{
  "generated_at": "2026-07-02T13:20:01.136176+00:00",
  "eval_period_hours": 4,
  "valid_until": "2026-07-02T17:20:01.136176+00:00",
  "total_ksis": 60,
  "summary": {
    "compliant": 59,
    "partial": 1,
    "non_compliant": 0,
    "not_implemented": 0,
    "not_applicable": 0,
    "automated": 60,
    "manual": 0,
    "average_score": 99.7,
    "monitoring": {
      "total_controls": 503,
      "monitored_controls": 267,
      "monitoring_coverage": 53.1,
      "total_tests": 125,
      "unique_controls_with_tests": 91
    }
  },
  "evidence_integrity": {
    "manifest_file": "evidence_integrity_manifest.json",
    "manifest_sha256_file": "evidence_integrity_manifest.json.sha256",
    "algorithm": "sha256",
    "note": "The manifest hashes this compliance file and other generated artifacts. The manifest checksum is written to the sidecar file to avoid a circular hash."
  },
  "results": [
    {
      "ksi_id": "KSI-AFR-ADS",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:59.920747+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-165 (DCF-165)",
          "control_id": "DCF-165",
          "status": "Passing",
          "description": "Drata control status for DCF-165",
          "date": "2026-07-02T13:19:59.920747+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-10 (DCF-10)",
          "control_id": "DCF-10",
          "status": "Passing",
          "description": "Drata control status for DCF-10",
          "date": "2026-07-02T13:19:59.920747+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-11 (DCF-11)",
          "control_id": "DCF-11",
          "status": "Passing",
          "description": "Drata control status for DCF-11",
          "date": "2026-07-02T13:19:59.920747+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-45 (DCF-45)",
          "control_id": "DCF-45",
          "status": "Passing",
          "description": "Drata control status for DCF-45",
          "date": "2026-07-02T13:19:59.920747+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-102 (DCF-102)",
          "control_id": "DCF-102",
          "status": "Passing",
          "description": "Drata control status for DCF-102",
          "date": "2026-07-02T13:19:59.920747+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-AFR-ADS",
          "control_name": "Custom Automated Check: KSI-AFR-ADS",
          "control_description": "5/5 mapped controls passing; **Sustainment Technologies satisfies the KSI-AFR-ADS requirement through an automated governance strategy that leverages continuous monitoring to ensure the integrity and secure distribution of authorization data.**\n\n### Enhanced Monitoring for In-Scope FedRAMP Systems\nThis document contains enhanced monitoring requirements specific to in-scope FedRAMP systems, including:\n- **Reduced SLAs** for incident response and vulnerability remediation on FedRAMP-boundary systems\n- **Elevated logging and audit requirements** for systems processing federal data\n- **Stricter access controls** and authorization data handling procedures\n\n### Technical and Administrative Controls\n- **Centralized Logging** -- audit trail capture and retention for federal data systems\n- **Quarterly Vulnerability Scanning** -- third-party vulnerability assessments\n- **System Access Control Policy** -- administrative safeguards for authorization artifact handling\n- **Data Protection Policy** -- ensures authorization artifacts are shared only with authorized parties\n\n### Validation Approach\nThese combined capabilities are persistently validated via automated compliance checks to ensure ongoing alignment with the FedRAMP Authorization Data Sharing (ADS) process.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:59.920747+00:00",
          "updated_at": "2026-07-02T13:19:59.920747+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:59.920747+00:00",
          "requirements_updated_at": "",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-165 (DCF-165)",
              "description": "Drata control status for DCF-165",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.920747+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.136201+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-10 (DCF-10)",
              "description": "Drata control status for DCF-10",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.920747+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.136220+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-11 (DCF-11)",
              "description": "Drata control status for DCF-11",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.920747+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.136231+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-45 (DCF-45)",
              "description": "Drata control status for DCF-45",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.920747+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.136242+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-102 (DCF-102)",
              "description": "Drata control status for DCF-102",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.920747+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.136252+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 5,
            "passed": 5,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              },
              {
                "test_id": 64,
                "name": "Contractors Acknowledge the Data Protection Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that all contractors have acknowledged the company's Data Protection Policy.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 191,
                "enabled": true
              },
              {
                "test_id": 63,
                "name": "Employees Acknowledge Data Protection Policy",
                "status": "PASSED",
                "description": "Sustainment Technologies Inc has established a Data Protection Policy and requires assigned employees to acknowledge it upon hire. Management monitors employees' acknowledgement of the policy.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 57,
                "enabled": true
              },
              {
                "test_id": 62,
                "name": "Data Protection Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Data Protection Policy and confirmed that it was indeed in place.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 56,
                "enabled": true
              },
              {
                "test_id": 42,
                "name": "Data Classification Policy",
                "status": "PASSED",
                "description": "Drata inspected and confirmed that Sustainment Technologies Inc has a Data Classification Policy in order to identify the types of confidential information possessed by the entity and types of protection that were required.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 137,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-165",
              "DCF-10",
              "DCF-11",
              "DCF-45",
              "DCF-102"
            ]
          }
        },
        {
          "control_id": "DCF-165",
          "control_name": "Independent Assessment",
          "control_description": "Sustainment Technologies Inc has an independent assessment (e.g., internal audit) process to ensure that its information security program is effectively implemented, maintained, and in conformance.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:42.954Z",
          "updated_at": "2025-11-24T13:51:38.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:22.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": 123,
              "name": "SOC 2 Type II Report",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/123_SOC 2 Type II Report.pdf",
              "updated_at": "2026-05-05T19:19:56.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.136526+00:00",
                "status": "hashed",
                "sha256": "80b9c22a7fd79023d195fd5b3cee1556c72f836d49ceef3e42d37a60c00da22e",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/123_SOC 2 Type II Report.pdf",
                "filename": "123_SOC 2 Type II Report.pdf",
                "size_bytes": 564071,
                "modified_at": "2026-07-02T13:17:00+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-165-owner",
              "name": "Assigned Control Owner - Independent Assessment (DCF-165)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.137050+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 176,
          "explanation": "The Independent Assessment control satisfies KSI-AFR-ADS by demonstrating a recurring process to *verify* the accuracy and completeness of authorization data. This assessment provides objective evidence that Sustainment Technologies Inc. is consistently maintaining its security posture – a core component of the ADS process which requires ongoing validation of controls. Essentially, it proves they're not just *saying* they meet requirements, but *showing* they do through regular checks, addressing both requirements *and* recommendations for improvement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-10",
          "control_name": "System Access Control Policy",
          "control_description": "Sustainment Technologies Inc has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and employee transfers.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.531Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-10-evidence",
              "name": "System Access Control Policy (DCF-10)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.137061+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-owner",
              "name": "Assigned Control Owner - System Access Control Policy (DCF-10)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.137067+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-monitoring",
              "name": "Continuous Monitoring - System Access Control Policy (DCF-10)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.137076+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 88,
          "explanation": "The System Access Control Policy satisfies KSI-AFR-ADS by demonstrating a process for managing *who* has access to authorization data (via access reviews & requests), aligning with the need to control data sharing as outlined in the ADS process. Regularly reviewing and documenting access – as evidenced by the annual reviews and request forms – ensures only authorized personnel can view/modify authorization information, persistently addressing related requirements and recommendations.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-11",
          "control_name": "Annual Access Control Review",
          "control_description": "Sustainment Technologies Inc performs annual access control reviews.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.537Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 150,
              "name": "User Access Review",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/150_User Access Review.xlsx",
              "updated_at": "2026-03-02T15:28:18.965Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.137304+00:00",
                "status": "hashed",
                "sha256": "a83b78e92bd554ebc59378b2f58c3b86c8dfac37b561ea9ddea944b69ab811d9",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/150_User Access Review.xlsx",
                "filename": "150_User Access Review.xlsx",
                "size_bytes": 115456,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-11-owner",
              "name": "Assigned Control Owner - Annual Access Control Review (DCF-11)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.137434+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-11-policy",
              "name": "Policy Documentation - Annual Access Control Review (DCF-11)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.137441+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 89,
          "explanation": "The Annual Access Control Review directly supports KSI-AFR-ADS by verifying only *authorized* personnel retain access to systems and data relevant to the FedRAMP authorization—a core component of data sharing transparency. By regularly validating access rights (AC-4, AC-3), Sustainment Technologies Inc. demonstrates ongoing adherence to ADS requirements for controlled access and helps ensure only appropriate parties can view/handle authorization data. This persistent review addresses recommendations stemming from potential access-related findings during authorization.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-45",
          "control_name": "Data Protection Policy",
          "control_description": "Sustainment Technologies Inc has established a Data Protection Policy and requires all employees to accept it upon hire. Management monitors employees' acceptance of the policy.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.188Z",
          "updated_at": "2026-05-12T13:22:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-45-monitoring",
              "name": "Continuous Monitoring - Data Protection Policy (DCF-45)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-12T13:22:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.137448+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-45-policy",
              "name": "Policy Documentation - Data Protection Policy (DCF-45)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-12T13:22:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.137455+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 44,
          "explanation": "The Data Protection Policy (and employee acknowledgement) directly supports KSI-AFR-ADS by establishing clear expectations around handling authorization data – a foundational element of the ADS process. By defining *how* data is protected and requiring employee commitment, Sustainment Technologies Inc demonstrates a persistent approach to meeting ADS requirements and addressing related recommendations regarding data confidentiality and accountability (as evidenced by the linked NIST controls). This policy provides a documented basis for sharing authorization data securely with necessary parties.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 64,
                "name": "Contractors Acknowledge the Data Protection Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that all contractors have acknowledged the company's Data Protection Policy.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 191,
                "enabled": true
              },
              {
                "test_id": 63,
                "name": "Employees Acknowledge Data Protection Policy",
                "status": "PASSED",
                "description": "Sustainment Technologies Inc has established a Data Protection Policy and requires assigned employees to acknowledge it upon hire. Management monitors employees' acknowledgement of the policy.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 57,
                "enabled": true
              },
              {
                "test_id": 62,
                "name": "Data Protection Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Data Protection Policy and confirmed that it was indeed in place.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 56,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-102",
          "control_name": "Data Classification",
          "control_description": "Sustainment Technologies Inc has established a data classification policy in order to identify the types of confidential information possessed by the entity and types of protection that are required.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.943Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-102-owner",
              "name": "Assigned Control Owner - Data Classification (DCF-102)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.137467+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-102-monitoring",
              "name": "Continuous Monitoring - Data Classification (DCF-102)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.137474+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-102-policy",
              "name": "Policy Documentation - Data Classification (DCF-102)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.137480+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 29,
          "explanation": "Data Classification (and related AC-4) directly supports KSI-AFR-ADS by enabling the accurate identification of *what* authorization data exists – a foundational step for determining *how* to share it per the ADS process. By categorizing data sensitivity, Sustainment Technologies Inc. can then apply appropriate controls to ensure only authorized parties receive specific authorization information, fulfilling the persistent addressing of ADS requirements and recommendations.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 42,
                "name": "Data Classification Policy",
                "status": "PASSED",
                "description": "Drata inspected and confirmed that Sustainment Technologies Inc has a Data Classification Policy in order to identify the types of confidential information possessed by the entity and types of protection that were required.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 137,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "**Sustainment Technologies satisfies the KSI-AFR-ADS requirement through an automated governance strategy that leverages continuous monitoring to ensure the integrity and secure distribution of authorization data.**\n\n### Enhanced Monitoring for In-Scope FedRAMP Systems\nThis document contains enhanced monitoring requirements specific to in-scope FedRAMP systems, including:\n- **Reduced SLAs** for incident response and vulnerability remediation on FedRAMP-boundary systems\n- **Elevated logging and audit requirements** for systems processing federal data\n- **Stricter access controls** and authorization data handling procedures\n\n### Technical and Administrative Controls\n- **Centralized Logging** -- audit trail capture and retention for federal data systems\n- **Quarterly Vulnerability Scanning** -- third-party vulnerability assessments\n- **System Access Control Policy** -- administrative safeguards for authorization artifact handling\n- **Data Protection Policy** -- ensures authorization artifacts are shared only with authorized parties\n\n### Validation Approach\nThese combined capabilities are persistently validated via automated compliance checks to ensure ongoing alignment with the FedRAMP Authorization Data Sharing (ADS) process.\n### Key Controls\n- [OK] Independent Assessment (DCF-165)\n- [OK] System Access Control Policy (DCF-10)\n- [OK] Annual Access Control Review (DCF-11)\n- [OK] Data Protection Policy (DCF-45)\n- [OK] Data Classification (DCF-102)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:59.920747+00:00",
      "ksi_name": "Authorization Data Sharing",
      "category": "AFR",
      "statement": "Determine how authorization data will be shared with all necessary parties in alignment with the FedRAMP Authorization Data Sharing (ADS) process and persistently address all related requirements and recommendations.",
      "reference_url": "https://fedramp.gov/docs/20x/authorization-data-sharing",
      "nist_controls": [
        "AC-3",
        "AC-4",
        "AU-2",
        "AU-3",
        "AU-6",
        "CA-2",
        "IR-4",
        "RA-5",
        "SC-8"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment ensures the integrity and secure distribution of authorization data to all required parties through continuous monitoring, access controls, data classification, and independent assessments.",
        "failure_condition": "Failure to maintain data classification and access controls for authorization data will cause a failure of the test. Additionally, an independent assessment, system access control policy, annual access reviews, data protection policy, and data classification must be in place to ensure authorization data is shared securely."
      },
      "outcome_metrics": [
        {
          "statement": "Authorization artifacts are current and shared only with authorized FedRAMP parties",
          "metric_name": "Recency",
          "target_value": "Authorization data shared within required SLA; no unauthorized disclosures",
          "target_unit": "",
          "frequency": "Quarterly",
          "source": "Drata continuous monitoring + authorization artifact log",
          "notes": "Artifact older than 30 days or shared outside approved channel"
        }
      ],
      "process_requirements": [
        {
          "id": "ADS-CSX-UTC",
          "name": "Use Trust Centers",
          "statement": "Providers MUST use a FedRAMP-compatible trust center to store and share authorization data with all necessary parties.",
          "keyword": "MUST",
          "role_group": "CSX",
          "section": "20x",
          "notes": [
            "Requirements and recommendations for FedRAMP-compatible trust centers are explained in ADS-TRC.",
            "This requirement only applies to FedRAMP 20x."
          ]
        },
        {
          "id": "ADS-CSL-UCP",
          "name": "USDA Connect",
          "statement": "Providers MUST share authorization data via the USDA Connect Community Portal UNLESS they use a FedRAMP-compatible trust center.",
          "keyword": "MUST",
          "role_group": "CSL",
          "section": "rev5"
        },
        {
          "id": "ADS-CSL-TCM",
          "name": "Trust Center Migration",
          "statement": "Providers MUST notify all necessary parties when migrating to a trust center and MUST provide information in their existing USDA Connect Community Portal secure folders explaining how to use the trust center to obtain authorization data.",
          "keyword": "MUST",
          "role_group": "CSL",
          "section": "rev5"
        },
        {
          "id": "ADS-CSO-PUB",
          "name": "Public Information",
          "statement": "Providers MUST publicly share up-to-date information about the cloud service offering in both human-readable and machine-readable formats, including at least:",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both",
          "notes": [
            "Generally, this information should be available on a public webpage."
          ],
          "following_information": [
            "Direct link to the FedRAMP Marketplace for the offering",
            "Service Model",
            "Deployment Model",
            "Business Category",
            "UEI Number",
            "Contact Information",
            "Overall Service Description",
            "Detailed list of specific services and their security objectives (see ADS-CSO-SVC)",
            "Summary of customer responsibilities and secure configuration guidance (if applicable, see the FedRAMP Secure Configuration Guide process)",
            "Process for accessing information in the trust center (if applicable)",
            "Availability status and recent disruptions for the trust center (if applicable)",
            "Customer support information for the trust center (if applicable)",
            "Next Ongoing Authorization Report date (see CCM-OAR-NRD)"
          ]
        },
        {
          "id": "ADS-CSO-SVC",
          "name": "Service List",
          "statement": "Providers MUST publicly share a detailed list of specific services and their security objectives that are included in the cloud service offering using clear feature or service names that align with standard public marketing materials; this list MUST be complete enough for a potential customer to determine which services are and are not included in the FedRAMP Minimum Assessment Scope without requesting access to underlying authorization data.",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both"
        },
        {
          "id": "ADS-CSO-CBF",
          "name": "Consistency Between Formats",
          "statement": "Providers MUST use automation to ensure information remains consistent between human-readable and machine-readable formats when authorization data is provided in both formats.",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both"
        },
        {
          "id": "ADS-CSO-RIS",
          "name": "Responsible Information Sharing",
          "statement": "Providers MUST provide sufficient information in authorization data to support authorization decisions but SHOULD NOT include sensitive information that would likely enable a threat actor to gain unauthorized access, cause harm, disrupt operations, or otherwise have a negative adverse impact on the cloud service offering.",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both",
          "notes": [
            "This is not a license to exclude accurate risk information, but specifics that would likely lead to compromise should be abstracted. A breach of confidentiality with authorization data should be anticipated by a secure cloud service provider."
          ]
        },
        {
          "id": "ADS-CSO-HAD",
          "name": "Historical Authorization Data",
          "statement": "Providers MUST make historical versions of authorization data available for three years to all necessary parties UNLESS otherwise specified by applicable FedRAMP requirements; deltas between versions MAY be consolidated quarterly.",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both"
        },
        {
          "id": "ADS-UTC-PGD",
          "name": "Public Guidance",
          "statement": "Providers MUST publicly provide plain-language policies and guidance for all necessary parties that explains how they can obtain and manage access to authorization data stored in the trust center.",
          "keyword": "MUST",
          "role_group": "UTC",
          "section": "both"
        },
        {
          "id": "ADS-UTC-AAD",
          "name": "Agency Access Denial",
          "statement": "Providers MUST notify FedRAMP by email to info@fedramp.gov within 5 business days of denying an agency access request for authorization data.",
          "keyword": "MUST",
          "role_group": "UTC",
          "section": "both",
          "timeframe": "5 bizdays"
        },
        {
          "id": "ADS-TRC-USH",
          "name": "Uninterrupted Sharing",
          "statement": "Trust centers MUST share authorization data with all necessary parties without interruption.",
          "keyword": "MUST",
          "role_group": "TRC",
          "section": "both",
          "notes": [
            "\"Without interruption\" means that parties should not have to request manual approval each time they need to access authorization data or go through a complicated process. The preferred way of ensuring access without interruption is to use on-demand just-in-time access provisioning."
          ]
        },
        {
          "id": "ADS-TRC-PAC",
          "name": "Programmatic Access",
          "statement": "Trust centers MUST provide documented programmatic access to all authorization data, including programmatic access to human-readable materials.",
          "keyword": "MUST",
          "role_group": "TRC",
          "section": "both"
        },
        {
          "id": "ADS-TRC-AAI",
          "name": "Agency Access Inventory",
          "statement": "Trust centers MUST maintain an inventory and history of federal agency users or systems with access to authorization data and MUST make this information available to FedRAMP without interruption.",
          "keyword": "MUST",
          "role_group": "TRC",
          "section": "both"
        },
        {
          "id": "ADS-TRC-ACL",
          "name": "Access Logging",
          "statement": "Trust centers MUST log access to authorization data and store summaries of access for at least six months; such information, as it pertains to specific parties, SHOULD be made available upon request by those parties.",
          "keyword": "MUST",
          "role_group": "TRC",
          "section": "both"
        },
        {
          "id": "ADS-CSL-UTC",
          "name": "Use Trust Centers",
          "statement": "Providers SHOULD use a FedRAMP-compatible trust center to store and share authorization data with all necessary parties.",
          "keyword": "SHOULD",
          "role_group": "CSL",
          "section": "rev5",
          "notes": [
            "Requirements and recommendations for FedRAMP-compatible trust centers are explained in ADS-TRC.",
            "This recommendation only applies to FedRAMP Rev5 (it is required for FedRAMP 20x)."
          ]
        },
        {
          "id": "ADS-UTC-AGA",
          "name": "Agency Access",
          "statement": "Providers SHOULD share the authorization package with agencies upon request.",
          "keyword": "SHOULD",
          "role_group": "UTC",
          "section": "both"
        },
        {
          "id": "ADS-TRC-HMR",
          "name": "Human and Machine-Readable",
          "statement": "Trust centers SHOULD make authorization data available to view and download in both human-readable and machine-readable formats.",
          "keyword": "SHOULD",
          "role_group": "TRC",
          "section": "both"
        },
        {
          "id": "ADS-TRC-SSM",
          "name": "Self-Service Access Management",
          "statement": "Trust centers SHOULD include features that encourage all necessary parties to provision and manage access to authorization data for their users and services directly.",
          "keyword": "SHOULD",
          "role_group": "TRC",
          "section": "both"
        },
        {
          "id": "ADS-TRC-RSP",
          "name": "Responsive Performance",
          "statement": "Trust centers SHOULD deliver responsive performance during normal operating conditions and minimize service disruptions.",
          "keyword": "SHOULD",
          "role_group": "TRC",
          "section": "both"
        },
        {
          "id": "ADS-CSL-LRE",
          "name": "Legacy Repository Exception",
          "statement": "Providers of FedRAMP Rev5 Authorized cloud service offerings at FedRAMP High using a legacy self-managed repository for authorization data MAY ignore the Authorization Data Sharing process until future notice.",
          "keyword": "MAY",
          "role_group": "CSL",
          "section": "rev5"
        }
      ],
      "process_requirements_summary": {
        "total": 20,
        "must": 14,
        "should": 5,
        "may": 1
      },
      "monitoring": {
        "total_tests": 5,
        "passed": 5,
        "failed": 0,
        "controls_with_monitoring": 3,
        "monitoring_coverage": 50.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-AFR-CCM",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:57.991510+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "document",
          "name": "KSI Compliance Tracking System",
          "path": "scripts/generate_ksi_compliance.py",
          "description": "Active KSI compliance tracking and monitoring system",
          "date": "2026-07-02T13:19:57.991510+00:00"
        },
        {
          "type": "document",
          "name": "KSI Coverage Analysis Capability",
          "path": "scripts/analyze_ksi_coverage.py",
          "description": "Coverage analysis generator is available and can produce artifacts during pipeline execution",
          "date": "2026-07-02T13:19:57.991510+00:00",
          "details": "scripts/analyze_ksi_coverage.py"
        },
        {
          "type": "report",
          "name": "Automated KSI Runner",
          "path": "scripts/ksi_runner.py",
          "description": "Continuous automated execution of KSI compliance checks",
          "date": "2026-07-02T13:19:57.991510+00:00",
          "details": "scripts/ksi_runner.py"
        },
        {
          "type": "report",
          "name": "Drata Platform: 4 In-Scope Controls",
          "description": "4 passing, 0 in progress, 0 failing | 0 monitored, 0 with evidence",
          "date": "2026-07-02T13:17:03.716280+00:00",
          "status": "passing",
          "source": "drata_controls"
        },
        {
          "type": "document",
          "name": "Drata Compliance Visualization and KSI Tracking System",
          "path": ".",
          "description": "This project demonstrates continuous monitoring and reporting capabilities for FedRAMP compliance requirements",
          "date": "2026-07-02T13:19:57.991510+00:00"
        }
      ],
      "notes": "Sustainment Technologies operates a continuous compliance monitoring pipeline that fetches control data from Drata, runs automated KSI checks, and deploys results to a compliance dashboard. The pipeline validates data freshness, dashboard availability, and overall compliance posture.\n### Key Controls\n- [OK] Logging and Monitoring Policy (DCF-741)\n- [OK] Cloud Security Configuration Monitoring (DCF-817)\n- [OK] Remote Connection Monitoring (DCF-824)\n- [OK] Network Traffic Monitoring (DCF-829)",
      "drata_stats": {
        "total": 4,
        "passing": 4,
        "failing": 0,
        "in_progress": 0,
        "archived": 0,
        "monitored": 0,
        "with_evidence": 0,
        "last_updated": "2026-07-02T13:17:03.716280+00:00",
        "source": "drata_controls",
        "flags_available": true
      },
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-AFR-CCM",
          "control_name": "Custom Automated Check: KSI-AFR-CCM",
          "control_description": "Collaborative Continuous Monitoring validated through automated infrastructure checks and Drata control coverage analysis. Drata reports status for 4 applicable controls (4 passing, 0 in progress, 0 failing). 0 controls have automated monitoring enabled and 0 have linked evidence. Drata data last synced: 2026-07-02T13:17:03.716280+00:00.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:57.991510+00:00",
          "updated_at": "2026-07-02T13:19:57.991510+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:57.991510+00:00",
          "requirements_updated_at": "",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": null,
              "name": "KSI Compliance Tracking System",
              "description": "Active KSI compliance tracking and monitoring system",
              "type": "document",
              "source": "scripts/generate_ksi_compliance.py",
              "updated_at": "2026-07-02T13:19:57.991510+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.137660+00:00",
                "status": "hashed",
                "sha256": "758f335e54f49c32619fb54f2dd0095244039d0fa2ade37761d04d2422644d58",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/scripts/generate_ksi_compliance.py",
                "filename": "generate_ksi_compliance.py",
                "size_bytes": 120601,
                "modified_at": "2026-07-02T13:19:22.260546+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo"
              }
            },
            {
              "id": null,
              "name": "KSI Coverage Analysis Capability",
              "description": "Coverage analysis generator is available and can produce artifacts during pipeline execution",
              "type": "document",
              "source": "scripts/analyze_ksi_coverage.py",
              "updated_at": "2026-07-02T13:19:57.991510+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.137945+00:00",
                "status": "hashed",
                "sha256": "5bf577a085a6f775ebe532319b1126fa44b5f61d1397fb4358a9a02ebcaa0822",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/scripts/analyze_ksi_coverage.py",
                "filename": "analyze_ksi_coverage.py",
                "size_bytes": 13142,
                "modified_at": "2026-07-02T13:19:22.260546+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo"
              }
            },
            {
              "id": null,
              "name": "Automated KSI Runner",
              "description": "Continuous automated execution of KSI compliance checks",
              "type": "report",
              "source": "scripts/ksi_runner.py",
              "updated_at": "2026-07-02T13:19:57.991510+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138158+00:00",
                "status": "hashed",
                "sha256": "39fb7f60878a81a86dbf3a5cea2353d695e65b2002ce46eedadffb6aaf6e5bb2",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/scripts/ksi_runner.py",
                "filename": "ksi_runner.py",
                "size_bytes": 21621,
                "modified_at": "2026-07-02T13:19:22.260546+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo"
              }
            },
            {
              "id": null,
              "name": "Drata Platform: 4 In-Scope Controls",
              "description": "4 passing, 0 in progress, 0 failing | 0 monitored, 0 with evidence",
              "type": "report",
              "source": "drata_controls",
              "updated_at": "2026-07-02T13:17:03.716280+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138205+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "Drata Compliance Visualization and KSI Tracking System",
              "description": "This project demonstrates continuous monitoring and reporting capabilities for FedRAMP compliance requirements",
              "type": "document",
              "source": ".",
              "updated_at": "2026-07-02T13:19:57.991510+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138212+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-741",
          "control_name": "Logging and Monitoring Policy",
          "control_description": "Sustainment Technologies Inc has a documented policy that outlines requirements for audit logging and monitoring of system activity at the company.",
          "status": "compliant",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171"
          ],
          "created_at": "2024-05-07T23:18:52.900Z",
          "updated_at": "2025-02-22T02:40:20.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-06-24T19:13:14.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-741-policy",
              "name": "Policy Documentation - Logging and Monitoring Policy (DCF-741)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-02-22T02:40:20.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138219+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 673,
          "stale_evidence_count": 1,
          "all_evidence_stale": true,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-817",
          "control_name": "Cloud Security Configuration Monitoring",
          "control_description": "Sustainment Technologies Inc has implemented automated tools to analyze the security configurations of its cloud environment(s) and continuously monitor for misconfigurations, vulnerabilities, and security risks (e.g., cloud security posture management software, configuration management tools, etc.)",
          "status": "compliant",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171"
          ],
          "created_at": "2024-09-05T23:20:45.037Z",
          "updated_at": "2025-02-04T19:00:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-06-24T19:13:14.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-817-policy",
              "name": "Policy Documentation - Cloud Security Configuration Monitoring (DCF-817)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-02-04T19:00:53.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138225+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 725,
          "stale_evidence_count": 1,
          "all_evidence_stale": true,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-824",
          "control_name": "Remote Connection Monitoring",
          "control_description": "Sustainment Technologies Inc has implemented mechanisms to monitor remote access sessions on system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).",
          "status": "compliant",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171"
          ],
          "created_at": "2024-09-05T23:20:45.088Z",
          "updated_at": "2025-02-04T19:00:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-06-24T19:13:13.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-824-policy",
              "name": "Policy Documentation - Remote Connection Monitoring (DCF-824)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-02-04T19:00:53.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138232+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 732,
          "stale_evidence_count": 1,
          "all_evidence_stale": true,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-829",
          "control_name": "Network Traffic Monitoring",
          "control_description": "Sustainment Technologies Inc monitors and logs inbound and outbound communications traffic to detect unusual or unauthorized activities or events.",
          "status": "compliant",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171"
          ],
          "created_at": "2024-09-05T23:20:45.114Z",
          "updated_at": "2025-02-04T19:00:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-06-24T19:13:14.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-829-policy",
              "name": "Policy Documentation - Network Traffic Monitoring (DCF-829)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-02-04T19:00:53.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138239+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 737,
          "stale_evidence_count": 1,
          "all_evidence_stale": true,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "implementation_details": {
        "method": "automated-script",
        "tools": [
          "python",
          "Drata API",
          "JSON Analysis"
        ],
        "responsible_party": "Compliance Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:57.991510+00:00",
      "ksi_name": "Collaborative Continuous Monitoring",
      "category": "AFR",
      "statement": "Maintain a plan and process for providing Ongoing Authorization Reports and Quarterly Reviews for all necessary parties in alignment with the FedRAMP Collaborative Continuous Monitoring (CCM) process and persistently address all related requirements and recommendations.",
      "reference_url": "https://fedramp.gov/docs/20x/collaborative-continuous-monitoring",
      "nist_controls": [],
      "failure_conditions": {
        "conditional_check": "Sustainment operates a continuous compliance monitoring pipeline that fetches control data from Drata, runs automated KSI checks, and deploys results to a compliance dashboard to validate data freshness and overall compliance posture.",
        "failure_condition": "Pipeline not run in more than 48 hours, dashboard not deployed, or compliance data stale will cause a failure of the test. The continuous monitoring pipeline, automated KSI checks, and dashboard deployment must be operational to ensure compliance data is current and accessible."
      },
      "outcome_metrics": [
        {
          "statement": "Collaborative monitoring activities are completed on schedule with documented outputs",
          "metric_name": "Completion",
          "target_value": "100% of scheduled ConMon deliverables submitted on time",
          "target_unit": "",
          "frequency": "Monthly",
          "source": "FedRAMP ConMon tracker; Drata dashboard recency",
          "notes": "Missed submission deadline or stale dashboard data >7 days"
        }
      ],
      "process_requirements": [
        {
          "id": "CCM-OAR-AVL",
          "name": "Report Availability",
          "statement": "Providers MUST make an Ongoing Authorization Report available to all necessary parties every 3 months, covering the entire period since the previous summary, in a consistent format that is human readable; this report MUST include high-level summaries of at least the following information:",
          "keyword": "MUST",
          "role_group": "OAR",
          "section": "both",
          "following_information": [
            "Changes to authorization data",
            "Planned changes to authorization data during at least the next 3 months",
            "Accepted vulnerabilities",
            "Transformative changes",
            "Updated recommendations or best practices for security, configuration, usage, or similar aspects of the cloud service offering"
          ]
        },
        {
          "id": "CCM-OAR-NRD",
          "name": "Next Report Date",
          "statement": "Providers MUST publicly include the target date for their next Ongoing Authorization Report with other public authorization data.",
          "keyword": "MUST",
          "role_group": "OAR",
          "section": "both"
        },
        {
          "id": "CCM-OAR-FBM",
          "name": "Feedback Mechanism",
          "statement": "Providers MUST establish and share an asynchronous mechanism for all necessary parties to provide feedback or ask questions about each Ongoing Authorization Report.",
          "keyword": "MUST",
          "role_group": "OAR",
          "section": "both",
          "notes": [
            "This could be email by default but providers are encouraged to consider something more interactive as appropriate."
          ]
        },
        {
          "id": "CCM-OAR-AFS",
          "name": "Anonymized Feedback Summary",
          "statement": "Providers MUST maintain an anonymized and desensitized summary of the feedback, questions, and answers about each Ongoing Authorization Report as an addendum to the Ongoing Authorization Report.",
          "keyword": "MUST",
          "role_group": "OAR",
          "section": "both",
          "notes": [
            "This is intended to encourage sharing of information and decrease the burden on the cloud service provider - providing this summary will reduce duplicate questions from agencies and ensure FedRAMP has access to this information. It is generally in the provider’s interest to update this addendum frequently throughout the quarter."
          ]
        },
        {
          "id": "CCM-OAR-LSI",
          "name": "Limit Sensitive Information",
          "statement": "Providers MUST NOT irresponsibly disclose sensitive information in an Ongoing Authorization Report that would likely have an adverse effect on the cloud service offering.",
          "keyword": "MUST NOT",
          "role_group": "OAR",
          "section": "both"
        },
        {
          "id": "CCM-QTR-REG",
          "name": "Meeting Registration Info",
          "statement": "Providers MUST include either a registration link or a downloadable calendar file with meeting information for Quarterly Reviews in the authorization data available to all necessary parties required by ADS-CSL-UCP and ADS-CSO-FCT.",
          "keyword": "MUST",
          "role_group": "QTR",
          "section": "both"
        },
        {
          "id": "CCM-QTR-NRD",
          "name": "Next Review Date",
          "statement": "Providers MUST publicly include the target date for their next Quarterly Review with other public authorization data.",
          "keyword": "MUST",
          "role_group": "QTR",
          "section": "both"
        },
        {
          "id": "CCM-QTR-NID",
          "name": "No Irresponsible Disclosure",
          "statement": "Providers MUST NOT irresponsibly disclose sensitive information in a Quarterly Review that would likely have an adverse effect on the cloud service offering.",
          "keyword": "MUST NOT",
          "role_group": "QTR",
          "section": "both"
        },
        {
          "id": "CCM-OAR-SOR",
          "name": "Spread Out Reports",
          "statement": "Providers SHOULD establish a regular 3 month cycle for Ongoing Authorization Reports that is spread out from the beginning, middle, or end of each quarter.",
          "keyword": "SHOULD",
          "role_group": "OAR",
          "section": "both",
          "notes": [
            "This recommendation is intended to discourage hundreds of cloud service providers from releasing their Ongoing Authorization Reports during the first or last week of each quarter because that is the easiest way for a single provider to track this deliverable; the result would overwhelm agencies with many cloud services. Widely used cloud service providers are encouraged to work with their customers to identify ideal timeframes for this cycle."
          ]
        },
        {
          "id": "CCM-QTR-SAR",
          "name": "Schedule Around Reports",
          "statement": "Providers SHOULD regularly schedule Quarterly Reviews to occur at least 3 business days after releasing an Ongoing Authorization Report AND within 10 business days of such release.",
          "keyword": "SHOULD",
          "role_group": "QTR",
          "section": "both"
        },
        {
          "id": "CCM-QTR-ACT",
          "name": "Additional Content",
          "statement": "Providers SHOULD include additional information in Quarterly Reviews that the provider determines is of interest, use, or otherwise relevant to agencies.",
          "keyword": "SHOULD",
          "role_group": "QTR",
          "section": "both"
        },
        {
          "id": "CCM-QTR-RTR",
          "name": "Record/Transcribe Reviews",
          "statement": "Providers SHOULD record or transcribe Quarterly Reviews and make such available to all necessary parties with other authorization data.",
          "keyword": "SHOULD",
          "role_group": "QTR",
          "section": "both"
        },
        {
          "id": "CCM-QTR-RTP",
          "name": "Restrict Third Parties",
          "statement": "Providers SHOULD NOT invite third parties to attend Quarterly Reviews intended for agencies unless they have specific relevance.",
          "keyword": "SHOULD NOT",
          "role_group": "QTR",
          "section": "both",
          "notes": [
            "This is because agencies are less likely to actively participate in meetings with third parties; the cloud service provider's independent assessor should be considered relevant by default."
          ]
        },
        {
          "id": "CCM-OAR-RPS",
          "name": "Responsible Public Sharing",
          "statement": "Providers MAY responsibly share some or all of the information an Ongoing Authorization Report publicly or with other parties if the provider determines doing so will NOT likely have an adverse effect on the cloud service offering.",
          "keyword": "MAY",
          "role_group": "OAR",
          "section": "both"
        },
        {
          "id": "CCM-QTR-SRR",
          "name": "Share Recordings Responsibly",
          "statement": "Providers MAY responsibly share recordings or transcriptions of Quarterly Reviews with the public or other parties ONLY if the provider removes all agency information (comments, questions, names, etc.) AND determines sharing will NOT likely have an adverse effect on the cloud service offering.",
          "keyword": "MAY",
          "role_group": "QTR",
          "section": "both"
        },
        {
          "id": "CCM-QTR-SCR",
          "name": "Share Content Responsibly",
          "statement": "Providers MAY responsibly share content prepared for a Quarterly Review with the public or other parties if the provider determines doing so will NOT likely have an adverse effect on the cloud service offering.",
          "keyword": "MAY",
          "role_group": "QTR",
          "section": "both"
        },
        {
          "id": "CCM-QTR-MTG",
          "name": "Quarterly Review Meeting",
          "statement": "",
          "keyword": "",
          "role_group": "QTR",
          "section": "both"
        }
      ],
      "process_requirements_summary": {
        "total": 17,
        "must": 8,
        "should": 5,
        "may": 3
      },
      "monitoring": {
        "total_tests": 0,
        "passed": 0,
        "failed": 0,
        "controls_with_monitoring": 0,
        "monitoring_coverage": 0.0,
        "test_pass_rate": 0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-AFR-FSI",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:53.881453+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "Security Inbox Email Configuration",
          "description": "Inbox configured as security@sustainment.com",
          "date": "2026-07-02T13:19:53.881442+00:00"
        }
      ],
      "notes": "**Sustainment Technologies ensures the secure operation of the FedRAMP Security Inbox through automated configuration validation.**\n\n### Key Capabilities\n- **Automated Configuration Checks** -- validates inbox alignment with FSI requirements\n- **Secure Communication Channel** -- ensures critical government communications are received via a verified channel\n\n### Validation Approach\nAutomated checks verify the inbox configuration (`security@sustainment.com`) is active and properly configured. Sustainment Technologies is currently formalizing supporting operational procedures to ensure all FSI recommendations are persistently addressed and documented.\n### Key Controls\n- [OK] Incident Report Template and Process (DCF-131)\n- [OK] Communication with Security and Privacy Organizations (DCF-188)\n- [OK] Incident Response Management (DCF-511)",
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-AFR-FSI",
          "control_name": "Custom Automated Check: KSI-AFR-FSI",
          "control_description": "Automated validation of FedRAMP Security Inbox configuration",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:53.881453+00:00",
          "updated_at": "2026-07-02T13:19:53.881453+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:53.881453+00:00",
          "requirements_updated_at": "",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": null,
              "name": "Security Inbox Email Configuration",
              "description": "Inbox configured as security@sustainment.com",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:53.881442+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138246+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-131",
          "control_name": "Incident Report Template and Process",
          "control_description": "Sustainment Technologies Inc has incident management procedures that include detailed instructions on how to escalate a suspected incident to the Information Security Team and, when necessary, to the Privacy or Legal department. Sustainment Technologies Inc has a standard incident report template th",
          "status": "compliant",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.797Z",
          "updated_at": "2025-11-24T13:51:34.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-131-owner",
              "name": "Assigned Control Owner - Incident Report Template and Process (DCF-131)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138253+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-131-policy",
              "name": "Policy Documentation - Incident Report Template and Process (DCF-131)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138260+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 152,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-188",
          "control_name": "Communication with Security and Privacy Organizations",
          "control_description": "Sustainment Technologies Inc exchanges information with relevant security and privacy organizations, including information on newly identified threats and vulnerabilities, through bulletin subscriptions, email alerts from security advisories, participation in conferences, etc.",
          "status": "compliant",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171"
          ],
          "created_at": "2023-03-21T16:43:16.610Z",
          "updated_at": "2025-11-24T13:51:37.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-06-24T19:13:14.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-188-policy",
              "name": "Policy Documentation - Communication with Security and Privacy Organizations (DCF-188)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:37.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138266+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 610,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-511",
          "control_name": "Incident Response Management",
          "control_description": "Sustainment Technologies Inc's IRP addresses roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum.",
          "status": "compliant",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:01.124Z",
          "updated_at": "2025-11-24T18:38:45.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-511-policy",
              "name": "Policy Documentation - Incident Response Management (DCF-511)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:45.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138273+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 530,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "implementation_details": {
        "method": "automated-script",
        "tools": [
          "python",
          "email-monitoring-system"
        ],
        "responsible_party": "Security Operations Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:53.881453+00:00",
      "ksi_name": "FedRAMP Security Inbox",
      "category": "AFR",
      "statement": "Operate a secure inbox to receive critical communication from FedRAMP and other government entities in alignment with FedRAMP Security Inbox (FSI) requirements and persistently address all related requirements and recommendations.",
      "reference_url": "https://fedramp.gov/docs/20x/fedramp-security-inbox",
      "nist_controls": [],
      "failure_conditions": {
        "conditional_check": "Sustainment ensures the secure operation of the FedRAMP Security Inbox through automated configuration validation and alignment with FSI requirements.",
        "failure_condition": "Security inbox email not configured or bouncing will cause a failure of the test. Automated configuration checks must validate inbox alignment with FSI requirements to ensure secure communications are maintained."
