Repository evidence contradicts one or more testable SSP claims.
Failed
11
Needs evidence
2
Passed
2
Evaluated
2026-07-16
Evidence source
docs/infrastructure.yaml
Source timestamp
2026-07-16 21:14 UTC
SSP version
2.3 · reviewed 2024-08-12
Control results
Sorted by failed controls, evidence gaps, then passing controls.
15 controls evaluated
Assessment status and supporting detail for each evaluated control
Status
Control
Control name
Checks
Details
Failed
AU-2
Event Logging
✓Passed:1✕Failed:2?Needs evidence:0
SSP statement
The system logs the following event types: authentication attempts (success and failure), privilege escalations, configuration changes, data access events for records marked CUI, and system errors. Logs are retained for one year online and three years archived.
Check results
Findings, evidence, and cited source for checks under AU-2
Result
Check
Finding and evidence
Passed
Logs retained three years archived (>= 1095 days)archive-retention-3yr
1# AU-2 - Event Logging 2# "The system logs the following event types: authentication attempts 3# (success and failure), privilege escalations, configuration changes, data 4# access events for records marked CUI, and system errors. Logs are retained 5# for one year online and three years archived." 6 7packagessp.compliance 8 9required_event_types:={10"auth_success",11"auth_failure",12"privilege_escalation",13"config_change",14"cui_data_access",15"system_error",16}1718missing_event_types:=required_event_types-logged_event_types1920defaultretention_online_ok:=false2122retention_online_okifinput.logging.retention_online_days>=3652324defaultretention_archive_ok:=false2526retention_archive_okifinput.logging.retention_archive_days>=10952728checkscontains{29"control":"AU-2","id":"required-event-types",30"requirement":"Auth success/failure, privilege escalation, config changes, CUI access, and system errors are logged",31"status":verdict(count(missing_event_types)==0),32"evidence":sprintf("missing event types: %s",[csv(sort(missing_event_types))]),33"paths":["logging.event_types_logged"],34}3536checkscontains{37"control":"AU-2","id":"online-retention-1yr",38"requirement":"Logs retained one year online (>= 365 days)",39"status":verdict(retention_online_ok),40"evidence":sprintf("logging.retention_online_days = %v",[object.get(input,["logging","retention_online_days"],"unset")]),41"paths":["logging.retention_online_days"],42}4344checkscontains{45"control":"AU-2","id":"archive-retention-3yr",46"requirement":"Logs retained three years archived (>= 1095 days)",47"status":verdict(retention_archive_ok),48"evidence":sprintf("logging.retention_archive_days = %v",[object.get(input,["logging","retention_archive_days"],"unset")]),49"paths":["logging.retention_archive_days"],50}
Failed
AU-9
Protection of Audit Information
✓Passed:1✕Failed:2?Needs evidence:0
SSP statement
Audit logs are written to a tamper-evident store. Access to logs is restricted to the ISSO and SOC personnel. Logs are encrypted at rest.
Check results
Findings, evidence, and cited source for checks under AU-9
Result
Check
Finding and evidence
Failed
Log access restricted to the ISSO and SOC personnellog-access-restricted
1# AU-9 - Protection of Audit Information 2# "Audit logs are written to a tamper-evident store. Access to logs is 3# restricted to the ISSO and SOC personnel. Logs are encrypted at rest." 4# 5# Object Lock governance mode can be bypassed by privileged principals; only 6# compliance mode is tamper-evident against all users. 7 8packagessp.compliance 910defaulttamper_protection_ok:=false1112tamper_protection_okifinput.logging.tamper_protection=="object_lock_compliance"1314log_reader_allowed(role)ifrole=="isso"1516log_reader_allowed(role)ifstartswith(role,"soc")1718unauthorized_log_readers:=[r.role|19somerinlog_readers20notlog_reader_allowed(r.role)21]2223unauthorized_log_reader_paths:=[sprintf("logging.access_controls.readers.