| Control | Title | Status | Evidence |
|---|---|---|---|
| CC1.1 | Demonstrates Commitment to Integrity and Ethical Values | customer responsibility | Customer organization's responsibility; governance is owned by the customer org. |
| CC2.1 | Communication and Information — Internal | implemented | Incident notification procedure ships with every contract; SLA included. |
| CC6.1 | Logical and Physical Access Controls — Software | implemented | API Gateway enforces API key auth. Admin access via cloud-native MFA. NACL denies SSH/RDP. |
| CC6.6 | Logical Access — Authentication for External Users | implemented | sk-optimal-* API key validated at the edge; usage plans rate-limit. |
| CC6.7 | Restriction of Information Flow | implemented | Egress to AWS services is restricted to VPC endpoints; cross-cloud egress leaves via a single NAT Elastic IP that peers can allowlist. |
| CC6.8 | Prevention of Malicious Software | implemented | ECR image scanning. WAFv2 (POAM-014) blocks OWASP top 10. |
| CC7.1 | Detection of Configuration Changes | implemented | AWS Config + GuardDuty + Access Analyzer + Security Hub aggregator. |
| CC7.2 | Monitoring | implemented | CloudWatch metrics + alarms (latency, errors, throttles). GuardDuty findings. |
| CC7.3 | Incident Response Procedures | implemented | Incident procedure emitter ships per-tenant. SLA-bound notification. |
| CC8.1 | Change Management | implemented | Terraform PR review. ECR immutable tags. CodeBuild + CodeDeploy canary. |
| A1.1 | Availability — Performance Monitoring | implemented | Lambda + API Gateway are regional managed services. CW alarms on errors / latency. |
| A1.2 | Availability — Backup | implemented | DynamoDB point-in-time recovery (35-day window). CT S3 bucket versioned, with Glacier lifecycle. Single-AZ NAT documented as a POAM. |
| A1.3 | Availability — Recovery Testing | poam | Contingency plan documented; quarterly restore drill cadence pending. POAM: POAM-RECOVERY-DRILL |
| C1.1 | Confidentiality — Identification and Maintenance | implemented | Zero-persistence: prompt + response bodies NEVER written to disk / logs / store. Audit row contains only operational metadata. |
| C1.2 | Confidentiality — Disposal | implemented | Body content does not exist at rest; nothing to dispose of. Metadata retention follows the audit table schedule. |
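The C1.1 and C1.2 rows rest on one mechanism: the audit row carries operational metadata only, and prompt or response bodies never reach any sink. The following is an added example (not the project's own code) of how that guarantee can be enforced in the request path rather than just asserted: the row is built from an allowlist of counters and identifiers, the API key is replaced by a truncated hash, and a fail-closed check rejects the row before write if any non-allowlisted field or any fragment of the bodies or raw key appears in it. The `sk-optimal-` key format is taken from the CC6.6 row; the envelope field names, the `body` key and the sample traffic are constructed assumptions.

```python
"""Added example: zero-persistence audit row for an LLM proxy (not the page's code).

Assumptions: request/response envelopes are dicts, bodies live under "body",
and the API key format is sk-optimal-<secret>. Sample traffic is constructed.
"""
import hashlib
import json
import time
from dataclasses import asdict, dataclass

# Allowlist of audit-row fields. Anything outside this set is rejected before write.
ALLOWED_FIELDS = frozenset({
    "request_id", "tenant_id", "api_key_id", "route", "status_code",
    "prompt_tokens", "completion_tokens", "latency_ms", "ts",
})


@dataclass(frozen=True)
class AuditRow:
    request_id: str
    tenant_id: str
    api_key_id: str  # truncated hash of the key, never the key itself
    route: str
    status_code: int
    prompt_tokens: int
    completion_tokens: int
    latency_ms: int
    ts: int


def key_id(api_key: str) -> str:
    """Non-reversible identifier for an API key (hypothetical sk-optimal-... format)."""
    return hashlib.sha256(api_key.encode()).hexdigest()[:16]


def build_audit_row(request: dict, response: dict, started: float, finished: float) -> AuditRow:
    """Copy only counters and identifiers; the "body" keys are never read here."""
    return AuditRow(
        request_id=request["request_id"],
        tenant_id=request["tenant_id"],
        api_key_id=key_id(request["api_key"]),
        route=request["route"],
        status_code=response["status_code"],
        prompt_tokens=request["prompt_tokens"],
        completion_tokens=response["completion_tokens"],
        latency_ms=int(round((finished - started) * 1000)),
        ts=int(finished),
    )


def _fragments(text: str, min_len: int = 6):
    """Whole text plus every token of min_len+ chars, so partial excerpts are caught too."""
    yield text.strip()
    for tok in text.split():
        if len(tok) >= min_len:
            yield tok


def check_row(row: dict, secrets: list) -> None:
    """Fail closed: reject a row with non-allowlisted fields or any body/key fragment.

    Only the row's values are searched, so a body word that happens to match a
    field name (e.g. "request") does not trip the check."""
    extra = set(row) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"non-allowlisted audit fields: {sorted(extra)}")
    serialized = json.dumps(list(row.values()))
    for secret in secrets:
        for frag in _fragments(secret):
            if frag and frag in serialized:
                raise ValueError("audit row contains body or key material; refusing to persist")


def emit_audit(request: dict, response: dict, started: float, finished: float) -> str:
    """Return the JSON line that would go to the audit table, after the leak check passes."""
    row = asdict(build_audit_row(request, response, started, finished))
    check_row(row, [request["body"], response["body"], request["api_key"]])
    return json.dumps(row, sort_keys=True)


# Constructed sample traffic (not real data).
SAMPLE_REQUEST = {
    "request_id": "req-0001", "tenant_id": "tenant-a", "route": "/v1/chat",
    "api_key": "sk-optimal-constructedkey123", "prompt_tokens": 12,
    "body": "Summarise the attached contract for the CFO",
}
SAMPLE_RESPONSE = {
    "status_code": 200, "completion_tokens": 40,
    "body": "The contract renews annually unless cancelled by 30 days notice",
}

if __name__ == "__main__":
    t0 = time.time()
    print(emit_audit(SAMPLE_REQUEST, SAMPLE_RESPONSE, t0, t0 + 0.250))
```

The check deliberately searches for token-level fragments of the bodies, not just the full strings, so a later "helpful" change that adds a `prompt_excerpt` field is caught at runtime; keeping `ALLOWED_FIELDS` as the single source of truth also gives the C1.2 retention schedule an exact list of what actually sits at rest.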