      },
      "outcome_metrics": [
        {
          "statement": "Security inbox monitored and FedRAMP communications acknowledged within required timeframe",
          "metric_name": "Recency",
          "target_value": "All inbox items acknowledged within 48 hours; no unread items >7 days",
          "target_unit": "",
          "frequency": "Weekly",
          "source": "FedRAMP security inbox log; ticket system",
          "notes": "Unacknowledged message older than 48 hours"
        }
      ],
      "process_requirements": [
        {
          "id": "FSI-CSO-INB",
          "name": "Maintain a FedRAMP Security Inbox",
          "statement": "Providers MUST establish and maintain an email address to receive messages from FedRAMP; this inbox is a FedRAMP Security Inbox (FSI).",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both",
          "notes": [
            "Unless otherwise notified, FedRAMP will use the listed Security Email on the Marketplace for these notifications.",
            "If a provider establishes a new inbox in reaction to this guidance that is different from the Security EMail then they must follow the requirements in FSI-CSO-NOC to notify FedRAMP."
          ]
        },
        {
          "id": "FSI-CSO-NOC",
          "name": "Notification of Changes",
          "statement": "Providers MUST immediately notify FedRAMP of any changes in addressing for their FedRAMP Security Inbox by emailing info@fedramp.gov with the name and FedRAMP ID of the cloud service offering and the updated email address.",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both"
        },
        {
          "id": "FSI-CSO-TFG",
          "name": "Trust @fedramp.gov and @gsa.gov",
          "statement": "Providers MUST treat any email originating from an @fedramp.gov or @gsa.gov email address as if it was sent from FedRAMP by default; if such a message is confirmed to originate from someone other than FedRAMP then FedRAMP Security Inbox requirements no longer apply.",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both"
        },
        {
          "id": "FSI-CSO-RCV",
          "name": "Receive Email Without Disruption",
          "statement": "Providers MUST receive and react to email messages from FedRAMP without disruption and without requiring additional actions from FedRAMP.",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both",
          "notes": [
            "This requirement is intended to prevent cloud service providers from requiring FedRAMP to complete a CAPTCHA, log into a customer portal, or otherwise take service-specific actions that might prevent the security team from receiving the message."
          ]
        },
        {
          "id": "FSI-CSO-CRA",
          "name": "Complete Required Actions",
          "statement": "Providers MUST complete the required actions in Emergency or Emergency Test designated messages sent by FedRAMP within the timeframe included in the message.",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both",
          "notes": [
            "Timeframes may vary by impact level of the cloud service offering."
          ]
        },
        {
          "id": "FSI-CSO-EMR",
          "name": "Emergency Message Routing",
          "statement": "Providers MUST route Emergency designated messages sent by FedRAMP to a senior security official for their awareness.",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both",
          "notes": [
            "Senior security officials are determined by the provider."
          ]
        },
        {
          "id": "FSI-CSO-IMA",
          "name": "Important Message Actions",
          "statement": "Providers SHOULD complete the required actions in Important designated messages sent by FedRAMP within the timeframe specified in the message.",
          "keyword": "SHOULD",
          "role_group": "CSO",
          "section": "both",
          "notes": [
            "Timeframes may vary by impact level of the cloud service offering."
          ]
        },
        {
          "id": "FSI-CSO-ACK",
          "name": "Acknowledge Receipt",
          "statement": "Providers SHOULD promptly and automatically acknowledge the receipt of messages received from FedRAMP in their FedRAMP Security Inbox.",
          "keyword": "SHOULD",
          "role_group": "CSO",
          "section": "both"
        }
      ],
      "process_requirements_summary": {
        "total": 8,
        "must": 6,
        "should": 2,
        "may": 0
      },
      "monitoring": {
        "total_tests": 0,
        "passed": 0,
        "failed": 0,
        "controls_with_monitoring": 0,
        "monitoring_coverage": 0.0,
        "test_pass_rate": 0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-AFR-ICP",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:56.649312+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "document",
          "name": "Incident Response Plan FedRAMP Addendum: Incident Response Plan FedRamp Addendum",
          "description": "Version 2, last updated 77 days ago by Alex Stoll",
          "source": "https://sustainment-tech.atlassian.net/wiki/spaces/Policies/pages/1295253507/Incident+Response+Plan+FedRamp+Addendum",
          "date": "2026-04-15T21:04:21.589Z",
          "control_id": "1295253507",
          "status": "Passing"
        }
      ],
      "notes": "**Sustainment Technologies integrates a dedicated FedRAMP Addendum into its Incident Response Plan, documenting all required communication protocols and reporting timelines.**\n\n### Key Capabilities\n- **FedRAMP IR Addendum** -- dedicated addendum covering incident communication procedures, notification requirements, contact information, and reporting procedures\n- **Automated Documentation Verification** -- Confluence API checks validate document freshness and required section presence\n- **Staleness Monitoring** -- documents flagged if not updated within 90 days\n\n### Validation Approach\nCompliance is maintained through formal procedures documented in Confluence combined with automated verification checks. Sustainment Technologies is finalizing API configurations to enable continuous automated monitoring of these controls.\n### Key Controls\n- [OK] Incident Report Template and Process (DCF-131)\n- [OK] Incident Response Plan (DCF-159)\n- [OK] Incident Response Team (DCF-29)",
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:56.649312+00:00",
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-AFR-ICP",
          "control_name": "Custom Automated Check: KSI-AFR-ICP",
          "control_description": "Incident Response Plan FedRAMP Addendum \"Incident Response Plan FedRamp Addendum\" (v2) verified via Confluence API. Document is fresh (updated 77 days ago), all required sections present. URL: https://sustainment-tech.atlassian.net/wiki/spaces/Policies/pages/1295253507/Incident+Response+Plan+FedRamp+Addendum",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:56.649312+00:00",
          "updated_at": "2026-07-02T13:19:56.649312+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:56.649312+00:00",
          "requirements_updated_at": "",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": null,
              "name": "Incident Response Plan FedRAMP Addendum: Incident Response Plan FedRamp Addendum",
              "description": "Version 2, last updated 77 days ago by Alex Stoll",
              "type": "document",
              "source": "https://sustainment-tech.atlassian.net/wiki/spaces/Policies/pages/1295253507/Incident+Response+Plan+FedRamp+Addendum",
              "updated_at": "2026-04-15T21:04:21.589Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138285+00:00",
                "status": "not_hashed",
                "reason": "remote_source_not_downloaded",
                "source": "https://sustainment-tech.atlassian.net/wiki/spaces/Policies/pages/1295253507/Incident+Response+Plan+FedRamp+Addendum"
              }
            }
          ],
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              },
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-131",
              "DCF-159",
              "DCF-29"
            ]
          }
        },
        {
          "control_id": "DCF-131",
          "drata_control_id": 152,
          "control_name": "Incident Report Template and Process",
          "control_description": "Sustainment Technologies Inc has incident management procedures that include detailed instructions on how to escalate a suspected incident to the Information Security Team and, when necessary, to the Privacy or Legal department. Sustainment Technologies Inc has a standard incident report template th",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "explanation": "",
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.797Z",
          "updated_at": "2025-11-24T13:51:34.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-131-owner",
              "name": "Assigned Control Owner - Incident Report Template and Process (DCF-131)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138293+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-131-policy",
              "name": "Policy Documentation - Incident Report Template and Process (DCF-131)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138299+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-159",
          "drata_control_id": 77,
          "control_name": "Incident Response Plan",
          "control_description": "Sustainment Technologies Inc has an established Incident Response Plan that outlines management responsibilities and procedures to ensure a quick, effective, and orderly response to information security incidents and annual testing.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "explanation": "",
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.576Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-159-evidence",
              "name": "Incident Response Plan (DCF-159)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138305+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-owner",
              "name": "Assigned Control Owner - Incident Response Plan (DCF-159)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138311+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-monitoring",
              "name": "Continuous Monitoring - Incident Response Plan (DCF-159)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138318+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-29",
          "drata_control_id": 74,
          "control_name": "Incident Response Team",
          "control_description": "Sustainment Technologies Inc has identified an incident response team that quantifies and monitors incidents involving security, availability, processing integrity, and confidentiality at the company.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "explanation": "",
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.562Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-29-evidence",
              "name": "Incident Response Team (DCF-29)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138324+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-owner",
              "name": "Assigned Control Owner - Incident Response Team (DCF-29)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138330+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-monitoring",
              "name": "Continuous Monitoring - Incident Response Team (DCF-29)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138336+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "ksi_name": "Incident Communications Procedures",
      "category": "AFR",
      "statement": "Integrate FedRAMP's Incident Communications Procedures (ICP) into incident response procedures and persistently address all related requirements and recommendations.",
      "reference_url": "https://fedramp.gov/docs/20x/incident-communications-procedures",
      "nist_controls": [],
      "failure_conditions": {
        "conditional_check": "Sustainment integrates a dedicated FedRAMP Addendum into its Incident Response Plan documenting all required communication protocols and reporting timelines.",
        "failure_condition": "Incident response addendum not updated or required sections missing will cause a failure of the test. Additionally, an incident response plan, incident response team, and incident report template must be in place to ensure FedRAMP incident communication procedures are documented and current."
      },
      "outcome_metrics": [
        {
          "statement": "Incident communications follow FedRAMP ICP and are reported within required windows",
          "metric_name": "Completion",
          "target_value": "100% of qualifying incidents reported per ICP timeline",
          "target_unit": "",
          "frequency": "Per incident",
          "source": "Incident tracker; FedRAMP report submissions",
          "notes": "Qualifying incident not reported within ICP window"
        }
      ],
      "process_requirements": [
        {
          "id": "ICP-CSX-IRF",
          "name": "Incident Reporting to FedRAMP",
          "statement": "Providers MUST responsibly report incidents to FedRAMP within 1 hour of identification by sending an email to fedramp_security@fedramp.gov or fedramp_security@gsa.gov.",
          "keyword": "MUST",
          "role_group": "CSX",
          "section": "20x",
          "timeframe": "1 hours"
        },
        {
          "id": "ICP-CSX-IRA",
          "name": "Incident Reporting to Agencies",
          "statement": "Providers MUST responsibly report incidents to all agency customers within 1 hour of identification using the incident communications points of contact provided by each agency customer.",
          "keyword": "MUST",
          "role_group": "CSX",
          "section": "20x",
          "timeframe": "1 hours"
        },
        {
          "id": "ICP-CSX-IRC",
          "name": "Incident Reporting to CISA",
          "statement": "Providers MUST responsibly report incidents to CISA within 1 hour of identification if the incident is confirmed or suspected to be the result of an attack vector listed at https://www.cisa.gov/federal-incident-notification-guidelines#attack-vectors-taxonomy, following the CISA Federal Incident Notification Guidelines at https://www.cisa.gov/federal-incident-notification-guidelines, by using the CISA Incident Reporting System at https://myservices.cisa.gov/irf. ",
          "keyword": "MUST",
          "role_group": "CSX",
          "section": "20x",
          "timeframe": "1 hours"
        },
        {
          "id": "ICP-CSX-ICU",
          "name": "Incident Updates",
          "statement": "Providers MUST update all necessary parties, including at least FedRAMP, CISA (if applicable), and all agency customers, at least once per calendar day until the incident is resolved and recovery is complete.",
          "keyword": "MUST",
          "role_group": "CSX",
          "section": "20x"
        },
        {
          "id": "ICP-CSX-RPT",
          "name": "Incident Report Availability",
          "statement": "Providers MUST make incident report information available in their secure FedRAMP repository (such as USDA Connect) or trust center.",
          "keyword": "MUST",
          "role_group": "CSX",
          "section": "20x"
        },
        {
          "id": "ICP-CSX-FIR",
          "name": "Final Incident Report",
          "statement": "Providers MUST provide a final report once the incident is resolved and recovery is complete that describes at least:",
          "keyword": "MUST",
          "role_group": "CSX",
          "section": "20x",
          "following_information": [
            "What occurred",
            "Root cause",
            "Response",
            "Lessons learned",
            "Changes needed"
          ]
        },
        {
          "id": "ICP-CSX-RSD",
          "name": "Responsible Disclosure",
          "statement": "Providers MUST NOT irresponsibly disclose specific sensitive information about incidents that would likely increase the impact of the incident, but MUST disclose sufficient information for informed risk-based decision-making to all necessary parties.",
          "keyword": "MUST NOT",
          "role_group": "CSX",
          "section": "20x"
        },
        {
          "id": "ICP-CSX-AUR",
          "name": "Automated Reporting",
          "statement": "Providers SHOULD use automated mechanisms for reporting incidents and providing updates to all necessary parties (including CISA).",
          "keyword": "SHOULD",
          "role_group": "CSX",
          "section": "20x"
        },
        {
          "id": "ICP-CSX-HRM",
          "name": "Human and Machine-Readable",
          "statement": "Providers SHOULD make incident report information available in consistent human-readable and machine-readable formats.",
          "keyword": "SHOULD",
          "role_group": "CSX",
          "section": "20x"
        }
      ],
      "process_requirements_summary": {
        "total": 9,
        "must": 7,
        "should": 2,
        "may": 0
      },
      "monitoring": {
        "total_tests": 2,
        "passed": 2,
        "failed": 0,
        "controls_with_monitoring": 2,
        "monitoring_coverage": 50.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-AFR-MAS",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:55.703680+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-86 (DCF-86)",
          "control_id": "DCF-86",
          "status": "Passing",
          "description": "Drata control status for DCF-86",
          "date": "2026-07-02T13:19:55.703680+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-18 (DCF-18)",
          "control_id": "DCF-18",
          "status": "Passing",
          "description": "Drata control status for DCF-18",
          "date": "2026-07-02T13:19:55.703680+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-160 (DCF-160)",
          "control_id": "DCF-160",
          "status": "Passing",
          "description": "Drata control status for DCF-160",
          "date": "2026-07-02T13:19:55.703680+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-10 (DCF-10)",
          "control_id": "DCF-10",
          "status": "Passing",
          "description": "Drata control status for DCF-10",
          "date": "2026-07-02T13:19:55.703680+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-80 (DCF-80)",
          "control_id": "DCF-80",
          "status": "Passing",
          "description": "Drata control status for DCF-80",
          "date": "2026-07-02T13:19:55.703680+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-87 (DCF-87)",
          "control_id": "DCF-87",
          "status": "Passing",
          "description": "Drata control status for DCF-87",
          "date": "2026-07-02T13:19:55.703680+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-15 (DCF-15)",
          "control_id": "DCF-15",
          "status": "Passing",
          "description": "Drata control status for DCF-15",
          "date": "2026-07-02T13:19:55.703680+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-159 (DCF-159)",
          "control_id": "DCF-159",
          "status": "Passing",
          "description": "Drata control status for DCF-159",
          "date": "2026-07-02T13:19:55.703680+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-29 (DCF-29)",
          "control_id": "DCF-29",
          "status": "Passing",
          "description": "Drata control status for DCF-29",
          "date": "2026-07-02T13:19:55.703680+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-AFR-MAS",
          "control_name": "Custom Automated Check: KSI-AFR-MAS",
          "control_description": "9/9 mapped controls passing; **Sustainment Technologies satisfies the Minimum Assessment Scope (MAS) requirement by employing a strategy of continuous boundary validation integrated with a robust governance framework.**\n\n### Required Artifacts\n- **Architecture Diagram** -- A current system architecture diagram depicting all in-scope components, data flows, and authorization boundaries *(Drata Evidence ID: 152 -- pending next pipeline sync)*\n- **In-Scope Systems Inventory** -- A maintained list of all systems, services, and interconnections within the FedRAMP authorization boundary *(Failing -- not yet uploaded to Drata as evidence)*\n\n### Continuous Boundary Validation\n- **Automated Control Monitoring** -- continuous monitoring via Drata\n- **Quarterly Vulnerability Assessments** -- periodic security validation of in-scope systems\n- **Formal Security Policies** -- governance framework ensuring the CSO scope is accurately documented and persistently managed\n\n### Validation Approach\nThis integrated approach enables real-time visibility into the assessment boundary and ensures that all related FedRAMP security requirements are consistently addressed and maintained.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:55.703680+00:00",
          "updated_at": "2026-07-02T13:19:55.703680+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:55.703680+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-86 (DCF-86)",
              "description": "Drata control status for DCF-86",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.703680+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138343+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-18 (DCF-18)",
              "description": "Drata control status for DCF-18",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.703680+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138349+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-160 (DCF-160)",
              "description": "Drata control status for DCF-160",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.703680+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138355+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-10 (DCF-10)",
              "description": "Drata control status for DCF-10",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.703680+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138361+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-80 (DCF-80)",
              "description": "Drata control status for DCF-80",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.703680+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138367+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-87 (DCF-87)",
              "description": "Drata control status for DCF-87",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.703680+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138373+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-15 (DCF-15)",
              "description": "Drata control status for DCF-15",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.703680+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138378+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-159 (DCF-159)",
              "description": "Drata control status for DCF-159",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.703680+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138384+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-29 (DCF-29)",
              "description": "Drata control status for DCF-29",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.703680+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138390+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 14,
            "passed": 14,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:45.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 7,
                "name": "Infrastructure Instance CPU Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's server monitoring and alerting configurations and confirmed that server CPU use is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:42.000Z",
                "test_definition_id": 118,
                "enabled": true
              },
              {
                "test_id": 6,
                "name": "NoSQL Cluster Storage Utilization Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's NoSQL cluster monitoring and alerting configurations and confirmed that storage utilization is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:50.000Z",
                "test_definition_id": 117,
                "enabled": true
              },
              {
                "test_id": 4,
                "name": "Messaging Queue Message Age Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's messaging queue monitoring configurations and confirmed that message age is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:59.000Z",
                "test_definition_id": 115,
                "enabled": true
              },
              {
                "test_id": 3,
                "name": "Database Read I/O Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that read I/O is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 114,
                "enabled": true
              },
              {
                "test_id": 2,
                "name": "Database Free Storage Space Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that free storage space is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 113,
                "enabled": true
              },
              {
                "test_id": 1,
                "name": "Database CPU Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that server CPU use is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 112,
                "enabled": true
              },
              {
                "test_id": 66,
                "name": "Vulnerability Scanning",
                "status": "PASSED",
                "description": "Drata validated that a vulnerability scanning system is connected to Drata.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 21,
                "enabled": true
              },
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              },
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              },
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              },
              {
                "test_id": 135,
                "name": "Threat Detection in Place",
                "status": "PASSED",
                "description": "Sustainment Technologies Inc has Threat Detection in place to detect unauthorized file additions within the cloud environment, server instances, and application containers.",
                "last_run": "2026-07-01T18:28:45.000Z",
                "test_definition_id": 105,
                "enabled": true
              },
              {
                "test_id": 100,
                "name": "Risk Assessment Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Risk Assessment Policy and confirmed that it specifies risk tolerances and the process for evaluating risks based on identified threats and specified tolerances.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 18,
                "enabled": true
              },
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              },
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-86",
              "DCF-18",
              "DCF-160",
              "DCF-10",
              "DCF-80",
              "DCF-87",
              "DCF-15",
              "DCF-159",
              "DCF-29"
            ]
          }
        },
        {
          "control_id": "DCF-86",
          "control_name": "Operational Audit",
          "control_description": "Sustainment Technologies Inc's cloud infrastructure is monitored through an operational audit system that sends alerts to appropriate personnel",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.431Z",
          "updated_at": "2026-05-16T21:24:18.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:22.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-86-evidence",
              "name": "Operational Audit (DCF-86)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138396+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-86-owner",
              "name": "Assigned Control Owner - Operational Audit (DCF-86)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138402+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-86-monitoring",
              "name": "Continuous Monitoring - Operational Audit (DCF-86)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138409+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 5,
          "explanation": "Drata's Operational Audit control directly supports KSI-AFR-MAS by providing continuous monitoring and logging of system activity *within the defined FedRAMP MAS*. This audit trail helps identify and document the systems and data *in scope* for assessment, and the alerts ensure any deviations or vulnerabilities – including those impacting MAS controls – are addressed persistently, fulfilling the requirement for ongoing compliance within the authorized boundaries. Essentially, it proves you know what's in scope and are actively maintaining it.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 6,
            "passed": 6,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:02.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 7,
                "name": "Infrastructure Instance CPU Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's server monitoring and alerting configurations and confirmed that server CPU use is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:42.000Z",
                "test_definition_id": 118,
                "enabled": true
              },
              {
                "test_id": 6,
                "name": "NoSQL Cluster Storage Utilization Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's NoSQL cluster monitoring and alerting configurations and confirmed that storage utilization is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:50.000Z",
                "test_definition_id": 117,
                "enabled": true
              },
              {
                "test_id": 4,
                "name": "Messaging Queue Message Age Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's messaging queue monitoring configurations and confirmed that message age is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:59.000Z",
                "test_definition_id": 115,
                "enabled": true
              },
              {
                "test_id": 3,
                "name": "Database Read I/O Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that read I/O is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 114,
                "enabled": true
              },
              {
                "test_id": 2,
                "name": "Database Free Storage Space Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that free storage space is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 113,
                "enabled": true
              },
              {
                "test_id": 1,
                "name": "Database CPU Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that server CPU use is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 112,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-18",
          "control_name": "Quarterly Vulnerability Scan",
          "control_description": "Sustainment Technologies Inc engages a third party to conduct vulnerability scans of the production environment at least quarterly. Results are reviewed by management and high priority findings are tracked to resolution.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.858Z",
          "updated_at": "2026-05-11T12:55:17.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:22.000Z",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": 149,
              "name": "Vulnerability scanning - historical scans.",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/149_Vulnerability scanning - historical scans..zip",
              "updated_at": "2026-03-02T14:54:37.097Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.138588+00:00",
                "status": "hashed",
                "sha256": "1bca3af621b9ac72ecaf5ccb180f7c18cc49f95a24e05a54e8c83a05fa411b37",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/149_Vulnerability scanning - historical scans..zip",
                "filename": "149_Vulnerability scanning - historical scans..zip",
                "size_bytes": 629615,
                "modified_at": "2026-07-02T13:16:59+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 148,
              "name": "Vulnerability Scan Report repository (screenshot)",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/148_Vulnerability Scan Report repository (screenshot).png",
              "updated_at": "2026-03-02T14:51:39.054Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.139270+00:00",
                "status": "hashed",
                "sha256": "cbd856d7f75726db39106a98e93d3f94d3574bb28b0bc44483de3aa2a36f063e",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/148_Vulnerability Scan Report repository (screenshot).png",
                "filename": "148_Vulnerability Scan Report repository (screenshot).png",
                "size_bytes": 307470,
                "modified_at": "2026-07-02T13:16:59+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-18-owner",
              "name": "Assigned Control Owner - Quarterly Vulnerability Scan (DCF-18)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-11T12:55:17.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.139544+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 46,
          "explanation": "The Quarterly Vulnerability Scan control directly supports KSI-AFR-MAS by helping to **define and validate the \"production environment\" which *is* the in-scope system** for FedRAMP assessment. Regularly identifying vulnerabilities *within* that defined scope (via scanning) ensures ongoing attention to security requirements and recommendations applicable to the authorized cloud service, fulfilling the \"persistently address\" portion of the requirement. Essentially, it proves you know what you're protecting and are actively securing it.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 66,
                "name": "Vulnerability Scanning",
                "status": "PASSED",
                "description": "Drata validated that a vulnerability scanning system is connected to Drata.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 21,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-160",
          "control_name": "Continuous Control Monitoring",
          "control_description": "Sustainment Technologies Inc conducts continuous monitoring of security controls using Drata, and addresses issues in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.170Z",
          "updated_at": "2025-11-24T13:51:38.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 160,
              "name": "Silent Log Sources - Crowdstrike",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/160_Silent Log Sources - Crowdstrike.png",
              "updated_at": "2026-06-17T22:10:26.030Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.139711+00:00",
                "status": "hashed",
                "sha256": "4355516d11f210c6981374184d617ae5fe381cdce7b22a19795747db92d14581",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/160_Silent Log Sources - Crowdstrike.png",
                "filename": "160_Silent Log Sources - Crowdstrike.png",
                "size_bytes": 239901,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-160-owner",
              "name": "Assigned Control Owner - Continuous Control Monitoring (DCF-160)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.139918+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-160-policy",
              "name": "Policy Documentation - Continuous Control Monitoring (DCF-160)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.139925+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 70,
          "explanation": "Continuous Control Monitoring (CCM) via Drata directly supports KSI-AFR-MAS by providing ongoing evidence that security controls *within the defined FedRAMP MAS scope* are operating effectively. This persistent monitoring and remediation process demonstrates sustained compliance with all related requirements and recommendations identified during the initial assessment, fulfilling the \"persistently address\" component of the KSI. Essentially, Drata proves you're not just compliant *at a point in time*, but *continuously* within your authorized scope.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-10",
          "control_name": "System Access Control Policy",
          "control_description": "Sustainment Technologies Inc has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and employee transfers.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.531Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-10-evidence",
              "name": "System Access Control Policy (DCF-10)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.139932+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-owner",
              "name": "Assigned Control Owner - System Access Control Policy (DCF-10)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.139938+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-monitoring",
              "name": "Continuous Monitoring - System Access Control Policy (DCF-10)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.139944+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 88,
          "explanation": "The System Access Control Policy directly supports KSI-AFR-MAS by demonstrating a defined process for managing *who* has access to the systems within the FedRAMP MAS scope. Regular reviews (annual & triggered by personnel changes) ensure access remains appropriate and aligned with the documented scope, persistently addressing requirements related to authorized users and their permissions – a key element of FedRAMP authorization. This control establishes a foundational element for consistently applying security controls *within* the defined assessment boundary.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-80",
          "control_name": "Log Management System",
          "control_description": "Sustainment Technologies Inc uses logging software that sends alerts to appropriate personnel. Corrective actions are performed, as necessary, in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.779Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 151,
              "name": "DataDog Security alerts sample",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/151_DataDog Security alerts sample.csv",
              "updated_at": "2026-03-02T15:57:18.424Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.140108+00:00",
                "status": "hashed",
                "sha256": "3a6f138a1019b8d39d01a2e02dc11e84fa1a8b504f306fadf42619746948a934",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/151_DataDog Security alerts sample.csv",
                "filename": "151_DataDog Security alerts sample.csv",
                "size_bytes": 82445,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-80-owner",
              "name": "Assigned Control Owner - Log Management System (DCF-80)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.140210+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-80-monitoring",
              "name": "Continuous Monitoring - Log Management System (DCF-80)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.140217+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 123,
          "explanation": "This Log Management System control directly supports KSI-AFR-MAS by providing a persistent record of system activity *within the defined FedRAMP MAS*. These logs are crucial for demonstrating ongoing compliance with all requirements and recommendations scoped during the assessment, as they provide audit evidence of security control operation and effectiveness. Essentially, logging *is* how you prove you’re consistently meeting requirements within your authorized scope.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-87",
          "control_name": "Logging/Monitoring",
          "control_description": "Sustainment Technologies Inc has infrastructure logging configured to monitor web traffic and suspicious activity. When anomalous traffic activity is identified, alerts are automatically created, sent to appropriate personnel and resolved, as necessary.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.217Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:21.976Z",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": 161,
              "name": "DCF87 Testing Results History",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/161_DCF87 Testing Results History.png",
              "updated_at": "2026-06-17T22:38:41.159Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.140381+00:00",
                "status": "hashed",
                "sha256": "297e5a03cc7fa8c4f1a971f581eae381efbbf3eb5e9b6ec8f5a4f498073de962",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/161_DCF87 Testing Results History.png",
                "filename": "161_DCF87 Testing Results History.png",
                "size_bytes": 195440,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 160,
              "name": "Silent Log Sources - Crowdstrike",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/160_Silent Log Sources - Crowdstrike.png",
              "updated_at": "2026-06-17T22:10:26.030Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.140712+00:00",
                "status": "hashed",
                "sha256": "4355516d11f210c6981374184d617ae5fe381cdce7b22a19795747db92d14581",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/160_Silent Log Sources - Crowdstrike.png",
                "filename": "160_Silent Log Sources - Crowdstrike.png",
                "size_bytes": 239901,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-87-owner",
              "name": "Assigned Control Owner - Logging/Monitoring (DCF-87)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.140902+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 118,
          "explanation": "This Logging/Monitoring control satisfies KSI-AFR-MAS by demonstrably covering systems *within* the defined FedRAMP MAS. By actively monitoring web traffic and alerting on anomalies across that infrastructure, Sustainment Technologies Inc. provides evidence they are persistently assessing and addressing security requirements *specifically for* the scoped cloud service offering – a core tenet of the MAS requirement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:45.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              },
              {
                "test_id": 135,
                "name": "Threat Detection in Place",
                "status": "PASSED",
                "description": "Sustainment Technologies Inc has Threat Detection in place to detect unauthorized file additions within the cloud environment, server instances, and application containers.",
                "last_run": "2026-07-01T18:28:45.000Z",
                "test_definition_id": 105,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-15",
          "control_name": "Risk Assessment Policy",
          "control_description": "Sustainment Technologies Inc has defined a formal risk management process that specifies risk tolerances and the process for evaluating risks based on identified threats and the specified tolerances.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.142Z",
          "updated_at": "2025-12-03T18:49:50.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-15-monitoring",
              "name": "Continuous Monitoring - Risk Assessment Policy (DCF-15)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-12-03T18:49:50.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.140909+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-15-policy",
              "name": "Policy Documentation - Risk Assessment Policy (DCF-15)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-12-03T18:49:50.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.140916+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 86,
          "explanation": "The Risk Assessment Policy satisfies KSI-AFR-MAS by demonstrating a defined process to *identify* risks – including those specific to the FedRAMP MAS scope – and establish tolerances. This directly supports documenting the cloud service offering's assessment boundaries (scope) as required, and ensures ongoing attention to related security requirements and recommendations through continuous risk evaluation. Essentially, knowing what's *in* scope is foundational to a proper risk assessment, fulfilling the KSI’s core intent.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 100,
                "name": "Risk Assessment Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Risk Assessment Policy and confirmed that it specifies risk tolerances and the process for evaluating risks based on identified threats and specified tolerances.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 18,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-159",
          "control_name": "Incident Response Plan",
          "control_description": "Sustainment Technologies Inc has an established Incident Response Plan that outlines management responsibilities and procedures to ensure a quick, effective, and orderly response to information security incidents and annual testing.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.576Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-159-evidence",
              "name": "Incident Response Plan (DCF-159)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.140923+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-owner",
              "name": "Assigned Control Owner - Incident Response Plan (DCF-159)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.140929+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-monitoring",
              "name": "Continuous Monitoring - Incident Response Plan (DCF-159)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.140936+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 77,
          "explanation": "The Incident Response Plan (IRP) satisfies KSI-AFR-MAS by demonstrating a defined process for handling security incidents *within the defined FedRAMP MAS*. Documenting incident handling procedures—including roles, responsibilities, and testing—proves the organization is actively managing security *across the scoped cloud service offering*, addressing potential vulnerabilities identified during assessment and ensuring persistent remediation as required by the KSI. Essentially, a functioning IRP shows the organization can *maintain* security within the authorized boundaries.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-29",
          "control_name": "Incident Response Team",
          "control_description": "Sustainment Technologies Inc has identified an incident response team that quantifies and monitors incidents involving security, availability, processing integrity, and confidentiality at the company.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.562Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-29-evidence",
              "name": "Incident Response Team (DCF-29)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.140942+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-owner",
              "name": "Assigned Control Owner - Incident Response Team (DCF-29)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.140949+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-monitoring",
              "name": "Continuous Monitoring - Incident Response Team (DCF-29)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.140955+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 74,
          "explanation": "The Incident Response Team control directly supports KSI-AFR-MAS by demonstrating a defined process for *handling* security incidents *within the defined scope* of the cloud service offering. Identifying, quantifying, and monitoring incidents (as the control states) ensures all security-related events – impacting the MAS – are addressed, fulfilling the requirement to persistently address related recommendations and maintain scope coverage. This aligns with IR-1 by establishing a core capability for responding to events affecting the system's security posture within the authorized boundaries.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "**Sustainment Technologies satisfies the Minimum Assessment Scope (MAS) requirement by employing a strategy of continuous boundary validation integrated with a robust governance framework.**\n\n### Required Artifacts\n- **Architecture Diagram** -- A current system architecture diagram depicting all in-scope components, data flows, and authorization boundaries *(Drata Evidence ID: 152 -- pending next pipeline sync)*\n- **In-Scope Systems Inventory** -- A maintained list of all systems, services, and interconnections within the FedRAMP authorization boundary *(Failing -- not yet uploaded to Drata as evidence)*\n\n### Continuous Boundary Validation\n- **Automated Control Monitoring** -- continuous monitoring via Drata\n- **Quarterly Vulnerability Assessments** -- periodic security validation of in-scope systems\n- **Formal Security Policies** -- governance framework ensuring the CSO scope is accurately documented and persistently managed\n\n### Validation Approach\nThis integrated approach enables real-time visibility into the assessment boundary and ensures that all related FedRAMP security requirements are consistently addressed and maintained.\n### Key Controls\n- [OK] Operational Audit (DCF-86)\n- [OK] Quarterly Vulnerability Scan (DCF-18)\n- [OK] Continuous Control Monitoring (DCF-160)\n- [OK] System Access Control Policy (DCF-10)\n- [OK] Log Management System (DCF-80)\n- [OK] Logging/Monitoring (DCF-87)\n- [OK] Risk Assessment Policy (DCF-15)\n- [OK] Incident Response Plan (DCF-159)\n- [OK] Incident Response Team (DCF-29)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:55.703680+00:00",
      "ksi_name": "Minimum Assessment Scope",
      "category": "AFR",
      "statement": "Apply the FedRAMP Minimum Assessment Scope (MAS) to identify and document the scope of the cloud service offering to be assessed for FedRAMP authorization and persistently address all related requirements and recommendations.",
      "reference_url": "https://fedramp.gov/docs/20x/minimum-assessment-scope",
      "nist_controls": [
        "AC-1",
        "AC-21",
        "AT-1",
        "AU-1",
        "CA-1",
        "CM-1",
        "CP-1",
        "CP-2.1",
        "CP-2.8",
        "CP-4.1",
        "IA-1",
        "IR-1",
        "MA-1",
        "MP-1",
        "PE-1",
        "PL-1",
        "PL-2",
        "PL-4",
        "PL-4.1",
        "PS-1",
        "RA-1",
        "RA-9",
        "SA-1",
        "SC-1",
        "SI-1",
        "SR-1",
        "SR-2",
        "SR-3",
        "SR-11"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment satisfies the Minimum Assessment Scope requirement through continuous boundary validation, architecture documentation, vulnerability scanning, and a robust governance framework including operational audits and risk assessments.",
        "failure_condition": "Authorization boundary documentation not reviewed within 12 months or failure to maintain a current architecture diagram will cause a failure of the test. Additionally, operational audits, quarterly vulnerability scans, continuous control monitoring, a log management system, a risk assessment policy, an incident response plan, and an incident response team must be in place to ensure the assessment scope is comprehensive and current."
      },
      "process_requirements": [
        {
          "id": "MAS-CSO-IIR",
          "name": "Identify Information Resources",
          "statement": "Providers MUST identify a set of information resources to assess for FedRAMP authorization that includes all information resources that are likely to handle federal customer data or likely to impact the confidentiality, integrity, or availability of federal customer data handled by the cloud service offering; this set of information resources is the cloud service offering.",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both",
          "notes": [
            "Certain categories of cloud computing products and services are specified as entirely outside the scope of FedRAMP by the Director of the Office of Management and Budget. All such products and services are therefore not included in the cloud service offering for FedRAMP. For more, see https://fedramp.gov/scope.",
            "Software produced by cloud service providers that is delivered separately for installation on agency systems and not operated in a shared responsibility model (typically including agents, application clients, mobile applications, etc. that are not fully managed by the cloud service provider) is not a cloud computing product or service and is entirely outside the scope of FedRAMP under the FedRAMP Authorization Act. All such software is therefore not included in the cloud service offering for FedRAMP. For more, see fedramp.gov/scope.",
            "All aspects of the cloud service offering are determined and maintained by the cloud service provider in accordance with related FedRAMP authorization requirements and documented by the cloud service provider in their assessment and authorization materials."
          ]
        },
        {
          "id": "MAS-CSO-FLO",
          "name": "Information Flows and Security Objectives",
          "statement": "Providers MUST clearly identify, document, and explain information flows and security objectives for ALL information resources or sets of information resources in the cloud service offering.",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both",
          "notes": [
            "Information resources (including third-party information resources) MAY vary by security objectives as appropriate to the level of information handled or impacted by the information resource."
          ]
        },
        {
          "id": "MAS-CSO-TPR",
          "name": "Third-Party Information Resources",
          "statement": "Providers MUST address the potential impact to federal customer data from third-party information resources used by the cloud service offering, ONLY IF MAS-CSO-IIR APPLIES, by documenting the following information about each applicable third-party information resource:",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both",
          "following_information": [
            "General usage and configuration",
            "Explanation or justification for use",
            "Mitigation measures in place to reduce the potential impact to federal customer data",
            "Compensating controls in place to reduce the potential impact to federal customer data"
          ]
        },
        {
          "id": "MAS-CSO-MDI",
          "name": "Metadata Inclusion",
          "statement": "Providers MUST include metadata (including metadata about federal customer data) in the Minimum Assessment Scope ONLY IF MAS-CSO-IIR APPLIES.",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both"
        },
        {
          "id": "MAS-CSO-SUP",
          "name": "Supplemental Information",
          "statement": "Providers MAY include additional materials about other information resources that are not part of the cloud service offering in a FedRAMP assessment and authorization package supplement; these resources will not be FedRAMP authorized and MUST be clearly marked and separated from the cloud service offering.",
          "keyword": "MAY",
          "role_group": "CSO",
          "section": "both",
          "notes": [
            "This is intended to allow inclusion of things like security materials for apps, supplemental marketing collateral, and other information that is not part of the cloud service offering but may be useful to agencies."
