Federal Risk Register
Document ID: PLCY-FED-003
Version: 1.0
Effective Date: December 30, 2025
Last Review: December 30, 2025
Owner: Hop And Haul Team
CONFIDENTIAL
This document is CONFIDENTIAL and for internal use only. Do not distribute outside the organization.
1. Purpose
This document serves as the "SSP-Lite" Risk and Mitigation Register for Hop And Haul. It documents the "High Consequence" threat model specific to a multi-tenant, inter-company rideshare system operating in federal and regulated environments. This register aligns with NIST RMF (Risk Management Framework) and supports FedRAMP Moderate authorization.
2. Risk Assessment Methodology
2.1 Impact Levels
| Level | Definition | Examples |
|---|---|---|
| Critical | Loss of life, severe injury, or catastrophic mission failure | Physical safety compromise, complete data breach |
| High | Significant harm to individuals, substantial financial loss, or major operational disruption | Identity theft, stalking enablement, regulatory violation |
| Moderate | Limited harm, manageable financial impact, or recoverable operational issues | Data exposure (non-PII), service degradation |
| Low | Minimal impact, easily recoverable | Minor inconvenience, cosmetic issues |
2.2 Likelihood Levels
| Level | Definition | Frequency |
|---|---|---|
| High | Expected to occur | Multiple times per year |
| Medium | Likely to occur | Once per year or less |
| Low | Unlikely but possible | Less than once per year |
| Rare | Exceptional circumstances | May never occur |
2.3 Risk Score Matrix
| | Low Impact | Moderate Impact | High Impact | Critical Impact |
|---|---|---|---|---|
| High Likelihood | Medium | High | Critical | Critical |
| Medium Likelihood | Low | Medium | High | Critical |
| Low Likelihood | Low | Low | Medium | High |
| Rare Likelihood | Low | Low | Low | Medium |
3. Physical Safety & Mission Risks
These risks address threats to the physical safety of drivers, riders, and mission integrity.
3.1 Risk Register - Physical Safety
| ID | Risk Scenario | Impact | Likelihood | Risk Score | NIST Controls |
|---|---|---|---|---|---|
| P1 | Predator/Stalker | Critical | Medium | Critical | AC-3, SI-4, AC-4 |
| P2 | Impersonation | High | Medium | High | IA-2, IA-5, IA-8 |
| P3 | Coercion/Duress | High | Low | Medium | AU-2, IR-4, SI-4 |
| P4 | Social Engineering (Voice) | Moderate | Medium | Medium | AT-2, SA-11, AC-3 |
3.2 Risk Details and Mitigations
P1: Predator/Stalker Risk
Description: Driver or Rider uses location data to stalk or ambush the other party.
Attack Vectors:
- Exploitation of real-time location data
- Pattern analysis from historical ride data
- Abuse of contact information
Technical & Process Mitigations:
| Control | Implementation | Status |
|---|---|---|
| Coarse Location | Show only "5 mins away" (no map dot) until pickup commitment | Implemented |
| Step-Up Reveal | Exact location requires in-app acceptance + step-up authentication | Implemented |
| Voice/SMS Masking | Voice and SMS relay through system; no real numbers shared | Implemented |
| Anti-Triangulation | Fuzzification algorithm with random offset per offer | Implemented |
| Time-Limited Access | Tracking tokens auto-expire after ride + 15 minutes | Implemented |
| Data Retention Limits | GPS breadcrumbs purged after 48 hours unless disputed | Implemented |
Residual Risk: Low (after mitigations)
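One way to implement the Coarse Location and Anti-Triangulation controls above, as an added example (not Hop And Haul's own code): the offset is derived from a server secret and the offer ID, so repeated polls of the same offer return the same fuzzed point and cannot be averaged back to the true position. The secret, the 400 m radius and the walking speed used for the "N mins away" label are assumptions for the demo.

```python
import hashlib
import hmac
import math

# Constructed demo secret; in production it would come from a secrets manager.
SERVER_SECRET = b"constructed-demo-secret"
MAX_OFFSET_M = 400.0            # assumed fuzz radius in metres
METERS_PER_DEG_LAT = 111_320.0  # approx. metres per degree of latitude


def offer_offset(offer_id: str, radius_m: float = MAX_OFFSET_M) -> tuple[float, float]:
    """Fixed pseudo-random offset (north_m, east_m) for one offer.

    Keyed by offer_id: the same offer always yields the same offset, so an
    observer polling repeatedly sees one displaced point rather than a cloud
    that converges on the truth. A different offer gets an unrelated offset.
    """
    digest = hmac.new(SERVER_SECRET, offer_id.encode(), hashlib.sha256).digest()
    angle = int.from_bytes(digest[:8], "big") / 2**64 * 2 * math.pi
    # sqrt gives uniform density over the disc instead of clustering at the centre.
    r = radius_m * math.sqrt(int.from_bytes(digest[8:16], "big") / 2**64)
    return r * math.cos(angle), r * math.sin(angle)


def offset_distance_m(offer_id: str) -> float:
    """Magnitude of the offset applied to an offer, for bounds checking."""
    north_m, east_m = offer_offset(offer_id)
    return math.hypot(north_m, east_m)


def fuzz_location(lat: float, lon: float, offer_id: str) -> tuple[float, float]:
    """Apply the per-offer offset to a true position (degrees in, degrees out)."""
    north_m, east_m = offer_offset(offer_id)
    dlat = north_m / METERS_PER_DEG_LAT
    dlon = east_m / (METERS_PER_DEG_LAT * math.cos(math.radians(lat)))
    return lat + dlat, lon + dlon


def eta_label(distance_m: float, speed_mps: float = 8.0) -> str:
    """Coarse 'N mins away' text shown before pickup commitment (no map dot).

    speed_mps is an assumed average driving speed for the demo.
    """
    minutes = max(1, math.ceil(distance_m / speed_mps / 60))
    return f"{minutes} mins away"
```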
P2: Impersonation Risk
Description: Wrong person picks up the rider, creating robbery or kidnapping risk.
Attack Vectors:
- Vehicle/driver substitution
- Stolen credentials
- Compromised device
Technical & Process Mitigations:
| Control | Implementation | Status |
|---|---|---|
| Mandatory Handshake | Ride cannot "Start" without PIN/QR exchange | Implemented |
| Mismatch Flow | One-tap "Report Mismatch" blocks the ride and alerts safety team | Implemented |
| Device Binding | Drivers cannot switch phones without re-authentication | Implemented |
| Photo Verification | Driver photo displayed to rider; rider can verify | Implemented |
| Vehicle Verification | License plate and vehicle description verified | Implemented |
Residual Risk: Low (after mitigations)
P3: Coercion/Duress Risk
Description: User forced to drive off-route or cancel ride under threat.
Attack Vectors:
- Physical threat during ride
- Kidnapping scenario
- Forced route deviation
Technical & Process Mitigations:
| Control | Implementation | Status |
|---|---|---|
| Silent SOS | "Fake Cancel" button triggers safety ops but ends ride in UI | Planned (Phase 2) |
| Deviation Alerts | Server triggers a check-in if the route deviates by more than 5 miles or 5 minutes from plan | Implemented |
| Duress Code | Entering a specific PIN alerts safety teams silently | Planned (Phase 2) |
| Real-Time Monitoring | Safety ops can monitor active rides flagged for deviation | Implemented |
| Emergency Escalation | Automatic 911 dispatch integration for unresponsive alerts | Planned (Phase 2) |
Residual Risk: Medium (pending Phase 2 implementation)
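The distance half of the Deviation Alerts control, as an added example that is not the project's code: the server compares each GPS fix with the planned route and flags a check-in when the fix is more than 5 miles from the nearest waypoint. The route coordinates are constructed demo values, and the waypoint list is assumed dense enough that waypoint distance approximates distance from the road.

```python
import math

DEVIATION_MILES = 5.0   # threshold from the register's Deviation Alerts control
EARTH_RADIUS_MI = 3958.8


def haversine_mi(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in miles between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(a))


def distance_from_route_mi(position: tuple[float, float],
                           route: list[tuple[float, float]]) -> float:
    """Shortest distance from the current fix to any planned waypoint.

    Assumes waypoints are spaced well below the threshold; a sparse route
    would need point-to-segment distance instead.
    """
    lat, lon = position
    return min(haversine_mi(lat, lon, wlat, wlon) for wlat, wlon in route)


def check_deviation(position: tuple[float, float],
                    route: list[tuple[float, float]],
                    threshold_mi: float = DEVIATION_MILES) -> tuple[bool, float]:
    """Return (needs_checkin, distance_mi); needs_checkin is True when off route."""
    d = distance_from_route_mi(position, route)
    return d > threshold_mi, d


# Constructed planned route (demo coordinates, roughly 3-4 miles apart).
PLANNED_ROUTE = [
    (38.9072, -77.0369),
    (38.9500, -77.0000),
    (39.0000, -76.9500),
    (39.0500, -76.9000),
]
```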
P4: Social Engineering (Voice) Risk
Description: Attacker spoofs "Fleet Seats Agent" to redirect driver via phone call.
Attack Vectors:
- Caller ID spoofing
- Pretexting as support agent
- Manipulation to change destination
Technical & Process Mitigations:
| Control | Implementation | Status |
|---|---|---|
| Verifiable Request | Agent calls must reference a code displayed in-app | Implemented |
| In-App Confirmation | Agent cannot "accept" for a driver; driver must tap in-app | Implemented |
| No Phone Instructions | Policy: Agents never instruct drivers to deviate via voice | Implemented |
| Training | Driver awareness training on social engineering tactics | Implemented |
Residual Risk: Low (after mitigations)
4. Technical & Data Risks
These risks address threats to the confidentiality, integrity, and availability of the Hop And Haul platform and data.
4.1 Risk Register - Technical & Data
| ID | Risk Scenario | Impact | Likelihood | Risk Score | NIST Controls |
|---|---|---|---|---|---|
| T1 | Tenant Leak (Blast Radius) | Critical | Low | High | AC-4, SC-4, AC-3 |
| T2 | Device Compromise | High | Medium | High | SC-7, SI-4, AC-19 |
| T3 | Insider Threat (Admin) | Critical | Low | High | AC-5, AU-12, AC-6 |
| T4 | Samsara/API Key Leak | High | Medium | High | SC-12, SC-28, SA-9 |
| T5 | Data Permanence | Moderate | Medium | Medium | SI-12, MP-6, AU-11 |
4.2 Risk Details and Mitigations
T1: Tenant Leak (Blast Radius) Risk
Description: Bug exposes all fleets' drivers to one user, breaking tenant isolation.
Attack Vectors:
- SQL injection bypassing tenant filters
- API parameter manipulation
- Authorization logic flaws
Technical & Process Mitigations:
| Control | Implementation | Status |
|---|---|---|
| Row Level Security (RLS) | Tenant ID enforced at PostgreSQL database level | Implemented |
| Middleware Enforcement | Application layer rejects queries without Tenant ID | Implemented |
| Schema Isolation | Separate schema/encryption keys for "Mission Mode" fleets | Planned (Phase 3) |
| Tenant ID Validation | All API endpoints validate tenant context | Implemented |
| Automated Testing | Cross-tenant access tests in CI/CD pipeline | Implemented |
Residual Risk: Low (after mitigations)
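The Middleware Enforcement and Automated Testing controls above, as an added example (not Hop And Haul's implementation): every data access must run under a tenant context that the auth layer sets per request, queries are parameterised so an injected tenant value cannot widen the filter, and a CI-style check asserts that one fleet's context never sees another fleet's drivers. The in-memory SQLite table and fleet names are constructed demo data; the database-level RLS policy from the register is out of scope here.

```python
import contextvars
import sqlite3

# Tenant context set by the auth layer for the duration of one request.
_current_tenant: contextvars.ContextVar = contextvars.ContextVar("tenant_id", default=None)


class MissingTenantError(RuntimeError):
    """Raised when a data access runs without a tenant context."""


def require_tenant() -> str:
    tenant = _current_tenant.get()
    if tenant is None:
        raise MissingTenantError("query rejected: no tenant context")
    return tenant


def as_tenant(tenant_id: str, fn, *args):
    """Run fn with the tenant context set, then clear it (request scope)."""
    token = _current_tenant.set(tenant_id)
    try:
        return fn(*args)
    finally:
        _current_tenant.reset(token)


def list_drivers(conn: sqlite3.Connection) -> list[str]:
    """Drivers visible to the caller: always filtered by the bound tenant.

    The tenant value is passed as a bound parameter, so a value such as
    "' OR 1=1 --" is compared as a literal string, not spliced into the SQL.
    """
    tenant = require_tenant()
    rows = conn.execute(
        "SELECT name FROM drivers WHERE tenant_id = ? ORDER BY name", (tenant,)
    ).fetchall()
    return [r[0] for r in rows]


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory data: two fleets (tenants) with their drivers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE drivers (tenant_id TEXT, name TEXT)")
    conn.executemany("INSERT INTO drivers VALUES (?, ?)",
                     [("fleet-a", "alice"), ("fleet-a", "arjun"), ("fleet-b", "bao")])
    return conn


def cross_tenant_leak(conn: sqlite3.Connection) -> bool:
    """CI check: True if any fleet-b driver is visible from fleet-a's context."""
    seen = set(as_tenant("fleet-a", list_drivers, conn))
    other = {r[0] for r in conn.execute("SELECT name FROM drivers WHERE tenant_id = 'fleet-b'")}
    return bool(seen & other)
```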
T2: Device Compromise Risk
Description: Stolen unlocked phone accesses fleet data.
Attack Vectors:
- Device theft
- Malware on device
- Rooted/jailbroken devices
Technical & Process Mitigations:
| Control | Implementation | Status |
|---|---|---|
| Short Sessions | Access tokens expire in 15 minutes; refresh rotation | Implemented |
| Step-Up Auth | Critical actions (Accept/Start/Export) require FaceID/PIN | Implemented |
| MDM Integration | Block rooted/jailbroken devices; remote session revoke | Planned (Phase 2) |
| Device Binding | Session tied to device fingerprint | Implemented |
| Remote Wipe Capability | Fleet admin can revoke device access | Implemented |
Residual Risk: Medium (pending MDM integration)
T3: Insider Threat (Admin) Risk
Description: Support staff uses admin tools to spy on locations or access sensitive data.
Attack Vectors:
- Unauthorized data browsing
- Abuse of admin privileges
- Data exfiltration
Technical & Process Mitigations:
| Control | Implementation | Status |
|---|---|---|
| Just-In-Time Access | Admins cannot browse; access requires Ticket ID + Time-box | Planned (Phase 2) |
| Break-Glass Alerts | "View all" triggers immediate alert + audit log | Implemented |
| Redaction | Location/PII masked by default in admin views | Implemented |
| Separation of Duties | Different roles for different admin functions | Implemented |
| Comprehensive Logging | All admin actions logged to immutable audit trail | Implemented |
| Periodic Access Reviews | Quarterly review of admin access rights | Implemented |
Residual Risk: Medium (pending JIT access implementation)
T4: Samsara/API Key Leak Risk
Description: Fleet API key stolen, exposing entire fleet map and telematics data.
Attack Vectors:
- Key in source code
- Key in logs
- Compromised integration service
Technical & Process Mitigations:
| Control | Implementation | Status |
|---|---|---|
| Secrets Manager | Keys stored in AWS Secrets Manager; never in source code or as plaintext in the database | Implemented |
| Least Privilege | Scoped keys (read-only, specific tags) | Implemented |
| Kill Switch | Auto-revoke if anomaly detection sees usage spikes | Planned (Phase 2) |
| Key Rotation | Quarterly rotation of integration keys | Implemented |
| Envelope Encryption | Tenant keys encrypted with master key | Implemented |
Residual Risk: Medium (pending anomaly detection)
T5: Data Permanence Risk
Description: Old GPS trails subpoenaed or leaked years later, enabling retrospective surveillance.
Attack Vectors:
- Legal discovery
- Data breach of historical archives
- Regulatory overreach
Technical & Process Mitigations:
| Control | Implementation | Status |
|---|---|---|
| Lifecycle Policy - Live | GPS data retained <24 hours in hot database | Implemented |
| Lifecycle Policy - Summary | Billing data only in cold storage (no GPS) | Implemented |
| Lifecycle Policy - Incident | Encrypted package with legal hold flag | Implemented |
| Auto-Deletion | GPS breadcrumbs purged after 48 hours unless disputed | Implemented |
| Cryptographic Erasure | Key destruction for expired data | Planned (Phase 3) |
Residual Risk: Low (after mitigations)
5. Risk Treatment Summary
5.1 Current Risk Posture
| Risk Level | Count | Risks |
|---|---|---|
| Critical | 0 | - |
| High | 2 | T1 (pending isolation), T3 (pending JIT) |
| Medium | 4 | P3, P4, T2, T4 |
| Low | 3 | P1, P2, T5 |
5.2 Risk Treatment Decisions
| Risk | Treatment | Rationale |
|---|---|---|
| P1 | Mitigate | Multiple layers of location protection implemented |
| P2 | Mitigate | Identity verification controls in place |
| P3 | Mitigate | Phase 2 will add duress detection |
| P4 | Mitigate | Training and verification codes implemented |
| T1 | Mitigate | RLS and middleware provide strong isolation |
| T2 | Mitigate | MDM integration planned for Phase 2 |
| T3 | Mitigate | JIT access planned for Phase 2 |
| T4 | Mitigate | Anomaly detection planned for Phase 2 |
| T5 | Mitigate | Retention policies minimize data permanence |
6. Risk Monitoring
6.1 Key Risk Indicators (KRIs)
| KRI | Threshold | Frequency | Owner |
|---|---|---|---|
| Failed authentication attempts | >100/hour | Real-time | Security |
| Cross-tenant query attempts | Any | Real-time | Security |
| Admin break-glass usage | Any | Real-time | Security |
| Route deviation alerts | >10/day | Daily | Safety Ops |
| Data export volume | >1000 records | Real-time | Security |
6.2 Risk Review Cadence
| Activity | Frequency | Participants |
|---|---|---|
| Risk register review | Quarterly | Security, Operations, Legal |
| Threat model update | Semi-annual | Security, Development |
| Tabletop exercise | Quarterly | All stakeholders |
| Penetration testing | Annual | 3PAO |
7. Related Documents
| Document | Relationship |
|---|---|
| PLCY-RSK-001 | Risk assessment methodology |
| PLCY-SEC-001 | Security controls implementation |
| PLCY-INC-001 | Incident response procedures |
| PLCY-FED-004 | Remediation timeline |
| PLCY-FED-005 | NIST control mapping |
8. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | December 30, 2025 | Hop And Haul Team | Initial release |