{
  "$schema": "https://fedramp.gov/20x/ksi/v1.json",
  "tenant": {
    "id": "t-acme-state",
    "display_name": "Department of Acme \u2014 Information Technology",
    "contact": "ciso@acme.state.example.gov"
  },
  "generated_at": "2026-05-15T03:10:23.952293+00:00",
  "window": {
    "start": "2026-04-15T03:10:23.952293+00:00",
    "end": "2026-05-15T03:10:23.952293+00:00"
  },
  "system": {
    "name": "Optimal Federal Gateway",
    "sku": "federal",
    "privacy_mode": "zero_persistence",
    "regions": [
      "us-east-2",
      "us-west-2"
    ],
    "fips_modules": [
      "AWS-LC FIPS 140-2 (Cert #4759)",
      "AWS KMS HSM (FIPS 140-2 L3)"
    ]
  },
  "ksi": [
    {
      "key": "KSI-001",
      "label": "Identity and access management",
      "status": "implemented",
      "evidence": "Gateway authenticates customer applications via API key; the audit row surfaces the key identifier (api_key_id), i.e. the identifier rather than the secret itself. Gateway admin authentication uses cloud-provider native MFA (AWS IAM MFA / GCP Cloud Identity / Entra ID). PIV-based authentication (IA-2(12)) is not yet in place and is tracked under POAM-011.",
      "poam_id": "POAM-011"
    },
    {
      "key": "KSI-002",
      "label": "Encryption at rest and in transit",
      "status": "implemented",
      "evidence": "In transit: TLS 1.2 over FIPS 140-2 validated modules (AWS-LC FIPS 140-2 (Cert #4759), AWS KMS HSM (FIPS 140-2 L3)); the TLS policy that rejects earlier protocol versions is not cited in this entry. At rest: KMS CMK arn:aws:kms:us-east-2:317839577064:key/optimal-cnapp-cmk encrypts DynamoDB, Secrets Manager, CloudWatch Logs, CloudTrail S3, and ECR. Cross-cloud: GCP access via Workload Identity Federation (WIF); Azure via a BYOK CMK held in Key Vault HSM (FIPS 140-2 L3).",
      "poam_id": null
    },
    {
      "key": "KSI-003",
      "label": "Vulnerability and patch management",
      "status": "implemented",
      "evidence": "ECR image scanning on push (scan_on_push=true); note that push-time scanning alone does not re-evaluate already-stored images against CVEs published later, so the rebuild cadence is what keeps deployed images current. Lambda container images are rebuilt on dependency update (CodeBuild + CodeDeploy canary). The gateway is a single container image \u2014 there are no long-running VMs to patch.",
      "poam_id": null
    },
    {
      "key": "KSI-004",
      "label": "Asset and configuration management",
      "status": "implemented",
      "evidence": "Infrastructure is Terraform-defined; configuration drift is detected by AWS Config. Image tags are immutable. The system inventory corresponds one-to-one with the authorization boundary diagram (ABD).",
      "poam_id": null
    },
    {
      "key": "KSI-005",
      "label": "Logging, monitoring, and incident response",
      "status": "implemented",
      "evidence": "CloudTrail is multi-region with log file validation enabled and 7-year retention. CloudWatch Logs: application logs 90 days, API Gateway access logs 365 days, all CMK-encrypted; request and response bodies are never written to logs. GuardDuty, AWS Config and Security Hub findings are aggregated. Each audit row is hash-chained to the previous row per services/ai-gateway/audit.py.",
      "poam_id": null
    },
    {
      "key": "KSI-006",
      "label": "Backup and recovery",
      "status": "implemented",
      "evidence": "DynamoDB point-in-time recovery (PITR) enabled (35-day continuous backup). CloudTrail S3 bucket has versioning enabled, transitions to Glacier at 1 year, and is retained 7 years. Single-AZ NAT is a documented contingency-plan gap (multi-AZ NAT planned) and is stated to be tracked as a POA&M item, but no POA&M identifier is referenced in this entry (poam_id is null).",
      "poam_id": null
    },
    {
      "key": "KSI-007",
      "label": "Security training",
      "status": "customer_responsibility",
      "evidence": "The customer is responsible for security training of its own personnel. Optimal's personnel training is documented in the Optimal SSP \u00a7 AT controls.",
      "poam_id": null
    },
    {
      "key": "KSI-008",
      "label": "Third-party / supply chain risk",
      "status": "partial",
      "evidence": "Optimal's upstream providers (AWS, GCP, Azure, and Anthropic via Bedrock) are documented in the SSP \u00a7 supply chain. The customer's own downstream consumers are out of scope for this attestation. No POA&M item is referenced for the remaining (partial) coverage.",
      "poam_id": null
    }
  ],
  "audit_aggregates": {
    "request_count": 9402,
    "block_count": 2,
    "detection_count": 18,
    "providers_invoked": [
      "aws-cnapp"
    ],
    "models_invoked": []
  }
}