Compliance Gap Assessment · NIST SP 800-53
AEGIS-LOG — SSP Control Assessment
SSP v2.3 (reviewed 2024-08-12)
Evidence infrastructure.yaml
Assessed 2026-07-15
Region us-gov-west-1
Categorization Moderate (FIPS 199)
Each control claimed in the System Security Plan excerpts is compared against the
declared production infrastructure. A control fails when the deployed configuration
contradicts the SSP's written claim; it is partial when the claim is mostly upheld
but material weaknesses undercut it.
15 controls in SSP order · one segment per control
| Control | Title | Status | Finding |
| AC-2 | Account Management | Partial | Long-lived IAM keys; one unrotated since Jan 2023 |
| AC-3 | Access Enforcement | Pass | No contradicting evidence |
| AC-17 | Remote Access | Pass | No public ingress; admin VPN enforced |
| AU-2 | Event Logging | Fail | No privilege-escalation events; online retention 180 d vs 1 yr claimed |
| AU-9 | Protection of Audit Information | Fail | platform-engineer added as log reader; governance-mode object lock |
| CM-2 | Baseline Configuration | Pass | IaC baseline with weekly drift detection |
| CM-6 | Configuration Settings | Partial | STIG applied, but 2 high / 14 medium findings open |
| CP-9 | System Backup | Fail | Quarterly restore testing lapsed ~10 months |
| IA-2 | Identification and Authentication | Fail | Long-lived access keys contradict short-lived-token claim |
| IA-5 | Authenticator Management | Not assessed | No authenticator configuration in evidence |
| SC-7 | Boundary Protection | Fail | NLB ingress bypasses WAF inspection |
| SC-8 | Transmission Confidentiality | Fail | NLB permits TLS 1.0 |
| SC-13 | Cryptographic Protection | Fail | Non-FIPS OpenSSL 1.1.1 in use; waiver expired |
| SC-28 | Protection of Information at Rest | Pass | AES-256 with KMS rotation across stores |
| SI-4 | System Monitoring | Fail | Automated response only partial vs automated IR claimed |
Access Control (AC)
AC-2Account Management
Partial
SSP states
Service accounts are managed through AWS IAM with quarterly access reviews. All accounts are reviewed by the ISSO within 30 days of personnel changes.
Observed — infrastructure.yaml
15 account_review_cadence_days: 90
16 iam_users:
17 - name: deploy-bot
19 last_rotated: 2024-11-15
20 type: long_lived_access_key
21 - name: legacy-etl
23 last_rotated: 2023-01-08
24 type: long_lived_access_key
Assessment
The 90-day review cadence satisfies "quarterly," but two service accounts hold long-lived IAM access keys, and legacy-etl's key has not been rotated in roughly three and a half years. Accounts that stale undercut the claim that service accounts are actively managed.
AC-3Access Enforcement
Pass
SSP states
Role-based access control is enforced at the application layer. Three roles are defined… All access decisions are logged.
Observed — infrastructure.yaml
66 event_types_logged:
67 - auth_success
68 - auth_failure
70 - cui_data_access
73 access_controls:
74 readers:
75 - role: isso
Assessment
The evidence file does not describe application-layer RBAC directly, but role-scoped access appears in the logging configuration and authentication and data-access events are logged. Nothing in the infrastructure contradicts the claim.
AC-17Remote Access
Pass
SSP states
All remote access… occurs over the DoDIN via approved VPN endpoints. Direct internet exposure of any system component is prohibited.
Observed — infrastructure.yaml
28 - type: alb
31 public: false
32 - type: nlb
35 public: false
43 vpn:
44 required_for_admin: true
45 provider: dod-cap
Assessment
Neither load balancer is internet-facing and administrative access requires the DoD Cloud Access Point VPN. The jump-host requirement is not visible in the evidence file but nothing contradicts it.
Audit and Accountability (AU)
AU-2Event Logging
Fail
SSP states
The system logs… authentication attempts, privilege escalations, configuration changes, CUI data access, and system errors. Logs are retained for one year online and three years archived.
Observed — infrastructure.yaml
64 retention_online_days: 180
65 retention_archive_days: 1095
66 event_types_logged:
67 - auth_success
68 - auth_failure
69 - config_change
70 - cui_data_access
71 - system_error
Assessment
Two contradictions. Privilege-escalation events are claimed but absent from the logged event types, and online retention is 180 days against the one-year claim. Archive retention (1,095 days) does match the three-year claim.
AU-9Protection of Audit Information
Fail
SSP states
Audit logs are written to a tamper-evident store. Access to logs is restricted to the ISSO and SOC personnel.
Observed — infrastructure.yaml
72 tamper_protection: object_lock_governance
73 access_controls:
74 readers:
75 - role: isso
76 - role: soc-analyst
77 - role: platform-engineer # added 2025-08 for debugging
Assessment
The platform-engineer role was added as a log reader in August 2025, outside the SSP's stated ISSO/SOC restriction. Additionally, S3 Object Lock in governance mode can be bypassed by privileged principals, which weakens the tamper-evidence claim relative to compliance mode.
Configuration Management (CM)
CM-2Baseline Configuration
Pass
SSP states
The system maintains a documented baseline configuration in version control. All infrastructure is declared as code. Drift from baseline is reviewed weekly.
Observed — infrastructure.yaml
112 iac_tool: terraform
113 iac_repo: github.com/aegis-log/infra
114 drift_detection:
115 enabled: true
116 cadence: weekly
117 last_run: 2026-05-30
Assessment
Terraform-managed infrastructure in version control with weekly drift detection matches the claim. The last drift run (2026-05-30) is recent relative to the assessment date.
