US PKI, HSM & IoT cryptography—designed for federal & state requirements
Vendor-neutral design, migrations, crypto audits and lifecycle automation. We align builds with US federal frameworks (NIST/FIPS, CNSA 2.0) and state privacy laws (CCPA/CPRA, CPA, VCDPA, CTDPA, UCPA) while preparing for post-quantum cryptography.
PKI design & hierarchy modernization
Offline roots, issuing tiers, AIA/CDP/OCSP, HA revocation, evidence-backed ceremonies.
- Profiles/EKUs, naming & validity aligned to NIST SP 800-57 Pt.1 & SP 800-131A
- TLS per SP 800-52r2 and NSA CNSA 2.0
- CLM integration (Venafi / EJBCA / Keyfactor), ACME/EST auto-enrollment
HSM custody & key management
On-prem & cloud HSM patterns with M-of-N, RBAC and auditable SOPs.
- Key lifecycle per NIST SP 800-57
- Module/partition policies aligned to FIPS 140-3
- Dual-control ceremonies with evidence packs
Certificate lifecycle automation (CLM)
Discovery → policy → issuance → renewal across hybrid estates.
- Agents/APIs, ACME/EST; policy folders & approvals
- Dashboards & SLOs (expiry MTTR, OCSP freshness, CRL age)
- Change windows with blue/green rollovers
Post-quantum readiness
CBOM, hybrid certificates, pilot → rollout. Aligned to the NIST PQC standards (FIPS 203/204/205) and CNSA 2.0.
- Algorithm policy & crypto-agility design
- Protocol & performance impact testing (handshake p95/p99)
- Parallel PKI design and deprecation plan
Cryptographic audits (infra & code)
CodeQL-driven code scans + infra review mapped to US controls.
- CBOM & deprecation removal (SHA-1, RSA-1024, weak ciphers)
- Control mapping to NIST SP 800-53, PCI DSS 4.x, HIPAA Security Rule
- Actionable remediation & backlog grooming
IoT identity & industrial PKI
Device enrollment at scale, constrained profiles, secure boot & signing.
- Baseline per NISTIR 8259A & NIST SP 800-82r3
- Firmware signing (LMS/HSS), supply-chain attestations
- Patterns aligned with ISA/IEC 62443
US regulatory & privacy alignment (what we design for)
Federal frameworks
- FIPS 140-3 (crypto modules) • FIPS 186-5 (digital signature)
- NIST SP 800-53 • CMMC 2.0
- FedRAMP • NSA CNSA 2.0
- NIST SP 800-207 (Zero Trust) • EO 14028
Sector regulations
- HIPAA/HITECH (health) • 21 CFR Part 11 (life sciences)
- PCI DSS 4.x (payments) • GLBA Safeguards & FFIEC (financial)
- NERC CIP & TSA Pipeline SD-02F (energy/pipelines)
- FBI CJIS Policy (law enforcement) • ITAR / EAR
State privacy laws
- California CCPA/CPRA • Colorado CPA
- Virginia VCDPA • Connecticut CTDPA
- Utah UCPA • emerging state privacy acts
Protocol & implementation baselines
- NIST SP 800-52r2 (TLS) • SP 800-131A (transitions)
- NIST PQC selected algorithms & CNSA 2.0 migration
We don’t offer legal advice. Our designs **align** technical controls and evidence with these frameworks so your legal/compliance teams can show conformity.
