
NIST 800-53 Configuration Management & System Integrity Policy (CM/SI)

Document ID: PLCY-NIST-CMSI-001
Version: 1.0
Effective Date: December 30, 2025
Last Review: December 30, 2025
Owner: Hop And Haul Team


CONFIDENTIAL

This document is CONFIDENTIAL and for internal use only. Do not distribute outside the organization.

1. Purpose

This document defines Hop And Haul's implementation of the NIST 800-53 Configuration Management (CM) and System and Information Integrity (SI) families for FedRAMP Moderate authorization. It establishes requirements for maintaining secure system configurations, managing changes, and ensuring system integrity.


2. Scope

This policy applies to:

  • All Hop And Haul system components (application, database, infrastructure)
  • All configuration items and baselines
  • All software and firmware
  • All change management processes
  • All integrity monitoring systems

3. Configuration Management Policy (CM-1)

3.1 Policy Statement

Hop And Haul implements configuration management that:

  • Establishes and maintains baseline configurations
  • Controls and documents all system changes
  • Restricts unauthorized configuration changes
  • Monitors for configuration drift

3.2 Responsibilities

Role | Responsibilities
Security Team | Define security baselines, approve security changes
DevOps Team | Maintain configurations, implement changes
Development Team | Application configuration, code changes
Change Advisory Board (CAB) | Review and approve significant changes

4. Baseline Configuration (CM-2)

4.1 Configuration Baselines

Component | Baseline Type | Update Frequency
EC2 instances | AMI golden image | Monthly
RDS PostgreSQL | Parameter groups | Quarterly
Application | Docker image + config | Per release
Network | Security groups, NACLs | Quarterly
Cloudflare | Zero Trust policies | Quarterly

4.2 Baseline Contents

Element | Documentation
Operating system | Version, patches, hardening
Installed software | Packages, versions
Security settings | Firewall rules, permissions
Network configuration | IPs, routes, DNS
Application settings | Environment variables, feature flags

4.3 Golden Image Management

Activity | Frequency | Owner
AMI creation | Monthly | DevOps
Security scanning | Before promotion | Security
Baseline testing | Before promotion | QA
Documentation update | With each AMI | DevOps

4.4 Automation Support (CM-2(2))

Tool | Purpose | Status
Terraform | Infrastructure as Code | Implemented
Ansible | Configuration management | Implemented
AWS Config | Configuration compliance | Implemented
Docker | Application packaging | Implemented

5. Configuration Change Control (CM-3)

5.1 Change Categories

Category | Definition | Approval | Examples
Standard | Pre-approved, low risk | Automated | Dependency updates
Normal | Scheduled, moderate risk | CAB | Feature releases
Emergency | Urgent, high impact | Post-approval | Security patches
Significant | Major architectural | CAB + Security | Infrastructure changes

5.2 Change Process

Request → Impact Analysis → Approval → Implementation →
Verification → Documentation → Close

5.3 Change Documentation

Field | Requirement
Change ID | Unique identifier
Requestor | Person initiating change
Description | What is being changed
Justification | Business/technical reason
Impact analysis | Risk assessment
Rollback plan | How to revert if needed
Testing plan | Verification steps
Approvers | Required sign-offs
Implementation date | Scheduled time
Post-implementation review | Verification results

5.4 Testing and Validation (CM-3(2))

Change Type | Testing Required
Code changes | Unit, integration, security tests
Configuration changes | Validation in staging
Infrastructure changes | Terraform plan review
Security changes | Security team review

6. Impact Analysis (CM-4)

6.1 Analysis Requirements

Before any change, assess:

Factor | Consideration
Security impact | Does this affect security posture?
Availability impact | Will this cause downtime?
Performance impact | Will this affect response times?
Compliance impact | Does this affect compliance status?
Data impact | Does this affect data handling?

6.2 Impact Levels

Level | Definition | Approval
Low | Minimal impact, easily reversible | Team lead
Moderate | Some risk, rollback available | Manager
High | Significant risk, careful planning needed | CAB
Critical | Major impact, extensive testing required | CAB + Executive

7. Access Restrictions for Change (CM-5)

7.1 Change Access Controls

System | Who Can Change | How
Production code | Deployment pipeline only | CI/CD
Production config | DevOps (approved) | Infrastructure as Code
Database schema | DBA (approved) | Migration scripts
Security settings | Security team | Change request
Infrastructure | DevOps (approved) | Terraform

7.2 Separation of Duties

Activity | Cannot Be Same Person
Code commit | Code review approval
Change request | Change approval
Deployment initiation | Deployment verification
Security exception request | Exception approval

8. Configuration Settings (CM-6)

8.1 Security Configuration Standards

Component | Standard | Verification
Linux OS | CIS Benchmark Level 1 | Automated scanning
PostgreSQL | CIS PostgreSQL Benchmark | Configuration audit
Swift/Vapor | OWASP guidelines | Code review
AWS | CIS AWS Benchmark | AWS Config rules

8.2 Configuration Parameters

Parameter | Requirement
Password complexity | Managed by SSO provider
Session timeout | 15 minutes (access token)
TLS version | Minimum TLS 1.2, prefer 1.3
Encryption | AES-256-GCM
Logging | Comprehensive audit logging enabled

9. Least Functionality (CM-7)

9.1 Component Minimization

Principle | Implementation
Minimal OS | Only required packages installed
Disabled services | Non-essential services disabled
Closed ports | Only required ports open
Removed tools | Development tools not in production

9.2 Periodic Review (CM-7(1))

Review | Frequency | Owner
Installed packages | Quarterly | DevOps
Open ports | Monthly | Security
Running services | Monthly | Operations
User accounts | Quarterly | Security

10. System Component Inventory (CM-8)

10.1 Inventory Requirements

Asset Type | Tracked Information
Hardware | Instance ID, type, region, tags
Software | Name, version, license
Data stores | Database, location, classification
Network | VPC, subnets, security groups
Endpoints | URLs, certificates, owners

10.2 Inventory Management

Status | Implementation
Current | AWS resource tagging
Planned | Automated CMDB (Phase 2)

11. System and Information Integrity (SI-1)

11.1 Integrity Policy Statement

Hop And Haul implements integrity controls that:

  • Detect and prevent malicious code
  • Identify and remediate vulnerabilities
  • Monitor system behavior for anomalies
  • Validate input and output data

12. Flaw Remediation (SI-2)

12.1 Vulnerability Management

Activity | Frequency | Tool
SAST scanning | Every commit | Integrated scanner
Dependency scanning | Daily | Dependabot
Container scanning | Every build | Container scanner
Infrastructure scanning | Weekly | AWS Inspector
Penetration testing | Annual | 3PAO

12.2 Remediation SLAs

Severity | Response Time | Remediation Time
Critical | 4 hours | 24 hours
High | 24 hours | 7 days
Medium | 72 hours | 30 days
Low | 7 days | 90 days

12.3 Automated Status (SI-2(2))

Automation | Implementation
Vulnerability tracking | Integrated with ticketing
SLA monitoring | Automated alerts
Patch deployment | Automated for standard patches
Status reporting | Dashboard and reports

13. Malicious Code Protection (SI-3)

13.1 Protection Mechanisms

Layer | Protection | Implementation
Application | Memory-safe language | Swift (Vapor)
Input validation | Schema validation | All API endpoints
Dependency | Vulnerability scanning | Automated CI/CD
Infrastructure | AWS native protections | GuardDuty, WAF
Network | WAF rules | Cloudflare WAF

13.2 Update Frequency

Protection | Update Frequency
WAF rules | Continuous (Cloudflare managed)
Dependency versions | Weekly review
OS patches | Monthly (standard), immediate (critical)

14. System Monitoring (SI-4)

14.1 Monitoring Coverage

Monitoring Type | Scope | Tool
Security events | All authentication, authorization | CloudWatch + SIEM
Application behavior | API calls, business logic | Application logging
Infrastructure | Resource utilization, health | CloudWatch
Network | Traffic patterns, anomalies | VPC Flow Logs
File integrity | Critical system files | Planned (Phase 3)

14.2 Automated Tools (SI-4(2))

Tool | Purpose | Alerts
CloudWatch | Infrastructure monitoring | PagerDuty
SIEM | Security event correlation | PagerDuty
WAF | Attack detection | CloudWatch
GuardDuty | Threat detection | Security team

14.3 Traffic Monitoring (SI-4(4))

Traffic Type | Monitoring
Inbound API | Request logging, rate analysis
Outbound | Connection tracking
Internal | Service-to-service logging
Database | Query logging (performance)

14.4 System-Generated Alerts (SI-4(5))

Alert Type | Threshold | Response
Failed authentication | 5 in 15 min | Account lockout, alert
Unusual access pattern | ML anomaly | Security review
Resource exhaustion | 80% capacity | Operations alert
Error rate spike | 5x baseline | Development alert
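The failed-authentication threshold above (5 failures within 15 minutes) is a sliding-window rule, not a fixed-interval count: a burst that straddles a clock boundary must still trigger, and five failures spread over an hour must not. The following detector is an added example, not code from the Hop And Haul platform or its SIEM; the log line format (`<ISO timestamp> auth_failed user=<name>`) and field names are assumed for illustration.

```python
"""Sliding-window detector for the SI-4(5) failed-authentication rule:
5 failures for one account within 15 minutes triggers lockout + alert.
Added example; the log format and field names are assumed, not the project's."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                      # failures (policy value)
WINDOW = timedelta(minutes=15)     # sliding window (policy value)

def parse_line(line):
    """Parse a constructed '<ISO8601> <event> user=<name>' log line (assumed format)."""
    ts_text, event, user_field = line.split(" ", 2)
    return datetime.fromisoformat(ts_text), event, user_field.split("=", 1)[1]

def detect_failed_auth(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {user: timestamp_of_first_trigger} for accounts crossing the threshold.
    Each account keeps a deque of failure times; entries older than the window
    are evicted before counting, so only a dense burst trips the rule."""
    recent = defaultdict(deque)
    triggered = {}
    for line in sorted(lines):  # time order; fixed-width ISO timestamps sort lexically
        ts, event, user = parse_line(line)
        if event != "auth_failed":
            continue               # successes and other events do not count
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # evict failures outside the 15-minute window
            q.popleft()
        if len(q) >= threshold and user not in triggered:
            triggered[user] = ts   # lock the account and raise the alert once
    return triggered

# Constructed sample log: alice has 5 failures in 12 minutes (must trigger);
# bob has 5 failures spread over 40 minutes (must not); carol's success is ignored.
SAMPLE_LOG = [
    "2025-12-30T10:00:00 auth_failed user=alice",
    "2025-12-30T10:03:00 auth_failed user=alice",
    "2025-12-30T10:06:00 auth_failed user=alice",
    "2025-12-30T10:09:00 auth_failed user=alice",
    "2025-12-30T10:12:00 auth_failed user=alice",
    "2025-12-30T10:00:00 auth_failed user=bob",
    "2025-12-30T10:10:00 auth_failed user=bob",
    "2025-12-30T10:20:00 auth_failed user=bob",
    "2025-12-30T10:30:00 auth_failed user=bob",
    "2025-12-30T10:40:00 auth_failed user=bob",
    "2025-12-30T10:05:00 auth_ok user=carol",
]

if __name__ == "__main__":
    for user, when in detect_failed_auth(SAMPLE_LOG).items():
        print(f"LOCKOUT+ALERT {user} at {when.isoformat()}")
```

In a real pipeline the `triggered` result would feed the lockout action and the PagerDuty/SIEM alert named in 14.2; the eviction step is what keeps bob's slow trickle below the threshold.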

15. Security Alerts (SI-5)

15.1 Alert Sources

Source | Types of Alerts
AWS Security Hub | Security findings
US-CERT | Federal advisories
Vendor advisories | Product vulnerabilities
Threat intelligence | Emerging threats

15.2 Alert Response

Severity | Response Time | Action
Critical | Immediate | Emergency patch process
High | 24 hours | Assess and plan remediation
Medium | 72 hours | Schedule remediation
Low | 7 days | Add to backlog

16. Software and Information Integrity (SI-7)

16.1 Integrity Verification

Status | Implementation
Current | Code review, dependency checksums
Planned | Code signing, SBOM (Phase 3)

16.2 Planned Enhancements

Enhancement | Target | Timeline
Code signing | All releases | Phase 3
SBOM generation | All builds | Phase 3
Binary attestation | Container images | Phase 3
Runtime integrity | Critical components | Phase 3

17. Information Input Validation (SI-10)

17.1 Validation Requirements

Input Type | Validation
API requests | JSON schema validation
User input | Type, length, format validation
File uploads | Type verification, size limits, scanning
Configuration | Schema validation

17.2 Validation Implementation

Layer | Mechanism
API Gateway | Request schema validation
Application | Input sanitization
Database | Parameterized queries
Output | Encoding, escaping

18. Error Handling (SI-11)

18.1 Error Response Standards

Principle | Implementation
No sensitive data in errors | Generic error messages to clients
Detailed internal logging | Full context logged server-side
Graceful degradation | Fallback behavior defined
Error correlation | Request ID in all responses

18.2 Error Categories

Category | Client Response | Logging
Validation error | Specific field errors | Debug level
Authorization error | Generic "forbidden" | Warning level
System error | Generic "internal error" | Error level
Security event | Generic response | Alert + audit

19. Information Management and Retention (SI-12)

19.1 Data Lifecycle

Phase | Controls
Creation | Classification, encryption
Storage | Access controls, encryption at rest
Transmission | TLS encryption
Processing | Least privilege access
Retention | Per retention schedule
Disposal | Secure deletion/cryptographic erasure

19.2 Retention Alignment

See PLCY-RET-001 for authoritative retention schedule.


20. Memory Protection (SI-16)

20.1 Memory Safety

Protection | Implementation
Memory-safe language | Swift (application code)
Stack protection | OS-level protections enabled
ASLR | Enabled on all systems
NX bit | Non-executable stack

21. FedRAMP-Specific Enhancements (Planned)

Enhancement | Target Control | Timeline
FIPS 140-2 crypto modules | SC-13, SI-7 | Phase 3
Code signing | SI-7 | Phase 3
Automated CMDB | CM-8 | Phase 2
File integrity monitoring | SI-7(1) | Phase 3

22. Related Documents

Document | Relationship
PLCY-SEC-001 | Security controls baseline
PLCY-DRP-001 | Configuration recovery
PLCY-FED-005 | NIST control mapping

23. Document Control

Version | Date | Author | Changes
1.0 | December 30, 2025 | Hop And Haul Team | Initial release

CONFIDENTIAL - Internal Use Only - Hop And Haul Policy Documentation