
Aulendur Labs

Information Security Policy

Document ID: AUL-POL-01
Version: 1.0
Classification: Internal
Owner: Chief Technology Officer / ISSM
Effective: TBD-YYYY-MM-DD
Next Review: TBD-YYYY-MM-DD


1. Purpose

This policy establishes the information security program for Aulendur Labs, Inc. It defines the security objectives, governance structure, and foundational requirements that protect company information assets, Controlled Unclassified Information (CUI), and customer data. This policy satisfies the requirement for documented security policies and procedures under NIST SP 800-171 Rev. 3 control 03.15.01 and provides the governance framework for CMMC 2.0 Level 2 compliance.

2. Scope

This policy applies to:

  • Personnel: All employees, contractors, interns, advisors, and any third party granted access to Aulendur Labs information systems or data.
  • Systems: All information systems owned, operated, or managed by Aulendur Labs, including production environments (Linode, Cloudflare, AWS), development environments, corporate IT (Google Workspace, GitHub, Slack, 1Password), and the planned CUI Enclave (AWS GovCloud).
  • Data: All data classifications — Public, Internal, Confidential, CUI, and ITAR-controlled technical data.
  • Locations: Omaha headquarters, all remote work locations, and third-party facilities processing Aulendur data.
  • Products: DeepLoom, WeaveCast, and all supporting infrastructure.

3. Roles & Responsibilities

| Role | Responsibility |
|------|----------------|
| Chief Executive Officer (CEO) | Approves this policy; bears ultimate accountability for the security program; allocates resources for security activities. |
| Chief Technology Officer (CTO) / Information System Security Manager (ISSM) | Owns this policy; directs the information security program; authorizes system operation; reports security posture to the CEO. |
| Information System Security Officer (ISSO) | Executes day-to-day security operations, monitoring, and compliance evidence collection. At current scale (~5 personnel), the CTO/ISSM serves as acting ISSO until a dedicated ISSO is appointed. |
| System Owner | Implements security controls within owned systems; maintains system-level documentation. |
| Data Owner | Classifies data; authorizes access; reviews access permissions quarterly. |
| All Personnel | Comply with all security policies; complete required training; report security incidents and policy violations promptly. |

NOTE (DECISION POINT): At ~5 personnel, the CTO/ISSM is currently serving dual duty as acting ISSO. This is documented as a compensating control. When headcount exceeds 10 or Aulendur begins processing CUI in production, a dedicated ISSO shall be appointed.

4. Policy Statements

4.1 Information Security Program

4.1.1 Aulendur Labs shall maintain a documented information security program that protects the confidentiality, integrity, and availability of all information assets commensurate with their classification level.

4.1.2 The CTO/ISSM shall review and update this policy and the broader security program at least annually, or within 30 calendar days of a significant change to the threat environment, organizational structure, or regulatory requirements.

4.1.3 The security program shall address all control families defined in NIST SP 800-171 Rev. 3 and shall be structured to achieve CMMC 2.0 Level 2 certification.

4.1.4 The CEO shall allocate sufficient budget and personnel resources to implement and sustain the security program. Resource adequacy shall be evaluated during the annual risk assessment (see Risk Management Policy).

4.2 Regulatory Compliance

4.2.1 Aulendur Labs shall comply with DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), DFARS 252.204-7019 (NIST SP 800-171 DoD Assessment Requirements), DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements — Higher), and DFARS 252.204-7021 (Cybersecurity Maturity Model Certification Requirements) as conditions of its defense contracts.

4.2.2 Aulendur Labs shall comply with ITAR (22 CFR 120-130) and EAR (15 CFR 730-774) export control regulations for all technical data subject to those regimes.

4.2.3 Aulendur Labs shall comply with Section 889(a)(1)(A) and (a)(1)(B) of the FY2019 National Defense Authorization Act. No covered telecommunications equipment or services from Huawei, ZTE, Hytera, Hikvision, or Dahua (or their subsidiaries and affiliates) shall be procured, used, or connected to Aulendur systems.

4.2.4 The CTO/ISSM shall maintain a compliance obligations register and shall report compliance status to the CEO quarterly.

4.3 Risk-Based Approach

4.3.1 The security program shall be risk-based. Security investments and control implementations shall be prioritized according to the results of the annual risk assessment and any interim threat assessments (see Risk Management Policy).

4.3.2 Residual risks that exceed Aulendur's risk appetite shall be documented in the Risk Register and tracked through the Plan of Action and Milestones (POA&M) process.

