{"system-security-plan":{"uuid":"1262eb6a-6b07-44bd-a95b-3a37b53efc1c","metadata":{"roles":[{"id":"system-owner","title":"Information System Owner"},{"id":"isso","title":"Information System Security Officer"},{"id":"authorizing-official","title":"Authorizing Official"},{"id":"system-admin","title":"System Administrator"},{"id":"devops-engineer","title":"DevOps Engineer"},{"id":"cloud-service-provider","title":"Cloud Service Provider"},{"id":"prepared-by","title":"Prepared By"},{"id":"prepared-for","title":"Prepared For"},{"id":"security-operations","title":"Security Operations Analyst"},{"id":"app-developer","title":"Application Developer"},{"id":"end-user","title":"End User"}],"title":"Kalvico Application X System Security Plan (SSP)","parties":[{"name":"Kalvico","type":"organization","uuid":"192e71a2-3c4a-44c8-b4a6-508cb4638a27","remarks":"Kalvico is the system owner and operator of Application X.","short-name":"KAL","location-uuids":["6e62ca1c-ee61-4481-a1bd-79172faa356c"]},{"name":"Kalvico Information System Owner","type":"person","uuid":"0cd7bdb9-ef55-46c7-b8ab-29f8efce3617","remarks":"Designated system owner responsible for Application X operations and security posture."},{"name":"Kalvico ISSO","type":"person","uuid":"3a491fe9-e141-4833-b7fb-be33c7538616","remarks":"Information System Security Officer responsible for daily security oversight of Application X."},{"name":"Kalvico Authorizing Official","type":"person","uuid":"92fa7ef1-08dc-4e49-9dba-72d2d34ae8d0","remarks":"Authorizing Official responsible for accepting risk and granting authorization to operate."},{"name":"Kalvico System Administrator","type":"person","uuid":"edd7b467-a294-404b-a1a5-096521ef664e","remarks":"System administrator responsible for AWS infrastructure operations."},{"name":"Kalvico DevOps Engineer","type":"person","uuid":"50894eda-82b6-4917-b55b-3b377a08391a","remarks":"DevOps engineer responsible for CI/CD pipeline and infrastructure-as-code management."},{"name":"Amazon Web 
Services, Inc.","type":"organization","uuid":"1932cfaf-fed6-4c90-804a-d99ae37f627d","remarks":"Cloud infrastructure provider for Application X. AWS maintains FedRAMP High authorization.","short-name":"AWS"},{"name":"Auth0 (Okta, Inc.)","type":"organization","uuid":"284507a0-0d1d-4cdd-ba74-acef816fc705","remarks":"External Customer Identity and Access Management (CIAM) provider for Application X.","short-name":"Auth0"},{"name":"Microsoft Corporation","type":"organization","uuid":"93767fce-178a-4b48-b051-4f448d5fcea2","remarks":"Provider of Microsoft Entra ID, leveraged for privileged identity and access management.","short-name":"Microsoft"}],"remarks":"This SSP describes the security controls implemented for Application X operated by Kalvico. It addresses all 42 NIST SP 800-53 Rev 5 controls identified in the CISA SCuBA Assessment Plan for secure cloud business applications.","version":"1.0.0","locations":[{"uuid":"6e62ca1c-ee61-4481-a1bd-79172faa356c","title":"Kalvico Headquarters","address":{"city":"Arlington","type":"work","state":"VA","country":"US","addr-lines":["Kalvico Corporate Office"],"postal-code":"22201"}},{"uuid":"d4ac88bc-d4d6-4e10-b53e-7eba207ca81f","title":"AWS US East Region","address":{"city":"Ashburn","type":"work","state":"VA","country":"US","addr-lines":["AWS US East (N. 
Virginia)"],"postal-code":"20147"},"remarks":"Primary AWS deployment region for Application X infrastructure."}],"published":"2026-03-11T23:54:25Z","document-ids":[{"scheme":"http://oscal.io/oscal/identifier/content-uuid","identifier":"17eb373b-6c3a-4ef9-a021-0f8995cb4ce2"}],"last-modified":"2026-03-11T23:54:25Z","oscal-version":"1.1.2","responsible-parties":[{"role-id":"system-owner","party-uuids":["0cd7bdb9-ef55-46c7-b8ab-29f8efce3617"]},{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]},{"role-id":"authorizing-official","party-uuids":["92fa7ef1-08dc-4e49-9dba-72d2d34ae8d0"]},{"role-id":"cloud-service-provider","party-uuids":["192e71a2-3c4a-44c8-b4a6-508cb4638a27"]},{"role-id":"prepared-by","party-uuids":["192e71a2-3c4a-44c8-b4a6-508cb4638a27"]}]},"import-profile":{"href":"https://registry.oscal.io/api/v1/pirooz-javan/profiles/fbaf8f1f-716c-4e74-af6f-37cd8703d843","remarks":"Application X implements controls from the NIST SP 800-53 Rev 5 catalog with a FISMA Moderate profile."},"system-characteristics":{"props":[{"name":"cloud-service-model","value":"saas"},{"name":"cloud-deployment-model","value":"government-only-cloud"},{"name":"identity-assurance-level","value":"2"},{"name":"authenticator-assurance-level","value":"2"},{"name":"federation-assurance-level","value":"2"},{"ns":"http://fedramp.gov/ns/oscal","name":"authorization-type","value":"fedramp-agency"}],"status":{"state":"under-development","remarks":"Application X is currently under development with security controls being implemented in alignment with the CISA SCuBA Assessment Plan requirements."},"data-flow":{"diagrams":[{"uuid":"9e4c2966-feb1-488b-88ed-53037edeed87","links":[{"rel":"diagram","href":"#21c16bc5-f848-4ddf-ad3a-1f768217cb90"}],"caption":"Application X Data Flow Diagram","description":"Data flow diagram illustrating request paths, authentication flows, and audit data generation."}],"description":"Data flows through Application X follow these paths as defined in the 
logical architecture:\n\n1. Browser Request Flow: Browser clients send HTTPS requests (TLS 1.3, port 443) to CloudFront. For static content, CloudFront serves the Front-end Code (HTML/JavaScript/React) from S3. For API calls, CloudFront forwards requests to API Gateway (API Management Services).\n\n2. API Processing Flow: API Gateway validates JWT tokens via Lambda authorizers, then invokes Lambda functions (API Server, Python Code). Lambda functions process business logic and issue SQL queries to RDS PostgreSQL, receiving SQL result sets in response. Communication between API Management Services and API Server uses internal AWS service invocation.\n\n3. External Authentication Flow (Non-Privileged): The Front-end Code redirects users to Auth0 (leveraged CIAM service) for login. Auth0 performs authentication (including MFA), issues JWT tokens, and returns permit/deny/policy decisions. API Gateway and Lambda authorizers validate these JWTs on every API call.\n\n4. Privileged Authentication Flow: API Server and PostgreSQL authenticate privileged operations through Microsoft Entra ID (leveraged privileged access service). Entra ID returns permit/deny or policy decisions for privileged identity validation.\n\n5. Audit Data Flow: All API calls, Lambda executions, network traffic, and authentication events generate audit records captured in CloudTrail (API activity), CloudWatch (application and VPC Flow Logs), and forwarded to S3 for long-term retention.\n\n6. Secrets and Encryption Flow: Lambda functions retrieve application secrets from AWS Secrets Manager and use AWS KMS for encryption and decryption operations, all via VPC Endpoints."},"system-ids":[{"id":"KAL-APPX-001","identifier-type":"http://kalvico.com/ns/oscal"}],"description":"Application X is a cloud-native web application operated by Kalvico, delivered as a Software-as-a-Service (SaaS) offering hosted on Amazon Web Services (AWS). 
The system provides secure business application services to authorized users through a browser-based single-page application built with HTML, JavaScript, and React.\n\nThe system uses a serverless architecture within a single AWS Account authorization boundary: AWS Lambda (Python) for API compute, Amazon RDS PostgreSQL for persistent data storage, Amazon API Gateway for API management, Amazon CloudFront for content delivery and TLS termination, AWS WAF for web application firewall protection, and Amazon S3 for static front-end content hosting. The VPC provides network segmentation across two Availability Zones with Public Subnets (NAT Gateways), APP Private Subnets (Lambda functions), and DB Private Subnets (RDS PostgreSQL).\n\nApplication X leverages two external identity services under separate authorizations:\n\n1. Auth0 is leveraged as the External Customer Identity and Access Management (CIAM) service, providing authentication, multi-factor authentication, anomaly detection, and OAuth 2.0/OIDC token management for non-privileged external users.\n\n2. 
Microsoft Entra ID is leveraged as the privileged identity and access management service, providing federated enterprise authentication, conditional access policies, and MFA for Kalvico administrative and privileged users.","system-name":"Kalvico Application X","system-name-short":"AppX","system-information":{"information-types":[{"uuid":"80a93134-d0e7-4915-b74d-589eb56696e2","title":"Business Application Data","description":"Application X processes and stores business application data submitted by authorized users through the web interface.","categorizations":[{"system":"https://doi.org/10.6028/NIST.SP.800-60v2r1","information-type-ids":["C.3.5.1"]}],"integrity-impact":{"base":"fips-199-moderate"},"availability-impact":{"base":"fips-199-moderate"},"confidentiality-impact":{"base":"fips-199-moderate"}},{"uuid":"b67b0165-0568-4abf-bb15-cbaab33fe383","title":"Authentication and Identity Data","description":"User identity information, authentication credentials, and access tokens managed through Auth0 and Microsoft Entra ID.","categorizations":[{"system":"https://doi.org/10.6028/NIST.SP.800-60v2r1","information-type-ids":["C.3.5.2"]}],"integrity-impact":{"base":"fips-199-moderate"},"availability-impact":{"base":"fips-199-low"},"confidentiality-impact":{"base":"fips-199-moderate"}},{"uuid":"8cca65e3-2bbb-41e7-bcd5-df2d986408e6","title":"Audit and Accountability Records","description":"System audit logs, security event records, and operational monitoring data generated by Application X components including CloudTrail, CloudWatch, VPC Flow Logs, and Auth0 tenant 
logs.","categorizations":[{"system":"https://doi.org/10.6028/NIST.SP.800-60v2r1","information-type-ids":["C.3.5.3"]}],"integrity-impact":{"base":"fips-199-moderate"},"availability-impact":{"base":"fips-199-low"},"confidentiality-impact":{"base":"fips-199-moderate"}}]},"network-architecture":{"diagrams":[{"uuid":"3078b9c2-7ded-4ba1-8d16-0677b09f8761","links":[{"rel":"diagram","href":"#21c16bc5-f848-4ddf-ad3a-1f768217cb90"}],"caption":"Application X Network Architecture Diagram","description":"Network architecture diagram showing VPC layout, subnet tiers, NAT gateways, security groups, and AWS service endpoints."}],"description":"Application X is deployed within an AWS Account in the US East region. The network architecture consists of three tiers:\n\nEdge Tier: Browser clients connect through the public internet to Amazon CloudFront (CDN), protected by AWS WAF, with DNS resolution via Amazon Route 53. CloudFront serves static front-end code (HTML/JavaScript/React) from an S3 bucket using Origin Access Control (direct public access is blocked; CloudFront OAC only) and routes API requests to Amazon API Gateway.\n\nApplication Tier: API Gateway invokes AWS Lambda functions using native AWS service-to-service integration (no network connectivity into the VPC is required for invocation). Lambda functions execute Python API code within APP Private Subnets inside Security Groups across two Availability Zones. Functions connect to the database through Lambda RDS Proxy with IAM authentication. Lambda functions requiring outbound HTTPS communication to external identity providers (Auth0 for CIAM and Microsoft Entra ID for privileged access) route through NAT Gateways in the Public Subnets and the Internet Gateway (outbound only via NAT).\n\nData Tier: Amazon RDS PostgreSQL instances are deployed in DB Private Subnets within Security Groups across two Availability Zones for high availability. 
RDS instances authenticate to Entra ID for privileged database operations.\n\nSupporting Services: AWS VPC Endpoints provide private connectivity to AWS services (S3, STS, Secrets Manager, KMS, CloudWatch, CloudTrail) without traversing the internet. Endpoint policies restrict service access to approved resources only. VPC Flow Logs capture all network traffic metadata and deliver to CloudWatch log groups. Egress is restricted to approved destinations and monitored via VPC Flow Logs.\n\nVPC Enforced Data Flow Rules (from logical architecture):\n- Default Deny\n- Allow any -> S3:443\n- Allow any -> API Management Service:443\n- Allow API Management Service -> API Server\n- Allow API Server -> PostgreSQL\n- Allow API Management Service -> Auth0\n- Allow API Server -> Entra ID\n- Allow PostgreSQL -> Entra ID"},"security-impact-level":{"security-objective-integrity":"fips-199-moderate","security-objective-availability":"fips-199-moderate","security-objective-confidentiality":"fips-199-moderate"},"authorization-boundary":{"diagrams":[{"uuid":"ac0a626b-5a80-44aa-bb55-1adcdb9cb19c","links":[{"rel":"diagram","href":"#21c16bc5-f848-4ddf-ad3a-1f768217cb90"}],"caption":"Application X Authorization Boundary Diagram","description":"The authorization boundary diagram depicts the Model Office architecture including all AWS components, network segmentation, and external identity provider integrations."}],"description":"The Application X authorization boundary encompasses all resources within the Kalvico AWS Account deployed in the US East region. 
This includes all components within the AWS Account: Amazon CloudFront, AWS WAF, Amazon Route 53 (edge services); Amazon API Gateway, Internet Gateway (regional services); the Virtual Private Cloud (VPC) with Public Subnets (NAT Gateways), APP Private Subnets (Lambda Function Python API with Security Groups), and DB Private Subnets (Amazon RDS PostgreSQL with Security Groups) across two Availability Zones; Lambda RDS Proxy; AWS S3 Bucket for static content (Front-end Code: HTML/JavaScript/React); VPC Flow Logs; AWS VPC Endpoints; and supporting AWS services accessed via endpoints (AWS STS, AWS Secrets Manager, AWS Key Management Service, Amazon CloudWatch, AWS CloudTrail).\n\nTwo systems are leveraged outside the authorization boundary:\n\n1. Auth0 (Leveraged Authorization) serves as the External Customer Identity and Access Management (CIAM) service, providing authentication, MFA, and token issuance for external non-privileged users.\n\n2. Microsoft Entra ID (Leveraged Authorization) serves as the privileged identity and access management service, providing federated enterprise authentication, conditional access, and MFA for Kalvico administrative and privileged users.\n\nBoth leveraged systems operate outside the authorization boundary under their own separate authorizations. 
