FedRAMP — Federal Risk and Authorization Management Program · vRev 5
FedRAMP — Federal Risk and Authorization Management Program — 93% covered.
159 requirements · 144 enforced · 0 designed · 15 advisory · 0 deferred.
Source: GSA FedRAMP PMO — Rev 5 baselines (Low / Moderate / High) cross-walked via NIST SP 800-53 Rev 5 · License: Public Domain (U.S. Federal Government)
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| AC — Access Control | 39 | 35 | 0 | 4 | 0 | 92% |
| AU — Audit & Accountability | 20 | 20 | 0 | 0 | 0 | 100% |
| FedRAMP Baselines | 3 | 3 | 0 | 0 | 0 | 100% |
| CM — Configuration Management | 10 | 9 | 0 | 1 | 0 | 93% |
| CP — Contingency Planning | 8 | 7 | 0 | 1 | 0 | 91% |
| IR — Incident Response | 9 | 8 | 0 | 1 | 0 | 92% |
| RA — Risk Assessment | 6 | 6 | 0 | 0 | 0 | 100% |
| IA — Identification & Authentication | 19 | 17 | 0 | 2 | 0 | 92% |
| SC — System & Communications Protection | 27 | 22 | 0 | 5 | 0 | 86% |
| SI — System & Information Integrity | 18 | 17 | 0 | 1 | 0 | 96% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
| fedramp.AC-1 | AC-1 — Policy and procedures for access control | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-2 | AC-2 — Account management — establishment, activation, modification, review, removal | enforced | audit_events: kye.authority.grant.v1, kye.admin.api_key.issued.v1, kye.admin.api_key.revoked.v1, kye.signal.revocation.cascaded.v1 · engines: internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-2.1 | AC-2(1) — Automated system account management | enforced | audit_events: kye.admin.api_key.issued.v1, kye.admin.api_key.revoked.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-2.2 | AC-2(2) — Automated temporary + emergency account management | enforced | audit_events: kye.admin.entitlement.expired.v1, kye.authority.grant.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-2.3 | AC-2(3) — Disable accounts after defined period of inactivity | enforced | audit_events: kye.admin.entitlement.expired.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-2.4 | AC-2(4) — Automated audit actions for account creation, modification, enable/disable, removal | enforced | audit_events: kye.audit.event.v1, kye.authority.grant.v1, kye.admin.tenant.revoked.v1 · engines: internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.AC-2.5 | AC-2(5) — Inactivity logout | enforced | audit_events: kye.authority.grant.v1 · engines: internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-2.7 | AC-2(7) — Privileged user accounts — role-based, tracked, audited | enforced | audit_events: kye.authority.grant.v1, kye.governedui.approval.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/36-GOVERNEDUI.md |
| fedramp.AC-2.9 | AC-2(9) — Restrictions on use of shared / group accounts | enforced | audit_events: kye.authority.grant.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/01-NAMING.md |
| fedramp.AC-2.12 | AC-2(12) — Account monitoring — atypical usage detected and reported | enforced | audit_events: kye.signal.drift.detected.v1, kye.signal.incident.opened.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.AC-3 | AC-3 — Access enforcement | enforced | audit_events: kye.purpose.permission.v1, kye.purpose.admissibility.v1, kye.evidence.decision_map.v1 · engines: internal, internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-3.4 | AC-3(4) — Discretionary access control — DAC for non-organisational use cases | enforced | audit_events: kye.authority.delegation.v1, kye.consent.acceptance.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-4 | AC-4 — Information flow enforcement | enforced | audit_events: kye.evidence.tool_call_pin.v1, kye.purpose.admissibility.v1 · engines: internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/31-DATA-GOVERNANCE-PACK.md |
| fedramp.AC-4.4 | AC-4(4) — Flow control of encrypted information | enforced | audit_events: kye.evidence.tool_call_pin.v1 · engines: internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-4.21 | AC-4(21) — Physical / logical separation of information flows | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal, internal · constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.AC-5 | AC-5 — Separation of duties | enforced | audit_events: kye.governedui.approval.v1, kye.purpose.grant.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/36-GOVERNEDUI.md |
