NIST SP 800-53 Rev. 5 - Control Mapping and Implementation Statement
Organization: JIL Sovereign Technologies, Inc. (Delaware)
Document Owner: CISO (Chief Information Security Officer)
Framework: NIST Special Publication 800-53 Revision 5
Baseline Applied: Moderate
Document Version: 1.0
Effective Date: 2026-04-19
Review Cycle: Annual
Classification: Public (summary) / Internal (evidence pack)
1. Purpose and Scope
This document maps JIL Sovereign Technologies, Inc.’s operational security controls to the NIST SP 800-53 Rev. 5 control catalog at the Moderate baseline. The mapping is an internal attestation supporting the organization’s overall cybersecurity program. It is not a FedRAMP authorization (which would require a Third-Party Assessment Organization), and does not claim any government accreditation.
Scope. All production systems operated by JIL Sovereign Technologies, Inc., including:
- Central portal and public-facing web properties
- JIL Verdict Engine (111-check attestation pipeline)
- Wallet Intelligence Engine (WIE, 42-signal risk scoring)
- JIL L1 validator network (20 validators across 13 compliance zones)
- JILHQ fleet controller and Secure Document Vault (SDV) infrastructure
- Bridge relayers, MPC cosigner service, and associated cryptographic key-management components
2. Attestation Statement
The undersigned attests that, as of the effective date of this document, the security controls listed herein are implemented, operational, and monitored within JIL Sovereign Technologies, Inc.’s information systems. Control implementation has been evaluated against the NIST SP 800-53 Rev. 5 Moderate baseline. Residual risks are tracked in the organization’s Risk Register.
This attestation is made on the sole authority of JIL Sovereign Technologies, Inc. and does not constitute a FedRAMP Authorization, a third-party assessment, or a government accreditation. Where third-party attestation is required for external reliance (e.g., SOC 2 Type II, ISO 27001), those engagements are pursued separately.
Attested by: Jeffrey Mendonca, Chief Information Security Officer
Date: 2026-04-19
3. Control Family Summary
The Moderate baseline covers 287 controls across 20 control families. Implementation status for each family:
| # | Family | Short Name | Status | Lead Control Evidence |
|---|---|---|---|---|
| 1 | Access Control | AC | Implemented | Yubikey FIDO2 + PIV for SSH / PAM; RBAC in central-portal; MPC 2-of-3 threshold signing |
| 2 | Awareness and Training | AT | Implemented | Annual security training; onboarding module; phishing-simulation cycle |
| 3 | Audit and Accountability | AU | Implemented | Immutable audit trail with hash chaining; 15+ year retention; SDV-anchored |
| 4 | Assessment, Authorization, and Monitoring | CA | Implemented | Continuous monitoring via SentinelAI Fleet Inspector; quarterly internal assessments |
| 5 | Configuration Management | CM | Implemented | Infrastructure-as-Code (Docker Compose + config/fleet-registry.json); signed image pipeline |
| 6 | Contingency Planning | CP | Implemented | 14-of-20 BFT quorum (survives 6 failures); multi-jurisdiction validator distribution; daily encrypted backups |
| 7 | Identification and Authentication | IA | Implemented | Yubikey PIV + FIDO2; mTLS for service-to-service; JWT + HMAC for API; WebAuthn for user UI |
| 8 | Incident Response | IR | Implemented | Documented IR plan; SentinelAI auto-triage; JILHQ fleet-cycle anti-loop; admin notification channels |
| 9 | Maintenance | MA | Implemented | Signed-image-only deploys through JILHQ registry; refresh commands HMAC-authenticated |
| 10 | Media Protection | MP | Implemented | AES-256-GCM at rest; vendor-held keys for SDV; no unencrypted media in production |
| 11 | Physical and Environmental Protection | PE | Inherited | Hetzner data centers (ISO 27001 certified); JIL operates virtual infrastructure only |
| 12 | Planning | PL | Implemented | System Security Plan maintained internally; this document is a component of it |
| 13 | Program Management | PM | Implemented | CISO role formally designated; annual risk assessment; documented security program |
| 14 | Personnel Security | PS | Implemented | Background checks for all personnel with access to production; NDAs on file |
| 15 | PII Processing and Transparency | PT | Implemented | No raw PII on-chain; credential-bound identity only; DPA available for enterprise customers |
| 16 | Risk Assessment | RA | Implemented | Annual formal risk assessment; threat model reviewed quarterly |
| 17 | System and Services Acquisition | SA | Implemented | Third-party service inventory; supplier risk screening; contracts with security obligations |
| 18 | System and Communications Protection | SC | Implemented | Hybrid Ed25519 + Dilithium-III signatures (post-quantum); TLS 1.2+ in transit; 14-of-20 BFT quorum |
| 19 | System and Information Integrity | SI | Implemented | OWASP API Security test bank; pen-test artifacts retained; vulnerability scanning; software-bill-of-materials |
| 20 | Supply Chain Risk Management | SR | Implemented | Docker image digest pinning through JILHQ; signed image pipeline; third-party provider security review |
4. Representative Control Implementation Detail
The controls below are documented with implementation notes and evidence pointers. The full evidence pack (screenshots, log excerpts, policy documents) is maintained internally and available to qualified reviewers under NDA.
4.1 AC-2 - Account Management
Implementation. User accounts for production access are managed through an approved-account list maintained by the CISO. All access requests are logged. Accounts are disabled within 24 hours of personnel departure. Quarterly access reviews are performed.
Evidence. Access control list (internal), quarterly review sign-off log (internal).
4.2 AC-7 - Unsuccessful Logon Attempts
Implementation. Logon failures are rate-limited at 5 attempts per 15 minutes per account. Failed-logon events are logged to the audit system with hash chaining. After 10 failures, the account is locked pending CISO unlock.
Evidence. Rate-limit configuration in apps/central-portal/src/index.ts; audit log excerpts.
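The lockout policy in 4.2 (5 failures per 15-minute window per account, hard lock after 10 failures pending a privileged unlock) modelled as a small TypeScript guard. This is an added illustration, not the central-portal code; the class and method names are hypothetical.

```typescript
// Added illustration of the AC-7 lockout policy; not the central-portal code.
// Limits: 5 failed logons per 15-minute sliding window per account, and a hard
// lock after 10 cumulative failures that only a privileged unlock clears.
const WINDOW_MS = 15 * 60 * 1000;
const WINDOW_LIMIT = 5;
const LOCK_THRESHOLD = 10;
type Decision = "allow" | "rate_limited" | "locked";
interface AccountState {
  windowFailures: number[]; // timestamps (ms) of failures inside the window
  totalFailures: number;    // failures since the last success or unlock
  locked: boolean;
}

class LogonGuard {
  private accounts = new Map<string, AccountState>();
  private state(account: string): AccountState {
    let s = this.accounts.get(account);
    if (!s) { s = { windowFailures: [], totalFailures: 0, locked: false }; this.accounts.set(account, s); }
    return s;
  }

  // Called before the credential check: may this attempt proceed at all?
  check(account: string, now: number): Decision {
    const s = this.state(account);
    if (s.locked) return "locked";
    s.windowFailures = s.windowFailures.filter(t => now - t < WINDOW_MS);
    return s.windowFailures.length >= WINDOW_LIMIT ? "rate_limited" : "allow";
  }

  // Called after a credential check failed; returns the account's new status.
  recordFailure(account: string, now: number): Decision {
    const s = this.state(account);
    s.windowFailures.push(now);
    s.totalFailures += 1;
    if (s.totalFailures >= LOCK_THRESHOLD) s.locked = true; // pending CISO unlock
    return this.check(account, now);
  }

  // A successful logon resets the counters; it never clears a lock.
  recordSuccess(account: string): void {
    const s = this.state(account);
    s.windowFailures = []; s.totalFailures = 0;
  }

  // Privileged unlock; the caller records it as an administrative action (AU-2).
  unlock(account: string): void {
    this.accounts.set(account, { windowFailures: [], totalFailures: 0, locked: false });
  }
}
```

Attempts rejected as `rate_limited` never reach the credential check, so they do not advance the cumulative counter; only real failures do.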
4.3 AC-17 - Remote Access
Implementation. SSH to production hosts (Hetzner) uses public-key authentication with Yubikey PIV 9a or ed25519_sk (FIDO2 resident key). Password authentication is disabled. Ops bypass keys (break-glass) are stored in a sealed envelope at JIL Sovereign HQ.
Evidence. SSH daemon configuration; Yubikey provisioning record (internal).
4.4 AU-2 - Event Logging
Implementation. All service accesses, verdict evaluations, administrative actions, and validator consensus events are logged with SHA-256 hash chaining. Logs are retained for a minimum of 15 years in Vendor-Controlled Secure Document Vaults (SDVs) and indexed in trust.verdict_records for query.
Evidence. Audit trail documentation; retention policy; SDV object-count dashboard.
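A minimal SHA-256 hash-chained audit trail of the kind 4.4 describes, with a verifier that reports the first broken link and an anchor check that catches tail truncation (which a chain alone cannot detect; that is what the external SDV anchor provides). This is an added illustration, not the organization's implementation; record fields, function names and the sample events are constructed for demonstration.

```typescript
import { createHash } from "node:crypto";

// Added illustration of a SHA-256 hash-chained audit trail (AU-2); not the
// organization's own code. Each record's hash covers the previous record's
// hash, so any change to an earlier record invalidates every later link.
interface AuditRecord {
  seq: number;
  timestamp: string; // ISO-8601
  actor: string;
  event: string;
  prevHash: string;  // hash of the preceding record; GENESIS_HASH for the first
  hash: string;      // SHA-256 over every field above
}
const GENESIS_HASH = "0".repeat(64);
function recordHash(r: Omit<AuditRecord, "hash">): string {
  // Length-prefixed canonical encoding so field boundaries are unambiguous.
  const fields = [String(r.seq), r.timestamp, r.actor, r.event, r.prevHash];
  return createHash("sha256").update(fields.map(f => `${f.length}:${f}`).join("|")).digest("hex");
}

function appendRecord(chain: AuditRecord[], timestamp: string, actor: string, event: string): AuditRecord {
  const prevHash = chain.length ? chain[chain.length - 1].hash : GENESIS_HASH;
  const body = { seq: chain.length, timestamp, actor, event, prevHash };
  const rec: AuditRecord = { ...body, hash: recordHash(body) };
  chain.push(rec);
  return rec;
}

// Index of the first record that breaks the chain, or -1 if every link verifies.
function verifyChain(chain: AuditRecord[]): number {
  let expectedPrev = GENESIS_HASH;
  for (let i = 0; i < chain.length; i++) {
    const r = chain[i];
    if (r.seq !== i || r.prevHash !== expectedPrev || recordHash(r) !== r.hash) return i;
    expectedPrev = r.hash;
  }
  return -1;
}
// A verifying chain may still have been truncated at the tail, so the head hash
// must also match a copy kept outside the log (the SDV anchor in AU-2).
function matchesAnchor(chain: AuditRecord[], anchoredHeadHash: string): boolean {
  return chain.length > 0 && chain[chain.length - 1].hash === anchoredHeadHash;
}
// Constructed sample events (not real log data) for demonstration.
function buildSampleChain(): AuditRecord[] {
  const chain: AuditRecord[] = [];
  appendRecord(chain, "2026-04-19T08:00:00Z", "alice", "ssh_login_success");
  appendRecord(chain, "2026-04-19T08:05:12Z", "bob", "logon_failure");
  appendRecord(chain, "2026-04-19T08:07:40Z", "ciso", "account_unlock:bob");
  return chain;
}
```

Signing each head hash (or the whole chain periodically) adds authorship to the integrity the chain gives; the chain alone only proves that records have not been altered since the anchored head was written.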
4.5 CP-9 - System Backup
Implementation. PostgreSQL primary database is backed up daily to Hetzner Object Storage (Helsinki, hel1.your-objectstorage.com) with 30-day retention. Backups are encrypted (AES-256-GCM) before upload. Recovery testing is performed quarterly.
Evidence. Backup timer configuration; recovery test log.
4.6 IA-2 - Identification and Authentication (Organizational Users)
Implementation. Multi-factor authentication is enforced for all administrative access:
- Production SSH: Yubikey PIV 9a OR ed25519_sk (FIDO2 resident key)
- Central portal admin APIs: x-admin-key header + mTLS
- MPC signing operations: 2-of-3 threshold signature (no single party can sign)
Evidence. Yubikey PIV provisioning record; MPC threshold configuration.
4.7 IR-4 - Incident Handling
Implementation. Documented Incident Response plan covering preparation, detection and analysis, containment and eradication, recovery, and post-incident activity. Incidents are classified by severity (SEV-1 through SEV-4) with escalation rules defined.
Evidence. Incident Response Plan document (internal); post-incident reports.
4.8 RA-3 - Risk Assessment
Implementation. Annual formal risk assessment documenting threats, vulnerabilities, likelihood, impact, and residual risk. Quarterly threat-model review incorporating emerging threats (pig-butchering, AI voice deepfake, supply-chain compromise, post-quantum cryptanalysis).
Evidence. 2026 Risk Assessment document (internal); quarterly threat-model review minutes.
4.9 SC-12 - Cryptographic Key Establishment and Management
Implementation. Cryptographic keys are generated using hardware RNG. Signing keys are stored in Yubikey HSM-backed storage (PIV slot 9a) OR in validator-node HSM-backed key stores. Validator key material is AES-256-GCM encrypted at rest with vendor-held keys.
Evidence. Key management policy document; Yubikey PIV configuration; validator key-type inventory.
4.10 SC-13 - Cryptographic Protection
Implementation. Hybrid classical + post-quantum cryptography for record signing:
- Classical: Ed25519 (EdDSA over Curve25519) - current-generation signing
- Post-quantum: CRYSTALS-Dilithium Level 3 (NIST FIPS 204) - quantum-resistant signing
TLS 1.2+ for all transport. AES-256-GCM for data at rest.
Evidence. Cryptographic configuration; signature-verification test vectors.
4.11 SI-2 - Flaw Remediation
Implementation. Vulnerability scanning via continuous dependency audit (npm audit, pip-audit) plus periodic manual pen-tests. Critical vulnerabilities are remediated within 7 days of discovery; high-severity vulnerabilities within 30 days.
Evidence. docs/architecture/VALIDATION_AND_PENTEST.md; Section 11 Remediation Log.
4.12 SI-10 - Information Input Validation
Implementation. All API endpoints validate request bodies using structured schemas (TypeScript + Zod). Rate limiting enforced at 180 req/min/IP baseline; tighter per-endpoint limits apply (30 req/min for search, 5/hr for contact, etc.). SQL injection blocked at the query-constructor layer; no raw SQL accepts user input.
Evidence. Input validation middleware; rate-limit configuration; Section 11 pen-test results.
5. Non-Implementation and Exemption Notes
The following controls are either not applicable or are inherited from the underlying platform, and are noted explicitly:
| Control | Status | Rationale |
|---|---|---|
| PE-1 through PE-23 (Physical and Environmental Protection) | Inherited | JIL operates virtual infrastructure on Hetzner (ISO 27001 certified). Physical security is the data-center operator’s responsibility. |
| AC-20 (Use of External Information Systems) | Limited | JIL does not permit personal devices for production access. Policy enforcement via Yubikey MFA. |
| SC-17 (PKI Certificates) | N/A (reduced) | JIL uses its own validator-quorum signing rather than external PKI. TLS certificates are issued by Let’s Encrypt (public PKI). |
6. Continuous Monitoring
Security controls are continuously monitored through:
- SentinelAI Fleet Inspector - automated threat scoring and anomaly detection across all validator nodes and core services
- Immutable audit trail - hash-chained logging with cryptographic signatures
- Quarterly access reviews - sign-off by CISO
- Annual risk assessment - formal document with board-level review
- Pen-testing cycle - internal continuous probes + periodic external engagements
7. Roadmap Items
The following enhancements are on the roadmap; they are not required for this attestation but are noted for transparency:
- SOC 2 Type II - CPA-firm attestation (Q3 2026); complements this internal mapping
- ISO 27001 - accredited registrar audit (Q4 2026)
- HITRUST CSF - healthcare-vertical certification (2027)
- FedRAMP Moderate - if/when a federal customer requires; would require 3PAO assessment
8. Signature
Chief Information Security Officer:
Jeffrey Mendonca
Chief Information Security Officer
JIL Sovereign Technologies, Inc. (Delaware)
Date: 2026-04-19
This document is maintained as part of JIL Sovereign Technologies, Inc.’s Cybersecurity Program. The full evidence pack including policy documents, procedure runbooks, audit logs, and screenshots is available to qualified reviewers under non-disclosure agreement.