Every two minutes, Pyrenth checks each control against the running application and updates the list below. No patient health information appears here. The real evidence files that a third-party assessor reviews sit behind the assessor sign-in.

| Control | Framework | Status | Detail |
|---|---|---|---|
| VA-6500-1 | VA-6500 | Pass | Privacy Officer + Security Officer designated (Robert Ryczek + Robert Ryczek); designation docs present privacy=true security=true |
| VA-6500-2 | VA-6500 | Pass | Security Officer is Robert Ryczek; functions as Pyrenth ISO; designation doc present=true |
| VA-6500-3 | VA-6500 | Pass | Continuous monitoring stack active (Sentry + auditLogger + comprehensive-audit cadence) |
| VA-6500-4 | VA-6500 | Pass | NIST RMF aligned via src/lib/audit/federal-compliance.ts auditors; categorize, select, implement, assess, authorize, monitor cycle established |
| VA-6500.6 | VA-6500 | Pass | VA BAA effective from 2026-05-11 |
| VA-6500-6 | VA-6500 | Pass | Incident response last tested 2026-04-15 |
| VA-6500-7 | VA-6500 | Pass | Last security assessment 2026-05-01 |
| VA-6500.10 | VA-6500 | Pass | Hosting on VAEC-compatible environment (aws-govcloud) |
| VA-6500-5 | VA-6500 | Not applicable | VA ATO is a Tier 4 pre-award dependency. FEDERAL_PRE_AWARD_DEFERRAL=true marks this Not Applicable until Pyrenth lands a VA FSS Schedule or direct VA contract. Will activate after award. |