passcore
Defense

Identity infrastructure
for cleared environments.

Built for defense primes, federal agencies, and government contractors operating under IL4, IL5, FedRAMP High, and ITAR requirements. The only commercial IAM platform with PIV/CAC defense mode and hard-fatal bypass enforcement.

Certifications & authorizations

Meeting the bar for cleared work.

IL4+
Impact Level 4 & 5
Supports CUI and mission-critical data classification requirements under DoD CC SRG.
FedRAMP
High Authorization Path
Full NIST 800-53 Rev5 control mapping with ATO documentation package and dedicated CSM support.
FIPS 140-2
Validated Cryptography
All cipher operations use FIPS 140-2 validated modules. Post-quantum ready with CRYSTALS-Kyber and CRYSTALS-Dilithium.
ITAR
Export Control Compliant
Air-gap and on-prem deployment with no external dependencies. Suitable for ITAR-restricted networks.
NIST
800-53 Rev5 Mapping
Complete control mapping and evidence artifacts for all applicable baselines: Low, Moderate, and High.
STIG
DISA STIG Aligned
Configuration hardening aligned to DISA Application Security and Development STIG requirements.
Technical specifications

Defense mode, in detail.

passcore Defense is not a configuration option on the commercial platform; it is a separate deployment with hardened defaults that cannot be overridden.

PIV/CAC authentication
Per-login certificate validation with enforced OCSP revocation freshness. Revocation bypass flags (PIV_REVOCATION_BYPASS) are hard-fatal in all non-development builds.
IL4+
Certificate trust chain
Requires X-SSL-Client-Verify: SUCCESS from reverse proxy. Full DoD PKI trust anchor validation enforced at startup and per-login.
DoD PKI
Cryptographic modules
FIPS 140-2 validated for all symmetric and asymmetric operations. Post-quantum: CRYSTALS-Kyber (key encapsulation), CRYSTALS-Dilithium (signatures).
FIPS 140-2
Audit log integrity
MustLog compliance mode: every auth event is committed atomically in the same database transaction. Audit write failures halt the request, so there are no silent gaps in the compliance record.
MustLog
WebAuthn (defense mode)
WEBAUTHN_ENABLED flag required; disabled by default. Routes gated behind defense-mode middleware. Org ID propagation enforced: no audit rows in unscoped system bucket.
FIDO2
Session handling
Redis GETDEL atomic session consumption. No replay attacks. JWT signed with CRYSTALS-Dilithium in defense mode. Session lifetime bounded by clearance policy.
Zero-trust
Database isolation
PostgreSQL with Row-Level Security. Org-scoped data isolation enforced at the database layer, not application layer. ABAC policies evaluated before any query executes.
RLS
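
The audit behaviour described under "Audit log integrity" (audit row in the same transaction as the auth event, request halted if the audit write fails) can be illustrated as follows. This is an added example, not passcore code: sqlite3 stands in for PostgreSQL so it runs offline, and the schema, `login`, `counts` and `AuditWriteError` are hypothetical names.

```python
import sqlite3

class AuditWriteError(RuntimeError):
    """The audit row could not be written, so the auth request must fail."""

def open_db():
    # Constructed schema. isolation_level=None: transactions are explicit.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.executescript("""
        CREATE TABLE sessions (id INTEGER PRIMARY KEY, org_id TEXT, subject TEXT NOT NULL);
        CREATE TABLE audit_log (
            id INTEGER PRIMARY KEY,
            org_id TEXT NOT NULL CHECK (org_id <> ''),  -- no unscoped audit rows
            subject TEXT NOT NULL,
            event TEXT NOT NULL);
    """)
    return db

def login(db, org_id, subject):
    """Create a session and its audit row in one transaction, or neither."""
    db.execute("BEGIN IMMEDIATE")
    try:
        session_id = db.execute(
            "INSERT INTO sessions (org_id, subject) VALUES (?, ?)",
            (org_id, subject)).lastrowid
        try:
            db.execute(
                "INSERT INTO audit_log (org_id, subject, event) VALUES (?, ?, ?)",
                (org_id, subject, "login.success"))
        except sqlite3.Error as exc:
            raise AuditWriteError("audit write failed; request halted") from exc
        db.execute("COMMIT")
        return session_id
    except BaseException:
        db.execute("ROLLBACK")  # undo the session insert as well
        raise

def counts(db):
    """Return (session rows, audit rows)."""
    one = lambda sql: db.execute(sql).fetchone()[0]
    return one("SELECT COUNT(*) FROM sessions"), one("SELECT COUNT(*) FROM audit_log")

if __name__ == "__main__":
    db = open_db()
    print(login(db, "org-a", "alice"), counts(db))
    try:
        login(db, None, "bob")  # constructed failure: missing org ID
    except AuditWriteError as err:
        print(err, counts(db))
```

When reviewing a real deployment, the property to check is the same: after any forced audit failure, the count of state-changing rows and the count of audit rows must still match.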
Deployment options

Meets your environment, not the other way around.

GovCloud SaaS

Deployed in AWS GovCloud (US). FedRAMP authorized infrastructure. Suitable for CUI up to IL4.

IL4 · FedRAMP · AWS GovCloud

On-premises

Deploy in your own data center on customer-managed hardware. Full configuration control. No external dependencies required.

IL5 · ITAR · Customer-managed

Air-gapped

Fully disconnected deployment. No outbound connections required. Suitable for ITAR-restricted and classified environments.

IL5+ · ITAR · Classified
ATO support

We've done this before.

Our dedicated compliance team has supported multiple federal ATO engagements. We provide the documentation, you bring the agency relationship.

Start the conversation
1. Vetting & NDA

Organization and personnel vetting. NDA execution. Access provisioned to the defense portal and documentation repository.

2. Control mapping delivery

Full NIST 800-53 Rev5 control mapping, SSP templates, and evidence artifacts delivered for your specific baseline.

3. Technical integration

Dedicated solutions engineer for PIV/CAC configuration, deployment architecture review, and pen test coordination.

4. ATO & ongoing support

Continuous monitoring support, annual evidence refresh, and dedicated CSM for the life of your agreement.

Ready to talk?

passcore Defense is available to vetted defense contractors, federal agencies, and government systems integrators. Start with a conversation.

Vetted organizations only · NDA required · US persons only