While Others Play Catch-Up, We’re Setting the Security Standard

The Cybersecurity Maturity Model Certification (CMMC) was created by the U.S. Department of Defense to raise the bar on how contractors handle sensitive information. But over time, it’s become much more than a defense requirement; it’s become a litmus test for operational excellence in the commercial sector. CMMC Level 2, in particular, is a proving ground. It requires organizations to demonstrate real-world capabilities in identity management, incident response, system hardening, secure development, and continuous monitoring. In short, it’s the difference between checking boxes and building resilient systems.
The model below outlines the three levels of CMMC and the rigor associated with each. Sanas has aligned its security posture to the advanced practices defined in Level 2.
Source: Department of Defense
At Sanas, we’ve architected our platform and security program to align with this level of maturity, because we believe these standards represent not just compliance, but real-world resilience. Our internal security posture maps directly to the core pillars of CMMC Level 2, reflecting a deep commitment to protecting our customers' data, systems, and trust.
How Sanas Stacks Up to the Highest Security Standard
Earning CMMC Level 2 compliance isn’t a formality. It requires organizations to prove they can enforce strict identity and access controls (AC), harden and segment systems (SC), encrypt sensitive data (MP), respond to incidents (IR), and maintain operational continuity (CP). Each of these areas demands real investment, real processes, and real accountability.
We’ve built systems that reflect comprehensive alignment with CMMC Level 2. Below are several representative controls we’ve chosen to highlight.
| Domain | CMMC Practice | How Sanas Meets It |
| --- | --- | --- |
| Access Control | AC.L2-3.1.5 Least Privilege | All access is provisioned based on role and necessity. Privileged access is tightly controlled using enterprise password vaults, just-in-time access and rotating cryptographic keys. |
| Audit & Accountability | AU.L2-3.3.1 System Auditing | Logs every system event and user action across all scoped environments. Logs are stored in tamper-proof systems and retained for at least 1 year. |
| Identification & Authentication | IA.L2-3.5.3 Multifactor Authentication | MFA is required for all scoped systems including the ones housing sensitive data, combined with cryptographic keys and strict session timeout policies. |
| System & Communications Protection | SC.L2-3.13.8 Data in Transit Protection | All data in transit is encrypted using TLS 1.2+, AES-256, and SHA256. Sanas employs defense-in-depth routing and segmentation. |
| System & Communications Protection | SC.L2-3.13.16 Data at Rest Protection | All stored data is encrypted using FIPS 140-2 standards, including logs, databases, and backups, with isolated key storage. |
| Incident Response | IR.L2-3.6.1 Incident Handling | Dedicated team with defined playbooks, escalation paths, and annual incident response simulations approved by CERT. |
| Configuration Management | CM.L2-3.4.2 Security Configuration Enforcement | Production servers are hardened and baseline-imaged to enforce secure defaults. Changes are logged and audited. |
| Risk Assessment | RA.L2-3.11.2 Vulnerability Scanning | Proactive vulnerability scans are performed bi-weekly, with prioritized patching and quarterly third-party assessments. |
These aren’t just claims, they’re baked into our security operations lifecycle, tested in third-party pen tests, and available for audit by customers. We’ve aligned our practices with CMMC Level 2 because we believe that standard represents not just security, but maturity.
Security So Good, You’ll Never Think About It
At Sanas, real-time voice transformation isn’t just a product, it’s an infrastructure. It handles live, sensitive, person-to-person communication at scale. That means trust can’t be an afterthought.
Security is embedded in every conversation we enable. Our customers include contact centers, healthcare providers, financial services, and enterprises with global data obligations. For them, it's not enough to say we encrypt. They need to know we can withstand outages, stop unauthorized access, and operate with provable control.
That’s why we hold ourselves to CMMC standards even when our contracts don’t require it. It sets us apart from companies that prioritize speed over stability, and from vendors who retroactively patch in security as they grow. Trust isn’t just a value, it’s a prerequisite. In Speech AI, what happens behind the scenes is what earns adoption on the front end.
My Personal Pledge: Security as a Core Principle
For me, security isn’t just a professional obligation, it’s a deep-seated passion. Building truly innovative technology demands an unwavering commitment to protecting the people who trust us with their data.
I've seen the devastating consequences of security breaches, and I refuse to let that happen on our watch. That's why I champion a "security-first" mentality at Sanas. It's not something we tack on at the end; it's a fundamental principle that guides our architecture, our development, and our operational processes.
That personal commitment is reflected across our entire team. Security isn’t just something I care about, it’s embedded in how Sanas builds. From architecture to operations, it’s a shared mindset, not a single responsibility. That’s how we ensure every decision, big or small, supports a platform our customers can trust without hesitation.
Personal Insights from the Trenches: Hack The Box, Dante, and CPTS
My passion for security isn’t just theoretical, it’s grounded in offensive work that pushes real systems to their limits. On platforms like Hack The Box, challenges like Dante simulate enterprise-grade environments with layered defenses. Gaining root required chaining web exploits, privilege escalation, lateral movement, and meticulous enumeration across multiple domains. Dante is designed to break conventional thinking and force you to think like an attacker, methodically and creatively. That mindset shapes how we build at Sanas: assume nothing is safe, validate everything, and engineer systems to withstand real-world pressure.
Earning the Certified Penetration Testing Specialist (CPTS) certification meant going deep across a wide range of attack surfaces, from network intrusion and web application exploits to privilege escalation and social engineering. The process sharpened my understanding of how attackers operate, and reinforced the value of proactive, layered defenses. That experience didn’t just build technical skill, it shaped how I think about security. It’s why, at Sanas, we focus on staying ahead of threats rather than reacting to them. That mindset has profoundly shaped my perspective on security at Sanas. It reinforces the understanding that:
- Security is not static: The threat landscape is constantly evolving, requiring continuous vigilance and adaptation.
- Defense in depth is non-negotiable: No single control is enough; layered protection is essential.
- Thinking like an attacker is vital: To build truly secure systems, you need to understand how attackers operate and anticipate their moves.
My personal journey in offensive security directly informs the security decisions we make at Sanas. It's not just about adhering to frameworks; it's about applying a practical, attacker-centric mindset to ensure our platform is resilient against real-world threats. This blend of established frameworks and hard-earned practical experience is what drives our commitment to making security a true differentiator for Sanas.
Trust Isn’t a Feature. It’s the Platform.
You don’t need to see our infrastructure to know it’s working. You feel it in the reliability of every call, the clarity of every voice, and the confidence that your data isn’t just moving fast, it’s moving safely.
We built Sanas to transform communication, and that mission includes protecting every byte of it. With a cybersecurity program grounded in CMMC and shaped by real-world threat expertise, we’re not just securing today, we’re preparing for tomorrow. Our unseen strength is what makes everything else possible.