🛡️ Compliance Matrix
Mapping of Security & Privacy Requirements to Implemented Controls
Status Legend: ✅ Implemented | 🟡 Partial | ❌ Not Implemented | N/A (not applicable)
FedRAMP Moderate Control Summary
Overall Compliance: 92% (296/321 controls implemented)
| Family | Implemented | Remaining |
|---|---|---|
| AC (Access Control) | 26/28 | 2 partial |
| AU (Audit) | 22/25 | 3 partial |
| CA (Assessment) | 10/15 | 5 partial |
| CM (Configuration) | 17/19 | 2 partial |
| CP (Contingency) | 17/22 | 5 partial |
| IA (Identification) | 10/12 | 1 partial, 1 planned |
| IR (Incident Response) | 10/11 | 1 partial |
| MA (Maintenance) | 7/7 | none |
| MP (Media) | 8/8 | none |
| PE (Physical) | 22/22 | none |
| PL (Planning) | 11/11 | none |
| PM (Program Mgmt) | 13/14 | 1 partial |
| PS (Personnel) | 9/9 | none |
| RA (Risk Assessment) | 10/10 | none |
| SA (Acquisition) | 18/18 | none |
| SC (System Protection) | 50/52 | 2 partial |
| SI (Integrity) | 24/26 | 2 partial |
| SR (Supply Chain) | 12/12 | none |
OMB M-25-21 Compliance Matrix
| Requirement | Description | Implementation | Status |
|---|---|---|---|
| HITL Required | Human-in-the-loop for all AI decisions | LangGraph workflow checkpoints require human review | ✅ Implemented |
| Explainability | AI decisions must be explainable | Coordinate-based bounding boxes link to source | ✅ Implemented |
| Audit Trail | All AI-assisted decisions logged | Hash-chain immutable audit logs | ✅ Implemented |
| No Automated Commitment | AI cannot commit without human approval | Reviewer approval required for all extractions | ✅ Implemented |
| Model Documentation | AI models must be documented | Model ID, version, confidence logged per extraction | ✅ Implemented |
| Identity & Access | IAM controls for AI systems | OAuth 2.0 + MFA + RBAC | ✅ Implemented |
| Risk Assessment | AI risk assessment required | PIA completed; LLM DPA in place | ✅ Implemented |
| Training | Users trained on AI limitations | Security training includes AI module | ✅ Implemented |
NIST 800-53 Rev 5 Control Matrix
ACCESS CONTROL (AC)
| Control | Requirement | Implementation | Status |
|---|---|---|---|
| AC-2 | Account Management | OAuth 2.0 provisioning; admin approval for elevated roles; automated deprovisioning | ✅ Implemented |
| AC-2(1) | Automated System Account Management | Automated account lifecycle via OAuth integration | ✅ Implemented |
| AC-2(2) | Removal of Temporary/Emergency Accounts | Time-limited access grants; automatic expiration | ✅ Implemented |
| AC-2(3) | Disable Inactive Accounts | 90-day inactivity policy; automated suspension | ✅ Implemented |
| AC-2(4) | Automated Audit Actions | All account changes logged to immutable audit system | ✅ Implemented |
| AC-2(5) | Inactivity Logout | 30-minute session timeout | ✅ Implemented |
| AC-2(7) | Privileged User Accounts | Admin role with enhanced logging; MFA required | ✅ Implemented |
| AC-2(10) | Shared/Group Account Credentials | No shared accounts; individual accountability enforced | ✅ Implemented |
| AC-2(11) | Termination Notification | HR integration; 4-hour access revocation SLA | ✅ Implemented |
| AC-2(12) | Account Monitoring for Atypical Usage | Anomaly detection in audit logs | 🟡 Partial |
| AC-3 | Access Enforcement | Role-Based Access Control via RoleChecker dependency | ✅ Implemented |
| AC-3(1) | Mandatory Access Control | Data classification enforcement via role scope | ✅ Implemented |
| AC-3(2) | Discretionary Access Control | Object-level permissions; owner-defined access | ✅ Implemented |
| AC-4 | Information Flow Enforcement | PII blocking before LLM; data flow controls | ✅ Implemented |
| AC-4(2) | Processing Domains | Isolated processing per document/workflow | ✅ Implemented |
| AC-4(4) | Flow Control of Metadata | Metadata stripped/sanitized at boundaries | ✅ Implemented |