%d.role",[idx])|24someidx,rinlog_readers25notlog_reader_allowed(r.role)26]2728# "Logs are encrypted at rest." Nearest schema evidence: the s3-archive log29# destination is object storage, which must be encrypted.30defaultlog_encryption_ok:=false3132log_encryption_okifinput.storage.object_storage.encryption_at_rest==true3334checkscontains{35"control":"AU-9","id":"tamper-evident-storage",36"requirement":"Audit logs written to a tamper-evident store (Object Lock compliance mode; governance mode is bypassable by privileged users)",37"status":verdict(tamper_protection_ok),38"evidence":sprintf("logging.tamper_protection = %v",[object.get(input,["logging","tamper_protection"],"unset")]),39"paths":["logging.tamper_protection"],40}4142checkscontains{43"control":"AU-9","id":"log-access-restricted",44"requirement":"Log access restricted to the ISSO and SOC personnel",45"status":verdict(count(unauthorized_log_readers)==0),46"evidence":sprintf("reader roles outside ISSO/SOC: %s",[csv(unauthorized_log_readers)]),47"paths":paths_or(unauthorized_log_reader_paths,["logging.access_controls.readers"]),48}4950checkscontains{51"control":"AU-9","id":"log-encryption-at-rest",52"requirement":"Logs encrypted at rest (s3-archive destination is object storage)",53"status":verdict(log_encryption_ok),54"evidence":sprintf("storage.object_storage.encryption_at_rest = %v",[object.get(input,["storage","object_storage","encryption_at_rest"],"unset")]),55"paths":["storage.object_storage.encryption_at_rest"],56}
Failed
CM-2
Baseline Configuration
✓Passed:3✕Failed:1?Needs evidence:0
SSP statement
The system maintains a documented baseline configuration in version control. All infrastructure is declared as code. Drift from baseline is reviewed weekly by the engineering lead.
Check results
Findings, evidence, and cited source for checks under CM-2
Result
Check
Finding and evidence
Passed
Documented baseline configuration maintained in version controlbaseline-documented
1# CM-2 - Baseline Configuration 2# "The system maintains a documented baseline configuration in version 3# control. All infrastructure is declared as code. Drift from baseline is 4# reviewed weekly by the engineering lead." 5 6packagessp.compliance 7 8defaultiac_ok:=false 910iac_okif{11input.config_management.iac_tool12count(input.config_management.iac_repo)>013}1415defaultbaseline_doc_ok:=false1617baseline_doc_okifcount(input.config_management.baseline_doc_ref)>01819defaultdrift_detection_ok:=false2021drift_detection_okif{22dd:=input.config_management.drift_detection23dd.enabled==true24dd.cadencein{"hourly","daily","weekly"}25}2627defaultdrift_run_current_ok:=false2829drift_run_current_okifdays_since(input.config_management.drift_detection.last_run)<=73031checkscontains{32"control":"CM-2","id":"infrastructure-as-code",33"requirement":"All infrastructure declared as code in version control",34"status":verdict(iac_ok),35"evidence":sprintf("config_management: tool=%v repo=%v",[object.get(input,["config_management","iac_tool"],"unset"),object.get(input,["config_management","iac_repo"],"unset")]),36"paths":["config_management.iac_tool","config_management.iac_repo"],37}3839checkscontains{40"control":"CM-2","id":"baseline-documented",41"requirement":"Documented baseline configuration maintained in version control",42"status":verdict(baseline_doc_ok),43"evidence":sprintf("config_management.baseline_doc_ref = %v",[object.get(input,["config_management","baseline_doc_ref"],"unset")]),44"paths":["config_management.baseline_doc_ref"],45}4647checkscontains{48"control":"CM-2","id":"drift-detection-weekly",49"requirement":"Drift detection enabled at weekly cadence or better",50"status":verdict(drift_detection_ok),51"evidence":sprintf("drift_detection: enabled=%v cadence=%v",[object.get(input,["config_management","drift_detection","enabled"],"unset"),object.get(input,["config_management","drift_detection","cadence"],"unset")]),52"paths":["config_management.drift_detection.enabled","config_management.drift_detection.cadence"],53}5455checkscontains{56"control":"CM-2","id":"drift-review-current",57"requirement":"Drift reviewed weekly: last run within 7 days of evaluation date",58"status":verdict(drift_run_current_ok),59"evidence":sprintf("drift_detection.last_run = %v",[object.get(input,["config_management","drift_detection","last_run"],"unset")]),60"paths":["config_management.drift_detection.last_run"],61}
Failed
CM-6
Configuration Settings
✓Passed:2✕Failed:1?Needs evidence:1
SSP statement
All EC2 instances are hardened per the DISA STIG for Red Hat Enterprise Linux 8. All Kubernetes clusters are configured per the Kubernetes STIG. Container images are scanned against the DoD Iron Bank baseline before deployment.
