Industry
Manufacturing ERP for DoD-grade requirements.
ITAR export controls, DFARS clause flow-down, CMMC 2.0 Level 2 cybersecurity, and counterfeit prevention built in as native platform capabilities - not paid add-ons. Cortrova runs commercial cloud, air-gapped, or in classified environments, with every record classified and every AI agent's read/write boundary enforced at runtime.
The challenge
- !DFARS clauses do not stop at the prime contract - they flow down through every sub-tier purchase order, and one missed inheritance is a compliance gap
- !Controlled data leaks through the analytics and reporting layer because classification is never enforced at the record level
- !CMMC assessments turn into a documentation scramble instead of a review, with no clean map from control to evidence to owner
- !Counterfeit and suspect parts slip into the supply chain without AS6174/AS5553 quarantine and traceability
- !Export-controlled technical data is shared by access rules that the system can't actually enforce on people or AI agents
How Cortrova answers
- ✓DFARS flow-down is mapped at each tier: Cortrova inherits clauses down the sub-tier purchase order chain, verifies supplier compliance before a PO is released, and keeps the audit trail intact
- ✓A Scope Registry assigns a classification - Public, Internal, CUI, ITAR, or Air-Gap - to every record, and AI agents must declare read/write boundaries that are enforced at runtime
- ✓Each of the 110 CMMC 2.0 Level 2 controls across 14 domains is mapped to a system feature, the evidence it produces, and the responsible role, so assessment is a documentation review, not a fire drill
- ✓Counterfeit prevention follows AS6174 and AS5553: suspect parts are flagged, quarantined, and traced against approved sources before they reach production
- ✓Deploy in commercial cloud, fully air-gapped with no internet egress, or inside classified environments - the same platform, the same controls
The controls
Four defense controls, native to the platform.
Export control, contract flow-down, cybersecurity, and counterfeit prevention are part of the data model - not bolt-ons you license separately.
ITAR export control
Technical data under 22 CFR 120-130 is gated by nationality, role, and scope, so export-controlled drawings and specs are only reachable by authorized people and systems.
DFARS flow-down
252.204-7012 and the tiered clause map cascade down every sub-tier PO; supplier compliance is verified before release and recorded for audit.
CMMC 2.0 Level 2
110 controls across 14 domains - AC, AU, CM, IA, IR, SC, SI and the rest - each mapped to feature, evidence, and owner.
Counterfeit prevention
AS6174 and AS5553 workflows flag, quarantine, and trace suspect parts against approved sources before they enter the build.
Data security
Classification the analytics layer can't leak around.
The Scope Registry is the spine of data protection: five classification scopes, enforced wherever data moves - including the AI agents.
Five scopes
Public, Internal Employees, CUI, ITAR, and Air-Gap. Every record carries a scope, and the scope travels with it through reports, exports, and dashboards.
Runtime enforcement
AI agents declare the scopes they may read from and write to; those boundaries are enforced at runtime, so controlled data never leaks through analytics.
Air-gap ready
Run with no internet egress for classified work - the same controls hold whether you are in commercial cloud or fully disconnected.
How it works
Adopting defense.
Classify the data
Assign every record a scope in the Scope Registry - Public, Internal, CUI, ITAR, or Air-Gap - so protection is intrinsic to the data, not a permission bolted on later.
Map the contract
Load prime contract clauses and let Cortrova cascade DFARS flow-down through each sub-tier purchase order, verifying supplier compliance before any PO is released.
Stand up CMMC evidence
Each of the 110 Level 2 controls is tied to a feature, the evidence it generates, and a responsible role, so your assessment is a guided review.
Deploy to your environment
Run in commercial cloud, air-gapped, or in a classified environment - the platform and its controls move with you without re-architecture.
Compliance frameworks
Built in, not bolted on.
FAQ
Questions, answered.
Are ITAR, DFARS, and CMMC features add-ons or part of the platform?
They are native platform capabilities, not paid add-ons. ITAR export controls, DFARS clause flow-down, CMMC 2.0 Level 2 cybersecurity, and AS6174/AS5553 counterfeit prevention are part of the core data model, so the controls hold across every module rather than living in a separate compliance bolt-on.
How does Cortrova handle DFARS flow-down to sub-tier suppliers?
Cortrova maps clause inheritance at each tier. It cascades clauses such as 252.204-7012 down every sub-tier purchase order, verifies that each supplier's compliance status is current before a PO is released, and maintains the audit trail so flow-down can be evidenced rather than reconstructed.
How does the platform keep controlled and CUI data from leaking?
A Scope Registry assigns a classification - Public, Internal Employees, CUI, ITAR, or Air-Gap - to every record. Those scopes are enforced everywhere data moves, including the analytics layer, and AI agents must declare the scopes they may read from and write to, with boundaries enforced at runtime.
Can Cortrova run in air-gapped or classified environments?
Yes. The same platform deploys in commercial cloud, fully air-gapped with no internet egress, or inside classified environments. The control set - ITAR, DFARS, CMMC, and scope enforcement - is identical regardless of deployment, so you do not trade compliance for isolation.
How does Cortrova reduce the CMMC 2.0 assessment burden?
Each of the 110 CMMC 2.0 Level 2 controls across 14 domains is mapped to the system feature that satisfies it, the evidence that feature produces, and the role responsible for it. That turns the assessment into a documentation review instead of a scramble, with a clean line from requirement to proof.
In the field
What defense teams run.
Release sub-tier POs only after DFARS flow-down and supplier compliance are verified
Walk a CMMC 2.0 assessor from control to evidence to owner without a documentation scramble
Keep ITAR technical data reachable only by authorized people and AI agents
Quarantine and trace suspect counterfeit parts under AS6174/AS5553 before they reach the floor
Run a fully air-gapped instance for classified production with no internet egress
Get started
Built for defense.
We'll tailor a demo to your environment and constraints.