Compliance Overview

Regulatory Alignment Guide

How Total Access Control supports compliance with major regulatory frameworks across government, healthcare, financial services, energy, and information security — with detailed alignment guides for each framework.

Frameworks Covered

How to use this guide. Each framework below summarises how TAC supports the technical controls auditors and assessors expect. Compliance with any framework is determined by your organisation’s complete control environment — of which TAC is one technical component. Click any framework for the full alignment guide with detailed control mappings.

Framework Alignment

Compliance Guides by Framework

Each guide describes the specific controls TAC addresses, what TAC does not cover, and what evidence TAC produces for auditors.

Federal & Zero Trust

NIST

NIST SP 800-207 · SP 800-171 · CSF · CMMC 2.0

TAC implements the Policy Engine, Policy Administrator, and Policy Enforcement Point defined in NIST SP 800-207, and aligns with NIST 800-171 control families for Controlled Unclassified Information (CUI) — the foundation of CMMC 2.0 compliance for defense industrial base contractors. Also covers NIST CSF Protect outcomes for identity management and access control.

  • All seven NIST 800-207 Zero Trust tenets implemented in one platform
  • NIST 800-171 families 3.1 (AC), 3.3 (AU), 3.5 (IA), 3.13 (SC) addressed for CUI applications
  • Phishing-resistant FIDO2 / WebAuthn MFA satisfying OMB M-22-09
  • CMMC 2.0 Level 2 and Level 3 access control, identification, and audit practices


Healthcare

HIPAA / HITECH

Health Insurance Portability and Accountability Act

TAC supports the HIPAA Security Rule’s Technical Safeguards (45 CFR §164.312) for covered entities and business associates protecting electronic protected health information (ePHI) — through reverse-proxy access mediation, MFA on every session, continuous device posture validation, and complete audit logging.

  • Access control, audit controls, person authentication, transmission security
  • Single-tenant SVA architecture preventing ePHI commingling between organisations
  • MFA injection for legacy EHR and clinical systems without code changes
  • TLS 1.2 or TLS 1.3 with FIPS 140-2 compliant cryptographic modules


Financial Services

PCI-DSS v4.0

Payment Card Industry Data Security Standard

TAC supports PCI-DSS v4.0 requirements for access control, authentication, monitoring, and network protection of systems in the cardholder data environment (CDE). The reverse-proxy architecture eliminates direct exposure of CDE applications, while continuous device posture validation and MFA satisfy v4.0’s expanded authentication and device requirements.

  • Requirements 1, 7, 8, 10, and 12.3.x for CDE access paths
  • Phishing-resistant MFA for administrative and cardholder data access
  • Continuous device posture validation (v4.0 expanded requirement)
  • Complete audit trail with SIEM export for Requirement 10 review


Federal

FedRAMP

Federal Risk and Authorization Management Program

TAC is architected to align with NIST SP 800-53 Rev. 5 controls at the Moderate and High baselines — the same control framework that underpins FedRAMP authorisation. TAC deploys in FedRAMP-authorised cloud environments (AWS GovCloud, Azure Government) as well as on-premises within agency facilities. TAC is not currently FedRAMP authorised and does not hold the FedRAMP Ready designation.

  • NIST 800-53 alignment across AC, IA, AU, SC families for agency ATO
  • Three deployment scenarios: on-premises, agency GovCloud, contractor environments
  • Single-tenant SVA — no shared infrastructure across agencies
  • Documentation and engineering support for agency Authority to Operate


Energy & Industrial

NERC CIP and IEC 62443

OT compliance — access paths into OT environments

TAC delivers the technical access control, authentication, monitoring, and audit evidence requirements of NERC CIP and IEC 62443 for the systems that command your OT environment — HMIs, SCADA servers, engineering workstations, historians, and remote-access tools. TAC sits in the IT/OT DMZ; it does not touch OT devices themselves.