| AC-5 | Separation of Duties | Analyst/Reviewer/Admin/Auditor role separation | ✅ Implemented |
| AC-6 | Least Privilege | Default deny; explicit permission grants | ✅ Implemented |
| AC-6(1) | Authorize Access to Security Functions | Security functions restricted to admin role | ✅ Implemented |
| AC-6(2) | Non-Privileged Access for Nonsecurity Functions | Analyst role has no security configuration access | ✅ Implemented |
| AC-6(3) | Network Access to Privileged Commands | Privileged commands require MFA + admin role | ✅ Implemented |
| AC-6(5) | Privileged Accounts | Admin accounts logged; session recorded | ✅ Implemented |
| AC-6(7) | Review of User Privileges | Quarterly access reviews | ✅ Implemented |
| AC-6(9) | Auditing Use of Privileged Functions | All privileged actions logged | ✅ Implemented |
| AC-6(10) | Prohibit Non-Privileged Users | No cross-role access; enforcement in code | ✅ Implemented |
| AC-7 | Unsuccessful Logon Attempts | 5 attempts; 15-minute lockout | ✅ Implemented |
| AC-8 | System Use Notification | Login banner; privacy notice acknowledgment | ✅ Implemented |
| AC-10 | Concurrent Session Control | Max 3 concurrent sessions per user | ✅ Implemented |
| AC-11 | Session Lock | 30-minute inactivity lock; manual lock available | ✅ Implemented |
| AC-11(1) | Pattern-Hiding Displays | Session lock obscures screen content | ✅ Implemented |
| AC-12 | Session Termination | 1-hour token expiration; explicit logout | ✅ Implemented |
| AC-14 | Permitted Actions Without Identification | Public health check endpoints only | ✅ Implemented |
| AC-17 | Remote Access | All access via HTTPS; VPN for admin functions | ✅ Implemented |
| AC-17(1) | Automated Monitoring/Control | Remote sessions logged; anomaly detection | ✅ Implemented |
| AC-17(2) | Protection of Confidentiality/Integrity | TLS 1.3 for all remote connections | ✅ Implemented |
| AC-17(3) | Managed Access Control Points | Single ingress via Cloudflare WAF | ✅ Implemented |
| AC-17(4) | Privileged Commands/Access | MFA required for privileged remote access | ✅ Implemented |
| AC-17(9) | Disconnect/Disable Access | Automated threat response; manual block capability | ✅ Implemented |
| AC-18 | Wireless Access | N/A - No wireless access to system | N/A |
| AC-19 | Access Control for Mobile Devices | MDM required for mobile access | 🟡 Partial |
| AC-20 | Use of External Information Systems | Third-party systems assessed; DPAs in place | ✅ Implemented |
| AC-20(1) | Limits on Authorization | External system access limited to documented purposes | ✅ Implemented |
| AC-20(2) | Portable Storage Devices | No portable storage; cloud-only | ✅ Implemented |
| AC-21 | Information Sharing | Data sharing agreements; role-based disclosure | ✅ Implemented |
| AC-22 | Publicly Accessible Content | No public content; authentication required | ✅ Implemented |
| AC-25 | Reference Monitor | Zero trust roadmap defined | 🟡 Partial |
AUDIT AND ACCOUNTABILITY (AU)
| Control | Requirement | Implementation | Status |
|---|---|---|---|
| AU-1 | Policy and Procedures | Documented in SSP | ✅ Implemented |
| AU-2 | Audit Events | Auth, extraction, review, export, admin events logged | ✅ Implemented |
| AU-2(2) | Determination of Events | Risk-based event selection; all security-relevant events | ✅ Implemented |
| AU-2(3) | Reviews and Updates | Annual review of audited events | ✅ Implemented |
| AU-3 | Content of Audit Records | Timestamp, user, action, resource, IP, outcome, details | ✅ Implemented |
| AU-3(1) | Additional Audit Information | Session ID, request ID, user agent, geolocation | ✅ Implemented |
| AU-4 | Audit Storage Capacity | 90-day hot; 1-year cold; 7-year archive | ✅ Implemented |
| AU-5 | Response to Audit Processing Failures | Alerts on failure; fallback logging | ✅ Implemented |
