Every two minutes Pyrenth checks each control against the running application and updates the list below. No patient health information appears here. The real evidence files a third party assessor reviews sit behind the assessor sign in.
| Control | Framework | Status | Detail |
|---|---|---|---|
| AC-2 | NIST-800-53 | Pass | Better Auth configured; RBAC engine active via SecurityGroup + Policy + Permission (dev mode auto-secret) |
| AC-7 | NIST-800-53 | Pass | Rate-limit backing store configured (Dragonfly/Redis) AND src/lib/api/rate-limiter.ts present; Cognito advanced security ENFORCED=false; auth route protected |
| AC-12 | NIST-800-53 | Pass | Session timeout 14400s (<=12h FedRAMP requirement) |
| AC-17 | NIST-800-53 | Pass | Production traffic enforced over HTTPS |
| CM-2 | NIST-800-53 | Pass | package-lock.json present; npm install reproducible |
| CP-9 | NIST-800-53 | Pass | Backup bucket configured: pyrenth-backups-govcloud |
| IA-2 | NIST-800-53 | Pass | MFA enforcement at relying party (MFA_ENFORCEMENT=unset) and/or identity provider (Cognito MFA_ENFORCED=unset); satisfies NIST 800-53 IA-2 |
| IA-5 | NIST-800-53 | Pass | Min password length: relying party=14 Cognito=unset (FedRAMP 12 char minimum, NIST 800-63B 14 char target) |
| IR-4 | NIST-800-53 | Pass | IR-4 runtime probe PASSED: Sentry incident pipeline confirmed live. DSN configured, valid format, host=o4511394830483456.ingest.us.sentry.io, @sentry/nextjs client initialized at runtime. Incident detection and analysis active. NODE_ENV=development. PHI scrubbing happens upstream via phi-guard.ts beforeSend hook. |
| RA-5 | NIST-800-53 | Pass | Vulnerability scanning active via AWS Inspector V2 scans the built ECR image plus EC2 plus Lambda plus AWS Azure Pipelines project pyrenth-ehr-build runs npm audit per buildspec. GitHub Dependabot is NA-by-design (repo is on Azure DevOps, Dependabot only runs on GitHub); the dependabot.yml in the tree is an inert governance artifact, not the live scanner. |
| SI-2 | NIST-800-53 | Pass | AWS Azure Pipelines project pyrenth-ehr-build runs build pipeline per buildspec; flaw remediation cadence verified via Azure Pipelines post-github-migration |
| SI-4 | NIST-800-53 | Pass | Continuous monitoring active (Sentry DSN configured (https://e36d88aff3690d03ca2cfc891b59d4b0@***)) |
| SR-3 | NIST-800-53 | Pass | Lockfile pins all transitive dependencies; Azure Pipelines runs npm audit per buildspec |
| 3PAO-AU-2 | NIST-800-53 | Pass | AU-2 covered: all 7 3PAO AuditActions enumerated (request, pending, issued, consumed, rejected, evidence_access, session_ended). Discrete event taxonomy supports SAR chain of custody. |
| 3PAO-AU-12 | NIST-800-53 | Pass | AU-12 covered: 5/5 3PAO evidence pages emit THREE_PAO_EVIDENCE_ACCESS via auditLogger.logSystem. End-to-end audit generation proven. |
| 3PAO-AU-10 | NIST-800-53 | Pass | AU-10 covered: assessor session module exports consumeMagicLink + readAssessorSession; evidence rows carry sessionId and ride the canonical auditLogger emit path which feeds the Merkle audit chain (AU-10 Non-Repudiation end to end). |
| AC-3 | NIST-800-53 | Not applicable | AC-3 runtime artifacts unavailable: /tmp/pyrenth-tenant-iso-instant-pulse.json or /tmp/pyrenth-route-audit-latest.json missing, unreadable, or malformed. |
| AU-2 | NIST-800-53 | Not applicable | AU-2 satisfied AT STRENGTHENED level: audit_events table wired, Merkle chain root verified, 4290 audit record(s) in last 24h. Above-baseline evidence count = 3 of 3: merkle-chain-sealed-recently, audit-action-enum-526-events, recent-event-count-positive. NODE_ENV=development. |
| AU-3 | NIST-800-53 | Not applicable | AU-3 satisfied AT STRENGTHENED level via alternate evidence path: merkle-chain-root-present-verdict-ok, audit-action-enum-779-entries, audit-log-six-standard-payload-fields. Content-shape snapshot was unavailable; aggregate strengthening signal sourced from Merkle chain plus AuditAction enum depth plus AuditLog schema payload fields. |
| AU-6 | NIST-800-53 | Not applicable | AU-6 satisfied AT STRENGTHENED level: auditLogger singleton plus monitoring path plus admin review surface all present. Above-baseline evidence count = 3 of 3: audit-logger-singleton-present, monitoring-or-alert-queue-path-configured, admin-audit-review-page-present. |
| AU-7 | NIST-800-53 | Not applicable | AU-7 satisfied AT STRENGTHENED level: AuditAction reducer plus AuditLog payload fields plus report templates plus admin dashboard surface all present. Above-baseline evidence count = 3 of 3: structured-payload-reducer-fields-present, report-template-definitions-present, admin-dashboard-surface-present. |
| AU-9 | NIST-800-53 | Not applicable | AU-9 satisfied AT STRENGTHENED level: AuditLog model immutable plus @@map audit_logs pinned. Above-baseline evidence count = 3 of 3: cloudtrail-customer-managed-cmk, merkle-chain-root-present, audit-retention-six-years-plus. |
