Form AIUDIT-PUB-SEC-0007 · Security & Compliance Dossier
Authorization posture for U.S. federal, defense, state, and law-enforcement deployments.
Aiudit is architected to the highest U.S. cloud-authorization baselines. This dossier maps platform capabilities to FedRAMP High, DoD IL5, StateRAMP, and CJIS controls, and enumerates the artifacts an authorizing official, 3PAO, or inspector general can pull directly from a live tenant.
Single-tenant or GovCloud (US) deployment. SaaS boundary covers Aiudit control plane, evidence ledger, and ZK verifier.
Posture summary
Architected to the High baseline with FIPS 140-3 validated cryptography, hash-chained audit, and continuous-ATO telemetry. 3PAO assessment package generated from /ato as OSCAL 1.1 SAR JSON.
Representative control mapping
Control | Family | Title | Aiudit implementation
AC-2 | Access Control | Account management | RBAC with specialized oversight roles; provisioning via signed invitations; quarterly attestation export.
AC-4 | Access Control | Information flow enforcement | Classification-aware redaction on every API; sovereign exchange bundles for cross-domain transfer.
Third-party AI vendor module with NIST AI RMF-mapped weighted risk scoring.
02 · AIUDIT-DOD-01
DoD Impact Level 5 (IL5)
DISA — DoD Cloud Computing SRG · FedRAMP High + DoD SRG IL5 overlay (CUI, NSS-adjacent, mission-critical)
Authorization-ready
Scope
Dedicated tenancy on DoD-authorized cloud (e.g., AWS GovCloud, Azure Government, Oracle Government). Up to CUI Specified and unclassified NSS workloads.
Posture summary
IL5 overlay applied: dedicated infrastructure, CAC/PIV-only privileged access, CNSA 2.0 cryptographic suite, and air-gapped sovereign-deployment mode for disconnected operations.
Representative control mapping
Control | Family | Title | Aiudit implementation
SRG 5.1.1 | Tenancy | Physical and logical separation | Single-tenant deployment topology documented in /deployment; no shared compute with non-DoD workloads.
SRG 5.6.1 | Personnel | U.S. persons only for privileged ops | Role assignment gated by personnel attribute claims; foreign-national flagging in audit ledger.
SRG 5.10.1 | Connectivity | CAP / BCAP routing | Network egress configured for NIPRNet via BCAP; IL5-eligible regions enforced.
SRG 5.11 | Crypto | FIPS 140-3 validated modules | FIPS façade isolates approved providers; CNSA 2.0 algorithms selectable per environment.
AC-17 (DoD) | Remote Access | Privileged remote access | Ed25519 quorum + CAC/PIV; all privileged sessions counter-signed and ledgered.
AU-9 (DoD) | Audit | Tamper-evident audit | Hash-chained ledger with public anchoring; air-gap export via signed sovereign bundles.
MP-5 (DoD) | Media Protection | Media transport (cross-domain) | Sovereign exchange bundles (WebCrypto AES-GCM + X25519) for hand-carry between enclaves.
SC-7 (22) | Boundary Protection | Separate subnets for connected systems | External integration API enforces classification ceiling and IP allowlists per credential.
CM-7 (DoD) | Least Functionality | Service whitelisting | Pilot mode restricts production actions; guardrail bundles enumerate permitted tools.
03 · AIUDIT-STR-01
StateRAMP Moderate / High
StateRAMP PMO · NIST SP 800-53 Rev. 5 — Moderate or High (reciprocity with FedRAMP)
Authorization-ready
Scope
State, local, tribal, and territorial (SLTT) deployments. Common authorization reusable across participating states and authorized vendor list.
Posture summary
Reciprocity-first: the FedRAMP authorization package and OSCAL SAR are accepted by StateRAMP with minimal jurisdictional addenda. Multi-tenant SaaS with per-state data residency enforcement.
Representative control mapping
Control | Family | Title | Aiudit implementation
AC-3 | Access Control | Access enforcement (per-state) | Multi-tenant RLS scoped by org_id; per-jurisdiction visibility on CIX and intel exchanges.
AT-3 | Awareness & Training | Role-based security training | Aiudit Academy: ~18 modules, role-based paths, completion ledgered for evidence.
CA-2 | Assessment | Control assessments | Evidence packages sealed with Merkle root + multi-party counter-signatures; auditor-shareable.
Law-enforcement deployments handling Criminal Justice Information (CJI). Applies when Aiudit oversees agents that ingest CJI or produce decisions on CJI.
Posture summary
CJIS overlay covers advanced authentication, encryption-in-transit/at-rest, personnel screening, and 7-year auditability. CJI never leaves the authorized boundary; intel exchange operates on differential-privacy aggregates only.
Representative control mapping
Control | Family | Title | Aiudit implementation
CJIS 5.2 | Awareness & Training | Security awareness training | Mandatory Academy track for CJI-handling roles; completion ledgered with timestamps.
CJIS 5.3 | Incident Response | Incident response | Incidents module with 24-hour breach reporting clock; Black Box export for IR retros.
CJIS 5.4 | Audit & Accountability | Auditing & accountability (7-year retention) | Hash-chained audit + 50+ year intergenerational ledger; tamper-evident, replication-ready.
CJIS 5.5 | Access Control | Access control | RBAC + ABAC via role-claim predicates in constitution DSL; least-privilege defaults.
CJIS 5.6 | Identification & Auth | Advanced authentication | MFA via WebAuthn / PIV; Ed25519 quorum for sensitive actions.
CJIS 5.7 | Configuration Mgmt | Configuration management | Versioned policies + guardrail bundles; promotion gates require quorum approval.
CJIS 5.8 | Media Protection | Media protection | Sovereign bundles encrypted (X25519 + AES-GCM) for any media transport.
CJIS 5.10 | System & Comms | Encryption (FIPS 140-3) | FIPS façade; TLS 1.3 with FIPS-approved cipher suites enforced.
CJIS 5.12 | Personnel Security | Personnel security screening | Role assignment hooks support fingerprint-based background-check attestation evidence.
Cross-program guarantees
Engineering controls that satisfy every program in this dossier.
FIPS 140-3 cryptographic core: all hashing, signing, and key-derivation routed through a FIPS façade with CNSA 2.0 algorithm selection.
M-of-N Ed25519 quorum: privileged actions require multi-party signatures; ledgered with counter-signatures.
Tamper-evident audit: SHA-256 hash-chain + Merkle-sealed evidence packages + public anchoring.
Classification ceiling: every API credential carries a classification ceiling; responses redacted in-flight.
Sovereign / air-gapped mode: hand-carry exchange bundles (X25519 + AES-GCM) for disconnected enclaves.
Continuous ATO: live OSCAL 1.1 SAR + POA&M export from /ato; drift detection on sealed packages.
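As an added illustration of the tamper-evident audit and Merkle-sealed evidence-package guarantees (AU-9, CA-2, CJIS 5.4 and the cross-program list above), the following is example code, not Aiudit's own ledger implementation; the entry layout, JSON canonicalisation and Merkle construction are assumptions. It shows how an assessor can re-derive the chain and the package root and flag drift.

```python
import hashlib
import json

# Added example of a SHA-256 hash-chained ledger with Merkle-sealed evidence
# packages; record layout and canonicalisation are assumptions, not Aiudit's.

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
def canon(body: dict) -> bytes:
    # Deterministic encoding so re-hashing on verification matches sealing.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
def merkle_root(leaf_hashes: list[str]) -> str:
    # Pairwise-hash artifact digests up to one root; an odd trailing node is duplicated.
    level = list(leaf_hashes) or [sha256(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256(bytes.fromhex(a + b)) for a, b in zip(level[::2], level[1::2])]
    return level[0]
def seal_package(artifacts: dict[str, bytes]) -> dict:
    # Evidence package = sorted per-artifact digests + Merkle root committing to them.
    digests = {name: sha256(body) for name, body in sorted(artifacts.items())}
    return {"artifacts": digests, "merkle_root": merkle_root(list(digests.values()))}

def append_entry(ledger: list[dict], event: dict) -> dict:
    # Each entry commits to the previous entry's hash, so edits or deletions break the chain.
    prev = ledger[-1]["entry_hash"] if ledger else "0" * 64
    body = {"seq": len(ledger), "prev_hash": prev, "event": event}
    entry = dict(body, entry_hash=sha256(canon(body)))
    ledger.append(entry)
    return entry

def verify_ledger(ledger: list[dict]) -> list[str]:
    # Drift findings: a broken link (entry removed or reordered) or an edited entry.
    findings, prev = [], "0" * 64
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev:
            findings.append(f"entry {i}: prev_hash does not match entry {i - 1}")
        if sha256(canon(body)) != entry["entry_hash"]:
            findings.append(f"entry {i}: contents altered after sealing")
        prev = entry["entry_hash"]
    return findings

def verify_package(package: dict, artifacts: dict[str, bytes]) -> list[str]:
    # Re-hash the artifacts handed to the assessor against the sealed digests and root.
    findings = [f"{n}: digest mismatch" for n, h in package["artifacts"].items()
                if sha256(artifacts.get(n, b"")) != h]
    if merkle_root(list(package["artifacts"].values())) != package["merkle_root"]:
        findings.append("merkle_root does not match artifact digests")
    return findings
```

Removing entries from the tail of the chain is invisible to verify_ledger alone; that is what public anchoring of the latest entry_hash (the "public anchoring" named above) is for.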
Downloadable artifacts
Evidence an authorizing official can pull from a live tenant.
Every artifact below is generated deterministically from live data — no manual spreadsheet curation. Hashes are written to the audit ledger at the moment of export.
Downloads are protected by short-lived signed URLs. Each link is minted on demand, bound to your account, and expires after 5 minutes. Unauthenticated requests receive an HTTP 401 from /api/public/artifacts.
This page is maintained by the Aiudit team to summarize platform capabilities and the artifacts a deploying organization can produce. It is not a certification, a FedRAMP / DoD / StateRAMP / CJIS authorization decision, or a substitute for an authorizing official's risk determination. Authorization decisions are made by the deploying agency on the basis of an assessment performed by a qualified 3PAO or equivalent assessor against the relevant baseline.
Need the full authorization package for your AO?
Start a sovereign pilot — provision a tenant, ingest an agent, and produce a signed evidence package and OSCAL SAR in one session.
Unclassified // For Official Use Only · Doc AIUDIT-PUB-SEC-0007 · Rev 3.1