Application X inherits identity and authentication controls from these leveraged services."},"security-sensitivity-level":"fips-199-moderate"},"system-implementation":{"users":[{"uuid":"fd2df2bd-71e5-4e0f-9112-bb4286b3d94f","props":[{"name":"type","value":"internal"},{"name":"privilege-level","value":"privileged"}],"title":"System Administrator","role-ids":["system-admin"],"description":"Kalvico staff responsible for AWS infrastructure management, configuration, and operational support of Application X."},{"uuid":"d7ad431f-d324-4cd9-9ce7-c467d7407921","props":[{"name":"type","value":"internal"},{"name":"privilege-level","value":"privileged"}],"title":"Application Developer","role-ids":["app-developer"],"description":"Kalvico developers responsible for Application X code development, testing, and deployment through CI/CD pipelines."},{"uuid":"ce9795c9-6967-417a-a5cb-b7ef8aacdd4f","props":[{"name":"type","value":"internal"},{"name":"privilege-level","value":"privileged"}],"title":"Security Operations Analyst","role-ids":["security-operations"],"description":"Kalvico security staff responsible for monitoring, incident response, and security configuration of Application X."},{"uuid":"3b981e3e-7636-4eb0-908e-e82c383e3a57","props":[{"name":"type","value":"external"},{"name":"privilege-level","value":"non-privileged"}],"title":"End User","role-ids":["end-user"],"description":"External authenticated users accessing Application X through the web interface for standard business functionality."},{"uuid":"850bd6d9-cbfe-42ad-a69b-1c6d07eb8c30","props":[{"name":"type","value":"internal"},{"name":"privilege-level","value":"privileged"}],"title":"ISSO","role-ids":["isso"],"description":"Information System Security Officer overseeing the security posture and compliance of Application X."}],"components":[{"type":"this-system","uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","props":[{"name":"implementation-point","value":"internal"}],"title":"Application 
X","status":{"state":"under-development"},"description":"Kalvico Application X - the complete cloud-native SaaS application system encompassing all AWS resources, Lambda application code, Auth0 integration, and supporting services within the authorization boundary."},{"type":"system","uuid":"2f4d466a-9549-4c65-b006-48e02f81736c","props":[{"name":"implementation-point","value":"external"},{"name":"leveraged-authorization-uuid","value":"043d01da-6a44-40d0-b360-7a3172c071e1"},{"name":"inherited-uuid","value":"043d01da-6a44-40d0-b360-7a3172c071e1"}],"title":"Amazon Web Services (AWS) IaaS/PaaS","status":{"state":"operational"},"description":"AWS provides the underlying cloud infrastructure including compute, storage, networking, and managed services. AWS maintains a FedRAMP authorization covering physical security, hypervisor security, and foundational cloud service security controls."},{"type":"service","uuid":"d6adfd46-e666-480a-b74a-14a411b7e173","props":[{"name":"implementation-point","value":"internal"},{"name":"virtual","value":"yes"}],"title":"Amazon CloudFront","status":{"state":"under-development"},"description":"Content delivery network providing HTTPS termination, static content caching from S3 (via Origin Access Control), and request routing to API Gateway. Enforces TLS 1.2+ and integrates with AWS WAF for edge protection. Direct public access to S3 is blocked; only CloudFront OAC is permitted."},{"type":"service","uuid":"58de1ebb-e60c-47b4-8306-ce189c83357b","props":[{"name":"implementation-point","value":"internal"},{"name":"virtual","value":"yes"}],"title":"AWS WAF (Web Application Firewall)","status":{"state":"under-development"},"description":"Web application firewall protecting Application X at the CloudFront edge. 
Provides managed rule groups for common vulnerabilities (OWASP Top 10), rate limiting, geographic restrictions, IP reputation filtering, and custom rules for application-specific protections."},{"type":"service","uuid":"c7d97ad6-8f0b-4c2c-8b72-8ab95606e670","props":[{"name":"implementation-point","value":"internal"},{"name":"virtual","value":"yes"}],"title":"Amazon Route 53","status":{"state":"under-development"},"description":"DNS service providing domain name resolution for Application X, with health checks and DNS failover capabilities."},{"type":"service","uuid":"90e71a35-c0ac-40ef-b097-fec56c2da9f7","props":[{"name":"implementation-point","value":"internal"},{"name":"virtual","value":"yes"}],"title":"Amazon API Gateway","status":{"state":"under-development"},"description":"Managed API gateway providing RESTful API endpoints for Application X. Handles request routing, throttling, authorization (via Lambda authorizers validating Auth0 JWT tokens), and access logging. Invokes Lambda functions using native AWS service-to-service integration with no direct network connectivity into the VPC required."},{"type":"network","uuid":"4ab08036-da91-4c78-9fbe-1baefd6b1c34","props":[{"name":"implementation-point","value":"internal"},{"name":"virtual","value":"yes"}],"title":"Application X Virtual Private Cloud (VPC)","status":{"state":"under-development"},"description":"AWS VPC providing network isolation for Application X. Spans two Availability Zones with three subnet tiers: Public Subnets (NAT Gateways), APP Private Subnets (Lambda function ENIs), and DB Private Subnets (RDS instances). Internet Gateway configured for outbound-only traffic via NAT. 
VPC Flow Logs monitor all network traffic."},{"type":"service","uuid":"22feb8d0-6f7b-4da2-92c4-57cc270cfe8e","props":[{"name":"implementation-point","value":"internal"},{"name":"virtual","value":"yes"}],"title":"AWS Lambda (Python API Functions)","status":{"state":"under-development"},"description":"Serverless compute service running Application X Python API functions. Lambda control plane is AWS-managed; function execution environment is attached to the VPC using Elastic Network Interfaces in APP Private Subnets. Functions execute within Security Groups and connect to RDS via Lambda RDS Proxy. Functions do not have direct internet access; outbound HTTPS to Auth0/Entra ID routes through NAT Gateway."},{"type":"service","uuid":"5771abec-d2c1-43dc-b85e-4a901b6ed614","props":[{"name":"implementation-point","value":"internal"},{"name":"virtual","value":"yes"}],"title":"Amazon RDS PostgreSQL","status":{"state":"under-development"},"description":"Managed relational database service providing PostgreSQL instances in DB Private Subnets across two Availability Zones for high availability. Encrypted at rest with KMS customer-managed keys. Encrypted in transit with TLS. Accessed exclusively through Lambda RDS Proxy with IAM authentication. Deployed within Security Groups restricting access to application-tier security groups only."},{"type":"service","uuid":"55a399a4-9bfa-4695-8f66-d0ef3dea3344","props":[{"name":"implementation-point","value":"internal"},{"name":"virtual","value":"yes"}],"title":"Lambda RDS Proxy","status":{"state":"under-development"},"description":"Amazon RDS Proxy providing connection pooling and IAM-based authentication between Lambda functions and RDS PostgreSQL instances. 
Reduces database connection overhead and enables IAM authentication for database access."},{"type":"service","uuid":"948caa65-2291-46e2-be7f-cb2fffd09c73","props":[{"name":"implementation-point","value":"internal"},{"name":"virtual","value":"yes"}],"title":"AWS S3 Bucket (Static Content)","status":{"state":"under-development"},"description":"S3 bucket storing static web content (HTML, CSS, JavaScript). Direct public access is blocked; content is served exclusively through CloudFront with Origin Access Control (OAC). Encrypted at rest with SSE-S3 or KMS. Versioning enabled for change tracking."},{"type":"service","uuid":"2f469b18-652b-4df1-930c-b22d5bd7c05d","props":[{"name":"implementation-point","value":"internal"},{"name":"virtual","value":"yes"}],"title":"AWS Key Management Service (KMS)","status":{"state":"under-development"},"description":"Managed cryptographic key service providing customer-managed keys (CMKs) for encrypting RDS databases, S3 objects, Secrets Manager secrets, and CloudTrail logs. Keys are configured for automatic annual rotation."},{"type":"service","uuid":"f3778a8a-926e-4a43-8648-e3cdac9c5590","props":[{"name":"implementation-point","value":"internal"},{"name":"virtual","value":"yes"}],"title":"AWS Secrets Manager","status":{"state":"under-development"},"description":"Managed secrets storage for application credentials, API keys, database connection strings, and Auth0 client secrets. Supports automatic secret rotation schedules. Encrypted with KMS customer-managed keys. Accessed by Lambda functions through VPC Endpoints."},{"type":"service","uuid":"7bf653d6-95ae-41df-8a9e-ef5f99126ba6","props":[{"name":"implementation-point","value":"internal"},{"name":"virtual","value":"yes"}],"title":"Amazon CloudWatch","status":{"state":"under-development"},"description":"Monitoring and observability service providing centralized log aggregation (Lambda logs, VPC Flow Logs, API Gateway access logs), metric collection, alarm configuration, and dashboards. 
CloudWatch Logs Insights enables security event analysis. SNS integration delivers alerts to the security operations team."},{"type":"service","uuid":"b278e3d3-7a87-4d27-9dcb-d2394931262f","props":[{"name":"implementation-point","value":"internal"},{"name":"virtual","value":"yes"}],"title":"AWS CloudTrail","status":{"state":"under-development"},"description":"AWS API audit logging service capturing all management and data events across the Kalvico AWS account. Logs are delivered to a dedicated S3 bucket with integrity validation enabled. CloudTrail Insights detects unusual API activity patterns. Logs are encrypted with KMS."},{"type":"service","uuid":"fcd3b050-6c4e-4b2f-bc1e-ae22008a42cf","props":[{"name":"implementation-point","value":"internal"},{"name":"virtual","value":"yes"}],"title":"AWS Security Token Service (STS)","status":{"state":"under-development"},"description":"AWS STS provides temporary security credentials for Lambda execution roles and cross-service authentication. Accessed through VPC Endpoints for private connectivity."},{"type":"network","uuid":"472e300e-07c0-4714-b160-57c3291fdffb","props":[{"name":"implementation-point","value":"internal"},{"name":"virtual","value":"yes"}],"title":"NAT Gateways","status":{"state":"under-development"},"description":"NAT Gateways deployed in Public Subnets across both Availability Zones providing outbound internet connectivity for Lambda functions in private subnets. Required for HTTPS communication to external identity providers (Auth0 and Entra ID). No inbound internet access is permitted through NAT Gateways."},{"type":"network","uuid":"eea7b306-e9e5-4faf-9b5b-e79bcd5c0a3b","props":[{"name":"implementation-point","value":"internal"},{"name":"virtual","value":"yes"}],"title":"VPC Security Groups","status":{"state":"under-development"},"description":"Stateful firewalls applied to Lambda function ENIs and RDS instances. APP tier Security Groups allow inbound only from API Gateway service. 
DB tier Security Groups allow inbound only from APP tier Security Groups on the PostgreSQL port. All Security Groups follow deny-all-by-default for inbound traffic."},{"type":"service","uuid":"6338f7d2-8a09-4d37-93ed-bb2034ee5a3a","props":[{"name":"implementation-point","value":"internal"},{"name":"virtual","value":"yes"}],"title":"VPC Flow Logs","status":{"state":"under-development"},"description":"VPC Flow Logs configured to capture all network traffic (accepted and rejected) across all ENIs within the VPC. Logs are delivered to CloudWatch log groups for real-time analysis and to S3 for long-term retention. Egress is monitored and restricted to approved destinations."},{"type":"network","uuid":"fb7e3332-cfe8-4a00-a50c-6335cb27920a","props":[{"name":"implementation-point","value":"internal"},{"name":"virtual","value":"yes"}],"title":"AWS VPC Endpoints","status":{"state":"under-development"},"description":"Interface and Gateway VPC Endpoints providing private connectivity from the VPC to AWS services (S3, STS, Secrets Manager, KMS, CloudWatch, CloudTrail) without traversing the public internet. Endpoint policies restrict service access to approved resources only."},{"type":"system","uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","props":[{"name":"implementation-point","value":"external"},{"name":"leveraged-authorization-uuid","value":"52cbfa3a-7030-480a-845f-c2f00196c2d0"},{"name":"inherited-uuid","value":"52cbfa3a-7030-480a-845f-c2f00196c2d0"}],"title":"Auth0 (Leveraged External CIAM Service)","status":{"state":"operational"},"description":"Auth0 is a leveraged external system providing Customer Identity and Access Management (CIAM) for Application X. Auth0 handles authentication for external (non-privileged) users including user registration, username/password authentication with MFA, social login, OAuth 2.0/OIDC token issuance, adaptive MFA, anomaly detection (brute force protection, breached password detection), and session management. 
Auth0 issues JWT access tokens that are validated by API Gateway Lambda authorizers. Auth0 operates outside the Application X authorization boundary as a separately authorized identity service."},{"type":"system","uuid":"58e65041-0d92-40e3-9684-3bf14c4380fa","props":[{"name":"implementation-point","value":"external"},{"name":"leveraged-authorization-uuid","value":"fae8e1c0-9528-4e23-bb58-3ee0b5a2a41e"},{"name":"inherited-uuid","value":"fae8e1c0-9528-4e23-bb58-3ee0b5a2a41e"}],"title":"Microsoft Entra ID (Leveraged Privileged Access Service)","status":{"state":"operational"},"description":"Microsoft Entra ID (formerly Azure Active Directory) is a leveraged external system providing privileged identity and access management for Application X. Entra ID handles authentication for Kalvico administrative and privileged users through enterprise federated authentication, conditional access policies, device compliance enforcement, multi-factor authentication, and Privileged Identity Management (PIM). PostgreSQL and API Server components authenticate privileged operations through Entra ID. 
Entra ID operates outside the Application X authorization boundary as a separately authorized identity service."},{"type":"policy","uuid":"1217c1aa-a952-4056-99f3-d3052e4d6504","links":[{"rel":"policy","href":"#b6b08069-de39-4dd2-9a7f-3437989054d2"}],"title":"Access Control and Identity Management Policy","status":{"state":"operational"},"description":"Kalvico organizational policy governing access control, account management, least privilege, separation of duties, remote access, and information sharing for Application X and all Kalvico information systems."},{"type":"policy","uuid":"9c3548b9-1ad5-4f3b-80e6-7cc6a6ce6b93","links":[{"rel":"policy","href":"#a7945a54-bd40-431c-951f-f8f7c6b9ef6c"}],"title":"Identification and Authentication Policy","status":{"state":"operational"},"description":"Kalvico organizational policy governing user identification, authenticator management, multi-factor authentication requirements, password policies, and credential lifecycle management."},{"type":"policy","uuid":"1b1743d8-203b-4247-8669-ab962bfa7048","links":[{"rel":"policy","href":"#5cbbf634-a99b-4dee-9429-6f01f0834226"}],"title":"Configuration Management Policy","status":{"state":"operational"},"description":"Kalvico organizational policy governing baseline configurations, change control, security impact analysis, least functionality, and software installation restrictions."},{"type":"policy","uuid":"1b93debf-3823-4ea1-a5bc-bb499d01d97a","links":[{"rel":"policy","href":"#f2c26cda-f359-4509-b6cc-aeb8340dca6b"}],"title":"System and Communications Protection Policy","status":{"state":"operational"},"description":"Kalvico organizational policy governing boundary protection, transmission confidentiality and integrity, cryptographic standards, and network segmentation requirements."},{"type":"policy","uuid":"48380626-0e4e-4d1f-8221-99fdfc51978a","links":[{"rel":"policy","href":"#90439a75-36fb-47f7-aa53-ac789adec8f4"}],"title":"System and Information Integrity 
Policy","status":{"state":"operational"},"description":"Kalvico organizational policy governing malicious code protection, system monitoring, security alerts, spam protection, and information handling procedures."},{"type":"policy","uuid":"53c943a1-44a8-4386-a3fc-b81eadcd3478","links":[{"rel":"policy","href":"#67ad4cae-298a-42c5-bde3-b6e9edfbda95"}],"title":"Audit and Accountability Policy","status":{"state":"operational"},"description":"Kalvico organizational policy governing audit event generation, log storage capacity, audit record retention, and audit review procedures."},{"type":"policy","uuid":"f733ecd4-f9a4-4918-bc1f-43750c2c4eb5","links":[{"rel":"policy","href":"#6b78455a-c9ec-4cf4-8ec6-45f68cbde434"}],"title":"Awareness and Training Policy","status":{"state":"operational"},"description":"Kalvico organizational policy governing security awareness training, role-based training requirements, and training records management."},{"type":"network","uuid":"fced7afd-c2bd-4adb-a1a0-66dd84ce073d","props":[{"name":"implementation-point","value":"internal"},{"name":"virtual","value":"yes"}],"title":"Internet Gateway","status":{"state":"under-development"},"description":"AWS Internet Gateway attached to the VPC providing outbound-only internet connectivity via NAT Gateways. The Internet Gateway enables Lambda functions in private subnets to reach external identity providers (Auth0 and Entra ID) for authentication operations. No inbound internet traffic reaches the VPC through the Internet Gateway; all inbound user traffic is handled by CloudFront and API Gateway outside the VPC."},{"type":"software","uuid":"7509b22f-bf43-4e4d-b38d-64375fcb7ee7","props":[{"name":"implementation-point","value":"internal"},{"name":"virtual","value":"yes"}],"title":"Front-end Code (HTML/JavaScript/React)","status":{"state":"under-development"},"description":"Single-page application (SPA) built with HTML, JavaScript, and React, served as static files from the S3 bucket through CloudFront. 