CM-6Configuration Settings
Partial
SSP states
All EC2 instances are hardened per the DISA STIG for Red Hat Enterprise Linux 8. All Kubernetes clusters are configured per the Kubernetes STIG.
Observed — infrastructure.yaml
51 stig_hardened: true
52 cis_benchmark_score: 87
54 os: rhel-8
55 stig_hardened: true
56 last_scan: 2026-05-22
57 open_findings_high: 2
58 open_findings_medium: 14
Assessment
STIG hardening is applied to both nodes and the Kubernetes cluster as claimed, but the most recent scan left 2 high and 14 medium findings open. The hardening claim stands; its execution is incomplete. Iron Bank scanning appears only as an egress allowlist entry and cannot be confirmed as a deployment gate.
Contingency Planning (CP)
CP-9System Backup
Fail
SSP states
Backups are encrypted and stored in a geographically separate AWS region. Backup restoration is tested quarterly.
Observed — infrastructure.yaml
84 backup_cadence: daily
85 backup_region: us-gov-east-1
86 last_restore_test: 2025-09-14
Assessment
Daily cross-region backups match the claim, but the last restore test was 2025-09-14 — roughly ten months before this assessment. At a quarterly cadence, at least two consecutive test windows have been missed, so the restoration-testing claim is not being met.
Identification and Authentication (IA)
IA-2Identification and Authentication
Fail
SSP states
Service-to-service authentication uses short-lived tokens issued by the platform identity broker.
Observed — infrastructure.yaml
10 mfa_required: true
11 cac_piv_integration: true
12 service_auth:
13 method: spiffe
14 token_ttl: 3600
16 iam_users:
20 type: long_lived_access_key # deploy-bot
24 type: long_lived_access_key # legacy-etl
Assessment
Human authentication (CAC/PIV-integrated OIDC with mandatory MFA) and the SPIFFE broker with one-hour tokens match the SSP. But two service identities operate entirely outside that broker on long-lived IAM access keys, directly contradicting the claim that service-to-service authentication uses short-lived tokens.
IA-5Authenticator Management
Not assessed
SSP states
Passwords, where used for break-glass access, conform to DoD password complexity requirements: minimum 15 characters… rotation every 60 days.
Observed — infrastructure.yaml
# No password policy, break-glass account, or authenticator
# configuration appears anywhere in the evidence file.
Assessment
The infrastructure file contains no authenticator or password-policy configuration, so this claim can be neither confirmed nor refuted from the available evidence. Request the break-glass account policy as additional evidence.
System and Communications Protection (SC)
SC-7Boundary Protection
Fail
SSP states
The system enforces boundary protection through AWS security groups, a managed WAF, and network ACLs. All ingress traffic is inspected. Egress is restricted to an allowlist of approved external endpoints.
Observed — infrastructure.yaml
28 - type: alb
30 waf_attached: true
32 - type: nlb
34 waf_attached: false
37 mode: allowlist
42 - "*.github.com" # added 2025-03 for CI artifact pulls
Assessment
The NLB ingress path has no WAF attached, so "all ingress traffic is inspected" is false. Secondary concern: the egress allowlist gained a wildcard for *.github.com in March 2025 — technically still an allowlist, but a broad public domain is scope creep on "approved external endpoints" and a plausible exfiltration path.
SC-8Transmission Confidentiality and Integrity
Fail
SSP states
All data in transit is protected using TLS 1.2 or higher.
Observed — infrastructure.yaml
28 - type: alb
29 tls_version_min: "1.2"
32 - type: nlb
33 tls_version_min: "1.0" # legacy partner integration
Assessment
The NLB accepts TLS 1.0 for a legacy partner integration, directly contradicting the TLS 1.2 floor. TLS 1.0 is deprecated and prohibited for protecting CUI in transit; no documented waiver covers this exception.
SC-13Cryptographic Protection
Fail
SSP states
All cryptographic modules in use are FIPS 140-2 validated. The system does not use any cryptographic primitive that has not been validated.
Observed — infrastructure.yaml
94 fips_mode: enabled
98 legacy_exceptions:
99 - service: legacy-etl
100 uses: openssl-1.1.1
101 fips_validated: false
102 waiver_expires: 2025-12-31 # expired
Assessment
The legacy-etl service runs non-FIPS-validated OpenSSL 1.1.1, contradicting the "all modules validated" claim outright — and the waiver that once covered the exception expired 2025-12-31, more than six months before this assessment. The system is operating with unvalidated cryptography and no active authorization for it.
SC-28Protection of Information at Rest
Pass
SSP states
All data at rest is encrypted using AES-256. Encryption keys are managed in AWS KMS with automatic annual rotation.
Observed — infrastructure.yaml
82 encryption_at_rest: true
83 kms_key_rotation: enabled
88 encryption_at_rest: true
89 encryption_algorithm: AES256
90 versioning: enabled
Assessment
Database and object storage are both encrypted at rest with AES-256 and KMS key rotation is enabled, consistent with the claim. Backups inherit database encryption.
System and Information Integrity (SI)
SI-4System Monitoring
Fail
SSP states
Anomalous behavior triggers an automated incident response workflow.
Observed — infrastructure.yaml
105 siem: splunk-cloud-gov
106 edr: crowdstrike-falcon-gov
107 ioc_feeds: enabled
108 automated_response: partial
109 soc_integration: true
Assessment
SIEM, EDR, IOC feeds, and SOC integration support the continuous-monitoring claim, but automated response is declared partial — short of the SSP's claim that anomalous behavior triggers an automated incident response workflow.