| AU-10 | NIST-800-53 | Not applicable | AU-10 satisfied AT STRENGTHENED level: Merkle audit chain root present plus sha256 chain verification verdict ok plus verifier function callable. Above-baseline evidence count = 3 of 3: merkle-chain-root-present, sha256-chain-integrity-verified, verifier-function-callable. |
| AU-11 | NIST-800-53 | Not applicable | AU-11 satisfied AT STRENGTHENED level: audit retention 2555 days exceeds the FedRAMP 1095 day floor. Above-baseline evidence count = 2 of 2: audit-retention-2555-days-six-year-hhs-bar, audit-log-retention-policy-doc-present. |
| AU-12 | NIST-800-53 | Not applicable | AU-12 satisfied AT STRENGTHENED level: AuditLogger class plus singleton exported from src/lib/audit.ts; emits via DAL plus server-actions plus route-handlers. Above-baseline evidence count = 3 of 3: cloudtrail-multi-region, cloudtrail-customer-kms-encrypted, audit-chain-merkle-verified-ok. |
| SC-8 | NIST-800-53 | Not applicable | SC-8 satisfied AT STRENGTHENED level: ALB enforces ELBSecurityPolicy-TLS13-1-2-2021-06 (TLS 1.3 capable = true), HTTPS redirect enforced = true, certificate valid for 181 more day(s). Above-baseline evidence count = 2 of 3. |
| SC-12 | NIST-800-53 | Not applicable | SC-12 satisfied AT STRENGTHENED level: 10 customer-managed CMK(s), all 10 have rotation enabled, zero wildcard principals, 1 multi-region key(s) for CP-6 resilience. Above-baseline evidence count = 4 of 4. |
| SC-13 | NIST-800-53 | Not applicable | SC-13 satisfied AT STRENGTHENED level via full AWS-managed FIPS-validated module inheritance — all 3 inheritance signals present (FIPS endpoint plus customer-managed CMK plus FedRAMP region). Evidence: useFipsEndpoint=true, kmsCmkConfigured=true, secretsManagerRegionSet=true (3 of 3 signals). OpenSSL build = 3.5.5. NODE_ENV=development. |
| SC-28 | NIST-800-53 | Not applicable | SC-28 satisfied AT STRENGTHENED level: pgcrypto column-level encryption configured for PHI at rest. Above-baseline evidence count = 3 of 3: rds-storage-encrypted-customer-cmk, s3-default-encryption-customer-cmk, pgcrypto-column-level-phi-encryption. |
| ELASTICACHE-ENCRYPTION-AT-REST-AND-TRANSIT | NIST-800-53 | Not applicable | ElastiCache encryption probe runs only in NODE_ENV=production by default (current NODE_ENV=development). Set PYRENTH_ELASTICACHE_PROBE_ALWAYS=true to opt in for local verification. Production audits always run the live probe. |
| SI-7 | NIST-800-53 | Not applicable | SI-7 satisfied AT STRENGTHENED level: Merkle audit chain root present plus sha256 chain integrity verified plus git tree integrity verified. Above-baseline evidence count = 3 of 3: merkle-chain-root-present, sha256-chain-integrity-verified, git-tree-integrity-verified. |
| SI-10 | NIST-800-53 | Not applicable | SI-10 satisfied AT STRENGTHENED level: Zod action coverage greater than 50 plus z.object schemas across lib greater than 50 plus 6 step server action pattern verified in sample. Above-baseline evidence count = 3 of 3: zod-action-coverage-183, z-object-schema-count-243, six-step-pattern-4-of-5. |
| SI-11 | NIST-800-53 | Not applicable | SI-11 satisfied AT STRENGTHENED level: errorJson uniform envelope across routes greater than 100 plus phi-guard module present plus Sentry PHI scrub active in beforeSend. Above-baseline evidence count = 3 of 3: error-json-route-coverage-844, phi-guard-module-present, sentry-phi-scrub-active. |
| HEALTHLAKE-CMK-CUSTOMER-MANAGED | NIST-800-53 | Not applicable | HealthLake CMK posture probe could not be evaluated (NOT a pass): either AWS_HEALTHLAKE_DATASTORE_ID or AWS_HEALTHLAKE_KMS_KEY_ARN is unset, OR the aws healthlake describe-fhir-datastore call failed or returned malformed JSON. Treat the control as unverified. To run the probe set both env vars and confirm the pyrenth-claude-admin profile can reach AWS HealthLake in us-west-2. |
| AAL3-WEBAUTHN | NIST-800-53 | Not applicable | Cognito not stood up yet (COGNITO_USER_POOL_ID unset); AAL3 device-bound factor will activate after Cognito deploy. CFN template at /tmp/pyrenth-cognito-staging/cloudformation/pyrenth-cognito-user-pool.yaml enables WebAuthn with UserVerification required and RelyingPartyId pyrenth.app. |
| FEDRAMP-COGNITO | NIST-800-53 | Not applicable | Cognito not stood up yet; FedRAMP Moderate inheritance will activate after Cognito deploy in us-west-2 commercial region. |
| SC-13-COGNITO-CMK | NIST-800-53 | Not applicable | Cognito not stood up yet; KMS CMK token signing will activate after deploy. CFN template provisions alias/pyrenth-prod-cognito-signing with EnableKeyRotation true. |
| AC-7-COGNITO | NIST-800-53 | Not applicable | Cognito not stood up yet; advanced security adaptive auth + account lockout will activate after deploy with AdvancedSecurityMode ENFORCED per CFN template |
| IA-5-COGNITO | NIST-800-53 | Not applicable | Cognito not stood up yet; 14 char password floor + 24 history will activate after deploy per CFN template Policies.PasswordPolicy |