The front-end code executes in the user's browser and communicates with the API Server (Lambda functions) through API Gateway using RESTful API calls over TLS 1.3. Authentication flows are initiated from the front-end via Auth0's Universal Login, which returns JWT tokens used for subsequent API authorization."}],"inventory-items":[{"uuid":"de69497d-b3c6-44b6-9da1-0bdd5003bc1d","props":[{"name":"asset-type","value":"web-server"},{"name":"virtual","value":"yes"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"scan-type","value":"web"}],"description":"Amazon CloudFront distribution serving Application X web content and API proxy.","implemented-components":[{"component-uuid":"d6adfd46-e666-480a-b74a-14a411b7e173"}]},{"uuid":"c6796a55-1238-4658-81ec-06ea3fadd8e0","props":[{"name":"asset-type","value":"firewall"},{"name":"virtual","value":"yes"}],"description":"AWS WAF WebACL attached to CloudFront distribution.","implemented-components":[{"component-uuid":"58de1ebb-e60c-47b4-8306-ce189c83357b"}]},{"uuid":"2bdc0719-004e-4114-9586-69b7082e2f4b","props":[{"name":"asset-type","value":"web-server"},{"name":"virtual","value":"yes"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"scan-type","value":"web"}],"description":"Amazon API Gateway REST API for Application X.","implemented-components":[{"component-uuid":"90e71a35-c0ac-40ef-b097-fec56c2da9f7"}]},{"uuid":"6235163b-a978-49af-9a62-73ca76010aea","props":[{"name":"asset-type","value":"network"},{"name":"virtual","value":"yes"}],"description":"Application X VPC spanning two Availability Zones.","implemented-components":[{"component-uuid":"4ab08036-da91-4c78-9fbe-1baefd6b1c34"}]},{"uuid":"460a0c36-9303-4867-a589-8ff2cd051f77","props":[{"name":"asset-type","value":"compute"},{"name":"virtual","value":"yes"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"scan-type","value":"infrastructure"}],"description":"Lambda Python API functions 
(AZ-1).","implemented-components":[{"component-uuid":"22feb8d0-6f7b-4da2-92c4-57cc270cfe8e"}]},{"uuid":"46aeb798-e310-4aaf-95a4-f313e7b3228a","props":[{"name":"asset-type","value":"compute"},{"name":"virtual","value":"yes"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"scan-type","value":"infrastructure"}],"description":"Lambda Python API functions (AZ-2).","implemented-components":[{"component-uuid":"22feb8d0-6f7b-4da2-92c4-57cc270cfe8e"}]},{"uuid":"41d6fd45-040a-4516-9f06-0ddb0db52b99","props":[{"name":"asset-type","value":"database"},{"name":"virtual","value":"yes"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"scan-type","value":"database"}],"description":"Amazon RDS PostgreSQL primary instance (AZ-1).","implemented-components":[{"component-uuid":"5771abec-d2c1-43dc-b85e-4a901b6ed614"}]},{"uuid":"0086ad1c-41fb-40d9-8e44-9d12facfc1cf","props":[{"name":"asset-type","value":"database"},{"name":"virtual","value":"yes"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"scan-type","value":"database"}],"description":"Amazon RDS PostgreSQL replica instance (AZ-2).","implemented-components":[{"component-uuid":"5771abec-d2c1-43dc-b85e-4a901b6ed614"}]},{"uuid":"83411a3e-e955-4e60-b848-c2a248810b5a","props":[{"name":"asset-type","value":"storage"},{"name":"virtual","value":"yes"}],"description":"S3 bucket for static web content.","implemented-components":[{"component-uuid":"948caa65-2291-46e2-be7f-cb2fffd09c73"}]},{"uuid":"1a0f74eb-1fd9-4257-9ca6-8de272fa25a4","props":[{"name":"asset-type","value":"service"},{"name":"virtual","value":"yes"}],"description":"Auth0 tenant for Application X CIAM.","implemented-components":[{"component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e"}]},{"uuid":"9699cf37-0f1d-4863-bb08-8c7df2c27ae3","props":[{"name":"asset-type","value":"network"},{"name":"virtual","value":"yes"}],"description":"VPC Internet Gateway for outbound NAT 
connectivity.","implemented-components":[{"component-uuid":"fced7afd-c2bd-4adb-a1a0-66dd84ce073d"}]},{"uuid":"6ab3dcf5-6212-4b2b-bd01-a249e2fb86a7","props":[{"name":"asset-type","value":"software"},{"name":"virtual","value":"yes"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"scan-type","value":"web"}],"description":"Front-end React SPA application code deployed to S3.","implemented-components":[{"component-uuid":"7509b22f-bf43-4e4d-b38d-64375fcb7ee7"}]},{"uuid":"791778c1-234b-4e30-8490-07ad2e6fec92","props":[{"ns":"http://comply0.com/ns/oscal","name":"machine-context","value":"{\"TenantId\":\"d932f00c-7213-49f2-b10d-73bf7d4619\"}"},{"ns":"http://csrc.nist.gov/ns/oscal","name":"allows-authenticated-scan","value":"yes"}],"description":"Configured M365 Instance"}],"leveraged-authorizations":[{"uuid":"043d01da-6a44-40d0-b360-7a3172c071e1","title":"Amazon Web Services (AWS)","remarks":"Application X leverages the AWS FedRAMP-authorized cloud infrastructure. AWS maintains FedRAMP High authorization for IaaS/PaaS services. Physical security, hypervisor security, and foundational cloud service controls are inherited from the AWS authorization.","party-uuid":"1932cfaf-fed6-4c90-804a-d99ae37f627d","date-authorized":"2024-01-01"},{"uuid":"52cbfa3a-7030-480a-845f-c2f00196c2d0","title":"Auth0 (External Customer Identity and Access Management)","remarks":"Auth0 is leveraged as the External Customer Identity and Access Management (CIAM) service for Application X. Auth0 provides user authentication, multi-factor authentication, anomaly detection, and OAuth 2.0/OIDC token issuance for external (non-privileged) user access. 
Auth0 operates outside the Application X authorization boundary as a separately authorized cloud identity service.","party-uuid":"284507a0-0d1d-4cdd-ba74-acef816fc705","date-authorized":"2024-06-01"},{"uuid":"fae8e1c0-9528-4e23-bb58-3ee0b5a2a41e","title":"Microsoft Entra ID (Privileged Identity and Access Management)","remarks":"Microsoft Entra ID is leveraged as the identity provider for privileged access to Application X. Entra ID provides federated enterprise authentication, conditional access policies, device compliance enforcement, and multi-factor authentication for Kalvico administrative and privileged users. Entra ID operates outside the Application X authorization boundary as a separately authorized cloud identity service.","party-uuid":"93767fce-178a-4b48-b051-4f448d5fcea2","date-authorized":"2024-01-01"}]},"control-implementation":{"description":"This section describes how Application X implements the 42 NIST SP 800-53 Rev 5 controls identified in the CISA SCuBA Assessment Plan, addressing 128 individual policy checks. Each control implementation maps to specific components within the Application X authorization boundary (the AWS Account and all contained resources) as well as controls inherited from two leveraged external systems: Auth0 (CIAM for non-privileged user authentication) and Microsoft Entra ID (privileged identity and access management). 
Implementation narratives describe the technical and procedural measures satisfying each control requirement.","implemented-requirements":[{"uuid":"fbbe1107-cd9b-4945-aaf0-13e6ed11ca87","control-id":"ac-17","by-components":[{"uuid":"3a846743-40f0-4e89-9261-16dd5ff8c576","description":"The Kalvico Access Control Policy establishes the organizational requirements and procedures that govern the implementation of AC-17.","component-uuid":"1217c1aa-a952-4056-99f3-d3052e4d6504","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"6c1bdf2d-24bf-486a-8c25-c2767654b5ea","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.TEAMS.1.1v1: External meeting participants SHOULD NOT be enabled to request control of shared desktops or windows.","description":"Remote access to Application X is provided exclusively through HTTPS via Amazon CloudFront and API Gateway. AWS WAF enforces geographic and IP-based access restrictions. All remote sessions are encrypted using TLS 1.2 or higher. 
Administrative remote access to AWS services requires IAM authentication with MFA through the AWS Management Console or CLI.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"d9024b15-714f-4c53-bf9f-12f2df3b31fb","description":"Amazon CloudFront contributes to the implementation of AC-17 as described in the system-level implementation narrative.","component-uuid":"d6adfd46-e666-480a-b74a-14a411b7e173","implementation-status":{"state":"planned"}},{"uuid":"e503a94e-c18d-41ac-a153-1b405cfcf167","description":"AWS WAF (Web Application Firewall) contributes to the implementation of AC-17 as described in the system-level implementation narrative.","component-uuid":"58de1ebb-e60c-47b4-8306-ce189c83357b","implementation-status":{"state":"planned"}},{"uuid":"e8c5f4db-fabc-45c7-9610-ac1ef9e6fad4","description":"Amazon API Gateway contributes to the implementation of AC-17 as described in the system-level implementation narrative.","component-uuid":"90e71a35-c0ac-40ef-b097-fec56c2da9f7","implementation-status":{"state":"planned"}}]},{"uuid":"e976823c-f6de-4ac1-9118-3942ece757cf","control-id":"ac-19","by-components":[{"uuid":"115ebb16-0b9b-47f3-8c30-43efdba22992","description":"The Kalvico Access Control Policy establishes the organizational requirements and procedures that govern the implementation of AC-19.","component-uuid":"1217c1aa-a952-4056-99f3-d3052e4d6504","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"a1ffaef4-6b77-496d-8d13-d860654c6898","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.DEFENDER.4.6v1: The custom policy SHOULD include an action to block access to sensitive","description":"Access control for mobile devices is enforced through Auth0 
(leveraged CIAM service) adaptive authentication policies that evaluate device posture and risk signals. AWS WAF rules can restrict access based on device characteristics. Auth0 Guardian provides multi-factor authentication support for mobile devices accessing Application X.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"f889ac57-2b3f-4268-8b6e-c2b8d3b14996","description":"AWS WAF (Web Application Firewall) contributes to the implementation of AC-19 as described in the system-level implementation narrative.","component-uuid":"58de1ebb-e60c-47b4-8306-ce189c83357b","implementation-status":{"state":"planned"}},{"uuid":"43895abb-7582-440c-8563-45be89176268","description":"Auth0 - External Customer Identity and Access Management (CIAM) Service (leveraged external CIAM service) contributes to the implementation of AC-19 as described in the system-level implementation narrative.","component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","implementation-status":{"state":"planned"}}]},{"uuid":"1e35d3fd-593f-48ac-a976-86dc687d2c4b","control-id":"ac-2","by-components":[{"uuid":"f52032a8-fd6d-4956-a30f-95ac10b292ce","description":"The Kalvico Access Control Policy establishes the organizational requirements and procedures that govern the implementation of AC-2.","component-uuid":"1217c1aa-a952-4056-99f3-d3052e4d6504","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"d31b3984-0865-4000-a8ae-14aa1edf7ea4","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.AAD.7.4v1: Permanent active role assignments SHALL NOT be allowed for highly privileged roles.\n\nMS.AAD.7.5v1: Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system.\n\nMS.EXO.2.2v2: An 
SPF policy SHALL be published for each domain that fails all non-approved senders.\n\nMS.SHAREPOINT.1.1v1: External sharing for SharePoint SHALL be limited to Existing guests or Only people in your organization.\n\nMS.SHAREPOINT.1.2v1: External sharing for OneDrive SHALL be limited to Existing guests or Only people in your organization.","description":"Application X manages user accounts through Auth0, which serves as the External Customer Identity and Access Management (CIAM) service. Account provisioning, modification, disabling, and removal follow the Kalvico Access Control Policy. Auth0 integrates with Microsoft Entra ID (leveraged boundary) for enterprise federated authentication. Account types include privileged administrator accounts, standard user accounts, and service accounts for Lambda functions. All account actions are logged via CloudTrail and CloudWatch.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"79fd1db0-77d8-4206-b8ab-0ad464338a2e","description":"Auth0 - External Customer Identity and Access Management (CIAM) Service (leveraged external CIAM service) contributes to the implementation of AC-2 as described in the system-level implementation narrative.","component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","implementation-status":{"state":"planned"}},{"uuid":"550b3218-a160-4770-8ee6-6f8a6947c671","description":"Microsoft Entra ID (Leveraged Boundary) (leveraged privileged access service) contributes to the implementation of AC-2 as described in the system-level implementation narrative.","component-uuid":"58e65041-0d92-40e3-9684-3bf14c4380fa","implementation-status":{"state":"planned"}}]},{"uuid":"851deab8-05fb-42bb-ba71-730fb1574c42","control-id":"ac-2.1","by-components":[{"uuid":"56c93f7b-6934-4bc4-8bcf-589ca59f7358","description":"The Kalvico Access Control Policy establishes the 
organizational requirements and procedures that govern the implementation of AC-2.1.","component-uuid":"1217c1aa-a952-4056-99f3-d3052e4d6504","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"531e4989-3eff-4eaf-b9e9-c3b8f2613225","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.AAD.7.7v1: Eligible and Active highly privileged role assignments SHALL trigger an alert.","description":"Automated account management is implemented through Auth0 (leveraged CIAM service) rules and Lambda functions that enforce account lifecycle policies. Automated workflows handle account provisioning based on organizational role assignments, periodic access reviews, and automatic disabling of inactive accounts after the defined inactivity period.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"35f9f43f-8605-4a67-9af8-2b48fc39f76e","description":"Auth0 - External Customer Identity and Access Management (CIAM) Service (leveraged external CIAM service) contributes to the implementation of AC-2.1 as described in the system-level implementation narrative.","component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","implementation-status":{"state":"planned"}},{"uuid":"ed2266b4-8859-4399-9743-227e97d11d5e","description":"AWS Lambda (Python API Functions) contributes to the implementation of AC-2.1 as described in the system-level implementation narrative.","component-uuid":"22feb8d0-6f7b-4da2-92c4-57cc270cfe8e","implementation-status":{"state":"planned"}}]},{"uuid":"e654bc55-1491-4293-9088-8fdd3c36a59a","control-id":"ac-2.12","by-components":[{"uuid":"0ca5e922-c2bb-43b5-8bad-2bbbfa846a8d","description":"The Kalvico Access Control Policy establishes the organizational requirements and 
procedures that govern the implementation of AC-2.12.","component-uuid":"1217c1aa-a952-4056-99f3-d3052e4d6504","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"4d2e635f-657f-4c2e-bc82-e73b53d51d3a","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.AAD.2.1v1: Users detected as high risk SHALL be blocked.\n\nMS.AAD.2.2v1: A notification SHOULD be sent to the administrator when high-risk users are detected.\n\nMS.AAD.2.3v1: Sign-ins detected as high risk SHALL be blocked.","description":"Application X monitors accounts for atypical usage through Auth0 (leveraged CIAM service) anomaly detection capabilities. Auth0 Brute Force Protection and Breached Password Detection identify high-risk user behavior. CloudWatch alarms trigger notifications when unusual authentication patterns are detected, including impossible travel, credential stuffing attempts, and repeated failed login attempts from new locations.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"bbfcd45c-4346-4f1b-bcf0-ea737b6fbbe5","description":"Auth0 - External Customer Identity and Access Management (CIAM) Service (leveraged external CIAM service) contributes to the implementation of AC-2.12 as described in the system-level implementation narrative.","component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","implementation-status":{"state":"planned"}},{"uuid":"ee29edf6-22a9-4df0-9467-43f0f3ca66f0","description":"Amazon CloudWatch contributes to the implementation of AC-2.12 as described in the system-level implementation 
narrative.","component-uuid":"7bf653d6-95ae-41df-8a9e-ef5f99126ba6","implementation-status":{"state":"planned"}}]},{"uuid":"73f4560e-de46-42b1-b8b8-9731153c0319","control-id":"ac-2.13","by-components":[{"uuid":"58883380-b51e-4014-b51a-cd892ab90a46","description":"The Kalvico Access Control Policy establishes the organizational requirements and procedures that govern the implementation of AC-2.13.","component-uuid":"1217c1aa-a952-4056-99f3-d3052e4d6504","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"574e5fea-a3cb-4587-a133-85f2e1f134a9","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.AAD.2.1v1: Users detected as high risk SHALL be blocked.\n\nMS.AAD.2.3v1: Sign-ins detected as high risk SHALL be blocked.","description":"Accounts of users posing a significant risk are disabled within the Auth0 platform. Auth0 anomaly detection combined with custom Lambda functions automatically block users detected as high risk. 
