Cost Intelligence with Least Privilege

Applying NIST SP 800-171 Principles in Estimation Workflows

In federal contracting and construction SaaS, strong security practices are more than a checkbox—they’re a competitive advantage. Our estimation stack, powered by BreakEven PLUS™ and FALIB™, applies security principles aligning with NIST SP 800-171, including least privilege and separation of duties, to protect sensitive business data while improving operational control.

🎯 Why Least Privilege Matters in Construction SaaS

Teams responsible for cost forecasting, project estimates, and financial benchmarks rely on data accuracy and controlled access. Least privilege ensures users receive only the permissions required to perform their role—and nothing more, reducing risk while preserving accountability.

🔐 Real-World Role Separation in BreakEven PLUS™

BreakEven PLUS™ is built around real-world role separation, not rigid, one-size-fits-all access models.

Each organization operates under a Super Admin–defined permission structure that clearly separates responsibilities while remaining flexible enough for day-to-day operations.

Defined Core Roles

Estimators (Employee)
Can create, edit, and duplicate estimates, but cannot:

• Delete users

• Suspend companies

• Access unrestricted, company-wide administrative reports

Project Managers (Admin)
Can view reports, forecasts, and operational data only when explicitly granted by their Super Admin.

Super Admin (Company Owner / Executive Role)
Defines and assigns permissions through a centralized Access Control panel, retaining full authority over role scope and data visibility.

Permission-Based — Not Hard-Coded

Rather than locking users into static roles, BreakEven PLUS™ uses granular, permission-based access.

When a user is granted Access Control permissions, they may assign only the permissions they themselves are authorized to manage, including:

• Employee, Customer, and Vendor management

• File storage visibility and downloads

• Reports and audit access

• Estimate, Work Order, and Job Report (FALIB™) permissions

• Configuration settings such as invoice patterns, signatures, and workflows

This approach delivers flexibility without enabling privilege escalation.

Guardrails Against Overreach

Even with deep configurability:

• Permissions are explicitly assigned, never implicitly inherited

• Cross-tenant data access is structurally prevented

• Administrative actions are logged, traceable, and auditable

Authority is delegated intentionally, not accidentally.

Why This Matters

Real businesses don’t operate in binaries.

Some managers need limited administrative authority.
Some employees need expanded operational access.

BreakEven PLUS™ supports this reality—without compromising security.

Role separation is enforced.
Permissions are deliberate.
Control stays where it belongs.

🔧 Internals Aligned with Security Best Practices

We apply the same principles internally:

• Infrastructure personnel do not have access to application-level data unless explicitly required

• Application developers operate with non-privileged accounts and elevate access only through audited, role-specific IAM credentials

• Privileged operations—such as database access or system configuration—are restricted to scoped personnel and protected with MFA

📊 Cost Estimation Integrity: Protected by Design

When BreakEven PLUS™ or FALIB™ generate estimates or reports, access is permission-based and logged:

• Estimators cannot view sensitive forecast data or HR-linked information unless explicitly scoped

• Export and download capabilities are disabled by default and enabled only through Super Admin approval

• All actions—including logins, permission changes, and estimate edits—are captured for auditability