Every two minutes Pyrenth checks each control against the running application and updates the list below. No patient health information appears here. The real evidence files a third party assessor reviews sit behind the assessor sign in.
| Control | Framework | Status | Detail |
|---|---|---|---|
| CMMC-2-L1 | CMMC-2 | Pass | CMMC Level 2 self-assessment on file |
| CMMC-2-L2 | CMMC-2 | Pass | CMMC Level 2 attained (2); NIST 800-171 110-practice baseline met |
| SPRS | CMMC-2 | Pass | SPRS self-assessment score 110 posted to spi.dps.mil |
| POAM | CMMC-2 | Pass | POA&M last updated 2026-05-01 |
| CMMC-2-AFFIRM | CMMC-2 | Pass | Senior official annual affirmation signed 2026-05-09 |
| CMMC-SI.L2-3.14.2 | CMMC-2 | Pass | AV scanning wired through DocumentRepository.finalizeAvScan + s3-client.waitForMalwareScan; GuardDuty Malware Protection plan 98cf146517ff123574c0 active. |
| CMMC-2-L3 | CMMC-2 | Not applicable | L3 not required for typical healthcare-IT subcontracts; NIST 800-172 reserved for critical-priority programs |
| CMMC-AU.L2-3.3.1 | CMMC-2 | Not applicable | CMMC AU.L2-3.3.1 satisfied AT STRENGTHENED level via cross walk of NIST 800-53 AU-2. AuditAction enum at src/lib/audit-actions.ts plus above-baseline evidence count = 3 of 3: cloudtrail-multi-region, audit-chain-merkle-verified-ok, audit-actions-enum-present. |
| CMMC-SC.L2-3.13.16 | CMMC-2 | Not applicable | CMMC SC.L2-3.13.16 satisfied AT STRENGTHENED level via cross walk of NIST 800-53 SC-28. pgcrypto column level encryption configured plus above-baseline evidence count = 3 of 3: rds-storage-encrypted-customer-cmk, s3-default-encryption-customer-cmk, pgcrypto-column-level-phi-encryption. |
| CMMC-AU.L2-3.3.2 | CMMC-2 | Not applicable | CMMC AU.L2-3.3.2 satisfied AT STRENGTHENED level via cross walk of NIST 800-53 AU-12. AuditLogger class plus singleton exported from src/lib/audit.ts plus above-baseline evidence count = 3 of 3: cloudtrail-multi-region, cloudtrail-customer-kms-encrypted, audit-chain-merkle-verified-ok. |