          ]
        }
      ],
      "process_requirements_summary": {
        "total": 5,
        "must": 4,
        "should": 0,
        "may": 1
      },
      "monitoring": {
        "total_tests": 14,
        "passed": 14,
        "failed": 0,
        "controls_with_monitoring": 8,
        "monitoring_coverage": 80.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-AFR-PVA",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:54.948654+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "report",
          "name": "FedRAMP Documentation Source",
          "description": "FedRAMP KSI documentation and compliance generator are present",
          "date": "2026-07-02T13:19:54.950800+00:00",
          "status": "Passing"
        },
        {
          "type": "report",
          "name": "KSI Coverage",
          "description": "Monitoring 60 Key Security Indicators",
          "date": "2026-07-02T13:19:54.950817+00:00",
          "status": "Passing"
        },
        {
          "type": "report",
          "name": "Compliance Artifact Generation Capability",
          "description": "Compliance artifact and KSI check history are generated by the active pipeline after check execution; pending outputs: ksi_compliance.json",
          "date": "2026-07-02T13:19:54.950852+00:00",
          "status": "Passing"
        },
        {
          "type": "report",
          "name": "Compliance Dashboard",
          "description": "Dashboard is available for persistent reporting",
          "date": "2026-07-02T13:19:54.950912+00:00",
          "status": "Passing"
        }
      ],
      "notes": "**Sustainment Technologies employs an automated continuous monitoring strategy to persistently validate and report on security policy effectiveness in alignment with the FedRAMP 20x PVA process.**\n\n### Key Capabilities\n- **Automated Meta-Check** -- monitors the integrity and operational status of the compliance dashboard, data pipelines, and reporting mechanisms\n- **Pipeline Health Validation** -- verifies pipeline runs within 48 hours with a minimum 90% success rate\n- **KSI Coverage Analysis** -- ensures all KSIs meet a minimum compliance score of 70\n- **Jira Integration** -- automated ticket creation for compliance findings\n\n### Validation Approach\nBy validating the health of the monitoring system itself, Sustainment Technologies ensures consistent oversight and the ability to persistently address security requirements and recommendations.\n### Key Controls\n- [OK] Periodic Dynamic Threat Assessment (DCF-185)\n- [OK] Audit Logs Available for Analysis (DCF-442)\n- [OK] Policy for Security Monitoring and Testing Documented and Accessible (DCF-481)\n- [OK] System Security Planning Policy (DCF-577)",
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-AFR-PVA",
          "control_name": "Custom Automated Check: KSI-AFR-PVA",
          "control_description": "Persistent Validation and Assessment (PVA) check: 4/4 checks passed. This meta-check validates that the continuous monitoring system itself is functioning. Dashboard, pipeline, and compliance data are operational. | Findings: MEDIUM: Last pipeline status: running",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:54.948654+00:00",
          "updated_at": "2026-07-02T13:19:54.948654+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:54.948654+00:00",
          "requirements_updated_at": "",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": null,
              "name": "FedRAMP Documentation Source",
              "description": "FedRAMP KSI documentation and compliance generator are present",
              "type": "report",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.950800+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.140963+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "KSI Coverage",
              "description": "Monitoring 60 Key Security Indicators",
              "type": "report",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.950817+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.140969+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "Compliance Artifact Generation Capability",
              "description": "Compliance artifact and KSI check history are generated by the active pipeline after check execution; pending outputs: ksi_compliance.json",
              "type": "report",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.950852+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.140976+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "Compliance Dashboard",
              "description": "Dashboard is available for persistent reporting",
              "type": "report",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.950912+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.140981+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-185",
              "DCF-442",
              "DCF-481",
              "DCF-577"
            ]
          }
        },
        {
          "control_id": "DCF-185",
          "control_name": "Periodic Dynamic Threat Assessment",
          "control_description": "Sustainment Technologies Inc has an established threat assessment process to continuously analyze threats and disseminate the information appropriately.",
          "status": "compliant",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:16.577Z",
          "updated_at": "2025-11-24T13:51:39.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:39.688Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-185-evidence",
              "name": "Periodic Dynamic Threat Assessment (DCF-185)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:39.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.140988+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-185-policy",
              "name": "Policy Documentation - Periodic Dynamic Threat Assessment (DCF-185)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:39.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.140995+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 609,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-442",
          "control_name": "Audit Logs Available for Analysis",
          "control_description": "Sustainment Technologies Inc has the three most current months' logs, at the least, immediately available for analysis.",
          "status": "compliant",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:58.989Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.697Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-442-monitoring",
              "name": "Continuous Monitoring - Audit Logs Available for Analysis (DCF-442)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.141001+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 461,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-481",
          "control_name": "Policy for Security Monitoring and Testing Documented and Accessible",
          "control_description": "Sustainment Technologies Inc has security policies and operational procedures for security monitoring and testing that are documented, in use, and known to all affected parties.",
          "status": "compliant",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:00.106Z",
          "updated_at": "2026-01-23T16:15:14.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.696Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-481-policy",
              "name": "Policy Documentation - Policy for Security Monitoring and Testing Documented and Accessible (DCF-481)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-01-23T16:15:14.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.141009+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 500,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-577",
          "control_name": "System Security Planning Policy",
          "control_description": "Sustainment Technologies Inc has a defined policy for system security planning to ensure resources and information systems are established with effective security controls and control enhancements.",
          "status": "compliant",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:04.697Z",
          "updated_at": "2025-11-24T13:51:39.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:17:05.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-577-policy",
              "name": "Policy Documentation - System Security Planning Policy (DCF-577)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:39.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.141015+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 544,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:54.948654+00:00",
      "resolved_findings": [
        {
          "severity": "medium",
          "description": "Last pipeline status: running",
          "remediation": "Check CI/CD pipeline logs for errors",
          "affected_resources": [
            "gitlab_pipeline"
          ],
          "resolved": true,
          "resolved_at": "2026-07-02T13:20:01.115979+00:00"
        }
      ],
      "ksi_name": "Persistent Validation and Assessment",
      "category": "AFR",
      "statement": "Persistently validate, assess, and report on the effectiveness and status of security decisions and policies that are implemented within the cloud service offering in alignment with the FedRAMP 20x Persistent Validation and Assessment (PVA) process, and persistently address all related requirements and recommendations.",
      "reference_url": "https://fedramp.gov/docs/20x/persistent-validation-and-assessment",
      "nist_controls": [],
      "failure_conditions": {
        "conditional_check": "Sustainment employs an automated continuous monitoring strategy to persistently validate and report on security policy effectiveness in alignment with the FedRAMP 20x PVA process.",
        "failure_condition": "The test fails if the compliance pipeline is failing, the dashboard is down, or compliance data is older than 48 hours. The automated meta-check, continuous monitoring pipeline, and dashboard deployment must be operational to ensure policy validation and assurance reporting are current."
      },
      "outcome_metrics": [
        {
          "statement": "Control effectiveness is continuously validated and reported with current data",
          "metric_name": "Recency / Validation",
          "target_value": "Automated validation run within 24 hours; report currency < 7 days",
          "target_unit": "",
          "frequency": "Daily",
          "source": "Drata automated checks; pipeline run timestamps",
          "notes": "Validation older than 24 hours or report not updated within 7 days"
        }
      ],
      "process_requirements": [
        {
          "id": "PVA-CSX-VAL",
          "name": "Persistent Validation",
          "statement": "Providers MUST persistently perform validation of their Key Security Indicators; this process is called persistent validation and is part of vulnerability detection.",
          "keyword": "MUST",
          "role_group": "CSX",
          "section": "20x"
        },
        {
          "id": "PVA-CSX-FAV",
          "name": "Issues As Vulnerabilities",
          "statement": "Providers MUST treat issues detected during persistent validation and failures of the persistent validation process as vulnerabilities, then follow the requirements and recommendations in the FedRAMP Vulnerability Detection and Response process for such findings.",
          "keyword": "MUST",
          "role_group": "CSX",
          "section": "20x"
        },
        {
          "id": "PVA-CSX-RPV",
          "name": "Report Persistent Validation",
          "statement": "Providers MUST include persistent validation activity in the reports on vulnerability detection and response activity required by the FedRAMP Vulnerability Detection and Response process.",
          "keyword": "MUST",
          "role_group": "CSX",
          "section": "20x"
        },
        {
          "id": "PVA-CSX-IVV",
          "name": "Independent Verification and Validation",
          "statement": "Providers MUST have the implementation of their goals and validation processes assessed by a FedRAMP-recognized independent assessor OR by FedRAMP directly AND MUST include the results of this assessment in their authorization data without modification.",
          "keyword": "MUST",
          "role_group": "CSX",
          "section": "20x",
          "notes": [
            "The option for assessment by FedRAMP directly is limited to cloud services that are explicitly prioritized by FedRAMP, in consultation with the FedRAMP Board and the federal Chief Information Officers Council. During 20x Phase Two this includes AI services that meet certain criteria as shown at https://fedramp.gov/ai.",
            "FedRAMP recognized assessors are listed on the FedRAMP Marketplace."
          ]
        },
        {
          "id": "PVA-CSX-NMV",
          "name": "Non-Machine Validation",
          "statement": "Providers MUST complete the validation processes for Key Security Indicators of non-machine-based information resources at least once every 3 months.",
          "keyword": "MUST",
          "role_group": "CSX",
          "section": "20x"
        },
        {
          "id": "PVA-CSX-PTE",
          "name": "Provide Technical Evidence",
          "statement": "Providers SHOULD provide technical explanations, demonstrations, and other relevant supporting information to all necessary assessors for the technical capabilities they employ to meet Key Security Indicators and to provide validation.",
          "keyword": "SHOULD",
          "role_group": "CSX",
          "section": "20x"
        },
        {
          "id": "PVA-CSX-RAD",
          "name": "Receiving Advice",
          "statement": "Providers MAY ask for and accept advice from their assessor during assessment regarding techniques and procedures that will improve their security posture or the effectiveness, clarity, and accuracy of their validation and reporting procedures for Key Security Indicators, UNLESS doing so might compromise the objectivity and integrity of the assessment (see also PVA-TPX-SHA).",
          "keyword": "MAY",
          "role_group": "CSX",
          "section": "20x",
          "notes": [
            "The related A2LA requirements are waived for FedRAMP 20x Phase Two assessments."
          ]
        },
        {
          "id": "PVA-CSX-PMV",
          "name": "Persistent Machine Validation",
          "statement": "",
          "keyword": "",
          "role_group": "CSX",
          "section": "20x"
        }
      ],
      "process_requirements_summary": {
        "total": 8,
        "must": 5,
        "should": 1,
        "may": 1
      },
      "monitoring": {
        "total_tests": 1,
        "passed": 1,
        "failed": 0,
        "controls_with_monitoring": 1,
        "monitoring_coverage": 20.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-AFR-SCG",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:55.896988+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "document",
          "name": "Secure Configuration Guide: Sustainment Platform - Secure Configuration Guide",
          "description": "Version 4, Confluence page last modified 110 days ago by Zachary Tschirhart; required sections verified",
          "source": "https://sustainment-tech.atlassian.net/wiki/spaces/Policies/pages/1323237378/Sustainment+Platform+-+Secure+Configuration+Guide",
          "date": "2026-03-13T15:25:50.769Z",
          "control_id": "1323237378",
          "status": "Passing"
        }
      ],
      "notes": "**Sustainment Technologies implements secure-by-default configurations and provides alignment-based guidance in accordance with the FedRAMP SCG process.**\n\n### Key Capabilities\n- **Documented Security Baselines** -- formalized configuration management strategy with documented hardening standards\n- **Automated Verification Framework** -- Confluence API checks validate that the Secure Configuration Guide exists and contains all required sections\n- **Required Sections** -- Account Types and Administrative Controls, Authentication and Identity Configuration, Security Controls, Network and Session Security, Data Protection Settings\n\n### Validation Approach\nAutomated checks verify required section presence via the Confluence API. Document freshness is not scored unless a direct SCG review timestamp is available or freshness enforcement is explicitly enabled. Manual verification serves as a fail-safe while API integration is finalized.\n### Key Controls\n- [OK] Baseline Configurations (DCF-597)\n- [OK] Baseline Configuration and Hardening Standards (DCF-12)",
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:55.896988+00:00",
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-AFR-SCG",
          "control_name": "Custom Automated Check: KSI-AFR-SCG",
          "control_description": "Secure Configuration Guide \"Sustainment Platform - Secure Configuration Guide\" (v4) verified via Confluence API. Document freshness not assessed because no direct SCG review timestamp is available; all required sections present. URL: https://sustainment-tech.atlassian.net/wiki/spaces/Policies/pages/1323237378/Sustainment+Platform+-+Secure+Configuration+Guide",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:55.896988+00:00",
          "updated_at": "2026-07-02T13:19:55.896988+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:55.896988+00:00",
          "requirements_updated_at": "",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": null,
              "name": "Secure Configuration Guide: Sustainment Platform - Secure Configuration Guide",
              "description": "Version 4, Confluence page last modified 110 days ago by Zachary Tschirhart; required sections verified",
              "type": "document",
              "source": "https://sustainment-tech.atlassian.net/wiki/spaces/Policies/pages/1323237378/Sustainment+Platform+-+Secure+Configuration+Guide",
              "updated_at": "2026-03-13T15:25:50.769Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.141027+00:00",
                "status": "not_hashed",
                "reason": "remote_source_not_downloaded",
                "source": "https://sustainment-tech.atlassian.net/wiki/spaces/Policies/pages/1323237378/Sustainment+Platform+-+Secure+Configuration+Guide"
              }
            }
          ],
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-597",
          "drata_control_id": 586,
          "control_name": "Baseline Configurations",
          "control_description": "Sustainment Technologies Inc uses automated tools to maintain completeness, currency, accuracy, and availability of baseline configurations.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "explanation": "",
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:11.095Z",
          "updated_at": "2025-11-24T18:38:42.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-597-evidence",
              "name": "Baseline Configurations (DCF-597)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T18:38:42.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.141034+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-597-policy",
              "name": "Policy Documentation - Baseline Configurations (DCF-597)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:42.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.141041+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-12",
          "drata_control_id": 93,
          "control_name": "Baseline Configuration and Hardening Standards",
          "control_description": "Sustainment Technologies Inc has identified and documented baseline security configuration standards for all system components in accordance with industry-accepted hardening standards or vendor recommendations. These standards are reviewed periodically and updated as needed (e.g., when vulnerabiliti... [description truncated in source]",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "explanation": "",
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.743Z",
          "updated_at": "2025-11-24T13:51:40.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-12-evidence",
              "name": "Baseline Configuration and Hardening Standards (DCF-12)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.141048+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-12-policy",
              "name": "Policy Documentation - Baseline Configuration and Hardening Standards (DCF-12)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.141054+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "ksi_name": "Secure Configuration Guide",
      "category": "AFR",
      "statement": "Develop secure by default configurations and provide guidance for secure configuration of the cloud service offering to customers in alignment with the FedRAMP Secure Configuration Guide (SCG) process and persistently address all related requirements and recommendations.",
      "reference_url": "https://fedramp.gov/docs/20x/secure-configuration-guide",
      "nist_controls": [],
      "failure_conditions": {
        "conditional_check": "Sustainment implements secure-by-default configurations and provides alignment-based guidance in accordance with the FedRAMP SCG process through documented security baselines and formalized configuration management.",
        "failure_condition": "Required sections missing from the secure configuration guide will cause a failure of the test. Additionally, baseline configuration and hardening standards and documented baseline configurations must be in place to ensure secure configuration guidance is comprehensive."
      },
      "outcome_metrics": [
        {
          "statement": "Secure configuration guide contains required guidance and is applied to all in-scope systems",
          "metric_name": "Integrity",
          "target_value": "SCG contains required guidance sections; 100% of systems reflect current SCG baseline",
          "target_unit": "",
          "frequency": "At each significant change",
          "source": "SCG document content; configuration baseline scan",
          "notes": "Required SCG section missing or systems diverge from baseline"
        }
      ],
      "process_requirements": [
        {
          "id": "SCG-CSO-RSC",
          "name": "Recommended Secure Configuration",
          "statement": "Providers MUST create, maintain, and make available recommendations for securely configuring their cloud services (the Secure Configuration Guide) that includes at least the following information:",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both",
          "notes": [
            "These requirements and recommendations refer to this guidance as a Secure Configuration Guide but cloud service providers may make this guidance available in various appropriate forms that provide the best customer experience.",
            "This guidance should explain how top-level administrative accounts are named and referred to in the cloud service offering."
          ],
          "following_information": [
            "Required: Instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering.",
            "Required: Explanations of security-related settings that can be operated only by top-level administrative accounts and their security implications.",
            "Recommended: Explanations of security-related settings that can be operated only by privileged accounts and their security implications."
          ]
        },
        {
          "id": "SCG-CSO-AUP",
          "name": "Use Instructions",
          "statement": "Providers MUST include instructions in the FedRAMP authorization package that explain how to obtain and use the Secure Configuration Guide.",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both",
          "notes": [
            "These instructions may appear in a variety of ways; it is up to the provider to do so in the most appropriate and effective ways for their specific customer needs."
          ]
        },
        {
          "id": "SCG-CSO-PUB",
          "name": "Public Guidance",
          "statement": "Providers SHOULD make the Secure Configuration Guide available publicly.",
          "keyword": "SHOULD",
          "role_group": "CSO",
          "section": "both"
        },
        {
          "id": "SCG-CSO-SDF",
          "name": "Secure Defaults",
          "statement": "Providers SHOULD set all settings to their recommended secure defaults for top-level administrative accounts and privileged accounts when initially provisioned.",
          "keyword": "SHOULD",
          "role_group": "CSO",
          "section": "both"
        },
        {
          "id": "SCG-ENH-CMP",
          "name": "Comparison Capability",
          "statement": "Providers SHOULD offer the capability to compare all current settings for top-level administrative accounts and privileged accounts to the recommended secure defaults.",
          "keyword": "SHOULD",
          "role_group": "ENH",
          "section": "both"
        },
        {
          "id": "SCG-ENH-EXP",
          "name": "Export Capability",
          "statement": "Providers SHOULD offer the capability to export all security settings in a machine-readable format.",
          "keyword": "SHOULD",
          "role_group": "ENH",
          "section": "both"
        },
        {
          "id": "SCG-ENH-API",
          "name": "API Capability",
          "statement": "Providers SHOULD offer the capability to view and adjust security settings via an API or similar capability.",
          "keyword": "SHOULD",
          "role_group": "ENH",
          "section": "both"
        },
        {
          "id": "SCG-ENH-MRG",
          "name": "Machine-Readable Guidance",
          "statement": "Providers SHOULD also provide the Secure Configuration Guide in a machine-readable format that can be used by customers or third-party tools to compare against current settings.",
          "keyword": "SHOULD",
          "role_group": "ENH",
          "section": "both"
        },
        {
          "id": "SCG-ENH-VRH",
          "name": "Versioning and Release History",
          "statement": "Providers SHOULD provide versioning and a release history for recommended secure default settings for top-level administrative accounts and privileged accounts as they are adjusted over time.",
          "keyword": "SHOULD",
          "role_group": "ENH",
          "section": "both"
        }
      ],
      "process_requirements_summary": {
        "total": 9,
        "must": 2,
        "should": 7,
        "may": 0
      },
      "monitoring": {
        "total_tests": 0,
        "passed": 0,
        "failed": 0,
        "controls_with_monitoring": 0,
        "monitoring_coverage": 0.0,
        "test_pass_rate": 0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-AFR-SCN",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:56.548913+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-18 (DCF-18)",
          "control_id": "DCF-18",
          "status": "Passing",
          "description": "Drata control status for DCF-18",
          "date": "2026-07-02T13:19:56.548913+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-80 (DCF-80)",
          "control_id": "DCF-80",
          "status": "Passing",
          "description": "Drata control status for DCF-80",
          "date": "2026-07-02T13:19:56.548913+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-29 (DCF-29)",
          "control_id": "DCF-29",
          "status": "Passing",
          "description": "Drata control status for DCF-29",
          "date": "2026-07-02T13:19:56.548913+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-9 (DCF-9)",
          "control_id": "DCF-9",
          "status": "Passing",
          "description": "Drata control status for DCF-9",
          "date": "2026-07-02T13:19:56.548913+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-50 (DCF-50)",
          "control_id": "DCF-50",
          "status": "Passing",
          "description": "Drata control status for DCF-50",
          "date": "2026-07-02T13:19:56.548913+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-155 (DCF-155)",
          "control_id": "DCF-155",
          "status": "Passing",
          "description": "Drata control status for DCF-155",
          "date": "2026-07-02T13:19:56.548913+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-31 (DCF-31)",
          "control_id": "DCF-31",
          "status": "Passing",
          "description": "Drata control status for DCF-31",
          "date": "2026-07-02T13:19:56.548913+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-5 (DCF-5)",
          "control_id": "DCF-5",
          "status": "Passing",
          "description": "Drata control status for DCF-5",
          "date": "2026-07-02T13:19:56.548913+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-152 (DCF-152)",
          "control_id": "DCF-152",
          "status": "Passing",
          "description": "Drata control status for DCF-152",
          "date": "2026-07-02T13:19:56.548913+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-AFR-SCN",
          "control_name": "Custom Automated Check: KSI-AFR-SCN",
          "control_description": "9/9 mapped controls passing; **Sustainment Technologies employs a governance-led approach to significant change notifications by integrating formal SDLC policies with automated continuous monitoring via Drata.**\n\n### Key Capabilities\n- **SDLC Policy Integration** -- formal Software Development Life Cycle policy with rigorous code review processes\n- **Change Tracking** -- all system modifications are tracked, tested, and validated prior to deployment\n- **Vulnerability Visibility** -- quarterly vulnerability scans and automated logging identify security-impacting changes\n- **Stakeholder Notification** -- significant changes are identified and reported to the FedRAMP PMO and relevant stakeholders\n\n### Validation Approach\n8 curated Drata controls provide continuous monitoring, ensuring strict alignment with the SCN process.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:56.548913+00:00",
          "updated_at": "2026-07-02T13:19:56.548913+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:56.548913+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-18 (DCF-18)",
              "description": "Drata control status for DCF-18",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.548913+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.141061+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-80 (DCF-80)",
              "description": "Drata control status for DCF-80",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.548913+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.141068+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-29 (DCF-29)",
              "description": "Drata control status for DCF-29",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.548913+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.141074+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-9 (DCF-9)",
              "description": "Drata control status for DCF-9",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.548913+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.141080+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-50 (DCF-50)",
              "description": "Drata control status for DCF-50",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.548913+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.141086+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-155 (DCF-155)",
              "description": "Drata control status for DCF-155",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.548913+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.141092+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-31 (DCF-31)",
              "description": "Drata control status for DCF-31",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.548913+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.141098+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-5 (DCF-5)",
              "description": "Drata control status for DCF-5",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.548913+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.141104+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-152 (DCF-152)",
              "description": "Drata control status for DCF-152",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.548913+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.141110+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 8,
            "passed": 8,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:29:54.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 66,
                "name": "Vulnerability Scanning",
                "status": "PASSED",
                "description": "Drata validated that a vulnerability scanning system is connected to Drata.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 21,
                "enabled": true
              },
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              },
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              },
              {
                "test_id": 86,
                "name": "Process for Responsible Disclosure",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they detail a process for employees to report security, confidentiality, integrity, and availability failures, incidents, and concerns.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 12,
                "enabled": true
              },
              {
                "test_id": 133,
                "name": "Malware Detection Software Installed on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices have antimalware software installed.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 64,
                "enabled": true
              },
              {
                "test_id": 144,
                "name": "Production Code Changes Restricted",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's version control tool and confirmed that only authorized personnel push or make changes to production code.",
                "last_run": "2026-07-01T18:29:54.000Z",
                "test_definition_id": 9,
                "enabled": true
              },
              {
                "test_id": 137,
                "name": "Formal Code Review Process",
                "status": "PASSED",
                "description": "Drata validated configurations for the version control system repositories and confirmed code reviews are enforced via branch restrictions.",
                "last_run": "2026-07-01T18:29:19.000Z",
                "test_definition_id": 8,
                "enabled": true
              },
              {
                "test_id": 146,
                "name": "Has a SDLC Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed it has a Software Development Life Cycle Policy in place.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 36,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-18",
              "DCF-80",
              "DCF-29",
              "DCF-9",
              "DCF-50",
              "DCF-155",
              "DCF-31",
              "DCF-5",
              "DCF-152"
            ]
          }
        },
        {
          "control_id": "DCF-18",
          "control_name": "Quarterly Vulnerability Scan",
          "control_description": "Sustainment Technologies Inc engages a third party to conduct vulnerability scans of the production environment at least quarterly. Results are reviewed by management and high priority findings are tracked to resolution.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.858Z",
          "updated_at": "2026-05-11T12:55:17.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:22.000Z",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": 149,
              "name": "Vulnerability scanning - historical scans.",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/149_Vulnerability scanning - historical scans..zip",
              "updated_at": "2026-03-02T14:54:37.097Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.141304+00:00",
                "status": "hashed",
                "sha256": "1bca3af621b9ac72ecaf5ccb180f7c18cc49f95a24e05a54e8c83a05fa411b37",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/149_Vulnerability scanning - historical scans..zip",
                "filename": "149_Vulnerability scanning - historical scans..zip",
                "size_bytes": 629615,
                "modified_at": "2026-07-02T13:16:59+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 148,
              "name": "Vulnerability Scan Report repository (screenshot)",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/148_Vulnerability Scan Report repository (screenshot).png",
              "updated_at": "2026-03-02T14:51:39.054Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142009+00:00",
                "status": "hashed",
                "sha256": "cbd856d7f75726db39106a98e93d3f94d3574bb28b0bc44483de3aa2a36f063e",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/148_Vulnerability Scan Report repository (screenshot).png",
                "filename": "148_Vulnerability Scan Report repository (screenshot).png",
                "size_bytes": 307470,
                "modified_at": "2026-07-02T13:16:59+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-18-owner",
              "name": "Assigned Control Owner - Quarterly Vulnerability Scan (DCF-18)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-11T12:55:17.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142281+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 46,
          "explanation": "This Quarterly Vulnerability Scan control helps satisfy KSI-AFR-SCN by providing a regular assessment identifying \"significant changes\" to the system's security posture (vulnerabilities). Tracking high-priority findings to resolution demonstrates persistent addressing of these changes, allowing Sustainment Technologies Inc. to accurately determine notification requirements per the FedRAMP SCN process – as vulnerabilities often *are* significant changes needing communication.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 66,
                "name": "Vulnerability Scanning",
                "status": "PASSED",
                "description": "Drata validated that a vulnerability scanning system is connected to Drata.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 21,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-80",
          "control_name": "Log Management System",
          "control_description": "Sustainment Technologies Inc uses logging software that sends alerts to appropriate personnel. Corrective actions are performed, as necessary, in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.779Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 151,
              "name": "DataDog Security alerts sample",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/151_DataDog Security alerts sample.csv",
              "updated_at": "2026-03-02T15:57:18.424Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142443+00:00",
                "status": "hashed",
                "sha256": "3a6f138a1019b8d39d01a2e02dc11e84fa1a8b504f306fadf42619746948a934",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/151_DataDog Security alerts sample.csv",
                "filename": "151_DataDog Security alerts sample.csv",
                "size_bytes": 82445,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-80-owner",
              "name": "Assigned Control Owner - Log Management System (DCF-80)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142540+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-80-monitoring",
              "name": "Continuous Monitoring - Log Management System (DCF-80)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142547+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 123,
          "explanation": "This Drata control satisfies KSI-AFR-SCN by demonstrating a mechanism for *detecting* significant changes via logging and alerting appropriate personnel – a key step in the FedRAMP SCN process. The timely corrective actions following alerts ensure related requirements & recommendations (identified through logs) are persistently addressed, fulfilling the requirement for ongoing management of changes and associated risks. Essentially, logging provides the *evidence* of change needed for notification and remediation.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-29",
          "control_name": "Incident Response Team",
          "control_description": "Sustainment Technologies Inc has identified an incident response team that quantifies and monitors incidents involving security, availability, processing integrity, and confidentiality at the company.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.562Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-29-evidence",
              "name": "Incident Response Team (DCF-29)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142554+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-owner",
              "name": "Assigned Control Owner - Incident Response Team (DCF-29)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142560+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-monitoring",
              "name": "Continuous Monitoring - Incident Response Team (DCF-29)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142567+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 74,
          "explanation": "While seemingly indirect, an established Incident Response Team (IRT) directly supports KSI-AFR-SCN by providing the *mechanism* to detect and assess \"significant changes\" Ã¢â‚¬â€œ security incidents are often indicators of such changes. The IRT's monitoring and quantification processes ensure changes impacting FedRAMP requirements are identified, allowing for timely notification and remediation as mandated by the SCN process, fulfilling the requirement to *persistently address* related issues. Essentially, the IRT is the early warning system for things that *require* a Significant Change Notification.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-9",
          "control_name": "Employee Disclosure Process",
          "control_description": "Sustainment Technologies Inc provides a process to employees for reporting security, confidentiality, integrity, and availability features, incidents, and concerns, and other complaints to company management.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.552Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:39.886Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 12,
              "name": "Responsible Disclosure Policy",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/12_Responsible Disclosure Policy.pdf",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142727+00:00",
                "status": "hashed",
                "sha256": "b6489e47f58841ad1ce45e8778355f9c7fb94b51d728f831e0d27edebb7f9f91",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/12_Responsible Disclosure Policy.pdf",
                "filename": "12_Responsible Disclosure Policy.pdf",
                "size_bytes": 126853,
                "modified_at": "2026-07-02T13:17:01+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-9-owner",
              "name": "Assigned Control Owner - Employee Disclosure Process (DCF-9)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142849+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-9-monitoring",
              "name": "Continuous Monitoring - Employee Disclosure Process (DCF-9)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142856+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 72,
          "explanation": "The Employee Disclosure Process supports KSI-AFR-SCN by providing a mechanism for employees to report potential *significant changes* impacting system security Ã¢â‚¬â€œ including vulnerabilities or incidents that could necessitate an SCN. This reporting channel allows Sustainment Technologies Inc. to *detect* changes requiring notification and initiate the FedRAMP SCN process, fulfilling the requirement to track and address related issues persistently (as RA-5 focuses on security incident handling).",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 86,
                "name": "Process for Responsible Disclosure",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they detail a process for employees to report security, confidentiality, integrity, and availability failures, incidents, and concerns.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 12,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-50",
          "control_name": "Malware Detection Software Installed",
          "control_description": "Sustainment Technologies Inc requires antivirus software to be installed on workstations to protect the network against malware.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.207Z",
          "updated_at": "2026-06-24T20:54:45.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-50-owner",
              "name": "Assigned Control Owner - Malware Detection Software Installed (DCF-50)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-24T20:54:45.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142863+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-50-monitoring",
              "name": "Continuous Monitoring - Malware Detection Software Installed (DCF-50)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-24T20:54:45.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142869+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-50-policy",
              "name": "Policy Documentation - Malware Detection Software Installed (DCF-50)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-06-24T20:54:45.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142875+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 116,
          "explanation": "While seemingly unrelated, Malware Detection Software (installed & *maintained* Ã¢â‚¬â€œ a key aspect not explicitly stated but implied for sustainment) contributes to FedRAMP KSI-AFR-SCN by ensuring system integrity. Detecting and mitigating malware *is* a significant change in system security posture; consistent monitoring and alerts from this software provide data needed to assess impact and trigger appropriate SCN processes if a serious incident occurs, fulfilling the requirement to track & notify regarding significant changes. This aligns with CM-4 (Configuration Management) by maintaining a known, secure baseline.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 133,
                "name": "Malware Detection Software Installed on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices have  antimalware software installed.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 64,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-155",
          "control_name": "Code Changes are Tested",
          "control_description": "Sustainment Technologies Inc ensures that code changes are tested prior to deployment to ensure quality and security.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.161Z",
          "updated_at": "2026-06-29T13:23:58.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-155-evidence",
              "name": "Code Changes are Tested (DCF-155)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-29T13:23:58.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142882+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-155-monitoring",
              "name": "Continuous Monitoring - Code Changes are Tested (DCF-155)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-29T13:23:58.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142888+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-155-policy",
              "name": "Policy Documentation - Code Changes are Tested (DCF-155)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-06-29T13:23:58.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142894+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 130,
          "explanation": "This Drata control addresses KSI-AFR-SCN by demonstrating a process for managing changes to the system Ã¢â‚¬â€œ a core component of FedRAMP SCN. Testing code changes *before* deployment (CM-4) helps identify potential impacts from modifications, allowing Sustainment Technologies Inc. to assess significance and trigger appropriate notifications if a substantial change requiring an SCN is identified.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:29:54.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 144,
                "name": "Production Code Changes Restricted",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's version control tool and confirmed that only authorized personnel push or make changes to production code.",
                "last_run": "2026-07-01T18:29:54.000Z",
                "test_definition_id": 9,
                "enabled": true
              },
              {
                "test_id": 137,
                "name": "Formal Code Review Process",
                "status": "PASSED",
                "description": "Drata validated configurations for the version control system repositories and confirmed code reviews are enforced via branch restrictions.",
                "last_run": "2026-07-01T18:29:19.000Z",
                "test_definition_id": 8,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-31",
          "control_name": "Software Development Life Cycle Policy",
          "control_description": "Sustainment Technologies Inc has developed policies and procedures governing the system development life cycle, including documented policies for tracking, testing, approving, and validating changes.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.156Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:31:00.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-31-owner",
              "name": "Assigned Control Owner - Software Development Life Cycle Policy (DCF-31)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142900+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-31-monitoring",
              "name": "Continuous Monitoring - Software Development Life Cycle Policy (DCF-31)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142906+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-31-policy",
              "name": "Policy Documentation - Software Development Life Cycle Policy (DCF-31)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142912+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 129,
          "explanation": "The Software Development Life Cycle (SDLC) Policy directly addresses KSI-AFR-SCN by establishing a documented process for tracking *all* system changes Ã¢â‚¬â€œ a core component of identifying \"significant changes\" required by FedRAMP SCN. By outlining procedures for testing, approval, and validation, the policy ensures changes are assessed for impact and appropriate notifications can be triggered, persistently addressing related requirements as mandated by the KSI.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 146,
                "name": "Has a SDLC Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed it has a Software Development Life Cycle Policy in place.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 36,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-5",
          "control_name": "Code Review Process",
          "control_description": "When Sustainment Technologies Inc's application code changes, code reviews and tests are performed by someone other than the person who made the code change.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.355Z",
          "updated_at": "2026-06-29T13:23:58.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:31:00.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-5-owner",
              "name": "Assigned Control Owner - Code Review Process (DCF-5)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-29T13:23:58.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142918+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-5-monitoring",
              "name": "Continuous Monitoring - Code Review Process (DCF-5)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-29T13:23:58.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142923+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-5-policy",
              "name": "Policy Documentation - Code Review Process (DCF-5)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-06-29T13:23:58.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142929+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 120,
          "explanation": "The Code Review Process directly supports KSI-AFR-SCN by establishing a mechanism to *detect* significant changes to the system's code Ã¢â‚¬â€œ a primary trigger for SCNs. By requiring independent review, this control ensures changes are assessed for impact, allowing Sustainment Technologies Inc. to accurately identify and address any related FedRAMP requirements or recommendations *before* deployment and subsequent notification.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:29:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 137,
                "name": "Formal Code Review Process",
                "status": "PASSED",
                "description": "Drata validated configurations for the version control system repositories and confirmed code reviews are enforced via branch restrictions.",
                "last_run": "2026-07-01T18:29:19.000Z",
                "test_definition_id": 8,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-152",
          "control_name": "Virtual Machine OS are Patched Monthly",
          "control_description": "Sustainment Technologies Inc ensures that virtual machine OS patches are applied monthly.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.221Z",
          "updated_at": "2025-11-24T13:51:37.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-152-evidence",
              "name": "Virtual Machine OS are Patched Monthly (DCF-152)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:37.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142935+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-152-owner",
              "name": "Assigned Control Owner - Virtual Machine OS are Patched Monthly (DCF-152)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:37.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142941+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-152-policy",
              "name": "Policy Documentation - Virtual Machine OS are Patched Monthly (DCF-152)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:37.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142947+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 119,
          "explanation": "This control directly addresses KSI-AFR-SCN by demonstrating a consistent, documented change management process – monthly patching *is* a significant change. Regularly patching VMs (and tracking it via SI-2) provides evidence of identifying, implementing, and maintaining system security, fulfilling the requirement to track changes and notify relevant parties should a patch introduce unforeseen issues or require configuration updates. Essentially, consistent patching *is* a way of persistently addressing related security recommendations and requirements.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "**Sustainment Technologies employs a governance-led approach to significant change notifications by integrating formal SDLC policies with automated continuous monitoring via Drata.**\n\n### Key Capabilities\n- **SDLC Policy Integration** -- formal Software Development Life Cycle policy with rigorous code review processes\n- **Change Tracking** -- all system modifications are tracked, tested, and validated prior to deployment\n- **Vulnerability Visibility** -- quarterly vulnerability scans and automated logging identify security-impacting changes\n- **Stakeholder Notification** -- significant changes are identified and reported to the FedRAMP PMO and relevant stakeholders\n\n### Validation Approach\n8 curated Drata controls provide continuous monitoring, ensuring strict alignment with the SCN process.\n### Key Controls\n- [OK] Quarterly Vulnerability Scan (DCF-18)\n- [OK] Log Management System (DCF-80)\n- [OK] Incident Response Team (DCF-29)\n- [OK] Employee Disclosure Process (DCF-9)\n- [OK] Malware Detection Software Installed (DCF-50)\n- [OK] Code Changes are Tested (DCF-155)\n- [OK] Software Development Life Cycle Policy (DCF-31)\n- [OK] Code Review Process (DCF-5)\n- [OK] Virtual Machine OS are Patched Monthly (DCF-152)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:56.548913+00:00",
      "ksi_name": "Significant Change Notifications",
      "category": "AFR",
      "statement": "Determine how significant changes will be tracked and how all necessary parties will be notified in alignment with the FedRAMP Significant Change Notifications (SCN) process and persistently address all related requirements and recommendations.",
      "reference_url": "https://fedramp.gov/docs/20x/significant-change-notifications",
      "nist_controls": [
        "CA-7.4",
        "CM-3.4",
        "CM-4",
        "CM-7.1",
        "AU-5",
        "CA-5",
        "CA-7",
        "RA-5",
        "RA-5.2",
        "SA-22",
        "SI-2",
        "SI-2.2",
        "SI-3",
        "SI-5",
        "SI-7.7",
        "SI-10",
        "SI-11"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment employs a governance-led approach to significant change notifications by integrating formal SDLC policies with automated continuous monitoring to ensure all significant changes are identified, reviewed, and reported.",
        "failure_condition": "A significant change not reported within the required timeframe will cause a failure of the test. Additionally, an SDLC policy, code review process, code change testing, quarterly vulnerability scans, a log management system, an incident response team, malware detection, and monthly OS patching must be in place to ensure significant changes are detected and communicated."
      },
      "outcome_metrics": [
        {
          "statement": "All significant changes are identified and notified to FedRAMP within required timeframe",
          "metric_name": "Completion",
          "target_value": "100% of significant changes notified within 30 days of approval",
          "target_unit": "",
          "frequency": "Per change",
          "source": "Change management log; FedRAMP notification records",
          "notes": "Significant change without FedRAMP notification within 30 days"
        }
      ],
      "process_requirements": [
        {
          "id": "SCN-CSO-EVA",
          "name": "Evaluate Changes",
          "statement": "Providers MUST evaluate all potential significant changes to determine the type of significant change and apply the appropriate Significant Change Notification requirements and recommendations.",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both",
          "following_information": [
            "Is it a significant change? --> Continue evaluation and follow the Significant Change Notification process.",
            "If it is, is it an impact categorization change?  --> This requires a new assessment and cannot be done under the Significant Change Notification process.",
            "If it is not, is it a routine recurring change? --> Follow the Routine Recurring Change process (SCN-RTR Routine Recurring Changes).",
            "If it is not, is it a transformative change? --> Follow the Transformative Change process (SCN-TRF Transformative Changes).",
            "If it is not, then it is an adaptive change --> Follow the Adaptive Change process (SCN-ADP Adaptive Changes)."
          ]
        },
        {
          "id": "SCN-CSO-MAR",
          "name": "Maintain Audit Records",
          "statement": "Providers MUST maintain auditable records of the significant change evaluation activities required by SCN-CSO-EVA (Evaluate Changes) and make them available to FedRAMP.",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both",
          "notes": [
            "These audit records must be available to FedRAMP on request; these records do not need to be included in the authorization package by default."
          ]
        },
        {
          "id": "SCN-CSO-INF",
          "name": "Required Information",
          "statement": "Providers MUST include at least the following information in Significant Change Notifications:",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both",
          "notes": [
            "Structure of the information may vary depending on how the provider tracks this internally."
          ],
          "following_information": [
            "Service Offering FedRAMP ID",
            "Assessor Name (if applicable)",
            "Related POA&M (if applicable)",
            "Significant Change type and explanation of categorization",
            "Short description of change",
            "Reason for change",
            "Summary of customer impact, including changes to services and customer configuration responsibilities",
            "Plan and timeline for the change, including for the verification, assessment, and/or validation of impacted Key Security Indicators or controls",
            "Copy of the business or security impact analysis",
            "Name and title of approver"
          ]
        },
        {
          "id": "SCN-CSO-HIS",
          "name": "Historical Notifications",
          "statement": "Providers MUST keep 12 months of historical Significant Change Notifications available with their authorization data.",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both"
        },
        {
          "id": "SCN-CSO-HRM",
          "name": "Human and Machine-Readable",
          "statement": "Providers MUST make ALL Significant Change Notifications and related audit records available in human-readable and machine-readable formats.",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both",
          "notes": [
            "During the SCN beta, many cloud service providers met this requirement by using carefully structured and organized csv files to meet human-readable and machine-readable requirements simultaneously."
          ]
        },
        {
          "id": "SCN-ADP-NTF",
          "name": "Notification Requirements",
          "statement": "Providers MUST notify all necessary parties within 10 business days after finishing adaptive changes, also including the following information:",
          "keyword": "MUST",
          "role_group": "ADP",
          "section": "both",
          "notes": [
            "Activities that match the adaptive significant change type are a frequent and normal part of iteratively improving a service by deploying new functionality or modifying existing functionality in a way that is typically transparent to customers and does not introduce significant new security risks.",
            "In general, most changes that do not happen regularly will be adaptive changes. This change type deliberately covers a wide range of activities in a way that requires assessment and consideration."
          ],
          "timeframe": "10 bizdays",
          "following_information": [
            "Summary of any new risks identified and/or POA&Ms resulting from the change (if applicable)"
          ]
        },
        {
          "id": "SCN-TRF-NIP",
          "name": "Notification of Initial Plans",
          "statement": "Providers MUST notify all necessary parties of initial plans for transformative changes at least 30 business days before starting transformative changes, including a summary of any likely security impacts or changes in risk.",
          "keyword": "MUST",
          "role_group": "TRF",
          "section": "both",
          "timeframe": "30 bizdays"
        },
        {
          "id": "SCN-TRF-NFP",
          "name": "Notification of Final Plans",
          "statement": "Providers MUST notify all necessary parties of final plans for transformative changes at least 10 business days before starting transformative changes, including updates to all previously sent information.",
          "keyword": "MUST",
          "role_group": "TRF",
          "section": "both",
          "timeframe": "10 bizdays"
        },
        {
          "id": "SCN-TRF-NAF",
          "name": "Notification After Finishing",
          "statement": "Providers MUST notify all necessary parties within 5 business days after finishing transformative changes, including updates to all previously sent information.",
          "keyword": "MUST",
          "role_group": "TRF",
          "section": "both",
          "timeframe": "5 bizdays"
        },
        {
          "id": "SCN-TRF-NAV",
          "name": "Notification After Verification",
          "statement": "Providers MUST notify all necessary parties within 5 business days after completing the verification, assessment, and/or validation of transformative changes, also including the following information:",
          "keyword": "MUST",
          "role_group": "TRF",
          "section": "both",
          "timeframe": "5 bizdays",
          "following_information": [
            "Updates to all previously sent information",
            "Summary of any new risks identified and/or POA&Ms resulting from the change (if applicable)",
            "Copy of the security assessment report (if applicable)"
          ]
        },
        {
          "id": "SCN-TRF-UPD",
          "name": "Update Documentation",
          "statement": "Providers MUST publish updated service documentation and other materials to reflect transformative changes within 30 business days after finishing transformative changes.",
          "keyword": "MUST",
          "role_group": "TRF",
          "section": "both",
          "notes": [
            "This requirement is focused on service documentation like user guides, information listed in the marketplace, and other such materials; it does not require updating the system security plan or authorization package."