  • NERC CIP-005 Electronic Security Perimeter and Intermediate System for remote access
  • NERC CIP-007 system security and CIP-004 access management evidence
  • IEC 62443-3-3 FR 1, FR 2, FR 3, FR 5, FR 6, FR 7 technical controls
  • Vendor remote access — time-bounded, scoped, MFA-enforced, fully logged


Information Security

ISO 27001:2022

International standard for ISMS

TAC supports specific ISO/IEC 27001:2022 Annex A controls — access control (A.5.15-A.5.18), supplier access (A.5.19, A.5.22), authentication and secure access (A.8.2, A.8.3, A.8.5), logging and monitoring (A.8.15-A.8.16), network security (A.8.20-A.8.22), and cryptography (A.8.24). TAC produces the technical evidence ISO 27001 lead auditors expect for these controls.

  • Annex A controls in Organisational (A.5) and Technological (A.8) themes
  • Continuous effectiveness evidence for Type II-style surveillance audits
  • Single-tenant isolation strengthens confidentiality control evidence
  • Unified audit trail simplifies ISMS audit scoping


Trust Services

SOC 2

AICPA Trust Service Criteria

TAC supports the SOC 2 Trust Service Criteria most relevant to access control — particularly Security (Common Criteria CC5-CC7) and Confidentiality. The continuous validation model is well-suited to SOC 2 Type II audits, which evaluate whether controls operate effectively over time rather than at a single point.

  • CC6 Logical Access — reverse proxy, MFA, identity federation
  • CC7 System Operations — continuous monitoring, audit trail
  • Confidentiality — single-tenant SVA, encrypted transmission, granular policy
  • Continuous effectiveness evidence for Type II audits


AI Governance

AI Agent Governance

NIST AI RMF · ISO/IEC 42001:2023

AI agents are non-human identities that authenticate, access systems, and take actions in your environment. TAC governs human and AI agent access through the same policy engine, producing unified audit evidence that maps to both the NIST AI Risk Management Framework (GOVERN, MANAGE) and ISO/IEC 42001:2023 Annex A controls.

  • NIST AI RMF GV-1.4, GV-1.5, GV-1.6, MG-2.4 (governance and risk response)
  • ISO/IEC 42001 A.6.2.6, A.6.2.8 (operation, monitoring, event logging)
  • Same policy engine for human and AI agent identities
  • Real-time revocation when AI agent behaviour or upstream identity changes


Quick Reference

TAC Capabilities × Compliance Frameworks

Primary = TAC addresses the framework requirement directly. Supporting = TAC contributes to the requirement but is one of multiple controls needed. Blank cell = the framework does not explicitly address this capability.

TAC Capability NIST HIPAA PCI-DSS FedRAMP NERC / IEC ISO 27001 SOC 2 AI Gov
MFA on All Applications PRIMARY PRIMARY PRIMARY PRIMARY PRIMARY PRIMARY PRIMARY SUPPORTING
Identity Federation (Multi-Directory) PRIMARY PRIMARY PRIMARY PRIMARY PRIMARY PRIMARY PRIMARY SUPPORTING
Continuous Device Posture PRIMARY SUPPORTING PRIMARY PRIMARY SUPPORTING SUPPORTING PRIMARY SUPPORTING
Comprehensive Audit Trail PRIMARY PRIMARY PRIMARY PRIMARY PRIMARY PRIMARY PRIMARY PRIMARY
Single Encrypted Channel (TLS 1.2/1.3 + FIPS 140-2) PRIMARY PRIMARY PRIMARY PRIMARY PRIMARY PRIMARY SUPPORTING SUPPORTING
Least-Privilege Policy Engine PRIMARY PRIMARY PRIMARY PRIMARY PRIMARY PRIMARY PRIMARY PRIMARY
Legacy App Security Uplift SUPPORTING PRIMARY PRIMARY PRIMARY PRIMARY SUPPORTING SUPPORTING
Single-Tenant SVA Architecture SUPPORTING PRIMARY SUPPORTING PRIMARY SUPPORTING PRIMARY PRIMARY
AI Agent Access Control SUPPORTING SUPPORTING SUPPORTING PRIMARY

Questions about your specific framework?

Our team can walk through specific control requirements for your industry, regulatory obligations, and audit timeline.

