Engagement Role Boundaries and Security Governance Policy
Classification: Internal
Document status: Effective
Version: 1.0
Owner: Management / Security Owner
Effective date: 2026-05-13
Review cycle: Annual; interim revision upon material change to prime contractor role definitions or contract templates
Purpose
This policy defines role boundaries for Cloudnaut personnel when delivering security-related engineering or implementation work on customer or prime contractor-led engagements.
Scope
This policy applies to consulting, implementation, DevOps, cloud engineering, application development, infrastructure-as-code, and adjacent services performed for customers or as a subcontractor.
Permitted services
Cloudnaut personnel may deliver implementation and engineering work related to customer or platform security capabilities, including secure configuration, automation, tooling integration, and remediation support, within the written scope of work.
Governance boundaries
When Cloudnaut acts as a subcontractor on an engagement led by a prime contractor or customer security organization, Cloudnaut personnel do not assume formal security governance authority reserved to the prime contractor or customer. Examples of reserved roles include, without limitation: formal security sign-off authority for the prime’s delivery methodology, engagement management for the prime’s internal security program, designated “security bar” or equivalent sole approver roles defined solely by the prime, and formal risk acceptance authority on behalf of the prime.
Cloudnaut personnel implement, configure, and document within assigned scope; ambiguity about authority is escalated to Cloudnaut management and the engagement lead before action.
Records
Typical evidence includes statements of work, responsibility matrices, role descriptions from the prime contractor, and written instructions that define Cloudnaut’s delegated scope.