          ],
          "timeframe": "30 bizdays"
        },
        {
          "id": "SCN-RTR-NNR",
          "name": "No Notification Requirements",
          "statement": "Providers SHOULD NOT make formal Significant Change Notifications for routine recurring changes; this type of change is exempted from the notification requirements of this process.",
          "keyword": "SHOULD NOT",
          "role_group": "RTR",
          "section": "both",
          "notes": [
            "Activities that match the routine recurring significant change type are performed regularly and routinely by cloud service providers to address flaws or vulnerabilities, address incidents, and generally perform the typical maintenance and service delivery changes expected during day-to-day operations.",
            "These changes leverage mature processes and capabilities to identify, mitigate, and remediate risks as part of the change. They are often entirely automated and may occur without human intervention, even though they have an impact on security of the service.",
            "If the activity does not occur regularly and routinely then it cannot be a significant change of this type (e.g., replacing all physical firewalls to remediate a vulnerability is obviously not regular or routine)."
          ]
        },
        {
          "id": "SCN-TRF-TPR",
          "name": "Third-Party Review",
          "statement": "Providers SHOULD engage a third-party assessor to review the scope and impact of the planned change before starting transformative changes if human validation is necessary; such reviews SHOULD be limited to security decisions that require human validation.",
          "keyword": "SHOULD",
          "role_group": "TRF",
          "section": "both",
          "notes": [
            "Activities that match the transformative significant change type are rare for a cloud service offering, adjusted for the size, scale, and complexity of the service. Small cloud service offerings may go years without transformative changes, while hyperscale providers may release multiple transformative changes per year."
          ]
        },
        {
          "id": "SCN-CSO-ARI",
          "name": "Additional Relevant Information",
          "statement": "Providers MAY include additional relevant information in Significant Change Notifications.",
          "keyword": "MAY",
          "role_group": "CSO",
          "section": "both",
          "notes": [
            "This allows providers to convey whatever additional information they think is relevant without worrying about negative consequences from not following an exact template."
          ]
        },
        {
          "id": "SCN-CSO-NOM",
          "name": "Notification Mechanisms",
          "statement": "Providers MAY notify necessary parties in a variety of ways as long as the mechanism for notification is clearly documented in the authorization package and easily accessible.",
          "keyword": "MAY",
          "role_group": "CSO",
          "section": "both",
          "notes": [
            "The sharing mechanism should be designed based on the needs of the provider and their customers and may vary between providers.",
            "The default sharing mechanism for most providers during the SCN beta was to send an email to agency customers and upload a copy of the notification to the provider's secure sharing location."
          ]
        },
        {
          "id": "SCN-CSO-EMG",
          "name": "Emergency Changes",
          "statement": "Providers MAY execute significant changes (including transformative changes) during an emergency or incident without meeting Significant Change Notification requirements in advance. In such emergencies, providers MUST follow all relevant procedures, notify all necessary parties, retroactively provide all Significant Change Notification materials, and complete appropriate assessment after the incident.",
          "keyword": "MAY",
          "role_group": "CSO",
          "section": "both",
          "notes": [
            "Procedures for emergency changes should be documented in the authorization package."
          ]
        }
      ],
      "process_requirements_summary": {
        "total": 16,
        "must": 11,
        "should": 2,
        "may": 3
      },
      "monitoring": {
        "total_tests": 9,
        "passed": 9,
        "failed": 0,
        "controls_with_monitoring": 8,
        "monitoring_coverage": 80.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-AFR-UCM",
      "status": "partial",
      "automated": true,
      "last_checked": "2026-07-02T13:19:59.559895+00:00",
      "score": 82,
      "findings": [
        {
          "severity": "medium",
          "description": "No local evidence_history entry found for cryptography policy evidence.",
          "remediation": "Ensure evidence_history.json retains the Cryptography Policy entry or configure an alternate evidence name.",
          "affected_resources": [
            "evidence_history.json"
          ]
        },
        {
          "severity": "high",
          "description": "No local key-management evidence found for credential keys.",
          "remediation": "Add a current AWS KMS, 1Password, or equivalent credential-key management evidence entry to evidence_history.json.",
          "affected_resources": [
            "evidence_history.json"
          ]
        }
      ],
      "evidence": [
        {
          "type": "policy",
          "name": "Encryption Policy Review Freshness",
          "description": "Encryption policy export found with last update 2025-11-13T04:51:47.173000+00:00 (231 days old).",
          "date": "2026-07-02T13:19:59.559895+00:00",
          "control_id": "DCF-181",
          "status": "Passing",
          "metadata": {
            "policy_path": "evidence/policies/11_Encryption Policy.pdf",
            "last_updated": "2025-11-13T04:51:47.173000+00:00",
            "age_days": 231,
            "max_age_days": 365,
            "source": "drata_policies",
            "policy_id": "11"
          }
        },
        {
          "type": "policy",
          "name": "Cryptography Policy Content Coverage",
          "description": "Matched 0 of 4 required cryptography policy statements.",
          "date": "2026-07-02T13:19:59.559895+00:00",
          "control_id": "DCF-53",
          "status": "Passing",
          "metadata": {
            "matched_phrases": [],
            "missing_phrases": [
              "NIST Special Publication 800-131A",
              "FIPS 140-3",
              "Encryption must be used to protect digital data at rest",
              "Company applications must use TLS encryption"
            ]
          }
        },
        {
          "type": "configuration",
          "name": "TLS Enforcement Validation",
          "description": "TLS certificate check for fed.sustainment.us: Certificate is valid and properly configured. Issued by Amazon RSA 2048 M04, expires 2026-09-09 (69 days). TLS version: TLSv1.2.",
          "date": "2026-07-02T13:19:59.579743+00:00",
          "control_id": "DCF-53",
          "status": "Passing",
          "metadata": {
            "tls_status": "compliant",
            "score": 100
          }
        },
        {
          "type": "policy",
          "name": "Credential Key Management Policy Coverage",
          "description": "Matched 0 of 4 required key-management statements.",
          "date": "2026-07-02T13:19:59.559895+00:00",
          "control_id": "DCF-93",
          "status": "Warning",
          "metadata": {
            "matched_phrases": [],
            "missing_phrases": [
              "Cryptographic keys must be generated, stored, and managed in a secure manner",
              "All users with access to keys must be uniquely identifiable",
              "procedures and controls in place for key or certificate revocation",
              "FIPS 140-3 validated modules"
            ]
          }
        }
      ],
      "notes": "**Sustainment Technologies employs continuous automated verification to ensure cryptographic modules align with FedRAMP UCM guidance.**\n\n### Key Capabilities\n- **TLS Endpoint Monitoring** -- automated checks on `fed.sustainment.us` validate TLS v1.2+ and RSA 2048 configurations\n- **Certificate Chain Validation** -- verifies full certificate chain integrity and expiry (30-day minimum)\n- **Persistent Compliance** -- cryptographic protections for sensitive federal data are consistently maintained against federal standards\n\n### Validation Approach\nCustom automated checks persistently monitor key endpoints, validating that TLS configurations remain valid and compliant with established federal cryptographic standards.\n### Key Controls\n- [OK] Encryption Policy (DCF-181)\n- [OK] Credential Keys Managed (DCF-93)\n- [OK] Cryptography Policies (DCF-53)",
      "test_results": [
        {
          "test_name": "Security Policies Cover Encryption",
          "mapped_controls": [
            "DCF-181"
          ],
          "status": "passed",
          "summary": "Encryption policy export found with last update 2025-11-13T04:51:47.173000+00:00 (231 days old).",
          "evidence": [
            {
              "type": "policy",
              "name": "Encryption Policy Review Freshness",
              "description": "Encryption policy export found with last update 2025-11-13T04:51:47.173000+00:00 (231 days old).",
              "date": "2026-07-02T13:19:59.559895+00:00",
              "control_id": "DCF-181",
              "status": "Passing",
              "metadata": {
                "policy_path": "evidence/policies/11_Encryption Policy.pdf",
                "last_updated": "2025-11-13T04:51:47.173000+00:00",
                "age_days": 231,
                "max_age_days": 365,
                "source": "drata_policies",
                "policy_id": "11"
              }
            }
          ],
          "findings": []
        },
        {
          "test_name": "Cryptography Policy",
          "mapped_controls": [
            "DCF-53"
          ],
          "status": "warning",
          "summary": "Cryptography policy matched 0/4 required statements; TLS check status is compliant. Historical evidence entry is missing. Policy source is drata_control_mapping.",
          "evidence": [
            {
              "type": "policy",
              "name": "Cryptography Policy Content Coverage",
              "description": "Matched 0 of 4 required cryptography policy statements.",
              "date": "2026-07-02T13:19:59.559895+00:00",
              "control_id": "DCF-53",
              "status": "Passing",
              "metadata": {
                "matched_phrases": [],
                "missing_phrases": [
                  "NIST Special Publication 800-131A",
                  "FIPS 140-3",
                  "Encryption must be used to protect digital data at rest",
                  "Company applications must use TLS encryption"
                ]
              }
            },
            {
              "type": "configuration",
              "name": "TLS Enforcement Validation",
              "description": "TLS certificate check for fed.sustainment.us: Certificate is valid and properly configured. Issued by Amazon RSA 2048 M04, expires 2026-09-09 (69 days). TLS version: TLSv1.2.",
              "date": "2026-07-02T13:19:59.579743+00:00",
              "control_id": "DCF-53",
              "status": "Passing",
              "metadata": {
                "tls_status": "compliant",
                "score": 100
              }
            }
          ],
          "findings": [
            {
              "severity": "medium",
              "description": "No local evidence_history entry found for cryptography policy evidence.",
              "remediation": "Ensure evidence_history.json retains the Cryptography Policy entry or configure an alternate evidence name.",
              "affected_resources": [
                "evidence_history.json"
              ]
            }
          ]
        },
        {
          "test_name": "AWS CMK Rotation",
          "mapped_controls": [
            "DCF-93"
          ],
          "status": "warning",
          "summary": "Key-management evidence is missing or stale; policy matched 0/4 required key-management statements. Policy source is drata_control_mapping.",
          "evidence": [
            {
              "type": "policy",
              "name": "Credential Key Management Policy Coverage",
              "description": "Matched 0 of 4 required key-management statements.",
              "date": "2026-07-02T13:19:59.559895+00:00",
              "control_id": "DCF-93",
              "status": "Warning",
              "metadata": {
                "matched_phrases": [],
                "missing_phrases": [
                  "Cryptographic keys must be generated, stored, and managed in a secure manner",
                  "All users with access to keys must be uniquely identifiable",
                  "procedures and controls in place for key or certificate revocation",
                  "FIPS 140-3 validated modules"
                ]
              }
            }
          ],
          "findings": [
            {
              "severity": "high",
              "description": "No local key-management evidence found for credential keys.",
              "remediation": "Add a current AWS KMS, 1Password, or equivalent credential-key management evidence entry to evidence_history.json.",
              "affected_resources": [
                "evidence_history.json"
              ]
            }
          ]
        }
      ],
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:59.559895+00:00",
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-AFR-UCM",
          "control_name": "Custom Automated Check: KSI-AFR-UCM",
          "control_description": "Security Policies Cover Encryption: Encryption policy export found with last update 2025-11-13T04:51:47.173000+00:00 (231 days old). Cryptography Policy: Cryptography policy matched 0/4 required statements; TLS check status is compliant. Historical evidence entry is missing. Policy source is drata_control_mapping. AWS CMK Rotation: Key-management evidence is missing or stale; policy matched 0/4 required key-management statements. Policy source is drata_control_mapping. | Findings: MEDIUM: No local evidence_history entry found for cryptography policy evidence.; HIGH: No local key-management evidence found for credential keys.",
          "status": "partial",
          "compliant": false,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": true,
            "isReady": false,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:59.559895+00:00",
          "updated_at": "2026-07-02T13:19:59.559895+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:59.559895+00:00",
          "requirements_updated_at": "",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": null,
              "name": "Encryption Policy Review Freshness",
              "description": "Encryption policy export found with last update 2025-11-13T04:51:47.173000+00:00 (231 days old).",
              "type": "policy",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.559895+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142953+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "Cryptography Policy Content Coverage",
              "description": "Matched 0 of 4 required cryptography policy statements.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.559895+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142960+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "TLS Enforcement Validation",
              "description": "TLS certificate check for fed.sustainment.us: Certificate is valid and properly configured. Issued by Amazon RSA 2048 M04, expires 2026-09-09 (69 days). TLS version: TLSv1.2.",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.579743+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142966+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "Credential Key Management Policy Coverage",
              "description": "Matched 0 of 4 required key-management statements.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.559895+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142972+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 119,
                "name": "Security Policies Cover Encryption",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they explain the procedures for encrypting sensitive data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 127,
                "enabled": true
              },
              {
                "test_id": 85,
                "name": "Cryptography Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's cryptography policies and confirmed that they list resources that employees may access to ensure they understand the procedures and their responsibilities.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 67,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-181",
              "DCF-93",
              "DCF-53"
            ]
          }
        },
        {
          "control_id": "DCF-181",
          "drata_control_id": 100,
          "control_name": "Encryption Policy",
          "control_description": "Sustainment Technologies Inc has a defined policy that establishes requirements for the use of cryptographic controls.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "explanation": "",
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.777Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-181-owner",
              "name": "Assigned Control Owner - Encryption Policy (DCF-181)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142978+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-181-monitoring",
              "name": "Continuous Monitoring - Encryption Policy (DCF-181)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142985+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-181-policy",
              "name": "Policy Documentation - Encryption Policy (DCF-181)",
              "description": "This control has an associated policy that has been approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142991+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 119,
                "name": "Security Policies Cover Encryption",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they explain the procedures for encrypting sensitive data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 127,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-93",
          "drata_control_id": 99,
          "control_name": "Credential Keys Managed",
          "control_description": "Sustainment Technologies Inc has an established key management process in place to support the organization's use of cryptographic techniques.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "explanation": "",
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.773Z",
          "updated_at": "2026-04-30T19:27:08.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-93-evidence",
              "name": "Credential Keys Managed (DCF-93)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-30T19:27:08.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.142997+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-93-owner",
              "name": "Assigned Control Owner - Credential Keys Managed (DCF-93)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-30T19:27:08.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.143003+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-93-monitoring",
              "name": "Continuous Monitoring - Credential Keys Managed (DCF-93)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-30T19:27:08.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.143009+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 119,
                "name": "Security Policies Cover Encryption",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they explain the procedures for encrypting sensitive data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 127,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-53",
          "drata_control_id": 67,
          "control_name": "Cryptography Policies",
          "control_description": "Sustainment Technologies Inc has an established policy and procedures that govern the use of cryptographic controls.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "explanation": "",
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.157Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-53-owner",
              "name": "Assigned Control Owner - Cryptography Policies (DCF-53)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.143015+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-53-monitoring",
              "name": "Continuous Monitoring - Cryptography Policies (DCF-53)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.143021+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-53-policy",
              "name": "Policy Documentation - Cryptography Policies (DCF-53)",
              "description": "This control has an associated policy that has been approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.143027+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 85,
                "name": "Cryptography Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's cryptography policies and confirmed that they list resources that employees may access to ensure they understand the procedures and their responsibilities.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 67,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "ksi_name": "Using Cryptographic Modules",
      "category": "AFR",
      "statement": "Ensure that cryptographic modules used to protect potentially sensitive federal customer data are selected and used in alignment with the FedRAMP 20x Using Cryptographic Modules (UCM) guidance and persistently address all related requirements and recommendations.",
      "reference_url": "https://fedramp.gov/docs/20x/using-cryptographic-modules",
      "nist_controls": [],
      "failure_conditions": {
        "conditional_check": "Sustainment employs continuous automated verification to ensure cryptographic modules align with FedRAMP UCM guidance through TLS endpoint monitoring and enforced encryption and cryptography policies.",
        "failure_condition": "An expired TLS certificate, use of a non-FIPS cryptographic module, or failure to manage credential keys will cause the test to fail. Additionally, an encryption policy, cryptography policies, and managed credential keys must be in place to ensure cryptographic modules meet FedRAMP requirements."
      },
      "outcome_metrics": [
        {
          "statement": "Cryptographic modules protecting federal data are validated (FIPS 140) and current",
          "metric_name": "Integrity",
          "target_value": "100% of cryptographic modules FIPS-validated; no unapproved algorithms",
          "target_unit": "",
          "frequency": "Annually + at each module change",
          "source": "FIPS validation certificates; cryptography inventory",
          "notes": "Non-FIPS module detected or validation certificate expired"
        }
      ],
      "process_requirements": [
        {
          "id": "UCM-CSX-CMD",
          "name": "Cryptographic Module Documentation",
          "statement": "Providers MUST document the cryptographic modules used in each service (or groups of services that use the same modules) where cryptographic services are used to protect federal customer data, including whether these modules are validated under the NIST Cryptographic Module Validation Program or are update streams of such modules.",
          "keyword": "MUST",
          "role_group": "CSX",
          "section": "20x"
        },
        {
          "id": "UCM-CSX-CAT",
          "name": "Configuration of Agency Tenants",
          "statement": "Providers SHOULD configure agency tenants by default to use cryptographic services that use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when such modules are available.",
          "keyword": "SHOULD",
          "role_group": "CSX",
          "section": "20x"
        },
        {
          "id": "UCM-CSX-UVM",
          "name": "Using Validated Cryptographic Modules",
          "statement": "",
          "keyword": "",
          "role_group": "CSX",
          "section": "20x"
        }
      ],
      "process_requirements_summary": {
        "total": 3,
        "must": 1,
        "should": 1,
        "may": 0
      },
      "monitoring": {
        "total_tests": 3,
        "passed": 3,
        "failed": 0,
        "controls_with_monitoring": 3,
        "monitoring_coverage": 75.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-AFR-VDR",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:59.039665+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-183 (DCF-183)",
          "control_id": "DCF-183",
          "status": "Passing",
          "description": "Drata control status for DCF-183",
          "date": "2026-07-02T13:19:59.039665+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-18 (DCF-18)",
          "control_id": "DCF-18",
          "status": "Passing",
          "description": "Drata control status for DCF-18",
          "date": "2026-07-02T13:19:59.039665+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-23 (DCF-23)",
          "control_id": "DCF-23",
          "status": "Passing",
          "description": "Drata control status for DCF-23",
          "date": "2026-07-02T13:19:59.039665+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-24 (DCF-24)",
          "control_id": "DCF-24",
          "status": "Passing",
          "description": "Drata control status for DCF-24",
          "date": "2026-07-02T13:19:59.039665+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-131 (DCF-131)",
          "control_id": "DCF-131",
          "status": "Passing",
          "description": "Drata control status for DCF-131",
          "date": "2026-07-02T13:19:59.039665+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-159 (DCF-159)",
          "control_id": "DCF-159",
          "status": "Passing",
          "description": "Drata control status for DCF-159",
          "date": "2026-07-02T13:19:59.039665+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-29 (DCF-29)",
          "control_id": "DCF-29",
          "status": "Passing",
          "description": "Drata control status for DCF-29",
          "date": "2026-07-02T13:19:59.039665+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-9 (DCF-9)",
          "control_id": "DCF-9",
          "status": "Passing",
          "description": "Drata control status for DCF-9",
          "date": "2026-07-02T13:19:59.039665+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-80 (DCF-80)",
          "control_id": "DCF-80",
          "status": "Passing",
          "description": "Drata control status for DCF-80",
          "date": "2026-07-02T13:19:59.039665+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-34 (DCF-34)",
          "control_id": "DCF-34",
          "status": "Passing",
          "description": "Drata control status for DCF-34",
          "date": "2026-07-02T13:19:59.039665+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-AFR-VDR",
          "control_name": "Custom Automated Check: KSI-AFR-VDR",
          "control_description": "10/10 mapped controls passing",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:59.039665+00:00",
          "updated_at": "2026-07-02T13:19:59.039665+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:59.039665+00:00",
          "requirements_updated_at": "",
          "evidence_count": 10,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-183 (DCF-183)",
              "description": "Drata control status for DCF-183",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.039665+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.143033+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-18 (DCF-18)",
              "description": "Drata control status for DCF-18",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.039665+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.143039+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-23 (DCF-23)",
              "description": "Drata control status for DCF-23",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.039665+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.143045+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-24 (DCF-24)",
              "description": "Drata control status for DCF-24",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.039665+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.143051+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-131 (DCF-131)",
              "description": "Drata control status for DCF-131",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.039665+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.143057+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-159 (DCF-159)",
              "description": "Drata control status for DCF-159",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.039665+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.143063+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-29 (DCF-29)",
              "description": "Drata control status for DCF-29",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.039665+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.143068+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-9 (DCF-9)",
              "description": "Drata control status for DCF-9",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.039665+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.143074+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-80 (DCF-80)",
              "description": "Drata control status for DCF-80",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.039665+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.143079+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-34 (DCF-34)",
              "description": "Drata control status for DCF-34",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.039665+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.143085+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 8,
            "passed": 8,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:35.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 66,
                "name": "Vulnerability Scanning",
                "status": "PASSED",
                "description": "Drata validated that a vulnerability scanning system is connected to Drata.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 21,
                "enabled": true
              },
              {
                "test_id": 138,
                "name": "Security Issues are Prioritized",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's task tracking system and confirmed that security issues are being tagged and prioritized accordingly.",
                "last_run": "2026-07-01T18:27:35.000Z",
                "test_definition_id": 26,
                "enabled": true
              },
              {
                "test_id": 93,
                "name": "SLA for Security Bugs",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's procedure settings in Drata and determined that an SLA for P0 security bugs was set.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 27,
                "enabled": true
              },
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              },
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              },
              {
                "test_id": 86,
                "name": "Process for Responsible Disclosure",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they detail a process for employees to report security, confidentiality, integrity, and availability failures, incidents, and concerns.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 12,
                "enabled": true
              },
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              },
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-183",
              "DCF-18",
              "DCF-23",
              "DCF-24",
              "DCF-131",
              "DCF-159",
              "DCF-29",
              "DCF-9",
              "DCF-80",
              "DCF-34"
            ]
          }
        },
        {
          "control_id": "DCF-183",
          "control_name": "Vulnerability Management",
          "control_description": "Sustainment Technologies Inc has a defined policy that establishes requirements for vulnerability assessments and reporting.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.542Z",
          "updated_at": "2025-11-24T13:51:39.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:33:48.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-183-owner",
              "name": "Assigned Control Owner - Vulnerability Management (DCF-183)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:39.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.143092+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-183-policy",
              "name": "Policy Documentation - Vulnerability Management (DCF-183)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:39.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.143097+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 90,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-18",
          "control_name": "Quarterly Vulnerability Scan",
          "control_description": "Sustainment Technologies Inc engages with a third party to conduct vulnerability scans of the production environment at least quarterly. Results are reviewed by management and high-priority findings are tracked to resolution.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.858Z",
          "updated_at": "2026-05-11T12:55:17.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:22.000Z",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": 149,
              "name": "Vulnerability scanning - historical scans.",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/149_Vulnerability scanning - historical scans..zip",
              "updated_at": "2026-03-02T14:54:37.097Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.143272+00:00",
                "status": "hashed",
                "sha256": "1bca3af621b9ac72ecaf5ccb180f7c18cc49f95a24e05a54e8c83a05fa411b37",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/149_Vulnerability scanning - historical scans..zip",
                "filename": "149_Vulnerability scanning - historical scans..zip",
                "size_bytes": 629615,
                "modified_at": "2026-07-02T13:16:59+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 148,
              "name": "Vulnerability Scan Report repository (screenshot)",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/148_Vulnerability Scan Report repository (screenshot).png",
              "updated_at": "2026-03-02T14:51:39.054Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.143953+00:00",
                "status": "hashed",
                "sha256": "cbd856d7f75726db39106a98e93d3f94d3574bb28b0bc44483de3aa2a36f063e",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/148_Vulnerability Scan Report repository (screenshot).png",
                "filename": "148_Vulnerability Scan Report repository (screenshot).png",
                "size_bytes": 307470,
                "modified_at": "2026-07-02T13:16:59+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-18-owner",
              "name": "Assigned Control Owner - Quarterly Vulnerability Scan (DCF-18)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-11T12:55:17.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144213+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 46,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 66,
                "name": "Vulnerability Scanning",
                "status": "PASSED",
                "description": "Drata validated that a vulnerability scanning system is connected to Drata.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 21,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-23",
          "control_name": "Security Issues are Prioritized",
          "control_description": "Sustainment Technologies Inc tracks and prioritizes security deficiencies through internal tools according to their severity by an independent technical resource.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.770Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:34.445Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-23-owner",
              "name": "Assigned Control Owner - Security Issues are Prioritized (DCF-23)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144220+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-23-monitoring",
              "name": "Continuous Monitoring - Security Issues are Prioritized (DCF-23)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144226+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-23-policy",
              "name": "Policy Documentation - Security Issues are Prioritized (DCF-23)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144233+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 121,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:35.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 138,
                "name": "Security Issues are Prioritized",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's task tracking system and confirmed that security issues are being tagged and prioritized accordingly.",
                "last_run": "2026-07-01T18:27:35.000Z",
                "test_definition_id": 26,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-24",
          "control_name": "SLA for Security Bugs",
          "control_description": "Sustainment Technologies Inc tracks security deficiencies through internal tools and closes them within an SLA that management has pre-specified.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.994Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:33:48.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-24-owner",
              "name": "Assigned Control Owner - SLA for Security Bugs (DCF-24)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144240+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-24-monitoring",
              "name": "Continuous Monitoring - SLA for Security Bugs (DCF-24)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144246+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-24-policy",
              "name": "Policy Documentation - SLA for Security Bugs (DCF-24)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144252+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 79,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 93,
                "name": "SLA for Security Bugs",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's procedure settings in Drata and determined that an SLA for P0 security bugs was set.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 27,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-131",
          "control_name": "Incident Report Template and Process",
          "control_description": "Sustainment Technologies Inc has incident management procedures that include detailed instructions on how to escalate a suspected incident to the Information Security Team and, when necessary, to the Privacy or Legal department. Sustainment Technologies Inc has a standard incident report template th",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.797Z",
          "updated_at": "2025-11-24T13:51:34.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-131-owner",
              "name": "Assigned Control Owner - Incident Report Template and Process (DCF-131)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144258+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-131-policy",
              "name": "Policy Documentation - Incident Report Template and Process (DCF-131)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144264+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 152,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-159",
          "control_name": "Incident Response Plan",
          "control_description": "Sustainment Technologies Inc has an established Incident Response Plan that outlines management responsibilities and procedures to ensure a quick, effective, and orderly response to information security incidents, and that requires annual testing.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.576Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-159-evidence",
              "name": "Incident Response Plan (DCF-159)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144270+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-owner",
              "name": "Assigned Control Owner - Incident Response Plan (DCF-159)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144276+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-monitoring",
              "name": "Continuous Monitoring - Incident Response Plan (DCF-159)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144282+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 77,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-29",
          "control_name": "Incident Response Team",
          "control_description": "Sustainment Technologies Inc has identified an incident response team that quantifies and monitors incidents involving security, availability, processing integrity, and confidentiality at the company.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.562Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-29-evidence",
              "name": "Incident Response Team (DCF-29)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144289+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-owner",
              "name": "Assigned Control Owner - Incident Response Team (DCF-29)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144295+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-monitoring",
              "name": "Continuous Monitoring - Incident Response Team (DCF-29)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144300+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 74,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-9",
          "control_name": "Employee Disclosure Process",
          "control_description": "Sustainment Technologies Inc provides a process to employees for reporting security, confidentiality, integrity, and availability failures, incidents, and concerns, and other complaints to company management.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.552Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:39.886Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 12,
              "name": "Responsible Disclosure Policy",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/12_Responsible Disclosure Policy.pdf",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144473+00:00",
                "status": "hashed",
                "sha256": "b6489e47f58841ad1ce45e8778355f9c7fb94b51d728f831e0d27edebb7f9f91",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/12_Responsible Disclosure Policy.pdf",
                "filename": "12_Responsible Disclosure Policy.pdf",
                "size_bytes": 126853,
                "modified_at": "2026-07-02T13:17:01+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-9-owner",
              "name": "Assigned Control Owner - Employee Disclosure Process (DCF-9)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144596+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-9-monitoring",
              "name": "Continuous Monitoring - Employee Disclosure Process (DCF-9)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144603+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 72,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 86,
                "name": "Process for Responsible Disclosure",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they detail a process for employees to report security, confidentiality, integrity, and availability failures, incidents, and concerns.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 12,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-80",
          "control_name": "Log Management System",
          "control_description": "Sustainment Technologies Inc uses logging software that sends alerts to appropriate personnel. Corrective actions are performed, as necessary, in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.779Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 151,
              "name": "DataDog Security alerts sample",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/151_DataDog Security alerts sample.csv",
              "updated_at": "2026-03-02T15:57:18.424Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144761+00:00",
                "status": "hashed",
                "sha256": "3a6f138a1019b8d39d01a2e02dc11e84fa1a8b504f306fadf42619746948a934",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/151_DataDog Security alerts sample.csv",
                "filename": "151_DataDog Security alerts sample.csv",
                "size_bytes": 82445,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-80-owner",
              "name": "Assigned Control Owner - Log Management System (DCF-80)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144845+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-80-monitoring",
              "name": "Continuous Monitoring - Log Management System (DCF-80)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144851+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 123,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-34",
          "control_name": "Security Team/Steering Committee",
          "control_description": "Sustainment Technologies Inc has an assigned security team that is responsible for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.883Z",
          "updated_at": "2026-05-16T21:24:18.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:40.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-34-owner",
              "name": "Assigned Control Owner - Security Team/Steering Committee (DCF-34)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144858+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-monitoring",
              "name": "Continuous Monitoring - Security Team/Steering Committee (DCF-34)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144864+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-policy",
              "name": "Policy Documentation - Security Team/Steering Committee (DCF-34)",
              "description": "This control has an associated policy that has been approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144870+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 49,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:18.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "10/10 mapped controls passing\n### Key Controls\n- [OK] Vulnerability Management (DCF-183)\n- [OK] Quarterly Vulnerability Scan (DCF-18)\n- [OK] Security Issues are Prioritized (DCF-23)\n- [OK] SLA for Security Bugs (DCF-24)\n- [OK] Incident Report Template and Process (DCF-131)\n- [OK] Incident Response Plan (DCF-159)\n- [OK] Incident Response Team (DCF-29)\n- [OK] Employee Disclosure Process (DCF-9)\n- [OK] Log Management System (DCF-80)\n- [OK] Security Team/Steering Committee (DCF-34)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:59.039665+00:00",
      "ksi_name": "Vulnerability Detection and Response",
      "category": "AFR",
      "statement": "Document the vulnerability detection and vulnerability response methodology used within the cloud service offering in alignment with the FedRAMP Vulnerability Detection and Response (VDR) process and persistently address all related requirements and recommendations.",
      "reference_url": "https://fedramp.gov/docs/20x/vulnerability-detection-and-response",
      "nist_controls": [
        "CA-2",
        "CA-7",
        "CA-7.6",
        "IR-1",
        "IR-4",
        "IR-4.1",
        "IR-5",
        "IR-5.1",
        "IR-6",
        "IR-6.1",
        "IR-6.2",
        "PM-3",
        "PM-5",
        "PM-31",
        "RA-2",
        "RA-2.1",
        "RA-3",
        "RA-3.3",
        "RA-5",
        "RA-5.2",
        "RA-5.3",
        "RA-5.4",
        "RA-5.5",
        "RA-5.6",
        "RA-5.7",
        "RA-5.11",
        "RA-9",
        "RA-10",
        "SI-2",
        "SI-2.1",
        "SI-2.2",
        "SI-2.4",
        "SI-2.5",
        "SI-3",
        "SI-3.1",
        "SI-3.2",
        "SI-4",
        "SI-4.2",
        "SI-4.3",
        "SI-4.7",
        "CA-7.4",
        "RA-7"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment maintains a comprehensive vulnerability detection and response program through vulnerability management, quarterly scanning, prioritized remediation, defined SLAs for security bugs, and an incident response capability.",
        "failure_condition": "A high or critical vulnerability open without a remediation plan, failure to conduct quarterly vulnerability scans, or failure to prioritize security issues will cause a failure of the test. Additionally, a vulnerability management program, incident response plan, incident response team, incident report template, an employee disclosure process, a log management system, SLAs for security bugs, and a security steering committee must be in place to ensure vulnerabilities are detected and responded to promptly."
      },
      "outcome_metrics": [
        {
          "statement": "Vulnerabilities are detected and remediated within FedRAMP-required SLAs",
          "metric_name": "Remediation",
          "target_value": "Critical: remediated <= 30 days; High: <= 90 days; 0 overdue critical vulns",
          "target_unit": "",
          "frequency": "Weekly",
          "source": "Vulnerability scanner; Drata vuln tracking",
          "notes": "Any critical vulnerability open > 30 days or any high vulnerability open > 90 days"
        }
      ],
      "process_requirements": [
        {
          "id": "VDR-CSO-DET",
          "name": "Vulnerability Detection",
          "statement": "Providers MUST systematically, persistently, and promptly discover and identify vulnerabilities within their cloud service offering using appropriate techniques such as assessment, scanning, threat intelligence, vulnerability disclosure mechanisms, bug bounties, supply chain monitoring, and other relevant capabilities; this process is called vulnerability detection.",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both"
        },
        {
          "id": "VDR-CSO-RES",
          "name": "Vulnerability Response",
          "statement": "Providers MUST systematically, persistently, and promptly track, evaluate, monitor, mitigate, remediate, assess exploitation of, report, and otherwise manage all detected vulnerabilities within their cloud service offering; this process is called vulnerability response.",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both",
          "notes": [
            "If it is not possible to fully mitigate or remediate detected vulnerabilities, providers SHOULD instead partially mitigate vulnerabilities promptly, progressively, and persistently."
          ]
        },
        {
          "id": "VDR-CSO-DOC",
          "name": "Documentation for Recommendations",
          "statement": "Providers MUST document the reason and resulting implications for their customers when choosing not to meet FedRAMP recommendations in this process; this documentation MUST be included in the authorization data for the cloud service offering.",
          "keyword": "MUST",
          "role_group": "CSO",
          "section": "both"
        },
        {
          "id": "VDR-EVA-ELX",
          "name": "Evaluate Exploitability",
          "statement": "Providers MUST evaluate detected vulnerabilities, considering the context of the cloud service offering, to determine if they are likely exploitable vulnerabilities.",
          "keyword": "MUST",
          "role_group": "EVA",
          "section": "both",
          "notes": [
            "The simple reality is that most traditional vulnerabilities discovered by scanners or during assessment are not likely to be exploitable; exploitation typically requires an unrealistic set of circumstances that will not occur during normal operation. The likelihood of exploitation will vary depending on so many factors that FedRAMP will not recommend a specific framework for approaching this beyond the recommendations and requirements in this document.",
            "The proof, ultimately, is in the pudding - providers who regularly evaluate vulnerabilities as not likely exploitable without careful consideration are more likely to suffer from an adverse impact where the root cause was an exploited vulnerability that was improperly evaluated. If done recklessly or deliberately, such actions will have a potential adverse impact on a provider's FedRAMP authorization."
          ]
        },
        {
          "id": "VDR-EVA-EIR",
          "name": "Evaluate Internet-Reachability",
          "statement": "Providers MUST evaluate detected vulnerabilities, considering the context of the cloud service offering, to determine if they are internet-reachable vulnerabilities.",
          "keyword": "MUST",
          "role_group": "EVA",
          "section": "both",
          "notes": [
            "FedRAMP focuses on internet-reachable (rather than internet-accessible) to ensure that any service that might receive a payload from the internet is prioritized if that service has a vulnerability that can be triggered by processing the data in the payload.",
            "The simplest way to prevent exploitation of internet-reachable vulnerabilities is to intercept, inspect, filter, sanitize, reject, or otherwise deflect triggering payloads before they are processed by the vulnerable resource; once this prevention is in place the vulnerability should no longer be considered an internet-reachable vulnerability.",
            "A classic example of an internet-reachable vulnerability on systems that are not typically internet-accessible is [SQL injection](https://en.wikipedia.org/wiki/SQL_injection), where an application stack behind a load balancer and firewall with no ability to route traffic to or from the internet can receive a payload indirectly from the internet that triggers the manipulation or compromise of data in a database that can only be accessed by an authorized connection from the application server on a private network.",
            "Another simple example is the infamous [Log4Shell](https://en.wikipedia.org/wiki/Log4Shell) vulnerability from 2021, where exploitation was possible via vulnerable internet-reachable resources deep in the application stack that were often not internet-accessible themselves."
          ]
        },
        {
          "id": "VDR-EVA-EPA",
          "name": "Estimate Potential Adverse Impact",
          "statement": "Providers MUST evaluate detected vulnerabilities, considering the context of the cloud service offering, to estimate the potential adverse impact of exploitation on government customers AND assign one of the following potential adverse impact ratings:",
          "keyword": "MUST",
          "role_group": "EVA",
          "section": "both"
        },
        {
          "id": "VDR-TFR-MHR",
          "name": "Monthly Activity Report",
          "statement": "Providers MUST report vulnerability detection and response activity to all necessary parties in a consistent format that is human readable at least monthly.",
          "keyword": "MUST",
          "role_group": "TFR",
          "section": "both",
          "timeframe": "1 month"
        },
        {
          "id": "VDR-TFR-MAV",
          "name": "Mark Accepted Vulnerabilities",
          "statement": "Providers MUST categorize any vulnerability that is not or will not be fully mitigated or remediated within 192 days of evaluation as an accepted vulnerability.",
          "keyword": "MUST",
          "role_group": "TFR",
          "section": "both",
          "timeframe": "192 days"
        },
        {
          "id": "VDR-RPT-PER",
          "name": "Persistent Reporting",
          "statement": "Providers MUST report vulnerability detection and response activity to all necessary parties persistently, summarizing ALL activity since the previous report; these reports are authorization data and are subject to the FedRAMP Authorization Data Sharing (ADS) process.",
          "keyword": "MUST",
          "role_group": "RPT",
          "section": "both"
        },
        {
          "id": "VDR-RPT-NID",
          "name": "Responsible Disclosure",
          "statement": "Providers MUST NOT irresponsibly disclose specific sensitive information about vulnerabilities that would likely lead to exploitation, but MUST disclose sufficient information for informed risk-based decision-making to all necessary parties.",
          "keyword": "MUST NOT",
          "role_group": "RPT",
          "section": "both",
          "notes": [
            "This requirement will be superseded in the event of formal action related to an investigation or corrective action plan."
          ]
        },
        {
          "id": "VDR-RPT-VDT",
          "name": "Vulnerability Details",
          "statement": "Providers MUST include the following information (if applicable) on detected vulnerabilities when reporting on vulnerability detection and response activity, UNLESS it is an accepted vulnerability:",
          "keyword": "MUST",
          "role_group": "RPT",
          "section": "both",
          "following_information": [
            "Provider's internally assigned tracking identifier",
            "Time and source of the detection",
            "Time of completed evaluation",
            "Is it an internet-reachable vulnerability or not?",
            "Is it a likely exploitable vulnerability or not?",
            "Historically and currently estimated potential adverse impact of exploitation",
            "Time and level of each completed and evaluated reduction in potential adverse impact",
            "Estimated time and target level of next reduction in potential adverse impact",
            "Is it currently or is it likely to become an overdue vulnerability or not? If so, explain.",
            "Any supplementary information the provider responsibly determines will help federal agencies assess or mitigate the risk to their federal customer data within the cloud service offering resulting from the vulnerability",
            "Final disposition of the vulnerability"
          ]
        },
        {
          "id": "VDR-RPT-AVI",
          "name": "Accepted Vulnerability Info",
          "statement": "Providers MUST include the following information on accepted vulnerabilities when reporting on vulnerability detection and response activity:",
          "keyword": "MUST",
          "role_group": "RPT",
          "section": "both",
          "following_information": [
            "Provider's internally assigned tracking identifier",
            "Time and source of the detection",
            "Time of completed evaluation",
            "Is it an internet-reachable vulnerability or not?",
            "Is it a likely exploitable vulnerability or not?",
            "Currently estimated potential adverse impact of exploitation",
            "Explanation of why this is an accepted vulnerability",
            "Any supplementary information the provider determines will responsibly help federal agencies assess or mitigate the risk to their federal customer data within the cloud service offering resulting from the accepted vulnerability"
          ]
        },
        {
          "id": "VDR-EVA-GRV",
          "name": "Group Vulnerabilities",
          "statement": "Providers SHOULD evaluate detected vulnerabilities, considering the context of the cloud service offering, to identify logical groupings of affected information resources that may improve the efficiency and effectiveness of vulnerability response by consolidating further activity; requirements and recommendations in this process are then applied to these consolidated groupings of vulnerabilities instead of each individual detected instance.",
          "keyword": "SHOULD",
          "role_group": "EVA",
          "section": "both"
        },
        {
          "id": "VDR-EVA-EFP",
          "name": "Evaluate False Positives",
          "statement": "Providers SHOULD evaluate detected vulnerabilities, considering the context of the cloud service offering, to determine if they are false positive vulnerabilities.",
          "keyword": "SHOULD",
          "role_group": "EVA",
          "section": "both"
        },
        {
          "id": "VDR-EVA-EFA",
          "name": "Evaluation Factors",
          "statement": "Providers SHOULD consider at least the following factors when considering the context of the cloud service offering to evaluate detected vulnerabilities:",
          "keyword": "SHOULD",
          "role_group": "EVA",
          "section": "both",
          "following_information": [
            "**Criticality**: How important are the systems or information that might be impacted by the vulnerability?",
            "**Reachability**: How might a threat actor reach the vulnerability and how likely is that?",
            "**Exploitability**: How easy is it for a threat actor to exploit the vulnerability and how likely is that?",
            "**Detectability**: How easy is it for a threat actor to become aware of the vulnerability and how likely is that?",
            "**Prevalence**: How much of the cloud service offering is affected by the vulnerability?",
            "**Privilege**: How much privileged authority or access is granted or can be gained from exploiting the vulnerability?",
            "**Proximate Vulnerabilities**: How does this vulnerability interact with previously detected vulnerabilities, especially partially or fully mitigated vulnerabilities?",
            "**Known Threats**: How might already known threats leverage the vulnerability and how likely is that?"