Check results
Findings, evidence, and cited source for checks under CM-6
Result
Check
Finding and evidence
Needs evidence
Container images scanned against the DoD Iron Bank baseline before deploymentiron-bank-image-scanning
Image scanning is not represented in the infrastructure schema
No repository field can prove this claim.
Passed
Kubernetes clusters configured per the Kubernetes STIGkubernetes-stig-hardening
1# CM-6 - Configuration Settings 2# "All EC2 instances are hardened per the DISA STIG for Red Hat Enterprise 3# Linux 8. All Kubernetes clusters are configured per the Kubernetes STIG. 4# Container images are scanned against the DoD Iron Bank baseline before 5# deployment." 6 7packagessp.compliance 8 9defaultnodes_stig_ok:=false1011nodes_stig_okifinput.compute.nodes.stig_hardened==true1213defaultk8s_stig_ok:=false1415k8s_stig_okifinput.compute.kubernetes.stig_hardened==true1617# A system hardened per STIG should carry no open high-severity findings.18defaultno_high_findings_ok:=false1920no_high_findings_okifinput.compute.nodes.open_findings_high==02122checkscontains{23"control":"CM-6","id":"node-stig-hardening",24"requirement":"EC2 instances hardened per DISA STIG for RHEL 8",25"status":verdict(nodes_stig_ok),26"evidence":sprintf("compute.nodes: os=%v stig_hardened=%v",[object.get(input,["compute","nodes","os"],"unset"),object.get(input,["compute","nodes","stig_hardened"],"unset")]),27"paths":["compute.nodes.stig_hardened"],28}2930checkscontains{31"control":"CM-6","id":"kubernetes-stig-hardening",32"requirement":"Kubernetes clusters configured per the Kubernetes STIG",33"status":verdict(k8s_stig_ok),34"evidence":sprintf("compute.kubernetes.stig_hardened = %v",[object.get(input,["compute","kubernetes","stig_hardened"],"unset")]),35"paths":["compute.kubernetes.stig_hardened"],36}3738checkscontains{39"control":"CM-6","id":"no-open-high-findings",40"requirement":"No open high-severity scan findings on STIG-hardened nodes",41"status":verdict(no_high_findings_ok),42"evidence":sprintf("compute.nodes.open_findings_high = %v (last_scan %v)",[object.get(input,["compute","nodes","open_findings_high"],"unset"),object.get(input,["compute","nodes","last_scan"],"unset")]),43"paths":["compute.nodes.open_findings_high"],44}4546checkscontains{47"control":"CM-6","id":"iron-bank-image-scanning",48"requirement":"Container images scanned against the DoD Iron Bank baseline before deployment",49"status":"manual",50"evidence":"Image scanning is not represented in the infrastructure schema",51"paths":[],52}
Failed
CP-9
System Backup
✓Passed:2✕Failed:1?Needs evidence:1
SSP statement
User data and system configuration are backed up daily. Backups are encrypted and stored in a geographically separate AWS region. Backup restoration is tested quarterly.
Check results
Findings, evidence, and cited source for checks under CP-9
Result
Check
Finding and evidence
Needs evidence
Backups are encryptedbackup-encryption
No backup-encryption field in the schema; source volumes are covered under SC-28
No repository field can prove this claim.
Passed
User data and system configuration backed up dailydaily-backups
1# CP-9 - System Backup 2# "User data and system configuration are backed up daily. Backups are 3# encrypted and stored in a geographically separate AWS region. Backup 4# restoration is tested quarterly." 5 6packagessp.compliance 7 8defaultbackup_cadence_ok:=false 910backup_cadence_okifinput.storage.database.backup_cadencein{"hourly","daily"}1112defaultbackup_region_ok:=false1314backup_region_okif{15br:=input.storage.database.backup_region16br!=input.system.region17}1819defaultrestore_test_ok:=false2021restore_test_okifdays_since(input.storage.database.last_restore_test)<=922223checkscontains{24"control":"CP-9","id":"daily-backups",25"requirement":"User data and system configuration backed up daily",26"status":verdict(backup_cadence_ok),27"evidence":sprintf("storage.database.backup_cadence = %v",[object.get(input,["storage","database","backup_cadence"],"unset")]),28"paths":["storage.database.backup_cadence"],29}3031checkscontains{32"control":"CP-9","id":"geographically-separate-backups",33"requirement":"Backups stored in a geographically separate AWS region",34"status":verdict(backup_region_ok),35"evidence":sprintf("system.region = %v, backup_region = %v",[object.get(input,["system","region"],"unset"),object.get(input,["storage","database","backup_region"],"unset")]),36"paths":["storage.database.backup_region","system.region"],37}3839checkscontains{40"control":"CP-9","id":"quarterly-restore-test",41"requirement":"Backup restoration tested quarterly: last test within 92 days of evaluation date",42"status":verdict(restore_test_ok),43"evidence":sprintf("storage.database.last_restore_test = %v",[object.get(input,["storage","database","last_restore_test"],"unset")]),44"paths":["storage.database.last_restore_test"],45}4647checkscontains{48"control":"CP-9","id":"backup-encryption",49"requirement":"Backups are encrypted",50"status":"manual",51"evidence":"No backup-encryption field in the schema; source volumes are covered under SC-28",52"paths":[],53}
Failed
IA-2
Identification and Authentication
✓Passed:3✕Failed:1?Needs evidence:0
SSP statement
All human users authenticate via CAC/PIV. Multi-factor authentication is required for all administrative actions. Service-to-service authentication uses short-lived tokens issued by the platform identity broker.
