Silverfog

aegis-log Production

Assessment readiness

Evidence incomplete

No checks fail, but one or more SSP claims remain unproven.

Failed
0
Needs evidence
5
Passed
10
Evaluated
2026-07-17
Evidence source
docs/infrastructure.remediated.yaml
Source timestamp
2026-07-16 21:14 UTC
SSP version
2.3 · reviewed 2024-08-12

Control results

Sorted by failed controls, evidence gaps, then passing controls.

15 controls evaluated

Assessment status and supporting detail for each evaluated control
Status Control Control name Checks Details
Needs evidence AC-2 Account Management Passed: 1 Failed: 0 Needs evidence: 1

SSP statement

The AEGIS-LOG system uses centralized identity management via the DoD CAC/PIV infrastructure for all human users. Service accounts are managed through AWS IAM with quarterly access reviews. All accounts are reviewed by the ISSO within 30 days of personnel changes.

Check results

Findings, evidence, and cited source for checks under AC-2
Result Check Finding and evidence
Passed Service accounts reviewed at least quarterly (<= 90 days) account-review-cadence

identity.account_review_cadence_days = 90

  • docs/infrastructure.remediated.yaml:23 identity.account_review_cadence_days
    22    token_ttl: 3600
    23  account_review_cadence_days: 90
    24  iam_users:
    
Needs evidence Accounts reviewed by the ISSO within 30 days of personnel changes personnel-change-review

Process control; not represented in the infrastructure schema

No repository field can prove this claim.

Policy source policy/controls/ac2.rego
 1# AC-2 - Account Management
 2# "Service accounts are managed through AWS IAM with quarterly access
 3# reviews. All accounts are reviewed by the ISSO within 30 days of personnel
 4# changes."
 5
 6package ssp.compliance
 7
 8default account_review_cadence_ok := false
 9
10account_review_cadence_ok if input.identity.account_review_cadence_days <= 90
11
12checks contains {
13	"control": "AC-2", "id": "account-review-cadence",
14	"requirement": "Service accounts reviewed at least quarterly (<= 90 days)",
15	"status": verdict(account_review_cadence_ok),
16	"evidence": sprintf("identity.account_review_cadence_days = %v", [object.get(input, ["identity", "account_review_cadence_days"], "unset")]),
17	"paths": ["identity.account_review_cadence_days"],
18}
19
20checks contains {
21	"control": "AC-2", "id": "personnel-change-review",
22	"requirement": "Accounts reviewed by the ISSO within 30 days of personnel changes",
23	"status": "manual",
24	"evidence": "Process control; not represented in the infrastructure schema",
25	"paths": [],
26}
Needs evidence AC-3 Access Enforcement Passed: 0 Failed: 0 Needs evidence: 1
Needs evidence CM-6 Configuration Settings Passed: 3 Failed: 0 Needs evidence: 1
Needs evidence CP-9 System Backup Passed: 3 Failed: 0 Needs evidence: 1
Needs evidence IA-5 Authenticator Management Passed: 1 Failed: 0 Needs evidence: 1
Passed AC-17 Remote Access Passed: 2 Failed: 0 Needs evidence: 0
Passed AU-2 Event Logging Passed: 3 Failed: 0 Needs evidence: 0
Passed AU-9 Protection of Audit Information Passed: 3 Failed: 0 Needs evidence: 0
Passed CM-2 Baseline Configuration Passed: 4 Failed: 0 Needs evidence: 0
Passed IA-2 Identification and Authentication Passed: 4 Failed: 0 Needs evidence: 0
Passed SC-13 Cryptographic Protection Passed: 2 Failed: 0 Needs evidence: 0
Passed SC-28 Protection of Information at Rest Passed: 3 Failed: 0 Needs evidence: 0
Passed SC-7 Boundary Protection Passed: 2 Failed: 0 Needs evidence: 0
Passed SC-8 Transmission Confidentiality and Integrity Passed: 2 Failed: 0 Needs evidence: 0
Passed SI-4 System Monitoring Passed: 4 Failed: 0 Needs evidence: 0