          ]
        },
        {
          "id": "VDR-BST-DFR",
          "name": "Design For Resilience",
          "statement": "Providers SHOULD make design and architecture decisions for their cloud service offering that mitigate the risk of vulnerabilities by default AND decrease the risk and complexity of vulnerability detection and response.",
          "keyword": "SHOULD",
          "role_group": "BST",
          "section": "both"
        },
        {
          "id": "VDR-BST-ADT",
          "name": "Automate Detection",
          "statement": "Providers SHOULD use automated services to improve and streamline vulnerability detection and response.",
          "keyword": "SHOULD",
          "role_group": "BST",
          "section": "both"
        },
        {
          "id": "VDR-BST-DAC",
          "name": "Detect After Changes",
          "statement": "Providers SHOULD automatically perform vulnerability detection on representative samples of new or significantly changed information resources.",
          "keyword": "SHOULD",
          "role_group": "BST",
          "section": "both"
        },
        {
          "id": "VDR-BST-MSP",
          "name": "Maintain Security",
          "statement": "Providers SHOULD NOT weaken the security of information resources to facilitate vulnerability scanning, detection, or assessment activities.",
          "keyword": "SHOULD NOT",
          "role_group": "BST",
          "section": "both"
        },
        {
          "id": "VDR-BST-AKE",
          "name": "Avoid KEVs",
          "statement": "Providers SHOULD NOT deploy or otherwise activate new machine-based information resources with Known Exploited Vulnerabilities.",
          "keyword": "SHOULD NOT",
          "role_group": "BST",
          "section": "both"
        },
        {
          "id": "VDR-TFR-KEV",
          "name": "Remediate KEVs",
          "statement": "Providers SHOULD remediate Known Exploited Vulnerabilities according to the due dates in the CISA Known Exploited Vulnerabilities Catalog (even if the vulnerability has been fully mitigated) as required by CISA Binding Operational Directive (BOD) 22-01 or any successor guidance from CISA.",
          "keyword": "SHOULD",
          "role_group": "TFR",
          "section": "both"
        },
        {
          "id": "VDR-TFR-RMN",
          "name": "Remaining Vulnerabilities",
          "statement": "Providers SHOULD mitigate or remediate remaining vulnerabilities during routine operations as determined necessary by the provider.",
          "keyword": "SHOULD",
          "role_group": "TFR",
          "section": "both"
        },
        {
          "id": "VDR-RPT-HLO",
          "name": "High-Level Overviews",
          "statement": "Providers SHOULD include high-level overviews of ALL vulnerability detection and response activities conducted during this period for the cloud service offering; this includes vulnerability disclosure programs, bug bounty programs, penetration testing, assessments, etc.",
          "keyword": "SHOULD",
          "role_group": "RPT",
          "section": "both"
        },
        {
          "id": "VDR-BST-SIR",
          "name": "Sampling",
          "statement": "Providers MAY sample effectively identical information resources, especially machine-based information resources, when performing vulnerability detection UNLESS doing so would decrease the efficiency or effectiveness of vulnerability detection.",
          "keyword": "MAY",
          "role_group": "BST",
          "section": "both"
        },
        {
          "id": "VDR-RPT-RPD",
          "name": "Responsible Public Disclosure",
          "statement": "Providers MAY responsibly disclose vulnerabilities publicly or with other parties if the provider determines doing so will NOT likely lead to exploitation.",
          "keyword": "MAY",
          "role_group": "RPT",
          "section": "both"
        },
        {
          "id": "VDR-TFR-MRH",
          "name": "Historical Activity",
          "statement": "",
          "keyword": "",
          "role_group": "TFR",
          "section": "both"
        },
        {
          "id": "VDR-TFR-PSD",
          "name": "Persistent Sample Detection",
          "statement": "",
          "keyword": "",
          "role_group": "TFR",
          "section": "both"
        },
        {
          "id": "VDR-TFR-PDD",
          "name": "Persistent Drift Detection",
          "statement": "",
          "keyword": "",
          "role_group": "TFR",
          "section": "both"
        },
        {
          "id": "VDR-TFR-PCD",
          "name": "Persistent Complete Detection",
          "statement": "",
          "keyword": "",
          "role_group": "TFR",
          "section": "both"
        },
        {
          "id": "VDR-TFR-EVU",
          "name": "Evaluate Vulnerabilities Quickly",
          "statement": "",
          "keyword": "",
          "role_group": "TFR",
          "section": "both"
        },
        {
          "id": "VDR-TFR-PVR",
          "name": "Mitigation and Remediation Expectations",
          "statement": "",
          "keyword": "",
          "role_group": "TFR",
          "section": "both"
        },
        {
          "id": "VDR-TFR-IRI",
          "name": "Internet-Reachable Incidents",
          "statement": "",
          "keyword": "",
          "role_group": "TFR",
          "section": "both"
        },
        {
          "id": "VDR-TFR-NRI",
          "name": "Non-Internet-Reachable Incidents",
          "statement": "",
          "keyword": "",
          "role_group": "TFR",
          "section": "both"
        }
      ],
      "process_requirements_summary": {
        "total": 33,
        "must": 12,
        "should": 11,
        "may": 2
      },
      "monitoring": {
        "total_tests": 8,
        "passed": 8,
        "failed": 0,
        "controls_with_monitoring": 8,
        "monitoring_coverage": 72.7,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-CMT-LMC",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:55.797793+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-80 (DCF-80)",
          "control_id": "DCF-80",
          "status": "Passing",
          "description": "Drata control status for DCF-80",
          "date": "2026-07-02T13:19:55.797793+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-79 (DCF-79)",
          "control_id": "DCF-79",
          "status": "Passing",
          "description": "Drata control status for DCF-79",
          "date": "2026-07-02T13:19:55.797793+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-87 (DCF-87)",
          "control_id": "DCF-87",
          "status": "Passing",
          "description": "Drata control status for DCF-87",
          "date": "2026-07-02T13:19:55.797793+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-71 (DCF-71)",
          "control_id": "DCF-71",
          "status": "Passing",
          "description": "Drata control status for DCF-71",
          "date": "2026-07-02T13:19:55.797793+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-10 (DCF-10)",
          "control_id": "DCF-10",
          "status": "Passing",
          "description": "Drata control status for DCF-10",
          "date": "2026-07-02T13:19:55.797793+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-40 (DCF-40)",
          "control_id": "DCF-40",
          "status": "Passing",
          "description": "Drata control status for DCF-40",
          "date": "2026-07-02T13:19:55.797793+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-31 (DCF-31)",
          "control_id": "DCF-31",
          "status": "Passing",
          "description": "Drata control status for DCF-31",
          "date": "2026-07-02T13:19:55.797793+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-4 (DCF-4)",
          "control_id": "DCF-4",
          "status": "Passing",
          "description": "Drata control status for DCF-4",
          "date": "2026-07-02T13:19:55.797793+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-11 (DCF-11)",
          "control_id": "DCF-11",
          "status": "Passing",
          "description": "Drata control status for DCF-11",
          "date": "2026-07-02T13:19:55.797793+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-160 (DCF-160)",
          "control_id": "DCF-160",
          "status": "Passing",
          "description": "Drata control status for DCF-160",
          "date": "2026-07-02T13:19:55.797793+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-CMT-LMC",
          "control_name": "Custom Automated Check: KSI-CMT-LMC",
          "control_description": "10/10 mapped controls passing; Sustainment Technologies' Software Development Life Cycle Policy requires all modifications to the cloud service offering to be logged and monitored. This is implemented through a centralized log management system that captures changes in version control, enforces unique account usage for attribution, and stores logs in a tamper-resistant central repository. Drata continuously monitors these controls — validating that logging is active, access reviews are current, and system access policies are enforced — providing persistent assurance that all changes are tracked and auditable.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:55.797793+00:00",
          "updated_at": "2026-07-02T13:19:55.797793+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:55.797793+00:00",
          "requirements_updated_at": "",
          "evidence_count": 10,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-80 (DCF-80)",
              "description": "Drata control status for DCF-80",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.797793+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144877+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-79 (DCF-79)",
              "description": "Drata control status for DCF-79",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.797793+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144883+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-87 (DCF-87)",
              "description": "Drata control status for DCF-87",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.797793+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144889+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-71 (DCF-71)",
              "description": "Drata control status for DCF-71",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.797793+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144895+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-10 (DCF-10)",
              "description": "Drata control status for DCF-10",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.797793+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144902+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-40 (DCF-40)",
              "description": "Drata control status for DCF-40",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.797793+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144908+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-31 (DCF-31)",
              "description": "Drata control status for DCF-31",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.797793+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144914+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-4 (DCF-4)",
              "description": "Drata control status for DCF-4",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.797793+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144919+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-11 (DCF-11)",
              "description": "Drata control status for DCF-11",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.797793+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144925+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-160 (DCF-160)",
              "description": "Drata control status for DCF-160",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.797793+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.144931+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 16,
            "passed": 16,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:29:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              },
              {
                "test_id": 140,
                "name": "Only Authorized Users can Access Log Sinks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of the system that collects and stores server logs and confirmed that it only accepts connections from authorized users.",
                "last_run": "2026-07-01T18:27:22.000Z",
                "test_definition_id": 110,
                "enabled": true
              },
              {
                "test_id": 139,
                "name": "Logs are Centrally Stored",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are centrally stored.",
                "last_run": "2026-07-01T18:27:24.000Z",
                "test_definition_id": 109,
                "enabled": true
              },
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              },
              {
                "test_id": 135,
                "name": "Threat Detection in Place",
                "status": "PASSED",
                "description": "Sustainment Technologies Inc has Threat Detection in place to detect unauthorized file additions within the cloud environment, server instances, and application containers.",
                "last_run": "2026-07-01T18:28:45.000Z",
                "test_definition_id": 105,
                "enabled": true
              },
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              },
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              },
              {
                "test_id": 59,
                "name": "Contractor Background Checks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that all new contractors had completed background checks upon hire.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 50,
                "enabled": true
              },
              {
                "test_id": 58,
                "name": "Contractors Acknowledge the Acceptable Use Policy",
                "status": "PASSED",
                "description": "Drata confirmed that assigned contractors have acknowledged the Acceptable Use Policy.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 49,
                "enabled": true
              },
              {
                "test_id": 57,
                "name": "Contractors Acknowledge The Code of Conduct",
                "status": "PASSED",
                "description": "Drata confirmed that assigned contractors have acknowledged the Code of Conduct.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 48,
                "enabled": true
              },
              {
                "test_id": 146,
                "name": "Has a SDLC Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed it has a Software Development Life Cycle Policy in place.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 36,
                "enabled": true
              },
              {
                "test_id": 106,
                "name": "Only Authorized Employees Change Code",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed that approved employees can make changes to the code on a branch to which they have approval.",
                "last_run": "2026-07-01T18:29:19.000Z",
                "test_definition_id": 7,
                "enabled": true
              },
              {
                "test_id": 105,
                "name": "Only Authorized Employees Access Version Control",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed that the users of the tool were all authenticated to the company's account.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 6,
                "enabled": true
              },
              {
                "test_id": 104,
                "name": "A Version Control System is being Used",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed it is being used",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 5,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-80",
              "DCF-79",
              "DCF-87",
              "DCF-71",
              "DCF-10",
              "DCF-40",
              "DCF-31",
              "DCF-4",
              "DCF-11",
              "DCF-160"
            ]
          }
        },
        {
          "control_id": "DCF-80",
          "control_name": "Log Management System",
          "control_description": "Sustainment Technologies Inc uses logging software that sends alerts to appropriate personnel. Corrective actions are performed, as necessary, in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.779Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 151,
              "name": "DataDog Security alerts sample",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/151_DataDog Security alerts sample.csv",
              "updated_at": "2026-03-02T15:57:18.424Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.145091+00:00",
                "status": "hashed",
                "sha256": "3a6f138a1019b8d39d01a2e02dc11e84fa1a8b504f306fadf42619746948a934",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/151_DataDog Security alerts sample.csv",
                "filename": "151_DataDog Security alerts sample.csv",
                "size_bytes": 82445,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-80-owner",
              "name": "Assigned Control Owner - Log Management System (DCF-80)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.145185+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-80-monitoring",
              "name": "Continuous Monitoring - Log Management System (DCF-80)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.145191+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 123,
          "explanation": "This Drata control satisfies KSI-CMT-LMC by demonstrating continuous monitoring of the cloud service offering through its Log Management System. The system's alerts to personnel for modifications (captured via logs - AU-2) enable timely corrective action, fulfilling the FedRAMP requirement to *log and monitor* those changes. Essentially, it proves they *know* when the system changes and can *react* accordingly.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-79",
          "control_name": "Logs Centrally Stored",
          "control_description": "Sustainment Technologies Inc uses a system that collects and stores server logs in a central location. The system can be queried in an ad hoc fashion by authorized users.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.775Z",
          "updated_at": "2026-06-30T12:57:13.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 13,
              "name": "Logs Centrally Stored",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/13_Logs Centrally Stored.csv",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.145357+00:00",
                "status": "hashed",
                "sha256": "bb85025771956bff33f960b28f614e1447bd02e93a2f0ba842f12abe7e375706",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/13_Logs Centrally Stored.csv",
                "filename": "13_Logs Centrally Stored.csv",
                "size_bytes": 145,
                "modified_at": "2026-07-02T13:17:00+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-79-owner",
              "name": "Assigned Control Owner - Logs Centrally Stored (DCF-79)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-30T12:57:13.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.145386+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-79-monitoring",
              "name": "Continuous Monitoring - Logs Centrally Stored (DCF-79)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-30T12:57:13.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.145392+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 122,
          "explanation": "Drata's \"Logs Centrally Stored\" control satisfies KSI-CMT-LMC by demonstrating the capability to **record and retain modification events** occurring within the cloud service offering – a core component of monitoring changes as required by FedRAMP. Centralized log storage, coupled with query access, allows for **auditability and investigation** of these modifications, proving ongoing monitoring and fulfilling the KSI requirement. This aligns with NIST AU-2 which covers audit event logging.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:24.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 140,
                "name": "Only Authorized Users can Access Log Sinks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of the system that collects and stores server logs and confirmed that it only accepts connections from authorized users.",
                "last_run": "2026-07-01T18:27:22.000Z",
                "test_definition_id": 110,
                "enabled": true
              },
              {
                "test_id": 139,
                "name": "Logs are Centrally Stored",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are centrally stored.",
                "last_run": "2026-07-01T18:27:24.000Z",
                "test_definition_id": 109,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-87",
          "control_name": "Logging/Monitoring",
          "control_description": "Sustainment Technologies Inc has infrastructure logging configured to monitor web traffic and suspicious activity. When anomalous traffic activity is identified, alerts are automatically created, sent to appropriate personnel and resolved, as necessary.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.217Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:21.976Z",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": 161,
              "name": "DCF87 Testing Results History",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/161_DCF87 Testing Results History.png",
              "updated_at": "2026-06-17T22:38:41.159Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.145558+00:00",
                "status": "hashed",
                "sha256": "297e5a03cc7fa8c4f1a971f581eae381efbbf3eb5e9b6ec8f5a4f498073de962",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/161_DCF87 Testing Results History.png",
                "filename": "161_DCF87 Testing Results History.png",
                "size_bytes": 195440,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 160,
              "name": "Silent Log Sources - Crowdstrike",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/160_Silent Log Sources - Crowdstrike.png",
              "updated_at": "2026-06-17T22:10:26.030Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.145873+00:00",
                "status": "hashed",
                "sha256": "4355516d11f210c6981374184d617ae5fe381cdce7b22a19795747db92d14581",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/160_Silent Log Sources - Crowdstrike.png",
                "filename": "160_Silent Log Sources - Crowdstrike.png",
                "size_bytes": 239901,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-87-owner",
              "name": "Assigned Control Owner - Logging/Monitoring (DCF-87)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146067+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 118,
          "explanation": "This Drata control satisfies KSI-CMT-LMC by demonstrating continuous monitoring of the cloud service through infrastructure logging of web traffic and activity – fulfilling the requirement to *log* modifications and potential changes. The automated alerting and resolution process further ensures identified anomalies (which could indicate unauthorized modification) are addressed, proving active *monitoring* as mandated by FedRAMP. This aligns with NIST AU-2's focus on audit event logging and review.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:45.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              },
              {
                "test_id": 135,
                "name": "Threat Detection in Place",
                "status": "PASSED",
                "description": "Sustainment Technologies Inc has Threat Detection in place to detect unauthorized file additions within the cloud environment, server instances, and application containers.",
                "last_run": "2026-07-01T18:28:45.000Z",
                "test_definition_id": 105,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-71",
          "control_name": "Unique Accounts Used",
          "control_description": "Access to corporate network, production machines, network devices, and support tools requires a unique ID.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.769Z",
          "updated_at": "2026-06-15T13:35:37.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-71-evidence",
              "name": "Unique Accounts Used (DCF-71)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146073+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-owner",
              "name": "Assigned Control Owner - Unique Accounts Used (DCF-71)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146080+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-monitoring",
              "name": "Continuous Monitoring - Unique Accounts Used (DCF-71)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146086+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 98,
          "explanation": "Drata's \"Unique Accounts Used\" control helps satisfy KSI-CMT-LMC by establishing accountability for changes. Requiring unique IDs for access means modifications to the cloud service offering can be directly linked to a specific individual, enabling effective logging and monitoring of those changes as mandated by the FedRAMP requirement. This directly supports traceability needed for audit purposes and incident response.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-10",
          "control_name": "System Access Control Policy",
          "control_description": "Sustainment Technologies Inc has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and employee transfers.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.531Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-10-evidence",
              "name": "System Access Control Policy (DCF-10)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146092+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-owner",
              "name": "Assigned Control Owner - System Access Control Policy (DCF-10)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146098+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-monitoring",
              "name": "Continuous Monitoring - System Access Control Policy (DCF-10)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146104+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 88,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-40",
          "control_name": "Contractor Requirements",
          "control_description": "Sustainment Technologies Inc requires its contractors to read and acknowledge the Code of Conduct, read and acknowledge the Acceptable Use Policy, and pass a background check.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.179Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:36.841Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-40-owner",
              "name": "Assigned Control Owner - Contractor Requirements (DCF-40)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146110+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-40-monitoring",
              "name": "Continuous Monitoring - Contractor Requirements (DCF-40)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146126+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-40-policy",
              "name": "Policy Documentation - Contractor Requirements (DCF-40)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146133+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 42,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 59,
                "name": "Contractor Background Checks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that all new contractors had completed background checks upon hire.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 50,
                "enabled": true
              },
              {
                "test_id": 58,
                "name": "Contractors Acknowledge the Acceptable Use Policy",
                "status": "PASSED",
                "description": "Drata confirmed that assigned contractors have acknowledged the Acceptable Use Policy.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 49,
                "enabled": true
              },
              {
                "test_id": 57,
                "name": "Contractors Acknowledge The Code of Conduct",
                "status": "PASSED",
                "description": "Drata confirmed that assigned contractors have acknowledged the Code of Conduct.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 48,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-31",
          "control_name": "Software Development Life Cycle Policy",
          "control_description": "Sustainment Technologies Inc has developed policies and procedures governing the system development life cycle, including documented policies for tracking, testing, approving, and validating changes.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.156Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:31:00.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-31-owner",
              "name": "Assigned Control Owner - Software Development Life Cycle Policy (DCF-31)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146140+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-31-monitoring",
              "name": "Continuous Monitoring - Software Development Life Cycle Policy (DCF-31)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146146+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-31-policy",
              "name": "Policy Documentation - Software Development Life Cycle Policy (DCF-31)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146152+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 129,
          "explanation": "The Software Development Life Cycle (SDLC) Policy directly addresses KSI-CMT-LMC by establishing a documented process for managing changes to the cloud service. This process—covering tracking, testing, approval, and validation—ensures all modifications are logged and monitored, demonstrating compliance with the FedRAMP requirement to observe and record alterations to the offering. This aligns with NIST CM-3, which focuses on configuration management and change control.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 146,
                "name": "Has a SDLC Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed it has a Software Development Life Cycle Policy in place.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 36,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-4",
          "control_name": "Version Control System",
          "control_description": "Sustainment Technologies Inc uses a version control system to manage source code, documentation, release labeling, and other change management tasks. Access to the system must be approved by a system admin.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.731Z",
          "updated_at": "2026-06-22T12:35:26.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-4-evidence",
              "name": "Version Control System (DCF-4)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:26.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146159+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-4-owner",
              "name": "Assigned Control Owner - Version Control System (DCF-4)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:26.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146165+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-4-monitoring",
              "name": "Continuous Monitoring - Version Control System (DCF-4)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:26.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146170+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 92,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:29:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 106,
                "name": "Only Authorized Employees Change Code",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed that approved employees can make changes to the code on a branch to which they have approval.",
                "last_run": "2026-07-01T18:29:19.000Z",
                "test_definition_id": 7,
                "enabled": true
              },
              {
                "test_id": 105,
                "name": "Only Authorized Employees Access Version Control",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed that the users of the tool were all authenticated to the company's account.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 6,
                "enabled": true
              },
              {
                "test_id": 104,
                "name": "A Version Control System is being Used",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed it is being used",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 5,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-11",
          "control_name": "Annual Access Control Review",
          "control_description": "Sustainment Technologies Inc performs annual access control reviews.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.537Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 150,
              "name": "User Access Review",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/150_User Access Review.xlsx",
              "updated_at": "2026-03-02T15:28:18.965Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146334+00:00",
                "status": "hashed",
                "sha256": "a83b78e92bd554ebc59378b2f58c3b86c8dfac37b561ea9ddea944b69ab811d9",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/150_User Access Review.xlsx",
                "filename": "150_User Access Review.xlsx",
                "size_bytes": 115456,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-11-owner",
              "name": "Assigned Control Owner - Annual Access Control Review (DCF-11)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146447+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-11-policy",
              "name": "Policy Documentation - Annual Access Control Review (DCF-11)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146454+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 89,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-160",
          "control_name": "Continuous Control Monitoring",
          "control_description": "Sustainment Technologies Inc conducts continuous monitoring of security controls using Drata, and addresses issues in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.170Z",
          "updated_at": "2025-11-24T13:51:38.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 160,
              "name": "Silent Log Sources - Crowdstrike",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/160_Silent Log Sources - Crowdstrike.png",
              "updated_at": "2026-06-17T22:10:26.030Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146618+00:00",
                "status": "hashed",
                "sha256": "4355516d11f210c6981374184d617ae5fe381cdce7b22a19795747db92d14581",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/160_Silent Log Sources - Crowdstrike.png",
                "filename": "160_Silent Log Sources - Crowdstrike.png",
                "size_bytes": 239901,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-160-owner",
              "name": "Assigned Control Owner - Continuous Control Monitoring (DCF-160)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146803+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-160-policy",
              "name": "Policy Documentation - Continuous Control Monitoring (DCF-160)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146809+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 70,
          "explanation": "Drata's Continuous Control Monitoring directly satisfies KSI-CMT-LMC by automatically and continuously logging changes to the system's configuration – effectively monitoring modifications to the cloud service offering. This ongoing monitoring, mapped to NIST AU-2, provides evidence of detected changes and demonstrates timely remediation, fulfilling the FedRAMP requirement for logging *and* addressing those modifications.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' Software Development Life Cycle Policy requires all modifications to the cloud service offering to be logged and monitored. This is implemented through a centralized log management system that captures changes in version control, enforces unique account usage for attribution, and stores logs in a tamper-resistant central repository. Drata continuously monitors these controls — validating that logging is active, access reviews are current, and system access policies are enforced — providing persistent assurance that all changes are tracked and auditable.\n### Key Controls\n- [OK] Log Management System (DCF-80)\n- [OK] Logs Centrally Stored (DCF-79)\n- [OK] Logging/Monitoring (DCF-87)\n- [OK] Unique Accounts Used (DCF-71)\n- [OK] System Access Control Policy (DCF-10)\n- [OK] Contractor Requirements (DCF-40)\n- [OK] Software Development Life Cycle Policy (DCF-31)\n- [OK] Version Control System (DCF-4)\n- [OK] Annual Access Control Review (DCF-11)\n- [OK] Continuous Control Monitoring (DCF-160)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:55.797793+00:00",
      "ksi_name": "Logging Changes",
      "category": "CMT",
      "statement": "Log and monitor modifications to the cloud service offering.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/change-management/",
      "nist_controls": [
        "AU-2",
        "CM-3",
        "CM-3.2",
        "CM-4.2",
        "CM-6",
        "CM-8.3",
        "MA-2"
      ],
      "failure_conditions": {
        "conditional_check": "All changes to the cloud service offering are logged, centrally stored, and continuously monitored through an active log management system with unique account attribution.",
        "failure_condition": "A gap in production change logging, failure to centrally store logs, or inability to attribute changes to unique user accounts will cause a failure of the test. Additionally, a log management system, logging/monitoring infrastructure, version control system, SDLC policy, and continuous control monitoring must be in place to ensure all modifications are tracked and auditable."
      },
      "outcome_metrics": [
        {
          "statement": "All production changes are logged with complete traceability to an approved request",
          "metric_name": "Coverage",
          "target_value": "100% of production changes have corresponding change log entry",
          "target_unit": "",
          "frequency": "Per deployment",
          "source": "CI/CD pipeline logs; change management system (tickets)",
          "notes": "Production change without corresponding log entry or change ticket"
        }
      ],
      "monitoring": {
        "total_tests": 16,
        "passed": 16,
        "failed": 0,
        "controls_with_monitoring": 8,
        "monitoring_coverage": 72.7,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-CMT-RMV",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:55.421905+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-31 (DCF-31)",
          "control_id": "DCF-31",
          "status": "Passing",
          "description": "Drata control status for DCF-31",
          "date": "2026-07-02T13:19:55.421905+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-34 (DCF-34)",
          "control_id": "DCF-34",
          "status": "Passing",
          "description": "Drata control status for DCF-34",
          "date": "2026-07-02T13:19:55.421905+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-10 (DCF-10)",
          "control_id": "DCF-10",
          "status": "Passing",
          "description": "Drata control status for DCF-10",
          "date": "2026-07-02T13:19:55.421905+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-6 (DCF-6)",
          "control_id": "DCF-6",
          "status": "Passing",
          "description": "Drata control status for DCF-6",
          "date": "2026-07-02T13:19:55.421905+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-80 (DCF-80)",
          "control_id": "DCF-80",
          "status": "Passing",
          "description": "Drata control status for DCF-80",
          "date": "2026-07-02T13:19:55.421905+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-4 (DCF-4)",
          "control_id": "DCF-4",
          "status": "Passing",
          "description": "Drata control status for DCF-4",
          "date": "2026-07-02T13:19:55.421905+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-11 (DCF-11)",
          "control_id": "DCF-11",
          "status": "Passing",
          "description": "Drata control status for DCF-11",
          "date": "2026-07-02T13:19:55.421905+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-78 (DCF-78)",
          "control_id": "DCF-78",
          "status": "Passing",
          "description": "Drata control status for DCF-78",
          "date": "2026-07-02T13:19:55.421905+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-71 (DCF-71)",
          "control_id": "DCF-71",
          "status": "Passing",
          "description": "Drata control status for DCF-71",
          "date": "2026-07-02T13:19:55.421905+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-CMT-RMV",
          "control_name": "Custom Automated Check: KSI-CMT-RMV",
          "control_description": "9/9 mapped controls passing; Sustainment Technologies' SDLC Policy mandates that infrastructure changes are executed through redeployment of version-controlled, immutable resources rather than direct modification. This is implemented through version control systems, production code change restrictions, and versioned storage buckets — ensuring all changes are traceable and reproducible. Drata validates that production access is restricted, unique accounts are used for all operations, and the Security Steering Committee reviews change management practices to ensure immutable deployment patterns are followed.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:55.421905+00:00",
          "updated_at": "2026-07-02T13:19:55.421905+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:55.421905+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-31 (DCF-31)",
              "description": "Drata control status for DCF-31",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.421905+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146817+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-34 (DCF-34)",
              "description": "Drata control status for DCF-34",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.421905+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146823+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-10 (DCF-10)",
              "description": "Drata control status for DCF-10",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.421905+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146829+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-6 (DCF-6)",
              "description": "Drata control status for DCF-6",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.421905+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146836+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-80 (DCF-80)",
              "description": "Drata control status for DCF-80",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.421905+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146841+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-4 (DCF-4)",
              "description": "Drata control status for DCF-4",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.421905+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146847+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-11 (DCF-11)",
              "description": "Drata control status for DCF-11",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.421905+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146852+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-78 (DCF-78)",
              "description": "Drata control status for DCF-78",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.421905+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146858+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-71 (DCF-71)",
              "description": "Drata control status for DCF-71",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.421905+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146864+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 12,
            "passed": 12,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:29:54.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 146,
                "name": "Has a SDLC Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed it has a Software Development Life Cycle Policy in place.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 36,
                "enabled": true
              },
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              },
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              },
              {
                "test_id": 144,
                "name": "Production Code Changes Restricted",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's version control tool and confirmed that only authorized personnel push or make changes to production code.",
                "last_run": "2026-07-01T18:29:54.000Z",
                "test_definition_id": 9,
                "enabled": true
              },
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              },
              {
                "test_id": 106,
                "name": "Only Authorized Employees Change Code",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed that approved employees can make changes to the code on a branch to which they have approval.",
                "last_run": "2026-07-01T18:29:19.000Z",
                "test_definition_id": 7,
                "enabled": true
              },
              {
                "test_id": 105,
                "name": "Only Authorized Employees Access Version Control",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed that the users of the tool were all authenticated to the company's account.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 6,
                "enabled": true
              },
              {
                "test_id": 104,
                "name": "A Version Control System is being Used",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed it is being used",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 5,
                "enabled": true
              },
              {
                "test_id": 39,
                "name": "Cloud Storage Buckets Versioned",
                "status": "PASSED",
                "description": "Drata validated that cloud storage buckets have versioning enabled.",
                "last_run": "2026-07-01T18:28:42.000Z",
                "test_definition_id": 108,
                "enabled": true
              },
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-31",
              "DCF-34",
              "DCF-10",
              "DCF-6",
              "DCF-80",
              "DCF-4",
              "DCF-11",
              "DCF-78",
              "DCF-71"
            ]
          }
        },
        {
          "control_id": "DCF-31",
          "control_name": "Software Development Life Cycle Policy",
          "control_description": "Sustainment Technologies Inc has developed policies and procedures governing the system development life cycle, including documented policies for tracking, testing, approving, and validating changes.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.156Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:31:00.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-31-owner",
              "name": "Assigned Control Owner - Software Development Life Cycle Policy (DCF-31)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146870+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-31-monitoring",
              "name": "Continuous Monitoring - Software Development Life Cycle Policy (DCF-31)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146876+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-31-policy",
              "name": "Policy Documentation - Software Development Life Cycle Policy (DCF-31)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146882+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 129,
          "explanation": "Drata's Software Development Life Cycle (SDLC) Policy directly addresses KSI-CMT-RMV by demonstrating a structured change management process. This policy ensures changes are *tracked, tested, and approved* before implementation – supporting the redeployment of version-controlled, immutable resources *instead of* direct modification, as required by the KSI. The related NIST controls (CM-7, CM-3, CM-5) further validate this formalized approach to configuration management and change control.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 146,
                "name": "Has a SDLC Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed it has a Software Development Life Cycle Policy in place.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 36,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-34",
          "control_name": "Security Team/Steering Committee",
          "control_description": "Sustainment Technologies Inc has an assigned security team that is responsible for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.883Z",
          "updated_at": "2026-05-16T21:24:18.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:40.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-34-owner",
              "name": "Assigned Control Owner - Security Team/Steering Committee (DCF-34)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146889+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-monitoring",
              "name": "Continuous Monitoring - Security Team/Steering Committee (DCF-34)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146895+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-policy",
              "name": "Policy Documentation - Security Team/Steering Committee (DCF-34)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146901+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 49,
          "explanation": "While seemingly indirect, the Security Team/Steering Committee control supports KSI-CMT-RMV by establishing the governance needed to *enforce* immutable deployments. This team defines and reviews policies (CM-7, CM-2, CM-3) that mandate version control and discourage direct modification of production systems – crucial for adhering to the requirement of redeploying immutable resources instead. Essentially, they ensure processes are in place to *make* redeployment the standard practice.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:18.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-10",
          "control_name": "System Access Control Policy",
          "control_description": "Sustainment Technologies Inc has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and employee transfers.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.531Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-10-evidence",
              "name": "System Access Control Policy (DCF-10)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146907+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-owner",
              "name": "Assigned Control Owner - System Access Control Policy (DCF-10)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146913+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-monitoring",
              "name": "Continuous Monitoring - System Access Control Policy (DCF-10)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146919+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 88,
          "explanation": "While seemingly unrelated, the System Access Control Policy supports KSI-CMT-RMV by ensuring *only authorized personnel* (verified through reviews & requests) can initiate changes to systems. This indirectly enforces redeployment over direct modification – unauthorized individuals lacking access can't make those direct, risky changes, thus promoting the use of version-controlled, immutable deployments as the approved change method. Essentially, strong access control *limits* the opportunity for non-compliant changes.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-6",
          "control_name": "Production Code Changes Restricted",
          "control_description": "Only authorized Sustainment Technologies Inc personnel can push or make changes to production code.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.147Z",
          "updated_at": "2026-06-22T12:35:43.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-6-evidence",
              "name": "Production Code Changes Restricted (DCF-6)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:43.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146925+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-6-owner",
              "name": "Assigned Control Owner - Production Code Changes Restricted (DCF-6)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:43.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146930+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-6-monitoring",
              "name": "Continuous Monitoring - Production Code Changes Restricted (DCF-6)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:43.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.146936+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 127,
          "explanation": "Drata's \"Production Code Changes Restricted\" control directly addresses KSI-CMT-RMV by limiting who can alter production code, preventing unauthorized *direct modifications* to live systems. This enforced restriction necessitates changes are made through authorized, version-controlled processes (like redeployment), aligning with the requirement for immutable resource updates instead of in-place edits – bolstering the integrity and auditability of the system. Essentially, it *forces* a redeployment workflow for changes.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:29:54.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 144,
                "name": "Production Code Changes Restricted",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's version control tool and confirmed that only authorized personnel push or make changes to production code.",
                "last_run": "2026-07-01T18:29:54.000Z",
                "test_definition_id": 9,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-80",
          "control_name": "Log Management System",
          "control_description": "Sustainment Technologies Inc uses logging software that sends alerts to appropriate personnel. Corrective actions are performed, as necessary, in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.779Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 151,
              "name": "DataDog Security alerts sample",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/151_DataDog Security alerts sample.csv",
              "updated_at": "2026-03-02T15:57:18.424Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147094+00:00",
                "status": "hashed",
                "sha256": "3a6f138a1019b8d39d01a2e02dc11e84fa1a8b504f306fadf42619746948a934",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/151_DataDog Security alerts sample.csv",
                "filename": "151_DataDog Security alerts sample.csv",
                "size_bytes": 82445,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-80-owner",
              "name": "Assigned Control Owner - Log Management System (DCF-80)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147183+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-80-monitoring",
              "name": "Continuous Monitoring - Log Management System (DCF-80)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147189+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 123,
          "explanation": "While seemingly indirect, a robust Log Management System (LMS) *supports* KSI-CMT-RMV by providing audit trails to **verify** that changes are indeed occurring through redeployment (or identify deviations where direct modifications happen). If the logs show unauthorized direct modifications, it triggers corrective action, ensuring the system reverts to the intended immutable state – thus upholding the spirit of the KSI requirement. Essentially, the LMS acts as a detective control confirming adherence to the redeployment practice.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-4",
          "control_name": "Version Control System",
          "control_description": "Sustainment Technologies Inc uses a version control system to manage source code, documentation, release labeling, and other change management tasks. Access to the system must be approved by a system admin.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.731Z",
          "updated_at": "2026-06-22T12:35:26.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-4-evidence",
              "name": "Version Control System (DCF-4)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:26.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147196+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-4-owner",
              "name": "Assigned Control Owner - Version Control System (DCF-4)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:26.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147202+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-4-monitoring",
              "name": "Continuous Monitoring - Version Control System (DCF-4)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:26.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147208+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 92,
          "explanation": "This Drata control directly addresses KSI-CMT-RMV by demonstrating a process for managing changes to system components via version control – ensuring updates are tracked and deployed as new, immutable versions rather than direct modifications. By managing code & documentation changes this way, Sustainment Technologies Inc. minimizes risk and supports auditability, a core tenet of FedRAMP's configuration management requirements.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:29:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 106,
                "name": "Only Authorized Employees Change Code",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed that approved employees can make changes to the code on a branch to which they have approval.",
                "last_run": "2026-07-01T18:29:19.000Z",
                "test_definition_id": 7,
                "enabled": true
              },
              {
                "test_id": 105,
                "name": "Only Authorized Employees Access Version Control",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed that the users of the tool were all authenticated to the company's account.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 6,
                "enabled": true
              },
              {
                "test_id": 104,
                "name": "A Version Control System is being Used",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed it is being used",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 5,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-11",
          "control_name": "Annual Access Control Review",
          "control_description": "Sustainment Technologies Inc performs annual access control reviews.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.537Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 150,
              "name": "User Access Review",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/150_User Access Review.xlsx",
              "updated_at": "2026-03-02T15:28:18.965Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147366+00:00",
                "status": "hashed",
                "sha256": "a83b78e92bd554ebc59378b2f58c3b86c8dfac37b561ea9ddea944b69ab811d9",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/150_User Access Review.xlsx",
                "filename": "150_User Access Review.xlsx",
                "size_bytes": 115456,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-11-owner",
              "name": "Assigned Control Owner - Annual Access Control Review (DCF-11)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147477+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-11-policy",
              "name": "Policy Documentation - Annual Access Control Review (DCF-11)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147483+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 89,
          "explanation": "While seemingly unrelated, the Annual Access Control Review (ACI) supports KSI-CMT-RMV by ensuring *only authorized personnel* can modify systems – reducing the risk of direct, uncontrolled changes. By verifying appropriate permissions are in place, the ACI helps enforce the principle of least privilege, bolstering the security needed to reliably deploy immutable resources as intended by the KSI requirement and preventing unauthorized direct modifications. Essentially, strong access control is a foundational element enabling secure redeployment practices.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-78",
          "control_name": "Storage Buckets are Versioned",
          "control_description": "Storage buckets that contain customer data are versioned.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.928Z",
          "updated_at": "2026-05-16T21:24:19.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-78-evidence",
              "name": "Storage Buckets are Versioned (DCF-78)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147490+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-78-owner",
              "name": "Assigned Control Owner - Storage Buckets are Versioned (DCF-78)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147496+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-78-monitoring",
              "name": "Continuous Monitoring - Storage Buckets are Versioned (DCF-78)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147502+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 26,
          "explanation": "Drata's \"Storage Buckets are Versioned\" control directly addresses KSI-CMT-RMV by enabling redeployment of immutable resources. Versioning ensures that changes aren't made *in-place* to customer data, instead requiring a new version/immutable resource to be deployed – fulfilling the requirement for change control through redeployment rather than direct modification. This aligns with CM-2 by supporting configuration management and preventing unauthorized alterations to information.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:42.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 39,
                "name": "Cloud Storage Buckets Versioned",
                "status": "PASSED",
                "description": "Drata validated that cloud storage buckets have versioning enabled.",
                "last_run": "2026-07-01T18:28:42.000Z",
                "test_definition_id": 108,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-71",
          "control_name": "Unique Accounts Used",
          "control_description": "Access to corporate network, production machines, network devices, and support tools requires a unique ID.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.769Z",
          "updated_at": "2026-06-15T13:35:37.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-71-evidence",
              "name": "Unique Accounts Used (DCF-71)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147508+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-owner",
              "name": "Assigned Control Owner - Unique Accounts Used (DCF-71)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147514+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-monitoring",
              "name": "Continuous Monitoring - Unique Accounts Used (DCF-71)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147520+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 98,
          "explanation": "While seemingly unrelated, \"Unique Accounts Used\" supports KSI-CMT-RMV by limiting the blast radius of potential unauthorized changes. If a compromised account *cannot* directly modify systems, changes must occur through automated, version-controlled redeployments – aligning with the KSI requirement for immutable resource updates instead of direct modification. This control enforces least privilege and auditability, crucial for verifying redeployments are the *only* method of change.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "Sustainment Technologies' SDLC Policy mandates that infrastructure changes are executed through redeployment of version-controlled, immutable resources rather than direct modification. This is implemented through version control systems, production code change restrictions, and versioned storage buckets — ensuring all changes are traceable and reproducible. Drata validates that production access is restricted, unique accounts are used for all operations, and the Security Steering Committee reviews change management practices to ensure immutable deployment patterns are followed.\n### Key Controls\n- [OK] Software Development Life Cycle Policy (DCF-31)\n- [OK] Security Team/Steering Committee (DCF-34)\n- [OK] System Access Control Policy (DCF-10)\n- [OK] Production Code Changes Restricted (DCF-6)\n- [OK] Log Management System (DCF-80)\n- [OK] Version Control System (DCF-4)\n- [OK] Annual Access Control Review (DCF-11)\n- [OK] Storage Buckets are Versioned (DCF-78)\n- [OK] Unique Accounts Used (DCF-71)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:55.421905+00:00",
      "ksi_name": "Redeploying vs Modifying",
      "category": "CMT",
      "statement": "Execute changes to machine-based information resources through redeployment of version controlled immutable resources rather than direct modification wherever reasonable.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/change-management/",
      "nist_controls": [
        "CM-2",
        "CM-3",
        "CM-5",
        "CM-6",
        "CM-7",
        "CM-8.1",
        "SI-3"
      ],
      "failure_conditions": {
        "conditional_check": "All infrastructure changes within Sustainment's AWS environment are executed through redeployment of version-controlled, immutable resources rather than direct modification of production systems.",
        "failure_condition": "Direct modification to production resources bypassing version control or infrastructure-as-code processes will cause a failure of the test. Additionally, an SDLC policy, production code change restrictions, version control system, versioned storage, and access control policies must be in place to ensure changes follow an immutable redeployment model."