Check results
Findings, evidence, and cited source for checks under IA-2
Result
Check
Finding and evidence
Passed
All human users authenticate via CAC/PIVcac-piv-authentication
1# IA-2 - Identification and Authentication 2# "All human users authenticate via CAC/PIV. Multi-factor authentication is 3# required for all administrative actions. Service-to-service authentication 4# uses short-lived tokens issued by the platform identity broker." 5 6packagessp.compliance 7 8defaultcac_piv_ok:=false 910cac_piv_okifinput.identity.human_auth.cac_piv_integration==true1112defaultmfa_ok:=false1314mfa_okifinput.identity.human_auth.mfa_required==true1516defaultservice_tokens_ok:=false1718service_tokens_okif{19sa:=input.identity.service_auth20sa.method!="api_key"21sa.token_ttl<=3600# "short-lived": at most one hour22}2324checkscontains{25"control":"IA-2","id":"cac-piv-authentication",26"requirement":"All human users authenticate via CAC/PIV",27"status":verdict(cac_piv_ok),28"evidence":sprintf("identity.human_auth: method=%v cac_piv_integration=%v",[object.get(input,["identity","human_auth","method"],"unset"),object.get(input,["identity","human_auth","cac_piv_integration"],"unset")]),29"paths":["identity.human_auth.cac_piv_integration"],30}3132checkscontains{33"control":"IA-2","id":"mfa-required",34"requirement":"Multi-factor authentication required for administrative actions",35"status":verdict(mfa_ok),36"evidence":sprintf("identity.human_auth.mfa_required = %v",[object.get(input,["identity","human_auth","mfa_required"],"unset")]),37"paths":["identity.human_auth.mfa_required"],38}3940checkscontains{41"control":"IA-2","id":"short-lived-service-tokens",42"requirement":"Service-to-service auth uses short-lived tokens (TTL <= 3600s, not api_key)",43"status":verdict(service_tokens_ok),44"evidence":sprintf("identity.service_auth: method=%v token_ttl=%v",[object.get(input,["identity","service_auth","method"],"unset"),object.get(input,["identity","service_auth","token_ttl"],"unset")]),45"paths":["identity.service_auth.method","identity.service_auth.token_ttl"],46}4748checkscontains{49"control":"IA-2","id":"no-long-lived-service-credentials",50"requirement":"No long-lived service credentials (contradicts short-lived broker-issued tokens)",51"status":verdict(count(long_lived_service_creds)==0),52"evidence":sprintf("long-lived access keys: %s",[csv(long_lived_service_creds)]),53"paths":paths_or(long_lived_service_cred_paths,["identity.iam_users"]),54}
Failed
IA-5
Authenticator Management
✓Passed:0✕Failed:1?Needs evidence:1
SSP statement
Passwords, where used for break-glass access, conform to DoD password complexity requirements: minimum 15 characters, complexity requirements per DoD policy, rotation every 60 days.
