Unclassified // For Official Use Only
Aiudit Security & Compliance Dossier

Form AIUDIT-PUB-SEC-0007 · Security & Compliance Dossier

Authorization posture for U.S. federal, defense, state, and law-enforcement deployments.

Aiudit is architected to the highest U.S. cloud-authorization baselines. This dossier maps platform capabilities to FedRAMP High, DoD IL5, StateRAMP, and CJIS controls, and enumerates the artifacts an authorizing official, 3PAO, or inspector general can pull directly from a live tenant.

BASELINE
NIST SP 800-53 Rev. 5 High
CRYPTO
FIPS 140-3 · CNSA 2.0
AUDIT
SHA-256 chain · Merkle seal
ANCHOR
OpenTimestamps · Stellar

01 · AIUDIT-FED-01

FedRAMP High

GSA / FedRAMP PMO · NIST SP 800-53 Rev. 5 — High baseline (421 controls)

Authorization-ready

Scope

Single-tenant or GovCloud (US) deployment. SaaS boundary covers Aiudit control plane, evidence ledger, and ZK verifier.

Posture summary

Architected to the High baseline with FIPS 140-3 validated cryptography, hash-chained audit, and continuous-ATO telemetry. 3PAO assessment package generated from /ato as OSCAL 1.1 SAR JSON.

Representative control mapping

Control · Family · Title · Aiudit implementation
AC-2 · Access Control · Account management · RBAC with specialized oversight roles; provisioning via signed invitations; quarterly attestation export.
AC-4 · Access Control · Information flow enforcement · Classification-aware redaction on every API; sovereign exchange bundles for cross-domain transfer.
AU-2 / AU-10 · Audit · Event logging & non-repudiation · SHA-256 hash-chained audit ledger, Merkle-sealed evidence packages, OpenTimestamps + Stellar anchoring.
CA-7 · Continuous Monitoring · Continuous monitoring · /ato dashboard with control-by-control posture, drift detection, and OSCAL SAR export.
CM-3 · Configuration Mgmt · Configuration change control · Policy registry + guardrail bundles versioned; M-of-N quorum required for high-impact changes.
IA-2 (1)(2) · Identification & Auth · MFA for privileged / network access · Ed25519 multi-party signatures; WebAuthn / PIV-CAC compatible auth integration.
IR-4 / IR-6 · Incident Response · Incident handling & reporting · Incidents module with EU AI Act Art. 73 regulatory clock; one-click Black Box NTSB-style export.
SC-12 / SC-13 · System Comms · Cryptographic key establishment & use · FIPS façade in src/lib/aiudit/crypto/fips.ts; CNSA 2.0 algorithm selection.
SI-4 · System Integrity · System monitoring · Continuous agent telemetry ingestion, EWS anomaly detection (Z-score + Poisson).
SR-3 / SR-6 · Supply Chain · Supply chain controls & assessments · Third-party AI vendor module with NIST AI RMF-mapped weighted risk scoring.

02 · AIUDIT-DOD-01

DoD Impact Level 5 (IL5)

DISA — DoD Cloud Computing SRG · FedRAMP High + DoD SRG IL5 overlay (CUI, NSS-adjacent, mission-critical)

Authorization-ready

Scope

Dedicated tenancy on DoD-authorized cloud (e.g., AWS GovCloud, Azure Government, Oracle Government). Up to CUI Specified and unclassified NSS workloads.

Posture summary

IL5 overlay applied: dedicated infrastructure, CAC/PIV-only privileged access, CNSA 2.0 cryptographic suite, and air-gapped sovereign-deployment mode for disconnected operations.

Representative control mapping

Control · Family · Title · Aiudit implementation
SRG 5.1.1 · Tenancy · Physical and logical separation · Single-tenant deployment topology documented in /deployment; no shared compute with non-DoD workloads.
SRG 5.6.1 · Personnel · U.S. persons only for privileged ops · Role assignment gated by personnel attribute claims; foreign-national flagging in audit ledger.
SRG 5.10.1 · Connectivity · CAP / BCAP routing · Network egress configured for NIPRNet via BCAP; IL5-eligible regions enforced.
SRG 5.11 · Crypto · FIPS 140-3 validated modules · FIPS façade isolates approved providers; CNSA 2.0 algorithms selectable per environment.
AC-17 (DoD) · Remote Access · Privileged remote access · Ed25519 quorum + CAC/PIV; all privileged sessions counter-signed and ledgered.
AU-9 (DoD) · Audit · Tamper-evident audit · Hash-chained ledger with public anchoring; air-gap export via signed sovereign bundles.
MP-5 (DoD) · Media Protection · Media transport (cross-domain) · Sovereign exchange bundles (WebCrypto AES-GCM + X25519) for hand-carry between enclaves.
SC-7 (22) · Boundary Protection · Separate subnets for connected systems · External integration API enforces classification ceiling and IP allowlists per credential.
CM-7 (DoD) · Least Functionality · Service whitelisting · Pilot mode restricts production actions; guardrail bundles enumerate permitted tools.

03 · AIUDIT-STR-01

StateRAMP Moderate / High

StateRAMP PMO · NIST SP 800-53 Rev. 5 — Moderate or High (reciprocity with FedRAMP)

Authorization-ready

Scope

State, local, tribal, and territorial (SLTT) deployments. Common authorization reusable across participating states and authorized vendor list.

Posture summary

Reciprocity-first: the FedRAMP authorization package and OSCAL SAR are accepted by StateRAMP with minimal jurisdictional addenda. Multi-tenant SaaS with per-state data residency enforcement.

Representative control mapping

Control · Family · Title · Aiudit implementation
AC-3 · Access Control · Access enforcement (per-state) · Multi-tenant RLS scoped by org_id; per-jurisdiction visibility on CIX and intel exchanges.
AT-3 · Awareness & Training · Role-based security training · Aiudit Academy: ~18 modules, role-based paths, completion ledgered for evidence.
CA-2 · Assessment · Control assessments · Evidence packages sealed with Merkle root + multi-party counter-signatures; auditor-shareable.
CP-9 · Contingency Planning · System backup · Versioned artifact snapshots; ledger replication; legal-hold triggers block destructive mutations.
PL-2 · Planning · System security and privacy plans · SSP/PSP scaffolding emitted from policy registry and harmonization engine.
SA-9 · Acquisition · External system services · Third-party vendor module + ingestion webhook; supplier risk surfaced in evidence packs.
SI-7 · System Integrity · Software, firmware, and information integrity · SHA-256 + Ed25519 attestations on every governance artifact; drift detection on sealed packages.

04 · AIUDIT-CJIS-01

CJIS Security Policy

FBI Criminal Justice Information Services Division · CJIS Security Policy v5.9.x (and v6 alignment)

Authorization-ready

Scope

Law-enforcement deployments handling Criminal Justice Information (CJI). Applies when Aiudit oversees agents that ingest CJI or produce decisions on CJI.

Posture summary

CJIS overlay covers advanced authentication, encryption-in-transit/at-rest, personnel screening, and 7-year auditability. CJI never leaves the authorized boundary; intel exchange operates on differential-privacy aggregates only.

Representative control mapping

Control · Family · Title · Aiudit implementation
CJIS 5.2 · Awareness & Training · Security awareness training · Mandatory Academy track for CJI-handling roles; completion ledgered with timestamps.
CJIS 5.3 · Incident Response · Incident response · Incidents module with 24-hour breach reporting clock; Black Box export for IR retros.
CJIS 5.4 · Audit & Accountability · Auditing & accountability (7-year retention) · Hash-chained audit + 50+ year intergenerational ledger; tamper-evident, replication-ready.
CJIS 5.5 · Access Control · Access control · RBAC + ABAC via role-claim predicates in constitution DSL; least-privilege defaults.
CJIS 5.6 · Identification & Auth · Advanced authentication · MFA via WebAuthn / PIV; Ed25519 quorum for sensitive actions.
CJIS 5.7 · Configuration Mgmt · Configuration management · Versioned policies + guardrail bundles; promotion gates require quorum approval.
CJIS 5.8 · Media Protection · Media protection · Sovereign bundles encrypted (X25519 + AES-GCM) for any media transport.
CJIS 5.10 · System & Comms · Encryption (FIPS 140-3) · FIPS façade; TLS 1.3 with FIPS-approved cipher suites enforced.
CJIS 5.12 · Personnel Security · Personnel security screening · Role assignment hooks support fingerprint-based background-check attestation evidence.

Cross-program guarantees

Engineering controls that satisfy every program in this dossier.

FIPS 140-3 cryptographic core

All hashing, signing, and key derivation are routed through a FIPS façade with CNSA 2.0 algorithm selection.

M-of-N Ed25519 quorum

Privileged actions require multi-party signatures and are ledgered together with their counter-signatures.

Tamper-evident audit

SHA-256 hash-chain + Merkle-sealed evidence packages + public anchoring.
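To make the two layers of this guarantee concrete, here is an added illustration (not Aiudit's own code) of a SHA-256 hash chain with a Merkle seal over its entry hashes, and of why the externally anchored root matters: an edit that re-hashes the whole chain still passes the link check, and only the anchored root exposes it. The ledger events, the canonical JSON serialization and the odd-leaf duplication rule are constructed assumptions.

```python
import hashlib
import json

# Constructed sample ledger events (not real tenant data).
EVENTS = [
    {"seq": 1, "actor": "ao@example.gov", "action": "artifact.export", "object": "ssp.oscal.json"},
    {"seq": 2, "actor": "svc-agent-7", "action": "policy.promote", "object": "guardrail-bundle:v3"},
    {"seq": 3, "actor": "ao@example.gov", "action": "artifact.export", "object": "sar.oscal.json"},
]
GENESIS = "0" * 64  # link value for the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(event: dict) -> bytes:
    # Deterministic serialization: the same event must always hash to the same value.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def build_chain(events: list) -> list:
    """Each entry's hash covers the previous hash, so editing or dropping an earlier entry breaks every later link."""
    chain, prev = [], GENESIS
    for ev in events:
        h = sha256_hex(prev.encode() + canonical(ev))
        chain.append({"event": ev, "prev": prev, "hash": h})
        prev = h
    return chain

def verify_chain(chain: list) -> bool:
    prev = GENESIS
    for entry in chain:
        if entry["prev"] != prev or entry["hash"] != sha256_hex(prev.encode() + canonical(entry["event"])):
            return False
        prev = entry["hash"]
    return True

def merkle_root(leaf_hashes: list) -> str:
    """Merkle seal over the entry hashes; this single root is what gets anchored or timestamped externally."""
    level = list(leaf_hashes) or [sha256_hex(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the odd leaf (assumed padding rule)
        level = [sha256_hex(bytes.fromhex(level[i] + level[i + 1])) for i in range(0, len(level), 2)]
    return level[0]

def rewrite_detected_by_anchor(events: list, anchored_root: str, index: int, field: str, value) -> bool:
    """Edit one event and re-hash the whole chain: verify_chain() still passes, the anchored root does not."""
    forged = [dict(e) for e in events]
    forged[index][field] = value
    forged_chain = build_chain(forged)
    return verify_chain(forged_chain) and merkle_root([e["hash"] for e in forged_chain]) != anchored_root
```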

Classification ceiling

Every API credential carries a classification ceiling; responses redacted in-flight.

Sovereign / air-gapped mode

Hand-carry exchange bundles (X25519 + AES-GCM) for disconnected enclaves.

Continuous ATO

Live OSCAL 1.1 SAR + POA&M export from /ato; drift detection on sealed packages.

Downloadable artifacts

Evidence an authorizing official can pull from a live tenant.

Every artifact below is generated deterministically from live data — no manual spreadsheet curation. Hashes are written to the audit ledger at the moment of export.

Downloads are protected by short-lived signed URLs. Each link is minted on demand, bound to your account, and expires after 5 minutes. Unauthenticated requests receive an HTTP 401 from /api/public/artifacts.
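As an added example (not the product's implementation), the following shows one way such a link can be minted and checked so that it is bound to an account, expires after 5 minutes, and answers 401 to unauthenticated requests; the HMAC construction, the query parameter names and the non-401 status codes are assumptions.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a real service would hold this in a managed key store.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
TTL_SECONDS = 300  # the 5-minute lifetime stated above

def _mac(path: str, account: str, exp: int) -> str:
    # The signature covers path, account and expiry, so none of them can be swapped after minting.
    msg = f"{path}\n{account}\n{exp}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def mint_url(path: str, account: str, now: int) -> str:
    """Mint a link on demand, bound to one account and expiring TTL_SECONDS after `now`."""
    exp = now + TTL_SECONDS
    return f"{path}?{urlencode({'acct': account, 'exp': exp, 'sig': _mac(path, account, exp)})}"

def check_url(url: str, requesting_account: Optional[str], now: int) -> int:
    """Return the HTTP status the artifact endpoint answers with (401 is from the dossier; other codes are assumed)."""
    if requesting_account is None:
        return 401  # unauthenticated request
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    try:
        acct, exp, sig = q["acct"], int(q["exp"]), q["sig"]
    except (KeyError, ValueError):
        return 400  # malformed link
    if not hmac.compare_digest(sig, _mac(parts.path, acct, exp)):
        return 403  # signature mismatch: path, account or expiry was altered
    if acct != requesting_account:
        return 403  # valid link, but minted for a different account
    if now > exp:
        return 410  # expired; the caller must mint a fresh link
    return 200
```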

This page is maintained by the Aiudit team to summarize platform capabilities and the artifacts a deploying organization can produce. It is not a certification, a FedRAMP / DoD / StateRAMP / CJIS authorization decision, or a substitute for an authorizing official's risk determination. Authorization decisions are made by the deploying agency on the basis of an assessment performed by a qualified 3PAO or equivalent assessor against the relevant baseline.

Need the full authorization package for your AO?

Start a sovereign pilot — provision a tenant, ingest an agent, and produce a signed evidence package and OSCAL SAR in one session.