      },
      "outcome_metrics": [
        {
          "statement": "Immutable infrastructure policy applied; systems redeployed rather than patched in place",
          "metric_name": "Integrity",
          "target_value": "0 in-place modifications without corresponding redeploy record",
          "target_unit": "",
          "frequency": "Per deployment",
          "source": "CI/CD deployment logs; infrastructure-as-code diff records",
          "notes": "In-place modification detected without redeploy record"
        }
      ],
      "monitoring": {
        "total_tests": 12,
        "passed": 12,
        "failed": 0,
        "controls_with_monitoring": 8,
        "monitoring_coverage": 80.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-CMT-RVP",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:58.657677+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-31 (DCF-31)",
          "control_id": "DCF-31",
          "status": "Passing",
          "description": "Drata control status for DCF-31",
          "date": "2026-07-02T13:19:58.657677+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-10 (DCF-10)",
          "control_id": "DCF-10",
          "status": "Passing",
          "description": "Drata control status for DCF-10",
          "date": "2026-07-02T13:19:58.657677+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-6 (DCF-6)",
          "control_id": "DCF-6",
          "status": "Passing",
          "description": "Drata control status for DCF-6",
          "date": "2026-07-02T13:19:58.657677+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-80 (DCF-80)",
          "control_id": "DCF-80",
          "status": "Passing",
          "description": "Drata control status for DCF-80",
          "date": "2026-07-02T13:19:58.657677+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-4 (DCF-4)",
          "control_id": "DCF-4",
          "status": "Passing",
          "description": "Drata control status for DCF-4",
          "date": "2026-07-02T13:19:58.657677+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-71 (DCF-71)",
          "control_id": "DCF-71",
          "status": "Passing",
          "description": "Drata control status for DCF-71",
          "date": "2026-07-02T13:19:58.657677+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-11 (DCF-11)",
          "control_id": "DCF-11",
          "status": "Passing",
          "description": "Drata control status for DCF-11",
          "date": "2026-07-02T13:19:58.657677+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-34 (DCF-34)",
          "control_id": "DCF-34",
          "status": "Passing",
          "description": "Drata control status for DCF-34",
          "date": "2026-07-02T13:19:58.657677+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-76 (DCF-76)",
          "control_id": "DCF-76",
          "status": "Passing",
          "description": "Drata control status for DCF-76",
          "date": "2026-07-02T13:19:58.657677+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-CMT-RVP",
          "control_name": "Custom Automated Check: KSI-CMT-RVP",
          "control_description": "9/9 mapped controls passing; Sustainment Technologies' SDLC Policy and Change Management policies define documented change management procedures governing all modifications to the cloud service offering. These procedures are implemented through production code change restrictions, version control requirements, critical change management workflows, and mandatory access reviews. Drata monitors compliance with these procedures — validating that unique accounts are used, code changes follow required workflows, and the Security Steering Committee persistently reviews change management effectiveness.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:58.657677+00:00",
          "updated_at": "2026-07-02T13:19:58.657677+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:58.657677+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-31 (DCF-31)",
              "description": "Drata control status for DCF-31",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.657677+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147526+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-10 (DCF-10)",
              "description": "Drata control status for DCF-10",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.657677+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147532+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-6 (DCF-6)",
              "description": "Drata control status for DCF-6",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.657677+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147538+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-80 (DCF-80)",
              "description": "Drata control status for DCF-80",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.657677+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147544+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-4 (DCF-4)",
              "description": "Drata control status for DCF-4",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.657677+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147550+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-71 (DCF-71)",
              "description": "Drata control status for DCF-71",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.657677+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147556+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-11 (DCF-11)",
              "description": "Drata control status for DCF-11",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.657677+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147561+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-34 (DCF-34)",
              "description": "Drata control status for DCF-34",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.657677+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147567+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-76 (DCF-76)",
              "description": "Drata control status for DCF-76",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.657677+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147573+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 11,
            "passed": 11,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:29:54.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 146,
                "name": "Has a SDLC Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed it has a Software Development Life Cycle Policy in place.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 36,
                "enabled": true
              },
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              },
              {
                "test_id": 144,
                "name": "Production Code Changes Restricted",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's version control tool and confirmed that only authorized personnel push or make changes to production code.",
                "last_run": "2026-07-01T18:29:54.000Z",
                "test_definition_id": 9,
                "enabled": true
              },
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              },
              {
                "test_id": 106,
                "name": "Only Authorized Employees Change Code",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed that approved employees can make changes to the code on a branch to which they have approval.",
                "last_run": "2026-07-01T18:29:19.000Z",
                "test_definition_id": 7,
                "enabled": true
              },
              {
                "test_id": 105,
                "name": "Only Authorized Employees Access Version Control",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed that the users of the tool were all authenticated to the company's account.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 6,
                "enabled": true
              },
              {
                "test_id": 104,
                "name": "A Version Control System is being Used",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed it is being used",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 5,
                "enabled": true
              },
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              },
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-31",
              "DCF-10",
              "DCF-6",
              "DCF-80",
              "DCF-4",
              "DCF-71",
              "DCF-11",
              "DCF-34",
              "DCF-76"
            ]
          }
        },
        {
          "control_id": "DCF-31",
          "control_name": "Software Development Life Cycle Policy",
          "control_description": "Sustainment Technologies Inc has developed policies and procedures governing the system development life cycle, including documented policies for tracking, testing, approving, and validating changes.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.156Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:31:00.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-31-owner",
              "name": "Assigned Control Owner - Software Development Life Cycle Policy (DCF-31)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147579+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-31-monitoring",
              "name": "Continuous Monitoring - Software Development Life Cycle Policy (DCF-31)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147585+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-31-policy",
              "name": "Policy Documentation - Software Development Life Cycle Policy (DCF-31)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147591+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 129,
          "explanation": "The Software Development Life Cycle (SDLC) Policy directly addresses KSI-CMT-RVP by establishing a structured process for managing changes to the system – tracking, testing, approving, and validating them. This documented process, aligning with NIST CM controls, demonstrates persistent review and ensures changes are implemented *and* their effectiveness is considered, satisfying the FedRAMP requirement for ongoing review of change management procedures.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 146,
                "name": "Has a SDLC Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed it has a Software Development Life Cycle Policy in place.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 36,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-10",
          "control_name": "System Access Control Policy",
          "control_description": "Sustainment Technologies Inc has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and employee transfers.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.531Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-10-evidence",
              "name": "System Access Control Policy (DCF-10)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147597+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-owner",
              "name": "Assigned Control Owner - System Access Control Policy (DCF-10)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147603+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-monitoring",
              "name": "Continuous Monitoring - System Access Control Policy (DCF-10)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147609+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 88,
          "explanation": "The System Access Control Policy satisfies KSI-CMT-RVP by demonstrating a *persistent review* of change management – specifically, access changes – through annual access control reviews. These reviews, coupled with required access request forms for personnel changes (new hires/transfers), verify that documented procedures for granting/revoking access are consistently followed and remain effective, fulfilling the FedRAMP requirement. This aligns with NIST CM-3 & CM-5 which cover configuration management and change control processes.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-6",
          "control_name": "Production Code Changes Restricted",
          "control_description": "Only authorized Sustainment Technologies Inc personnel can push or make changes to production code.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.147Z",
          "updated_at": "2026-06-22T12:35:43.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-6-evidence",
              "name": "Production Code Changes Restricted (DCF-6)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:43.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147615+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-6-owner",
              "name": "Assigned Control Owner - Production Code Changes Restricted (DCF-6)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:43.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147621+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-6-monitoring",
              "name": "Continuous Monitoring - Production Code Changes Restricted (DCF-6)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:43.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147627+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 127,
          "explanation": "Drata's \"Production Code Changes Restricted\" control directly satisfies KSI-CMT-RVP by demonstrating a key aspect of effective change management Ã¢â‚¬â€œ **restricting who can implement changes to production systems**. This limitation inherently forces a review process (via authorization requests) before changes are made, proving persistent review of change procedures and reducing unauthorized modifications, thus aligning with the FedRAMP requirement. The control also maps to CM-5, further solidifying its relevance to configuration management best practices.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:29:54.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 144,
                "name": "Production Code Changes Restricted",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's version control tool and confirmed that only authorized personnel push or make changes to production code.",
                "last_run": "2026-07-01T18:29:54.000Z",
                "test_definition_id": 9,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-80",
          "control_name": "Log Management System",
          "control_description": "Sustainment Technologies Inc uses logging software that sends alerts to appropriate personnel. Corrective actions are performed, as necessary, in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.779Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 151,
              "name": "DataDog Security alerts sample",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/151_DataDog Security alerts sample.csv",
              "updated_at": "2026-03-02T15:57:18.424Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147787+00:00",
                "status": "hashed",
                "sha256": "3a6f138a1019b8d39d01a2e02dc11e84fa1a8b504f306fadf42619746948a934",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/151_DataDog Security alerts sample.csv",
                "filename": "151_DataDog Security alerts sample.csv",
                "size_bytes": 82445,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-80-owner",
              "name": "Assigned Control Owner - Log Management System (DCF-80)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147866+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-80-monitoring",
              "name": "Continuous Monitoring - Log Management System (DCF-80)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147872+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 123,
          "explanation": "This Drata control satisfies KSI-CMT-RVP by demonstrating ongoing monitoring of change management *effectiveness*. The log management system provides evidence of changes (and related alerts/corrective actions) allowing for persistent review Ã¢â‚¬â€œ confirming procedures are functioning as documented and identifying areas for improvement, thus meeting the FedRAMP requirement for continuous review.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-4",
          "control_name": "Version Control System",
          "control_description": "Sustainment Technologies Inc uses a version control system to manage source code, documentation, release labeling, and other change management tasks. Access to the system must be approved by a system admin.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.731Z",
          "updated_at": "2026-06-22T12:35:26.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-4-evidence",
              "name": "Version Control System (DCF-4)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:26.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147879+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-4-owner",
              "name": "Assigned Control Owner - Version Control System (DCF-4)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:26.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147885+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-4-monitoring",
              "name": "Continuous Monitoring - Version Control System (DCF-4)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:26.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147890+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 92,
          "explanation": "This Drata control satisfies KSI-CMT-RVP by demonstrating a persistent review mechanism *through* the version control system itself. The systemÃ¢â‚¬â„¢s tracking of changes to code & documentation (CM-3, CM-5) provides an audit trail proving procedures are followed and allows for ongoing effectiveness review Ã¢â‚¬â€œ fulfilling the requirement for persistently reviewing change management procedures. Essentially, the version control *is* the documented review process in action.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:29:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 106,
                "name": "Only Authorized Employees Change Code",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed that approved employees can make changes to the code on a branch to which they have approval.",
                "last_run": "2026-07-01T18:29:19.000Z",
                "test_definition_id": 7,
                "enabled": true
              },
              {
                "test_id": 105,
                "name": "Only Authorized Employees Access Version Control",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed that the users of the tool were all authenticated to the company's account.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 6,
                "enabled": true
              },
              {
                "test_id": 104,
                "name": "A Version Control System is being Used",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed it is being used",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 5,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-71",
          "control_name": "Unique Accounts Used",
          "control_description": "Access to corporate network, production machines, network devices, and support tools requires a unique ID.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.769Z",
          "updated_at": "2026-06-15T13:35:37.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-71-evidence",
              "name": "Unique Accounts Used (DCF-71)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147897+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-owner",
              "name": "Assigned Control Owner - Unique Accounts Used (DCF-71)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147903+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-monitoring",
              "name": "Continuous Monitoring - Unique Accounts Used (DCF-71)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.147908+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 98,
          "explanation": "Drata's \"Unique Accounts Used\" control helps satisfy KSI-CMT-RVP by ensuring accountability for changes Ã¢â‚¬â€œ if a change is made, itÃ¢â‚¬â„¢s traceable to a *specific* user account, not a shared one. This supports effective review of change management procedures because audit logs can definitively identify *who* implemented a change, allowing for validation of proper authorization and process adherence as required by FedRAMP. Essentially, unique accounts create a clear audit trail vital for persistent review.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-11",
          "control_name": "Annual Access Control Review",
          "control_description": "Sustainment Technologies Inc performs annual access control reviews.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.537Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 150,
              "name": "User Access Review",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/150_User Access Review.xlsx",
              "updated_at": "2026-03-02T15:28:18.965Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148063+00:00",
                "status": "hashed",
                "sha256": "a83b78e92bd554ebc59378b2f58c3b86c8dfac37b561ea9ddea944b69ab811d9",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/150_User Access Review.xlsx",
                "filename": "150_User Access Review.xlsx",
                "size_bytes": 115456,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-11-owner",
              "name": "Assigned Control Owner - Annual Access Control Review (DCF-11)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148170+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-11-policy",
              "name": "Policy Documentation - Annual Access Control Review (DCF-11)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148176+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 89,
          "explanation": "The Drata \"Annual Access Control Review\" directly addresses KSI-CMT-RVP by demonstrating ongoing validation of change management *procedures* Ã¢â‚¬â€œ specifically, how access (a key change vector) is managed and reviewed. Regularly verifying access rights ensures changes to those rights are appropriately authorized, implemented, and documented, proving the effectiveness of the overall change management process as required by FedRAMP. This aligns with NIST CM-3, which focuses on configuration management and change control processes.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-34",
          "control_name": "Security Team/Steering Committee",
          "control_description": "Sustainment Technologies Inc has an assigned security team that is responsible for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.883Z",
          "updated_at": "2026-05-16T21:24:18.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:40.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-34-owner",
              "name": "Assigned Control Owner - Security Team/Steering Committee (DCF-34)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148182+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-monitoring",
              "name": "Continuous Monitoring - Security Team/Steering Committee (DCF-34)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148189+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-policy",
              "name": "Policy Documentation - Security Team/Steering Committee (DCF-34)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148195+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 49,
          "explanation": "This Drata control satisfies KSI-CMT-RVP by demonstrating a dedicated security team actively *reviews* the organizationÃ¢â‚¬â„¢s security documentation Ã¢â‚¬â€œ including change management procedures Ã¢â‚¬â€œ as part of their ongoing management responsibilities. This persistent review process, linked to NIST CM-3, ensures procedures remain effective and aligned with evolving threats and system changes, fulfilling the FedRAMP requirement for continuous monitoring of change management.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:18.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-76",
          "control_name": "Critical Change Management",
          "control_description": "Sustainment Technologies Inc authorizes designated member(s) with the autonomy to validate, change, and release critical security patches and bug fixes, outside of the standard change management process, when absolutely necessary to ensure security standards and availability of the systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.448Z",
          "updated_at": "2025-11-24T13:51:37.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-76-evidence",
              "name": "Critical Change Management (DCF-76)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:37.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148201+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-76-owner",
              "name": "Assigned Control Owner - Critical Change Management (DCF-76)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:37.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148208+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-76-policy",
              "name": "Policy Documentation - Critical Change Management (DCF-76)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:37.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148213+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 9,
          "explanation": "This Drata control addresses KSI-CMT-RVP by demonstrating a process for *reviewing* the effectiveness of change management – specifically, acknowledging a need for expedited handling of critical security changes. By outlining authorized personnel and a deviation from standard procedures for urgent security patches, it proves the system isn’t rigidly bound by process to the detriment of security, and that effectiveness is considered even *during* changes. This aligns with FedRAMP's need to ensure change management doesn’t hinder timely security updates and system availability.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' SDLC Policy and Change Management policies define documented change management procedures governing all modifications to the cloud service offering. These procedures are implemented through production code change restrictions, version control requirements, critical change management workflows, and mandatory access reviews. Drata monitors compliance with these procedures — validating that unique accounts are used, code changes follow required workflows, and the Security Steering Committee persistently reviews change management effectiveness.\n### Key Controls\n- [OK] Software Development Life Cycle Policy (DCF-31)\n- [OK] System Access Control Policy (DCF-10)\n- [OK] Production Code Changes Restricted (DCF-6)\n- [OK] Log Management System (DCF-80)\n- [OK] Version Control System (DCF-4)\n- [OK] Unique Accounts Used (DCF-71)\n- [OK] Annual Access Control Review (DCF-11)\n- [OK] Security Team/Steering Committee (DCF-34)\n- [OK] Critical Change Management (DCF-76)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:58.657677+00:00",
      "ksi_name": "Reviewing Change Procedures",
      "category": "CMT",
      "statement": "Persistently review the effectiveness of documented change management procedures.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/change-management/",
      "nist_controls": [
        "CM-3",
        "CM-3.2",
        "CM-3.4",
        "CM-5",
        "CM-7.1",
        "CM-9"
      ],
      "failure_conditions": {
        "conditional_check": "Documented change management procedures governing all modifications to Sustainment's cloud service offering are reviewed, current, and enforced through production code restrictions, version control, and access controls.",
        "failure_condition": "Change management procedures not reviewed within the last 12 months, failure to enforce production code change restrictions, or absence of mandatory access reviews will cause a failure of the test. Additionally, an SDLC policy, version control system, critical change management workflow, and a security steering committee must be in place to ensure change procedures remain effective and current."
      },
      "outcome_metrics": [
        {
          "statement": "Change management procedures are reviewed and current",
          "metric_name": "Recency",
          "target_value": "Procedures reviewed within 12 months; changes approved by change board",
          "target_unit": "",
          "frequency": "Annually",
          "source": "Change procedure document revision log; change board meeting minutes",
          "notes": "Change procedures not reviewed within 12 months"
        }
      ],
      "monitoring": {
        "total_tests": 11,
        "passed": 11,
        "failed": 0,
        "controls_with_monitoring": 7,
        "monitoring_coverage": 70.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-CMT-VTD",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:20:00.305366+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-71 (DCF-71)",
          "control_id": "DCF-71",
          "status": "Passing",
          "description": "Drata control status for DCF-71",
          "date": "2026-07-02T13:20:00.305366+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-10 (DCF-10)",
          "control_id": "DCF-10",
          "status": "Passing",
          "description": "Drata control status for DCF-10",
          "date": "2026-07-02T13:20:00.305366+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-31 (DCF-31)",
          "control_id": "DCF-31",
          "status": "Passing",
          "description": "Drata control status for DCF-31",
          "date": "2026-07-02T13:20:00.305366+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-152 (DCF-152)",
          "control_id": "DCF-152",
          "status": "Passing",
          "description": "Drata control status for DCF-152",
          "date": "2026-07-02T13:20:00.305366+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-51 (DCF-51)",
          "control_id": "DCF-51",
          "status": "Passing",
          "description": "Drata control status for DCF-51",
          "date": "2026-07-02T13:20:00.305366+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-4 (DCF-4)",
          "control_id": "DCF-4",
          "status": "Passing",
          "description": "Drata control status for DCF-4",
          "date": "2026-07-02T13:20:00.305366+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-11 (DCF-11)",
          "control_id": "DCF-11",
          "status": "Passing",
          "description": "Drata control status for DCF-11",
          "date": "2026-07-02T13:20:00.305366+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-24 (DCF-24)",
          "control_id": "DCF-24",
          "status": "Passing",
          "description": "Drata control status for DCF-24",
          "date": "2026-07-02T13:20:00.305366+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-34 (DCF-34)",
          "control_id": "DCF-34",
          "status": "Passing",
          "description": "Drata control status for DCF-34",
          "date": "2026-07-02T13:20:00.305366+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-76 (DCF-76)",
          "control_id": "DCF-76",
          "status": "Passing",
          "description": "Drata control status for DCF-76",
          "date": "2026-07-02T13:20:00.305366+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-CMT-VTD",
          "control_name": "Custom Automated Check: KSI-CMT-VTD",
          "control_description": "10/10 mapped controls passing; Sustainment Technologies' SDLC Policy requires automated testing and validation at each stage of the deployment pipeline. This is implemented through automated security patching, monthly OS patch validation, version-controlled deployments, and defined SLAs for security bug remediation. Drata continuously monitors test execution and patch compliance, while the Security Steering Committee reviews deployment validation practices and critical change management procedures to ensure testing remains comprehensive throughout the release process.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:20:00.305366+00:00",
          "updated_at": "2026-07-02T13:20:00.305366+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:20:00.305366+00:00",
          "requirements_updated_at": "",
          "evidence_count": 10,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-71 (DCF-71)",
              "description": "Drata control status for DCF-71",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.305366+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148220+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-10 (DCF-10)",
              "description": "Drata control status for DCF-10",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.305366+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148227+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-31 (DCF-31)",
              "description": "Drata control status for DCF-31",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.305366+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148232+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-152 (DCF-152)",
              "description": "Drata control status for DCF-152",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.305366+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148238+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-51 (DCF-51)",
              "description": "Drata control status for DCF-51",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.305366+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148244+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-4 (DCF-4)",
              "description": "Drata control status for DCF-4",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.305366+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148250+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-11 (DCF-11)",
              "description": "Drata control status for DCF-11",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.305366+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148255+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-24 (DCF-24)",
              "description": "Drata control status for DCF-24",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.305366+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148261+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-34 (DCF-34)",
              "description": "Drata control status for DCF-34",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.305366+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148267+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-76 (DCF-76)",
              "description": "Drata control status for DCF-76",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.305366+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148273+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 11,
            "passed": 11,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:29:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              },
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              },
              {
                "test_id": 146,
                "name": "Has a SDLC Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed it has a Software Development Life Cycle Policy in place.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 36,
                "enabled": true
              },
              {
                "test_id": 134,
                "name": "Security Patches Auto-Applied on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices are configured to apply  system security patches automatically.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 65,
                "enabled": true
              },
              {
                "test_id": 106,
                "name": "Only Authorized Employees Change Code",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed that approved employees can make changes to the code on a branch to which they have approval.",
                "last_run": "2026-07-01T18:29:19.000Z",
                "test_definition_id": 7,
                "enabled": true
              },
              {
                "test_id": 105,
                "name": "Only Authorized Employees Access Version Control",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed that the users of the tool were all authenticated to the company's account.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 6,
                "enabled": true
              },
              {
                "test_id": 104,
                "name": "A Version Control System is being Used",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed it is being used",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 5,
                "enabled": true
              },
              {
                "test_id": 93,
                "name": "SLA for Security Bugs",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's procedure settings in Drata and determined that an SLA for P0 security bugs was set.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 27,
                "enabled": true
              },
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-71",
              "DCF-10",
              "DCF-31",
              "DCF-152",
              "DCF-51",
              "DCF-4",
              "DCF-11",
              "DCF-24",
              "DCF-34",
              "DCF-76"
            ]
          }
        },
        {
          "control_id": "DCF-71",
          "control_name": "Unique Accounts Used",
          "control_description": "Access to corporate network, production machines, network devices, and support tools requires a unique ID.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.769Z",
          "updated_at": "2026-06-15T13:35:37.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-71-evidence",
              "name": "Unique Accounts Used (DCF-71)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148279+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-owner",
              "name": "Assigned Control Owner - Unique Accounts Used (DCF-71)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148285+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-monitoring",
              "name": "Continuous Monitoring - Unique Accounts Used (DCF-71)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148291+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 98,
          "explanation": "The \"Unique Accounts Used\" control helps satisfy KSI-CMT-VTD by ensuring changes to systems are traceable to individual actors. Utilizing unique IDs allows for automated monitoring and auditing of who made what changes *throughout* the deployment pipeline, validating those changes against authorized personnel and processes – a core component of persistent testing and validation required by FedRAMP. This directly supports CM-3 (Account Management) as a foundational security practice for change control.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-10",
          "control_name": "System Access Control Policy",
          "control_description": "Sustainment Technologies Inc has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and employee transfers.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.531Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-10-evidence",
              "name": "System Access Control Policy (DCF-10)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148297+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-owner",
              "name": "Assigned Control Owner - System Access Control Policy (DCF-10)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148302+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-monitoring",
              "name": "Continuous Monitoring - System Access Control Policy (DCF-10)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148308+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 88,
          "explanation": "While seemingly unrelated, the System Access Control Policy *supports* KSI-CMT-VTD by ensuring only authorized personnel can deploy changes. Annual reviews and formalized request processes validate that access permissions remain appropriate *before* changes are implemented, contributing to persistent validation of who can modify the system – a key component of automated testing and validation of deployments under FedRAMP. This control establishes a foundational layer for secure change management, aligning with the intent of KSI-CMT-VTD even if it doesn't directly automate testing itself.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-31",
          "control_name": "Software Development Life Cycle Policy",
          "control_description": "Sustainment Technologies Inc has developed policies and procedures governing the system development life cycle, including documented policies for tracking, testing, approving, and validating changes.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.156Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:31:00.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-31-owner",
              "name": "Assigned Control Owner - Software Development Life Cycle Policy (DCF-31)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148314+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-31-monitoring",
              "name": "Continuous Monitoring - Software Development Life Cycle Policy (DCF-31)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148320+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-31-policy",
              "name": "Policy Documentation - Software Development Life Cycle Policy (DCF-31)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148326+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 129,
          "explanation": "This Drata control satisfies KSI-CMT-VTD by establishing a formalized Software Development Life Cycle (SDLC) that *requires* documented testing and validation of all system changes. By tracking changes from development through deployment (as outlined in the policy), Sustainment Technologies Inc demonstrates automated, persistent validation – fulfilling FedRAMP's need for continuous monitoring of the impact of updates. This aligns with NIST CM-3, emphasizing configuration management and change control.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 146,
                "name": "Has a SDLC Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed it has a Software Development Life Cycle Policy in place.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 36,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-152",
          "control_name": "Virtual Machine OS are Patched Monthly",
          "control_description": "Sustainment Technologies Inc ensures that virtual machine OS patches are applied monthly.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.221Z",
          "updated_at": "2025-11-24T13:51:37.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-152-evidence",
              "name": "Virtual Machine OS are Patched Monthly (DCF-152)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:37.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148333+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-152-owner",
              "name": "Assigned Control Owner - Virtual Machine OS are Patched Monthly (DCF-152)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:37.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148339+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-152-policy",
              "name": "Policy Documentation - Virtual Machine OS are Patched Monthly (DCF-152)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:37.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148345+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 119,
          "explanation": "This Drata control directly addresses KSI-CMT-VTD by automating a key aspect of change validation – ensuring OS security baselines remain consistent *after* deployment through monthly patching. Regularly patching VMs (as evidenced by this control) demonstrates persistent testing (vulnerability scans identify needed patches) and validation (patch application confirms successful change) throughout the system's lifecycle, satisfying the FedRAMP requirement for automated, ongoing validation of changes.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-51",
          "control_name": "Security Patches Automatically Applied",
          "control_description": "Sustainment Technologies Inc's workstations operating system (OS) security patches are applied automatically.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.213Z",
          "updated_at": "2026-05-27T19:01:28.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-51-evidence",
              "name": "Security Patches Automatically Applied (DCF-51)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148351+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-51-owner",
              "name": "Assigned Control Owner - Security Patches Automatically Applied (DCF-51)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148357+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-51-monitoring",
              "name": "Continuous Monitoring - Security Patches Automatically Applied (DCF-51)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148363+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 117,
          "explanation": "Drata's \"Security Patches Automatically Applied\" control directly addresses KSI-CMT-VTD by ensuring changes to the system (via security patches) are *persistently tested* (through vendor testing prior to release) and *validated* (by automated application post-release). This automation fulfills the FedRAMP requirement for continuous validation of the security posture throughout the deployment lifecycle, aligning with NIST SI-2’s focus on timely security fixes.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 134,
                "name": "Security Patches Auto-Applied on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices are configured to apply system security patches automatically.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 65,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-4",
          "control_name": "Version Control System",
          "control_description": "Sustainment Technologies Inc uses a version control system to manage source code, documentation, release labeling, and other change management tasks. Access to the system must be approved by a system admin.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.731Z",
          "updated_at": "2026-06-22T12:35:26.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-4-evidence",
              "name": "Version Control System (DCF-4)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:26.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148369+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-4-owner",
              "name": "Assigned Control Owner - Version Control System (DCF-4)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:26.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148375+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-4-monitoring",
              "name": "Continuous Monitoring - Version Control System (DCF-4)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:26.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148381+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 92,
          "explanation": "This Version Control System directly addresses KSI-CMT-VTD by providing a documented history of all changes to system components (code, documentation, etc.), enabling validation *of* those changes. By managing releases and requiring admin approval for access, it supports automated testing & validation throughout the deployment pipeline – a core tenet of persistent change management for FedRAMP.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:29:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 106,
                "name": "Only Authorized Employees Change Code",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed that approved employees can make changes to the code on a branch to which they have approval.",
                "last_run": "2026-07-01T18:29:19.000Z",
                "test_definition_id": 7,
                "enabled": true
              },
              {
                "test_id": 105,
                "name": "Only Authorized Employees Access Version Control",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed that the users of the tool were all authenticated to the company's account.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 6,
                "enabled": true
              },
              {
                "test_id": 104,
                "name": "A Version Control System is being Used",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed it is being used",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 5,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-11",
          "control_name": "Annual Access Control Review",
          "control_description": "Sustainment Technologies Inc performs annual access control reviews.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.537Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 150,
              "name": "User Access Review",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/150_User Access Review.xlsx",
              "updated_at": "2026-03-02T15:28:18.965Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148547+00:00",
                "status": "hashed",
                "sha256": "a83b78e92bd554ebc59378b2f58c3b86c8dfac37b561ea9ddea944b69ab811d9",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/150_User Access Review.xlsx",
                "filename": "150_User Access Review.xlsx",
                "size_bytes": 115456,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-11-owner",
              "name": "Assigned Control Owner - Annual Access Control Review (DCF-11)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148649+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-11-policy",
              "name": "Policy Documentation - Annual Access Control Review (DCF-11)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148656+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 89,
          "explanation": "While seemingly disconnected, the Annual Access Control Review (CM-3) contributes to KSI-CMT-VTD by validating that *changes* to user permissions (a deployment change) are regularly tested and remain aligned with the system's security posture. This persistent validation ensures access controls function as intended *after* deployment, demonstrating automated testing of a critical change category – who can access what – fulfilling the spirit of the FedRAMP requirement. Essentially, it's a manual, but recurring, validation step supporting automated change management overall.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-24",
          "control_name": "SLA for Security Bugs",
          "control_description": "Sustainment Technologies Inc tracks security deficiencies through internal tools and closes them within an SLA that management has pre-specified.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.994Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:33:48.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-24-owner",
              "name": "Assigned Control Owner - SLA for Security Bugs (DCF-24)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148662+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-24-monitoring",
              "name": "Continuous Monitoring - SLA for Security Bugs (DCF-24)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148668+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-24-policy",
              "name": "Policy Documentation - SLA for Security Bugs (DCF-24)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148675+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 79,
          "explanation": "This Drata control satisfies KSI-CMT-VTD by demonstrating automated validation of changes *after* deployment. Tracking security bugs with defined SLAs (and thus, remediation timelines) proves a persistent testing process – identifying issues arising from changes and validating their fix within a pre-defined timeframe, fulfilling the requirement for continuous validation throughout the deployment lifecycle. The related NIST SI-2 control reinforces this through systematic monitoring of security deficiencies.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 93,
                "name": "SLA for Security Bugs",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's procedure settings in Drata and determined that an SLA for P0 security bugs was set.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 27,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-34",
          "control_name": "Security Team/Steering Committee",
          "control_description": "Sustainment Technologies Inc has an assigned security team that is responsible for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.883Z",
          "updated_at": "2026-05-16T21:24:18.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:40.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-34-owner",
              "name": "Assigned Control Owner - Security Team/Steering Committee (DCF-34)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148681+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-monitoring",
              "name": "Continuous Monitoring - Security Team/Steering Committee (DCF-34)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148687+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-policy",
              "name": "Policy Documentation - Security Team/Steering Committee (DCF-34)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148693+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 49,
          "explanation": "This Drata control addresses KSI-CMT-VTD by establishing a dedicated security team responsible for *ongoing* security policy management (CM-3). This team inherently oversees the validation of changes to the system – as changes necessitate policy/baseline updates – ensuring persistent testing and validation throughout the deployment lifecycle, fulfilling the automation requirement through defined processes. Essentially, the team *is* the automation of review and approval for changes impacting security.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:18.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-76",
          "control_name": "Critical Change Management",
          "control_description": "Sustainment Technologies Inc authorizes designated member(s) with the autonomy to validate, change, and release critical security patches and bug fixes, outside of the standard change management process, when absolutely necessary to ensure security standards and availability of the systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.448Z",
          "updated_at": "2025-11-24T13:51:37.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-76-evidence",
              "name": "Critical Change Management (DCF-76)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:37.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148699+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-76-owner",
              "name": "Assigned Control Owner - Critical Change Management (DCF-76)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:37.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148705+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-76-policy",
              "name": "Policy Documentation - Critical Change Management (DCF-76)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:37.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148711+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 9,
          "explanation": "This Drata control addresses KSI-CMT-VTD by establishing a defined, *authorized* process for rapidly deploying critical security updates – effectively automating validation of changes *through* a streamlined release path. While bypassing standard change management, the control ensures designated personnel validate these \"critical changes\" before deployment, fulfilling the requirement for persistent testing and validation throughout the deployment lifecycle, even for urgent security needs.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' SDLC Policy requires automated testing and validation at each stage of the deployment pipeline. This is implemented through automated security patching, monthly OS patch validation, version-controlled deployments, and defined SLAs for security bug remediation. Drata continuously monitors test execution and patch compliance, while the Security Steering Committee reviews deployment validation practices and critical change management procedures to ensure testing remains comprehensive throughout the release process.\n### Key Controls\n- [OK] Unique Accounts Used (DCF-71)\n- [OK] System Access Control Policy (DCF-10)\n- [OK] Software Development Life Cycle Policy (DCF-31)\n- [OK] Virtual Machine OS are Patched Monthly (DCF-152)\n- [OK] Security Patches Automatically Applied (DCF-51)\n- [OK] Version Control System (DCF-4)\n- [OK] Annual Access Control Review (DCF-11)\n- [OK] SLA for Security Bugs (DCF-24)\n- [OK] Security Team/Steering Committee (DCF-34)\n- [OK] Critical Change Management (DCF-76)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:20:00.305366+00:00",
      "ksi_name": "Validating Throughout Deployment",
      "category": "CMT",
      "statement": "Automate persistent testing and validation of changes throughout deployment.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/change-management/",
      "nist_controls": [
        "CM-3",
        "CM-3.2",
        "CM-4.2",
        "SI-2"
      ],
      "failure_conditions": {
        "conditional_check": "All code and infrastructure changes within Sustainment's AWS environment pass automated testing and validation at each stage of the deployment pipeline before reaching production.",
        "failure_condition": "Code deployed without passing automated tests, bypassing the test pipeline, or failure to apply security patches within defined SLAs will cause a failure of the test. Additionally, an SDLC policy, version control system, automated security patching, monthly OS patch validation, and SLAs for security bug remediation must be in place to ensure changes are validated throughout deployment."