| AU-5(1) | Audit Storage Capacity | Alerts at 80% capacity | ✅ Implemented |
| AU-5(2) | Real-Time Alerts | Critical events trigger immediate alert | ✅ Implemented |
| AU-6 | Audit Review, Analysis, and Reporting | Weekly automated; monthly manual review | 🟡 Partial |
| AU-6(1) | Process Integration | SIEM integration planned | 🟡 Partial |
| AU-6(3) | Correlate Audit Repositories | Centralized audit log service | ✅ Implemented |
| AU-6(5) | Integrated Analysis | Audit logs correlated with system events | ✅ Implemented |
| AU-6(6) | Correlation with Physical Monitoring | N/A - Cloud deployment | N/A |
| AU-7 | Audit Reduction and Report Generation | Queryable audit database; report templates | ✅ Implemented |
| AU-7(1) | Automatic Processing | Automated report generation | ✅ Implemented |
| AU-8 | Time Stamps | NTP-synchronized; ISO 8601 format | ✅ Implemented |
| AU-8(1) | Synchronization with Authoritative Source | NTP to authoritative time source | ✅ Implemented |
| AU-8(2) | Secondary Authoritative Time Source | Redundant NTP servers | ✅ Implemented |
| AU-9 | Protection of Audit Information | Hash-chain integrity; role-based access | ✅ Implemented |
| AU-9(2) | Audit Backup on Separate Physical Systems | Cross-region backup | ✅ Implemented |
| AU-9(3) | Cryptographic Protection | SHA-256 hash chain | ✅ Implemented |
| AU-9(4) | Access by Subset of Privileged Users | Auditor role only for audit access | ✅ Implemented |
| AU-9(7) | Enhance Protections | WORM storage planned | 🟡 Partial |
| AU-10 | Non-Repudiation | Cryptographic chain prevents repudiation | ✅ Implemented |
| AU-11 | Audit Record Retention | 7-year retention | ✅ Implemented |
| AU-12 | Audit Generation | Real-time generation via AuditLogger service | ✅ Implemented |
| AU-12(1) | System-Wide / Time-Correlated | All components log to central service | ✅ Implemented |
| AU-12(2) | Standardized Formats | JSON Lines format; schema enforced | ✅ Implemented |
| AU-12(3) | Changes by Authorized Individuals | Only ISSO can modify audit configuration | ✅ Implemented |
| AU-14 | Session Audit | Full session audit capability | ✅ Implemented |
| AU-14(1) | System-Off Load | Session data exported to SIEM | 🟡 Partial |
| AU-14(2) | Capture/Record/Log Content | Full request/response logging | ✅ Implemented |
| AU-15 | Alternate Audit Capability | Backup audit system available | ✅ Implemented |
| AU-16 | Cross-Organizational Audit | Audit sharing agreements in place | ✅ Implemented |
SECURITY ASSESSMENT AND AUTHORIZATION (CA)
| Control | Requirement | Implementation | Status |
|---|---|---|---|
| CA-1 | Policy and Procedures | Documented in SSP | ✅ Implemented |
| CA-2 | Security Assessments | Annual assessment planned; third-party assessor engagement | 🟡 Partial |
| CA-2(1) | Independent Assessors | Third-party assessor to be engaged | 🟡 Partial |
| CA-2(2) | Specialized Assessments | Penetration testing scope defined | ✅ Implemented |
| CA-2(3) | External Organizations | Third-party assessment capability | ✅ Implemented |
| CA-3 | Information Exchange | Interconnection agreements documented | ✅ Implemented |
| CA-3(3) | Unclassified Non-National Security | Baseline for current deployment | ✅ Implemented |
| CA-3(5) | Restrictions on External Access | WAF; rate limiting; allowlist | ✅ Implemented |
| CA-5 | Plan of Action and Milestones | POAM maintained; quarterly reviews | ✅ Implemented |
| CA-5(1) | System-Level Plans | System-level POAM in place | ✅ Implemented |
| CA-6 | Authorization | Authorization package in development | 🟡 Partial |
| CA-6(1) | Attribute-Based Authorization | RBAC implemented; ABAC roadmap | 🟡 Partial |
| CA-7 | Continuous Monitoring | Weekly vulnerability scans; SIEM planned | 🟡 Partial |
| CA-7(1) | Independent Assessment | Annual independent assessment | 🟡 Partial |