| fedramp.AC-6 | AC-6 — Least privilege | enforced | audit_events: kye.purpose.permission.v1, kye.evidence.decision_map.v1 · engines: internal, internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-6.1 | AC-6(1) — Authorise access to security functions | enforced | audit_events: kye.authority.grant.v1, kye.governedui.approval.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-6.2 | AC-6(2) — Non-privileged access for non-security functions | enforced | audit_events: kye.authority.grant.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-6.5 | AC-6(5) — Privileged accounts restricted to specific personnel + roles | enforced | audit_events: kye.authority.grant.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-6.7 | AC-6(7) — Review of user privileges | enforced | audit_events: kye.compliance.attestation.v1, kye.authority.grant.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-6.9 | AC-6(9) — Log use of privileged functions | enforced | audit_events: kye.audit.event.v1, kye.authority.grant.v1 · engines: internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.AC-6.10 | AC-6(10) — Prohibit non-privileged users from executing privileged functions | enforced | audit_events: kye.purpose.admissibility.v1, kye.signal.decision.denied.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-7 | AC-7 — Unsuccessful logon attempts — limit + lockout | advisory | constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-8 | AC-8 — System use notification | enforced | audit_events: kye.consent.acceptance.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-11 | AC-11 — Device lock after period of inactivity | advisory | constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-12 | AC-12 — Session termination — idle + absolute | enforced | audit_events: kye.authority.grant.v1 · engines: internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-14 | AC-14 — Permitted actions without identification or authentication | enforced | audit_events: kye.purpose.admissibility.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-17 | AC-17 — Remote access — authorised, monitored, encrypted | enforced | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1 · engines: internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-17.1 | AC-17(1) — Automated monitoring + control of remote access | enforced | audit_events: kye.signal.drift.detected.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.AC-17.2 | AC-17(2) — Protection of confidentiality + integrity using cryptography | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.AC-17.3 | AC-17(3) — Managed access control points | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.AC-17.4 | AC-17(4) — Privileged commands + access via dedicated, documented channels | enforced | audit_events: kye.governedui.approval.v1, kye.audit.event.v1 · engines: internal · constitution_refs: constitution/36-GOVERNEDUI.md |
| fedramp.AC-18 | AC-18 — Wireless access — authorisation + monitoring | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.AC-19 | AC-19 — Access control for mobile devices | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.AC-20 | AC-20 — Use of external information systems | enforced | audit_events: kye.federation.cross_org_delegation.v1, kye.subprocessor.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/51-NO-SPOF.md |
| fedramp.AC-20.1 | AC-20(1) — Limits on use of external systems | enforced | audit_events: kye.evidence.tool_call_pin.v1, kye.federation.cross_org_delegation.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-21 | AC-21 — Information sharing — purpose-bounded | enforced | audit_events: kye.purpose.grant.v1, kye.evidence.tool_call_pin.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AC-22 | AC-22 — Publicly accessible content — controlled disclosure | enforced | audit_events: kye.purpose.admissibility.v1 · engines: internal · constitution_refs: constitution/06-WEBSITE.md |
| fedramp.AU-1 | AU-1 — Policy and procedures for audit + accountability | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.AU-2 | AU-2 — Event logging — every PEP / PDP / engine emits to the chain | enforced | audit_events: kye.audit.event.v1, kye.evidence.decision_map.v1 · engines: internal, internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.AU-3 | AU-3 — Content of audit records — who / what / when / where / outcome / source / identity | enforced | audit_events: kye.audit.event.v1, kye.evidence.decision_map.v1 · engines: internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.AU-3.1 | AU-3(1) — Additional audit information — decision inputs, model + prompt hashes, tool-call ledger pointer | enforced | audit_events: kye.evidence.observed_action.v1, kye.evidence.tool_call_pin.v1 · engines: internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.AU-4 | AU-4 — Audit log storage capacity | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.AU-5 | AU-5 — Response to audit logging failures — fail-closed | enforced | audit_events: kye.signal.incident.opened.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.AU-6 | AU-6 — Audit record review + reporting | enforced | audit_events: kye.signal.drift.detected.v1, kye.compliance.attestation.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.AU-6.1 | AU-6(1) — Automated process integration | enforced | audit_events: kye.signal.drift.detected.v1 · engines: internal · constitution_refs: constitution/35-STREAMING-LOGS.md |