Check results
Findings, evidence, and cited source for checks under IA-5
Result
Check
Finding and evidence
Failed
Authenticators rotated every 60 days (applied to long-lived IAM access keys)authenticator-rotation-60d
keys rotated more than 60 days before evaluation date: deploy-bot, legacy-etl
1# IA-5 - Authenticator Management 2# "Passwords, where used for break-glass access, conform to DoD password 3# complexity requirements: minimum 15 characters, complexity requirements per 4# DoD policy, rotation every 60 days." 5# 6# The 60-day rotation requirement is applied to the only rotatable 7# authenticators in the schema: long-lived IAM access keys. 8 9packagessp.compliance1011authenticator_stale(u)ifnotu.last_rotated1213authenticator_stale(u)ifdays_since(u.last_rotated)>601415stale_authenticators:=[u.name|16someuiniam_users17u.type=="long_lived_access_key"18authenticator_stale(u)19]2021stale_authenticator_paths:=[sprintf("identity.iam_users.%d.last_rotated",[idx])|22someidx,uiniam_users23u.type=="long_lived_access_key"24authenticator_stale(u)25]2627checkscontains{28"control":"IA-5","id":"authenticator-rotation-60d",29"requirement":"Authenticators rotated every 60 days (applied to long-lived IAM access keys)",30"status":verdict(count(stale_authenticators)==0),31"evidence":sprintf("keys rotated more than 60 days before evaluation date: %s",[csv(stale_authenticators)]),32"paths":paths_or(stale_authenticator_paths,["identity.iam_users"]),33}3435checkscontains{36"control":"IA-5","id":"password-complexity",37"requirement":"Break-glass passwords: minimum 15 characters, DoD complexity, 60-day rotation",38"status":"manual",39"evidence":"Password policy is not represented in the infrastructure schema",40"paths":[],41}
Failed
SC-13
Cryptographic Protection
✓Passed:1✕Failed:1?Needs evidence:0
SSP statement
All cryptographic modules in use are FIPS 140-2 validated. The system does not use any cryptographic primitive that has not been validated.
Check results
Findings, evidence, and cited source for checks under SC-13
Result
Check
Finding and evidence
Passed
FIPS 140-2 validated cryptographic modules (FIPS mode enabled)fips-mode-enabled
1# SC-13 - Cryptographic Protection 2# "All cryptographic modules in use are FIPS 140-2 validated. The system does 3# not use any cryptographic primitive that has not been validated." 4# 5# A non-validated module is tolerated only under an unexpired waiver. 6 7packagessp.compliance 8 9defaultfips_mode_ok:=false1011fips_mode_okifinput.crypto.fips_mode=="enabled"1213crypto_exception_ok(e)ife.fips_validated==true1415crypto_exception_ok(e)ifdays_since(e.waiver_expires)<01617invalid_crypto_exceptions:=[sprintf("%s (uses %s)",[e.service,e.uses])|18someeinlegacy_exceptions19notcrypto_exception_ok(e)20]2122invalid_crypto_exception_paths:=[sprintf("crypto.legacy_exceptions.%d",[idx])|23someidx,einlegacy_exceptions24notcrypto_exception_ok(e)25]2627checkscontains{28"control":"SC-13","id":"fips-mode-enabled",29"requirement":"FIPS 140-2 validated cryptographic modules (FIPS mode enabled)",30"status":verdict(fips_mode_ok),31"evidence":sprintf("crypto.fips_mode = %v",[object.get(input,["crypto","fips_mode"],"unset")]),32"paths":["crypto.fips_mode"],33}3435checkscontains{36"control":"SC-13","id":"fips-validated-modules-only",37"requirement":"No non-validated cryptographic primitive in use (non-validated modules need an unexpired waiver)",38"status":verdict(count(invalid_crypto_exceptions)==0),39"evidence":sprintf("non-validated modules without a current waiver: %s",[csv(invalid_crypto_exceptions)]),40"paths":paths_or(invalid_crypto_exception_paths,["crypto.legacy_exceptions"]),41}
Failed
SC-7
Boundary Protection
✓Passed:1✕Failed:1?Needs evidence:0
SSP statement
The system enforces boundary protection through AWS security groups, a managed WAF, and network ACLs. All ingress traffic is inspected. Egress is restricted to an allowlist of approved external endpoints.
