Built for the most regulated places on earth. Honest about where we are.
We are getting prime-time ready for the world's most regulated industries, starting with defense, intelligence, and national security. That means targeting FedRAMP High and the DoD Impact Levels, on top of the consent-first, data-ownership architecture underneath 🤫 Agent One and the 🤫 Puppy One edge grid. This is our public roadmap with committed windows. Every status here is a target / in-pursuit milestone, never an assertion that we are already certified.
Optimistic about progress. Honest about status.
We publish the dates
Every target window is stated publicly so partners, integrators, installers, and agencies can plan around what to expect by when - no private roadmaps, no vague 'coming soon'.
Target, not a claim
Until an attestation or authorization is granted, every item reads as in-pursuit / target. We never describe ourselves as certified before we are.
Delays and early releases
If a window moves, we say so and explain why. If we land early, we celebrate it. The record stays accurate - optimistic about progress, critical about what to improve.
Usable by your whole chain
End-users, installers, implementation, deployment, distribution, and support partners can all rely on this page to set expectations with their own stakeholders.
Status legend. In pursuit / target means active work toward a stated window - not a granted attestation or authorization. We will update each item to achieved only when the certificate, attestation, or authorization is formally issued, and we will date it.
The architecture regulated buyers actually evaluate.
Certifications confirm controls; they do not create them. The reason 🤫 is built for regulated work is the architecture underneath: the customer owns the data and the hardware, every access is consented and logged, and it can run sovereign or on-device. These are design properties of the product, stated plainly, not certifications.
The data stays the customer's
Agent One runs on hardware the customer owns, and the personal and mission data lives there. There is no quiet copy on someone else's cloud to breach.
Every access is scoped and logged
The Personal Consent & Hushh Protocol gates every read and share: least privilege, scoped grants, revocable, and a receipt for every action. Auditors love a receipt.
Runs where the mission requires
On-device and at the sovereign edge (🤫 Puppy One), so deployments can be air-gapped, region-bound, or controlled-environment, not forced into a public multi-tenant cloud.
Verify everything, trust nothing by default
Identity-aware access, strong authentication, and segmentation throughout. No implicit trust between components or networks.
At rest and in transit
Strong encryption by default, targeting FIPS 140-3 validated modules for the federal track. Keys the customer can control.
An immutable record
Receipts and logs give a tamper-evident trail of who accessed what, when, and under whose consent, the evidence an ATO and a CISO both need.
Every standard we're pursuing, with a target window.
FedRAMP High
The headline goal for federal and national-security workloads. Pursuing an agency sponsor and a 3PAO assessment, Moderate first then High. Status: in-pursuit, not authorized.
DoD Impact Levels IL4 / IL5
Sovereign and controlled-environment deployments for the IL4/IL5 mission set, pursued alongside FedRAMP High for defense customers.
DoD IL6 (classified)
For SECRET-level mission needs, exploring an IL6 path in sovereign enclaves. Long-horizon and dependent on sponsor and environment. Status: exploratory.
CMMC 2.0 (Level 2)
Aligning to NIST SP 800-171 for the defense industrial base; Level 2 assessment targeted as the program matures.
NIST SP 800-53 & 800-171
The control families underneath FedRAMP and CMMC. We are building and documenting to these as the security foundation everything else inherits.
SOC 2 Type II
Observation period underway; Type II attestation targeted for H2 2026. Type I readiness reached first as a milestone on the way.
ISO/IEC 27001
Information-security management system build-out in progress; Stage 1 then Stage 2 audit targeted for the second half of 2026.
ISO/IEC 42001 (AI management)
Pursuing the AI-management-system standard for governed, auditable agentic AI, targeted to follow 27001.
FIPS 140-3 cryptography
Validated cryptographic modules for data at rest and in transit, a prerequisite for the federal track.
HIPAA readiness
Safeguards and a BAA program for regulated health workloads; readiness targeted for the first half of 2027.
PCI DSS
For payments and the 🤫 Gold ID. Card data is handled by our payment processor today; full PCI DSS scope is on the roadmap.
Section 508 & WCAG 2.2 AA
Accessibility is a federal requirement and a value. We build and test to 508 and WCAG 2.2 AA as an ongoing commitment.
GDPR & EU-US Data Privacy Framework
Consent-first by construction (PCHP). Data-residency and DPF alignment is an ongoing, continuously-maintained commitment.
StateRAMP
Planned to follow the FedRAMP track for state and local government deployments.
IRAP, UK G-Cloud & allies
For allied governments, IRAP (Australia) and UK frameworks are planned as the sovereign-edge footprint expands.
Target windows are good-faith estimates and may move; when they do, we update this page and note the change. This roadmap is informational and is not itself a certification, attestation, or authorization.
From sponsor to scale, with one accountable owner.
Sponsor and scope
We align with an agency or prime sponsor, scope the mission system, and map it to the controls and the authorization path (ATO).
Controlled pilot
Stand up a pilot in a controlled or sovereign environment on hardware you own, with consent and audit on from day one.
Assess and authorize
Work through readiness, the 3PAO assessment, and authorization, documenting evidence and dating every milestone publicly.
Scale with accountability
Grow with one accountable owner and forward-deployed engineering, so what we sell we can actually run and re-authorize.
Investors and early customers can start now: we onboard through controlled pilots while the authorizations progress in parallel, so mission value begins before the final badge is granted, with full honesty about status at every step.
Partners can't plan around a secret.
A roadmap you can hold us to.
FedRAMP High, DoD IL4/IL5, CMMC, NIST 800-53/171, FIPS 140-3, SOC 2, ISO 27001 & 42001, HIPAA, PCI DSS, 508, GDPR/DPF, StateRAMP.
Committed windows on this page - so your stakeholders can plan around them.
We log slips and early releases as they happen. The record stays accurate.
Building for the most demanding environments.
If your standard isn't listed, or you need a sponsor conversation, talk to our trust team - we'll tell you exactly where we are and what we're targeting.
One is a product of Hushh Technologies Corporation (brand: 🤫 “hussh”), an independent company. One runs on third-party silicon, systems, and cloud; all company names are used solely to describe the platforms on which One software runs. Hushh Technologies is not affiliated with, endorsed by, sponsored by, or partnered with any company named.