Risk signals include compromised credentials, anomalous login geography, and threat intelligence feeds integrated through Auth0 (leveraged CIAM service) Actions.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"18a1c834-73cf-42b9-9b74-b9c19401394e","description":"Auth0 - External Customer Identity and Access Management (CIAM) Service (leveraged external CIAM service) contributes to the implementation of AC-2.13 as described in the system-level implementation narrative.","component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","implementation-status":{"state":"planned"}},{"uuid":"36253e0a-0161-4ea6-aa3d-2d06010fd38e","description":"AWS Lambda (Python API Functions) contributes to the implementation of AC-2.13 as described in the system-level implementation narrative.","component-uuid":"22feb8d0-6f7b-4da2-92c4-57cc270cfe8e","implementation-status":{"state":"planned"}}]},{"uuid":"04e93fac-bbcc-45d4-9318-0c4e2dcb03ff","control-id":"ac-20","by-components":[{"uuid":"ccde7c9d-e722-4ab1-8bd3-5da113901e43","description":"The Kalvico Access Control Policy establishes the organizational requirements and procedures that govern the implementation of AC-20.","component-uuid":"1217c1aa-a952-4056-99f3-d3052e4d6504","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"a893272f-c1a1-4629-af6a-de28378647c2","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.AAD.3.7v1: Managed devices SHOULD be required for authentication.\n\nMS.AAD.3.8v1: Managed Devices SHOULD be required to register MFA.","description":"Use of external systems is controlled through Auth0 federation with Microsoft Entra ID (leveraged boundary). 
External device authentication requires compliance with Kalvico device trust policies enforced through Entra ID conditional access. Application X does not permit access from unmanaged external devices without completing additional authentication challenges.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"b1d4571f-bc69-4dee-ae03-d7df76b86f79","description":"Microsoft Entra ID (Leveraged Boundary) (leveraged privileged access service) contributes to the implementation of AC-20 as described in the system-level implementation narrative.","component-uuid":"58e65041-0d92-40e3-9684-3bf14c4380fa","implementation-status":{"state":"planned"}},{"uuid":"c8cd46a8-b0a2-4963-9707-bf879a78048c","description":"Auth0 - External Customer Identity and Access Management (CIAM) Service (leveraged external CIAM service) contributes to the implementation of AC-20 as described in the system-level implementation narrative.","component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","implementation-status":{"state":"planned"}}]},{"uuid":"8017e1f9-d343-4b2c-bbaf-60e1d4d68758","control-id":"ac-21","by-components":[{"uuid":"df278613-6609-48d2-a929-210763bfaba4","description":"The Kalvico Access Control Policy establishes the organizational requirements and procedures that govern the implementation of AC-21.","component-uuid":"1217c1aa-a952-4056-99f3-d3052e4d6504","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"0ea674ac-e659-4dfd-9d3a-be960151a0fe","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.POWERBI.7.1v1: Sensitivity labels SHOULD be enabled for Power BI and employed for sensitive data per enterprise data protection policies.\n\nMS.SHAREPOINT.3.1v1: Expiration days for Anyone links 
SHALL be set to 30 days or less.\n\nMS.TEAMS.1.7v2: Record an event SHOULD NOT be set to Always record.","description":"Information sharing is controlled through API Gateway authorization policies and Lambda function business logic that enforces sharing rules. Application X implements role-based sharing controls that restrict data visibility based on user roles and organizational membership defined in Auth0.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"7ef11c82-d45e-4c9b-8ca6-fa40c8501f19","description":"Amazon API Gateway contributes to the implementation of AC-21 as described in the system-level implementation narrative.","component-uuid":"90e71a35-c0ac-40ef-b097-fec56c2da9f7","implementation-status":{"state":"planned"}},{"uuid":"7d6ede04-55ce-46fc-8326-999b6fc87d92","description":"AWS Lambda (Python API Functions) contributes to the implementation of AC-21 as described in the system-level implementation narrative.","component-uuid":"22feb8d0-6f7b-4da2-92c4-57cc270cfe8e","implementation-status":{"state":"planned"}}]},{"uuid":"766d411e-9933-4e4a-9d2b-46508ca929ea","control-id":"ac-3","by-components":[{"uuid":"34975532-f336-4ad1-8f45-11eb2c820db7","description":"The Kalvico Access Control Policy establishes the organizational requirements and procedures that govern the implementation of AC-3.","component-uuid":"1217c1aa-a952-4056-99f3-d3052e4d6504","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"e819aa19-c97e-462a-b171-63291c5a5ada","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.DEFENDER.4.3v1: The action for the custom policy SHOULD be set to block sharing sensitive information with everyone.\n\nMS.EXO.6.1v1: Contact folders SHALL NOT be shared 
with all domains.\n\nMS.EXO.6.2v1: Calendar details SHALL NOT be shared with all domains.\n\nMS.POWERPLATFORM.3.1v1: Power Platform tenant isolation SHALL be enabled.\n\nMS.POWERPLATFORM.3.2v1: An inbound/outbound connection allowlist SHOULD be configured.\n\nMS.SHAREPOINT.1.1v1: External sharing for SharePoint SHALL be limited to Existing guests or Only people in your organization.\n\nMS.SHAREPOINT.1.2v1: External sharing for OneDrive SHALL be limited to Existing guests or Only people in your organization.\n\nMS.SHAREPOINT.1.3v1: External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs.\n\nMS.SHAREPOINT.3.1v1: Expiration days for Anyone links SHALL be set to 30 days or less.\n\nMS.TEAMS.1.4v1: Internal users SHOULD be admitted automatically.\n\nMS.TEAMS.2.1v2: External access for users SHALL only be enabled on a per-domain basis.","description":"Access enforcement is implemented at multiple layers. Amazon API Gateway enforces authentication and authorization on all API requests. Lambda authorizers validate JWT tokens issued by Auth0. Security Groups enforce network-level access control between application and database tiers. IAM policies restrict AWS service access to least-privilege principles. 
RDS Proxy manages database connection pooling with IAM authentication.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"644f6598-3083-4064-a40d-16026c8cca2b","description":"Amazon API Gateway contributes to the implementation of AC-3 as described in the system-level implementation narrative.","component-uuid":"90e71a35-c0ac-40ef-b097-fec56c2da9f7","implementation-status":{"state":"planned"}},{"uuid":"76b1ea5b-95fe-4e3d-9704-71857241fac2","description":"AWS Lambda (Python API Functions) contributes to the implementation of AC-3 as described in the system-level implementation narrative.","component-uuid":"22feb8d0-6f7b-4da2-92c4-57cc270cfe8e","implementation-status":{"state":"planned"}},{"uuid":"6f0789db-9ae9-408a-b0c0-c1a775ecfdb5","description":"VPC Security Groups contributes to the implementation of AC-3 as described in the system-level implementation narrative.","component-uuid":"eea7b306-e9e5-4faf-9b5b-e79bcd5c0a3b","implementation-status":{"state":"planned"}}]},{"uuid":"5ea2c651-68c4-4956-bae2-91df690ebc3c","control-id":"ac-4","by-components":[{"uuid":"4f17bbbc-bd18-46b5-a2de-bf1faa4d75ee","description":"The Kalvico Access Control Policy establishes the organizational requirements and procedures that govern the implementation of AC-4.","component-uuid":"1217c1aa-a952-4056-99f3-d3052e4d6504","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"cb39d24e-ebe4-4af1-91e0-aa07676f198d","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.EXO.1.1v2: Automatic forwarding to external domains SHALL be disabled.\n\nMS.EXO.12.1v1: IP allow lists SHOULD NOT be created.\n\nMS.EXO.12.2v1: Safe lists SHOULD NOT be enabled.\n\nMS.POWERBI.4.1v1: Service principals with access 
to APIs SHOULD be restricted to specific security groups.\n\nMS.POWERBI.4.2v1: Service principals creating and using profiles SHOULD be restricted to specific security groups.\n\nMS.TEAMS.4.1v1: Teams email integration SHALL be disabled.","description":"Information flow enforcement is implemented through VPC network segmentation, Security Groups, NACLs, and AWS WAF rules. The VPC is segmented into public subnets (NAT Gateways only), APP private subnets (Lambda functions), and DB private subnets (RDS instances). Lambda functions in private subnets route outbound traffic through NAT Gateways. Egress is restricted to approved destinations and monitored via VPC Flow Logs. AWS WAF applies content filtering rules at the CloudFront edge.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"8ff33371-b451-4178-b61b-c1c505165745","description":"Application X Virtual Private Cloud (VPC) contributes to the implementation of AC-4 as described in the system-level implementation narrative.","component-uuid":"4ab08036-da91-4c78-9fbe-1baefd6b1c34","implementation-status":{"state":"planned"}},{"uuid":"a48c9898-c907-4927-9197-109846233803","description":"VPC Security Groups contributes to the implementation of AC-4 as described in the system-level implementation narrative.","component-uuid":"eea7b306-e9e5-4faf-9b5b-e79bcd5c0a3b","implementation-status":{"state":"planned"}},{"uuid":"46a24469-7a5a-4a48-9d07-a6804077c667","description":"NAT Gateways contributes to the implementation of AC-4 as described in the system-level implementation narrative.","component-uuid":"472e300e-07c0-4714-b160-57c3291fdffb","implementation-status":{"state":"planned"}},{"uuid":"e515008b-5414-4208-a82b-6cbe299d3399","description":"AWS WAF (Web Application Firewall) contributes to the implementation of AC-4 as described in the system-level implementation 
narrative.","component-uuid":"58de1ebb-e60c-47b4-8306-ce189c83357b","implementation-status":{"state":"planned"}}]},{"uuid":"841f9722-0826-4912-8753-f869377506bf","control-id":"ac-5","by-components":[{"uuid":"1407a589-0af5-47c7-a321-bdd657d32033","description":"The Kalvico Access Control Policy establishes the organizational requirements and procedures that govern the implementation of AC-5.","component-uuid":"1217c1aa-a952-4056-99f3-d3052e4d6504","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"3d09e438-a653-4e78-88b2-51d14ae47804","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.AAD.7.2v1: Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator.","description":"Separation of duties is enforced through Auth0 (leveraged CIAM service) role-based access control (RBAC). Administrative roles are separated from standard user roles. Privileged access to AWS management console requires separate credentials from application-level access. 
No single individual can both approve and deploy changes to production infrastructure.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"dac2fa8d-321a-49c4-ab0b-501c4d8d4b5e","description":"Auth0 - External Customer Identity and Access Management (CIAM) Service (leveraged external CIAM service) contributes to the implementation of AC-5 as described in the system-level implementation narrative.","component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","implementation-status":{"state":"planned"}}]},{"uuid":"1595fec8-acf1-49a3-a236-1f88e95fc05a","control-id":"ac-6","by-components":[{"uuid":"29919159-5328-48d4-89e5-792fefd61424","description":"The Kalvico Access Control Policy establishes the organizational requirements and procedures that govern the implementation of AC-6.","component-uuid":"1217c1aa-a952-4056-99f3-d3052e4d6504","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"35958b00-3ad7-477e-b282-b4a4ce70c43d","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.POWERBI.2.1v1: Guest user access to the Power BI tenant SHOULD be disabled unless the agency mission requires the capability.\n\nMS.POWERBI.3.1v1: The Invite external users to your organization feature SHOULD be disabled unless agency mission requires the capability.\n\nMS.SHAREPOINT.2.1v1: File and folder default sharing scope SHALL be set to Specific people (only the people the user specifies).\n\nMS.SHAREPOINT.2.2v1: File and folder default sharing permissions SHALL be set to View.\n\nMS.SHAREPOINT.3.2v1: The allowable file and folder permissions for links SHALL be set to View only.","description":"Least privilege is enforced across all system layers. 