Check results
Findings, evidence, and cited source for checks under SC-7
Result
Check
Finding and evidence
Passed
Egress restricted to an allowlist of approved endpointsegress-allowlist
38mode:allowlist39allowed_endpoints:40-"*.amazonaws.com"41-"iron-bank.dso.mil"42-"api.partner-system.mil"43-"*.github.com"# added 2025-03 for CI artifact pulls44vpn:
Failed
All ingress traffic inspected by the managed WAFwaf-on-all-ingress
1# SC-7 - Boundary Protection 2# "The system enforces boundary protection through AWS security groups, a 3# managed WAF, and network ACLs. All ingress traffic is inspected. Egress is 4# restricted to an allowlist of approved external endpoints." 5 6packagessp.compliance 7 8ingress_without_waf:=[i.type| 9someiiningress10object.get(i,"waf_attached",false)!=true11]1213ingress_without_waf_paths:=[sprintf("network.ingress.%d.waf_attached",[idx])|14someidx,iiningress15object.get(i,"waf_attached",false)!=true16]1718defaultegress_allowlist_ok:=false1920egress_allowlist_okif{21input.network.egress.mode=="allowlist"22count(input.network.egress.allowed_endpoints)>023}2425checkscontains{26"control":"SC-7","id":"waf-on-all-ingress",27"requirement":"All ingress traffic inspected by the managed WAF",28"status":verdict(count(ingress_without_waf)==0),29"evidence":sprintf("ingress without WAF: %s",[csv(ingress_without_waf)]),30"paths":paths_or(ingress_without_waf_paths,["network.ingress"]),31}3233checkscontains{34"control":"SC-7","id":"egress-allowlist",35"requirement":"Egress restricted to an allowlist of approved endpoints",36"status":verdict(egress_allowlist_ok),37"evidence":sprintf("network.egress: mode=%v endpoints=%v",[object.get(input,["network","egress","mode"],"unset"),count(object.get(input,["network","egress","allowed_endpoints"],[]))]),38"paths":["network.egress.mode","network.egress.allowed_endpoints"],39}
Failed
SC-8
Transmission Confidentiality and Integrity
✓Passed:1✕Failed:1?Needs evidence:0
SSP statement
All data in transit is protected using TLS 1.2 or higher. Mutual TLS is used for service-to-service communication within the cluster.
Check results
Findings, evidence, and cited source for checks under SC-8
Result
Check
Finding and evidence
Passed
Mutual TLS for service-to-service communication (mtls or spiffe)mutual-tls-service-auth
1# SC-8 - Transmission Confidentiality and Integrity 2# "All data in transit is protected using TLS 1.2 or higher. Mutual TLS is 3# used for service-to-service communication within the cluster." 4 5packagessp.compliance 6 7weak_tls_ingress:=[sprintf("%s (%s)",[i.type,object.get(i,"tls_version_min","unset")])| 8someiiningress 9notobject.get(i,"tls_version_min","unset")in{"1.2","1.3"}10]1112weak_tls_ingress_paths:=[sprintf("network.ingress.%d.tls_version_min",[idx])|13someidx,iiningress14notobject.get(i,"tls_version_min","unset")in{"1.2","1.3"}15]1617defaultmtls_ok:=false1819# SPIFFE identities are delivered over mTLS; both satisfy the SSP claim.20mtls_okifinput.identity.service_auth.methodin{"mtls","spiffe"}2122checkscontains{23"control":"SC-8","id":"tls-1.2-minimum",24"requirement":"All data in transit protected with TLS 1.2 or higher",25"status":verdict(count(weak_tls_ingress)==0),26"evidence":sprintf("ingress below TLS 1.2: %s",[csv(weak_tls_ingress)]),27"paths":paths_or(weak_tls_ingress_paths,["network.ingress"]),28}2930checkscontains{31"control":"SC-8","id":"mutual-tls-service-auth",32"requirement":"Mutual TLS for service-to-service communication (mtls or spiffe)",33"status":verdict(mtls_ok),34"evidence":sprintf("identity.service_auth.method = %v",[object.get(input,["identity","service_auth","method"],"unset")]),35"paths":["identity.service_auth.method"],36}
Failed
SI-4
System Monitoring
✓Passed:3✕Failed:1?Needs evidence:0
SSP statement
The system is monitored continuously for indicators of compromise. Alerts are forwarded to the program SOC. Anomalous behavior triggers an automated incident response workflow.`
Check results
Findings, evidence, and cited source for checks under SI-4
Result
Check
Finding and evidence
Failed
Anomalous behavior triggers an automated incident response workflowautomated-incident-response
