Cigent Pre-Boot Authentication (PBA) is a security solution that enforces authentication before the operating system loads on endpoint devices, preventing unauthorized access to data stored on self-encrypting drives (SEDs). It serves as the outer protection layer in NSA Commercial Solutions for Classified (CSfC) Data-at-Rest (DAR) architectures. The product pairs hardware full-drive encryption (HW FDE) with a secure, OS-independent authentication environment. When a device powers on, users must authenticate via username/password, smartcard (PIV), or Security Key before the OS boot sequence begins — keeping the drive locked until valid credentials are provided. Cigent PBA supports a dual-layer encryption model: - Outer Layer: AES-256 Hardware Full Drive Encryption (HW FDE) combined with PBA - Inner Layer: AES-256 Software Full Drive Encryption (SW FDE) with Multi-Factor Authentication (MFA) The two layers operate independently, satisfying CSfC architectural requirements for cryptographic and functional isolation. Device compatibility includes Intel, AMD, and ARM (NVIDIA Jetson Orin) laptops, desktops, workstations, and servers. Administration is managed via a command-line interface (CLI) utility that can integrate into existing enterprise management workflows. The solution has been tested and validated by NSA, DISA, NIST, NIAP, MITRE, the Air Force, Cyber Resilience of Weapon Systems (CROWS), and NSSIF (UK), and is deployed across US Intelligence agencies, US Defense services, and the defense industrial base. It supports compliance with CSfC DAR, FIPS 140-2, FIPS 140-3, and Executive Order 14028.