Auth0 assigns minimum necessary permissions through scoped OAuth 2.0 tokens. Lambda function execution roles use narrowly scoped IAM policies granting only required service permissions. RDS access is restricted to specific Lambda functions via RDS Proxy with IAM authentication. S3 bucket policies restrict access to CloudFront Origin Access Control only.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"ec36e227-eae6-469b-852c-cd7cb96afa65","description":"Auth0 - External Customer Identity and Access Management (CIAM) Service (leveraged external CIAM service) contributes to the implementation of AC-6 as described in the system-level implementation narrative.","component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","implementation-status":{"state":"planned"}},{"uuid":"171c1242-e59e-4b64-af5e-59607281d053","description":"AWS Lambda (Python API Functions) contributes to the implementation of AC-6 as described in the system-level implementation narrative.","component-uuid":"22feb8d0-6f7b-4da2-92c4-57cc270cfe8e","implementation-status":{"state":"planned"}}]},{"uuid":"c39ce425-07c0-433d-bf2c-967605b8457d","control-id":"ac-6.1","by-components":[{"uuid":"b2d3f373-bb0d-41ed-8b96-67beb4097be0","description":"The Kalvico Access Control Policy establishes the organizational requirements and procedures that govern the implementation of AC-6.1.","component-uuid":"1217c1aa-a952-4056-99f3-d3052e4d6504","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"a7dfc62b-4bff-4346-972a-cdf8070c2ff9","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.AAD.7.6v1: Activation of the Global Administrator role SHALL require approval.","description":"Application X explicitly authorizes access to 
privileged functions through Auth0 (leveraged CIAM service) Organizations and role assignments. Security functions including user management, system configuration, and audit log review require elevated roles that are explicitly granted by system administrators and reviewed quarterly.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"32ec2152-9168-4d7f-8273-c64e0f3128a1","description":"Auth0 - External Customer Identity and Access Management (CIAM) Service (leveraged external CIAM service) contributes to the implementation of AC-6.1 as described in the system-level implementation narrative.","component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","implementation-status":{"state":"planned"}}]},{"uuid":"9b86f41b-d491-4a3b-8a6f-cb50eb8dbfdd","control-id":"ac-6.10","by-components":[{"uuid":"fbbf53d6-f8aa-4bfc-82c5-7c33b60cb625","description":"The Kalvico Access Control Policy establishes the organizational requirements and procedures that govern the implementation of AC-6.10.","component-uuid":"1217c1aa-a952-4056-99f3-d3052e4d6504","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"e172d177-787e-4a78-80c7-bf81735d89cd","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.AAD.5.1v1: Only administrators SHALL be allowed to register applications.\n\nMS.AAD.5.2v1: Only administrators SHALL be allowed to consent to applications.\n\nMS.POWERPLATFORM.1.1v1: The ability to create production and sandbox environments SHALL be restricted to admins.\n\nMS.POWERPLATFORM.1.2v1: The ability to create trial environments SHALL be restricted to admins.\n\nMS.SHAREPOINT.1.3v1: External sharing SHALL be restricted to approved external domains and/or users in approved security groups per 
interagency collaboration needs.","description":"Non-privileged accounts are prohibited from executing privileged functions. Auth0 RBAC enforces role separation at the application layer. AWS IAM policies prevent non-administrative roles from accessing management functions. Lambda function execution roles are scoped to specific services and cannot modify infrastructure.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"cf378753-3a6f-437f-821d-fbd18770c844","description":"Auth0 - External Customer Identity and Access Management (CIAM) Service (leveraged external CIAM service) contributes to the implementation of AC-6.10 as described in the system-level implementation narrative.","component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","implementation-status":{"state":"planned"}}]},{"uuid":"63309bbd-6859-496c-a7bb-0ba4554879eb","control-id":"ac-6.5","by-components":[{"uuid":"9fa45594-da49-4ca1-970c-6a971156f8b5","description":"The Kalvico Access Control Policy establishes the organizational requirements and procedures that govern the implementation of AC-6.5.","component-uuid":"1217c1aa-a952-4056-99f3-d3052e4d6504","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"c546338d-17bf-4dfc-90bb-8ab9e1097cc5","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.AAD.7.1v1: A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role.\n\nMS.AAD.7.3v1: Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers.\n\nMS.POWERBI.4.1v1: Service principals with access to APIs SHOULD be restricted to specific security groups.\n\nMS.POWERBI.4.2v1: Service 
principals creating and using profiles SHOULD be restricted to specific security groups.","description":"Privileged accounts are restricted to authorized personnel only. Auth0 tenant administration is limited to designated Kalvico security and operations staff. AWS account access uses IAM Identity Center with MFA enforcement. Privileged access reviews are conducted quarterly and access is revoked within 24 hours of role changes.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"144d71df-c8ca-48a8-82a9-bc0abe3c229a","description":"Auth0 - External Customer Identity and Access Management (CIAM) Service (leveraged external CIAM service) contributes to the implementation of AC-6.5 as described in the system-level implementation narrative.","component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","implementation-status":{"state":"planned"}}]},{"uuid":"7bde608f-1f58-45a7-900e-fe102bee00f4","control-id":"ac-6.9","by-components":[{"uuid":"d3ab7bc9-9891-4e05-896c-b4401406da18","description":"The Kalvico Access Control Policy establishes the organizational requirements and procedures that govern the implementation of AC-6.9.","component-uuid":"1217c1aa-a952-4056-99f3-d3052e4d6504","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"bc2f5db4-d439-43f6-b5df-91dd31820ed0","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.AAD.7.8v1: User activation of the Global Administrator role SHALL trigger an alert.\n\nMS.AAD.7.9v1: User activation of other highly privileged roles SHOULD trigger an alert.","description":"All privileged function executions are logged through AWS CloudTrail and Auth0 tenant logs. 
CloudTrail captures all AWS API calls including management console sign-in events. Auth0 logs capture all administrative actions including user management, rule changes, and configuration modifications. Logs are forwarded to CloudWatch for centralized monitoring and alerting.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"afc40732-a67e-40c3-9b8c-d8ebc5315c20","description":"AWS CloudTrail contributes to the implementation of AC-6.9 as described in the system-level implementation narrative.","component-uuid":"b278e3d3-7a87-4d27-9dcb-d2394931262f","implementation-status":{"state":"planned"}},{"uuid":"33de63bd-22ea-4ede-a66c-39fbad3b6761","description":"Amazon CloudWatch contributes to the implementation of AC-6.9 as described in the system-level implementation narrative.","component-uuid":"7bf653d6-95ae-41df-8a9e-ef5f99126ba6","implementation-status":{"state":"planned"}}]},{"uuid":"81f49857-6190-4aaf-8714-14e77ad20253","control-id":"at-2","by-components":[{"uuid":"28e49aa4-4e62-42f4-9830-5e7e8762e0ba","description":"The Kalvico Awareness and Training Policy establishes the organizational requirements and procedures that govern the implementation of AT-2.","component-uuid":"f733ecd4-f9a4-4918-bc1f-43750c2c4eb5","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"11ee39d0-656d-488b-9545-48e75937fe98","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.DEFENDER.4.4v1: Notifications to inform users and help educate them on the proper use of sensitive information SHOULD be enabled in the custom policy.\n\nMS.EXO.11.2v1: User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed.","description":"Kalvico provides security and privacy 
awareness training to all Application X users and administrators. Training covers phishing recognition, credential management, secure use of cloud applications, and incident reporting procedures. Training is delivered upon initial access provisioning and refreshed annually. Simulated phishing exercises are conducted quarterly.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}}]},{"uuid":"9f688c2c-edac-4164-8846-ee3d02dd0327","control-id":"au-11","by-components":[{"uuid":"444bc3dd-4b3f-4d46-81b2-1a689b8edbf0","description":"The Kalvico Audit and Accountability Policy establishes the organizational requirements and procedures that govern the implementation of AU-11.","component-uuid":"53c943a1-44a8-4386-a3fc-b81eadcd3478","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"4a45118d-6d19-4922-bd9c-c4f6f89ef422","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.DEFENDER.6.3v1: Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31.\n\nMS.EXO.17.3v1: Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31 (Appendix C).","description":"Audit records are retained in accordance with Kalvico records retention policy. CloudTrail logs are stored in S3 with a minimum 1-year retention with Glacier transition for long-term preservation. CloudWatch log groups retain logs for a minimum of 90 days in hot storage. 
Auth0 tenant logs are exported and archived following the same retention schedule.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"cf447915-17fb-40e2-b692-8b8aa352c033","description":"Amazon CloudWatch contributes to the implementation of AU-11 as described in the system-level implementation narrative.","component-uuid":"7bf653d6-95ae-41df-8a9e-ef5f99126ba6","implementation-status":{"state":"planned"}},{"uuid":"04677e82-6d74-4f17-9101-99ecc9f07480","description":"AWS CloudTrail contributes to the implementation of AU-11 as described in the system-level implementation narrative.","component-uuid":"b278e3d3-7a87-4d27-9dcb-d2394931262f","implementation-status":{"state":"planned"}},{"uuid":"57e60ca7-ef80-4723-88ea-dbd02d963526","description":"AWS S3 Bucket (Static Content) contributes to the implementation of AU-11 as described in the system-level implementation narrative.","component-uuid":"948caa65-2291-46e2-be7f-cb2fffd09c73","implementation-status":{"state":"planned"}}]},{"uuid":"20aa2ee5-c507-4084-89bc-e9cb40787298","control-id":"au-12","by-components":[{"uuid":"4038262d-3909-4d5b-97ed-35ab9bc5816f","description":"The Kalvico Audit and Accountability Policy establishes the organizational requirements and procedures that govern the implementation of AU-12.","component-uuid":"53c943a1-44a8-4386-a3fc-b81eadcd3478","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"78035ec6-3e6b-4f56-92f1-d4050bd788b7","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.DEFENDER.6.1v1: Unified Audit logging SHALL be enabled.\n\nMS.EXO.13.1v1: Mailbox auditing SHALL be enabled.\n\nMS.EXO.15.3v1: User click tracking SHOULD be enabled.\n\nMS.EXO.17.1v1: Unified Audit logging SHALL 
be enabled.\n\nMS.TEAMS.8.2v1: User click tracking SHOULD be enabled.","description":"Audit record generation is enabled across all Application X components. AWS CloudTrail records all API activity across the AWS account. VPC Flow Logs capture network traffic metadata for all ENIs. CloudWatch captures Lambda function execution logs and application-level events. Auth0 generates authentication, authorization, and administrative audit events. API Gateway access logs record all API request/response metadata.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"c29f7fdc-d435-429a-afd4-4694e68d4409","description":"AWS CloudTrail contributes to the implementation of AU-12 as described in the system-level implementation narrative.","component-uuid":"b278e3d3-7a87-4d27-9dcb-d2394931262f","implementation-status":{"state":"planned"}},{"uuid":"99ee7c7a-21dd-480c-be28-36ce3309d727","description":"Amazon CloudWatch contributes to the implementation of AU-12 as described in the system-level implementation narrative.","component-uuid":"7bf653d6-95ae-41df-8a9e-ef5f99126ba6","implementation-status":{"state":"planned"}},{"uuid":"e39ab63a-b976-4fd3-89a5-09979b98d4d5","description":"VPC Flow Logs contributes to the implementation of AU-12 as described in the system-level implementation narrative.","component-uuid":"6338f7d2-8a09-4d37-93ed-bb2034ee5a3a","implementation-status":{"state":"planned"}}]},{"uuid":"646676ef-b9a0-434c-812e-a75fcb1eebf9","control-id":"au-4","by-components":[{"uuid":"f00261a4-aa53-4f92-b451-b5d549cfce9b","description":"The Kalvico Audit and Accountability Policy establishes the organizational requirements and procedures that govern the implementation of 
AU-4.","component-uuid":"53c943a1-44a8-4386-a3fc-b81eadcd3478","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"827a9c1c-9d55-46a6-ab8c-7828bfcea8b5","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.AAD.4.1v1: Security logs SHALL be sent to the agency's security operations center for monitoring.","description":"Audit log storage capacity is managed through Amazon CloudWatch Logs with configurable retention periods and Amazon S3 for long-term archival. CloudTrail logs are delivered to a dedicated S3 bucket with lifecycle policies. CloudWatch log groups are configured with retention policies aligned to organizational requirements. S3 storage scales automatically to accommodate audit volume growth.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"16f39029-6157-41d3-8b1c-38926b27ad77","description":"Amazon CloudWatch contributes to the implementation of AU-4 as described in the system-level implementation narrative.","component-uuid":"7bf653d6-95ae-41df-8a9e-ef5f99126ba6","implementation-status":{"state":"planned"}},{"uuid":"c8798a5b-e5da-43ec-84c7-2020d922a312","description":"AWS CloudTrail contributes to the implementation of AU-4 as described in the system-level implementation narrative.","component-uuid":"b278e3d3-7a87-4d27-9dcb-d2394931262f","implementation-status":{"state":"planned"}},{"uuid":"36b36a45-c13e-417f-a088-d3f19b3e2c0d","description":"AWS S3 Bucket (Static Content) contributes to the implementation of AU-4 as described in the system-level implementation 
narrative.","component-uuid":"948caa65-2291-46e2-be7f-cb2fffd09c73","implementation-status":{"state":"planned"}}]},{"uuid":"39749bd6-274c-4f06-aa2a-edd18e15e7f2","control-id":"cm-11","by-components":[{"uuid":"2d08ef57-b6a5-4cd9-b9ea-e4131dbee20b","description":"The Kalvico Configuration Management Policy establishes the organizational requirements and procedures that govern the implementation of CM-11.","component-uuid":"1b1743d8-203b-4247-8669-ab962bfa7048","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"b4689353-65e5-4fe2-9047-930af08388d9","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.TEAMS.5.1v2: Agencies SHOULD only allow installation of Microsoft apps approved by the agency.\n\nMS.TEAMS.5.2v2: Agencies SHOULD only allow installation of third-party apps approved by the agency.\n\nMS.TEAMS.5.3v2: Agencies SHOULD only allow installation of custom apps approved by the agency.","description":"User-installed software is not applicable to Application X as it is a managed cloud service. Users interact through a web browser only. No client-side software installation is required or permitted. 
Administrative access to the AWS environment is controlled through IAM and does not allow arbitrary software installation on managed infrastructure.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"system-admin","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}}]},{"uuid":"d6b45d45-b992-45e0-bc6d-6527303f2245","control-id":"cm-4","by-components":[{"uuid":"36c79c43-051d-4cb3-8ef5-534060cc2603","description":"The Kalvico Configuration Management Policy establishes the organizational requirements and procedures that govern the implementation of CM-4.","component-uuid":"1b1743d8-203b-4247-8669-ab962bfa7048","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"c3d0b627-ee30-4503-ae13-1ff16ca3f9b5","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.AAD.5.3v1: An admin consent workflow SHALL be configured for applications.","description":"Security and privacy impact analysis is conducted for all changes to Application X prior to deployment. Changes to Lambda function code, API Gateway configurations, and infrastructure are tested in a staging environment. Automated security scanning is integrated into the CI/CD pipeline. 
