GotHawk Solutions LLC

AI Governance & Compliance Technology for Federal Contractors — Small, Mid-Tier, and Prime — and State Agencies
SAM.gov Active
CAGE: 1M4D4
UEI: HVWAF52DXCL2
Dillsburg, PA 17019

GotHawk Solutions LLC is a Pennsylvania-based small business delivering AI governance technology to federal contractors of all sizes — small businesses, mid-tier firms, and defense primes — as well as DoD program offices and state agencies. We built PromptFrame — a unified platform that governs AI systems at both design time and runtime. Design-Time (DT) scores AI system prompts deterministically across 10 governance dimensions and auto-generates complete ATO artifact packages. Runtime (RT) sits inline with LLM and agentic toolchains, blocking unauthorized tool calls before execution and logging every gate decision as a cryptographically signed audit record. DT and RT are not sold separately — one product, one price.

PromptFrame runs fully air-gapped: zero external API calls, FIPS 140-3 capable (Red Hat UBI 9 base image), AES-256-GCM encryption, HMAC-SHA256 audit chain. No LLM in the DT scoring path, so the same input always produces the same output. Deployed as a self-hosted container stack on client infrastructure; GotHawk provides signed container images only. No client data is ever transmitted to GotHawk or any third party.

Design-Time (DT) — Governance Scoring & ATO Artifact Generation
Deterministic 10-dimension scoring of AI system prompts with no LLM in the path, so results are reproducible and C3PAO and 3PAO defensible. Auto-generates per engagement: SSP narratives, NIST SP 800-53 Rev 5 crosswalk, POA&M (FedRAMP format), GSAR 552.239-7001 (proposed) compliance checklist, SPRS export, per-dimension remediation report, and executive summary. All artifacts are SHA-256 integrity-protected and covered by the HMAC-signed audit chain. Verbatim regulatory citations from primary sources throughout.
Runtime (RT) — Inline Enforcement Gate
Inline enforcement layer for LLM and agentic toolchains. Evaluates each tool call against policy before execution; unauthorized calls are blocked, not merely logged after the fact. Four enforcement categories: tool authorization, scope boundary, data exfiltration attempt, and privilege escalation. Every gate decision is logged as a cryptographically signed audit record. Anomalies are promoted to DT in real time. Decisions are independently verifiable rather than black-box AI outputs.
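The gate-and-chain pattern described above, as an added example that is not GotHawk or PromptFrame code: a default-deny policy is evaluated before a tool call executes, the decision is labelled with one of the four categories, and every decision is appended to an HMAC-SHA256 hash chain whose verifier pinpoints the first edited, reordered or deleted interior record. The policy schema, record layout, agent name `agent-ops`, CUI marker list and sample calls are assumptions constructed for the example.

```python
"""Inline tool-call enforcement gate with an HMAC-SHA256 hash-chained audit log.

Added example, not GotHawk or PromptFrame code. The policy schema, the category
labels, the record layout and the sample calls are constructed for illustration.
"""
import hashlib
import hmac
import json
import posixpath
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed policy for one agent: the tools it may call and the scope each is
# confined to. A tool absent from the map is denied (default deny).
POLICY = {
    "agent-ops": {
        "read_file": {"path_prefix": "/srv/app/"},
        "http_get": {"host_allow": {"internal.example.corp"}},
        "run_shell": {"deny_patterns": ("sudo", "su -", "chmod u+s", "setcap")},
    }
}
# Crude markers of CUI in an outbound body (constructed; a real gate would use DLP rules).
EXFIL_MARKERS = ("CUI", "SSN", "BEGIN PRIVATE KEY")


@dataclass
class Decision:
    allowed: bool
    category: str  # tool_authorization | scope_boundary | data_exfiltration | privilege_escalation | ok
    reason: str


def evaluate(agent: str, tool: str, args: dict) -> Decision:
    """Policy check run before the tool executes. The first failing check wins."""
    rules = POLICY.get(agent, {})
    if tool not in rules:
        return Decision(False, "tool_authorization", f"{tool} not authorized for {agent}")
    rule = rules[tool]
    if "path_prefix" in rule:
        # Normalise first so "/srv/app/../../etc/shadow" cannot pass a prefix test.
        norm = posixpath.normpath(args.get("path", ""))
        if not (norm + "/").startswith(rule["path_prefix"]):
            return Decision(False, "scope_boundary", f"{norm} outside {rule['path_prefix']}")
    if "host_allow" in rule:
        host = (urlparse(args.get("url", "")).hostname or "").lower()
        if host not in rule["host_allow"]:
            return Decision(False, "scope_boundary", f"host {host!r} not in allow-list")
    if any(m in json.dumps(args.get("body", "")) for m in EXFIL_MARKERS):
        return Decision(False, "data_exfiltration", "outbound body carries a CUI marker")
    if any(p in args.get("cmd", "") for p in rule.get("deny_patterns", ())):
        return Decision(False, "privilege_escalation", "privileged command pattern")
    return Decision(True, "ok", "within policy")


class AuditChain:
    """Append-only decision log. Each record's tag is HMAC-SHA256 over its own
    fields plus the previous tag, so editing, reordering or deleting an interior
    record breaks verification from that point on."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.records: list = []

    def _tag(self, body: dict, prev: str) -> str:
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev.encode() + canon, hashlib.sha256).hexdigest()

    def append(self, agent: str, tool: str, args: dict, d: Decision) -> dict:
        prev = self.records[-1]["tag"] if self.records else self.GENESIS
        body = {"seq": len(self.records), "agent": agent, "tool": tool, "args": args,
                "allowed": d.allowed, "category": d.category, "reason": d.reason}
        rec = {**body, "prev": prev, "tag": self._tag(body, prev)}
        self.records.append(rec)
        return rec

    def verify(self, records=None) -> Optional[int]:
        """None if the chain verifies end to end, else the index of the first bad record."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records if records is None else records):
            body = {k: v for k, v in rec.items() if k not in ("prev", "tag")}
            if (rec["prev"] != prev or body.get("seq") != i
                    or not hmac.compare_digest(self._tag(body, prev), rec["tag"])):
                return i
            prev = rec["tag"]
        return None


def gate(chain: AuditChain, agent: str, tool: str, args: dict) -> Decision:
    """Decide, record, then return; the caller executes the tool only if allowed."""
    d = evaluate(agent, tool, args)
    chain.append(agent, tool, args, d)
    return d


if __name__ == "__main__":
    chain = AuditChain(key=b"demo-key")  # constructed; load from a KMS or HSM in practice
    gate(chain, "agent-ops", "read_file", {"path": "/srv/app/config.yml"})
    gate(chain, "agent-ops", "read_file", {"path": "/srv/app/../../etc/shadow"})
    gate(chain, "agent-ops", "run_shell", {"cmd": "sudo cat /etc/shadow"})
    for r in chain.records:
        print(r["seq"], "ALLOW" if r["allowed"] else "BLOCK", r["category"], r["tag"][:16])
    tampered = [dict(r) for r in chain.records]
    tampered[1]["allowed"] = True  # flip a block to an allow after the fact
    print("intact:", chain.verify(), " tampered at:", chain.verify(tampered))
```

Two caveats apply to any HMAC chain of this kind: HMAC-SHA256 is a symmetric MAC, so an auditor can verify the chain only if given the key (an asymmetric signature over each record, or over the chain head, removes that dependency), and truncation of the newest records is undetectable from the chain alone unless the latest tag is periodically anchored somewhere the producer cannot rewrite.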
Shadow AI & Foreign AI Detection
Retrospective workspace scanner identifies installed AI tools, browser extensions, AI-related environment variables, and contacts with AI endpoints found in network logs. Foreign-origin contacts (DeepSeek/China, Mistral/France, etc.) are flagged per EO 14179 §2. Supports Cisco ASA syslog, CLF, CEF, CSV, and DNS query log formats. An HMAC-signed scan report is produced as a standalone artifact.
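Detection logic for the network-log part of the scanner, as an added example that is not GotHawk or PromptFrame code: three of the listed formats (CLF from a forward proxy, a BIND-style DNS query log, and CEF) are parsed for a destination hostname, which is matched against an indicator table keyed by registrable domain and labelled with a country of origin. The indicator table and its attributions, the regular expressions, the sample lines and the `DOMESTIC` set are assumptions constructed for the example; Cisco ASA connection records carry only IP addresses and are skipped here because they need a resolver join first.

```python
"""Retrospective scan of network logs for contacts with AI API endpoints.

Added example, not GotHawk or PromptFrame code. The indicator table and its
origin attributions, the log lines and the field layouts are constructed for
this illustration; a deploying organisation would keep the indicator list under
its own change control.
"""
import re
from urllib.parse import urlparse

# Constructed indicator table: registrable domain -> (vendor, country of origin).
AI_ENDPOINTS = {
    "openai.com": ("OpenAI", "US"),
    "deepseek.com": ("DeepSeek", "CN"),
    "mistral.ai": ("Mistral", "FR"),
}
DOMESTIC = {"US"}  # assumption: anything else is flagged as foreign-origin

# Forward-proxy access log in Common Log Format: the request line carries the
# absolute URL (or a CONNECT host:port), so the destination host is recoverable.
CLF_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# BIND-style query log; the optional "@0x..." token appears in newer BIND versions.
DNS_RE = re.compile(r'client (?:@\S+ )?(?P<src>[\d.]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN ')
# CEF extension: space-separated key=value pairs (values containing spaces are not handled here).
CEF_KV = re.compile(r'(\w+)=(\S+)')


def host_from_target(target: str) -> str:
    if "://" in target:
        return (urlparse(target).hostname or "").lower()
    return target.split(":")[0].lower()  # CONNECT api.example.com:443


def extract(line: str):
    """Return (format, source_ip, destination_host) for a recognised line, else None."""
    m = CLF_RE.match(line)
    if m:
        return "clf", m["src"], host_from_target(m["target"])
    m = DNS_RE.search(line)
    if m:
        return "dns", m["src"], m["qname"].rstrip(".").lower()
    if line.startswith("CEF:") and line.count("|") >= 7:
        ext = dict(CEF_KV.findall(line.split("|", 7)[7]))
        host = ext.get("dhost") or host_from_target(ext.get("request", ""))
        return "cef", ext.get("src", "?"), host.lower()
    return None  # e.g. Cisco ASA 302013 lines carry only IPs and need a resolver join first


def lookup(host: str, endpoints: dict):
    """Match the host or any parent domain against the table, never the bare TLD."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        hit = endpoints.get(".".join(labels[i:]))
        if hit:
            return hit
    return None


def scan(lines, endpoints=AI_ENDPOINTS, domestic=DOMESTIC):
    """One finding per log line whose destination resolves to a listed AI endpoint."""
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = extract(line)
        if parsed is None:
            continue
        fmt, src, host = parsed
        hit = lookup(host, endpoints)
        if hit is None:
            continue
        vendor, country = hit
        findings.append({"line": n, "format": fmt, "src": src, "host": host,
                         "vendor": vendor, "country": country,
                         "foreign": country not in domestic})
    return findings


# Constructed sample lines: one per parsed format, one benign proxy line, one ASA line that is skipped.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Mar/2025:09:14:02 -0400] "CONNECT api.deepseek.com:443 HTTP/1.1" 200 0',
    '10.0.0.5 - - [10/Mar/2025:09:15:10 -0400] "GET https://intranet.example.corp/wiki HTTP/1.1" 200 5120',
    '10-Mar-2025 09:16:44.120 queries: info: client @0x7f3a 10.0.0.9#53422 (api.mistral.ai): query: api.mistral.ai IN A +E(0)K (10.0.0.1)',
    'CEF:0|ExampleCorp|Proxy|1.0|100|web access|3|src=10.0.0.7 dhost=api.openai.com request=https://api.openai.com/v1/chat/completions',
    '%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.0.7/51522 (10.0.0.7/51522)',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        flag = "FOREIGN" if f["foreign"] else "domestic"
        print(f'line {f["line"]:>2} {f["format"]:<4} {f["src"]:<10} -> {f["host"]:<18} {f["vendor"]:<9} {f["country"]} {flag}')
```

The parent-domain walk in `lookup` is what makes a single `deepseek.com` entry catch `api.deepseek.com` and any other subdomain; exact-hostname matching would miss regional or versioned endpoints the indicator list never saw.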
AI Governance Advisory & Teaming
Fixed-scope engagements sized for small contractors through primes: OMB M-25-21 AI use-case inventory alignment, CMMC Level 2 AI governance posture review, FedRAMP Moderate AI governance gap assessment. Small contractors can engage directly — no large program required. Available as AI governance subcontractor under prime AI modernization and DoD agentic AI programs. Fixed-price SOWs available. Engagement floor: $12,500.
  • NIST AI RMF (NIST AI 100-1) — all four functions
  • EO 14179 — federal AI governance & foreign endpoint controls
  • OMB M-25-21 / M-25-22 / M-26-04 — federal AI policy
  • GSAR 552.239-7001* — 14 paragraphs mapped at paragraph resolution
  • NIST SP 800-53 Rev 5 — 8 control families (AU/AC/IA/SI/CM/CP/PL/SA)
  • CMMC Level 2 / NIST SP 800-171 Rev 2 — 110 practices
  • PA EO 2023-19 — Pennsylvania responsible AI
*Proposed — pending GSA finalization
  • Only platform covering the full AI governance lifecycle — DT scoring + ATO artifact generation + RT inline enforcement in a single integrated product
  • Only platform mapping GSAR 552.239-7001 at paragraph resolution (14 paragraphs); GotHawk submitted public comment on the proposed rule April 3, 2026
  • Deterministic scoring — no LLM in the DT path; same input always produces same output; independently verifiable and C3PAO defensible
  • Air-gap native — FIPS 140-3 capable, AES-256-GCM, HMAC-SHA256 audit chain; zero external API calls; CUI-environment ready
  • RT gate decisions are cryptographically signed and independently verifiable — not inferred risk scores from an AI model