Lorem Technologies Inc

Impact Level: Low

Lorem Cloud Platform

Lorem Cloud Platform provides scalable infrastructure services with integrated security monitoring and compliance automation for federal agencies and commercial enterprises.

Last Assessment

6/15/2025

Recommendation: Authorize

47/48
Selected file: lorem-ipsum.yaml

YAML Structure Guide

The YAML file should follow this structure (indentation as in the examples below: list items sit two spaces under their parent key, and the fields of each item sit four spaces under the dash):

Package:
  CSPName: <Company name of Cloud Service Provider>
  CSO: <Cloud Service Offering / Name of application>
  impact: <Low | Moderate | High>
  summaryOfCSO: <Description of CSO>
  Assessments:
    - Assessment:
        digitalSignature: <SHA hash of assessment elements below>
        assessorOrg: <Third Party Assessment Organization>
        date: <date of assessment>
        leadAssessor: <name of lead assessor>
        recommendation: <Authorize | Do Not Authorize>
        remarks: <assessment remarks>
        KSIs:
          - KSI:
              name: <name of KSI>
              shortName: <shortname of KSI>
              status: <status of implementation - Complete | Incomplete>
              Validations:
                - validation:
                    id: <validation id>
                    shortName: <shortname of validation>
                    description: <description of validation>
                    implementation: <short description of approach>
                    implementationStatus: <True | False | Partial>
                    digitalSignature: <SHA hash of validation elements>
                    assessmentStatus: <True | False | Partial>
                    assessedBy: <name of assessor>
                    assessedOn: <date validation was assessed>
                    remarks: <remarks from assessor>
                    Evidences:
                      - evidence:
                          id: <evidence id>
                          name: <name of evidence>
                          description: <description of evidence>
                          instructions: <how to retrieve evidence>
                          automated: <True | False>
                          commands: <computer instruction used if automated>
                          scriptName: <filename>
                          validationRules:
                            - rule:
                                id: <rule id>
                                textValue: <value to look for in output file>
                          validatedBy: <name of assessor>
                          validateDate: <date evidence was validated>
                          remarks: <remarks from assessor>
                          Artifacts:
                            - artifact:
                                name: <name of artifact>
                                reference: <evidence file>
                                outputResults: <output of script if automated>
                                effectiveDate: <date of evidence>

Example 1: Lorem Ipsum

Package:
  CSPName: Lorem Technologies Inc
  CSO: Lorem Cloud Platform
  impact: Low
  summaryOfCSO: Lorem Cloud Platform provides scalable infrastructure services with integrated security monitoring and compliance automation for federal agencies and commercial enterprises.
  Assessments:
    - Assessment:
        digitalSignature: 9f4e2207df7d2b9f5a8c6b1e3d4a5f7c8e9b2a1d
        assessorOrg: Ipsum Security Partners
        date: 6/15/2025
        leadAssessor: Jane Consectetur
        recommendation: Authorize
        remarks: All KSIs demonstrated adequate implementation with minor findings addressed during assessment period.
        KSIs:
          - KSI:
              name: Cloud Native Architecture
              shortName: KSI-CNA
              status: Complete
              Validations:
                - validation:
                    id: 1
                    shortName: KSI-CNA-1
                    description: Have denial of service (DoS) protection
                    implementation: AWS WAF with rate limiting
                    implementationStatus: True
                    digitalSignature: 2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b
                    assessmentStatus: True
                    assessedBy: Jane Consectetur
                    assessedOn: 6/12/2025
                    remarks: WAF rules properly configured with rate limiting
                    Evidences:
                      - evidence:
                          id: 1.1
                          name: WAF Configuration
                          description: Web application firewall DoS protection rules
                          instructions: Review WAF rate limiting configuration
                          automated: True
                          commands: aws wafv2 list-web-acls --scope CLOUDFRONT
                          scriptName: check_waf_dos.sh
                          validationRules:
                            - rule:
                                id: 1.1.1
                                textValue: RateBasedStatement
                          validatedBy: Jane Consectetur
                          validateDate: 6/12/2025
                          remarks: Rate limiting rule found with 2000 requests per 5 minutes
                          Artifacts:
                            - artifact:
                                name: WAF Rules Output
                                reference: waf_rules_output.json
                                outputResults: '{"WebACLs":[{"Name":"lorem-waf","Id":"abc123","DefaultAction":{"Allow":{}},"Rules":[{"Name":"RateLimitRule","Priority":1,"Statement":{"RateBasedStatement":{"Limit":2000,"AggregateKeyType":"IP"}},"Action":{"Block":{}}}]}]}'
                                effectiveDate: 6/10/2025

Example 2: ACME SecureCloud Enterprise

Package:
  CSPName: Acme Digital Solutions Corp
  CSO: Acme SecureCloud Enterprise
  impact: Low
  summaryOfCSO: Acme SecureCloud Enterprise delivers enterprise-grade cloud infrastructure with advanced threat detection, automated compliance monitoring, and multi-region disaster recovery capabilities for government and commercial clients.
  Assessments:
    - Assessment:
        digitalSignature: 3e7f1a8b9c2d4f5e6a7b8c9d0e1f2a3b4c5d6e7f
        assessorOrg: CyberGuard Security Associates
        date: 7/10/2025
        leadAssessor: Michael Rodriguez
        recommendation: Conditional
        remarks: Several KSIs require remediation before full authorization can be granted. Critical gaps identified in security controls implementation.
        KSIs:
          - KSI:
              name: Policy and Inventory
              shortName: KSI-PI
              status: Complete
              Validations:
                - validation:
                    id: 50
                    shortName: KSI-PI-1
                    description: Have an up-to-date asset inventory or code defining all deployed assets
                    implementation: Comprehensive asset discovery using Azure Resource Graph and Ansible inventory
                    implementationStatus: "True"
                    digitalSignature: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
                    assessmentStatus: "True"
                    assessedBy: Michael Rodriguez
                    assessedOn: 7/12/2025
                    remarks: Real-time asset inventory with automated discovery and configuration management
                    Evidences:
                      - evidence:
                          id: 50.1
                          name: Azure Asset Discovery Report
                          description: Complete inventory of Azure cloud resources
                          instructions: Execute Azure Resource Graph query for comprehensive asset enumeration
                          automated: True
                          commands: az graph query -q "Resources | project name, type, resourceGroup, location, tags"
                          scriptName: azure_asset_discovery.sh
                          validationRules:
                            - rule:
                                id: 50.1.1
                                textValue: "resourceType"
                          validatedBy: Michael Rodriguez
                          validateDate: 7/12/2025
                          remarks: Asset inventory covers 100% of deployed resources with real-time updates
                          Artifacts:
                            - artifact:
                                name: Azure Resource Inventory
                                reference: azure_resources.json
                                outputResults: '{"resources":[{"name":"acme-web-app","type":"Microsoft.Web/sites","resourceGroup":"production-rg","location":"eastus","tags":{"Environment":"Production","Owner":"DevOps"}}],"totalResources":892,"lastSync":"2025-07-12T14:30:00Z"}'
                                effectiveDate: 7/12/2025
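The structure guide leaves two things implicit that anyone consuming these files has to handle: a rule's textValue is matched against the artifact's outputResults as text, and YAML turns a bare True into a boolean while "True" stays a string (both forms appear in the examples). The following checker, added here as an example and not part of the page or of the viewer that renders it, walks an already-parsed package (loading with yaml.safe_load is assumed), applies each validationRule to its artifacts, counts automated versus manual evidence as the dashboard does, and flags values outside the guide's allowed sets. SAMPLE_PACKAGE is a hand-constructed, trimmed copy of Example 1 with one failing and one manual evidence item added.

```python
"""Check a parsed KSI assessment package against the YAML structure guide.

Added example, not the page's own tooling. It assumes the YAML file has
already been parsed into Python objects (e.g. with ``yaml.safe_load``).
"""

# Allowed values, taken from the structure guide.
RECOMMENDATIONS = {"Authorize", "Do Not Authorize"}
TRI_STATE = {"True", "False", "Partial"}
KSI_STATUS = {"Complete", "Incomplete"}


def norm(value):
    """Normalise scalars: YAML parses bare True as bool but "True" as str."""
    if isinstance(value, bool):
        return "True" if value else "False"
    return "" if value is None else str(value).strip()


def squash(text):
    """Drop all whitespace so '"k": True' still matches compact '"k":True'."""
    return "".join(text.split())


def check_evidence(evidence):
    """Apply each rule's textValue to the artifacts' outputResults.

    The guide defines textValue as 'value to look for in output file', so this
    is a substring search, not a JSON parse (the page's outputs use Python-style
    True/False, which would not parse as JSON anyway). A rule whose evidence has
    no captured output can never pass, which is the right outcome for a manual,
    PDF-only evidence item.
    """
    outputs = [squash(norm(a["artifact"].get("outputResults")))
               for a in evidence.get("Artifacts") or []]
    results = {}
    for r in evidence.get("validationRules") or []:
        rule = r["rule"]
        needle = squash(norm(rule.get("textValue")))
        results[norm(rule.get("id"))] = bool(needle) and any(needle in o for o in outputs)
    return results


def evaluate_package(pkg):
    """Return enum violations, per-rule pass/fail and automated/manual counts."""
    problems, rules = [], {}
    automated = manual = 0
    for a in pkg["Package"].get("Assessments") or []:
        assessment = a["Assessment"]
        rec = norm(assessment.get("recommendation"))
        if rec not in RECOMMENDATIONS:
            problems.append(f"recommendation {rec!r} not in {sorted(RECOMMENDATIONS)}")
        for k in assessment.get("KSIs") or []:
            ksi = k["KSI"]
            if norm(ksi.get("status")) not in KSI_STATUS:
                problems.append(f"{ksi.get('shortName')}: status {ksi.get('status')!r} invalid")
            for v in ksi.get("Validations") or []:
                val = v["validation"]
                for field in ("implementationStatus", "assessmentStatus"):
                    if norm(val.get(field)) not in TRI_STATE:
                        problems.append(f"{val.get('shortName')}: {field} {val.get(field)!r} invalid")
                for e in val.get("Evidences") or []:
                    ev = e["evidence"]
                    if norm(ev.get("automated")) == "True":
                        automated += 1
                    else:
                        manual += 1  # False and N/A both count as manual evidence
                    rules.update(check_evidence(ev))
    return {"problems": problems, "rules": rules,
            "automated": automated, "manual": manual}


# Constructed sample outputs (shortened from the page's artifacts).
WAF_OUTPUT = '{"Rules":[{"Statement":{"RateBasedStatement":{"Limit":2000}}}]}'
TASK_OUTPUT = '{"containerDefinitions":[{"readonlyRootFilesystem":False}]}'

# Constructed evidence list: one passing, one failing, one manual item.
SAMPLE_EVIDENCES = [
    {"evidence": {"id": 1.1, "automated": True,
                  "validationRules": [{"rule": {"id": "1.1.1", "textValue": "RateBasedStatement"}}],
                  "Artifacts": [{"artifact": {"reference": "waf_rules_output.json",
                                              "outputResults": WAF_OUTPUT}}]}},
    {"evidence": {"id": 3.1, "automated": True,
                  # in the YAML file this textValue must be quoted as one string
                  "validationRules": [{"rule": {"id": "3.1.1", "textValue": '"readonlyRootFilesystem": True'}}],
                  "Artifacts": [{"artifact": {"reference": "task_definition.json",
                                              "outputResults": TASK_OUTPUT}}]}},
    {"evidence": {"id": 2.2, "automated": "N/A", "validationRules": [],
                  "Artifacts": [{"artifact": {"reference": "nacl_review.pdf"}}]}},
]

# Constructed package: Example 1 trimmed to the fields the checker reads.
SAMPLE_PACKAGE = {"Package": {
    "CSPName": "Lorem Technologies Inc", "CSO": "Lorem Cloud Platform", "impact": "Low",
    "Assessments": [{"Assessment": {
        "recommendation": "Conditional",  # not an allowed value: gets flagged
        "KSIs": [{"KSI": {
            "shortName": "KSI-CNA", "status": "Complete",
            "Validations": [{"validation": {
                "shortName": "KSI-CNA-1",
                "implementationStatus": True,  # bare YAML boolean
                "assessmentStatus": "True",    # quoted YAML string
                "Evidences": SAMPLE_EVIDENCES}}]}}]}}]}}


if __name__ == "__main__":
    report = evaluate_package(SAMPLE_PACKAGE)
    for rid, ok in report["rules"].items():
        print(f"rule {rid}: {'PASS' if ok else 'FAIL'}")
    print(f"automated evidence: {report['automated']}, manual: {report['manual']}")
    for problem in report["problems"]:
        print("schema problem:", problem)
```

Matching is deliberately whitespace-insensitive: rule 3.1.1 on the page is written with a space after the colon while the recorded output has none, and a naive substring check would report a false failure.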

Total KSIs: 9 Key Security Indicators
Validations: 48 Total Validations
Success Rate: 98% Passed Validations
Automation: 56% Automated Evidence

Validation Status Distribution (chart: Pass / Fail / Pending)

Evidence Coverage
Automated Evidence: 32/57
Manual Evidence: 25/57

Assessment Information
Assessor Org: Ipsum Security Partners
Lead Assessor: Jane Consectetur
Assessment Date: 6/15/2025
Recommendation: Authorize
Digital Signature: 9f4e2207df7d2b9f5a8c6b1e3d4a5f7c8e9b2a1d
Remarks: All KSIs demonstrated adequate implementation with minor findings addressed during assessment period.
Key Security Indicators (KSIs)

Cloud Native Architecture (KSI-CNA)
Complete

KSI-CNA-1: Have denial of service (DoS) protection
true
Implementation: AWS WAF with rate limiting
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/12/2025
Digital Signature: 2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b
Remarks: WAF rules properly configured with rate limiting

WAF Configuration: Web application firewall DoS protection rules
ID: 1.1
Instructions: Review WAF rate limiting configuration
Commands: aws wafv2 list-web-acls --scope CLOUDFRONT
Automated: true
Script Name: check_waf_dos.sh
Validated By: Jane Consectetur
Validate Date: 6/12/2025
Validation Rules:
Rule 1.1.1: RateBasedStatement
Artifacts:
WAF Rules Output
Reference: waf_rules_output.json
Effective Date: 6/10/2025
Results: {"WebACLs":[{"Name":"lorem-waf","Id":"abc123","DefaultAction":{"Allow":{}},"Rules":[{"Name":"RateLimitRule","Priority":1,"Statement":{"RateBasedStatement":{"Limit":2000,"AggregateKeyType":"IP"}},"Action":{"Block":{}}}]}]}

KSI-CNA-2: Configure firewalls/proxy servers to limit inbound and outbound traffic
true
Implementation: Security groups and NACLs
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/12/2025
Digital Signature: 3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c
Remarks: Network controls properly restrict traffic flows

Security Group Rules: EC2 security group configurations
ID: 2.1
Instructions: Audit security group rules for least privilege
Commands: aws ec2 describe-security-groups
Automated: true
Script Name: audit_security_groups.sh
Validated By: Jane Consectetur
Validate Date: 6/12/2025
Validation Rules:
Rule 2.1.1: 0.0.0.0/0
Rule 2.1.2: FromPort
Artifacts:
Security Groups Audit
Reference: sg_audit_results.json
Effective Date: 6/10/2025
Results: {"SecurityGroups":[{"GroupId":"sg-12345","GroupName":"lorem-web","IpPermissions":[{"IpProtocol":"tcp","FromPort":443,"ToPort":443,"IpRanges":[{"CidrIp":"10.0.0.0/8"}]}]}]}

NACL Configuration: Network ACL rules review
ID: 2.2
Instructions: Review network ACL entries for proper traffic control
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validate Date: 6/12/2025
Validation Rules:
Artifacts:
NACL Rules Documentation
Reference: nacl_review.pdf
Effective Date: 6/10/2025

KSI-CNA-3: Use immutable containers and serverless functions with strictly defined functionality and privileges
true
Implementation: ECS Fargate with read-only root filesystem
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/13/2025
Digital Signature: 4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d
Remarks: Container immutability properly enforced

Container Configuration: ECS task definition review
ID: 3.1
Instructions: Verify read-only root filesystem settings
Commands: aws ecs describe-task-definition --task-definition lorem-app
Automated: true
Script Name: check_container_immutable.sh
Validated By: Jane Consectetur
Validate Date: 6/13/2025
Validation Rules:
Rule 3.1.1: "readonlyRootFilesystem": True
Artifacts:
Task Definition
Reference: task_definition.json
Effective Date: 6/11/2025
Results: {"taskDefinition":{"containerDefinitions":[{"name":"lorem-container","readonlyRootFilesystem":True,"cpu":256,"memory":512}]}}
Lambda Function Config
Reference: lambda_config.json
Effective Date: 6/11/2025
Results: {"Configuration":{"FunctionName":"lorem-function","Runtime":"python3.9","Role":"arn:aws:iam::123456789012:role/lorem-lambda-role","Environment":{"Variables":{"ENV":"production"}}}}

KSI-CNA-4: Design systems as logically segmented micro-services to minimize the attack surface and lateral movement if compromised
Partial
Implementation: Microservices architecture with service mesh
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/13/2025
Digital Signature: 5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e
Remarks: Service mesh partially implemented, some services need isolation improvements

Service Mesh Configuration: Istio service mesh policies
ID: 4.1
Instructions: Review service-to-service communication policies
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validate Date: 6/13/2025
Validation Rules:
Artifacts:
Istio Policies
Reference: istio_policies.yaml
Effective Date: 6/11/2025

KSI-CNA-5: Use cloud native virtual networks and related capabilities to enforce logical traffic flow controls
true
Implementation: VPC with subnets and routing tables
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/13/2025
Digital Signature: 6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f
Remarks: Network segmentation properly implemented

VPC Configuration: Virtual private cloud network setup
ID: 5.1
Instructions: Review VPC subnets and routing
Commands: aws ec2 describe-vpcs; aws ec2 describe-subnets
Automated: true
Script Name: audit_vpc_config.sh
Validated By: Jane Consectetur
Validate Date: 6/13/2025
Validation Rules:
Rule 5.1.1: private
Rule 5.1.2: public
Artifacts:
VPC Audit Results
Reference: vpc_audit.json
Effective Date: 6/11/2025
Results: {"Vpcs":[{"VpcId":"vpc-12345","CidrBlock":"10.0.0.0/16","State":"available"}],"Subnets":[{"SubnetId":"subnet-12345","VpcId":"vpc-12345","CidrBlock":"10.0.1.0/24","MapPublicIpOnLaunch":false}]}

KSI-CNA-6: Execute continuous scanning of cloud native system components
true
Implementation: Amazon Inspector and third-party vulnerability scanning
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/14/2025
Digital Signature: 7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a
Remarks: Continuous scanning operational with regular reporting

Inspector Scan Results: AWS Inspector vulnerability findings
ID: 6.1
Instructions: Review recent vulnerability scan results
Commands: aws inspector2 list-findings --filter-criteria
Automated: true
Script Name: get_inspector_findings.sh
Validated By: Jane Consectetur
Validate Date: 6/14/2025
Validation Rules:
Rule 6.1.1: findings
Artifacts:
Vulnerability Scan Report
Reference: vuln_scan_report.json
Effective Date: 6/13/2025
Results: {"findings":[{"severity":"MEDIUM","title":"Outdated package detected","status":"ACTIVE","remediation":"Update package to latest version"}]}

KSI-CNA-7: Use high availability design principles to maximize uptime
true
Implementation: Multi-AZ deployment with auto-scaling
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/14/2025
Digital Signature: 8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b
Remarks: High availability architecture properly implemented

Auto Scaling Configuration: EC2 auto scaling group settings
ID: 7.1
Instructions: Verify multi-AZ deployment and scaling policies
Commands: aws autoscaling describe-auto-scaling-groups
Automated: true
Script Name: check_ha_config.sh
Validated By: Jane Consectetur
Validate Date: 6/14/2025
Validation Rules:
Rule 7.1.1: AvailabilityZones
Artifacts:
Auto Scaling Groups
Reference: asg_config.json
Effective Date: 6/12/2025
Results: {"AutoScalingGroups":[{"AutoScalingGroupName":"lorem-asg","MinSize":2,"MaxSize":10,"DesiredCapacity":3,"AvailabilityZones":["us-east-1a","us-east-1b","us-east-1c"]}]}

Service Configuration (KSI-SC)
Complete

KSI-SC-1: Harden and review network and system configurations
true
Implementation: CIS benchmarks and configuration management
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/15/2025
Digital Signature: 9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c
Remarks: System hardening follows CIS benchmarks

CIS Benchmark Compliance: CIS benchmark assessment results
ID: 8.1
Instructions: Run CIS benchmark assessment tools
Commands: sudo /opt/cis-cat/cis-cat.sh -b /opt/cis-cat/benchmarks/
Automated: true
Script Name: run_cis_assessment.sh
Validated By: Jane Consectetur
Validate Date: 6/15/2025
Validation Rules:
Rule 8.1.1: PASS
Artifacts:
CIS Assessment Report
Reference: cis_assessment_report.xml
Effective Date: 6/14/2025
Results: CIS Ubuntu 20.0495PASS

KSI-SC-2: Encrypt all network traffic
true
Implementation: TLS 1.3 for all communications
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/15/2025
Digital Signature: 0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d
Remarks: All network traffic encrypted with TLS 1.3

TLS Configuration: Application load balancer TLS settings
ID: 9.1
Instructions: Verify TLS version and cipher suites
Commands: aws elbv2 describe-ssl-policies
Automated: true
Script Name: check_tls_config.sh
Validated By: Jane Consectetur
Validate Date: 6/15/2025
Validation Rules:
Rule 9.1.1: TLSv1.3
Artifacts:
TLS Policy Configuration
Reference: tls_policies.json
Effective Date: 6/14/2025
Results: {"SslPolicies":[{"Name":"ELBSecurityPolicy-TLS13-1-2-2021-06","SslProtocols":["TLSv1.3"],"Ciphers":["TLS_AES_128_GCM_SHA256"]}]}

KSI-SC-3: Encrypt all federal and sensitive information at rest
true
Implementation: AWS KMS encryption for all data stores
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/15/2025
Digital Signature: 1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e
Remarks: All data encrypted at rest using customer-managed KMS keys

S3 Encryption Status: S3 bucket encryption configuration
ID: 10.1
Instructions: Verify S3 bucket encryption settings
Commands: aws s3api get-bucket-encryption --bucket lorem-data-bucket
Automated: true
Script Name: check_s3_encryption.sh
Validated By: Jane Consectetur
Validate Date: 6/15/2025
Validation Rules:
Rule 10.1.1: aws:kms
Artifacts:
S3 Encryption Config
Reference: s3_encryption.json
Effective Date: 6/14/2025
Results: {"ServerSideEncryptionConfiguration":{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"}}]}}

RDS Encryption Status: RDS database encryption verification
ID: 10.2
Instructions: Check RDS instance encryption status
Commands: aws rds describe-db-instances
Automated: true
Script Name: check_rds_encryption.sh
Validated By: Jane Consectetur
Validate Date: 6/15/2025
Validation Rules:
Rule 10.2.1: "StorageEncrypted": True
Artifacts:
RDS Encryption Status
Reference: rds_encryption.json
Effective Date: 6/14/2025
Results: {"DBInstances":[{"DBInstanceIdentifier":"lorem-db","StorageEncrypted":True,"KmsKeyId":"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"}]}

KSI-SC-4: Manage configuration centrally
true
Implementation: AWS Systems Manager Parameter Store and Config
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/16/2025
Digital Signature: 2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f
Remarks: Centralized configuration management implemented

Parameter Store Usage: Systems Manager Parameter Store configuration
ID: 11.1
Instructions: Review parameter store usage for configuration management
Commands: aws ssm describe-parameters
Automated: true
Script Name: audit_parameter_store.sh
Validated By: Jane Consectetur
Validate Date: 6/16/2025
Validation Rules:
Rule 11.1.1: Parameters
Artifacts:
Parameter Store Audit
Reference: parameter_store.json
Effective Date: 6/15/2025
Results: {"Parameters":[{"Name":"/lorem/app/database/url","Type":"SecureString","KeyId":"alias/lorem-kms-key","Description":"Database connection URL"}]}

KSI-SC-5: Enforce system and component integrity through cryptographic means
true
Implementation: Code signing and file integrity monitoring
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/16/2025
Digital Signature: 3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a
Remarks: Cryptographic integrity controls in place

Code Signing Verification: Application code signing status
ID: 12.1
Instructions: Verify digital signatures on application binaries
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validate Date: 6/16/2025
Validation Rules:
Artifacts:
Code Signing Report
Reference: code_signing_report.pdf
Effective Date: 6/15/2025

KSI-SC-6: Use a key management capability to execute regular rotation of digital keys
true
Implementation: AWS KMS automatic key rotation
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/16/2025
Digital Signature: 4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b
Remarks: Automatic key rotation enabled for all KMS keys

KMS Key Rotation Status: KMS key rotation configuration
ID: 13.1
Instructions: Verify automatic key rotation is enabled
Commands: aws kms get-key-rotation-status --key-id lorem-kms-key
Automated: true
Script Name: check_key_rotation.sh
Validated By: Jane Consectetur
Validate Date: 6/16/2025
Validation Rules:
Rule 13.1.1: "KeyRotationEnabled": True
Artifacts:
Key Rotation Status
Reference: key_rotation_status.json
Effective Date: 6/15/2025
Results: {"KeyRotationEnabled":True,"KeyId":"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"}

KSI-SC-7: Use a consistent, risk-informed approach for applying security patches
true
Implementation: AWS Systems Manager Patch Manager
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/16/2025
Digital Signature: 5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c
Remarks: Automated patch management with risk-based prioritization

Patch Compliance Status: Systems Manager patch compliance report
ID: 14.1
Instructions: Review patch compliance across all systems
Commands: aws ssm describe-instance-patch-states
Automated: true
Script Name: check_patch_compliance.sh
Validated By: Jane Consectetur
Validate Date: 6/16/2025
Validation Rules:
Rule 14.1.1: CompliantCount
Artifacts:
Patch Compliance Report
Reference: patch_compliance.json
Effective Date: 6/15/2025
Results: {"InstancePatchStates":[{"InstanceId":"i-1234567890abcdef0","PatchGroup":"lorem-patch-group","BaselineId":"pb-12345","SnapshotId":"s-12345","CriticalNonCompliantCount":0,"SecurityNonCompliantCount":1,"OtherNonCompliantCount":2,"InstalledCount":145,"InstalledOtherCount":23,"MissingCount":3,"FailedCount":0,"UnreportedNotApplicableCount":5,"NotApplicableCount":212,"OperationType":"Scan","OperationStartTime":"2025-06-15T10:00:00Z","OperationEndTime":"2025-06-15T10:30:00Z"}]}

Identity and Access Management (KSI-IAM)
Complete

KSI-IAM-1: Enforce phishing-resistant multi-factor authentication (MFA)
true
Implementation: Hardware security keys and AWS IAM MFA
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/17/2025
Digital Signature: 6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d
Remarks: FIDO2/WebAuthn MFA enforced for all privileged accounts

MFA Enforcement Policy: IAM policy requiring MFA for all users
ID: 15.1
Instructions: Review IAM policies for MFA requirements
Commands: aws iam list-policies --scope Local | jq '.Policies[] | select(.PolicyName | contains("MFA"))'
Automated: true
Script Name: check_mfa_policies.sh
Validated By: Jane Consectetur
Validate Date: 6/17/2025
Validation Rules:
Rule 15.1.1: aws:MultiFactorAuthPresent
Artifacts:
MFA Policy Document
Reference: mfa_policy.json
Effective Date: 6/16/2025
Results: {"Policy":{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*","Resource":"*","Condition":{"BoolIfExists":{"aws:MultiFactorAuthPresent":"false"}}}]}}

User MFA Status: Current MFA device assignments
ID: 15.2
Instructions: Audit user MFA device enrollment
Commands: aws iam list-users --query 'Users[*].[UserName]' | xargs -I {} aws iam list-mfa-devices --user-name {}
Automated: true
Script Name: audit_user_mfa.sh
Validated By: Jane Consectetur
Validate Date: 6/17/2025
Validation Rules:
Rule 15.2.1: MFADevices
Artifacts:
MFA Device Report
Reference: mfa_devices.json
Effective Date: 6/16/2025
Results: {"Users":[{"UserName":"lorem.admin","MFADevices":[{"UserName":"lorem.admin","SerialNumber":"arn:aws:iam::123456789012:mfa/lorem.admin","EnableDate":"2025-06-01T10:00:00Z"}]}]}

KSI-IAM-2: Enforce strong passwords
true
Implementation: IAM password policy with complexity requirements
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/17/2025
Digital Signature: 7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e
Remarks: Strong password policy enforced organization-wide

Password Policy Configuration: IAM account password policy settings
ID: 16.1
Instructions: Review current password policy requirements
Commands: aws iam get-account-password-policy
Automated: true
Script Name: check_password_policy.sh
Validated By: Jane Consectetur
Validate Date: 6/17/2025
Validation Rules:
Rule 16.1.1: "MinimumPasswordLength": 14
Rule 16.1.2: "RequireSymbols": True
Artifacts:
Password Policy
Reference: N/A
Effective Date: N/A

KSI-IAM-3: Use secure API authentication methods via industry standard protocols
true
Implementation: OAuth 2.0 and JWT tokens with API Gateway
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/17/2025
Digital Signature: 8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f
Remarks: API authentication uses industry standard OAuth 2.0

API Gateway Authorizers: API Gateway authentication configuration
ID: 17.1
Instructions: Review API Gateway authorizer settings
Commands: aws apigateway get-authorizers --rest-api-id lorem-api-id
Automated: true
Script Name: check_api_auth.sh
Validated By: Jane Consectetur
Validate Date: 6/17/2025
Validation Rules:
Rule 17.1.1: JWT
Rule 17.1.2: COGNITO_USER_POOLS
Artifacts:
API Authorizers Config
Reference: api_authorizers.json
Effective Date: 6/16/2025
Results: {"items":[{"id":"abc123","name":"lorem-jwt-authorizer","type":"JWT","jwtConfiguration":{"issuer":"https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE","audience":["lorem-client-id"]}}]}

Cognito User Pool Configuration: Cognito user pool OAuth settings
ID: 17.2
Instructions: Verify OAuth 2.0 configuration in Cognito
Commands: aws cognito-idp describe-user-pool --user-pool-id us-east-1_EXAMPLE
Automated: true
Script Name: check_cognito_oauth.sh
Validated By: Jane Consectetur
Validate Date: 6/17/2025
Validation Rules:
Rule 17.2.1: SupportedIdentityProviders
Artifacts:
Cognito User Pool Config
Reference: cognito_config.json
Effective Date: 6/16/2025
Results: {"UserPool":{"Id":"us-east-1_EXAMPLE","Name":"lorem-user-pool","Policies":{"PasswordPolicy":{"MinimumLength":14,"RequireUppercase":True,"RequireLowercase":True,"RequireNumbers":True,"RequireSymbols":True}},"AutoVerifiedAttributes":["email"],"MfaConfiguration":"ON"}}

KSI-IAM-4: Use a least-privileged, role-based, and just-in-time security model
true
Implementation: IAM roles with time-bound permissions and AWS IAM Identity Center
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/18/2025
Digital Signature: 9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a
Remarks: Least privilege access implemented with just-in-time elevation

IAM Role Permissions Audit: IAM roles and attached policies review
ID: 18.1
Instructions: Audit IAM roles for least privilege compliance
Commands: aws iam list-roles | jq '.Roles[] | select(.RoleName | startswith("lorem"))'
Automated: true
Script Name: audit_iam_roles.sh
Validated By: Jane Consectetur
Validate Date: 6/18/2025
Validation Rules:
Rule 18.1.1: AssumeRolePolicyDocument
Artifacts:
IAM Roles Audit
Reference: iam_roles_audit.json
Effective Date: 6/17/2025
Results: {"Roles":[{"RoleName":"lorem-app-role","AssumeRolePolicyDocument":"%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Service%22%3A%22ec2.amazonaws.com%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%7D%5D%7D","CreateDate":"2025-06-01T10:00:00Z","RoleId":"AROAEXAMPLE","MaxSessionDuration":3600}]}

Identity Center Permission Sets: AWS IAM Identity Center permission set configuration
ID: 18.2
Instructions: Review Identity Center permission sets for JIT access
Commands: aws sso-admin list-permission-sets --instance-arn arn:aws:sso:::instance/ssoins-EXAMPLE
Automated: true
Script Name: check_identity_center.sh
Validated By: Jane Consectetur
Validate Date: 6/18/2025
Validation Rules:
Rule 18.2.1: PermissionSets
Artifacts:
Identity Center Permission Sets
Reference: identity_center_perms.json
Effective Date: 6/17/2025
Results: {"PermissionSets":["arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE1","arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE2"]}

Session Duration Limits: Role session duration configuration
ID: 18.3
Instructions: Verify maximum session durations for all roles
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validate Date: 6/18/2025
Validation Rules:
Artifacts:
Session Duration Report
Reference: session_duration_report.pdf
Effective Date: 6/17/2025
Monitoring, Logging, and Auditing (KSI-MLA)
Complete
KSI-MLA-1: Operate a Security Information and Event Management (SIEM) system for centralized, tamper-resistent event, activity, and change logging
true
Implementation:Splunk SIEM with AWS CloudTrail integration
Status:true
Assessed By:Jane Consectetur
Assessed On:6/19/2025
Digital Signature:0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b
Remarks:SIEM operational with comprehensive log aggregation and tamper protection
SIEM Configuration: Splunk deployment and data source configuration
ID:19.1
Instructions:Review SIEM data sources and retention policies
Commands:N/A
Automated:N/A
Script Name:N/A
Validated By:Jane Consectetur
Validate Date:6/19/2025
Validation Rules:
Artifacts:
SIEM Data Sources Report
Reference: siem_data_sources.pdf
Effective Date: 6/18/2025
CloudTrail Integration: AWS CloudTrail to SIEM data flow
ID:19.2
Instructions:Verify CloudTrail logs are flowing to SIEM
Commands:aws cloudtrail describe-trails
Automated:true
Script Name:check_cloudtrail_siem.sh
Validated By:Jane Consectetur
Validate Date:6/19/2025
Validation Rules:
Rule 19.2.1: IsLogging
Artifacts:
CloudTrail Configuration
Reference: cloudtrail_config.json
Effective Date: 6/18/2025
Results: {"trailList":[{"Name":"lorem-cloudtrail","S3BucketName":"lorem-cloudtrail-logs","IncludeGlobalServiceEvents":True,"IsMultiRegionTrail":True,"HomeRegion":"us-east-1","IsLogging":True}]}
KSI-MLA-2: Regularly review and audit logs
true
Implementation:Automated log analysis with weekly security reviews
Status:true
Assessed By:Jane Consectetur
Assessed On:6/19/2025
Digital Signature:1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c
Remarks:Structured log review process with automated alerting
Log Review Procedures: Security log review documentation and schedules
ID:20.1
Instructions:Review log analysis procedures and audit trail
Commands:N/A
Automated:N/A
Script Name:N/A
Validated By:Jane Consectetur
Validate Date:6/19/2025
Validation Rules:
Artifacts:
Log Review Schedule
Reference: log_review_schedule.pdf
Effective Date: 6/18/2025
Sample Log Review Report
Reference: log_review_sample.pdf
Effective Date: 6/15/2025
KSI-MLA-3: Rapidly detect and remediate or mitigate vulnerabilities
true
Implementation:AWS Inspector with automated remediation workflows
Status:true
Assessed By:Jane Consectetur
Assessed On:6/20/2025
Digital Signature:2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d
Remarks:Vulnerability detection and remediation SLA met consistently
Vulnerability Detection Metrics: Mean time to detection and remediation metrics
ID:21.1
Instructions:Review vulnerability management KPIs
Commands:aws inspector2 list-findings --filter-criteria '{"findingStatus":[{"comparison":"EQUALS","value":"ACTIVE"}]}'
Automated:true
Script Name:vuln_metrics.sh
Validated By:Jane Consectetur
Validate Date:6/20/2025
Validation Rules:
Rule 21.1.1: findings
Artifacts:
Vulnerability Metrics Dashboard
Reference: vuln_metrics.json
Effective Date: 6/19/2025
Results: {"summary":{"totalFindings":45,"criticalFindings":2,"highFindings":8,"mediumFindings":23,"lowFindings":12},"metrics":{"averageMTTD":"18 hours","averageMTTR":"48 hours"}}
KSI-MLA-4: Perform authenticated vulnerability scanning on publicly accessible components
true
Implementation: Nessus authenticated scanning with API integration
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/20/2025
Digital Signature: 3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e
Remarks: Monthly authenticated scans of all public-facing systems
Authenticated Scan Results: Nessus authenticated vulnerability scan reports
ID: 22.1
Instructions: Review latest authenticated scan results for public systems
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validated On: 6/20/2025
Validation Rules:
Artifacts:
Nessus Scan Report
Reference: nessus_auth_scan.pdf
Effective Date: 6/19/2025
KSI-MLA-5: Perform Infrastructure as Code (IaC) and configuration scanning
true
Implementation: Checkov and AWS Config for IaC scanning
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/20/2025
Digital Signature: 4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f
Remarks: IaC scanning integrated into CI/CD pipeline
IaC Scan Results: Checkov Terraform scanning results
ID: 23.1
Instructions: Review IaC security scanning output
Commands: checkov -f terraform/main.tf --framework terraform
Automated: true
Script Name: run_iac_scan.sh
Validated By: Jane Consectetur
Validated On: 6/20/2025
Validation Rules:
Rule 23.1.1: PASSED
Artifacts:
Checkov Scan Results
Reference: checkov_results.json
Effective Date: 6/19/2025
Results: {"results":{"passed_checks":[{"check_id":"CKV_AWS_79","file_path":"terraform/main.tf","check_name":"Ensure Instance Metadata Service Version 1 is not enabled"}],"failed_checks":[],"skipped_checks":[]}}
KSI-MLA-6: Centrally track and prioritize the remediation of identified vulnerabilities
true
Implementation: Jira integration with vulnerability management workflow
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/21/2025
Digital Signature: 5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a
Remarks: Centralized vulnerability tracking with risk-based prioritization
Vulnerability Tracking System: Jira vulnerability management dashboard
ID: 24.1
Instructions: Review vulnerability tracking and prioritization workflow
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validated On: 6/21/2025
Validation Rules:
Artifacts:
Vulnerability Dashboard
Reference: vuln_dashboard_screenshot.png
Effective Date: 6/20/2025
Configuration Management (KSI-CM)
Complete
KSI-CM-1: Log and monitor system modifications
true
Implementation: AWS Config and CloudTrail for change tracking
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/21/2025
Digital Signature: 6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b
Remarks: All system modifications logged and monitored
AWS Config Rules: Configuration change detection rules
ID: 25.1
Instructions: Review AWS Config rules for change monitoring
Commands: aws configservice describe-config-rules
Automated: true
Script Name: check_config_rules.sh
Validated By: Jane Consectetur
Validated On: 6/21/2025
Validation Rules:
Rule 25.1.1: ConfigRules
Artifacts:
Config Rules Status
Reference: config_rules.json
Effective Date: 6/20/2025
Results: {"ConfigRules":[{"ConfigRuleName":"lorem-security-group-changes","ConfigRuleState":"ACTIVE","Source":{"Owner":"AWS","SourceIdentifier":"INCOMING_SSH_DISABLED"}}]}
KSI-CM-2: Execute changes through redeployment of version controlled immutable resources rather than direct modification wherever possible
true
Implementation: GitOps with Terraform and immutable infrastructure
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/22/2025
Digital Signature: 7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c
Remarks: Infrastructure deployed through version-controlled IaC templates
GitOps Workflow: Git-based infrastructure deployment process
ID: 26.1
Instructions: Review GitOps deployment pipeline and version control
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validated On: 6/22/2025
Validation Rules:
Artifacts:
GitOps Pipeline Documentation
Reference: gitops_pipeline.pdf
Effective Date: 6/21/2025
Terraform State Management: Terraform remote state configuration
ID: 26.2
Instructions: Verify Terraform state is managed remotely with locking
Commands: terraform show
Automated: true
Script Name: check_terraform_state.sh
Validated By: Jane Consectetur
Validated On: 6/22/2025
Validation Rules:
Rule 26.2.1: remote
Artifacts:
Terraform Backend Config
Reference: terraform_backend.tf
Effective Date: 6/21/2025
Results:
  terraform {
    backend "s3" {
      bucket         = "lorem-terraform-state"
      key            = "prod/terraform.tfstate"
      region         = "us-east-1"
      dynamodb_table = "lorem-terraform-locks"
      encrypt        = true
    }
  }
KSI-CM-3: Implement automated testing and validation of changes prior to deployment
true
Implementation: CI/CD pipeline with automated testing and security scans
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/22/2025
Digital Signature: 8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d
Remarks: Comprehensive automated testing in deployment pipeline
CI/CD Pipeline Configuration: GitHub Actions workflow with testing stages
ID: 27.1
Instructions: Review automated testing in CI/CD pipeline
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validated On: 6/22/2025
Validation Rules:
Artifacts:
GitHub Actions Workflow
Reference: github_actions.yml
Effective Date: 6/21/2025
Results:
  name: Deploy Infrastructure
  on: push
  jobs:
    test:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v3
        - name: Run Tests
          run: pytest tests/
        - name: Security Scan
          run: checkov -d .
        - name: Terraform Plan
          run: terraform plan
KSI-CM-4: Have a documented change management procedure
true
Implementation: ITIL-based change management with approval workflows
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/23/2025
Digital Signature: 9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e
Remarks: Formal change management process documented and followed
Change Management Policy: Documented change management procedures
ID: 28.1
Instructions: Review change management policy and procedures
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validated On: 6/23/2025
Validation Rules:
Artifacts:
Change Management Procedure
Reference: change_mgmt_policy.pdf
Effective Date: 6/22/2025
KSI-CM-5: Evaluate the risk and potential impact of any change
true
Implementation: Risk assessment matrix integrated into change approval process
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/23/2025
Digital Signature: 0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f
Remarks: Risk assessment required for all changes with documented impact analysis
Change Risk Assessment Form: Risk evaluation template and examples
ID: 29.1
Instructions: Review change risk assessment documentation
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validated On: 6/23/2025
Validation Rules:
Artifacts:
Risk Assessment Template
Reference: risk_assessment_template.pdf
Effective Date: 6/22/2025
Sample Risk Assessment
Reference: sample_risk_assessment.pdf
Effective Date: 6/20/2025
Policy and Inventory (KSI-PI)
Complete
KSI-PI-1: Have an up-to-date asset inventory or code defining all deployed assets
true
Implementation: AWS Config and Terraform state for asset inventory
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/24/2025
Digital Signature: 1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a
Remarks: Comprehensive asset inventory maintained through automated discovery
Asset Inventory Report: AWS resource discovery and inventory
ID: 30.1
Instructions: Generate current asset inventory from AWS Config
Commands: aws configservice get-resource-config-history --resource-type AWS::EC2::Instance
Automated: true
Script Name: generate_asset_inventory.sh
Validated By: Jane Consectetur
Validated On: 6/24/2025
Validation Rules:
Rule 30.1.1: resourceType
Artifacts:
Current Asset Inventory
Reference: asset_inventory.json
Effective Date: 6/24/2025
Results: {"assets":[{"resourceType":"AWS::EC2::Instance","resourceId":"i-1234567890abcdef0","resourceName":"lorem-web-server","tags":[{"key":"Environment","value":"Production"}],"region":"us-east-1"}],"totalAssets":247,"lastUpdated":"2025-06-24T10:00:00Z"}
KSI-PI-2: Have policies outlining their security objectives
true
Implementation: Comprehensive security policy framework
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/24/2025
Digital Signature: 2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b
Remarks: Security policies documented and regularly reviewed
Security Policy Framework: Complete set of security policies and procedures
ID: 31.1
Instructions: Review security policy documentation suite
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validated On: 6/24/2025
Validation Rules:
Artifacts:
Security Policy Index
Reference: security_policies_index.pdf
Effective Date: 6/23/2025
KSI-PI-3: Maintain a vulnerability disclosure program
true
Implementation: Public vulnerability disclosure policy and bug bounty program
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/25/2025
Digital Signature: 3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c
Remarks: Active vulnerability disclosure program with clear reporting procedures
Vulnerability Disclosure Policy: Public vulnerability reporting policy
ID: 32.1
Instructions: Review public vulnerability disclosure documentation
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validated On: 6/25/2025
Validation Rules:
Artifacts:
Vulnerability Disclosure Policy
Reference: vuln_disclosure_policy.pdf
Effective Date: 6/24/2025
KSI-PI-4: Build security considerations into the Software Development Lifecycle (SDLC) and align with Secure By Design principles
true
Implementation: DevSecOps practices with security integrated throughout SDLC
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/25/2025
Digital Signature: 4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d
Remarks: Security controls integrated throughout development lifecycle
Secure SDLC Documentation: DevSecOps practices and security gates
ID: 33.1
Instructions: Review secure development lifecycle procedures
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validated On: 6/25/2025
Validation Rules:
Artifacts:
Secure SDLC Process
Reference: secure_sdlc.pdf
Effective Date: 6/24/2025
Security Code Review Results: Static application security testing results
ID: 33.2
Instructions: Review SAST scan results from recent builds
Commands: sonar-scanner -Dsonar.projectKey=lorem-app
Automated: true
Script Name: run_sast_scan.sh
Validated By: Jane Consectetur
Validated On: 6/25/2025
Validation Rules:
Rule 33.2.1: security_hotspots
Artifacts:
SAST Scan Results
Reference: sast_results.json
Effective Date: 6/24/2025
Results: {"summary":{"security_hotspots":2,"vulnerabilities":0,"bugs":3,"code_smells":12},"security_rating":"A","status":"PASSED"}
KSI-PI-5: Document methods used to automatically evaluate implementations
true
Implementation: Automated compliance scanning and continuous monitoring
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/25/2025
Digital Signature: 5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e
Remarks: Automated evaluation methods documented and operational
Automated Evaluation Framework: Documentation of automated assessment tools and methods
ID: 34.1
Instructions: Review automated compliance evaluation documentation
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validated On: 6/25/2025
Validation Rules:
Artifacts:
Automated Evaluation Methods
Reference: automated_evaluation.pdf
Effective Date: 6/24/2025
KSI-PI-6: Have a dedicated staff and budget for security
true
Implementation: Security team with defined roles and allocated budget
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/26/2025
Digital Signature: 6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f
Remarks: Dedicated security organization with appropriate staffing and budget
Security Organization Chart: Security team structure and roles
ID: 35.1
Instructions: Review security organization structure and responsibilities
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validated On: 6/26/2025
Validation Rules:
Artifacts:
Security Org Chart
Reference: security_org_chart.pdf
Effective Date: 6/25/2025
Third Party Information Resources (KSI-3IR)
Complete
KSI-3IR-1: Regularly confirm that services storing Federal information are all FedRAMP authorized and securely configured
true
Implementation: FedRAMP marketplace verification and configuration audits
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/26/2025
Digital Signature: 7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a
Remarks: All third-party services verified against FedRAMP marketplace
FedRAMP Service Inventory: List of FedRAMP authorized services in use
ID: 36.1
Instructions: Review current third-party services against FedRAMP marketplace
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validated On: 6/26/2025
Validation Rules:
Artifacts:
FedRAMP Services List
Reference: fedramp_services.xlsx
Effective Date: 6/26/2025
KSI-3IR-2: Identify and prioritize potential supply chain risks
true
Implementation: Supply chain risk assessment framework with vendor evaluation
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/26/2025
Digital Signature: 8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b
Remarks: Comprehensive supply chain risk management program implemented
Supply Chain Risk Assessment: Vendor risk evaluation and prioritization matrix
ID: 37.1
Instructions: Review supply chain risk assessment documentation
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validated On: 6/26/2025
Validation Rules:
Artifacts:
Supply Chain Risk Matrix
Reference: supply_chain_risk_matrix.xlsx
Effective Date: 6/25/2025
KSI-3IR-3: Obtain a Software Bill of Materials (SBOM) for third party commercial software components
true
Implementation: SBOM collection and management for all third-party components
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/27/2025
Digital Signature: 9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c
Remarks: SBOMs obtained for all critical software components
SBOM Repository: Collection of software bills of materials
ID: 38.1
Instructions: Review SBOM documentation for third-party components
Commands: syft dir:. -o spdx-json
Automated: true
Script Name: generate_sbom.sh
Validated By: Jane Consectetur
Validated On: 6/27/2025
Validation Rules:
Rule 38.1.1: spdxVersion
Artifacts:
Master SBOM Inventory
Reference: sbom_inventory.json
Effective Date: 6/27/2025
Results: {"spdxVersion":"SPDX-2.3","packages":[{"SPDXID":"SPDXRef-Package-nodejs","name":"nodejs","downloadLocation":"https://nodejs.org","filesAnalyzed":false,"packageVerificationCode":{"packageVerificationCodeValue":"abc123"}}],"totalPackages":156}
KSI-3IR-4: Confirm that third party information resources have a Secure Software Development Attestation with CISA
true
Implementation: CISA attestation verification for all third-party software providers
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/27/2025
Digital Signature: 0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d
Remarks: All critical third-party providers have valid CISA attestations
CISA Attestation Registry: Tracking of vendor CISA secure development attestations
ID: 39.1
Instructions: Verify CISA attestation status for all third-party providers
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validated On: 6/27/2025
Validation Rules:
Artifacts:
Vendor Attestation Status
Reference: cisa_attestations.xlsx
Effective Date: 6/27/2025
KSI-3IR-5: Implement zero trust design principles
true
Implementation: Zero trust architecture with continuous verification and least privilege access
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/27/2025
Digital Signature: 1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e
Remarks: Zero trust principles implemented across all system components
Zero Trust Architecture Assessment: Implementation of zero trust design principles
ID: 40.1
Instructions: Review zero trust architecture documentation and controls
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validated On: 6/27/2025
Validation Rules:
Artifacts:
Zero Trust Architecture Plan
Reference: zero_trust_architecture.pdf
Effective Date: 6/26/2025
Cybersecurity Education (KSI-CE)
Complete
KSI-CE-1: Ensure all employees receive security awareness training
true
Implementation: Mandatory annual security awareness training program
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/28/2025
Digital Signature: 2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f
Remarks: 100% completion rate for mandatory security training
Security Training Completion Records: Employee security awareness training status
ID: 41.1
Instructions: Review training completion records and certificates
Commands: curl -H "Authorization: Bearer $API_TOKEN" https://training.api/completion-status
Automated: true
Script Name: check_training_completion.sh
Validated By: Jane Consectetur
Validated On: 6/28/2025
Validation Rules:
Rule 41.1.1: completion_rate
Artifacts:
Training Completion Report
Reference: training_completion.json
Effective Date: 6/28/2025
Results: {"total_employees":245,"completed_training":245,"completion_rate":"100%","last_updated":"2025-06-28T09:00:00Z"}
KSI-CE-2: Require role-specific training for high risk roles
true
Implementation: Specialized security training for privileged and high-risk positions
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/28/2025
Digital Signature: 3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a
Remarks: Role-specific training completed for all high-risk positions
Role-Specific Training Matrix: Specialized training requirements by role
ID: 42.1
Instructions: Review role-specific training completion for high-risk positions
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validated On: 6/28/2025
Validation Rules:
Artifacts:
High-Risk Role Training Status
Reference: role_specific_training.xlsx
Effective Date: 6/28/2025
Incident Response (KSI-IR)
Complete
KSI-IR-1: Define Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
true
Implementation: Documented RTO and RPO targets for all critical systems
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/29/2025
Digital Signature: 4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b
Remarks: RTO and RPO objectives defined and documented for all systems
Business Continuity Plan: RTO and RPO definitions for critical systems
ID: 43.1
Instructions: Review business continuity documentation
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validated On: 6/29/2025
Validation Rules:
Artifacts:
RTO/RPO Matrix
Reference: rto_rpo_matrix.xlsx
Effective Date: 6/28/2025
KSI-IR-2: Perform system backups aligned with the RTO and RPO
true
Implementation: Automated backup system with RTO/RPO compliance monitoring
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/29/2025
Digital Signature: 5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c
Remarks: Backup system meets all defined RTO and RPO requirements
Backup Verification Report: Backup system performance against RTO/RPO targets
ID: 44.1
Instructions: Verify backup completion and recovery capabilities
Commands: aws s3 ls s3://backup-bucket --recursive | grep "$(date +%Y-%m-%d)"
Automated: true
Script Name: verify_backups.sh
Validated By: Jane Consectetur
Validated On: 6/29/2025
Validation Rules:
Rule 44.1.1: backup_status
Artifacts:
Backup Status Report
Reference: backup_status.json
Effective Date: 6/29/2025
Results: {"backup_jobs":{"completed":47,"failed":0,"in_progress":0},"rpo_compliance":"100%","last_backup":"2025-06-29T02:00:00Z"}
KSI-IR-3: Test the capability to recover from incidents and contingencies
true
Implementation: Regular disaster recovery testing and tabletop exercises
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/30/2025
Digital Signature: 6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d
Remarks: Quarterly disaster recovery tests demonstrate full recovery capability
Disaster Recovery Test Results: Results from recent DR testing exercises
ID: 45.1
Instructions: Review disaster recovery test documentation
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validated On: 6/30/2025
Validation Rules:
Artifacts:
DR Test Report Q2 2025
Reference: dr_test_q2_2025.pdf
Effective Date: 6/29/2025
KSI-IR-4: Report incidents according to federal requirements
true
Implementation: Automated incident reporting system with federal compliance
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/30/2025
Digital Signature: 7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e
Remarks: Incident reporting procedures comply with all federal requirements
Incident Reporting Procedures: Federal incident reporting compliance documentation
ID: 46.1
Instructions: Review incident reporting procedures and compliance records
Commands: N/A
Automated: N/A
Script Name: N/A
Validated By: Jane Consectetur
Validated On: 6/30/2025
Validation Rules:
Artifacts:
Incident Reporting Log
Reference: incident_reporting_log.xlsx
Effective Date: 6/30/2025
KSI-IR-5: Maintain a log of incidents and periodically review past incidents for patterns or vulnerabilities
true
Implementation: Centralized incident logging with trend analysis and pattern recognition
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/30/2025
Digital Signature: 8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f
Remarks: Comprehensive incident logging with monthly trend analysis
Incident Trend Analysis: Quarterly review of incident patterns and trends
ID: 47.1
Instructions: Review incident log analysis and pattern identification
Commands: python3 analyze_incidents.py --period quarterly
Automated: true
Script Name: analyze_incidents.py
Validated By: Jane Consectetur
Validated On: 6/30/2025
Validation Rules:
Rule 47.1.1: incident_count
Artifacts:
Q2 2025 Incident Analysis
Reference: incident_analysis_q2_2025.json
Effective Date: 6/30/2025
Results: {"total_incidents":12,"critical":1,"high":3,"medium":5,"low":3,"common_patterns":["phishing attempts","failed authentication"],"trends":"decreasing"}
KSI-IR-6: Measure Mean Time To Detect (MTTD) and Mean Time To Resolution (MTTR) for incidents
true
Implementation: Automated MTTD and MTTR calculation with performance dashboards
Status: true
Assessed By: Jane Consectetur
Assessed On: 6/30/2025
Digital Signature: 9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a
Remarks: MTTD and MTTR metrics tracked and continuously improved
Incident Response Metrics Dashboard: Real-time MTTD and MTTR performance metrics
ID: 48.1
Instructions: Review incident response performance metrics
Commands: curl -H "Authorization: Bearer $API_TOKEN" https://metrics.api/incident-response
Automated: true
Script Name: get_ir_metrics.sh
Validated By: Jane Consectetur
Validated On: 6/30/2025
Validation Rules:
Rule 48.1.1: avg_mttd
Rule 48.1.2: avg_mttr
Artifacts:
Incident Response Metrics
Reference: ir_metrics.json
Effective Date: 6/30/2025
Results: {"avg_mttd":"15 minutes","avg_mttr":"2.5 hours","incidents_resolved":47,"sla_compliance":"98%","period":"Q2 2025"}