System Security Plan (SSP-Lite)
Document ID: PLCY-FED-002
Version: 1.0
Effective Date: December 30, 2025
Last Review: December 30, 2025
Owner: Hop And Haul Team
CONFIDENTIAL
This document is CONFIDENTIAL and for internal use only. Do not distribute outside the organization.
1. Purpose
This document provides a condensed System Security Plan (SSP-Lite) for the Hop And Haul platform, establishing the foundation for FedRAMP Moderate authorization. It documents the system boundary, security categorization, control implementation, and continuous monitoring strategy in alignment with NIST SP 800-53 and FedRAMP requirements.
2. System Identification
2.1 System Information
| Attribute | Value |
|---|---|
| System Name | Hop And Haul |
| System Abbreviation | FS |
| Version | 1.0 |
| System Type | Major Application |
| Service Model | Software as a Service (SaaS) |
| Deployment Model | Public Cloud (AWS) |
| Authorization Type | FedRAMP Moderate |
2.2 System Owner
| Role | Organization |
|---|---|
| System Owner | Hop And Haul Operations |
| Authorizing Official | [To be designated] |
| Information System Security Officer (ISSO) | Hop And Haul Security Team |
2.3 Operational Status
| Status | Description |
|---|---|
| Current | Operational |
| Authorization Status | Seeking FedRAMP Moderate |
3. System Description
3.1 System Purpose
Hop And Haul is a multi-tenant SaaS platform that provides fleet rideshare matching services. The system enables:
- Secure matching between drivers and riders across fleet organizations
- Real-time location tracking with privacy protections
- Safety monitoring and incident response capabilities
- Fleet management and reporting
- Voice agent integration for hands-free operation
3.2 System Architecture
```
┌─────────────────────────────────────────────────────────────┐
│             Hop And Haul Authorization Boundary             │
├─────────────────────────────────────────────────────────────┤
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐      │
│  │   Mobile    │    │ Cloudflare  │    │    Admin    │      │
│  │    Apps     │───▶│ Zero Trust  │───▶│   Portal    │      │
│  └─────────────┘    └─────────────┘    └─────────────┘      │
│         │                  │                  │             │
│         ▼                  ▼                  ▼             │
│  ┌─────────────────────────────────────────────────────┐    │
│  │           Hop And Haul API (Swift Vapor)            │    │
│  │              EC2 r6g.xlarge (32GB RAM)              │    │
│  └─────────────────────────────────────────────────────┘    │
│         │                  │                  │             │
│         ▼                  ▼                  ▼             │
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐      │
│  │     RDS     │    │     S3      │    │ CloudWatch  │      │
│  │ PostgreSQL  │    │   Storage   │    │    Logs     │      │
│  │ (Multi-AZ)  │    │ (Encrypted) │    │             │      │
│  └─────────────┘    └─────────────┘    └─────────────┘      │
└─────────────────────────────────────────────────────────────┘
                               │
                     ┌─────────┴─────────┐
                     │ External Services │
                     │ (Outside Boundary)│
                     ├───────────────────┤
                     │ • Twilio (Voice)  │
                     │ • Samsara (ELD)   │
                     │ • Maps Provider   │
                     └───────────────────┘
```
3.3 System Components
| Component | Description | Location |
|---|---|---|
| Hop And Haul API | Swift Vapor application server | EC2 (us-east-1) |
| PostgreSQL Database | Primary data store with RLS | RDS Multi-AZ |
| Object Storage | Encrypted file storage | S3 |
| CDN/WAF | Content delivery and protection | Cloudflare |
| Logging | Audit and operational logs | CloudWatch |
3.4 System Interconnections
| External System | Type | Data Exchanged | Direction |
|---|---|---|---|
| AWS | Infrastructure | All system operations | Bidirectional |
| Cloudflare | Security/Network | Traffic, authentication | Bidirectional |
| Twilio | Communications | Voice/SMS (masked) | Bidirectional |
| Samsara | Telematics | Vehicle location, ELD | Inbound |
| Corporate IdP | Authentication | SSO tokens | Inbound |
4. Security Categorization
4.1 FIPS 199 Categorization
Based on FIPS 199 and NIST SP 800-60:
| Security Objective | Impact Level | Rationale |
|---|---|---|
| Confidentiality | Moderate | PII (names, locations), business data |
| Integrity | Moderate | Safety-critical matching, financial transactions |
| Availability | Moderate | Business operations dependent, safety monitoring |
Overall Categorization: Moderate (high-water mark across the three objectives above). FIPS 199 applies the same high-water mark across information types, so the provisional High ratings for Safety incidents and Authentication data in 4.2 must carry a documented NIST SP 800-60 adjustment rationale to Moderate; without one, the system categorization is High.
4.2 Information Types
| Information Type | Category | Confidentiality | Integrity | Availability |
|---|---|---|---|---|
| User identity | PII | Moderate | Moderate | Low |
| Location data | Sensitive | Moderate | Moderate | Moderate |
| Ride transactions | Business | Low | Moderate | Moderate |
| Safety incidents | Sensitive | Moderate | High | High |
| Authentication data | Security | High | High | Moderate |
| Audit logs | Security | Moderate | High | Moderate |
5. Authorization Boundary
5.1 Boundary Definition
The Hop And Haul authorization boundary includes:
Included:
- Hop And Haul API application code and configuration
- Application servers (EC2)
- Database instances (RDS)
- Storage buckets (S3)
- Network configuration (VPC, security groups)
- Logging infrastructure (CloudWatch)
- Mobile application code (iOS, Android)
Excluded (External/Inherited):
- AWS infrastructure (FedRAMP High inherited)
- Cloudflare services (FedRAMP Moderate inherited)
- Twilio communications (FedRAMP Moderate, data minimized)
- Samsara telematics (not FedRAMP, customer managed)
- Customer corporate networks
- End-user devices
5.2 Data Flow
| Flow | Source | Destination | Classification | Protection |
|---|---|---|---|---|
| Mobile → API | Driver/Rider device | Hop And Haul API | Moderate | TLS 1.3 |
| API → Database | Hop And Haul API | PostgreSQL | Moderate | TLS 1.2+ |
| API → Storage | Hop And Haul API | S3 | Moderate | TLS, SSE |
| API → Logs | Hop And Haul API | CloudWatch | Moderate | TLS |
| API → External | Hop And Haul API | Twilio, Samsara | Low | TLS, scoped |
6. Security Control Implementation Summary
6.1 Control Implementation Status
| Control Family | Total Controls | Implemented | Planned | Inherited |
|---|---|---|---|---|
| Access Control (AC) | 25 | 20 | 3 | 2 |
| Audit & Accountability (AU) | 16 | 15 | 1 | 0 |
| Configuration Management (CM) | 11 | 9 | 1 | 1 |
| Contingency Planning (CP) | 13 | 12 | 1 | 0 |
| Identification & Authentication (IA) | 12 | 10 | 1 | 1 |
| Incident Response (IR) | 10 | 9 | 1 | 0 |
| Maintenance (MA) | 6 | 4 | 0 | 2 |
| Media Protection (MP) | 8 | 6 | 0 | 2 |
| Physical & Environmental (PE) | 20 | 0 | 0 | 20 |
| Planning (PL) | 9 | 7 | 2 | 0 |
| Personnel Security (PS) | 9 | 0 | 0 | 9 |
| Risk Assessment (RA) | 9 | 8 | 1 | 0 |
| System & Services Acquisition (SA) | 22 | 14 | 6 | 2 |
| System & Communications (SC) | 41 | 32 | 7 | 2 |
| System & Information Integrity (SI) | 23 | 18 | 4 | 1 |
6.2 Inherited Controls
Controls inherited from AWS (FedRAMP High):
- PE family (Physical and Environmental Protection)
- PS family (Personnel Security) - partial
- MA family (Maintenance) - partial
Controls inherited from Cloudflare (FedRAMP Moderate):
- SC family (System and Communications Protection) - partial
- AC family (Access Control) - partial
6.3 Key Control Implementations
| Control | Implementation Summary |
|---|---|
| AC-2 | SSO integration, automated provisioning, role-based access |
| AC-3 | JWT validated in API middleware on every request; PostgreSQL row-level security scopes all queries to the caller's organization |
| AU-2 | Comprehensive event logging for all security events |
| CM-2 | AMI golden images, Infrastructure as Code |
| CP-9 | Automated backups, Multi-AZ deployment |
| IA-2 | MFA required for privileged access, biometric for mobile |
| IR-4 | Documented IR procedures, 24/7 on-call rotation |
| SC-8 | TLS 1.3 for all external, TLS 1.2+ for internal |
| SC-28 | AES-256-GCM encryption at rest |
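The AC-3 row above names two enforcement points: the API middleware that validates the JWT, and row-level security (RLS) in PostgreSQL that scopes every query to one organization. The following is an added illustration of the database half, written for this document and not taken from the Hop And Haul code base. The table, column and role names (`rides`, `org_id`, `hah_api`) and the session setting `app.org_id` are assumptions; the sample rows are constructed.

```sql
-- Added example (not Hop And Haul code): PostgreSQL row-level security for
-- per-organization tenant isolation. Names and sample data are assumed.

-- Role the API connects as. It must not own the tables and must not have
-- BYPASSRLS, otherwise the policies below are silently skipped.
CREATE ROLE hah_api NOLOGIN NOBYPASSRLS;

CREATE TABLE rides (
    ride_id     uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id      uuid NOT NULL,
    driver_id   uuid,
    rider_id    uuid NOT NULL,
    status      text NOT NULL,
    created_at  timestamptz NOT NULL DEFAULT now()
);

ALTER TABLE rides ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policies to a non-superuser table owner as well, so a
-- migration or maintenance connection cannot read across tenants by accident.
ALTER TABLE rides FORCE ROW LEVEL SECURITY;

-- Tenant scope is a transaction-local setting that the API writes after it has
-- verified the JWT. current_setting(..., true) yields NULL when the setting was
-- never defined and '' when it has been reset, so NULLIF covers both; a NULL
-- uuid compares as unknown and no row matches (fail closed, not fail open).
CREATE POLICY rides_org_isolation ON rides
    FOR ALL
    TO hah_api
    USING      (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid);

GRANT SELECT, INSERT, UPDATE ON rides TO hah_api;

-- Constructed sample rows for two organizations.
INSERT INTO rides (org_id, rider_id, status) VALUES
    ('11111111-1111-1111-1111-111111111111', gen_random_uuid(), 'requested'),
    ('22222222-2222-2222-2222-222222222222', gen_random_uuid(), 'requested');

-- Per-request pattern for the API: one transaction, SET LOCAL so the scope
-- ends with the transaction and cannot leak to the next request on a pooled
-- connection. Only org 1111... rows are visible inside this block.
BEGIN;
SET LOCAL ROLE hah_api;
SET LOCAL app.org_id = '11111111-1111-1111-1111-111111111111';
SELECT ride_id, org_id, status FROM rides;
-- Planting a row in another tenant is rejected by WITH CHECK
-- ("new row violates row-level security policy"):
-- INSERT INTO rides (org_id, rider_id, status)
--   VALUES ('22222222-2222-2222-2222-222222222222', gen_random_uuid(), 'requested');
COMMIT;

-- Unscoped transaction (middleware bug, or a connection that skipped the
-- SET LOCAL): the policy evaluates to NULL and the result is empty rather
-- than a cross-tenant dump.
BEGIN;
SET LOCAL ROLE hah_api;
SELECT ride_id, org_id, status FROM rides;
COMMIT;
```

Two checks worth adding to the control test plan: confirm with `\du` that no application role has `BYPASSRLS` or `SUPERUSER`, and confirm with `SELECT relname, relforcerowsecurity FROM pg_class WHERE relrowsecurity` that every tenant-scoped table has FORCE set, since RLS is the only thing standing between a JWT bug and every organization's data.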
7. Continuous Monitoring Strategy
7.1 Monitoring Components
| Component | Tool | Frequency |
|---|---|---|
| Vulnerability scanning | Amazon Inspector | Weekly |
| Configuration compliance | AWS Config | Continuous |
| Security event monitoring | CloudWatch + SIEM | Real-time |
| Log analysis | CloudWatch Logs Insights | Daily |
| Access review | Manual process | Quarterly |
| Penetration testing | 3PAO | Annual |
7.2 Metrics and Reporting
| Metric | Target | Reporting |
|---|---|---|
| Vulnerability remediation (Critical) | 24 hours | Weekly |
| Vulnerability remediation (High) | 7 days | Weekly |
| Incident response time | Per SLA | Monthly |
| System availability | 99.9% | Monthly |
| Failed login rate | Within established baseline | Monthly |
7.3 POA&M Management
| Activity | Frequency | Owner |
|---|---|---|
| POA&M review | Monthly | Security |
| Finding remediation | Per timeline | Assigned owner |
| Risk acceptance review | Quarterly | Security Manager |
| FedRAMP reporting | Monthly | Compliance |
8. Roles and Responsibilities
8.1 Security Roles
| Role | Responsibilities |
|---|---|
| ISSO | Security oversight, compliance, reporting |
| Security Team | Control implementation, monitoring, incident response |
| DevOps | Infrastructure security, patching, configuration |
| Development | Secure coding, vulnerability remediation |
| Legal/Compliance | Regulatory compliance, contract security |
8.2 User Roles
| Role | Access Level | Authorization |
|---|---|---|
| Driver | Own rides, limited PII | Org membership |
| Rider | Own rides, driver basics | Org membership |
| Fleet Admin | Org data, user management | Customer approval |
| Support Staff | Ticket-scoped access | Employment + training |
| System Admin | Infrastructure | Security approval |
9. Privacy Considerations
9.1 PII Inventory
| PII Type | Collection | Storage | Retention |
|---|---|---|---|
| Name | Required | Encrypted DB | Per retention policy |
| Phone | Required | Encrypted DB | Per retention policy |
| Location | Operational | Coarsened pre-match; encrypted at rest | 48 hours (precise GPS detail) |
| Trip history | Generated | Encrypted DB | 36 months |
9.2 Privacy Controls
| Control | Implementation |
|---|---|
| Data minimization | Collect only necessary data |
| Purpose limitation | Use data only for stated purposes |
| Location coarsening | Only grid-level location is exposed before a match is confirmed |
| Number masking | Relay calls, no direct numbers |
| Retention limits | Automated data deletion |
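Two of the rows above are concrete enough to show: the pre-match protection of precise location (9.2) and the 48-hour retention of GPS detail (9.1). The following is an added illustration written for this document, not code from the Hop And Haul platform. The table `gps_points`, the 0.01-degree grid size, the helper `coarsen_coord` and the way the retention job is scheduled are all assumptions; the coordinates are constructed.

```sql
-- Added example (not Hop And Haul code): coarsen GPS fixes for anyone not yet
-- matched to the user, and delete precise fixes after 48 hours. Table names,
-- grid size and sample coordinates are assumed.

CREATE TABLE gps_points (
    point_id     bigserial PRIMARY KEY,
    user_id      uuid NOT NULL,
    ride_id      uuid,                                  -- NULL until matched
    lat          double precision NOT NULL CHECK (lat BETWEEN -90 AND 90),
    lon          double precision NOT NULL CHECK (lon BETWEEN -180 AND 180),
    recorded_at  timestamptz NOT NULL DEFAULT now()
);

-- Snap a coordinate to the centre of a fixed grid cell. A 0.01-degree cell is
-- about 1.1 km of latitude, so a 4-decimal fix (roughly 11 m) is not
-- recoverable from the output.
CREATE FUNCTION coarsen_coord(v double precision, cell double precision)
RETURNS double precision
LANGUAGE sql IMMUTABLE STRICT
AS $$ SELECT floor(v / cell) * cell + cell / 2 $$;

-- Pre-match counterparts query this view only; the precise columns are never
-- granted to them. Timestamps are truncated to the minute for the same reason.
CREATE VIEW gps_points_coarse AS
SELECT point_id,
       user_id,
       coarsen_coord(lat, 0.01)          AS lat_coarse,
       coarsen_coord(lon, 0.01)          AS lon_coarse,
       date_trunc('minute', recorded_at) AS recorded_minute
FROM gps_points
WHERE ride_id IS NULL;

-- Constructed sample: two fixes from one user inside the same cell, and one
-- fix from another user about 1 km north.
INSERT INTO gps_points (user_id, lat, lon) VALUES
    ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 38.8977, -77.0365),
    ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 38.8971, -77.0369),
    ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 38.9072, -77.0369);

-- Both fixes from user aaaa... collapse to one cell centre (38.895, -77.035);
-- the movement between them inside the cell is invisible to a pre-match viewer.
SELECT user_id, lat_coarse, lon_coarse, count(*) AS fixes
FROM gps_points_coarse
GROUP BY user_id, lat_coarse, lon_coarse
ORDER BY user_id;

-- Retention (9.1: 48 hours for GPS detail). Run from a scheduled job. If the
-- coarse cell is still needed for reporting, replace the DELETE with an UPDATE
-- that overwrites lat/lon with coarsen_coord(...) instead.
DELETE FROM gps_points
WHERE recorded_at < now() - interval '48 hours';
```

The retention DELETE only satisfies the 48-hour row in 9.1 if the same precise coordinates are not also sitting in CloudWatch request logs or S3 exports; the retention check should cover every copy, not just the primary table.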
10. Contingency Planning
10.1 Recovery Objectives
| Objective | Target |
|---|---|
| Recovery Time Objective (RTO) | 4 hours |
| Recovery Point Objective (RPO) | 1 hour |
| Maximum Tolerable Downtime (MTD) | 24 hours |
10.2 Backup Strategy
| Component | Backup Type | Frequency | Retention |
|---|---|---|---|
| Database | Automated snapshots with point-in-time recovery | Daily snapshot plus continuous transaction log backup | 35 days |
| Configuration | Git repository | Every change | Indefinite |
| Logs | S3 lifecycle | Continuous | Per policy |
| AMIs | Point-in-time | Weekly | 90 days |
10.3 Recovery Procedures
See PLCY-DRP-001 for detailed recovery procedures.
11. Authorization Package Components
11.1 Required Documents
| Document | Status |
|---|---|
| System Security Plan (this document) | Complete |
| Control Implementation Summary | Complete |
| Risk Assessment | Complete (PLCY-RSK-001) |
| Contingency Plan | Complete (PLCY-DRP-001) |
| Incident Response Plan | Complete (PLCY-INC-001) |
| POA&M | In progress |
| Privacy Impact Assessment | Planned |
| Rules of Behavior | Complete |
| Configuration Management Plan | Complete |
11.2 Assessment Status
| Activity | Status | Timeline |
|---|---|---|
| Self-assessment | Complete | - |
| Readiness assessment | Planned | After Phase 2 |
| 3PAO assessment | Planned | After readiness |
| Authorization decision | Planned | After assessment |
12. Related Documents
| Document | Relationship |
|---|---|
| PLCY-FED-001 | Federal compliance overview |
| PLCY-FED-003 | Risk register |
| PLCY-FED-004 | Implementation roadmap |
| PLCY-FED-005 | Control mapping |
| PLCY-SYS-001 | System description |
| PLCY-DRP-001 | Disaster recovery |
| PLCY-INC-001 | Incident response |
13. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | December 30, 2025 | Hop And Haul Team | Initial release |