Skip to content
Request a demo
PlatformModulesIndustriesSecurityPricingInsights Request a demo

Industry

Manufacturing ERP for DoD-grade requirements.

ITAR export controls, DFARS clause flow-down, CMMC 2.0 Level 2 cybersecurity, and counterfeit prevention built in as native platform capabilities - not paid add-ons. Cortrova runs commercial cloud, air-gapped, or in classified environments, with every record classified and every AI agent's read/write boundary enforced at runtime.

Request a demo Security & compliance
110
CMMC 2.0 controls mapped
14
CMMC 2.0 domains covered
5
Data classification scopes
4
DFARS sub-tiers mapped

The challenge

  • !DFARS clauses do not stop at the prime contract - they flow down through every sub-tier purchase order, and one missed inheritance is a compliance gap
  • !Controlled data leaks through the analytics and reporting layer because classification is never enforced at the record level
  • !CMMC assessments turn into a documentation scramble instead of a review, with no clean map from control to evidence to owner
  • !Counterfeit and suspect parts slip into the supply chain without AS6174/AS5553 quarantine and traceability
  • !Export-controlled technical data is shared by access rules that the system can't actually enforce on people or AI agents

How Cortrova answers

  • DFARS flow-down is mapped at each tier: Cortrova inherits clauses down the sub-tier purchase order chain, verifies supplier compliance before a PO is released, and keeps the audit trail intact
  • A Scope Registry assigns a classification - Public, Internal, CUI, ITAR, or Air-Gap - to every record, and AI agents must declare read/write boundaries that are enforced at runtime
  • Each of the 110 CMMC 2.0 Level 2 controls across 14 domains is mapped to a system feature, the evidence it produces, and the responsible role, so assessment is a documentation review, not a fire drill
  • Counterfeit prevention follows AS6174 and AS5553: suspect parts are flagged, quarantined, and traced against approved sources before they reach production
  • Deploy in commercial cloud, fully air-gapped with no internet egress, or inside classified environments - the same platform, the same controls

The controls

Four defense controls, native to the platform.

Export control, contract flow-down, cybersecurity, and counterfeit prevention are part of the data model - not bolt-ons you license separately.

ITAR export control

Technical data under 22 CFR 120-130 is gated by nationality, role, and scope, so export-controlled drawings and specs are only reachable by authorized people and systems.

DFARS flow-down

252.204-7012 and the tiered clause map cascade down every sub-tier PO; supplier compliance is verified before release and recorded for audit.

CMMC 2.0 Level 2

110 controls across 14 domains - AC, AU, CM, IA, IR, SC, SI and the rest - each mapped to feature, evidence, and owner.

Counterfeit prevention

AS6174 and AS5553 workflows flag, quarantine, and trace suspect parts against approved sources before they enter the build.

Data security

Classification the analytics layer can't leak around.

The Scope Registry is the spine of data protection: five classification scopes, enforced wherever data moves - including the AI agents.

Five scopes

Public, Internal Employees, CUI, ITAR, and Air-Gap. Every record carries a scope, and the scope travels with it through reports, exports, and dashboards.

Runtime enforcement

AI agents declare the scopes they may read from and write to; those boundaries are enforced at runtime, so controlled data never leaks through analytics.

Air-gap ready

Run with no internet egress for classified work - the same controls hold whether you are in commercial cloud or fully disconnected.

How it works

Adopting defense.

01

Classify the data

Assign every record a scope in the Scope Registry - Public, Internal, CUI, ITAR, or Air-Gap - so protection is intrinsic to the data, not a permission bolted on later.

02

Map the contract

Load prime contract clauses and let Cortrova cascade DFARS flow-down through each sub-tier purchase order, verifying supplier compliance before any PO is released.

03

Stand up CMMC evidence

Each of the 110 Level 2 controls is tied to a feature, the evidence it generates, and a responsible role, so your assessment is a guided review.

04

Deploy to your environment

Run in commercial cloud, air-gapped, or in a classified environment - the platform and its controls move with you without re-architecture.

Compliance frameworks

Built in, not bolted on.

ITAR (22 CFR 120-130)DFARS 252.204-7012 / -7019 / -7020 / -7021DFARS 252.225-7048 / 252.246-7007 / -7008CMMC 2.0 Level 2NIST SP 800-171AS6174 & AS5553 (counterfeit prevention)AS9100 Rev DFAR / DFARS

FAQ

Questions, answered.

Are ITAR, DFARS, and CMMC features add-ons or part of the platform?

They are native platform capabilities, not paid add-ons. ITAR export controls, DFARS clause flow-down, CMMC 2.0 Level 2 cybersecurity, and AS6174/AS5553 counterfeit prevention are part of the core data model, so the controls hold across every module rather than living in a separate compliance bolt-on.

How does Cortrova handle DFARS flow-down to sub-tier suppliers?

Cortrova maps clause inheritance at each tier. It cascades clauses such as 252.204-7012 down every sub-tier purchase order, verifies that each supplier's compliance status is current before a PO is released, and maintains the audit trail so flow-down can be evidenced rather than reconstructed.

How does the platform keep controlled and CUI data from leaking?

A Scope Registry assigns a classification - Public, Internal Employees, CUI, ITAR, or Air-Gap - to every record. Those scopes are enforced everywhere data moves, including the analytics layer, and AI agents must declare the scopes they may read from and write to, with boundaries enforced at runtime.

Can Cortrova run in air-gapped or classified environments?

Yes. The same platform deploys in commercial cloud, fully air-gapped with no internet egress, or inside classified environments. The control set - ITAR, DFARS, CMMC, and scope enforcement - is identical regardless of deployment, so you do not trade compliance for isolation.

How does Cortrova reduce the CMMC 2.0 assessment burden?

Each of the 110 CMMC 2.0 Level 2 controls across 14 domains is mapped to the system feature that satisfies it, the evidence that feature produces, and the role responsible for it. That turns the assessment into a documentation review instead of a scramble, with a clean line from requirement to proof.

In the field

What defense teams run.

Release sub-tier POs only after DFARS flow-down and supplier compliance are verified

Walk a CMMC 2.0 assessor from control to evidence to owner without a documentation scramble

Keep ITAR technical data reachable only by authorized people and AI agents

Quarantine and trace suspect counterfeit parts under AS6174/AS5553 before they reach the floor

Run a fully air-gapped instance for classified production with no internet egress

Get started

Built for defense.

We'll tailor a demo to your environment and constraints.

Request a demo Explore the platform