1# SI-4 - System Monitoring 2# "The system is monitored continuously for indicators of compromise. Alerts 3# are forwarded to the program SOC. Anomalous behavior triggers an automated 4# incident response workflow." 5 6packagessp.compliance 7 8defaultcontinuous_monitoring_ok:=false 910continuous_monitoring_okif{11count(object.get(input,["monitoring","siem"],""))>012count(object.get(input,["monitoring","edr"],""))>013}1415defaultioc_feeds_ok:=false1617ioc_feeds_okifinput.monitoring.ioc_feeds=="enabled"1819defaultsoc_integration_ok:=false2021soc_integration_okifinput.monitoring.soc_integration==true2223defaultautomated_response_ok:=false2425automated_response_okifinput.monitoring.automated_response=="full"2627checkscontains{28"control":"SI-4","id":"continuous-monitoring",29"requirement":"Continuous monitoring for indicators of compromise (SIEM and EDR deployed)",30"status":verdict(continuous_monitoring_ok),31"evidence":sprintf("monitoring: siem=%v edr=%v",[object.get(input,["monitoring","siem"],"unset"),object.get(input,["monitoring","edr"],"unset")]),32"paths":["monitoring.siem","monitoring.edr"],33}3435checkscontains{36"control":"SI-4","id":"ioc-feeds",37"requirement":"Indicator-of-compromise feeds enabled",38"status":verdict(ioc_feeds_ok),39"evidence":sprintf("monitoring.ioc_feeds = %v",[object.get(input,["monitoring","ioc_feeds"],"unset")]),40"paths":["monitoring.ioc_feeds"],41}4243checkscontains{44"control":"SI-4","id":"soc-integration",45"requirement":"Alerts forwarded to the program SOC",46"status":verdict(soc_integration_ok),47"evidence":sprintf("monitoring.soc_integration = %v",[object.get(input,["monitoring","soc_integration"],"unset")]),48"paths":["monitoring.soc_integration"],49}5051checkscontains{52"control":"SI-4","id":"automated-incident-response",53"requirement":"Anomalous behavior triggers an automated incident response workflow",54"status":verdict(automated_response_ok),55"evidence":sprintf("monitoring.automated_response = %v",[object.get(input,["monitoring","automated_response"],"unset")]),56"paths":["monitoring.automated_response"],57}
Needs evidence
AC-2
Account Management
✓Passed:1✕Failed:0?Needs evidence:1
SSP statement
The AEGIS-LOG system uses centralized identity management via the DoD CAC/PIV infrastructure for all human users. Service accounts are managed through AWS IAM with quarterly access reviews. All accounts are reviewed by the ISSO within 30 days of personnel changes.
Check results
Findings, evidence, and cited source for checks under AC-2
Result
Check
Finding and evidence
Passed
Service accounts reviewed at least quarterly (<= 90 days)account-review-cadence
1# AC-2 - Account Management 2# "Service accounts are managed through AWS IAM with quarterly access 3# reviews. All accounts are reviewed by the ISSO within 30 days of personnel 4# changes." 5 6packagessp.compliance 7 8defaultaccount_review_cadence_ok:=false 910account_review_cadence_okifinput.identity.account_review_cadence_days<=901112checkscontains{13"control":"AC-2","id":"account-review-cadence",14"requirement":"Service accounts reviewed at least quarterly (<= 90 days)",15"status":verdict(account_review_cadence_ok),16"evidence":sprintf("identity.account_review_cadence_days = %v",[object.get(input,["identity","account_review_cadence_days"],"unset")]),17"paths":["identity.account_review_cadence_days"],18}1920checkscontains{21"control":"AC-2","id":"personnel-change-review",22"requirement":"Accounts reviewed by the ISSO within 30 days of personnel changes",23"status":"manual",24"evidence":"Process control; not represented in the infrastructure schema",25"paths":[],26}
Needs evidence
AC-3
Access Enforcement
✓Passed:0✕Failed:0?Needs evidence:1
SSP statement
Role-based access control is enforced at the application layer. Three roles are defined: read-only viewer, operator, and administrator. All access decisions are logged.
Check results
Findings, evidence, and cited source for checks under AC-3
Result
Check
Finding and evidence
Needs evidence
Three application-layer roles (viewer, operator, administrator) with logged access decisionsapplication-rbac
Application-layer RBAC is not represented in the infrastructure schema
1# AC-3 - Access Enforcement 2# "Role-based access control is enforced at the application layer. Three 3# roles are defined ... All access decisions are logged." 4 5packagessp.compliance 6 7checkscontains{ 8"control":"AC-3","id":"application-rbac", 9"requirement":"Three application-layer roles (viewer, operator, administrator) with logged access decisions",10"status":"manual",11"evidence":"Application-layer RBAC is not represented in the infrastructure schema",12"paths":[],13}
Passed
AC-17
Remote Access
✓Passed:2✕Failed:0?Needs evidence:0
SSP statement
All remote access to AEGIS-LOG occurs over the DoDIN via approved VPN endpoints. Direct internet exposure of any system component is prohibited. Administrative access requires jump host traversal.