Changes are reviewed and approved through a change advisory board process before production deployment.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"system-admin","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"b334c2a8-491d-451b-8830-3c01960a24f2","description":"AWS Lambda (Python API Functions) contributes to the implementation of CM-4 as described in the system-level implementation narrative.","component-uuid":"22feb8d0-6f7b-4da2-92c4-57cc270cfe8e","implementation-status":{"state":"planned"}}]},{"uuid":"0513b3ba-9923-4091-85d9-bbc38385edc6","control-id":"cm-5","by-components":[{"uuid":"5791153d-d3c9-43e2-bfcc-ec21ba23efab","description":"The Kalvico Configuration Management Policy establishes the organizational requirements and procedures that govern the implementation of CM-5.","component-uuid":"1b1743d8-203b-4247-8669-ab962bfa7048","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"3273a65b-881a-4d46-8122-f4bcb5d7767c","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.AAD.5.1v1: Only administrators SHALL be allowed to register applications.\n\nMS.AAD.5.2v1: Only administrators SHALL be allowed to consent to applications.","description":"Access restrictions for change are enforced through IAM policies that limit production deployment permissions to authorized DevOps personnel. Infrastructure changes are managed through Infrastructure as Code (IaC) with version control in a private Git repository. 
All production changes are logged in CloudTrail and require multi-person approval.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"system-admin","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"2a9f7211-7547-4aab-a8f6-c007e25a4426","description":"AWS CloudTrail contributes to the implementation of CM-5 as described in the system-level implementation narrative.","component-uuid":"b278e3d3-7a87-4d27-9dcb-d2394931262f","implementation-status":{"state":"planned"}}]},{"uuid":"4bc84120-aacc-4b91-acdc-c1f4e6670a55","control-id":"cm-6","by-components":[{"uuid":"b78d0215-5785-4ce8-a313-29344fad328f","description":"The Kalvico Configuration Management Policy establishes the organizational requirements and procedures that govern the implementation of CM-6.","component-uuid":"1b1743d8-203b-4247-8669-ab962bfa7048","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"6e5f2842-78a1-4621-8615-3dfb34c11e86","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.DEFENDER.1.1v1: The standard and strict preset security policies SHALL be enabled.\n\nMS.DEFENDER.1.2v1: All users SHALL be added to Exchange Online Protection (EOP) in either the standard or strict preset security policy.\n\nMS.DEFENDER.1.3v1: All users SHALL be added to Defender for Office 365 protection in either the standard or strict preset security policy.\n\nMS.DEFENDER.1.4v1: Sensitive accounts SHALL be added to Exchange Online Protection in the strict preset security policy.\n\nMS.DEFENDER.1.5v1: Sensitive accounts SHALL be added to Defender for Office 365 protection in the strict preset security policy.","description":"Configuration settings for Application X components follow Kalvico security hardening baselines. 
Lambda functions are deployed with minimal runtime permissions. Security Groups follow deny-all-except-explicitly-allowed rules. RDS instances enforce encrypted connections and are configured per CIS benchmarks. AWS Config rules continuously monitor configuration compliance and generate alerts for drift.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"system-admin","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"97a8a764-e6fc-4d19-9005-9a4e0a6ef89f","description":"AWS Lambda (Python API Functions) contributes to the implementation of CM-6 as described in the system-level implementation narrative.","component-uuid":"22feb8d0-6f7b-4da2-92c4-57cc270cfe8e","implementation-status":{"state":"planned"}},{"uuid":"4b63cdef-d20d-4f26-8e20-7d82dbe8ecb6","description":"VPC Security Groups contributes to the implementation of CM-6 as described in the system-level implementation narrative.","component-uuid":"eea7b306-e9e5-4faf-9b5b-e79bcd5c0a3b","implementation-status":{"state":"planned"}}]},{"uuid":"abeea3d3-87ae-43aa-9202-93b6fe036cf1","control-id":"cm-7","by-components":[{"uuid":"2a83d733-74d3-4ade-a17b-abc1533a4ecc","description":"The Kalvico Configuration Management Policy establishes the organizational requirements and procedures that govern the implementation of CM-7.","component-uuid":"1b1743d8-203b-4247-8669-ab962bfa7048","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"172b1711-0caa-4094-956a-83f4d8ff66a4","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.AAD.1.1v1: Legacy authentication SHALL be blocked.\n\nMS.AAD.3.4v1: The Authentication Methods Manage Migration feature SHALL be set to Migration Complete.\n\nMS.AAD.3.5v1: The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be 
disabled.\n\nMS.AAD.3.9v1: Device code authentication SHOULD be blocked.\n\nMS.EXO.5.1v1: SMTP AUTH SHALL be disabled.\n\nMS.POWERBI.1.1v1: The Publish to Web feature SHOULD be disabled unless the agency mission requires the capability.\n\nMS.POWERBI.2.1v1: Guest user access to the Power BI tenant SHOULD be disabled unless the agency mission requires the capability.\n\nMS.POWERBI.3.1v1: The Invite external users to your organization feature SHOULD be disabled unless agency mission requires the capability.\n\nMS.POWERBI.5.1v1: ResourceKey-based authentication SHOULD be blocked unless a specific use case (e.g., streaming and/or PUSH datasets) merits its use.\n\nMS.POWERBI.6.1v1: Python and R interactions SHOULD be disabled.\n\nMS.TEAMS.1.6v1: Meeting recording SHOULD be disabled.\n\nMS.TEAMS.2.2v2: Unmanaged users SHALL NOT be enabled to initiate contact with internal users.\n\nMS.TEAMS.2.3v2: Internal users SHOULD NOT be enabled to initiate contact with unmanaged users.","description":"Application X restricts system functionality to essential capabilities only. Lambda functions include only required dependencies. API Gateway routes expose only defined API endpoints. Security Groups restrict network ports to only those required for application functionality. Unnecessary AWS services are not enabled. 
Legacy authentication methods are blocked at the Auth0 tenant level.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"system-admin","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"9662a7cb-e9a4-4b6f-a022-1d3a51474a0c","description":"AWS Lambda (Python API Functions) contributes to the implementation of CM-7 as described in the system-level implementation narrative.","component-uuid":"22feb8d0-6f7b-4da2-92c4-57cc270cfe8e","implementation-status":{"state":"planned"}},{"uuid":"6e0b21a8-0c66-45d0-a385-0b421a49d405","description":"Amazon API Gateway contributes to the implementation of CM-7 as described in the system-level implementation narrative.","component-uuid":"90e71a35-c0ac-40ef-b097-fec56c2da9f7","implementation-status":{"state":"planned"}},{"uuid":"13cd84fa-90b8-4ca4-93db-f101143e1797","description":"VPC Security Groups contributes to the implementation of CM-7 as described in the system-level implementation narrative.","component-uuid":"eea7b306-e9e5-4faf-9b5b-e79bcd5c0a3b","implementation-status":{"state":"planned"}}]},{"uuid":"279e5b22-90f6-48ca-8d36-d242a3378c80","control-id":"ia-11","by-components":[{"uuid":"82d5212e-b1f6-45e4-8297-ee0dd1648eba","description":"The Kalvico Identification and Authentication Policy establishes the organizational requirements and procedures that govern the implementation of IA-11.","component-uuid":"9c3548b9-1ad5-4f3b-80e6-7cc6a6ce6b93","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"23bc2d38-181d-4246-808d-1f50b85cdd85","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.SHAREPOINT.3.3v1: Reauthentication days for people who use a verification code SHALL be set to 30 days or less.","description":"Re-authentication is enforced through Auth0 (leveraged CIAM service) session 
policies and API Gateway token validation. Auth0 access tokens have a maximum lifetime of 1 hour. Refresh tokens require re-authentication after the configured absolute session timeout. Privileged operations within the application require step-up re-authentication regardless of current session validity.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"3fe73e5f-af4f-4996-9667-379f42535390","description":"Auth0 - External Customer Identity and Access Management (CIAM) Service (leveraged external CIAM service) contributes to the implementation of IA-11 as described in the system-level implementation narrative.","component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","implementation-status":{"state":"planned"}},{"uuid":"ff4bbb31-ac32-4607-835d-8d88fe1500f3","description":"Amazon API Gateway contributes to the implementation of IA-11 as described in the system-level implementation narrative.","component-uuid":"90e71a35-c0ac-40ef-b097-fec56c2da9f7","implementation-status":{"state":"planned"}}]},{"uuid":"9615cce1-3d58-425c-8f78-d38aa1bb6455","control-id":"ia-2.1","by-components":[{"uuid":"b27792ba-1b6e-46fc-b8c1-a3411a55fd83","description":"The Kalvico Identification and Authentication Policy establishes the organizational requirements and procedures that govern the implementation of IA-2.1.","component-uuid":"9c3548b9-1ad5-4f3b-80e6-7cc6a6ce6b93","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"50d5f984-522a-4eeb-90ce-ed8565e5bca0","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.AAD.3.1v1: Phishing-resistant MFA SHALL be enforced for all users.\n\nMS.AAD.3.2v1: If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all 
users.\n\nMS.AAD.3.3v2: If Microsoft Authenticator is enabled, it SHALL be configured to show login context information.\n\nMS.AAD.3.6v1: Phishing-resistant MFA SHALL be required for highly privileged roles.","description":"Multi-factor authentication for privileged accounts is enforced through Auth0 MFA policies. All administrative accounts require MFA using FIDO2 security keys, authenticator apps, or Auth0 Guardian push notifications. AWS IAM privileged access requires MFA through IAM Identity Center. Microsoft Entra ID (leveraged privileged access service) enforces MFA for all federated enterprise users through conditional access policies.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"9cff49c4-04da-4952-8359-a417fa012bd4","description":"Auth0 - External Customer Identity and Access Management (CIAM) Service (leveraged external CIAM service) contributes to the implementation of IA-2.1 as described in the system-level implementation narrative.","component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","implementation-status":{"state":"planned"}},{"uuid":"7efb168c-9483-452e-a26c-6337b307a121","description":"Microsoft Entra ID (Leveraged Boundary) (leveraged privileged access service) contributes to the implementation of IA-2.1 as described in the system-level implementation narrative.","component-uuid":"58e65041-0d92-40e3-9684-3bf14c4380fa","implementation-status":{"state":"planned"}}]},{"uuid":"e9f2c7fa-aa6e-4aa7-ae41-822b36e406bf","control-id":"ia-2.13","by-components":[{"uuid":"c7ea3772-0c8c-4399-96ff-b6fe8a1fd780","description":"The Kalvico Identification and Authentication Policy establishes the organizational requirements and procedures that govern the implementation of 
IA-2.13.","component-uuid":"9c3548b9-1ad5-4f3b-80e6-7cc6a6ce6b93","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"b4678fc7-2b50-4465-abfb-3f52a0239240","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.AAD.3.3v2: If Microsoft Authenticator is enabled, it SHALL be configured to show login context information.","description":"Out-of-band authentication is supported through Auth0 (leveraged CIAM service) Guardian push notifications sent to a registered mobile device, providing an authentication channel separate from the primary browser session. SMS-based OTP is available as a fallback but is not the primary out-of-band method per NIST guidance.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"a2f1cb9c-ae56-4868-884d-e96bfe09afcc","description":"Auth0 - External Customer Identity and Access Management (CIAM) Service (leveraged external CIAM service) contributes to the implementation of IA-2.13 as described in the system-level implementation narrative.","component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","implementation-status":{"state":"planned"}}]},{"uuid":"ac5a2295-2c66-433e-b0e2-58c4781fd760","control-id":"ia-2.2","by-components":[{"uuid":"47b68310-8c71-4a90-89c9-bd355c23d803","description":"The Kalvico Identification and Authentication Policy establishes the organizational requirements and procedures that govern the implementation of IA-2.2.","component-uuid":"9c3548b9-1ad5-4f3b-80e6-7cc6a6ce6b93","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"3cd200e4-6505-43bb-8727-1694b5c97ea1","remarks":"This control implementation addresses the following CISA 
SCuBA policy requirements:\n\nMS.AAD.3.1v1: Phishing-resistant MFA SHALL be enforced for all users.\n\nMS.AAD.3.2v1: If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users.\n\nMS.AAD.3.3v2: If Microsoft Authenticator is enabled, it SHALL be configured to show login context information.","description":"Multi-factor authentication for non-privileged accounts is enforced through Auth0 adaptive MFA. All Application X users are required to enroll in MFA. Auth0 evaluates risk signals to trigger step-up authentication challenges. Federated users through the leveraged Entra ID service inherit MFA requirements from their enterprise identity provider.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"c4040418-566a-4c4f-a51b-58ee6c699f1c","description":"Auth0 - External Customer Identity and Access Management (CIAM) Service (leveraged external CIAM service) contributes to the implementation of IA-2.2 as described in the system-level implementation narrative.","component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","implementation-status":{"state":"planned"}},{"uuid":"63ec7a46-f687-44d6-909d-40d8e12c1656","description":"Microsoft Entra ID (Leveraged Boundary) (leveraged privileged access service) contributes to the implementation of IA-2.2 as described in the system-level implementation narrative.","component-uuid":"58e65041-0d92-40e3-9684-3bf14c4380fa","implementation-status":{"state":"planned"}}]},{"uuid":"481c2b8d-b947-431c-a5c4-f80bc54287fe","control-id":"ia-2.8","by-components":[{"uuid":"bcb6c61e-cbf5-4cab-96fc-b21777c2d2c2","description":"The Kalvico Identification and Authentication Policy establishes the organizational requirements and procedures that govern the implementation of 
IA-2.8.","component-uuid":"9c3548b9-1ad5-4f3b-80e6-7cc6a6ce6b93","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"e1132877-35dd-4b25-8f5d-0cf93a8dc840","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.AAD.3.1v1: Phishing-resistant MFA SHALL be enforced for all users.\n\nMS.AAD.3.3v2: If Microsoft Authenticator is enabled, it SHALL be configured to show login context information.\n\nMS.AAD.3.6v1: Phishing-resistant MFA SHALL be required for highly privileged roles.","description":"Replay-resistant authentication is implemented through Auth0 (leveraged CIAM service) using time-based one-time passwords (TOTP), FIDO2/WebAuthn security keys, and push notifications. These mechanisms generate unique, time-limited authentication challenges that cannot be replayed. OAuth 2.0 authorization codes are single-use with PKCE enforcement.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"a90410ee-2efd-4aaf-8ec8-4c225cc39c83","description":"Auth0 - External Customer Identity and Access Management (CIAM) Service (leveraged external CIAM service) contributes to the implementation of IA-2.8 as described in the system-level implementation narrative.","component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","implementation-status":{"state":"planned"}}]},{"uuid":"eb3d52ae-3699-4841-b015-48ae815fb71f","control-id":"ia-3","by-components":[{"uuid":"751800bb-f9f1-40eb-9b06-a0f0e4f65227","description":"The Kalvico Identification and Authentication Policy establishes the organizational requirements and procedures that govern the implementation of 
IA-3.","component-uuid":"9c3548b9-1ad5-4f3b-80e6-7cc6a6ce6b93","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"991417f7-ac81-4b88-994f-e039b7d6776e","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.AAD.3.7v1: Managed devices SHOULD be required for authentication.\n\nMS.AAD.3.8v1: Managed Devices SHOULD be required to register MFA.","description":"Device identification and authentication is implemented through Auth0 (leveraged CIAM service) device recognition and API Gateway mutual TLS capabilities. Auth0 tracks known devices and can challenge authentication from unrecognized devices. API clients authenticate using OAuth 2.0 client credentials with certificate-bound access tokens where required.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"c41e13db-8fa7-4ddf-b755-386647e67f8e","description":"Amazon API Gateway contributes to the implementation of IA-3 as described in the system-level implementation narrative.","component-uuid":"90e71a35-c0ac-40ef-b097-fec56c2da9f7","implementation-status":{"state":"planned"}},{"uuid":"b54a3e83-c4ff-46d2-bc7c-bc8e6453412f","description":"Auth0 - External Customer Identity and Access Management (CIAM) Service (leveraged external CIAM service) contributes to the implementation of IA-3 as described in the system-level implementation narrative.","component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","implementation-status":{"state":"planned"}}]},{"uuid":"ddf00130-1847-4add-886c-b2a8b5d7407b","control-id":"ia-5","by-components":[{"uuid":"844dbc6c-2dc5-4968-acef-7907e6f78e81","description":"The Kalvico Identification and Authentication Policy establishes the organizational requirements and procedures that govern the 
implementation of IA-5.","component-uuid":"9c3548b9-1ad5-4f3b-80e6-7cc6a6ce6b93","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"9b346baf-fb07-424a-8c51-343b7bccd902","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.AAD.3.1v1: Phishing-resistant MFA SHALL be enforced for all users.\n\nMS.AAD.3.3v2: If Microsoft Authenticator is enabled, it SHALL be configured to show login context information.\n\nMS.AAD.3.5v1: The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled.\n\nMS.AAD.3.6v1: Phishing-resistant MFA SHALL be required for highly privileged roles.\n\nMS.POWERBI.5.1v1: ResourceKey-based authentication SHOULD be blocked unless a specific use case (e.g., streaming and/or PUSH datasets) merits its use.","description":"Authenticator management is handled through Auth0 (leveraged CIAM service) for user credentials and MFA enrollments, AWS Secrets Manager for application secrets, and AWS KMS for cryptographic key management. Auth0 enforces password complexity requirements and breached password detection. Application secrets are rotated automatically through Secrets Manager rotation schedules. 
