Every two minutes Pyrenth checks each control against the running application and updates the list below. No patient health information appears here. The actual evidence files that a third-party assessor reviews sit behind the assessor sign-in.
| Control | Framework | Status | Detail |
|---|---|---|---|
| NIST-171-3.1 | NIST-800-171 | Pass | Access control: Better Auth + RBAC + MFA enforced (or dev mode) |
| NIST-171-3.4 | NIST-800-171 | Pass | Configuration management: package-lock.json + git-tracked baselines |
| NIST-171-3.5 | NIST-800-171 | Pass | Identification: MFA enforced; TOTP via Better Auth (or dev mode) |
| NIST-171-3.6 | NIST-800-171 | Pass | Incident response: continuous monitoring + breach notification procedure (Sentry DSN configured (https://e36d88aff3690d03ca2cfc891b59d4b0@***)) |
| NIST-171-3.8 | NIST-800-171 | Pass | Media protection: pgcrypto column-level encryption for PHI fields |
| NIST-171-3.11 | NIST-800-171 | Pass | comprehensive-audit.ts plus rae-readiness.ts present; risk assessment cadence active via pyrenth_compound_health MCP tool |
| NIST-171-3.12 | NIST-800-171 | Pass | src/lib/compliance/auto-scanner.ts present; security assessment runs on every code change via pyrenth_security_scan plus pyrenth_hipaa_lint MCP tools |
| NIST-171-3.14 | NIST-800-171 | Pass | Information integrity: continuous monitoring + dependency scan + PHI-scrub guard (Sentry DSN configured (https://e36d88aff3690d03ca2cfc891b59d4b0@***)) |
| NIST-171-3.2 | NIST-800-171 | Not applicable | Awareness and training: documented in HIPAA pack /mnt/d/docs/legal-drafts/hipaa-pack-2026-05-09/policy-sanctions.md (process, not code) |
| NIST-171-3.3 | NIST-800-171 | Not applicable | NIST 800-171 3.3 Audit and Accountability satisfied AT STRENGTHENED level via crosswalk to NIST 800-53 AU-2 plus AU-12. src/lib/audit-actions.ts present; AuditAction event catalog active for all DAL mutations and server actions via auditLogger. Above-baseline evidence count = 4 of 3: cloudtrail-multi-region, cloudtrail-customer-kms-encrypted, audit-chain-merkle-verified-ok, audit-actions-enum-present. |
| NIST-171-3.7 | NIST-800-171 | Not applicable | Maintenance: covered in operational runbook (process, not code) |
| NIST-171-3.9 | NIST-800-171 | Not applicable | Personnel security: covered in operational HR process (background checks, NDAs, training) |
| NIST-171-3.10 | NIST-800-171 | Not applicable | Physical protection: AWS data centers (FedRAMP authorized) for production deployment |
| NIST-171-3.13 | NIST-800-171 | Not applicable | NIST 800-171 3.13 System and Communications Protection satisfied AT STRENGTHENED level via crosswalk to NIST 800-53 SC-28. TLS 1.3 minimum plus HSTS plus CSP headers. Above-baseline evidence count = 3 of 3: rds-storage-encrypted-customer-cmk, s3-default-encryption-customer-cmk, pgcrypto-column-level-phi-encryption. |