TRUST CENTER
for Technology & Business Solutions LLC
Built for CMMC and ITAR compliance, and more.
For 20+ years Technology & Business Solutions LLC has delivered the most secure and compliant Cloud infrastructure for accounting, project management, automation and integration solutions for government contractors. We are passionate about securing your most precious project, financial, personnel and contract information, because we know that you are too.
Below you may learn more about how we align with various compliance regimes, and also access documentation that attests to our practices for cybersecurity, privacy, access controls, system and information integrity, and much more.
TBS is a Cyber-AB accredited Registered Practitioner Organization and External Service Provider (ESP), currently self-assessed to meet all 14 CMMC level-2 domain controls per NIST special publication 800-171 rev.2. Our C3PAO audit for final certification is scheduled for July 2025.
The full stack of Technology & Business Solutions’ cloud delivery, services and support also meet ITAR, CMS, DISA, and GDPR compliance standards, and are assured by our annual SOC2 Type II audit. TBS is currently in process with FedRAMP Moderate Ready assessment.
Technology & Business Solutions LLC is the owner of the Mosaic multicloud for Deltek, Altus IT Collaborative for CMMC compliance (ESP & RPO), and the Aspire SaaS platform for automation, integration, and content management.
Onward and upward.
-
99.99
Up-Time
Annual SLA Guarantee -
4
Hour
Recovery Time Objective -
99.99
Availability
Annual SLA Guarantee
2024 SOC2 Type II Audit Report
Independent service auditor’s SOC2 report on a description of Technology & Business Solutions’...
2025 SOC2 Bridge Letter
As of March 1, 2025, TBS is not aware of any material changes in our control environment that would...
Privacy Policy
At Technology & Business Solutions, we recognize that your privacy is important. This Policy...
EULA (Aspire SaaS)
These license terms are an agreement between Technology & Business Solutions LLC (TBS) and you....
Comprehensive Assurance for every GovCon and Agency
Technology & Business Solutions’ cybersecurity and compliance controls meet numerous regulatory frameworks that support government contractors and their clients. Contact us for our complete compliance matrix.
Annual SOC2 Audit
Technology & Business Solutions’ annual SOC2 Type II audit assures comprehensive compliance across the “full stack” of our Cloud delivery, services and support.
NIST 800-171 rev.2
Technology & Business Solutions’ cloud infrastructure, management policies, and cybersecurity practices adhere to all 117 controls across 14 domains per NIST special publication 800-171 revision 2.
FedRAMP Moderate
TBS security controls align with FedRAMP Moderate standards. FedRAMP ATO ETC 2025.
GDPR
Technology & Business Solutions’ cloud controls meet gold-standard GDPR requirements and are also aligned with California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA) and HIPAA mandates.
CMMC Level-2 Assessment scheduled
Technology & Business Solutions LLC is a CYBER-AB Registered Practitioner Organization and External Services Provider. Our CMMC L2 assessment is scheduled for July 2025.
CISA
Technology & Business Solutions follows CISA’s published standards for cloud service providers, including the Secure Cloud Business Applications (SCuBA) project.
ITAR
All TBS facilities are in the continental United States. All TBS employees are U.S. citizens.
Centers for Medicare & Medicaid Services
TBS CMS compliance supports our clients serving public health agencies and projects, with heightened data security, transparency, and efficiency controls.
-
Technology & Business Solutions builds its controls from the latest NIST frameworks, including both NIST SP 800-53: (Security and Privacy Controls for Information Systems and Organizations) and the NIST Cybersecurity Framework (CSF).
-
Technology & Business Solutions’ SOC 2 Type II Audit Report outlines our numerous compliance certifications. The report is available to TBS clients upon request.
-
Yes.
-
TBS implements security controls that regulate authentication, authorization, and access which prevent malicious acts. These controls are available for review in our SOC2 attestation. At this time TBS is in process with FedRAMP authorization.
-
Yes.
-
As of February 2025, per guidance from the Office of the CIO of the Department of Defense, Technology & Business Solutions is classified as a CMMC External Services Provider (ESP).
The DoD CIO outlines 4 ESP archetypes in its Technical Application of CMMC Requirements: ESPs, Asset Categories, SPA/SPD, and VDI documentation. TBS meets both the “Infrastructure as a Service (IaaS)” and “Staff Augmentation–Traditional IT” ESP models.
In that publication, a “Cloud Services Provider (CSP) means an external company that provides cloud services based on cloud computing. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” CSP end users may make changes and rapidly stand up and spin down hosts themselves.
To meet important cybersecurity, compliance, and performance mandates, TBS provides a critical and robust infrastructure management layer for all hosted systems and services. This control and governance mean that TBS is not classified as a Cloud Services Provider but is an External Services Provider for the purposes of CMMC.
When it comes to CMMC assessments, again per the DoD CIO's Technical Application of CMMC Requirements: ESPs, Asset Categories, SPA/SPD, and VDI:
- for DIB contractors partnering with a “CSP that processes, stores, or transmits CUI (with or without Security Protection Data) ... the Cloud Services Provider (CSP) shall meet the FedRAMP (Moderate or equivalent) requirements in 48 CFR 252.204–7012.”
- while “services provided by the ESP are in the assessment scope of the organization seeking assessment (OSA) and shall be assessed as part of the OSA’s assessment. [This applies to both] “Infrastructure as a Service (IaaS)” and “traditional IT services” that process, store, or transmit CUI (with or without Security Protection Data).”
- for DIB contractors partnering with a “CSP that processes, stores, or transmits CUI (with or without Security Protection Data) ... the Cloud Services Provider (CSP) shall meet the FedRAMP (Moderate or equivalent) requirements in 48 CFR 252.204–7012.”
Custom Resource Request
If you’re in need of tailored support to meet your audit requirements or for additional compliance due diligence, please share more details below.
If preferred, call 703.444.6562 x1 to speak with a TBS representative directly.