Compliance Gap Assessment · NIST SP 800-53

AEGIS-LOG — SSP Control Assessment

SSP v2.3 (reviewed 2024-08-12) Evidence infrastructure.yaml Assessed 2026-07-15 Region us-gov-west-1 Categorization Moderate (FIPS 199)

Each control claimed in the System Security Plan excerpts is compared against the declared production infrastructure. A control fails when the deployed configuration contradicts the SSP's written claim; it is partial when the claim is mostly upheld but material weaknesses undercut it.

8
Fail
2
Partial
4
Pass
1
Not assessed
15 controls in SSP order · one segment per control
ControlTitleStatusFinding
AC-2Account ManagementPartialLong-lived IAM keys; one unrotated since Jan 2023
AC-3Access EnforcementPassNo contradicting evidence
AC-17Remote AccessPassNo public ingress; admin VPN enforced
AU-2Event LoggingFailNo privilege-escalation events; online retention 180 d vs 1 yr claimed
AU-9Protection of Audit InformationFailplatform-engineer added as log reader; governance-mode object lock
CM-2Baseline ConfigurationPassIaC baseline with weekly drift detection
CM-6Configuration SettingsPartialSTIG applied, but 2 high / 14 medium findings open
CP-9System BackupFailQuarterly restore testing lapsed ~10 months
IA-2Identification and AuthenticationFailLong-lived access keys contradict short-lived-token claim
IA-5Authenticator ManagementNot assessedNo authenticator configuration in evidence
SC-7Boundary ProtectionFailNLB ingress bypasses WAF inspection
SC-8Transmission ConfidentialityFailNLB permits TLS 1.0
SC-13Cryptographic ProtectionFailNon-FIPS OpenSSL 1.1.1 in use; waiver expired
SC-28Protection of Information at RestPassAES-256 with KMS rotation across stores
SI-4System MonitoringFailAutomated response only partial vs automated IR claimed

Access Control (AC)

AC-2Account Management

Partial

SSP states

Service accounts are managed through AWS IAM with quarterly access reviews. All accounts are reviewed by the ISSO within 30 days of personnel changes.

Observed — infrastructure.yaml

15  account_review_cadence_days: 90
16  iam_users:
17    - name: deploy-bot
19      last_rotated: 2024-11-15
20      type: long_lived_access_key
21    - name: legacy-etl
23      last_rotated: 2023-01-08
24      type: long_lived_access_key

Assessment

The 90-day review cadence satisfies "quarterly," but two service accounts hold long-lived IAM access keys, and legacy-etl's key has not been rotated in roughly three and a half years. Accounts that stale undercut the claim that service accounts are actively managed.

AC-3Access Enforcement

Pass

SSP states

Role-based access control is enforced at the application layer. Three roles are defined… All access decisions are logged.

Observed — infrastructure.yaml

66  event_types_logged:
67    - auth_success
68    - auth_failure
70    - cui_data_access
73  access_controls:
74    readers:
75      - role: isso

Assessment

The evidence file does not describe application-layer RBAC directly, but role-scoped access appears in the logging configuration and authentication and data-access events are logged. Nothing in the infrastructure contradicts the claim.

AC-17Remote Access

Pass

SSP states

All remote access… occurs over the DoDIN via approved VPN endpoints. Direct internet exposure of any system component is prohibited.

Observed — infrastructure.yaml

28    - type: alb
31      public: false
32    - type: nlb
35      public: false
43  vpn:
44    required_for_admin: true
45    provider: dod-cap

Assessment

Neither load balancer is internet-facing and administrative access requires the DoD Cloud Access Point VPN. The jump-host requirement is not visible in the evidence file but nothing contradicts it.

Audit and Accountability (AU)

AU-2Event Logging

Fail

SSP states

The system logs… authentication attempts, privilege escalations, configuration changes, CUI data access, and system errors. Logs are retained for one year online and three years archived.

Observed — infrastructure.yaml

64  retention_online_days: 180
65  retention_archive_days: 1095
66  event_types_logged:
67    - auth_success
68    - auth_failure
69    - config_change
70    - cui_data_access
71    - system_error

Assessment

Two contradictions. Privilege-escalation events are claimed but absent from the logged event types, and online retention is 180 days against the one-year claim. Archive retention (1,095 days) does match the three-year claim.

AU-9Protection of Audit Information

Fail

SSP states

Audit logs are written to a tamper-evident store. Access to logs is restricted to the ISSO and SOC personnel.

Observed — infrastructure.yaml

72  tamper_protection: object_lock_governance
73  access_controls:
74    readers:
75      - role: isso
76      - role: soc-analyst
77      - role: platform-engineer   # added 2025-08 for debugging

Assessment

The platform-engineer role was added as a log reader in August 2025, outside the SSP's stated ISSO/SOC restriction. Additionally, S3 Object Lock in governance mode can be bypassed by privileged principals, which weakens the tamper-evidence claim relative to compliance mode.

Configuration Management (CM)

CM-2Baseline Configuration

Pass

SSP states

The system maintains a documented baseline configuration in version control. All infrastructure is declared as code. Drift from baseline is reviewed weekly.

Observed — infrastructure.yaml

112  iac_tool: terraform
113  iac_repo: github.com/aegis-log/infra
114  drift_detection:
115    enabled: true
116    cadence: weekly
117    last_run: 2026-05-30

Assessment

Terraform-managed infrastructure in version control with weekly drift detection matches the claim. The last drift run (2026-05-30) is recent relative to the assessment date.