KMS customer-managed keys protect data encryption keys with automatic annual rotation.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"948222a7-963d-4012-a7f0-39d88a6d8cd6","description":"Auth0 - External Customer Identity and Access Management (CIAM) Service (leveraged external CIAM service) contributes to the implementation of IA-5 as described in the system-level implementation narrative.","component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","implementation-status":{"state":"planned"}},{"uuid":"b36cf5d1-2a74-406e-9d28-4808bf8603c5","description":"AWS Secrets Manager contributes to the implementation of IA-5 as described in the system-level implementation narrative.","component-uuid":"f3778a8a-926e-4a43-8648-e3cdac9c5590","implementation-status":{"state":"planned"}},{"uuid":"d414d499-57a1-4c45-847b-bf9e184be7b6","description":"AWS Key Management Service (KMS) contributes to the implementation of IA-5 as described in the system-level implementation narrative.","component-uuid":"2f469b18-652b-4df1-930c-b22d5bd7c05d","implementation-status":{"state":"planned"}}]},{"uuid":"9d0848cb-ce86-4a6f-a64e-9fe4b69046fa","control-id":"ia-5.1","by-components":[{"uuid":"bf86a77b-3fc7-4f14-b5a6-ddd3be9a8130","description":"The Kalvico Identification and Authentication Policy establishes the organizational requirements and procedures that govern the implementation of IA-5.1.","component-uuid":"9c3548b9-1ad5-4f3b-80e6-7cc6a6ce6b93","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"c705e8c5-6b24-443c-865d-4a2116752a9f","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.AAD.6.1v1: User passwords SHALL NOT expire.","description":"Password-based authentication is managed 
through Auth0 (leveraged CIAM service) password policies that enforce minimum length of 12 characters, complexity requirements including uppercase, lowercase, numeric, and special characters, password history enforcement, and breached password detection. Account lockout is enforced after 10 consecutive failed attempts. Password reset requires MFA verification.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"4816e1bc-0a60-44da-8e71-5e64edc8012d","description":"Auth0 - External Customer Identity and Access Management (CIAM) Service (leveraged external CIAM service) contributes to the implementation of IA-5.1 as described in the system-level implementation narrative.","component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","implementation-status":{"state":"planned"}}]},{"uuid":"23ed7e18-392f-4d1b-9763-de0a85445fb3","control-id":"ia-8","by-components":[{"uuid":"6124eb93-9d0e-4860-bdcd-c10e653c2bab","description":"The Kalvico Identification and Authentication Policy establishes the organizational requirements and procedures that govern the implementation of IA-8.","component-uuid":"9c3548b9-1ad5-4f3b-80e6-7cc6a6ce6b93","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"31823ee3-dbb8-4824-9a31-8adf6998c271","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.SHAREPOINT.1.1v1: External sharing for SharePoint SHALL be limited to Existing guests or Only people in your organization.\n\nMS.SHAREPOINT.1.2v1: External sharing for OneDrive SHALL be limited to Existing guests or Only people in your organization.","description":"Non-organizational user identification and authentication is managed through Auth0 for external users and federated through Microsoft Entra ID 
(leveraged privileged access service) for partner organizations. External users authenticate with Auth0 credentials subject to the same MFA and password policies as organizational users. Guest access policies restrict external user permissions to minimum necessary functions.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"27b782d9-b4e1-467b-aef2-2bf07bfa0c47","description":"Auth0 - External Customer Identity and Access Management (CIAM) Service (leveraged external CIAM service) contributes to the implementation of IA-8 as described in the system-level implementation narrative.","component-uuid":"f0a21ebb-f20d-4e15-ba9e-3a5685b98c7e","implementation-status":{"state":"planned"}},{"uuid":"dc021832-1649-4c0d-93ef-74a626b05bd6","description":"Microsoft Entra ID (Leveraged Boundary) (leveraged privileged access service) contributes to the implementation of IA-8 as described in the system-level implementation narrative.","component-uuid":"58e65041-0d92-40e3-9684-3bf14c4380fa","implementation-status":{"state":"planned"}}]},{"uuid":"d83c5710-9cd3-4148-9d18-f5fd40e6b99a","control-id":"sc-15","by-components":[{"uuid":"053b876c-58bc-47dc-a000-234284ef3889","description":"The Kalvico System and Communications Protection Policy establishes the organizational requirements and procedures that govern the implementation of SC-15.","component-uuid":"1b93debf-3823-4ea1-a5bc-bb499d01d97a","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"8c5a7584-a684-42e9-a042-d6cc942845ab","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.TEAMS.1.2v2: Anonymous users SHALL NOT be enabled to start meetings.\n\nMS.TEAMS.1.3v1: Anonymous users and dial-in callers SHOULD NOT be admitted 
automatically.\n\nMS.TEAMS.1.5v1: Dial-in users SHOULD NOT be enabled to bypass the lobby.","description":"Collaborative computing devices and applications within Application X are restricted to authorized capabilities only. The application does not provide screen sharing, remote desktop, or collaborative editing features. Communication between browser clients and the API is limited to RESTful API calls over HTTPS. AWS WAF blocks unauthorized content types and request patterns.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"system-admin","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"8f0581a0-2ccd-4c46-ad8f-98cd9befbb30","description":"AWS WAF (Web Application Firewall) contributes to the implementation of SC-15 as described in the system-level implementation narrative.","component-uuid":"58de1ebb-e60c-47b4-8306-ce189c83357b","implementation-status":{"state":"planned"}}]},{"uuid":"950949f7-9bdd-416a-b1a3-aaef81fb05a4","control-id":"sc-7.10","by-components":[{"uuid":"12536ec3-5526-4898-863a-7f95134f99b7","description":"The Kalvico System and Communications Protection Policy establishes the organizational requirements and procedures that govern the implementation of SC-7.10.","component-uuid":"1b93debf-3823-4ea1-a5bc-bb499d01d97a","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"c5f7ae6d-9efc-4896-9c8a-c5ba7197177c","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.DEFENDER.4.1v2: A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. 
Social Security numbers (SSN).\n\nMS.DEFENDER.4.2v1: The custom policy SHOULD be applied to Exchange, OneDrive, SharePoint, Teams chat, and Devices.\n\nMS.DEFENDER.4.3v1: The action for the custom policy SHOULD be set to block sharing sensitive information with everyone.\n\nMS.DEFENDER.4.5v1: A list of apps that are restricted from accessing files protected by DLP policy SHOULD be defined.\n\nMS.EXO.6.1v1: Contact folders SHALL NOT be shared with all domains.\n\nMS.EXO.6.2v1: Calendar details SHALL NOT be shared with all domains.\n\nMS.EXO.8.1v2: A DLP solution SHALL be used.\n\nMS.EXO.8.2v2: The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency.\n\nMS.EXO.8.3v1: The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft.\n\nMS.EXO.8.4v1: At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email.\n\nMS.POWERBI.1.1v1: The Publish to Web feature SHOULD be disabled unless the agency mission requires the capability.\n\nMS.POWERBI.7.1v1: Sensitivity labels SHOULD be enabled for Power BI and employed for sensitive data per enterprise data protection policies.\n\nMS.POWERPLATFORM.2.1v1: A DLP policy SHALL be created to restrict connector access in the default Power Platform environment.\n\nMS.POWERPLATFORM.2.2v1: Non-default environments SHOULD have at least one DLP policy affecting them.\n\nMS.TEAMS.2.3v2: Internal users SHOULD NOT be enabled to initiate contact with unmanaged users.\n\nMS.TEAMS.4.1v1: Teams email integration SHALL be disabled.\n\nMS.TEAMS.6.1v1: A DLP solution SHALL be enabled. 
The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft.\n\nMS.TEAMS.6.2v1: The DLP solution SHALL protect personally identifiable information (PII)","description":"Application X prevents unauthorized exfiltration of information across managed interfaces. AWS WAF rules inspect and filter outbound content at the CloudFront edge. API Gateway response validation ensures only expected data structures are returned. Lambda functions enforce data classification and filtering rules before responding to API requests. VPC Flow Logs monitor all network traffic patterns for anomalous data transfers.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"system-admin","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"c8f130c8-927d-4304-81d7-a9b9faceb883","description":"AWS WAF (Web Application Firewall) contributes to the implementation of SC-7.10 as described in the system-level implementation narrative.","component-uuid":"58de1ebb-e60c-47b4-8306-ce189c83357b","implementation-status":{"state":"planned"}},{"uuid":"4f41da3b-6cca-48f6-996a-8e1dc26e5887","description":"Amazon CloudFront contributes to the implementation of SC-7.10 as described in the system-level implementation narrative.","component-uuid":"d6adfd46-e666-480a-b74a-14a411b7e173","implementation-status":{"state":"planned"}},{"uuid":"b0da234f-d053-4e03-917e-9c260910231c","description":"Amazon API Gateway contributes to the implementation of SC-7.10 as described in the system-level implementation narrative.","component-uuid":"90e71a35-c0ac-40ef-b097-fec56c2da9f7","implementation-status":{"state":"planned"}}]},{"uuid":"8e82c8ff-5107-47f4-b69b-742ff6daabc1","control-id":"sc-7.5","by-components":[{"uuid":"5f571095-f645-4bb0-ba85-607d23a11c81","description":"The Kalvico System and Communications Protection Policy establishes the organizational requirements and procedures that 
govern the implementation of SC-7.5.","component-uuid":"1b93debf-3823-4ea1-a5bc-bb499d01d97a","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"9074cb8c-34b4-4b78-9898-9390c7f1147f","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.POWERPLATFORM.3.1v1: Power Platform tenant isolation SHALL be enabled.\n\nMS.POWERPLATFORM.3.2v1: An inbound/outbound connection allowlist SHOULD be configured.","description":"Managed interfaces at the VPC boundary deny traffic by default and allow only explicitly authorized connections. Security Groups on Lambda ENIs and RDS instances implement deny-all inbound rules except from designated source security groups. NAT Gateways restrict private subnet internet access to outbound-only connections. VPC endpoint policies restrict service access to approved resources only.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"system-admin","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"f64fb5dc-cfda-4d08-8f3d-d59cd7a596c3","description":"Application X Virtual Private Cloud (VPC) contributes to the implementation of SC-7.5 as described in the system-level implementation narrative.","component-uuid":"4ab08036-da91-4c78-9fbe-1baefd6b1c34","implementation-status":{"state":"planned"}},{"uuid":"a3782891-8bec-41aa-8996-f18f6737fd73","description":"VPC Security Groups contributes to the implementation of SC-7.5 as described in the system-level implementation narrative.","component-uuid":"eea7b306-e9e5-4faf-9b5b-e79bcd5c0a3b","implementation-status":{"state":"planned"}},{"uuid":"62999b4f-f5b6-4b55-a1ec-fb1405ba1091","description":"NAT Gateways contributes to the implementation of SC-7.5 as described in the system-level implementation 
narrative.","component-uuid":"472e300e-07c0-4714-b160-57c3291fdffb","implementation-status":{"state":"planned"}}]},{"uuid":"209475f9-a88f-4099-a157-01bb886dd28e","control-id":"sc-8","by-components":[{"uuid":"3fc20147-c6e0-4f53-a26b-da17bb0384af","description":"The Kalvico System and Communications Protection Policy establishes the organizational requirements and procedures that govern the implementation of SC-8.","component-uuid":"1b93debf-3823-4ea1-a5bc-bb499d01d97a","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"7e47b019-5e14-41f1-a4c1-67c58ffc3aab","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.EXO.3.1v1: DKIM SHOULD be enabled for all domains.","description":"Transmission confidentiality and integrity is protected through TLS 1.2+ encryption on all communication channels. CloudFront enforces HTTPS-only with a minimum TLS 1.2 security policy. API Gateway requires TLS for all API communications. Lambda functions communicate with RDS through encrypted connections enforced by the RDS instance SSL requirement. 