4.4 Defense-in-Depth

4.4.1 Aulendur Labs shall implement defense-in-depth by applying overlapping security controls across administrative, technical, and physical domains. No single control failure shall result in unauthorized access to CUI or Confidential data.

4.4.2 All personnel shall use hardware-backed multi-factor authentication (YubiKey 5, FIDO2/WebAuthn) for access to Google Workspace, GitHub, 1Password, and all production infrastructure (NIST SP 800-171 R3 03.05.03).

4.5 Incident Reporting

4.5.1 All personnel shall report suspected security incidents, policy violations, and vulnerabilities to the CTO/ISSM within 1 hour of discovery via the designated reporting channel (Slack #security-incidents or direct notification).

4.5.2 Cyber incidents involving Covered Defense Information (CDI) shall be reported to the Department of Defense within 72 hours via the DIBNet portal using a medium-assurance certificate, per DFARS 252.204-7012(c). Forensic images shall be preserved for 90 calendar days. Malicious software shall be submitted to the DoD Cyber Crime Center (DC3).

4.6 Continuous Improvement

4.6.1 The CTO/ISSM shall track security program maturity against the CMMC 2.0 Level 2 practice requirements and shall report progress to the CEO quarterly.

4.6.2 Findings from internal reviews, external assessments, and incident post-mortems shall be tracked in the POA&M and remediated according to the timelines defined in the Compliance Management Policy (forthcoming).

4.7 Policy Architecture

4.7.1 This Information Security Policy is the apex document in Aulendur's policy hierarchy. All subordinate policies, standards, procedures, and plans shall be consistent with and traceable to this policy.

4.7.2 The complete policy library structure, build order, and status are maintained in BUILD_ORDER.md and STATUS.md in the policy repository.

5. Standards & Procedures Referenced

The following companion documents implement this policy:

6. Compliance & Enforcement

Violations of this policy may result in disciplinary action up to and including termination of employment or contract, civil penalties, and criminal prosecution where applicable. Suspected violations shall be reported to the CTO/ISSM via Slack #security-incidents or the Whistleblower & Reporting Policy (forthcoming).

7. Exceptions

Exceptions to this policy require written approval per the Policy Exception & Waiver Policy (forthcoming). Exceptions are time-bounded (maximum 180 calendar days), backed by compensating controls, and tracked in the Exception Register.

8. Definitions

| Term | Definition |
|------|------------|
| Controlled Unclassified Information (CUI) | Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls, per 32 CFR Part 2002. |
| Covered Defense Information (CDI) | Unclassified controlled technical information or other information as described in the CUI Registry that requires safeguarding or dissemination controls per DFARS 252.204-7012. |
| ISSM | Information System Security Manager: the individual responsible for the organization's information security program. |
| ISSO | Information System Security Officer: the individual responsible for day-to-day security operations for a specific system or set of systems. |
| POA&M | Plan of Action and Milestones: a document identifying tasks to correct security deficiencies and reduce risk. |
| FIDO2 | Fast Identity Online 2, an authentication standard using public-key cryptography for phishing-resistant authentication. |

9. References

  • NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
  • CMMC 2.0 Level 2, Cybersecurity Maturity Model Certification
  • DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
  • DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements
  • DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements
  • DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements
  • 32 CFR Part 2002, Controlled Unclassified Information
  • Section 889, John S. McCain National Defense Authorization Act for Fiscal Year 2019
  • ITAR (22 CFR 120-130), International Traffic in Arms Regulations
  • EAR (15 CFR 730-774), Export Administration Regulations

10. Control Mappings

| Framework | Control ID | Control Title | Coverage |
|-----------|------------|---------------|----------|
| NIST SP 800-171 R3 | 03.15.01 | Policy and Procedures | Full |
| NIST SP 800-171 R3 | 03.15.03 | Rules of Behavior | Partial; completed by AUL-POL-05 Acceptable Use Policy |
| CMMC 2.0 L2 | PL.L2-3.12.4 | Security Plans | Partial; completed by AUL-PLN-01 System Security Plan |
| NIST SP 800-53 R5 | PL-1 | Policy and Procedures | Full |
| NIST SP 800-53 R5 | PM-1 | Information Security Program Plan | Full |

11. Revision History

| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | TBD-YYYY-MM-DD | J. Gershenson | Initial issue. |

© Aulendur Labs, Inc. 2026. Internal use only unless otherwise classified.