| fedramp.AU-6.3 | AU-6(3) — Correlate audit record repositories | enforced | audit_events: kye.audit.event.v1 · engines: internal · constitution_refs: constitution/35-STREAMING-LOGS.md |
| fedramp.AU-7 | AU-7 — Audit reduction + report generation | enforced | audit_events: kye.evidence.pack.v1 · engines: internal, internal · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| fedramp.AU-7.1 | AU-7(1) — Automatic processing | enforced | audit_events: kye.evidence.pack.v1 · engines: internal · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| fedramp.AU-8 | AU-8 — Time stamps — UTC, RFC 3339 nanosecond precision | enforced | audit_events: kye.compliance.attestation.v1, kye.signal.drift.detected.v1 · engines: internal · constitution_refs: constitution/35-STREAMING-LOGS.md |
| fedramp.AU-9 | AU-9 — Protection of audit information | enforced | audit_events: kye.audit.event.v1 · engines: internal, internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.AU-9.2 | AU-9(2) — Store on separate physical systems / components | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/51-NO-SPOF.md |
| fedramp.AU-9.3 | AU-9(3) — Cryptographic protection — signed events + integrity verification | enforced | audit_events: kye.audit.event.v1, kye.replay.proof.v1 · engines: internal, internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.AU-9.4 | AU-9(4) — Access by subset of privileged users | enforced | audit_events: kye.purpose.permission.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.AU-10 | AU-10 — Non-repudiation | enforced | audit_events: kye.audit.event.v1, kye.replay.proof.v1 · engines: internal, internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.AU-11 | AU-11 — Audit record retention — 3 years online, 6 years total (FedRAMP-Mod default) | enforced | audit_events: kye.audit_retention_policy.v1, kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.AU-12 | AU-12 — Audit generation — every engine emits to a single global chain per tenant | enforced | audit_events: kye.audit.event.v1 · engines: internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.AU-12.1 | AU-12(1) — Compile records from across the system | enforced | audit_events: kye.audit.event.v1 · engines: internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.baseline.low | FedRAMP Low baseline — minimum NIST SP 800-53 Rev 5 controls for low-impact federal systems | enforced | audit_events: kye.evidence.decision_map.v1, kye.evidence.pack.v1, kye.compliance.attestation.v1 · engines: internal, internal · constitution_refs: constitution/00-INDEX.md, constitution/13-RESILIENCE-LOOP.md, constitution/21-DELEGATED-AUDITABILITY.md |
| fedramp.baseline.moderate | FedRAMP Moderate baseline — NIST SP 800-53 Rev 5 controls for moderate-impact federal systems | enforced | audit_events: kye.evidence.decision_map.v1, kye.evidence.pack.v1, kye.purpose.admissibility.v1, kye.compliance.attestation.v1, kye.audit_retention_policy.v1 · engines: internal, internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/21-DELEGATED-AUDITABILITY.md, constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.baseline.high | FedRAMP High baseline — NIST SP 800-53 Rev 5 controls for high-impact federal systems | enforced | audit_events: kye.evidence.decision_map.v1, kye.evidence.pack.v1, kye.purpose.admissibility.v1, kye.purpose.grant.v1, kye.compliance.attestation.v1, kye.audit_retention_policy.v1, kye.federation.cross_org_delegation.v1, kye.evidence.trace_replay_spec.v1 · engines: internal, internal, internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/21-DELEGATED-AUDITABILITY.md, constitution/30-AUDIT-WORM-RETENTION.md, constitution/51-NO-SPOF.md |
| fedramp.CM-1 | CM-1 — Policy and procedures for configuration management | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| fedramp.CM-2 | CM-2 — Baseline configuration | enforced | audit_events: kye.signal.drift.detected.v1 · engines: internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md · rule_packs: kye:rule-pack:public-sector-governance |
