable Use
Acceptable Use Policy enforced for all VSI systems and government client systems. Policy acknowledgment required annually. Violations subject to disciplinary action up to and including termination and referral to appropriate authorities.
08 Supply Chain Security

VSI implements ICT supply chain risk management (SCRM) aligned to NIST SP 800-161 and Executive Order 14017.

Software Bill of Materials
SBOM provided for all VSI software deployments in CycloneDX or SPDX format. SBOM maintained current with each software release. Components cross-referenced against NVD and CISA Known Exploited Vulnerabilities (KEV) catalog.
Third-Party Assessment
All critical sub-processors and technology vendors assessed for security posture before engagement. Assessments reviewed annually or upon material changes. High-risk vendors subject to enhanced scrutiny and contractual security requirements.
DISA STIG Compliance
All system components are hardened per applicable DISA Security Technical Implementation Guides (STIGs). SCAP-compliant automated scanning validates STIG compliance. Findings remediated within defined SLA based on severity.
09 Cloud Security Posture

VSI cloud deployments are architected to government cloud security requirements:

  • AWS GovCloud (US) and Azure Government are the primary approved cloud environments for federal deployments
  • Cloud Security Posture Management (CSPM) tools continuously monitor cloud configurations against CIS Benchmarks and agency-specific requirements
  • Cloud infrastructure provisioned exclusively via Infrastructure as Code (IaC) with security controls embedded in templates
  • Container workloads protected by runtime security monitoring and image scanning
  • Serverless functions subject to same access controls and monitoring as traditional workloads
  • Cloud access governed by Cloud Access Security Broker (CASB) for visibility and policy enforcement
10 Vulnerability & Penetration Testing

VSI maintains a comprehensive vulnerability management and testing program:

Vulnerability Scanning
Automated vulnerability scanning of all production systems on a weekly basis. Critical findings remediated within 15 days. High findings within 30 days. Medium within 90 days. Low within 180 days or accepted risk with documented justification.
Penetration Testing
Annual third-party penetration test of VSI production infrastructure. Results shared with government clients upon request under NDA. Findings remediated and retested within defined SLA. Government program systems receive penetration testing per program requirements.
Bug Bounty
VSI operates a responsible disclosure program. Security researchers may report vulnerabilities to security@vsitechnologies.ai. VSI will acknowledge within 24 hours and provide remediation timeline within 5 business days.
11 Compliance Attestations

VSI maintains the following current compliance attestations and certifications:

Framework             Level/Status        Scope                        Renewal
FedRAMP Moderate      Aligned             VSI Cloud Platform           Annual
SOC 2 Type II         Certified           All VSI Services             Annual
NIST 800-53 Rev 5     Implemented         Government Deployments       Annual Review
CMMC 2.0 Level 2      Aligned             DoD Programs                 Triennial C3PAO
DISA STIG             Applied             All System Components        Per Release
FIPS 140-2            Level 1+ Modules    All Cryptographic Functions  Per Module
12 Security Contacts
Security Team Contacts
General Security Inquiries: security@vsitechnologies.ai
Vulnerability Disclosure: security@vsitechnologies.ai (PGP key available on request)
Government ISSO Liaison: government@vsitechnologies.ai
Incident Response (24/7): Provided in engagement agreement
CISO Office: legal@vsitechnologies.ai (for executive escalation)
// Document Authorization //
Issuing Authority
VSI Technologies Legal & Compliance Division
Contact
legal@vsitechnologies.ai
Document Control
Reviewed annually or upon material change