Internal AWS service communications leverage AWS PrivateLink through VPC Endpoints.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"system-admin","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"05644056-4c74-4321-a965-9f4b2531c48b","description":"Amazon CloudFront contributes to the implementation of SC-8 as described in the system-level implementation narrative.","component-uuid":"d6adfd46-e666-480a-b74a-14a411b7e173","implementation-status":{"state":"planned"}},{"uuid":"95df4d4a-62a8-4c94-b091-1d91002c1691","description":"Amazon API Gateway contributes to the implementation of SC-8 as described in the system-level implementation narrative.","component-uuid":"90e71a35-c0ac-40ef-b097-fec56c2da9f7","implementation-status":{"state":"planned"}},{"uuid":"b8519f71-b359-41d7-a03d-4aa5bba98404","description":"AWS Key Management Service (KMS) contributes to the implementation of SC-8 as described in the system-level implementation narrative.","component-uuid":"2f469b18-652b-4df1-930c-b22d5bd7c05d","implementation-status":{"state":"planned"}}]},{"uuid":"d8985ce1-c6e5-4d0d-8af2-ab82046d7ced","control-id":"si-3","by-components":[{"uuid":"1c08f7c7-025f-46ea-a391-e5131f954cd1","description":"The Kalvico System and Information Integrity Policy establishes the organizational requirements and procedures that govern the implementation of SI-3.","component-uuid":"48380626-0e4e-4d1f-8221-99fdfc51978a","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"0d55b9c1-f59c-46fd-9e78-0577e2209f5d","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.DEFENDER.1.1v1: The standard and strict preset security policies SHALL be enabled.\n\nMS.DEFENDER.1.2v1: All users SHALL be added to Exchange Online Protection (EOP) in either the standard or 
strict preset security policy.\n\nMS.DEFENDER.1.3v1: All users SHALL be added to Defender for Office 365 protection in either the standard or strict preset security policy.\n\nMS.DEFENDER.1.4v1: Sensitive accounts SHALL be added to Exchange Online Protection in the strict preset security policy.\n\nMS.DEFENDER.1.5v1: Sensitive accounts SHALL be added to Defender for Office 365 protection in the strict preset security policy.\n\nMS.DEFENDER.3.1v1: Safe attachments SHOULD be enabled for SharePoint, OneDrive, and Microsoft Teams.\n\nMS.EXO.9.1v2: Emails SHALL be filtered by attachment file types.\n\nMS.EXO.9.2v1: The attachment filter SHOULD attempt to determine the true file type and assess the file extension.\n\nMS.EXO.9.3v2: Disallowed file types SHALL be determined and enforced.\n\nMS.EXO.9.4v1: Alternatively chosen filtering solutions SHOULD offer services comparable to Microsoft Defender's Common Attachment Filter.\n\nMS.EXO.9.5v1: At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe).\n\nMS.EXO.10.1v1: Emails SHALL be scanned for malware.\n\nMS.EXO.10.2v1: Emails identified as containing malware SHALL be quarantined or dropped.\n\nMS.EXO.10.3v1: Email scanning SHALL be capable of reviewing emails after delivery.\n\nMS.EXO.15.1v1: URL comparison with a block-list SHOULD be enabled.\n\nMS.EXO.15.2v1: Direct download links SHOULD be scanned for malware.\n\nMS.EXO.15.3v1: User click tracking SHOULD be enabled.\n\nMS.POWERBI.6.1v1: Python and R interactions SHOULD be disabled.\n\nMS.TEAMS.7.1v1: Attachments included with Teams messages SHOULD be scanned for malware.\n\nMS.TEAMS.7.2v1: Users SHOULD be prevented from opening or downloading files detected as malware.\n\nMS.TEAMS.8.1v1: URL comparison with a blocklist SHOULD be enabled.","description":"Malicious code protection is implemented at multiple layers. 
AWS WAF provides web application firewall rules that detect and block common attack patterns including SQL injection, cross-site scripting, and known malicious payloads. Lambda functions process input through validation and sanitization routines. Container images are scanned for vulnerabilities before deployment. Dependency scanning is integrated into the CI/CD pipeline to detect known vulnerable libraries.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"security-operations","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"4ce92dea-0902-4330-9d02-4b375d5a65da","description":"AWS WAF (Web Application Firewall) contributes to the implementation of SI-3 as described in the system-level implementation narrative.","component-uuid":"58de1ebb-e60c-47b4-8306-ce189c83357b","implementation-status":{"state":"planned"}},{"uuid":"c36da83d-c8f5-491d-aceb-a2cb432b1812","description":"AWS Lambda (Python API Functions) contributes to the implementation of SI-3 as described in the system-level implementation narrative.","component-uuid":"22feb8d0-6f7b-4da2-92c4-57cc270cfe8e","implementation-status":{"state":"planned"}}]},{"uuid":"57dc8139-4fb5-401e-bde6-4dbcf9c9743c","control-id":"si-4.12","by-components":[{"uuid":"a3d3f643-5246-4a7b-871f-c5784a336de8","description":"The Kalvico System and Information Integrity Policy establishes the organizational requirements and procedures that govern the implementation of SI-4.12.","component-uuid":"48380626-0e4e-4d1f-8221-99fdfc51978a","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"c325ad45-0b39-4101-8809-6c485eba3e6c","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.EXO.16.2v1: The alerts SHOULD be sent to a monitored address or incorporated into a security information and event 
management (SIEM) system.","description":"Automated organization-generated alerts are configured through CloudWatch metric filters and alarms. Alert rules generate notifications for events including unauthorized configuration changes, abnormal traffic volumes, repeated authentication failures, and out-of-policy administrative actions. Alerts are delivered through SNS topics to the security operations team.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"security-operations","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"c19c5dbd-1392-47a0-8532-777dd279e754","description":"Amazon CloudWatch contributes to the implementation of SI-4.12 as described in the system-level implementation narrative.","component-uuid":"7bf653d6-95ae-41df-8a9e-ef5f99126ba6","implementation-status":{"state":"planned"}}]},{"uuid":"8316ff60-8a91-47de-a8c7-a9d5ef531cca","control-id":"si-4.5","by-components":[{"uuid":"72c180fc-6c5f-437a-ab7e-93564f3624c5","description":"The Kalvico System and Information Integrity Policy establishes the organizational requirements and procedures that govern the implementation of SI-4.5.","component-uuid":"48380626-0e4e-4d1f-8221-99fdfc51978a","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"5cc5f1d0-99b4-4512-b59b-6b2c8e59864e","remarks":"This control implementation addresses the following CISA SCuBA policy requirements:\n\nMS.DEFENDER.5.1v1: At a minimum, the alerts required by the CISA M365 Secure Configuration Baseline for Exchange Online SHALL be enabled.\n\nMS.DEFENDER.5.2v1: The alerts SHOULD be sent to a monitored address or incorporated into a Security Information and Event Management (SIEM).\n\nMS.EXO.4.3v1: The DMARC point of contact for aggregate reports SHALL include `reports@dmarc.cyber.dhs.gov`.\n\nMS.EXO.4.4v1: An agency point of contact 
SHOULD be included for aggregate and failure reports.\n\nMS.EXO.16.1v1: At a minimum, the following alerts SHALL be enabled:","description":"System monitoring generates alerts when indicators of compromise or potential threats are detected. CloudWatch alarms monitor for unusual API call patterns, authentication failures, privilege escalation attempts, and resource access anomalies. CloudTrail insights detect unusual management activity. Alert thresholds are tuned based on baseline operational patterns and trigger notifications to the security operations team.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"security-operations","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"ec276425-75db-4d38-9289-0ce80efac07f","description":"Amazon CloudWatch contributes to the implementation of SI-4.5 as described in the system-level implementation narrative.","component-uuid":"7bf653d6-95ae-41df-8a9e-ef5f99126ba6","implementation-status":{"state":"planned"}},{"uuid":"fb3b8226-e6e2-4579-91cf-d78f3078e8df","description":"AWS CloudTrail contributes to the implementation of SI-4.5 as described in the system-level implementation narrative.","component-uuid":"b278e3d3-7a87-4d27-9dcb-d2394931262f","implementation-status":{"state":"planned"}}]},{"uuid":"64692ed0-c624-422b-b809-5c581c1062e7","control-id":"si-8","by-components":[{"uuid":"5f10af82-4980-48ba-8cba-9d9a7eb57d00","description":"The Kalvico System and Information Integrity Policy establishes the organizational requirements and procedures that govern the implementation of SI-8.","component-uuid":"48380626-0e4e-4d1f-8221-99fdfc51978a","responsible-roles":[{"role-id":"isso","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"implemented"}},{"uuid":"f97ad0a4-8bea-4951-b29b-e20c06e79b83","remarks":"This control implementation addresses the following CISA SCuBA policy 
requirements:\n\nMS.DEFENDER.1.1v1: The standard and strict preset security policies SHALL be enabled.\n\nMS.DEFENDER.1.2v1: All users SHALL be added to Exchange Online Protection (EOP) in either the standard or strict preset security policy.\n\nMS.DEFENDER.1.3v1: All users SHALL be added to Defender for Office 365 protection in either the standard or strict preset security policy.\n\nMS.DEFENDER.1.4v1: Sensitive accounts SHALL be added to Exchange Online Protection in the strict preset security policy.\n\nMS.DEFENDER.1.5v1: Sensitive accounts SHALL be added to Defender for Office 365 protection in the strict preset security policy.\n\nMS.DEFENDER.2.1v1: User impersonation protection SHOULD be enabled for sensitive accounts in both the standard and strict preset policies.\n\nMS.DEFENDER.2.2v1: Domain impersonation protection SHOULD be enabled for domains owned by the agency in both the standard and strict preset policies.\n\nMS.DEFENDER.2.3v1: Domain impersonation protection SHOULD be added for important partners in both the standard and strict preset policies.\n\nMS.EXO.4.1v1: A DMARC policy SHALL be published for every second-level domain.\n\nMS.EXO.4.2v1: The DMARC message rejection option SHALL be p=reject.\n\nMS.EXO.7.1v1: External sender warnings SHALL be implemented.\n\nMS.EXO.11.1v1: Impersonation protection checks SHOULD be used.\n\nMS.EXO.11.2v1: User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed.\n\nMS.EXO.11.3v1: The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence.\n\nMS.EXO.14.1v2: A spam filter SHALL be enabled.\n\nMS.EXO.14.2v1: Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder.\n\nMS.EXO.14.3v1: Allowed domains SHALL NOT be added to inbound anti-spam protection policies.\n\nMS.EXO.14.4v1: If a third-party filtering solution is used, the solution SHOULD offer services comparable to the 
native spam filtering offered by Microsoft.\n\nMS.TEAMS.2.2v2: Unmanaged users SHALL NOT be enabled to initiate contact with internal users.\n\nMS.TEAMS.4.1v1: Teams email integration SHALL be disabled.","description":"Spam protection capabilities are implemented through AWS WAF rate limiting rules and API Gateway throttling. Application X API endpoints are protected against automated abuse through request rate limits, CAPTCHA challenges for suspicious activity, and Auth0 bot detection. CloudFront geographic restrictions limit access to approved regions.","component-uuid":"40cf2b15-01ec-4a43-8a89-fcaccac7f857","responsible-roles":[{"role-id":"security-operations","party-uuids":["3a491fe9-e141-4833-b7fb-be33c7538616"]}],"implementation-status":{"state":"planned"}},{"uuid":"5b6a3bcb-61d2-46f8-ac05-bec913fd8057","description":"AWS WAF (Web Application Firewall) contributes to the implementation of SI-8 as described in the system-level implementation narrative.","component-uuid":"58de1ebb-e60c-47b4-8306-ce189c83357b","implementation-status":{"state":"planned"}}]}]},"back-matter":{"resources":[{"uuid":"21c16bc5-f848-4ddf-ad3a-1f768217cb90","title":"Application X Architecture Diagram (Model Office)","rlinks":[{"href":"./resources/21c16bc5-f848-4ddf-ad3a-1f768217cb90"}],"remarks":"Model Office DRAFT 2026-01-20. Shows browser clients, CloudFront, WAF, Route 53, API Gateway, VPC with multi-AZ subnets, Lambda functions, RDS PostgreSQL, and all supporting AWS services. 
Auth0 and Entra ID are shown as external and leveraged boundary services respectively.","description":"AWS architecture diagram depicting the Application X authorization boundary, network topology, and component relationships."},{"uuid":"b6b08069-de39-4dd2-9a7f-3437989054d2","props":[{"name":"type","value":"policy"}],"title":"Kalvico Access Control and Identity Management Policy","rlinks":[{"href":"./resources/b6b08069-de39-4dd2-9a7f-3437989054d2"}],"description":"Organizational policy document governing access control for all Kalvico information systems."},{"uuid":"a7945a54-bd40-431c-951f-f8f7c6b9ef6c","props":[{"name":"type","value":"policy"}],"title":"Kalvico Identification and Authentication Policy","rlinks":[{"href":"./resources/a7945a54-bd40-431c-951f-f8f7c6b9ef6c"}],"description":"Organizational policy document governing identification and authentication requirements."},{"uuid":"5cbbf634-a99b-4dee-9429-6f01f0834226","props":[{"name":"type","value":"policy"}],"title":"Kalvico Configuration Management Policy","rlinks":[{"href":"./resources/5cbbf634-a99b-4dee-9429-6f01f0834226"}],"description":"Organizational policy document governing configuration management and change control."},{"uuid":"f2c26cda-f359-4509-b6cc-aeb8340dca6b","props":[{"name":"type","value":"policy"}],"title":"Kalvico System and Communications Protection Policy","rlinks":[{"href":"./resources/f2c26cda-f359-4509-b6cc-aeb8340dca6b"}],"description":"Organizational policy document governing communications protection and cryptographic standards."},{"uuid":"90439a75-36fb-47f7-aa53-ac789adec8f4","props":[{"name":"type","value":"policy"}],"title":"Kalvico System and Information Integrity Policy","rlinks":[{"href":"./resources/90439a75-36fb-47f7-aa53-ac789adec8f4"}],"description":"Organizational policy document governing system integrity, malicious code protection, and monitoring."},{"uuid":"67ad4cae-298a-42c5-bde3-b6e9edfbda95","props":[{"name":"type","value":"policy"}],"title":"Kalvico Audit and 
Accountability Policy","rlinks":[{"href":"./resources/67ad4cae-298a-42c5-bde3-b6e9edfbda95"}],"description":"Organizational policy document governing audit record generation, retention, and review."},{"uuid":"6b78455a-c9ec-4cf4-8ec6-45f68cbde434","props":[{"name":"type","value":"policy"}],"title":"Kalvico Awareness and Training Policy","rlinks":[{"href":"./resources/6b78455a-c9ec-4cf4-8ec6-45f68cbde434"}],"description":"Organizational policy document governing security awareness and role-based training."},{"uuid":"d5d79082-bbaa-4ac9-ac2e-0f16e93b6c85","props":[{"name":"type","value":"image"}],"title":"Application X Physical Architecture Diagram (Model Office)","rlinks":[{"href":"2026-01_Model_Office.svg","media-type":"image/svg+xml"}],"remarks":"Model Office DRAFT 2026-01-20. Physical view showing the complete AWS deployment architecture.","description":"Detailed AWS architecture diagram showing all physical components within the authorization boundary including VPC subnets, Security Groups, Lambda functions, RDS instances, NAT Gateways, and all supporting AWS services. Shows Auth0 and Entra ID as external leveraged services."},{"uuid":"3145b917-ba5b-46df-b568-52301262a16d","props":[{"name":"type","value":"image"}],"title":"Application X Logical Architecture Diagram (Model Office)","rlinks":[{"href":"2026-01_Model_Office-logical.svg","media-type":"image/svg+xml"}],"remarks":"Model Office DRAFT 2026-01-20. Logical view showing service tiers, data flows, and boundary relationships.","description":"High-level logical boundary diagram showing the authorization boundary with Public-Facing Services (Front-end Code, S3, API Management Services) and Internal Services (API Server Python Code, PostgreSQL). Shows Auth0 as leveraged CIAM and Entra ID as leveraged privileged access boundary. Includes VPC Enforced Data Flow Rules."}]}}}