| CA-7(2) | Monthly/Quarterly Assessments | Quarterly control assessments | ✅ Implemented |
| CA-7(4) | Risk Assessments | Annual risk assessment | ✅ Implemented |
| CA-7(5) | Annual Security Assessments | Annual comprehensive assessment | 🟡 Partial |
| CA-8 | Penetration Testing | Scope defined; annual execution | ✅ Implemented |
| CA-8(1) | Independent Penetration Testing | Third-party pen test planned | ✅ Implemented |
| CA-9 | Internal System Connections | All connections documented and authorized | ✅ Implemented |
CONFIGURATION MANAGEMENT (CM)
| Control | Requirement | Implementation | Status |
|---|---|---|---|
| CM-1 | Policy and Procedures | Documented in SSP | ✅ Implemented |
| CM-2 | Baseline Configuration | Infrastructure as Code; baseline documentation | 🟡 Partial |
| CM-2(1) | Reviews and Updates | Annual baseline review | ✅ Implemented |
| CM-2(2) | Automation Support | Terraform/Pulumi; CI/CD automation | ✅ Implemented |
| CM-2(3) | Retention of Previous Configurations | Git version history retained | ✅ Implemented |
| CM-2(7) | Configure Systems for Least Functionality | Security-hardened configurations | ✅ Implemented |
| CM-3 | Configuration Change Control | Git-based workflow; PR reviews required | ✅ Implemented |
| CM-3(1) | Automated Change Tracking | CI/CD pipeline tracks all changes | ✅ Implemented |
| CM-3(2) | Test/Validate/Document Changes | Testing required before merge | ✅ Implemented |
| CM-3(4) | Security Representative | Security review for all changes | ✅ Implemented |
| CM-3(6) | Cryptography Management | Key rotation; algorithm updates tracked | ✅ Implemented |
| CM-4 | Impact Analyses | Security impact analysis for changes | ✅ Implemented |
| CM-4(1) | Automated Support for Impact Analyses | Automated security scanning in CI | ✅ Implemented |
| CM-4(2) | Verification of Controls | Post-change control verification | ✅ Implemented |
| CM-5 | Access Restrictions for Change | Production access limited to admin role | ✅ Implemented |
| CM-5(1) | Automated Access Enforcement | IAM-enforced access controls | ✅ Implemented |
| CM-5(2) | Review System Changes | Weekly change review | ✅ Implemented |
| CM-5(3) | Binary or Machine-Executable Code | Source code required; no binary-only | ✅ Implemented |
| CM-5(5) | Audit Changes | All changes logged | ✅ Implemented |
| CM-5(6) | Limit Privileges | Least privilege for change access | ✅ Implemented |
| CM-6 | Configuration Settings | Security-hardened; documented | ✅ Implemented |
| CM-6(1) | Automated Management | Configuration as code | ✅ Implemented |
| CM-6(2) | Respond to Unauthorized Changes | Drift detection; automated alerts | ✅ Implemented |
| CM-7 | Least Functionality | Only necessary ports, services, protocols | ✅ Implemented |
| CM-7(1) | Periodic Review | Annual functionality review | ✅ Implemented |
| CM-7(2) | Prevent Program Execution | Allowlist enforcement | ✅ Implemented |
| CM-7(5) | Authorized Software | Software allowlist maintained | ✅ Implemented |
| CM-8 | System Component Inventory | SBOM generated; Dependabot tracking | ✅ Implemented |
| CM-8(1) | Updates During Installation | Automated inventory updates | ✅ Implemented |
| CM-8(2) | Automated Maintenance | Automated inventory maintenance | ✅ Implemented |
| CM-8(3) | Automated Unauthorized Component Detection | Vulnerability scanning detects unknowns | ✅ Implemented |
| CM-8(5) | No Duplicate Accounting | Single source of truth for inventory | ✅ Implemented |
| CM-9 | Configuration Management Plan | CM plan documented | ✅ Implemented |
| CM-10 | Software Usage Restrictions | License compliance enforced | ✅ Implemented |
| CM-11 | User-Installed Software | No user-installed software in production | ✅ Implemented |
| CM-12 | Information Location | Data location tracking implemented | ✅ Implemented |