CM-6Configuration Settings

Partial

SSP states

All EC2 instances are hardened per the DISA STIG for Red Hat Enterprise Linux 8. All Kubernetes clusters are configured per the Kubernetes STIG.

Observed — infrastructure.yaml

51    stig_hardened: true
52    cis_benchmark_score: 87
54    os: rhel-8
55    stig_hardened: true
56    last_scan: 2026-05-22
57    open_findings_high: 2
58    open_findings_medium: 14

Assessment

STIG hardening is applied to both nodes and the Kubernetes cluster as claimed, but the most recent scan left 2 high and 14 medium findings open. The hardening claim stands; its execution is incomplete. Iron Bank scanning appears only as an egress allowlist entry and cannot be confirmed as a deployment gate.

Contingency Planning (CP)

CP-9System Backup

Fail

SSP states

Backups are encrypted and stored in a geographically separate AWS region. Backup restoration is tested quarterly.

Observed — infrastructure.yaml

84    backup_cadence: daily
85    backup_region: us-gov-east-1
86    last_restore_test: 2025-09-14

Assessment

Daily cross-region backups match the claim, but the last restore test was 2025-09-14 — roughly ten months before this assessment. At a quarterly cadence, at least two consecutive test windows have been missed, so the restoration-testing claim is not being met.

Identification and Authentication (IA)

IA-2Identification and Authentication

Fail

SSP states

Service-to-service authentication uses short-lived tokens issued by the platform identity broker.

Observed — infrastructure.yaml

10    mfa_required: true
11    cac_piv_integration: true
12  service_auth:
13    method: spiffe
14    token_ttl: 3600
16  iam_users:
20      type: long_lived_access_key   # deploy-bot
24      type: long_lived_access_key   # legacy-etl

Assessment

Human authentication (CAC/PIV-integrated OIDC with mandatory MFA) and the SPIFFE broker with one-hour tokens match the SSP. But two service identities operate entirely outside that broker on long-lived IAM access keys, directly contradicting the claim that service-to-service authentication uses short-lived tokens.

IA-5Authenticator Management

Not assessed

SSP states

Passwords, where used for break-glass access, conform to DoD password complexity requirements: minimum 15 characters… rotation every 60 days.

Observed — infrastructure.yaml

 # No password policy, break-glass account, or authenticator
 # configuration appears anywhere in the evidence file.

Assessment

The infrastructure file contains no authenticator or password-policy configuration, so this claim can be neither confirmed nor refuted from the available evidence. Request the break-glass account policy as additional evidence.

System and Communications Protection (SC)

SC-7Boundary Protection

Fail

SSP states

The system enforces boundary protection through AWS security groups, a managed WAF, and network ACLs. All ingress traffic is inspected. Egress is restricted to an allowlist of approved external endpoints.

Observed — infrastructure.yaml

28    - type: alb
30      waf_attached: true
32    - type: nlb
34      waf_attached: false
37    mode: allowlist
42      - "*.github.com"          # added 2025-03 for CI artifact pulls

Assessment

The NLB ingress path has no WAF attached, so "all ingress traffic is inspected" is false. Secondary concern: the egress allowlist gained a wildcard for *.github.com in March 2025 — technically still an allowlist, but a broad public domain is scope creep on "approved external endpoints" and a plausible exfiltration path.

SC-8Transmission Confidentiality and Integrity

Fail

SSP states

All data in transit is protected using TLS 1.2 or higher.

Observed — infrastructure.yaml

28    - type: alb
29      tls_version_min: "1.2"
32    - type: nlb
33      tls_version_min: "1.0"   # legacy partner integration

Assessment

The NLB accepts TLS 1.0 for a legacy partner integration, directly contradicting the TLS 1.2 floor. TLS 1.0 is deprecated and prohibited for protecting CUI in transit; no documented waiver covers this exception.

SC-13Cryptographic Protection

Fail

SSP states

All cryptographic modules in use are FIPS 140-2 validated. The system does not use any cryptographic primitive that has not been validated.

Observed — infrastructure.yaml

94  fips_mode: enabled
98  legacy_exceptions:
99    - service: legacy-etl
100      uses: openssl-1.1.1
101      fips_validated: false
102      waiver_expires: 2025-12-31   # expired

Assessment

The legacy-etl service runs non-FIPS-validated OpenSSL 1.1.1, contradicting the "all modules validated" claim outright — and the waiver that once covered the exception expired 2025-12-31, more than six months before this assessment. The system is operating with unvalidated cryptography and no active authorization for it.

SC-28Protection of Information at Rest

Pass

SSP states

All data at rest is encrypted using AES-256. Encryption keys are managed in AWS KMS with automatic annual rotation.

Observed — infrastructure.yaml

82    encryption_at_rest: true
83    kms_key_rotation: enabled
88    encryption_at_rest: true
89    encryption_algorithm: AES256
90    versioning: enabled

Assessment

Database and object storage are both encrypted at rest with AES-256 and KMS key rotation is enabled, consistent with the claim. Backups inherit database encryption.

System and Information Integrity (SI)

SI-4System Monitoring

Fail

SSP states

Anomalous behavior triggers an automated incident response workflow.

Observed — infrastructure.yaml

105  siem: splunk-cloud-gov
106  edr: crowdstrike-falcon-gov
107  ioc_feeds: enabled
108  automated_response: partial
109  soc_integration: true

Assessment

SIEM, EDR, IOC feeds, and SOC integration support the continuous-monitoring claim, but automated response is declared partial — short of the SSP's claim that anomalous behavior triggers an automated incident response workflow.