Check results
Findings, evidence, and cited source for checks under AC-17
Result
Check
Finding and evidence
Passed
Administrative access requires VPN (jump host traversal over DoDIN)admin-vpn-required
1# AC-17 - Remote Access 2# "All remote access to AEGIS-LOG occurs over the DoDIN via approved VPN 3# endpoints. Direct internet exposure of any system component is prohibited. 4# Administrative access requires jump host traversal." 5 6packagessp.compliance 7 8public_ingress:=[i.type| 9someiiningress10object.get(i,"public",true)==true11]1213public_ingress_paths:=[sprintf("network.ingress.%d.public",[idx])|14someidx,iiningress15object.get(i,"public",true)==true16]1718defaultadmin_vpn_ok:=false1920admin_vpn_okifinput.network.vpn.required_for_admin==true2122checkscontains{23"control":"AC-17","id":"no-public-ingress",24"requirement":"Direct internet exposure of any component is prohibited",25"status":verdict(count(public_ingress)==0),26"evidence":sprintf("public ingress endpoints: %s",[csv(public_ingress)]),27"paths":paths_or(public_ingress_paths,["network.ingress"]),28}2930checkscontains{31"control":"AC-17","id":"admin-vpn-required",32"requirement":"Administrative access requires VPN (jump host traversal over DoDIN)",33"status":verdict(admin_vpn_ok),34"evidence":sprintf("network.vpn.required_for_admin = %v",[object.get(input,["network","vpn","required_for_admin"],"unset")]),35"paths":["network.vpn.required_for_admin"],36}
Passed
SC-28
Protection of Information at Rest
✓Passed:3✕Failed:0?Needs evidence:0
SSP statement
All data at rest is encrypted using AES-256. Encryption keys are managed in AWS KMS with automatic annual rotation. Database storage volumes, object storage, and backup volumes are all encrypted.
Check results
Findings, evidence, and cited source for checks under SC-28
Result
Check
Finding and evidence
Passed
Database storage volumes encrypted at restdatabase-encryption
1# SC-28 - Protection of Information at Rest 2# "All data at rest is encrypted using AES-256. Encryption keys are managed 3# in AWS KMS with automatic annual rotation. Database storage volumes, object 4# storage, and backup volumes are all encrypted." 5 6packagessp.compliance 7 8defaultdb_encryption_ok:=false 910db_encryption_okifinput.storage.database.encryption_at_rest==true1112defaultobject_encryption_ok:=false1314object_encryption_okifinput.storage.object_storage.encryption_at_rest==true1516defaultkms_rotation_ok:=false1718kms_rotation_okifinput.storage.database.kms_key_rotation=="enabled"1920checkscontains{21"control":"SC-28","id":"database-encryption",22"requirement":"Database storage volumes encrypted at rest",23"status":verdict(db_encryption_ok),24"evidence":sprintf("storage.database.encryption_at_rest = %v",[object.get(input,["storage","database","encryption_at_rest"],"unset")]),25"paths":["storage.database.encryption_at_rest"],26}2728checkscontains{29"control":"SC-28","id":"object-storage-encryption",30"requirement":"Object storage encrypted at rest with AES-256",31"status":verdict(object_encryption_ok),32"evidence":sprintf("storage.object_storage: encryption_at_rest=%v algorithm=%v",[object.get(input,["storage","object_storage","encryption_at_rest"],"unset"),object.get(input,["storage","object_storage","encryption_algorithm"],"unset")]),33"paths":["storage.object_storage.encryption_at_rest","storage.object_storage.encryption_algorithm"],34}3536checkscontains{37"control":"SC-28","id":"kms-key-rotation",38"requirement":"Encryption keys managed in AWS KMS with automatic rotation",39"status":verdict(kms_rotation_ok),40"evidence":sprintf("storage.database.kms_key_rotation = %v",[object.get(input,["storage","database","kms_key_rotation"],"unset")]),41"paths":["storage.database.kms_key_rotation"],42}