      },
      "outcome_metrics": [
        {
          "statement": "Automated tests pass at each deployment gate; no untested changes reach production",
          "metric_name": "Validation",
          "target_value": "100% of deployments pass all required automated checks; 0 test-bypassed deploys",
          "target_unit": "",
          "frequency": "Per deployment",
          "source": "CI/CD pipeline test results; deployment gate logs",
          "notes": "Deployment bypassing required test gate or failed test proceeding to production"
        }
      ],
      "monitoring": {
        "total_tests": 11,
        "passed": 11,
        "failed": 0,
        "controls_with_monitoring": 7,
        "monitoring_coverage": 63.6,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-CNA-DFP",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:55.231402+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-78 (DCF-78)",
          "control_id": "DCF-78",
          "status": "Passing",
          "description": "Drata control status for DCF-78",
          "date": "2026-07-02T13:19:55.231402+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-34 (DCF-34)",
          "control_id": "DCF-34",
          "status": "Passing",
          "description": "Drata control status for DCF-34",
          "date": "2026-07-02T13:19:55.231402+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-147 (DCF-147)",
          "control_id": "DCF-147",
          "status": "Passing",
          "description": "Drata control status for DCF-147",
          "date": "2026-07-02T13:19:55.231402+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-560 (DCF-560)",
          "control_id": "DCF-560",
          "status": "Passing",
          "description": "Drata control status for DCF-560",
          "date": "2026-07-02T13:19:55.231402+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-598 (DCF-598)",
          "control_id": "DCF-598",
          "status": "Passing",
          "description": "Drata control status for DCF-598",
          "date": "2026-07-02T13:19:55.231402+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-597 (DCF-597)",
          "control_id": "DCF-597",
          "status": "Passing",
          "description": "Drata control status for DCF-597",
          "date": "2026-07-02T13:19:55.231402+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-567 (DCF-567)",
          "control_id": "DCF-567",
          "status": "Passing",
          "description": "Drata control status for DCF-567",
          "date": "2026-07-02T13:19:55.231402+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-291 (DCF-291)",
          "control_id": "DCF-291",
          "status": "Passing",
          "description": "Drata control status for DCF-291",
          "date": "2026-07-02T13:19:55.231402+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-176 (DCF-176)",
          "control_id": "DCF-176",
          "status": "Passing",
          "description": "Drata control status for DCF-176",
          "date": "2026-07-02T13:19:55.231402+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-CNA-DFP",
          "control_name": "Custom Automated Check: KSI-CNA-DFP",
          "control_description": "9/9 mapped controls passing; Sustainment Technologies' Change Management Policy and baseline configuration standards strictly define the functionality and privileges allowed for all infrastructure and services. This is implemented through documented baseline configurations with version retention, anomalous behavior detection baselines, monitoring plans, and anti-virus controls that restrict unauthorized functionality. Drata validates that configurations remain within defined baselines and the Security Steering Committee reviews privilege definitions to ensure infrastructure operates within its intended scope.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:55.231402+00:00",
          "updated_at": "2026-07-02T13:19:55.231402+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:55.231402+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-78 (DCF-78)",
              "description": "Drata control status for DCF-78",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.231402+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148718+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-34 (DCF-34)",
              "description": "Drata control status for DCF-34",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.231402+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148724+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-147 (DCF-147)",
              "description": "Drata control status for DCF-147",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.231402+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148730+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-560 (DCF-560)",
              "description": "Drata control status for DCF-560",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.231402+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148735+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-598 (DCF-598)",
              "description": "Drata control status for DCF-598",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.231402+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148741+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-597 (DCF-597)",
              "description": "Drata control status for DCF-597",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.231402+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148747+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-567 (DCF-567)",
              "description": "Drata control status for DCF-567",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.231402+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148752+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-291 (DCF-291)",
              "description": "Drata control status for DCF-291",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.231402+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148758+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-176 (DCF-176)",
              "description": "Drata control status for DCF-176",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.231402+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148764+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 4,
            "passed": 4,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:42.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 39,
                "name": "Cloud Storage Buckets Versioned",
                "status": "PASSED",
                "description": "Drata validated that cloud storage buckets have versioning enabled.",
                "last_run": "2026-07-01T18:28:42.000Z",
                "test_definition_id": 108,
                "enabled": true
              },
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              },
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              },
              {
                "test_id": 133,
                "name": "Malware Detection Software Installed on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices have antimalware software installed.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 64,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-78",
              "DCF-34",
              "DCF-147",
              "DCF-560",
              "DCF-598",
              "DCF-597",
              "DCF-567",
              "DCF-291",
              "DCF-176"
            ]
          }
        },
        {
          "control_id": "DCF-78",
          "control_name": "Storage Buckets are Versioned",
          "control_description": "Storage buckets that contain customer data are versioned.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.928Z",
          "updated_at": "2026-05-16T21:24:19.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-78-evidence",
              "name": "Storage Buckets are Versioned (DCF-78)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148770+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-78-owner",
              "name": "Assigned Control Owner - Storage Buckets are Versioned (DCF-78)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148776+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-78-monitoring",
              "name": "Continuous Monitoring - Storage Buckets are Versioned (DCF-78)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148782+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 26,
          "explanation": "Drata's \"Storage Buckets are Versioned\" control directly addresses KSI-CNA-DFP by limiting unintended data modification or deletion, thus defining a key functionality *and* restricting privileges related to data management. Versioning ensures a historical record of data, preventing unauthorized changes and supporting data recovery – essential for maintaining defined service boundaries and protecting customer data integrity as required by FedRAMP. This aligns with CM-2 (Configuration Management) by establishing a baseline and tracking changes to critical infrastructure components.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:42.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 39,
                "name": "Cloud Storage Buckets Versioned",
                "status": "PASSED",
                "description": "Drata validated that cloud storage buckets have versioning enabled.",
                "last_run": "2026-07-01T18:28:42.000Z",
                "test_definition_id": 108,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-34",
          "control_name": "Security Team/Steering Committee",
          "control_description": "Sustainment Technologies Inc has an assigned security team that is responsible for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.883Z",
          "updated_at": "2026-05-16T21:24:18.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:40.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-34-owner",
              "name": "Assigned Control Owner - Security Team/Steering Committee (DCF-34)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148789+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-monitoring",
              "name": "Continuous Monitoring - Security Team/Steering Committee (DCF-34)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148795+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-policy",
              "name": "Policy Documentation - Security Team/Steering Committee (DCF-34)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.148800+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 49,
          "explanation": "The Security Team/Steering Committee control satisfies KSI-CNA-DFP by establishing a dedicated group responsible for *defining* security policies – which inherently dictate the functionality and permitted actions within the system. This team's oversight of policies, standards, and baselines ensures consistent application of defined privileges across infrastructure and services, fulfilling the requirement for strictly defined functionality. Essentially, they *document* what the system is allowed to do and who can do it.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:18.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-147",
          "control_name": "Physical Access to Facilities is Protected",
          "control_description": "Sustainment Technologies Inc has security policies that have been approved by management and detail how physical access to the company's headquarters is maintained. These policies are accessible to all employees and contractors.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:39.180Z",
          "updated_at": "2026-06-29T18:42:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": 140,
              "name": "No offices Memo",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/140_No offices Memo.pdf",
              "updated_at": "2026-01-09T13:34:01.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149010+00:00",
                "status": "not_hashed",
                "reason": "local_file_not_found",
                "source": "evidence/documents/140_No offices Memo.pdf"
              }
            },
            {
              "id": "DCF-147-owner",
              "name": "Assigned Control Owner - Physical Access to Facilities is Protected (DCF-147)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-29T18:42:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149019+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 104,
          "explanation": "This Drata control addresses KSI-CNA-DFP by demonstrating a defined process for *who* can access critical infrastructure (the facility housing systems) and implicitly, *what* they can access within. By documenting and communicating physical access policies, Sustainment Technologies Inc. establishes boundaries and privileges, ensuring only authorized personnel can reach systems supporting FedRAMP data – a core tenet of the KSI requirement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-560",
          "control_name": "Baselines for Detecting Anomalous Behavior",
          "control_description": "Sustainment Technologies Inc has established baselines for normal behavior of networks, systems, and applications for the detection of anomalies.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:11.087Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-560-evidence",
              "name": "Baselines for Detecting Anomalous Behavior (DCF-560)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149026+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-560-monitoring",
              "name": "Continuous Monitoring - Baselines for Detecting Anomalous Behavior (DCF-560)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149032+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 584,
          "explanation": "Drata's \"Baselines for Detecting Anomalous Behavior\" control directly addresses KSI-CNA-DFP by establishing a clear understanding of *normal* system functionality. Deviations from these baselines indicate potentially unauthorized activity or privilege misuse, enabling Sustainment Technologies Inc. to identify and respond to behaviors outside defined, acceptable parameters – thus demonstrating defined functionality and privilege control.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-598",
          "control_name": "Previous Baseline Configuration Versions Retained",
          "control_description": "Sustainment Technologies Inc retains previous versions of system and component configuration to support rollback.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:11.129Z",
          "updated_at": "2025-11-24T18:38:42.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-598-evidence",
              "name": "Previous Baseline Configuration Versions Retained (DCF-598)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T18:38:42.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149039+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-598-policy",
              "name": "Policy Documentation - Previous Baseline Configuration Versions Retained (DCF-598)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:42.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149046+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 587,
          "explanation": "This Drata control addresses KSI-CNA-DFP by demonstrating a defined capability to revert to known-good system states. Retaining previous baseline configurations allows Sustainment Technologies Inc. to quickly restore functionality if changes introduce issues, effectively limiting unintended privileges or functionality and supporting a secure, defined system operation – a core tenet of FedRAMP KSI.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-597",
          "control_name": "Baseline Configurations",
          "control_description": "Sustainment Technologies Inc uses automated tools to maintain completeness, currency, accuracy, and availability of baseline configurations.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:11.095Z",
          "updated_at": "2025-11-24T18:38:42.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-597-evidence",
              "name": "Baseline Configurations (DCF-597)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T18:38:42.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149052+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-597-policy",
              "name": "Policy Documentation - Baseline Configurations (DCF-597)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:42.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149058+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 586,
          "explanation": "Drata's Baseline Configurations control directly addresses KSI-CNA-DFP by ensuring systems are deployed with a *defined* and consistently applied security posture. Automating baseline maintenance guarantees these configurations remain current and accurate, effectively limiting functionality and privileges to approved settings – a core tenet of FedRAMP's KSI requirement for controlled access and minimized attack surface. This aligns with NIST CM-2 (Configuration Management) by establishing and enforcing standardized configurations.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-567",
          "control_name": "Change Management Policy",
          "control_description": "Sustainment Technologies Inc has a defined Change Management Policy that covers policies and procedures to manage changes across the organization in a well-communicated, planned and predictable manner that minimizes unplanned outages and unforeseen system issues.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:11.091Z",
          "updated_at": "2025-11-24T18:38:44.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-567-policy",
              "name": "Policy Documentation - Change Management Policy (DCF-567)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:44.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149064+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 585,
          "explanation": "The Change Management Policy directly addresses KSI-CNA-DFP by ensuring changes to infrastructure and services are planned and authorized *before* implementation. This controlled process defines *how* functionality is altered (the \"what\") and who is responsible (privileges), minimizing unauthorized or disruptive changes that could impact system security and availability – a core tenet of FedRAMP's KSI requirements. Essentially, it provides documented, predictable control over system modifications.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-291",
          "control_name": "Anti-Virus Capability",
          "control_description": "An anti-malware solution is deployed on all system components, except for those system components identified through periodic risk assessments that conclude the system components are not at risk from malware.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:46.112Z",
          "updated_at": "2026-06-24T20:54:45.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-291-monitoring",
              "name": "Continuous Monitoring - Anti-Virus Capability (DCF-291)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-24T20:54:45.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149070+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-291-policy",
              "name": "Policy Documentation - Anti-Virus Capability (DCF-291)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-06-24T20:54:45.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149077+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 201,
          "explanation": "Drata's Anti-Virus Capability control addresses KSI-CNA-DFP by limiting the *functionality* of system components – preventing malicious code execution and unauthorized actions that could compromise system integrity. By deploying anti-malware (and strategically excluding components via risk assessment), the control defines acceptable *privileges* – only allowing trusted software to operate, effectively restricting potentially harmful processes. This aligns with FedRAMP's need for clearly defined system behavior and access control.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 133,
                "name": "Malware Detection Software Installed on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices have antimalware software installed.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 64,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-176",
          "control_name": "Monitoring Plan",
          "control_description": "Sustainment Technologies Inc has a defined process for evaluating information security performance and the effectiveness of its information security program.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:42.904Z",
          "updated_at": "2025-11-24T18:38:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-176-monitoring",
              "name": "Continuous Monitoring - Monitoring Plan (DCF-176)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T18:38:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149083+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-176-policy",
              "name": "Policy Documentation - Monitoring Plan (DCF-176)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:53.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149089+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 175,
          "explanation": "The Drata \"Monitoring Plan\" control addresses KSI-CNA-DFP by demonstrating ongoing assessment of system functionality and security – effectively verifying that implemented privileges remain appropriate and aligned with defined services. Regular monitoring (as per CM-2) helps detect unauthorized changes or deviations from established baselines, ensuring functionality stays within defined, authorized limits required by FedRAMP. This proactive approach confirms sustained compliance with defined infrastructure and service privileges.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "Sustainment Technologies' Change Management Policy and baseline configuration standards strictly define the functionality and privileges allowed for all infrastructure and services. This is implemented through documented baseline configurations with version retention, anomalous behavior detection baselines, monitoring plans, and anti-virus controls that restrict unauthorized functionality. Drata validates that configurations remain within defined baselines and the Security Steering Committee reviews privilege definitions to ensure infrastructure operates within its intended scope.\n### Key Controls\n- [OK] Storage Buckets are Versioned (DCF-78)\n- [OK] Security Team/Steering Committee (DCF-34)\n- [OK] Physical Access to Facilities is Protected (DCF-147)\n- [OK] Baselines for Detecting Anomalous Behavior (DCF-560)\n- [OK] Previous Baseline Configuration Versions Retained (DCF-598)\n- [OK] Baseline Configurations (DCF-597)\n- [OK] Change Management Policy (DCF-567)\n- [OK] Anti-Virus Capability (DCF-291)\n- [OK] Monitoring Plan (DCF-176)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:55.231402+00:00",
      "ksi_name": "Defining Functionality and Privileges",
      "category": "CNA",
      "statement": "Strictly define the functionality and privileges for infrastructure and services.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/cloud-native-architecture/",
      "nist_controls": [
        "CM-2",
        "SI-3"
      ],
      "failure_conditions": {
        "conditional_check": "All infrastructure and services within Sustainment's AWS environment have strictly defined functionality and privileges enforced through documented baseline configurations and anomalous behavior detection.",
        "failure_condition": "Undefined or excessive privileges on infrastructure resources, deviation from baseline configurations, or failure to detect anomalous behavior will cause a failure of the test. Additionally, baseline configurations with version retention, a change management policy, monitoring plan, and anti-virus controls must be in place to ensure all functionality and privileges are defined and enforced."
      },
      "outcome_metrics": [
        {
          "statement": "Services run with least-privilege configurations and only required functionality enabled",
          "metric_name": "Integrity",
          "target_value": "100% of services have documented privilege definitions; 0 undocumented service accounts",
          "target_unit": "",
          "frequency": "Quarterly",
          "source": "IaC definitions; service account inventory; Drata configuration checks",
          "notes": "Service running with undocumented privileges or excessive permissions"
        }
      ],
      "monitoring": {
        "total_tests": 5,
        "passed": 5,
        "failed": 0,
        "controls_with_monitoring": 5,
        "monitoring_coverage": 50.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-CNA-EIS",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:57.390760+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-160 (DCF-160)",
          "control_id": "DCF-160",
          "status": "Passing",
          "description": "Drata control status for DCF-160",
          "date": "2026-07-02T13:19:57.390760+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-12 (DCF-12)",
          "control_id": "DCF-12",
          "status": "Passing",
          "description": "Drata control status for DCF-12",
          "date": "2026-07-02T13:19:57.390760+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-597 (DCF-597)",
          "control_id": "DCF-597",
          "status": "Passing",
          "description": "Drata control status for DCF-597",
          "date": "2026-07-02T13:19:57.390760+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-560 (DCF-560)",
          "control_id": "DCF-560",
          "status": "Passing",
          "description": "Drata control status for DCF-560",
          "date": "2026-07-02T13:19:57.390760+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-478 (DCF-478)",
          "control_id": "DCF-478",
          "status": "Passing",
          "description": "Drata control status for DCF-478",
          "date": "2026-07-02T13:19:57.390760+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-152 (DCF-152)",
          "control_id": "DCF-152",
          "status": "Passing",
          "description": "Drata control status for DCF-152",
          "date": "2026-07-02T13:19:57.390760+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-51 (DCF-51)",
          "control_id": "DCF-51",
          "status": "Passing",
          "description": "Drata control status for DCF-51",
          "date": "2026-07-02T13:19:57.390760+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-567 (DCF-567)",
          "control_id": "DCF-567",
          "status": "Passing",
          "description": "Drata control status for DCF-567",
          "date": "2026-07-02T13:19:57.390760+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-CNA-EIS",
          "control_name": "Custom Automated Check: KSI-CNA-EIS",
          "control_description": "8/8 mapped controls passing; Sustainment Technologies' Change Management Policy and baseline configuration standards establish the intended state for all machine-based information resources. This is implemented through documented baseline configurations, hardening standards, change detection mechanisms, automated security patching, and continuous control monitoring. Drata validates that configurations do not drift from their intended state by monitoring patch compliance, detecting unauthorized changes, and alerting on anomalous behavior relative to established baselines.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:57.390760+00:00",
          "updated_at": "2026-07-02T13:19:57.390760+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:57.390760+00:00",
          "requirements_updated_at": "",
          "evidence_count": 8,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-160 (DCF-160)",
              "description": "Drata control status for DCF-160",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.390760+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149096+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-12 (DCF-12)",
              "description": "Drata control status for DCF-12",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.390760+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149102+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-597 (DCF-597)",
              "description": "Drata control status for DCF-597",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.390760+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149108+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-560 (DCF-560)",
              "description": "Drata control status for DCF-560",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.390760+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149121+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-478 (DCF-478)",
              "description": "Drata control status for DCF-478",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.390760+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149131+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-152 (DCF-152)",
              "description": "Drata control status for DCF-152",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.390760+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149140+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-51 (DCF-51)",
              "description": "Drata control status for DCF-51",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.390760+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149149+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-567 (DCF-567)",
              "description": "Drata control status for DCF-567",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.390760+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149158+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-02T12:02:06.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              },
              {
                "test_id": 152,
                "name": "CloudTrail Log File Integrity Validation Enabled",
                "status": "PASSED",
                "description": "Drata confirmed that AWS CloudTrail log validation is enabled on all trails.",
                "last_run": "2026-07-02T12:02:06.000Z",
                "test_definition_id": 205,
                "enabled": true
              },
              {
                "test_id": 134,
                "name": "Security Patches Auto-Applied on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices are configured to apply system security patches automatically.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 65,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-160",
              "DCF-12",
              "DCF-597",
              "DCF-560",
              "DCF-478",
              "DCF-152",
              "DCF-51",
              "DCF-567"
            ]
          }
        },
        {
          "control_id": "DCF-160",
          "control_name": "Continuous Control Monitoring",
          "control_description": "Sustainment Technologies Inc conducts continuous monitoring of security controls using Drata, and addresses issues in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.170Z",
          "updated_at": "2025-11-24T13:51:38.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 160,
              "name": "Silent Log Sources - Crowdstrike",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/160_Silent Log Sources - Crowdstrike.png",
              "updated_at": "2026-06-17T22:10:26.030Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149331+00:00",
                "status": "hashed",
                "sha256": "4355516d11f210c6981374184d617ae5fe381cdce7b22a19795747db92d14581",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/160_Silent Log Sources - Crowdstrike.png",
                "filename": "160_Silent Log Sources - Crowdstrike.png",
                "size_bytes": 239901,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-160-owner",
              "name": "Assigned Control Owner - Continuous Control Monitoring (DCF-160)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149531+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-160-policy",
              "name": "Policy Documentation - Continuous Control Monitoring (DCF-160)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149537+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 70,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-12",
          "control_name": "Baseline Configuration and Hardening Standards",
          "control_description": "Sustainment Technologies Inc has identified and documented baseline security configuration standards for all system components in accordance with industry-accepted hardening standards or vendor recommendations. These standards are reviewed periodically and updated as needed (e.g., when vulnerabiliti",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.743Z",
          "updated_at": "2025-11-24T13:51:40.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-12-evidence",
              "name": "Baseline Configuration and Hardening Standards (DCF-12)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149544+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-12-policy",
              "name": "Policy Documentation - Baseline Configuration and Hardening Standards (DCF-12)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149551+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 93,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-597",
          "control_name": "Baseline Configurations",
          "control_description": "Sustainment Technologies Inc uses automated tools to maintain completeness, currency, accuracy, and availability of baseline configurations.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:11.095Z",
          "updated_at": "2025-11-24T18:38:42.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-597-evidence",
              "name": "Baseline Configurations (DCF-597)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T18:38:42.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149558+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-597-policy",
              "name": "Policy Documentation - Baseline Configurations (DCF-597)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:42.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149564+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 586,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-560",
          "control_name": "Baselines for Detecting Anomalous Behavior",
          "control_description": "Sustainment Technologies Inc has established baselines for normal behavior of networks, systems, and applications for the detection of anomalies.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:11.087Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-560-evidence",
              "name": "Baselines for Detecting Anomalous Behavior (DCF-560)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149571+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-560-monitoring",
              "name": "Continuous Monitoring - Baselines for Detecting Anomalous Behavior (DCF-560)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149577+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 584,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-478",
          "control_name": "Change Detection Mechanism",
          "control_description": "Sustainment Technologies Inc has enabled file integrity monitoring or a change-detection mechanism to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, audit files, or content files to ensure critical data cannot be changed ",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:00.023Z",
          "updated_at": "2025-11-24T13:51:38.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-478-monitoring",
              "name": "Continuous Monitoring - Change Detection Mechanism (DCF-478)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149584+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-478-policy",
              "name": "Policy Documentation - Change Detection Mechanism (DCF-478)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149590+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 497,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-02T12:02:06.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 152,
                "name": "CloudTrail Log File Integrity Validation Enabled",
                "status": "PASSED",
                "description": "Drata confirmed that AWS CloudTrail log validation is enabled on all trails.",
                "last_run": "2026-07-02T12:02:06.000Z",
                "test_definition_id": 205,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-152",
          "control_name": "Virtual Machine OS are Patched Monthly",
          "control_description": "Sustainment Technologies Inc ensures that virtual machine OS patches are applied monthly.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.221Z",
          "updated_at": "2025-11-24T13:51:37.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-152-evidence",
              "name": "Virtual Machine OS are Patched Monthly (DCF-152)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:37.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149596+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-152-owner",
              "name": "Assigned Control Owner - Virtual Machine OS are Patched Monthly (DCF-152)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:37.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149602+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-152-policy",
              "name": "Policy Documentation - Virtual Machine OS are Patched Monthly (DCF-152)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:37.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149608+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 119,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-51",
          "control_name": "Security Patches Automatically Applied",
          "control_description": "Operating system (OS) security patches are applied automatically on Sustainment Technologies Inc's workstations.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.213Z",
          "updated_at": "2026-05-27T19:01:28.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-51-evidence",
              "name": "Security Patches Automatically Applied (DCF-51)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149615+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-51-owner",
              "name": "Assigned Control Owner - Security Patches Automatically Applied (DCF-51)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149621+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-51-monitoring",
              "name": "Continuous Monitoring - Security Patches Automatically Applied (DCF-51)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149627+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 117,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 134,
                "name": "Security Patches Auto-Applied on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices are configured to apply system security patches automatically.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 65,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-567",
          "control_name": "Change Management Policy",
          "control_description": "Sustainment Technologies Inc has a defined Change Management Policy that covers policies and procedures to manage changes across the organization in a well-communicated, planned and predictable manner that minimizes unplanned outages and unforeseen system issues.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:11.091Z",
          "updated_at": "2025-11-24T18:38:44.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-567-policy",
              "name": "Policy Documentation - Change Management Policy (DCF-567)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:44.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149633+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 585,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' Change Management Policy and baseline configuration standards establish the intended state for all machine-based information resources. This is implemented through documented baseline configurations, hardening standards, change detection mechanisms, automated security patching, and continuous control monitoring. Drata validates that configurations do not drift from their intended state by monitoring patch compliance, detecting unauthorized changes, and alerting on anomalous behavior relative to established baselines.\n### Key Controls\n- [OK] Continuous Control Monitoring (DCF-160)\n- [OK] Baseline Configuration and Hardening Standards (DCF-12)\n- [OK] Baseline Configurations (DCF-597)\n- [OK] Baselines for Detecting Anomalous Behavior (DCF-560)\n- [OK] Change Detection Mechanism (DCF-478)\n- [OK] Virtual Machine OS are Patched Monthly (DCF-152)\n- [OK] Security Patches Automatically Applied (DCF-51)\n- [OK] Change Management Policy (DCF-567)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:57.390760+00:00",
      "ksi_name": "Enforcing Intended State",
      "category": "CNA",
      "statement": "Use automated services to persistently assess the security posture of all machine-based information resources and automatically enforce their intended operational state.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/cloud-native-architecture/",
      "nist_controls": [
        "CA-2.1",
        "CA-7.1"
      ],
      "failure_conditions": {
        "conditional_check": "All machine-based information resources within Sustainment's AWS environment maintain their intended configuration state through documented baselines, change detection, and automated patching.",
        "failure_condition": "Configuration drift from established baselines, failure of the change detection mechanism, or unpatched systems will cause a failure of the test. Additionally, baseline configurations, hardening standards, automated security patching, monthly OS patch validation, and continuous control monitoring must be in place to ensure the intended state is enforced and maintained."
      },
      "outcome_metrics": [
        {
          "statement": "Infrastructure matches declared IaC state with no drift",
          "metric_name": "Integrity",
          "target_value": "Configuration drift = 0; 100% of resources within approved state",
          "target_unit": "",
          "frequency": "Daily",
          "source": "IaC state comparison; cloud config drift detection tool",
          "notes": "Any configuration drift detected outside of approved change window"
        }
      ],
      "monitoring": {
        "total_tests": 3,
        "passed": 3,
        "failed": 0,
        "controls_with_monitoring": 3,
        "monitoring_coverage": 33.3,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-CNA-IBP",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:54.159843+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-78 (DCF-78)",
          "control_id": "DCF-78",
          "status": "Passing",
          "description": "Drata control status for DCF-78",
          "date": "2026-07-02T13:19:54.159843+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-13 (DCF-13)",
          "control_id": "DCF-13",
          "status": "Passing",
          "description": "Drata control status for DCF-13",
          "date": "2026-07-02T13:19:54.159843+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-34 (DCF-34)",
          "control_id": "DCF-34",
          "status": "Passing",
          "description": "Drata control status for DCF-34",
          "date": "2026-07-02T13:19:54.159843+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-147 (DCF-147)",
          "control_id": "DCF-147",
          "status": "Passing",
          "description": "Drata control status for DCF-147",
          "date": "2026-07-02T13:19:54.159843+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-12 (DCF-12)",
          "control_id": "DCF-12",
          "status": "Passing",
          "description": "Drata control status for DCF-12",
          "date": "2026-07-02T13:19:54.159843+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-153 (DCF-153)",
          "control_id": "DCF-153",
          "status": "Passing",
          "description": "Drata control status for DCF-153",
          "date": "2026-07-02T13:19:54.159843+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-560 (DCF-560)",
          "control_id": "DCF-560",
          "status": "Passing",
          "description": "Drata control status for DCF-560",
          "date": "2026-07-02T13:19:54.159843+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-598 (DCF-598)",
          "control_id": "DCF-598",
          "status": "Passing",
          "description": "Drata control status for DCF-598",
          "date": "2026-07-02T13:19:54.159843+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-597 (DCF-597)",
          "control_id": "DCF-597",
          "status": "Passing",
          "description": "Drata control status for DCF-597",
          "date": "2026-07-02T13:19:54.159843+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-CNA-IBP",
          "control_name": "Custom Automated Check: KSI-CNA-IBP",
          "control_description": "9/9 mapped controls passing; Sustainment Technologies' Information Security Policy requires that cloud-native resources are implemented following the host provider's best practices and documented guidance. This is implemented through baseline configurations aligned to provider recommendations, hardening standards, control self-assessments, and versioned storage buckets that follow cloud-native patterns. Drata monitors configuration compliance and the Security Steering Committee reviews adherence to provider best practices through regular self-assessments and anomalous behavior detection.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:54.159843+00:00",
          "updated_at": "2026-07-02T13:19:54.159843+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:54.159843+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-78 (DCF-78)",
              "description": "Drata control status for DCF-78",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.159843+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149640+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-13 (DCF-13)",
              "description": "Drata control status for DCF-13",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.159843+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149646+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-34 (DCF-34)",
              "description": "Drata control status for DCF-34",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.159843+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149652+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-147 (DCF-147)",
              "description": "Drata control status for DCF-147",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.159843+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149658+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-12 (DCF-12)",
              "description": "Drata control status for DCF-12",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.159843+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149664+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-153 (DCF-153)",
              "description": "Drata control status for DCF-153",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.159843+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149670+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-560 (DCF-560)",
              "description": "Drata control status for DCF-560",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.159843+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149675+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-598 (DCF-598)",
              "description": "Drata control status for DCF-598",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.159843+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149681+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-597 (DCF-597)",
              "description": "Drata control status for DCF-597",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.159843+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149686+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 4,
            "passed": 4,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:42.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 39,
                "name": "Cloud Storage Buckets Versioned",
                "status": "PASSED",
                "description": "Drata validated that cloud storage buckets have versioning enabled.",
                "last_run": "2026-07-01T18:28:42.000Z",
                "test_definition_id": 108,
                "enabled": true
              },
              {
                "test_id": 82,
                "name": "Information Security Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Information Security Policy and confirmed that it covers policies and procedures to support the functioning of internal control.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 16,
                "enabled": true
              },
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              },
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-78",
              "DCF-13",
              "DCF-34",
              "DCF-147",
              "DCF-12",
              "DCF-153",
              "DCF-560",
              "DCF-598",
              "DCF-597"
            ]
          }
        },
        {
          "control_id": "DCF-78",
          "control_name": "Storage Buckets are Versioned",
          "control_description": "Storage buckets that contain customer data are versioned.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.928Z",
          "updated_at": "2026-05-16T21:24:19.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-78-evidence",
              "name": "Storage Buckets are Versioned (DCF-78)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149693+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-78-owner",
              "name": "Assigned Control Owner - Storage Buckets are Versioned (DCF-78)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149699+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-78-monitoring",
              "name": "Continuous Monitoring - Storage Buckets are Versioned (DCF-78)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149705+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 26,
          "explanation": "Drata’s \"Storage Buckets are Versioned\" control satisfies KSI-CNA-IBP by demonstrating adherence to a host provider's (AWS, Azure, GCP) best practice for data protection – versioning helps prevent data loss and facilitates recovery, aligning with documented guidance. Enabling versioning inherently implements a secure configuration for cloud-native storage, proving consistent application of provider recommendations for information resources as required by FedRAMP.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:42.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 39,
                "name": "Cloud Storage Buckets Versioned",
                "status": "PASSED",
                "description": "Drata validated that cloud storage buckets have versioning enabled.",
                "last_run": "2026-07-01T18:28:42.000Z",
                "test_definition_id": 108,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-13",
          "control_name": "Information Security Policy",
          "control_description": "Sustainment Technologies Inc has a defined Information Security Policy that covers policies and procedures to support the functioning of internal control.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.144Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:39.174Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-13-owner",
              "name": "Assigned Control Owner - Information Security Policy (DCF-13)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149712+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-13-monitoring",
              "name": "Continuous Monitoring - Information Security Policy (DCF-13)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149718+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-13-policy",
              "name": "Policy Documentation - Information Security Policy (DCF-13)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149724+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 64,
          "explanation": "Drata's \"Information Security Policy\" satisfies KSI-CNA-IBP by demonstrating a foundational document outlining how Sustainment Technologies Inc. manages information security – inherently including implementation aligned with host provider best practices. This policy (and its supporting procedures) provides documented guidance for cloud resource implementation, fulfilling the KSI requirement for persistent adherence to those best practices as referenced by NIST PL-10.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 82,
                "name": "Information Security Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Information Security Policy and confirmed that it covers policies and procedures to support the functioning of internal control.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 16,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-34",
          "control_name": "Security Team/Steering Committee",
          "control_description": "Sustainment Technologies Inc has an assigned security team that is responsible for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.883Z",
          "updated_at": "2026-05-16T21:24:18.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:40.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-34-owner",
              "name": "Assigned Control Owner - Security Team/Steering Committee (DCF-34)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149731+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-monitoring",
              "name": "Continuous Monitoring - Security Team/Steering Committee (DCF-34)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149736+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-policy",
              "name": "Policy Documentation - Security Team/Steering Committee (DCF-34)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149742+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 49,
          "explanation": "The Security Team/Steering Committee control satisfies KSI-CNA-IBP by demonstrating a dedicated, responsible body actively designs *and* reviews security implementations – ensuring alignment with documented guidance (host provider best practices). This ongoing management, evidenced by policy/procedure creation (linked to NIST CM-2), persistently validates cloud resources are built & maintained according to established standards, fulfilling the KSI requirement for sustained best practice adherence.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:18.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-147",
          "control_name": "Physical Access to Facilities is Protected",
          "control_description": "Sustainment Technologies Inc has security policies that have been approved by management and detail how physical access to the company's headquarters is maintained. These policies are accessible to all employees and contractors.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:39.180Z",
          "updated_at": "2026-06-29T18:42:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": 140,
              "name": "No offices Memo",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/140_No offices Memo.pdf",
              "updated_at": "2026-01-09T13:34:01.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149956+00:00",
                "status": "not_hashed",
                "reason": "local_file_not_found",
                "source": "evidence/documents/140_No offices Memo.pdf"
              }
            },
            {
              "id": "DCF-147-owner",
              "name": "Assigned Control Owner - Physical Access to Facilities is Protected (DCF-147)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-29T18:42:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149965+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 104,
          "explanation": "While seemingly unrelated, \"Physical Access to Facilities is Protected\" contributes to FedRAMP KSI-CNA-IBP by demonstrating a foundational security posture. Robust physical security – a core \"best practice\" – underpins the secure operation of the *infrastructure* hosting cloud resources, ensuring the host provider (Sustainment Technologies Inc) maintains a secure environment as outlined in their documented policies. This control helps establish trust that the underlying systems are protected, aligning with the KSI's intent to verify secure implementation based on provider guidance.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-12",
          "control_name": "Baseline Configuration and Hardening Standards",
          "control_description": "Sustainment Technologies Inc has identified and documented baseline security configuration standards for all system components in accordance with industry-accepted hardening standards or vendor recommendations. These standards are reviewed periodically and updated as needed (e.g., when vulnerabiliti",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.743Z",
          "updated_at": "2025-11-24T13:51:40.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-12-evidence",
              "name": "Baseline Configuration and Hardening Standards (DCF-12)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149972+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-12-policy",
              "name": "Policy Documentation - Baseline Configuration and Hardening Standards (DCF-12)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.149978+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 93,
          "explanation": "Drata's \"Baseline Configuration and Hardening Standards\" control directly satisfies KSI-CNA-IBP by demonstrating documented, regularly updated configurations for system components – aligning with host provider (and industry) best practices. This proves STI persistently implements machine-based resources *based on* established guidance, fulfilling the requirement for ongoing adherence to secure configurations. Essentially, it's proof they aren't just setting things up initially, but *maintaining* a hardened state.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-153",
          "control_name": "Conduct Control Self-Assessments",
          "control_description": "Sustainment Technologies Inc performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.166Z",
          "updated_at": "2025-11-24T13:51:39.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": 130,
              "name": "Control Self-Assessment Evidence",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/130_Control Self-Assessment Evidence.png",
              "updated_at": "2026-01-09T13:34:01.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150149+00:00",
                "status": "hashed",
                "sha256": "6c537556c07a6d8abcb4966f663c3c05c55028a52586b178a9e837973ec40d30",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/130_Control Self-Assessment Evidence.png",
                "filename": "130_Control Self-Assessment Evidence.png",
                "size_bytes": 420710,
                "modified_at": "2026-07-02T13:17:00+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-153-owner",
              "name": "Assigned Control Owner - Conduct Control Self-Assessments (DCF-153)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:39.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150516+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 69,
          "explanation": "Drata’s Control Self-Assessments (CSAs) satisfy KSI-CNA-IBP by providing documented, recurring evidence that Sustainment Technologies Inc. is actively verifying its cloud infrastructure aligns with the host provider’s best practices (as outlined in PL-10). The annual CSA process, including identified corrective actions, demonstrates persistent assurance of implementation and adherence to that guidance – fulfilling the KSI requirement for ongoing validation.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-560",
          "control_name": "Baselines for Detecting Anomalous Behavior",
          "control_description": "Sustainment Technologies Inc has established baselines for normal behavior of networks, systems, and applications for the detection of anomalies.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:11.087Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-560-evidence",
              "name": "Baselines for Detecting Anomalous Behavior (DCF-560)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150524+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-560-monitoring",
              "name": "Continuous Monitoring - Baselines for Detecting Anomalous Behavior (DCF-560)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150530+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 584,
          "explanation": "This Drata control satisfies KSI-CNA-IBP by demonstrating a proactive approach to security configuration management. Establishing baselines for \"normal\" behavior (as outlined in the control description) allows Sustainment Technologies Inc. to identify deviations from the host provider’s expected configurations – effectively implementing and *persistently ensuring* adherence to best practices and documented guidance, as required by the KSI.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-598",
          "control_name": "Previous Baseline Configuration Versions Retained",
          "control_description": "Sustainment Technologies Inc retains previous versions of system and component configuration to support rollback.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:11.129Z",
          "updated_at": "2025-11-24T18:38:42.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-598-evidence",
              "name": "Previous Baseline Configuration Versions Retained (DCF-598)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T18:38:42.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150537+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-598-policy",
              "name": "Policy Documentation - Previous Baseline Configuration Versions Retained (DCF-598)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:42.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150543+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 587,
          "explanation": "Drata’s \"Previous Baseline Configuration Versions Retained\" control directly addresses KSI-CNA-IBP by demonstrating a capability to revert to known-good configurations – aligning with host provider best practices for stability and recovery. Retaining these baselines ensures STI can quickly remediate deviations from secure configurations, effectively implementing and *maintaining* a secure, cloud-native environment as required by FedRAMP. This rollback capability supports documented guidance for consistent system implementation (CM-2).",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-597",
          "control_name": "Baseline Configurations",
          "control_description": "Sustainment Technologies Inc uses automated tools to maintain completeness, currency, accuracy, and availability of baseline configurations.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:11.095Z",
          "updated_at": "2025-11-24T18:38:42.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-597-evidence",
              "name": "Baseline Configurations (DCF-597)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T18:38:42.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150550+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-597-policy",
              "name": "Policy Documentation - Baseline Configurations (DCF-597)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:42.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150555+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 586,
          "explanation": "Drata's \"Baseline Configurations\" control directly addresses KSI-CNA-IBP by demonstrating a continuous process for implementing and *maintaining* secure configurations on cloud resources – aligning with host provider best practices. The automated tools ensure configurations stay current and accurate, proving persistent adherence to documented guidance, as required by the FedRAMP KSI. This ties directly to NIST CM-2 (Configuration Management) which underpins secure system baselines.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' Information Security Policy requires that cloud-native resources are implemented following the host provider's best practices and documented guidance. This is implemented through baseline configurations aligned to provider recommendations, hardening standards, control self-assessments, and versioned storage buckets that follow cloud-native patterns. Drata monitors configuration compliance and the Security Steering Committee reviews adherence to provider best practices through regular self-assessments and anomalous behavior detection.\n### Key Controls\n- [OK] Storage Buckets are Versioned (DCF-78)\n- [OK] Information Security Policy (DCF-13)\n- [OK] Security Team/Steering Committee (DCF-34)\n- [OK] Physical Access to Facilities is Protected (DCF-147)\n- [OK] Baseline Configuration and Hardening Standards (DCF-12)\n- [OK] Conduct Control Self-Assessments (DCF-153)\n- [OK] Baselines for Detecting Anomalous Behavior (DCF-560)\n- [OK] Previous Baseline Configuration Versions Retained (DCF-598)\n- [OK] Baseline Configurations (DCF-597)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:54.159843+00:00",
      "ksi_name": "Implementing Best Practices",
      "category": "CNA",
      "statement": "Persistently ensure cloud-native machine-based information resources are implemented based on the host provider's best practices and documented guidance.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/cloud-native-architecture/",
      "nist_controls": [
        "AC-17.3",
        "CM-2",
        "PL-10"
      ],
      "failure_conditions": {
        "conditional_check": "All cloud-native resources within Sustainment's AWS environment are implemented following the host provider's best practices, documented hardening standards, and baseline configurations.",
        "failure_condition": "Resources deployed without following AWS best practices, deviation from documented hardening standards, or failure to maintain baseline configurations will cause a failure of the test. Additionally, an information security policy, baseline configurations with version retention, control self-assessments, and anomalous behavior detection must be in place to ensure cloud resources follow provider guidance."