| fedramp.CM-3 | CM-3 — Configuration change control | enforced | audit_events: kye.governedui.approval.v1, kye.evidence.decision_map.v1 · engines: internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| fedramp.CM-4 | CM-4 — Impact analyses | enforced | audit_events: kye.assurance.risk_assessment.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.CM-5 | CM-5 — Access restrictions for change | enforced | audit_events: kye.governedui.approval.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.CM-6 | CM-6 — Configuration settings — declarative + hashed | enforced | audit_events: kye.signal.drift.detected.v1 · engines: internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| fedramp.CM-7 | CM-7 — Least functionality | enforced | audit_events: kye.purpose.admissibility.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.CM-8 | CM-8 — System component inventory | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| fedramp.CM-10 | CM-10 — Software usage restrictions | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| fedramp.CM-11 | CM-11 — User-installed software | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.CP-1 | CP-1 — Policy and procedures for contingency planning | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.CP-2 | CP-2 — Contingency plan | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/51-NO-SPOF.md |
| fedramp.CP-3 | CP-3 — Contingency training | advisory | constitution_refs: constitution/39-LEARN-RAIL.md |
| fedramp.CP-4 | CP-4 — Contingency plan testing — replay rail validates RPO/RTO | enforced | audit_events: kye.assurance.audit_replay_report.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.CP-6 | CP-6 — Alternate storage site — cross-region R2 replication | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| fedramp.CP-7 | CP-7 — Alternate processing site | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| fedramp.CP-9 | CP-9 — System backup | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.CP-10 | CP-10 — Recovery and reconstitution | enforced | audit_events: kye.assurance.audit_replay_report.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.IR-1 | IR-1 — Policy and procedures for incident response | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.IR-2 | IR-2 — Incident response training | advisory | constitution_refs: constitution/39-LEARN-RAIL.md |
| fedramp.IR-3 | IR-3 — Incident response testing | enforced | audit_events: kye.assurance.audit_replay_report.v1, kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.IR-4 | IR-4 — Incident handling | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.revocation.cascaded.v1, kye.signal.incident.closed.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.IR-5 | IR-5 — Incident monitoring | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.drift.detected.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.IR-6 | IR-6 — Incident reporting — US-CERT channel | enforced | audit_events: kye.comms.dispatch.v1, kye.signal.incident.opened.v1 · engines: internal, internal · constitution_refs: constitution/38-COMMS-RAIL.md |
| fedramp.IR-7 | IR-7 — Incident response assistance | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.IR-8 | IR-8 — Incident response plan | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.IR-9 | IR-9 — Information spillage response | enforced | audit_events: kye.signal.revocation.cascaded.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.RA-1 | RA-1 — Policy and procedures for risk assessment | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.RA-2 | RA-2 — Security categorisation — FIPS 199 mapping | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal, internal · constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| fedramp.RA-3 | RA-3 — Risk assessment | enforced | audit_events: kye.assurance.risk_assessment.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.RA-5 | RA-5 — Vulnerability monitoring + scanning | enforced | audit_events: kye.signal.drift.detected.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.RA-5.2 | RA-5(2) — Update vulnerabilities to be scanned | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.RA-7 | RA-7 — Risk response — POA&M | enforced | audit_events: kye.resilience.improvement_record.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.IA-1 | IA-1 — Policy and procedures for identification + authentication | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.IA-2 | IA-2 — Identification and authentication (organizational users) | enforced | audit_events: kye.authority.grant.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.IA-2.1 | IA-2(1) — MFA for privileged accounts | enforced | audit_events: kye.authority.grant.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.IA-2.2 | IA-2(2) — MFA for non-privileged accounts | enforced | audit_events: kye.authority.grant.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.IA-2.5 | IA-2(5) — Individual authentication with group authentication | enforced | audit_events: kye.authority.grant.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.IA-2.8 | IA-2(8) — Replay-resistant authentication | enforced | audit_events: kye.authority.grant.v1, kye.replay.proof.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.IA-2.12 | IA-2(12) — Acceptance of PIV credentials | enforced | audit_events: kye.authority.grant.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.IA-3 | IA-3 — Device identification + authentication | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal, internal · constitution_refs: constitution/25-EDGE-GOVERNANCE.md |
