For government contractors
Move CUI through any channel
without breaking compliance.
Encrypt. Track. Attest.
Defense contractors, federal IT consultancies, and any business handling Controlled Unclassified Information need transfer infrastructure that meets CMMC and NIST 800-171 expectations. CIPH4 produces the artifact your assessor asks for on every transfer.
THE CHALLENGE
Where the SSP gap lives
What teams in this role actually run into when secure transfer goes wrong.
01
SharePoint isn't built for CUI
Most contractor breach incidents involve CUI traveling through channels the contractor's own SSP doesn't account for: a personal email forward, an unmanaged Teams chat, an unenrolled mobile device. Inbox-based delivery leaves no audit-grade record of who saw what.
02
Findings turn on missing logs
CMMC Level 2 maps to NIST 800-171 controls including transmission encryption, access logging, and disposition records. Audit findings usually turn on the absence of access logs and provable disposition — not the encryption itself.
03
Every transfer needs an artifact
Subcontractor and government-client transfers happen daily. A defensible artifact for every transfer — who, when, where, and proof of disposition — is the difference between an assessment finding and a clean control map.
THE SOLUTION
What CIPH4 gives you
The product surface that maps to those problems, one feature at a time.
01
Encrypted in the sender's browser
Every file is encrypted in the sender's browser before it leaves it. The plain document never reaches CIPH4. Maps to NIST 800-171 3.13.11 (cryptographic mechanisms) and 3.13.16 (data at rest).
02
Tamper-evident audit trail
Every transfer is logged in a cryptographically chained audit record, serialized by an atomic database lock. Any after-the-fact change to a row is mathematically detectable. Maps to NIST 800-171 3.3 (audit and accountability) control family.
03
Per-IP allow / block rulesEnterprise
Pin recipient access to cleared network ranges before sharing. Per-org allowlists or personal blocks; enforcement-cache invalidation fires immediately on every rule change.
04
CMMC framework templateEnterprise
CMMC 2.0 control mapping inside the compliance suite, with policy library, vendor assessments, and evidence collection — all linked to the tamper-evident audit log.
05
Signed deletion receiptsEnterprise
Every Enterprise burn produces a cryptographically signed receipt — your disposition artifact under NIST 800-171 3.8.3. The defensible record for documented CUI destruction.
06
Single sign-on and automated provisioningEnterprise
Bind every access event to a verified identity from your IdP. SAML 2.0, OIDC, Azure AD, Okta; SCIM 2.0 for provisioning. Maps to NIST 800-171 3.5 (identification and authentication) requirements.
THE FLOW
How a typical workflow looks
A typical sequence — from intent to evidence — in three steps.
01
Stage
Drop the CUI document into a new link, set passphrase, expiry, and per-IP allowlist to the recipient organization's cleared egress range.
02
Track
You get a real-time notification the moment the recipient decrypts. Tamper-evident access log captures IP, geo, and timestamp for the SSP.
03
Document
When the document closes, pull the signed deletion receipt. File it in the engagement record as disposition evidence for assessor review.
THE FRAMING
Where CIPH4 fits your program
How the same building blocks land against the frameworks your auditor cares about.
01
Frameworks we map
CMMC 2.0 (levels 1-3), NIST 800-171, NIST 800-53, ITAR / EAR, and contract clauses (DFARS 252.204-7012, FAR 52.204-21). Included as ready-to-use compliance templates inside the suite.
02
Controls we ship
In-browser encryption (the plain document never reaches CIPH4), tamper-evident audit log, per-IP allowlists, single sign-on with automated provisioning. Map to NIST 800-171 3.13.11 / 3.13.16, 3.3 family, and 3.5 family.
03
Artifacts we generate
Cryptographically signed disposition receipts for documented CUI destruction. Tamper-evident access trail per transfer — the SSP artifact assessors actually want.
Ready to see it?
20 free links a month, no credit card. When you need single sign-on, compliance templates, or signed deletion receipts your auditor can verify — we'll talk.