| Control | Title | Status | Evidence |
|---|---|---|---|
| CVS-0.1 | Automated Container and Dependency Scanning | implemented | Every release artifact is scanned automatically pre-deployment via ThreatMapper 2.5.x (pinned; Trivy- and Grype-backed). Container images, declared dependencies, and transitive dependencies are all in scope. SBOM (SPDX 2.3) emitted at release. |
| CVS-0.2 | Severity Classification Using Current Standards | partial | CVSS v3.x classification implemented via ThreatMapper. EPSS + CISA KEV enrichment in progress: the translator layer in scan-api is ready; ingestion of the EPSS feed is scheduled for Phase 1. POAM: POAM-CVS-002 |
| CVS-0.3 | AI-Augmented Vulnerability Analysis | partial | Inference Gateway (formerly ai-gateway, reactivated for the agentic CD platform) provides the substrate for AI-augmented scan triage. Concrete LLM-assisted vulnerability analysis ships with the Recall Agent in Phase 1. POAM: POAM-CVS-003 |
| CVS-0.4 | Automatic Detection, Mitigation, and Recall of Critical Findings | partial | Detection and escalation implemented via the tracker-service POAM lifecycle. Interim mitigation (network isolation, feature disablement) is the Recall Agent's remit: designed and specified in WHITEPAPER.md, builds in Phase 1. Fleet-wide recall orchestration is the Orchestration Engine + Recall Agent, scheduled for the Phase 1 end-to-end demo. POAM: POAM-CVS-004 |
| CVS-0.5 | Contextual Vulnerability Prioritization and Remediation SLAs | partial | Attack-path context via ThreatMapper ThreatGraph. SLA-driven prioritization (EPSS + KEV + reachability + asset criticality) is the Compliance Agent's responsibility: designed in ARCHITECTURE.md, ships Phase 3. POAM: POAM-CVS-005 |
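The CVS-0.2 and CVS-0.5 rows describe the same pipeline: a CVSS base rating enriched with EPSS, CISA KEV membership, attack-path reachability and asset criticality, then mapped to an SLA. The following is an added illustration of that enrichment and tiering logic; it is not the platform's scan-api translator or Compliance Agent code. The EPSS threshold, tier rules, SLA windows and the placeholder CVE identifiers are assumptions made for the example.

```python
"""Contextual vulnerability prioritization with remediation SLAs.

Added illustration of the CVS-0.2 / CVS-0.5 pipeline: a CVSS v3.x base score is
enriched with EPSS, CISA KEV membership, attack-path reachability and asset
criticality, mapped to a priority tier, and the tier to an SLA deadline.
Thresholds, tier rules, SLA windows and the CVE identifiers below are
assumptions for the example, not the platform's configured values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float               # CVSS v3.x base score, 0.0..10.0
    epss: float               # EPSS probability of exploitation (0..1)
    in_kev: bool              # listed in the CISA KEV catalog
    reachable: bool           # vulnerable component reachable per attack-path graph
    asset_criticality: str    # "low" | "medium" | "high"


EPSS_ESCALATE = 0.10          # assumed: EPSS at or above this is treated like active exploitation
SLA_DAYS = {"P0": 1, "P1": 7, "P2": 30, "P3": 90}   # assumed SLA windows per tier


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative severity rating scale."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def priority(f: Finding) -> str:
    """Map a finding to a tier P0 (most urgent) .. P3.

    Start from the CVSS rating, then move up for KEV/EPSS evidence of real-world
    exploitation and for high-criticality assets, and down when the vulnerable
    code is not reachable or the asset is low criticality.  A KEV entry that is
    reachable on a high-criticality asset is always P0.
    """
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 3}[cvss_severity(f.cvss)]
    if f.in_kev and f.reachable and f.asset_criticality == "high":
        return "P0"
    if f.in_kev or f.epss >= EPSS_ESCALATE:
        rank -= 1
    if not f.reachable:
        rank += 1
    rank += {"high": -1, "medium": 0, "low": 1}[f.asset_criticality]
    return f"P{min(max(rank, 0), 3)}"


def sla_deadline(f: Finding, found_at: datetime) -> datetime:
    return found_at + timedelta(days=SLA_DAYS[priority(f)])


def triage(findings, now: datetime):
    """Return (priority, cve, deadline) rows, most urgent first."""
    rows = [(priority(f), f.cve, sla_deadline(f, now)) for f in findings]
    return sorted(rows, key=lambda r: (r[0], r[2], r[1]))


# Constructed sample findings (placeholder CVE IDs, not real advisories).
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    Finding("CVE-0000-1001", 9.8, 0.95, True, True, "high"),     # KEV, reachable, crown jewel
    Finding("CVE-0000-1002", 9.8, 0.02, False, False, "medium"), # critical CVSS but unreachable
    Finding("CVE-0000-1003", 5.3, 0.40, False, True, "medium"),  # medium CVSS, high EPSS, reachable
    Finding("CVE-0000-1004", 7.5, 0.01, False, False, "low"),    # high CVSS, nothing to escalate it
]

if __name__ == "__main__":
    for p, cve, deadline in triage(SAMPLE, T0):
        print(p, cve, "due", deadline.date())
```

The point the sample makes is that the unreachable CVSS 9.8 finding lands in the same tier as the reachable, high-EPSS CVSS 5.3 one, which is the ordering a CVSS-only queue would invert.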
| Control | Title | Status | Evidence |
|---|---|---|---|
| APM-1.1 | Attack Path Modeling Capability | implemented | ThreatMapper ThreatGraph provides multi-stage attack path modeling across the customer's deployed fleet. Toxic combinations (CVE + reachability + admin IAM) surface in the operator console. |
| APM-1.2 | Adversarial AI Simulation | poam | Roadmapped for Phase 3. Atomic-red-team-style runs orchestrated by the Investigation Agent during the pre-deployment canary phase. Currently no implementation. POAM: POAM-APM-002 |
| APM-1.3 | Contextual Triage Integration | partial | ThreatGraph context flows into finding severity decisions today via the scan-api translator. Full integration into the Planning Agent's prioritization logic ships Phase 2. POAM: POAM-APM-003 |
| APM-1.4 | Threat Intelligence Integration | poam | MITRE ATT&CK feed integration planned for Phase 2. The Recall Agent's CVE intake will subscribe to CISA KEV plus nation-state TTP feeds (Mandiant, NVD enrichment, Microsoft Threat Intelligence Center). Currently relies on ThreatMapper's built-in feed. POAM: POAM-APM-004 |
| Control | Title | Status | Evidence |
|---|---|---|---|
| INV-2.1 | Software Bill of Materials (SBOM) at Release | implemented | Every Product Release Manifest (per MANIFEST.md) requires an SBOM attestation in SPDX 2.3 or CycloneDX 1.5 format with explicit version pinning. Manifests without an SBOM are rejected at registration. |
| INV-2.2 | Runtime Inventory Continuous Reconciliation | partial | Spoke Control Plane (Phase 1) continuously reconciles the deployed release SBOM against the runtime container manifest. Discrepancies auto-generate findings via scan-api. Currently the reconciliation loop is implemented only for the existing ThreatMapper wrapper; the Spoke generalizes it across all artifact types. POAM: POAM-INV-002 |
| INV-2.3 | Environment-Level Deployment Visibility | partial | Catalog (Phase 1) provides per-environment deployment state via a machine-readable API. Today this is partial: scan-api exposes /findings/posture per tenant, but environment-level deployment state requires the Hub. POAM: POAM-INV-003 |
| INV-2.4 | Supply Chain Visibility | implemented | Optimal's own SBOM is published with every release. The sub-business-associate chain (AWS, GCP, Azure HIPAA-eligible services, ThreatMapper Apache 2.0 upstream) is documented in the platform SSP. Supplier security attestation is tracked via the compliance_attestations field in the Product Release Manifest. |
| INV-2.5 | Air-Gapped and Disconnected Environment Coverage | poam | Designed in ARCHITECTURE.md § 6.2 (air-gapped state sync via signed offline bundles). Implementation scheduled for Phase 3. The Spoke is designed to tolerate degraded mode, but the offline bundle pipeline is not yet built. POAM: POAM-INV-005 |
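INV-2.1 and INV-2.2 together describe two checks on the same data: a registration gate that rejects a release manifest unless it carries an SPDX 2.3 or CycloneDX 1.5 SBOM with every version pinned, and a reconciliation loop that diffs that SBOM against what is actually running and turns each discrepancy into a finding. The block below is an added example of both; it is not the platform's manifest registration, scan-api or Spoke code. The minimal SPDX/CycloneDX JSON shapes, the runtime-manifest shape (package name to observed version), the "pinned version" rule and the sample packages are assumptions for the illustration.

```python
"""SBOM registration gate and runtime reconciliation.

Added example for INV-2.1 and INV-2.2; this is not the platform's manifest
registration, scan-api or Spoke code.  The minimal SPDX 2.3 / CycloneDX 1.5
JSON shapes, the runtime-manifest shape (package name -> observed version), and
the "pinned version" rule are assumptions for the illustration.
"""
import re

# A pinned version is a concrete release string: no ranges, wildcards or tags.
PINNED = re.compile(r"^\d+(\.\d+)*([-+][0-9A-Za-z.]+)?$")


def sbom_packages(doc: dict) -> list[tuple[str, str]]:
    """Extract (name, version) pairs from SPDX 2.3 JSON or CycloneDX 1.5 JSON.

    Any other format or spec version is rejected, matching the control's
    "SPDX 2.3 or CycloneDX 1.5" requirement.
    """
    if doc.get("spdxVersion") == "SPDX-2.3":
        return [(p["name"], p.get("versionInfo", "")) for p in doc.get("packages", [])]
    if doc.get("bomFormat") == "CycloneDX" and doc.get("specVersion") == "1.5":
        return [(c["name"], c.get("version", "")) for c in doc.get("components", [])]
    raise ValueError("unsupported SBOM format or version")


def validate_manifest(manifest: dict) -> list[str]:
    """Registration gate: return the reasons a release manifest is rejected.

    An empty list means the manifest is accepted.  A missing SBOM, an
    unsupported format, or any unpinned version is a rejection.
    """
    sbom = manifest.get("sbom")
    if sbom is None:
        return ["manifest has no SBOM attestation"]
    try:
        pkgs = sbom_packages(sbom)
    except ValueError as err:
        return [str(err)]
    return [f"{name}: version {ver!r} is not pinned"
            for name, ver in pkgs if not PINNED.match(ver)]


def reconcile(sbom: dict, runtime: dict[str, str]) -> list[tuple]:
    """Diff the declared SBOM against what is actually running.

    Returns (kind, name, declared_version, runtime_version) tuples where kind
    is "drift" (version mismatch), "missing" (declared but not running) or
    "unexpected" (running but never declared).  Each would become a finding.
    """
    declared = dict(sbom_packages(sbom))
    findings = []
    for name, ver in declared.items():
        if name not in runtime:
            findings.append(("missing", name, ver, None))
        elif runtime[name] != ver:
            findings.append(("drift", name, ver, runtime[name]))
    for name, ver in runtime.items():
        if name not in declared:
            findings.append(("unexpected", name, None, ver))
    return sorted(findings, key=lambda f: (f[0], f[1]))


# Constructed inputs for the example.
SPDX_DOC = {"spdxVersion": "SPDX-2.3", "name": "example-release",
            "packages": [{"name": "openssl", "versionInfo": "3.0.13"},
                         {"name": "curl", "versionInfo": "8.6.0"}]}
UNPINNED_DOC = {"spdxVersion": "SPDX-2.3",
                "packages": [{"name": "libxml2", "versionInfo": ">=2.9"},
                             {"name": "zlib", "versionInfo": "latest"}]}
CDX_DOC = {"bomFormat": "CycloneDX", "specVersion": "1.5",
           "components": [{"name": "openssl", "version": "3.0.13"}]}
RUNTIME = {"openssl": "3.0.12", "curl": "8.6.0", "busybox": "1.36.1"}  # observed in the container

if __name__ == "__main__":
    print("accept:", validate_manifest({"sbom": SPDX_DOC}))
    print("reject:", validate_manifest({"sbom": UNPINNED_DOC}))
    print("reject:", validate_manifest({}))
    print("drift:", reconcile(SPDX_DOC, RUNTIME))
```

The reconciliation deliberately reports "unexpected" packages as well as drift: a component present at runtime that was never declared is exactly the case an SBOM-only scan cannot see, and it is why the control requires the runtime inventory to be reconciled continuously rather than only at release.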
| Control | Title | Status | Evidence |
|---|---|---|---|
| ARO-3.1 | Automated Patch Deployment | partial | remediation-service generates fix PRs against the customer's Git repositories today (it is the Recall Agent's actuator). End-to-end automated deployment of patched releases via the Spoke executor ships in Phase 1's Recall Agent demo. Zero-downtime blue/green via the Spoke executor plus Helm chart conventions, Phase 2. POAM: POAM-ARO-001 |
| ARO-3.2 | Fleet-Wide Remediation Orchestration | partial | This is the agentic CD platform's core. Hub/Spoke topology and the Orchestration Engine ship in Phase 1 (single connected environment first, multi-environment fleet in Phase 2, air-gapped in Phase 3). No fleet today; a synthetic demo environment lives on demo.gooptimal.io. POAM: POAM-ARO-002 |
| ARO-3.3 | Compliance-Aware Change Management | partial | The stig-engine policy library and the tracker-service POAM lifecycle provide the policy substrate. The Compliance Agent (Phase 3) enforces these constraints at plan-evaluation time. Manual compliance review today; automated enforcement in Phase 3. POAM: POAM-ARO-003 |
| ARO-3.4 | Vulnerability Suppression with Audit Trail | implemented | tracker-service holds time-bounded suppressions with auto-expiration, full audit history, and risk-acceptance rationale. The hash-chained audit follows the services/ai-gateway/audit.py pattern (preserved from federal SKU work, repurposed for orchestration audit). |
| ARO-3.5 | Developer-Operator Workflow Integration | partial | Vulnerability Discovery (tracker-service) and Patch Availability (scan-api) milestones are captured today. The Deployment Authorization milestone ships with the Control Panel UI in Phase 4. remediation-service generates PRs that bridge developer and operator workflows. POAM: POAM-ARO-005 |
| ARO-3.6 | Remediation Metrics and Reporting | partial | The artifact-emitter pipeline supports the report generation format. MTTR by severity, SLA compliance rate, open findings by age, suppression inventory, and fleet-wide deployment coverage are all generated from tracker-service and Catalog telemetry. Some metrics (SLA compliance rate, fleet-wide coverage) require the Catalog (Phase 1). POAM: POAM-ARO-006 |
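ARO-3.4 names three properties a suppression store has to satisfy: every suppression is time-bounded and lapses on its own, a risk-acceptance rationale is mandatory, and the history is hash-chained so after-the-fact edits are detectable. The block below is an added example of that combination; it is not tracker-service or the services/ai-gateway/audit.py module the control cites. The record fields, the SHA-256-over-canonical-JSON chaining scheme and the sample suppression are assumptions made for the illustration.

```python
"""Time-bounded vulnerability suppressions with a hash-chained audit trail.

Added example for ARO-3.4; it is not tracker-service or the
services/ai-gateway/audit.py module the control cites.  The record fields, the
SHA-256 over canonical JSON chaining scheme and the sample data are assumptions.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64   # prev-hash of the first entry


def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so every verifier hashes the same bytes.
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class SuppressionLedger:
    """Active suppressions plus an append-only chain of every change to them."""

    def __init__(self):
        self.entries: list[dict] = []        # audit chain
        self.active: dict[str, dict] = {}    # finding_id -> suppression record

    def _append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, **event}
        entry = {**body, "hash": _digest(body)}
        self.entries.append(entry)
        return entry["hash"]

    def suppress(self, finding_id, actor, rationale, expires_at, now) -> str:
        """Record a risk acceptance.  Rationale and a future expiry are mandatory."""
        if not rationale.strip():
            raise ValueError("risk-acceptance rationale is required")
        if expires_at <= now:
            raise ValueError("suppression must be time-bounded with a future expiry")
        rec = {"finding_id": finding_id, "actor": actor, "rationale": rationale,
               "expires_at": expires_at.isoformat()}
        self.active[finding_id] = rec
        return self._append({"event": "suppress", "at": now.isoformat(), **rec})

    def is_suppressed(self, finding_id, now) -> bool:
        """Auto-expiration: a lapsed suppression stops applying and the lapse is logged once."""
        rec = self.active.get(finding_id)
        if rec is None:
            return False
        if datetime.fromisoformat(rec["expires_at"]) <= now:
            del self.active[finding_id]
            self._append({"event": "expire", "at": now.isoformat(), "finding_id": finding_id})
            return False
        return True

    def verify(self):
        """Recompute the chain; return the index of the first bad entry, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("prev") != prev or _digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None


T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)   # constructed clock for the example


def demo() -> dict:
    led = SuppressionLedger()
    led.suppress("F-1", "alice", "dev-only image; vulnerable port not exposed",
                 T0 + timedelta(days=30), T0)
    out = {"day1": led.is_suppressed("F-1", T0 + timedelta(days=1)),
           "day31": led.is_suppressed("F-1", T0 + timedelta(days=31))}
    out["events"] = [e["event"] for e in led.entries]
    out["intact"] = led.verify()
    led.entries[0]["rationale"] = "edited after the fact"   # simulated tampering with history
    out["tampered_at"] = led.verify()
    return out


if __name__ == "__main__":
    print(demo())
```

Note that chaining only detects tampering; it does not prevent it. A store that can be rewritten in place can also have its chain recomputed from the tampered entry onward, so in practice the head hash is periodically anchored somewhere the writer cannot modify (a signed record, a separate append-only log, or an external timestamp), which is the step the in-memory example leaves out.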