| fedramp.IA-4 | IA-4 — Identifier management — uniqueness + lifecycle | enforced | audit_events: kye.authority.grant.v1 · engines: internal, internal · constitution_refs: constitution/01-NAMING.md |
| fedramp.IA-4.4 | IA-4(4) — Identify status of users — active / inactive / suspended | enforced | audit_events: kye.admin.entitlement.expired.v1, kye.admin.entitlement.renewed.v1, kye.admin.tenant.revoked.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.IA-5 | IA-5 — Authenticator management — generation, distribution, storage, rotation | enforced | audit_events: kye.admin.api_key.issued.v1, kye.admin.api_key.revoked.v1, kye.compliance.attestation.v1 · engines: internal, internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.IA-5.1 | IA-5(1) — Password-based authentication (when applicable) | advisory | constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.IA-5.2 | IA-5(2) — PKI-based authentication | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal, internal · constitution_refs: constitution/25-EDGE-GOVERNANCE.md |
| fedramp.IA-5.6 | IA-5(6) — Protection of authenticators — private key never leaves boundary | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/51-NO-SPOF.md |
| fedramp.IA-6 | IA-6 — Authentication feedback — does not reveal enumeration | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.IA-7 | IA-7 — Cryptographic module authentication | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| fedramp.IA-8 | IA-8 — Identification and authentication (non-organizational users) | enforced | audit_events: kye.federation.cross_org_delegation.v1, kye.subprocessor.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.IA-11 | IA-11 — Re-authentication at risk threshold | enforced | audit_events: kye.authority.grant.v1 · engines: internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.IA-12 | IA-12 — Identity proofing | advisory | constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.SC-1 | SC-1 — Policy and procedures for system + communications protection | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.SC-2 | SC-2 — Separation of system and user functionality | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| fedramp.SC-4 | SC-4 — Information in shared system resources — no residual disclosure | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.SC-5 | SC-5 — Denial-of-service protection | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.SC-7 | SC-7 — Boundary protection — tenant proxy + mTLS engine-to-engine | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal, internal · constitution_refs: constitution/16-EDGE-RUNTIME.md, constitution/25-EDGE-GOVERNANCE.md |
| fedramp.SC-7.3 | SC-7(3) — Limit number of access points | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.SC-7.4 | SC-7(4) — External telecommunications services | enforced | audit_events: kye.subprocessor.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| fedramp.SC-7.5 | SC-7(5) — Deny by default — allow by exception | enforced | audit_events: kye.purpose.admissibility.v1 · engines: internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.SC-7.7 | SC-7(7) — Prevent split tunneling for remote devices | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.SC-7.8 | SC-7(8) — Route traffic to authenticated proxy servers | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.SC-8 | SC-8 — Transmission confidentiality + integrity | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.SC-8.1 | SC-8(1) — Cryptographic protection | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.SC-10 | SC-10 — Network disconnect — session timeout + re-auth | enforced | audit_events: kye.authority.grant.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.SC-12 | SC-12 — Cryptographic key establishment + management | enforced | audit_events: kye.admin.api_key.issued.v1, kye.admin.api_key.revoked.v1 · engines: internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.SC-12.1 | SC-12(1) — Availability — backup of cryptographic keys | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| fedramp.SC-13 | SC-13 — Cryptographic protection — approved algorithms | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.SC-15 | SC-15 — Collaborative computing devices — explicit user activation | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.SC-17 | SC-17 — PKI certificates — internal CA for engine certs | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/25-EDGE-GOVERNANCE.md |
