Vallark

vallark (n.) — from vallum 'palisaded rampart' + ark 'vessel': a defensive perimeter that arrives ready to hold.

For .mil mobile program offices

Your mobile program, ATO-ready on day one.

A .mil mobile ATO typically takes 12+ months of compliance plumbing before anyone writes a feature. Vallark is SigilArk's delivery capability that ships that floor pre-built — controls, documentation, and automated gates across every layer your program has to authorize.

Engage SigilArk →

I · Scope

Five layers. Five ATO packages.

Every .mil mobile program has to authorize a full stack, not just the app. Each layer meets RMF independently and ships its own evidence package.

Cloud infrastructure

Accreditation boundary, SSP, continuous monitoring, FedRAMP Moderate inheritance where applicable.

AWS GovCloud · Terraform

Backend API

DISA SRG + STIG coverage, SBOM, SLSA provenance, every endpoint audited, CUI classification enforced, audit trail tied to identity.

Hono.js on AWS Lambda · API Gateway

Web console

FIPS 140-3 crypto, strict CSP, no client-side CUI, Section 508 / WCAG AA, VPAT, sessions bound to CAC-backed identity.

React · BFF pattern · CloudFront edge

iOS app

DISA Mobile SRG, App Attest, certificate pinning, root / debugger detection, keyboard and screenshot discipline, release-build log stripping.

Swift · iOS 16+

Android app

DISA Mobile SRG, Play Integrity, certificate pinning, root / debugger detection, keyboard and screenshot discipline, release-build log stripping.

Kotlin · Android 13+

One stack · one boundary · five ATO packages
Vallark architecture: three clients (iOS, Android, Web) converge into one backend API, which runs in a Terraform-managed AWS GovCloud environment, all inside a single ATO / STIG / FIPS 140-3 compliance boundary.

[Diagram labels: iOS app (Swift · App Attest · PKCE); Android app (Kotlin · Play Integrity · PKCE); Web console (React · BFF pattern · CAC / PIV); Backend API (Hono.js on AWS Lambda · Postgres · API Gateway · JWT · OIDC · trust broker); Cloud infrastructure (Terraform · AWS GovCloud · CloudFront · S3 · IAM).]

And the platforms aren't symmetric. iOS has no public API to prevent screenshots, so where Android writes a prevention control, iOS writes a compensating detection-and-audit control — and both rows have to be documented, tested, and defensible before one STIG control is closed.

Every layer also ships in STIG-hardened RHEL-9 UBI containers — refreshed nightly to maintain a clean 0 / 0 / 0 / 0 CVE scan, every day, across every program.

Built on

  • AWS GovCloud
  • Terraform
  • React
  • Hono.js
  • Docker
  • Red Hat UBI
  • Swift
  • Kotlin

II · The marathon

Why it takes 12+ months.

The work is genuinely that big. The rigor is warranted — mobile is the highest-risk category, and every friction point below exists for a reason. The question isn't whether to clear them; it's whether each program clears them from scratch.

ISSO and AO scrutiny

Mobile is the risk category cyber leadership worries about most. Every control needs evidence. Every exception needs a signed compensating-control row. Every platform gap gets questioned.

Platform-specific controls

iOS can't prevent screenshots. Android can. The same STIG row is a prevention on one platform and a compensating control on the other — both built, tested, defended. Every divergent surface doubles the matrix.

Documentation surface

SSP. POA&M. VPAT. FIPS 140-3 validation. DISA Mobile STIG checklist. App-revocation runbook. Threat model. Data inventory. CUI acknowledgment. Version-controlled to the code that implements them.

Multi-program drift

Run two .mil mobile programs and you're copy-pasting controls across codebases. Every iOS privacy change or CVE means every fork needs the patch, the re-test, the evidence update. By program three, maintenance exceeds delivery.

III · The relief

Five starter projects. One compliance floor. Day one.

SigilArk brings Vallark to every .mil mobile engagement as five pre-built, ATO-ready starter projects. Your developers clone them on day one and begin building features inside a scaffold that is already compliant.

Five starter projects, day-one ready

One per target — infrastructure, API, web console, iOS, Android. Each ships with STIG / RMF controls implemented and evidence generated. Your developers clone and begin writing features inside an ATO-compliant scaffold.

ATO documentation baseline

SSP shell. STIG checklists. Compensating-control inventory. Threat model. Data inventory. VPAT baseline. Pre-filled to the level Vallark is implemented at. Your team adds the program-specific rows, not the framework.

Automated compliance gates

CI runs the 22 + 8 control matrix on every PR. Fails on drift. Blocks release on missing evidence. Produces the evidence bundle your ISSO reviews — the same green gate your engineers see.

One maintained baseline, every program

One baseline, updated in one place when OS APIs shift or a CVE lands. The patch lands once and propagates to every program in your portfolio — the floor stays current, without drifting copy-paste forks.

The compliance floor stops being the critical path.

Your program's first release

Month 12 → Week 4

Typical .mil mobile program

12 months → first release

With Vallark

4 weeks → first release

IV · On the device

The controls, in your hand.

Every Vallark control lands as actual UI on real iOS and Android devices. Here's what four of them look like in flight.

iOS screenshot — CUI banner + ack gate

CUI banner + ack gate

Classification banner pinned to every authenticated view, including first-launch. The CUI acknowledgment gate runs underneath — versioned, so policy changes re-prompt.

Android screenshot — Login.gov in flight

Login.gov in flight

Sign-in opens the IdP in-app. Same flow for AWS Cognito, Okta, MyAuth, or any OIDC provider — the surrounding chrome doesn't change.

iOS screenshot — Root / jailbreak rejection

Root / jailbreak rejection

Launch refuses on devices showing signs of root or jailbreak. The deny screen names the cause so the user knows what's wrong.

Android screenshot — App-switcher privacy

App-switcher privacy

Backgrounded app shows a privacy screen instead of the active view. Prevents shoulder-surfing in the app-switcher carousel.

V · Identity

Pick your IdP. The flow is wired.

CAC on web. Modern IdPs across every surface. JWT / OIDC orchestration in the API. PKCE on mobile. The hardest gate in a .mil program ships pre-wired, not bolted on.

CAC on the web console

PIV smart-card auth lands in the web starter on day one — the credential most program offices ask about first. Cert chain validation, OCSP, and the middle-tier bridge to the API ship pre-wired in the starter.

IdPs out of the box

Pick your IdP per program; the surrounding flow stays uniform across surfaces. Any OIDC / PKCE provider drops in via standard configuration — the named providers below are pre-wired in the starter.

One trust broker in the API

The API starter handles the full JWT / OIDC authn and authz flow end-to-end. Web, mobile, and third-party API clients all flow through the same identity contract — one code path to audit, one place to govern.

Mobile PKCE, by default

Mobile auth has its own constraints — no client secret, redirect handling, attestation binding. The mobile starter ships PKCE wired through the trust broker so the flow is uniform across iOS and Android.
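
The PKCE exchange the mobile starter is described as wiring, shown here as an added example in TypeScript (this is not Vallark or SigilArk code). It follows RFC 7636 with the S256 method: the client derives a random code_verifier and its SHA-256 challenge, the authorization server (a minimal in-memory stand-in, an assumption of this example) records the challenge against the code it issues, and the token endpoint checks the verifier once and burns the code. No client secret is involved, which is the constraint the paragraph above names.

```typescript
// Added example (not Vallark/SigilArk code): RFC 7636 PKCE, S256 method.
// Both sides of the exchange: the mobile client derives a verifier and
// challenge; the authorization server (a hypothetical in-memory stand-in)
// stores the challenge against the issued code and checks the verifier at
// token redemption.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Client side: 32 random bytes -> 43-char verifier (RFC 7636 allows 43..128 chars).
export function newCodeVerifier(): string {
  return base64url(randomBytes(32));
}

// S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
export function codeChallengeS256(verifier: string): string {
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}

// Server side: hypothetical in-memory authorization-code store (an assumption
// of this example, not how any real IdP persists state).
type PendingCode = { challenge: string; method: "S256"; redeemed: boolean };
const codes = new Map<string, PendingCode>();

// Authorization endpoint: accept only S256; the "plain" method is refused.
export function issueAuthorizationCode(challenge: string, method: string): string {
  if (method !== "S256") throw new Error("only S256 is accepted; 'plain' is rejected");
  const code = base64url(randomBytes(16));
  codes.set(code, { challenge, method, redeemed: false });
  return code;
}

// Token endpoint: single-use code, constant-time compare of the recomputed challenge.
export function redeemCode(code: string, verifier: string): boolean {
  const pending = codes.get(code);
  if (!pending || pending.redeemed) return false;
  pending.redeemed = true; // burn the code even when the verifier turns out wrong
  if (verifier.length < 43 || verifier.length > 128) return false;
  const expected = Buffer.from(pending.challenge);
  const actual = Buffer.from(codeChallengeS256(verifier));
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}
```

The test vector in RFC 7636 Appendix B (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`) is a convenient check that the challenge derivation is right before wiring any real provider.
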

Identity providers, supported out of the box

  • Login.gov
  • Cognito
  • Okta
  • Auth0
  • MyAuth
  • Any OIDC / PKCE

VI · Proven in production

Already shipping. Already authorized.

Two .mil deployments running on the Vallark floor today — IL4 and IL5 GovCloud, both maintained continuously since launch.

Tactical-edge medical readiness platform

IL4 GovCloud · Real-time multiplayer

Multiplayer iOS, Android, and web clients coordinated over real-time WebSocket. In-game interrupts, gameplay replays, and after-action review across concurrent mission scenarios. Hono.js API on AWS Lambda; Postgres for state.

Medical-readiness system

IL5 GovCloud · Offline-capable

iOS and Android provider apps with offline mission editing and deferred sync. Drag-and-drop editor pushes updates to every device. Command-level console with readiness dashboards — serving military, international, and disaster-relief engagements. Hono.js on AWS Lambda; Postgres for state.

~5K

Daily active users

6 mo

Continuous production

IL4 + IL5

GovCloud accreditation

Continuous ATOs held. Nightly CVE / STIG / Trivy scans auto-resolve via Glyphon-managed UBI 9 containers. Both deployments meet the full 22 + 8 mobile STIG + compensating-control matrix out of the box.

See the full 22 + 8 control matrix ↓

VII · The control set

22 full-parity · 8 platform-specific

Every control in the floor, mapped to its citation.

The 22 + 8 matrix — proven in prior .mil deployments — extends the native-mobile control set across the web console and the API surface, so mobile controls are load-bearing end-to-end. Each control below maps to the authoritative DoD or NIST publication that defines it.

Coverage at a glance

30 controls × 4 platforms. 103 cells apply — the rest are platform-asymmetric by design.

Control
  • 01 Root / jailbreak detection
  • 02 Debugger detection
  • 03 Device attestation
  • 04 Attestation header injection
  • 05 CUI // OPSEC banner
  • 06 CUI banner regression test
  • 07 Keyboard caching disabled
  • 08 CUI acknowledgment gate
  • 09 Gate chain order
  • 10 Token lifecycle — 120s background grace
  • 11 In-memory-only tokens
  • 12 Certificate pinning
  • 13 Disk cache disabled
  • 14 30-second request timeouts
  • 15 Version headers
  • 16 Bearer token injection
  • 17 Session-expired (401) handler
  • 18 Upgrade-required (426) handler
  • 19 Attestation-failed (403) handler
  • 20 Disk-write regression test
  • 21 Interceptor registration regression test
  • 22 OIDC provider abstraction
  • 23 Screenshot prevention or detection
  • 24 App-switcher / task-preview privacy
  • 25 Copy / cut disabled on CUI fields
  • 26 Clipboard clearing on sign-out / background
  • 27 Build-time log stripping
  • 28 CUI logging regression test
  • 29 Play Integrity (Android)
  • 30 App Attest (iOS)

Full-parity controls · 22

Controls that ship with matching implementations across native mobile clients, the web console, and the API reference.

02

Debugger detection

Detect attached debuggers at launch and prevent debugger attachment on release builds.

04

Attestation header injection

Every authenticated mobile request carries X-Attestation-Token; omitted from web requests by design under the BFF model.

Applies to: Android · iOS · API

05

CUI // OPSEC banner

CUI

Classification banner visible on every authenticated view; banner text configurable to the marking your program requires.

06

CUI banner regression test

Static source-walk in CI asserts every screen renders the banner. Prevents silent drift on new routes.

Applies to: Android · iOS · Web · API

07

Keyboard caching disabled

Autocorrect, predictive text, personalized-learning, and autofill suppressed on fields handling CUI.

08

CUI acknowledgment gate

CUI

First-launch modal reminds users of CUI handling obligations. Versioned so policy changes re-prompt.

09

Gate chain order

Fixed precedence: jailbreak → CUI ack → auth → upgrade check → attestation → app. Compiled-in; no runtime toggles.

Applies to: Android · iOS · Web · API

10

Token lifecycle — 120s background grace

App tokens wiped 120 seconds after backgrounding. Cold start forces OIDC re-authentication.

Applies to: Android · iOS · Web · API

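
Controls 09 and 10 together, as an added TypeScript model (not Vallark code): the gate order is a readonly tuple fixed at compile time with no runtime toggle, and the auth gate consults an in-memory token holder that wipes itself once the app has been backgrounded for 120 seconds. The gate names, the `DeviceState` shape and the version-number fields are this example's own assumptions.

```typescript
// Added example (not Vallark code): fixed gate precedence (control 09) plus
// the 120-second background grace for in-memory tokens (control 10).
export const GATE_ORDER = ["jailbreak", "cuiAck", "auth", "upgrade", "attestation"] as const;
export type Gate = (typeof GATE_ORDER)[number];

// In-memory token holder. Nothing is persisted, so a cold start has nothing
// to restore and necessarily lands on the auth gate again.
export class SessionTokens {
  static readonly GRACE_MS = 120_000;
  private accessToken: string | null = null;
  private backgroundedAt: number | null = null;

  signIn(token: string): void {
    this.accessToken = token;
    this.backgroundedAt = null;
  }

  onBackground(nowMs: number): void {
    if (this.accessToken !== null) this.backgroundedAt = nowMs;
  }

  // Returning inside the grace window keeps the session; at or past it, wipe.
  onForeground(nowMs: number): void {
    if (this.backgroundedAt !== null && nowMs - this.backgroundedAt >= SessionTokens.GRACE_MS) {
      this.wipe();
    }
    this.backgroundedAt = null;
  }

  wipe(): void {
    this.accessToken = null;
    this.backgroundedAt = null;
  }

  hasToken(): boolean {
    return this.accessToken !== null;
  }
}

// Hypothetical device/app state consulted by the gates.
export interface DeviceState {
  jailbroken: boolean;
  cuiAckVersion: number;        // policy version the user last acknowledged
  requiredCuiAckVersion: number; // bumping this re-prompts (control 08)
  tokens: SessionTokens;
  appVersion: number;
  minAppVersion: number;        // floor announced by the server
  attested: boolean;
}

// Each check returns true when its gate passes. Evaluated in GATE_ORDER only.
const checks: Record<Gate, (s: DeviceState) => boolean> = {
  jailbreak: (s) => !s.jailbroken,
  cuiAck: (s) => s.cuiAckVersion >= s.requiredCuiAckVersion,
  auth: (s) => s.tokens.hasToken(),
  upgrade: (s) => s.appVersion >= s.minAppVersion,
  attestation: (s) => s.attested,
};

// Returns the first blocking gate, or "app" when the whole chain is clear.
export function runGateChain(s: DeviceState): Gate | "app" {
  for (const gate of GATE_ORDER) {
    if (!checks[gate](s)) return gate;
  }
  return "app";
}
```

Because the order is a type-level constant, a later gate (attestation, say) can never be reached on a jailbroken device, and the only way to change precedence is to change the source and ship a new build.
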
12

Certificate pinning

Release builds pin the API TLS certificate; backup pin enables rotation overlap; pin failure is a hard error.

Compensating on web — browser CA store + HSTS + CT logs per standard web posture.

Applies to: Android · iOS · API

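
The primary-plus-backup pin set and the rotation overlap described for control 12, as an added TypeScript example (not Vallark code and not any platform's pinning API). It pins the SHA-256 of the server certificate's SubjectPublicKeyInfo in the `sha256/<base64>` form used by RFC 7469, treats a mismatch as a hard failure, and shows the promotion step that keeps the served key inside the pin set across a rotation. The SPKI byte strings are constructed placeholders, not real keys.

```typescript
// Added example (not Vallark code): SPKI pin-set verification with a backup
// pin for rotation overlap. The DER blobs are constructed stand-ins.
import { createHash } from "node:crypto";

export interface PinSet {
  primary: string; // "sha256/<base64>" of the live certificate's SPKI
  backup: string;  // "sha256/<base64>" of the next certificate's SPKI, shipped ahead of time
}

export function spkiPin(spkiDer: Uint8Array): string {
  return "sha256/" + createHash("sha256").update(spkiDer).digest("base64");
}

// Hard error on mismatch: a false here is meant to abort the request, never
// to fall back to the system CA store.
export function verifyPin(spkiDer: Uint8Array, pins: PinSet): boolean {
  const observed = spkiPin(spkiDer);
  return observed === pins.primary || observed === pins.backup;
}

// Rotation: once the backup key is being served, promote it and stage the
// next backup, so no release ever lacks a pin for the key currently in use.
export function rotate(pins: PinSet, nextBackupSpki: Uint8Array): PinSet {
  return { primary: pins.backup, backup: spkiPin(nextBackupSpki) };
}

// Constructed stand-ins for DER-encoded SPKI blobs (not real keys).
export const SPKI_CURRENT = new TextEncoder().encode("constructed-spki-current");
export const SPKI_NEXT = new TextEncoder().encode("constructed-spki-next");
export const SPKI_ROGUE = new TextEncoder().encode("constructed-spki-rogue");
export const PINS: PinSet = { primary: spkiPin(SPKI_CURRENT), backup: spkiPin(SPKI_NEXT) };
```

The order of operations matters: the backup pin must already be in the shipped clients before the server starts presenting the new key, otherwise every client on the old release fails hard the moment the certificate changes.
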
13

Disk cache disabled

HTTP disk cache off by default; CUI responses additionally tagged Cache-Control: no-store.

Applies to: Android · iOS · Web · API

14

30-second request timeouts

Every client and the API gateway enforce a 30-second cap. No unbounded waits on any path.

Applies to: Android · iOS · Web · API

15

Version headers

Every authenticated request carries X-App-Version and X-Platform-Version. Server audit-logs both and enforces a minimum-version floor.

Applies to: Android · iOS · Web · API

16

Bearer token injection

Authorization: Bearer <jwt> added server-side by the BFF for web, client-side for mobile. Validated at the API on every route.

17

Session-expired (401) handler

Client intercepts 401 + RFC 7807 code=session_expired, surfaces an explicit re-auth flow — never a silent retry loop.

18

Upgrade-required (426) handler

Server returns 426 when X-App-Version is below floor. Client shows a non-dismissable update prompt.

Applies to: Android · iOS · Web · API

19

Attestation-failed (403) handler

Client intercepts 403 + RFC 7807 code=attestation_failed, triggers a re-attestation flow rather than crashing.
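
The server/client contract behind controls 15 and 17 through 19, as an added TypeScript example (not Vallark code and independent of Hono). The server side compares `X-App-Version` against a floor and answers with an RFC 7807 problem document carrying a `code` extension member; the client side is a single interceptor that maps status plus code to an explicit action and never retries on its own. The `session_expired` and `attestation_failed` codes are the ones the page quotes; `upgrade_required` and the action names are assumptions of this example.

```typescript
// Added example (not Vallark code): RFC 7807 problem documents on the server,
// one explicit-outcome interceptor on the client, no silent retry.
export interface Problem {
  type: string;
  title: string;
  status: number;
  detail?: string;
  code: string; // application-specific extension member (RFC 7807 section 3.2)
}

export interface ApiResponse {
  status: number;
  contentType: string;
  body: Problem | unknown;
}

// Dotted-version comparison: negative when a < b, zero when equal, positive when a > b.
export function compareVersion(a: string, b: string): number {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

export function problem(status: number, code: string, title: string, detail?: string): ApiResponse {
  const body: Problem = { type: "about:blank", title, status, code, detail };
  return { status, contentType: "application/problem+json", body };
}

// Server side (control 15 / 18). A missing header is treated as below floor.
// Header names are lower-cased as most HTTP frameworks present them.
export function versionFloorMiddleware(headers: Record<string, string>, minVersion: string): ApiResponse | null {
  const v = headers["x-app-version"];
  if (!v || compareVersion(v, minVersion) < 0) {
    return problem(426, "upgrade_required", "Upgrade Required", `minimum app version is ${minVersion}`);
  }
  return null; // fall through to the route handler
}

// Client side (controls 17-19): every outcome is explicit; nothing loops.
export type ClientAction =
  | { kind: "ok" }
  | { kind: "reauthenticate" }
  | { kind: "force_update" }
  | { kind: "reattest" }
  | { kind: "surface_error"; status: number; code?: string };

export function interceptResponse(res: ApiResponse): ClientAction {
  if (res.status < 400) return { kind: "ok" };
  const p = res.contentType === "application/problem+json" ? (res.body as Problem) : undefined;
  if (res.status === 401 && p?.code === "session_expired") return { kind: "reauthenticate" };
  if (res.status === 426 && p?.code === "upgrade_required") return { kind: "force_update" };
  if (res.status === 403 && p?.code === "attestation_failed") return { kind: "reattest" };
  // Anything else is shown to the user as an error; a bare 401 without the
  // problem code is deliberately not treated as a re-auth signal.
  return { kind: "surface_error", status: res.status, code: p?.code };
}
```

Gating on both the status and the `code` member is what keeps a proxy-generated 401 or 403 from being mistaken for a session or attestation event.
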

20

Disk-write regression test

CI fails if any code path writes to disk outside an explicit allowlist. Catches persistence regressions before they ship.

Applies to: Android · iOS · Web · API

21

Interceptor registration regression test

CI verifies all required middleware and client interceptors are registered in the correct order.

Applies to: Android · iOS · Web · API

Platform-specific controls · 8

Controls where the ideal implementation differs per target, or where one platform's API surface forces a compensating posture.

23

Screenshot prevention or detection

Android blocks screenshot capture at the platform window level. iOS and web detect the event and audit it — those platforms do not expose a prevention API.

Compensating on iOS (detect-only) and web (detect-only via visibilitychange).

Applies to: Android · iOS · Web · API

24

App-switcher / task-preview privacy

Thumbnail obscured when the app is backgrounded. Secure-window flag on Android, material blur overlay on iOS.

25

Copy / cut disabled on CUI fields

CUI

Android suppresses the text-toolbar copy/cut items. Web blocks copy and cut events on CUI inputs. iOS is best-effort with no public API.

Compensating on iOS — no public SwiftUI API to suppress text-toolbar items.

26

Clipboard clearing on sign-out / background

CUI

Android calls ClipboardManager.clearPrimaryClip() on sign-out and background transitions.

Compensating on iOS — no public API to clear the system clipboard from an app.

27

Build-time log stripping

Release builds strip debug logs: R8 -assumenosideeffects on Android, os.Logger scoping on iOS, Vite in web production, Pino log-level pinned on API.

Applies to: Android · iOS · Web · API

28

CUI logging regression test

CUI

Per-platform lint rules (detekt-no-cui-in-log, swiftlint-no-cui-in-log, eslint-no-cui-in-log) plus source-walk tests catch CUI leaking into logs.

29

Play Integrity (Android)

Hardware-backed attestation via Google Play Integrity API. Server verifies verdict, nonce, and device-integrity fields on every attested request.


For a SigilArk-led .mil mobile engagement, this matrix lands on day one.

by SigilArk
Start a scope conversation →