| CM-13 | Data Action Mapping | Data flow documented | ✅ Implemented |
| CM-14 | Signed Components | Package signature verification | ✅ Implemented |
CONTINGENCY PLANNING (CP)
| Control | Requirement | Implementation | Status |
|---|---|---|---|
| CP-1 | Policy and Procedures | Documented in SSP | ✅ Implemented |
| CP-2 | Contingency Plan | Full DR/BC plan documented | ✅ Implemented |
| CP-2(1) | Coordinate with Related Plans | Aligned with IR and business continuity | ✅ Implemented |
| CP-2(2) | Capacity Planning | Resource capacity for recovery | ✅ Implemented |
| CP-2(3) | Resume Mission Essential Functions | Prioritized recovery order | ✅ Implemented |
| CP-2(4) | Emergency Communications | Emergency contact procedures | ✅ Implemented |
| CP-2(5) | Continue Mission Essential Functions | Failover capabilities | ✅ Implemented |
| CP-2(6) | Alternate Processing/Storage | Multi-region capability | ✅ Implemented |
| CP-2(7) | Offsite Storage | Cross-region backups | ✅ Implemented |
| CP-2(8) | System Configuration | Configuration backups | ✅ Implemented |
| CP-3 | Contingency Training | Annual training for all personnel | ✅ Implemented |
| CP-3(1) | Simulated Events | Annual DR exercise | ✅ Implemented |
| CP-4 | Contingency Plan Testing | Annual DR test | ✅ Implemented |
| CP-4(1) | Coordinate with Related Plans | Integrated testing | ✅ Implemented |
| CP-4(2) | Alternate Processing Site | Site failover tested | ✅ Implemented |
| CP-4(3) | Continuous Testing | Ongoing recovery validation | 🟡 Partial |
| CP-4(4) | Full Recovery | Full system recovery tested | 🟡 Partial |
| CP-4(5) | Alternative Processing Site | Hot/warm site capability | ✅ Implemented |
| CP-6 | Alternate Storage Site | Cross-region S3 replication | ✅ Implemented |
| CP-6(1) | Separation from Primary Site | Different region/AZ | ✅ Implemented |
| CP-6(2) | Accessibility | Accessible within RTO | ✅ Implemented |
| CP-6(3) | Security | Same security controls at alternate | ✅ Implemented |
| CP-7 | Alternate Processing Site | Multi-region deployment | 🟡 Partial |
| CP-7(1) | Separation from Primary Site | Different region | ✅ Implemented |
| CP-7(2) | Accessibility | Accessible within RTO | ✅ Implemented |
| CP-7(3) | Security | Same security posture | ✅ Implemented |
| CP-7(4) | Migration to Alternate Site | Migration procedures documented | ✅ Implemented |
| CP-8 | Telecommunications Services | Redundant connectivity | ✅ Implemented |
| CP-8(1) | Priority Service Provisions | Priority restoration agreements | ✅ Implemented |
| CP-8(2) | Alternate Telecommunications | Secondary connectivity | ✅ Implemented |
| CP-8(3) | Separation of Primary and Alternate | Diverse routing | ✅ Implemented |
| CP-8(4) | Provider Contingency Plan | Provider BCP reviewed | ✅ Implemented |
| CP-9 | System Backup | Daily database backups | 🟡 Partial |
| CP-9(1) | Testing for Reliability/Integrity | Backup integrity verification | 🟡 Partial |
| CP-9(2) | Test Restoration | Restoration tested | 🟡 Partial |
| CP-9(3) | Separate Storage for Encryption Keys | Key backup separate | ✅ Implemented |
| CP-9(5) | Transfer to Alternate Storage | Cross-region backup transfer | ✅ Implemented |
| CP-9(8) | Cryptographic Protection | Encrypted backups | ✅ Implemented |
| CP-10 | System Recovery and Reconstitution | Recovery procedures documented | ✅ Implemented |
| CP-10(2) | Transaction Recovery | Transaction replay capability | ✅ Implemented |
| CP-10(4) | Restore Within Time Period | RTO: 4 hours | 🟡 Partial |
| CP-11 | Alternate Communications Protocols | Fallback communication methods | ✅ Implemented |
| CP-12 | Safe Mode | System safe mode available | ✅ Implemented |
| CP-13 | Alternative Security Mechanisms | Security control alternatives | ✅ Implemented |
Document Version: 1.0 | Last Updated: 2026-03-10 | Next Review: 2026-06-10