| fedramp.SC-18 | SC-18 — Mobile code — none in PDP/PEP path | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| fedramp.SC-20 | SC-20 — Secure name + address resolution (authoritative) | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.SC-21 | SC-21 — Secure name + address resolution (recursive) | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.SC-22 | SC-22 — Architecture + provisioning for name + address resolution | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.SC-23 | SC-23 — Session authenticity | enforced | audit_events: kye.authority.grant.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.SC-28 | SC-28 — Protection of information at rest — BYOK envelope encryption | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.SC-28.1 | SC-28(1) — Cryptographic protection of at-rest information | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.SC-39 | SC-39 — Process isolation | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.SC-45 | SC-45 — System time synchronization | enforced | audit_events: kye.signal.drift.detected.v1 · engines: internal · constitution_refs: constitution/35-STREAMING-LOGS.md |
| fedramp.SI-1 | SI-1 — Policy and procedures for system + information integrity | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.SI-2 | SI-2 — Flaw remediation — patch SLO per severity | enforced | audit_events: kye.signal.drift.detected.v1, kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.SI-2.2 | SI-2(2) — Automated flaw remediation status | enforced | audit_events: kye.signal.drift.detected.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.SI-2.3 | SI-2(3) — Time-to-remediation tracking | enforced | audit_events: kye.compliance.attestation.v1, kye.resilience.improvement_record.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.SI-3 | SI-3 — Malicious code protection | enforced | audit_events: kye.signal.incident.opened.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.SI-4 | SI-4 — System monitoring | enforced | audit_events: kye.signal.drift.detected.v1, kye.signal.incident.opened.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/35-STREAMING-LOGS.md |
| fedramp.SI-4.2 | SI-4(2) — Automated tools for real-time analysis | enforced | audit_events: kye.signal.drift.detected.v1 · engines: internal · constitution_refs: constitution/35-STREAMING-LOGS.md |
| fedramp.SI-4.4 | SI-4(4) — Inbound + outbound communications traffic monitoring | enforced | audit_events: kye.evidence.tool_call_pin.v1, kye.signal.drift.detected.v1 · engines: internal, internal · constitution_refs: constitution/16-EDGE-RUNTIME.md |
| fedramp.SI-4.5 | SI-4(5) — System-generated alerts | enforced | audit_events: kye.signal.incident.opened.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.SI-5 | SI-5 — Security alerts + advisories | enforced | audit_events: kye.signal.drift.detected.v1, kye.comms.dispatch.v1 · engines: internal, internal · constitution_refs: constitution/38-COMMS-RAIL.md |
| fedramp.SI-6 | SI-6 — Security and privacy function verification | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.SI-7 | SI-7 — Software, firmware, information integrity | enforced | audit_events: kye.signal.drift.detected.v1, kye.signal.revocation.cascaded.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.SI-7.1 | SI-7(1) — Integrity checks performed at startup + periodically | enforced | audit_events: kye.signal.drift.detected.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.SI-7.7 | SI-7(7) — Detect unauthorised changes | enforced | audit_events: kye.resilience.drift.detected.v1, kye.signal.revocation.cascaded.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| fedramp.SI-10 | SI-10 — Information input validation | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| fedramp.SI-11 | SI-11 — Error handling — no PII / no stack in client errors | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| fedramp.SI-12 | SI-12 — Information management + retention | enforced | audit_events: kye.audit_retention_policy.v1 · engines: internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| fedramp.SI-16 | SI-16 — Memory protection — CSP-inherited | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |