SBA 8(a) CERTIFIED · MBE CERTIFIED · SAM.GOV REGISTERED · SBIR / STTR READY

CMMC 2.0 · NIST SP 800-171

CMMC & NIST 800-171 Posture

JMJ Neuro Systems™ maintains an active CMMC 2.0 Level 2 readiness program, aligned with all 110 controls of NIST SP 800-171 Rev. 2 for the protection of Controlled Unclassified Information (CUI) in federal R&D engagements.

Program Summary

Our cybersecurity program is built around the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework at Level 2, mapped 1:1 to the 110 security requirements of NIST SP 800-171 Rev. 2. All federal contract information (FCI) and CUI received under NDA is processed in environments engineered to meet or exceed these requirements.

Controls Summary (14 Families)

  • Access Control (AC): Least-privilege role-based access, MFA on all privileged accounts, session controls.
  • Awareness & Training (AT): Annual CUI handling, insider-threat, and phishing training for all personnel with CUI access.
  • Audit & Accountability (AU): Centralized, tamper-resistant audit logging with 12-month online retention.
  • Configuration Management (CM): Baseline configurations, change control board, allow-listed software.
  • Identification & Authentication (IA): FIPS-validated cryptography, MFA, unique user identifiers, no shared accounts.
  • Incident Response (IR): Documented IR plan, 72-hour reporting commitment to contracting agencies per DFARS 252.204-7012.
  • Maintenance (MA): Controlled, logged, and supervised maintenance activities.
  • Media Protection (MP): Encrypted storage, NIST SP 800-88 sanitization, no removable media for CUI without authorization.
  • Personnel Security (PS): Background screening, signed NDAs, and access reviews for all CUI-cleared staff.
  • Physical Protection (PE): Badge-controlled facilities, visitor logs, locked workstations.
  • Risk Assessment (RA): Annual risk assessments, continuous vulnerability scanning, documented POA&M.
  • Security Assessment (CA): Living System Security Plan (SSP), annual self-assessment, third-party readiness review.
  • System & Communications Protection (SC): TLS 1.2+ in transit, AES-256 at rest, network segmentation between research and corporate enclaves.
  • System & Information Integrity (SI): Endpoint detection & response, automated patch management, malware protection.

Compliance Anchors

  • NIST SP 800-171 Rev. 2 — 110 / 110 controls in scope
  • CMMC 2.0 Level 2 — readiness posture
  • DFARS 252.204-7012 / 7019 / 7020 — applicable on flow-down
  • FAR 52.204-21 — basic safeguarding of FCI
  • NIST SP 800-53 Rev. 5 — reference framework
  • FIPS 140-2/3 — validated cryptographic modules

Security Contact & Vulnerability Disclosure

Security researchers, federal partners, and contracting officers may report suspected vulnerabilities or request our current System Security Plan (SSP) summary through the channels below. We aim to acknowledge reports within 2 business days and provide a substantive response within 10 business days.

Do not include CUI, FCI, or PII in initial reports. We will coordinate a secure channel before any sensitive material is exchanged.

Last reviewed: 2026-05-20

IP Protected

Proprietary technology and trade-secret methods protected under applicable U.S. intellectual-property law.

NDA-Gated

All partnership and technical inquiries processed under executed mutual non-disclosure agreement.

Export Controlled

Sensitive content screened against ITAR / EAR. CUI handling per NIST SP 800-171 controls.