      },
      "outcome_metrics": [
        {
          "statement": "Cloud resources meet CIS / FedRAMP hardening benchmarks",
          "metric_name": "Coverage",
          "target_value": ">= 95% of resources passing hardening benchmark checks",
          "target_unit": "",
          "frequency": "Weekly",
          "source": "Cloud security posture management (CSPM); Drata CIS checks",
          "notes": "Resource score below benchmark threshold or new benchmark failure"
        }
      ],
      "monitoring": {
        "total_tests": 4,
        "passed": 4,
        "failed": 0,
        "controls_with_monitoring": 4,
        "monitoring_coverage": 40.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-CNA-MAT",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:54.349186+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-488 (DCF-488)",
          "control_id": "DCF-488",
          "status": "Passing",
          "description": "Drata control status for DCF-488",
          "date": "2026-07-02T13:19:54.349186+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-180 (DCF-180)",
          "control_id": "DCF-180",
          "status": "Passing",
          "description": "Drata control status for DCF-180",
          "date": "2026-07-02T13:19:54.349186+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-110 (DCF-110)",
          "control_id": "DCF-110",
          "status": "Passing",
          "description": "Drata control status for DCF-110",
          "date": "2026-07-02T13:19:54.349186+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-62 (DCF-62)",
          "control_id": "DCF-62",
          "status": "Passing",
          "description": "Drata control status for DCF-62",
          "date": "2026-07-02T13:19:54.349186+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-181 (DCF-181)",
          "control_id": "DCF-181",
          "status": "Passing",
          "description": "Drata control status for DCF-181",
          "date": "2026-07-02T13:19:54.349186+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-CNA-MAT",
          "control_name": "Custom Automated Check: KSI-CNA-MAT",
          "control_description": "5/5 mapped controls passing; Sustainment Technologies' Encryption Policy and security configuration standards require that all machine-based resources maintain a minimal attack surface with controls to prevent lateral movement. This is implemented through automatic disconnection of inactive remote sessions, encrypted information transfer, session timeouts, and input validation on applications. Drata monitors encryption policy compliance, while these controls collectively ensure that if any single resource is compromised, the blast radius is contained through session controls, encryption, and network segmentation.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:54.349186+00:00",
          "updated_at": "2026-07-02T13:19:54.349186+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:54.349186+00:00",
          "requirements_updated_at": "",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-488 (DCF-488)",
              "description": "Drata control status for DCF-488",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.349186+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150562+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-180 (DCF-180)",
              "description": "Drata control status for DCF-180",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.349186+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150569+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-110 (DCF-110)",
              "description": "Drata control status for DCF-110",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.349186+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150574+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-62 (DCF-62)",
              "description": "Drata control status for DCF-62",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.349186+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150581+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-181 (DCF-181)",
              "description": "Drata control status for DCF-181",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.349186+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150587+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 119,
                "name": "Security Policies Cover Encryption",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they explain the procedures for encrypting sensitive data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 127,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-488",
              "DCF-180",
              "DCF-110",
              "DCF-62",
              "DCF-181"
            ]
          }
        },
        {
          "control_id": "DCF-488",
          "control_name": "Automatic Disconnect of Inactive Remote-Access",
          "control_description": "Sustainment Technologies Inc has included automatic disconnect of sessions for remote-access technologies after a specific period of inactivity in critical technologies usage policy.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:00.379Z",
          "updated_at": "2025-11-24T13:51:27.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-488-evidence",
              "name": "Automatic Disconnect of Inactive Remote-Access (DCF-488)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:27.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150594+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-488-owner",
              "name": "Assigned Control Owner - Automatic Disconnect of Inactive Remote-Access (DCF-488)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:27.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150600+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 507,
          "explanation": "This Drata control addresses KSI-CNA-MAT by reducing the window of opportunity for attackers to exploit compromised remote access sessions. Automatically disconnecting inactive sessions limits lateral movement potential Ã¢â‚¬â€œ even if credentials are stolen, the access duration is constrained, minimizing the attack surface and impact of a breach. This aligns with SC-10 by enforcing session termination to protect information systems.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-180",
          "control_name": "Secure Information Transfer",
          "control_description": "Sustainment Technologies Inc has a defined process to ensure the secure transfer of information internally and externally.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:44.309Z",
          "updated_at": "2025-11-24T13:51:40.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-180-policy",
              "name": "Policy Documentation - Secure Information Transfer (DCF-180)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150606+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 183,
          "explanation": "Drata's \"Secure Information Transfer\" control addresses KSI-CNA-MAT by demonstrating a process for controlling *how* data moves, limiting potential pathways for attackers to exploit vulnerabilities and move laterally within the system. By securing information transfer, Sustainment Technologies Inc. reduces the attack surface exposed during communication and minimizes the blast radius of a potential compromise Ã¢â‚¬â€œ key tenets of the FedRAMP KSI requirement. This aligns with NIST SC-8 (Transmission Confidentiality and Integrity) and CA-9 (Security Architecture) which both emphasize secure communication practices.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-110",
          "control_name": "Application Edits",
          "control_description": "Sustainment Technologies Inc's application edits limit input to acceptable value ranges",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:42.081Z",
          "updated_at": "2026-04-30T18:13:26.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-110-evidence",
              "name": "Application Edits (DCF-110)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-30T18:13:26.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150612+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-110-owner",
              "name": "Assigned Control Owner - Application Edits (DCF-110)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-30T18:13:26.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150618+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 164,
          "explanation": "Drata's \"Application Edits\" control directly addresses KSI-CNA-MAT by reducing the attack surface of information resources. By limiting input to acceptable ranges, the control prevents malicious data from being processed Ã¢â‚¬â€œ minimizing potential vulnerabilities attackers could exploit for lateral movement *after* a compromise, as required by the KSI. This aligns with NIST SI-10's focus on restricting the types and amounts of information flow within a system.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-62",
          "control_name": "Inactivity and Browser Exit Logout",
          "control_description": "Sustainment Technologies Inc automatically logs users out after a predefined inactivity interval and/or closure of the internet browser, and requires users to reauthenticate",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:39.714Z",
          "updated_at": "2025-11-24T13:51:27.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:16:19.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-62-evidence",
              "name": "Inactivity and Browser Exit Logout (DCF-62)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:27.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150625+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-62-policy",
              "name": "Policy Documentation - Inactivity and Browser Exit Logout (DCF-62)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:27.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150631+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 106,
          "explanation": "DrataÃ¢â‚¬â„¢s Ã¢â‚¬Å“Inactivity and Browser Exit LogoutÃ¢â‚¬Â control directly addresses KSI-CNA-MAT by minimizing the window of opportunity for attackers to exploit compromised accounts. By automatically logging users out after inactivity or browser closure and requiring reauthentication, it limits lateral movement potential and reduces the attack surface exposed during prolonged, unattended sessions Ã¢â‚¬â€œ aligning with the requirement for a minimal attack surface and reduced compromise impact. This aligns with NIST SC-10 (Session Management) which details secure session handling practices.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-181",
          "control_name": "Encryption Policy",
          "control_description": "Sustainment Technologies Inc has a defined policy that establishes requirements for the use of cryptographic controls.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.777Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-181-owner",
              "name": "Assigned Control Owner - Encryption Policy (DCF-181)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150637+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-181-monitoring",
              "name": "Continuous Monitoring - Encryption Policy (DCF-181)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150642+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-181-policy",
              "name": "Policy Documentation - Encryption Policy (DCF-181)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150648+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 100,
          "explanation": "Drata's \"Encryption Policy\" satisfies KSI-CNA-MAT by demonstrating a foundational security practice to reduce the attack surface. Specifically, a defined encryption policy (aligned with NIST SC-8) ensures sensitive data is protected both in transit and at rest, hindering unauthorized access and limiting the blast radius of a potential compromise Ã¢â‚¬â€œ thus minimizing lateral movement. This directly addresses the KSI requirement for a minimal attack surface and constrained lateral movement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 119,
                "name": "Security Policies Cover Encryption",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they explain the procedures for encrypting sensitive data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 127,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "Sustainment Technologies' Encryption Policy and security configuration standards require that all machine-based resources maintain a minimal attack surface with controls to prevent lateral movement. This is implemented through automatic disconnection of inactive remote sessions, encrypted information transfer, session timeouts, and input validation on applications. Drata monitors encryption policy compliance, while these controls collectively ensure that if any single resource is compromised, the blast radius is contained through session controls, encryption, and network segmentation.\n### Key Controls\n- [OK] Automatic Disconnect of Inactive Remote-Access (DCF-488)\n- [OK] Secure Information Transfer (DCF-180)\n- [OK] Application Edits (DCF-110)\n- [OK] Inactivity and Browser Exit Logout (DCF-62)\n- [OK] Encryption Policy (DCF-181)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:54.349186+00:00",
      "ksi_name": "Minimizing Attack Surface",
      "category": "CNA",
      "statement": "Persistently ensure machine-based information resources have a minimal attack surface and that lateral movement is minimized if compromised.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/cloud-native-architecture/",
      "nist_controls": [
        "AC-17.3",
        "AC-18.1",
        "AC-18.3",
        "AC-20.1",
        "CA-9",
        "SC-7.3",
        "SC-7.4",
        "SC-7.5",
        "SC-7.8",
        "SC-8",
        "SC-10",
        "SI-10",
        "SI-11",
        "SI-16"
      ],
      "failure_conditions": {
        "conditional_check": "All machine-based resources within Sustainment's AWS environment maintain a minimal attack surface with controls to prevent lateral movement, enforce session management, and protect data in transit.",
        "failure_condition": "New attack surface exposed without review, unencrypted information transfer, failure to disconnect inactive sessions, or absence of input validation on applications will cause a failure of the test. Additionally, encryption policies, session timeout controls, and secure information transfer mechanisms must be in place to ensure the attack surface is minimized and lateral movement is prevented. Datadog rules exist to ensure that any changes exposing new ports within our AWS environment or changing infrastructure will trigger alerts."
      },
      "outcome_metrics": [
        {
          "statement": "Exposed attack surface is inventoried and minimized to only required services and ports",
          "metric_name": "Coverage",
          "target_value": "0 unexpected open ports/services; 100% of public endpoints inventoried",
          "target_unit": "",
          "frequency": "Weekly",
          "source": "Network scan; cloud security group audit; attack surface dashboard",
          "notes": "Unexpected open port, service, or public endpoint detected"
        }
      ],
      "monitoring": {
        "total_tests": 1,
        "passed": 1,
        "failed": 0,
        "controls_with_monitoring": 1,
        "monitoring_coverage": 16.7,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-CNA-OFA",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:57.487522+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-166 (DCF-166)",
          "control_id": "DCF-166",
          "status": "Passing",
          "description": "Drata control status for DCF-166",
          "date": "2026-07-02T13:19:57.487522+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-77 (DCF-77)",
          "control_id": "DCF-77",
          "status": "Passing",
          "description": "Drata control status for DCF-77",
          "date": "2026-07-02T13:19:57.487522+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-100 (DCF-100)",
          "control_id": "DCF-100",
          "status": "Passing",
          "description": "Drata control status for DCF-100",
          "date": "2026-07-02T13:19:57.487522+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-95 (DCF-95)",
          "control_id": "DCF-95",
          "status": "Passing",
          "description": "Drata control status for DCF-95",
          "date": "2026-07-02T13:19:57.487522+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-169 (DCF-169)",
          "control_id": "DCF-169",
          "status": "Passing",
          "description": "Drata control status for DCF-169",
          "date": "2026-07-02T13:19:57.487522+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-26 (DCF-26)",
          "control_id": "DCF-26",
          "status": "Passing",
          "description": "Drata control status for DCF-26",
          "date": "2026-07-02T13:19:57.487522+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-CNA-OFA",
          "control_name": "Custom Automated Check: KSI-CNA-OFA",
          "control_description": "6/6 mapped controls passing; Sustainment Technologies' Business Continuity Plan and Backup Policy establish requirements for high availability and rapid recovery of all machine-based information resources. This is implemented through daily database backups with integrity verification, defined backup retention procedures, capacity monitoring, and annual BCP/DR testing. Drata monitors backup execution and capacity usage, while annual BCP/DR testing validates that recovery capabilities meet defined availability objectives.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:57.487522+00:00",
          "updated_at": "2026-07-02T13:19:57.487522+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:57.487522+00:00",
          "requirements_updated_at": "",
          "evidence_count": 6,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-166 (DCF-166)",
              "description": "Drata control status for DCF-166",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.487522+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150655+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-77 (DCF-77)",
              "description": "Drata control status for DCF-77",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.487522+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150661+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-100 (DCF-100)",
              "description": "Drata control status for DCF-100",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.487522+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150667+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-95 (DCF-95)",
              "description": "Drata control status for DCF-95",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.487522+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150673+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-169 (DCF-169)",
              "description": "Drata control status for DCF-169",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.487522+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150679+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-26 (DCF-26)",
              "description": "Drata control status for DCF-26",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.487522+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150685+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:47.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 16,
                "name": "Database Backups",
                "status": "PASSED",
                "description": "Drata validated database backup configurations from the cloud infrastructure provider and confirmed database backups are performed at least daily.",
                "last_run": "2026-07-01T18:27:41.000Z",
                "test_definition_id": 107,
                "enabled": true
              },
              {
                "test_id": 9,
                "name": "Capacity and Usage Monitoring",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's processing capacity and usage reports to determine that processing capacity and usage was monitored.",
                "last_run": "2026-07-01T18:27:47.000Z",
                "test_definition_id": 129,
                "enabled": true
              },
              {
                "test_id": 20,
                "name": "Has a Backup Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Backup Policy and confirmed it specified how often backups should be taken and for how long they should be retained.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 106,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-166",
              "DCF-77",
              "DCF-100",
              "DCF-95",
              "DCF-169",
              "DCF-26"
            ]
          }
        },
        {
          "control_id": "DCF-166",
          "control_name": "Business Continuity Plan",
          "control_description": "Sustainment Technologies Inc has a defined Business Continuity Plan that outlines the proper procedures to respond, recover, resume, and restore operations following a disruption or significant change.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.834Z",
          "updated_at": "2025-11-24T13:51:38.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-166-policy",
              "name": "Policy Documentation - Business Continuity Plan (DCF-166)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150692+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 91,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-77",
          "control_name": "Daily Database Backups",
          "control_description": "Sustainment Technologies Inc performs backups daily and retains them in accordance with a predefined schedule in the Backup Policy.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.886Z",
          "updated_at": "2026-05-16T21:24:19.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-77-owner",
              "name": "Assigned Control Owner - Daily Database Backups (DCF-77)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150698+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-77-monitoring",
              "name": "Continuous Monitoring - Daily Database Backups (DCF-77)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150705+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-77-policy",
              "name": "Policy Documentation - Daily Database Backups (DCF-77)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150711+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 13,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:41.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 16,
                "name": "Database Backups",
                "status": "PASSED",
                "description": "Drata validated database backup configurations from the cloud infrastructure provider and confirmed database backups are performed at least daily.",
                "last_run": "2026-07-01T18:27:41.000Z",
                "test_definition_id": 107,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-100",
          "control_name": "Backup Integrity and Completeness",
          "control_description": "Sustainment Technologies Inc tests the integrity and completeness of back-up information on an annual basis.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.984Z",
          "updated_at": "2025-11-24T13:51:34.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-100-owner",
              "name": "Assigned Control Owner - Backup Integrity and Completeness (DCF-100)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150718+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-100-monitoring",
              "name": "Continuous Monitoring - Backup Integrity and Completeness (DCF-100)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150724+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-100-policy",
              "name": "Policy Documentation - Backup Integrity and Completeness (DCF-100)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150730+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 17,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-95",
          "control_name": "Monitoring Processing Capacity and Usage",
          "control_description": "Sustainment Technologies Inc monitors its processing capacity and usage on a quarterly basis in order to appropriately manage capacity demand and to enable the implementation of additional capacity to meet availability commitments.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.435Z",
          "updated_at": "2026-05-16T21:24:18.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:22.235Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-95-evidence",
              "name": "Monitoring Processing Capacity and Usage (DCF-95)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150737+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-95-owner",
              "name": "Assigned Control Owner - Monitoring Processing Capacity and Usage (DCF-95)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150743+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-95-monitoring",
              "name": "Continuous Monitoring - Monitoring Processing Capacity and Usage (DCF-95)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150748+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 6,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:47.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 9,
                "name": "Capacity and Usage Monitoring",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's processing capacity and usage reports to determine that processing capacity and usage was monitored.",
                "last_run": "2026-07-01T18:27:47.000Z",
                "test_definition_id": 129,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-169",
          "control_name": "Backup Policy",
          "control_description": "Sustainment Technologies Inc has a defined backup policy that establishes the requirements for backup information, software and systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.900Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-169-owner",
              "name": "Assigned Control Owner - Backup Policy (DCF-169)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150755+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-169-monitoring",
              "name": "Continuous Monitoring - Backup Policy (DCF-169)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150761+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-169-policy",
              "name": "Policy Documentation - Backup Policy (DCF-169)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150767+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 16,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 20,
                "name": "Has a Backup Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Backup Policy and confirmed it specified how often backups should be taken and for how long they should be retained.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 106,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-26",
          "control_name": "BCP/DR Tests Conducted Annually",
          "control_description": "Sustainment Technologies Inc conducts annual BCP/DR tests and documents them according to the BCDR Plan.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.875Z",
          "updated_at": "2025-11-24T13:51:33.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-26-evidence",
              "name": "BCP/DR Tests Conducted Annually (DCF-26)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:33.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150773+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-26-policy",
              "name": "Policy Documentation - BCP/DR Tests Conducted Annually (DCF-26)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:33.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150779+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 11,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' Business Continuity Plan and Backup Policy establish requirements for high availability and rapid recovery of all machine-based information resources. This is implemented through daily database backups with integrity verification, defined backup retention procedures, capacity monitoring, and annual BCP/DR testing. Drata monitors backup execution and capacity usage, while annual BCP/DR testing validates that recovery capabilities meet defined availability objectives.\n### Key Controls\n- [OK] Business Continuity Plan (DCF-166)\n- [OK] Daily Database Backups (DCF-77)\n- [OK] Backup Integrity and Completeness (DCF-100)\n- [OK] Monitoring Processing Capacity and Usage (DCF-95)\n- [OK] Backup Policy (DCF-169)\n- [OK] BCP/DR Tests Conducted Annually (DCF-26)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:57.487522+00:00",
      "ksi_name": "Optimizing for Availability",
      "category": "CNA",
      "statement": "Appropriately optimize machine-based information resources for high availability and rapid recovery.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/cloud-native-architecture/",
      "nist_controls": [],
      "failure_conditions": {
        "conditional_check": "All machine-based information resources within Sustainment's AWS environment are architected for high availability through automated backups with integrity verification and defined recovery procedures.",
        "failure_condition": "An availability SLA breach, recovery time exceeding defined RTO, failure to complete daily backups, or backup integrity verification failure will cause a failure of the test. Additionally, a business continuity plan, backup policy with retention procedures, capacity monitoring, and annual BCP/DR tests must be in place to ensure availability is optimized and recovery is achievable."
      },
      "outcome_metrics": [
        {
          "statement": "Services meet documented availability targets with validated redundancy",
          "metric_name": "Availability",
          "target_value": "Availability >= SLO target; 100% of critical services have redundancy",
          "target_unit": "",
          "frequency": "Monthly",
          "source": "Uptime monitoring; SLO dashboard; redundancy validation checks",
          "notes": "Availability below SLO or critical service without redundancy"
        }
      ],
      "monitoring": {
        "total_tests": 3,
        "passed": 3,
        "failed": 0,
        "controls_with_monitoring": 3,
        "monitoring_coverage": 42.9,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-CNA-RNT",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:59.520455+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-653 (DCF-653)",
          "control_id": "DCF-653",
          "status": "Passing",
          "description": "Drata control status for DCF-653",
          "date": "2026-07-02T13:19:59.520455+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-180 (DCF-180)",
          "control_id": "DCF-180",
          "status": "Passing",
          "description": "Drata control status for DCF-180",
          "date": "2026-07-02T13:19:59.520455+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-51 (DCF-51)",
          "control_id": "DCF-51",
          "status": "Passing",
          "description": "Drata control status for DCF-51",
          "date": "2026-07-02T13:19:59.520455+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-50 (DCF-50)",
          "control_id": "DCF-50",
          "status": "Passing",
          "description": "Drata control status for DCF-50",
          "date": "2026-07-02T13:19:59.520455+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-488 (DCF-488)",
          "control_id": "DCF-488",
          "status": "Passing",
          "description": "Drata control status for DCF-488",
          "date": "2026-07-02T13:19:59.520455+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-92 (DCF-92)",
          "control_id": "DCF-92",
          "status": "Passing",
          "description": "Drata control status for DCF-92",
          "date": "2026-07-02T13:19:59.520455+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-72 (DCF-72)",
          "control_id": "DCF-72",
          "status": "Passing",
          "description": "Drata control status for DCF-72",
          "date": "2026-07-02T13:19:59.520455+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-21 (DCF-21)",
          "control_id": "DCF-21",
          "status": "Passing",
          "description": "Drata control status for DCF-21",
          "date": "2026-07-02T13:19:59.520455+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-CNA-RNT",
          "control_name": "Custom Automated Check: KSI-CNA-RNT",
          "control_description": "8/8 mapped controls passing; Sustainment Technologies' security policies require all machine-based information resources to limit inbound and outbound network traffic to only what is necessary. This is implemented through spam protection, SSH key management, encrypted remote access, automatic disconnection of inactive sessions, malware detection, and automated security patching. Drata monitors patch compliance and malware detection status, while the architectural diagram documents allowed traffic flows to verify that network restrictions match the intended design.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:59.520455+00:00",
          "updated_at": "2026-07-02T13:19:59.520455+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:59.520455+00:00",
          "requirements_updated_at": "",
          "evidence_count": 8,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-653 (DCF-653)",
              "description": "Drata control status for DCF-653",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.520455+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150785+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-180 (DCF-180)",
              "description": "Drata control status for DCF-180",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.520455+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150791+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-51 (DCF-51)",
              "description": "Drata control status for DCF-51",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.520455+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150797+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-50 (DCF-50)",
              "description": "Drata control status for DCF-50",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.520455+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150803+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-488 (DCF-488)",
              "description": "Drata control status for DCF-488",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.520455+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150808+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-92 (DCF-92)",
              "description": "Drata control status for DCF-92",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.520455+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150815+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-72 (DCF-72)",
              "description": "Drata control status for DCF-72",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.520455+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150820+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-21 (DCF-21)",
              "description": "Drata control status for DCF-21",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.520455+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150826+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 134,
                "name": "Security Patches Auto-Applied on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices are configured to apply  system security patches automatically.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 65,
                "enabled": true
              },
              {
                "test_id": 133,
                "name": "Malware Detection Software Installed on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices have  antimalware software installed.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 64,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-653",
              "DCF-180",
              "DCF-51",
              "DCF-50",
              "DCF-488",
              "DCF-92",
              "DCF-72",
              "DCF-21"
            ]
          }
        },
        {
          "control_id": "DCF-653",
          "control_name": "Spam Protection",
          "control_description": "Sustainment Technologies Inc has spam protection at system entry and exit points to detect unsolicited messages.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:16.976Z",
          "updated_at": "2025-11-24T18:38:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-653-evidence",
              "name": "Spam Protection (DCF-653)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T18:38:51.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150833+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-653-policy",
              "name": "Policy Documentation - Spam Protection (DCF-653)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150839+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 615,
          "explanation": "Spam protection, while seemingly focused on email, inherently limits network traffic by blocking malicious or unwanted connections attempting to enter or leave the system – directly addressing the KSI-CNA-RNT requirement. By filtering potentially harmful traffic at entry/exit points, this control helps ensure only authorized network communication occurs, contributing to a hardened network perimeter as FedRAMP demands. This aligns with NIST SI-8 (Network Security) by providing a boundary protection mechanism.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-180",
          "control_name": "Secure Information Transfer",
          "control_description": "Sustainment Technologies Inc has a defined process to ensure the secure transfer of information internally and externally.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:44.309Z",
          "updated_at": "2025-11-24T13:51:40.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-180-policy",
              "name": "Policy Documentation - Secure Information Transfer (DCF-180)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150845+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 183,
          "explanation": "Drata's \"Secure Information Transfer\" control addresses FedRAMP KSI-CNA-RNT by demonstrating a documented process for managing network traffic – both in and out – as part of routine information handling. This process, linked to NIST CA-9 (Security of Data Transmitted Internally and Externally), provides evidence of consistent configuration management to *limit* that traffic as the KSI requires, ensuring only authorized communication occurs. Essentially, it proves STI isn’t just *capable* of secure transfer, but actively *maintains* it through defined procedures.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-51",
          "control_name": "Security Patches Automatically Applied",
          "control_description": "Sustainment Technologies Inc's workstations operating system (OS) security patches are applied automatically.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.213Z",
          "updated_at": "2026-05-27T19:01:28.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-51-evidence",
              "name": "Security Patches Automatically Applied (DCF-51)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150852+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-51-owner",
              "name": "Assigned Control Owner - Security Patches Automatically Applied (DCF-51)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150857+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-51-monitoring",
              "name": "Continuous Monitoring - Security Patches Automatically Applied (DCF-51)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150863+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 117,
          "explanation": "Drata’s \"Security Patches Automatically Applied\" control directly addresses KSI-CNA-RNT by minimizing the attack surface of systems. Regularly patching ensures known vulnerabilities exploited by malicious network traffic are remediated, thus limiting both inbound *and* outbound communication pathways attackers could leverage. This aligns with the FedRAMP requirement for consistently configured systems to restrict unauthorized network access – supported by NIST SI-8’s focus on vulnerability remediation.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 134,
                "name": "Security Patches Auto-Applied on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices are configured to apply  system security patches automatically.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 65,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-50",
          "control_name": "Malware Detection Software Installed",
          "control_description": "Sustainment Technologies Inc requires antivirus software to be installed on workstations to protect the network against malware.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.207Z",
          "updated_at": "2026-06-24T20:54:45.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-50-owner",
              "name": "Assigned Control Owner - Malware Detection Software Installed (DCF-50)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-24T20:54:45.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150870+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-50-monitoring",
              "name": "Continuous Monitoring - Malware Detection Software Installed (DCF-50)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-24T20:54:45.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150876+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-50-policy",
              "name": "Policy Documentation - Malware Detection Software Installed (DCF-50)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-06-24T20:54:45.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150882+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 116,
          "explanation": "Malware Detection Software (antivirus) directly addresses KSI-CNA-RNT by actively blocking malicious network traffic – both inbound (preventing infection) and outbound (stopping data exfiltration) – that would otherwise bypass standard network controls. This persistent scanning and blocking capability ensures information resources are configured to *limit* unauthorized network communication, fulfilling the FedRAMP requirement. The control aligns with NIST SI-8 (Incident Planning) as malware detection is a key component of incident response and prevention.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 133,
                "name": "Malware Detection Software Installed on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices have  antimalware software installed.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 64,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-488",
          "control_name": "Automatic Disconnect of Inactive Remote-Access",
          "control_description": "Sustainment Technologies Inc has included automatic disconnect of sessions for remote-access technologies after a specific period of inactivity in critical technologies usage policy.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:00.379Z",
          "updated_at": "2025-11-24T13:51:27.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-488-evidence",
              "name": "Automatic Disconnect of Inactive Remote-Access (DCF-488)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:27.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150887+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-488-owner",
              "name": "Assigned Control Owner - Automatic Disconnect of Inactive Remote-Access (DCF-488)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:27.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150893+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 507,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-92",
          "control_name": "Encrypted Remote Production Access",
          "control_description": "Users can only access the production system remotely through the use of encrypted communication systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.934Z",
          "updated_at": "2025-11-24T13:51:26.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-92-evidence",
              "name": "Encrypted Remote Production Access (DCF-92)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150900+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-92-owner",
              "name": "Assigned Control Owner - Encrypted Remote Production Access (DCF-92)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150905+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-92-policy",
              "name": "Policy Documentation - Encrypted Remote Production Access (DCF-92)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150911+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 27,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-72",
          "control_name": "Unique SSH",
          "control_description": "SSH users use unique accounts to access production machines. Additionally, the use of the “Root” account is not allowed.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:39.720Z",
          "updated_at": "2026-04-29T16:53:43.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-72-evidence",
              "name": "Unique SSH (DCF-72)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T16:53:43.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150917+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-72-owner",
              "name": "Assigned Control Owner - Unique SSH (DCF-72)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T16:53:43.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150924+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-72-policy",
              "name": "Policy Documentation - Unique SSH (DCF-72)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T16:53:43.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150930+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 107,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-21",
          "control_name": "Architectural Diagram",
          "control_description": "Sustainment Technologies Inc maintains an accurate architectural diagram to document system boundaries to support the functioning of internal control.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.152Z",
          "updated_at": "2025-11-24T13:51:40.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-02-04T21:04:30.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-21-evidence",
              "name": "Architectural Diagram (DCF-21)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150936+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-21-owner",
              "name": "Assigned Control Owner - Architectural Diagram (DCF-21)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150943+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-21-policy",
              "name": "Policy Documentation - Architectural Diagram (DCF-21)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150949+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 66,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' security policies require all machine-based information resources to limit inbound and outbound network traffic to only what is necessary. This is implemented through spam protection, SSH key management, encrypted remote access, automatic disconnection of inactive sessions, malware detection, and automated security patching. Drata monitors patch compliance and malware detection status, while the architectural diagram documents allowed traffic flows to verify that network restrictions match the intended design.\n### Key Controls\n- [OK] Spam Protection (DCF-653)\n- [OK] Secure Information Transfer (DCF-180)\n- [OK] Security Patches Automatically Applied (DCF-51)\n- [OK] Malware Detection Software Installed (DCF-50)\n- [OK] Automatic Disconnect of Inactive Remote-Access (DCF-488)\n- [OK] Encrypted Remote Production Access (DCF-92)\n- [OK] Unique SSH (DCF-72)\n- [OK] Architectural Diagram (DCF-21)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:59.520455+00:00",
      "ksi_name": "Restricting Network Traffic",
      "category": "CNA",
      "statement": "Persistently ensure all machine-based information resources are configured to limit inbound and outbound network traffic.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/cloud-native-architecture/",
      "nist_controls": [
        "AC-17.3",
        "CA-9",
        "CM-7.1",
        "SC-7.5",
        "SI-8"
      ],
      "failure_conditions": {
        "conditional_check": "All machine-based information resources within Sustainment's AWS environment limit inbound and outbound network traffic to only what is necessary through encrypted access, SSH key management, and automated security controls.",
        "failure_condition": "Unauthorized inbound or outbound traffic, overly permissive firewall rules, unencrypted remote access, or failure to disconnect inactive sessions will cause a failure of the test. Additionally, spam protection, malware detection, automated security patching, unique SSH keys, encrypted remote production access, and a current architectural diagram must be in place to ensure network traffic is restricted to authorized flows only."
      },
      "outcome_metrics": [
        {
          "statement": "Network segmentation enforced; only approved traffic flows permitted between segments",
          "metric_name": "Integrity",
          "target_value": "0 unapproved traffic paths; 100% of segmentation rules match policy",
          "target_unit": "",
          "frequency": "Monthly",
          "source": "Network flow logs; firewall rule audit; IaC network policy",
          "notes": "Unapproved traffic path detected or segmentation rule out of policy"
        }
      ],
      "monitoring": {
        "total_tests": 2,
        "passed": 2,
        "failed": 0,
        "controls_with_monitoring": 2,
        "monitoring_coverage": 22.2,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-CNA-RVP",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:20:00.109937+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-653 (DCF-653)",
          "control_id": "DCF-653",
          "status": "Passing",
          "description": "Drata control status for DCF-653",
          "date": "2026-07-02T13:20:00.109937+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-214 (DCF-214)",
          "control_id": "DCF-214",
          "status": "Passing",
          "description": "Drata control status for DCF-214",
          "date": "2026-07-02T13:20:00.109937+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-154 (DCF-154)",
          "control_id": "DCF-154",
          "status": "Passing",
          "description": "Drata control status for DCF-154",
          "date": "2026-07-02T13:20:00.109937+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-51 (DCF-51)",
          "control_id": "DCF-51",
          "status": "Passing",
          "description": "Drata control status for DCF-51",
          "date": "2026-07-02T13:20:00.109937+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-50 (DCF-50)",
          "control_id": "DCF-50",
          "status": "Passing",
          "description": "Drata control status for DCF-50",
          "date": "2026-07-02T13:20:00.109937+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-166 (DCF-166)",
          "control_id": "DCF-166",
          "status": "Passing",
          "description": "Drata control status for DCF-166",
          "date": "2026-07-02T13:20:00.109937+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-159 (DCF-159)",
          "control_id": "DCF-159",
          "status": "Passing",
          "description": "Drata control status for DCF-159",
          "date": "2026-07-02T13:20:00.109937+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-26 (DCF-26)",
          "control_id": "DCF-26",
          "status": "Passing",
          "description": "Drata control status for DCF-26",
          "date": "2026-07-02T13:20:00.109937+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-25 (DCF-25)",
          "control_id": "DCF-25",
          "status": "Passing",
          "description": "Drata control status for DCF-25",
          "date": "2026-07-02T13:20:00.109937+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-CNA-RVP",
          "control_name": "Custom Automated Check: KSI-CNA-RVP",
          "control_description": "9/9 mapped controls passing; Sustainment Technologies' Incident Response Plan and Business Continuity Plan establish procedures for protecting against denial-of-service attacks and other unwanted activity. This is implemented through spam protection, network traffic denial controls, malware detection, automated patching, and a documented disaster recovery plan. Drata monitors the effectiveness of these protections through automated tests, while annual incident response exercises and BCP/DR testing validate the organization's ability to withstand and recover from attacks.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:20:00.109937+00:00",
          "updated_at": "2026-07-02T13:20:00.109937+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:20:00.109937+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-653 (DCF-653)",
              "description": "Drata control status for DCF-653",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.109937+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150956+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-214 (DCF-214)",
              "description": "Drata control status for DCF-214",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.109937+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150962+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-154 (DCF-154)",
              "description": "Drata control status for DCF-154",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.109937+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150967+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-51 (DCF-51)",
              "description": "Drata control status for DCF-51",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.109937+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150973+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-50 (DCF-50)",
              "description": "Drata control status for DCF-50",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.109937+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150979+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-166 (DCF-166)",
              "description": "Drata control status for DCF-166",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.109937+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150985+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-159 (DCF-159)",
              "description": "Drata control status for DCF-159",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.109937+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150991+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-26 (DCF-26)",
              "description": "Drata control status for DCF-26",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.109937+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.150997+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-25 (DCF-25)",
              "description": "Drata control status for DCF-25",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.109937+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151003+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 4,
            "passed": 4,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 134,
                "name": "Security Patches Auto-Applied on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices are configured to apply  system security patches automatically.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 65,
                "enabled": true
              },
              {
                "test_id": 133,
                "name": "Malware Detection Software Installed on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices have  antimalware software installed.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 64,
                "enabled": true
              },
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              },
              {
                "test_id": 12,
                "name": "Disaster Recovery Plan",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Disaster Recovery Plan and confirmed that it outlines roles and responsibilities and detailed procedures for recovery of systems.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 28,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-653",
              "DCF-214",
              "DCF-154",
              "DCF-51",
              "DCF-50",
              "DCF-166",
              "DCF-159",
              "DCF-26",
              "DCF-25"
            ]
          }
        },
        {
          "control_id": "DCF-653",
          "control_name": "Spam Protection",
          "control_description": "Sustainment Technologies Inc has spam protection at system entry and exit points to detect unsolicited messages.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:16.976Z",
          "updated_at": "2025-11-24T18:38:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-653-evidence",
              "name": "Spam Protection (DCF-653)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T18:38:51.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151009+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-653-policy",
              "name": "Policy Documentation - Spam Protection (DCF-653)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151015+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 615,
          "explanation": "Drata's \"Spam Protection\" control addresses KSI-CNA-RVP by actively monitoring and filtering malicious traffic – including potential DoS attack vectors disguised as unwanted messages – at system boundaries. This persistent review and blocking of unsolicited activity demonstrates ongoing effectiveness in protecting against disruptive unwanted activity, fulfilling the FedRAMP requirement for continuous monitoring of protection measures. The control aligns with NIST SI-8 (Incident Reporting and Analysis) by helping identify and potentially prevent incidents before they escalate.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-214",
          "control_name": "Network Traffic Denial",
          "control_description": "Sustainment Technologies Inc ensures that all other inbound and outbound traffic is specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:52.059Z",
          "updated_at": "2026-06-26T19:38:06.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:29.244Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-214-evidence",
              "name": "Network Traffic Denial (DCF-214)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-26T19:38:06.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151021+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-214-policy",
              "name": "Policy Documentation - Network Traffic Denial (DCF-214)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-06-26T19:38:06.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151027+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 241,
          "explanation": "Drata’s \"Network Traffic Denial\" control directly addresses KSI-CNA-RVP by establishing a baseline of *explicitly* blocked traffic, effectively limiting the attack surface and preventing unwanted activity like DoS attacks. This proactive, \"deny all\" approach ensures continuous monitoring and protection – fulfilling the requirement for *persistent review* of effectiveness against disruptive events, as evidenced by alignment with NIST SC-5 (System and Communications Protection).",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-154",
          "control_name": "Annual Incident Response Test",
          "control_description": "Sustainment Technologies Inc ensures that incident response plan testing is performed on an annual basis.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.974Z",
          "updated_at": "2025-11-24T13:51:34.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-154-evidence",
              "name": "Annual Incident Response Test (DCF-154)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151034+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-154-policy",
              "name": "Policy Documentation - Annual Incident Response Test (DCF-154)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151040+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 126,
          "explanation": "Drata's Annual Incident Response Test satisfies KSI-CNA-RVP by demonstrating a proactive and *reviewed* capability to handle disruptive events like DoS attacks – a key component of persistent monitoring for \"unwanted activity.\" Successfully completing and reviewing the test proves the organization can effectively *respond* to and mitigate attacks, verifying the effectiveness of existing protections as required by the FedRAMP KSI. This aligns with NIST SC-5 (Incident Response Planning) which underpins a robust defense against such threats.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-51",
          "control_name": "Security Patches Automatically Applied",
          "control_description": "Sustainment Technologies Inc's workstations operating system (OS) security patches are applied automatically.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.213Z",
          "updated_at": "2026-05-27T19:01:28.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-51-evidence",
              "name": "Security Patches Automatically Applied (DCF-51)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151046+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-51-owner",
              "name": "Assigned Control Owner - Security Patches Automatically Applied (DCF-51)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151052+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-51-monitoring",
              "name": "Continuous Monitoring - Security Patches Automatically Applied (DCF-51)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151058+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 117,
          "explanation": "Drata's \"Security Patches Automatically Applied\" control directly addresses KSI-CNA-RVP by proactively mitigating vulnerabilities often exploited in denial-of-service and unwanted activity attacks. Regularly patching systems closes security gaps, reducing the attack surface and ensuring systems are resilient against common exploits – demonstrating persistent review and effectiveness of protection as required by FedRAMP. This aligns with NIST SI-8 (Vulnerability Scans) by automating a key component of vulnerability management.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 134,
                "name": "Security Patches Auto-Applied on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices are configured to apply  system security patches automatically.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 65,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-50",
          "control_name": "Malware Detection Software Installed",
          "control_description": "Sustainment Technologies Inc requires antivirus software to be installed on workstations to protect the network against malware.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.207Z",
          "updated_at": "2026-06-24T20:54:45.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-50-owner",
              "name": "Assigned Control Owner - Malware Detection Software Installed (DCF-50)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-24T20:54:45.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151064+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-50-monitoring",
              "name": "Continuous Monitoring - Malware Detection Software Installed (DCF-50)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-24T20:54:45.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151069+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-50-policy",
              "name": "Policy Documentation - Malware Detection Software Installed (DCF-50)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-06-24T20:54:45.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151075+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 116,
          "explanation": "This Drata control addresses KSI-CNA-RVP by proactively *reducing* the potential for successful denial-of-service attacks originating from malware-infected systems. By requiring antivirus software (SI-8), Sustainment Technologies Inc. mitigates a common vector used in DDoS and other unwanted activity, demonstrating a persistent review and protection mechanism as required by the FedRAMP KSI. Essentially, healthy endpoints are less likely to *participate* in attacks or become compromised and contribute to disruptions.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 133,
                "name": "Malware Detection Software Installed on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices have  antimalware software installed.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 64,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-166",
          "control_name": "Business Continuity Plan",
          "control_description": "Sustainment Technologies Inc has a defined Business Continuity Plan that outlines the proper procedures to respond, recover, resume, and restore operations following a disruption or significant change.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.834Z",
          "updated_at": "2025-11-24T13:51:38.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-166-policy",
              "name": "Policy Documentation - Business Continuity Plan (DCF-166)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151081+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 91,
          "explanation": "The Business Continuity Plan (BCP) addresses KSI-CNA-RVP by detailing recovery procedures following a disruption, which inherently includes scenarios like denial-of-service attacks Ã¢â‚¬â€œ ensuring operations can *resume* despite unwanted activity. Regularly reviewing and updating the BCP (as implied by \"persistently review\" in the KSI) demonstrates ongoing assessment of the effectiveness of protective measures and recovery capabilities, satisfying the requirement for proactive monitoring. This aligns with NIST SC-5 (Planning) which focuses on developing and implementing a business continuity plan.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-159",
          "control_name": "Incident Response Plan",
          "control_description": "Sustainment Technologies Inc has an established Incident Response Plan that outlines management responsibilities and procedures to ensure a quick, effective, and orderly response to information security incidents and annual testing.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.576Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-159-evidence",
              "name": "Incident Response Plan (DCF-159)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151087+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-owner",
              "name": "Assigned Control Owner - Incident Response Plan (DCF-159)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151094+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-monitoring",
              "name": "Continuous Monitoring - Incident Response Plan (DCF-159)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151100+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 77,
          "explanation": "The Incident Response Plan (IRP) satisfies KSI-CNA-RVP by detailing procedures for identifying, containing, and recovering from incidents Ã¢â‚¬â€œ including DoS attacks Ã¢â‚¬â€œ demonstrating *review of effectiveness* through planned response and post-incident analysis. Annual testing of the IRP, as described, confirms the plan remains current and capable of addressing evolving threats, fulfilling the *persistent review* aspect of the requirement. This aligns with NIST SC-5 which covers incident handling.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-26",
          "control_name": "BCP/DR Tests Conducted Annually",
          "control_description": "Sustainment Technologies Inc conducts annual BCP/DR tests and documents according to the BCDR Plan.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.875Z",
          "updated_at": "2025-11-24T13:51:33.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-26-evidence",
              "name": "BCP/DR Tests Conducted Annually (DCF-26)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:33.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151106+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-26-policy",
              "name": "Policy Documentation - BCP/DR Tests Conducted Annually (DCF-26)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:33.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151112+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 11,
          "explanation": "Drata's \"BCP/DR Tests Conducted Annually\" control satisfies KSI-CNA-RVP by demonstrating a *proactive* and *documented* review of system resilience Ã¢â‚¬â€œ specifically, the ability to maintain availability during disruptive events like DDoS attacks (covered within BCP/DR scenarios). Regularly testing the Business Continuity and Disaster Recovery plan (and documenting results) proves ongoing effectiveness of protective measures against unwanted activity and ensures systems can recover, fulfilling the persistent review requirement of the KSI.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-25",
          "control_name": "Disaster Recovery Plan",
          "control_description": "Sustainment Technologies Inc has an established Disaster Recovery Plan that outlines roles and responsibilities and detailed procedures for recovery of systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.870Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-25-owner",
              "name": "Assigned Control Owner - Disaster Recovery Plan (DCF-25)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151124+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-25-monitoring",
              "name": "Continuous Monitoring - Disaster Recovery Plan (DCF-25)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151131+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-25-policy",
              "name": "Policy Documentation - Disaster Recovery Plan (DCF-25)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151136+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 10,
          "explanation": "The Disaster Recovery Plan (DRP) addresses KSI-CNA-RVP by demonstrating a proactive approach to system resilience Ã¢â‚¬â€œ a key component of defending against disruptive attacks like DDoS. By outlining recovery procedures and responsibilities (related to NIST SC-5), the DRP ensures systems can be restored quickly following an incident, effectively mitigating the impact of denial-of-service or other unwanted activity and fulfilling the \"persistently review effectiveness\" requirement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 12,
                "name": "Disaster Recovery Plan",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Disaster Recovery Plan and confirmed that it outlines roles and responsibilities and detailed procedures for recovery of systems.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 28,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "Sustainment Technologies' Incident Response Plan and Business Continuity Plan establish procedures for protecting against denial-of-service attacks and other unwanted activity. This is implemented through spam protection, network traffic denial controls, malware detection, automated patching, and a documented disaster recovery plan. Drata monitors the effectiveness of these protections through automated tests, while annual incident response exercises and BCP/DR testing validate the organization's ability to withstand and recover from attacks.\n### Key Controls\n- [OK] Spam Protection (DCF-653)\n- [OK] Network Traffic Denial (DCF-214)\n- [OK] Annual Incident Response Test (DCF-154)\n- [OK] Security Patches Automatically Applied (DCF-51)\n- [OK] Malware Detection Software Installed (DCF-50)\n- [OK] Business Continuity Plan (DCF-166)\n- [OK] Incident Response Plan (DCF-159)\n- [OK] BCP/DR Tests Conducted Annually (DCF-26)\n- [OK] Disaster Recovery Plan (DCF-25)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:20:00.109937+00:00",
      "ksi_name": "Reviewing Protections",
      "category": "CNA",
      "statement": "Persistently review the effectiveness of protection against denial of service attacks and other unwanted activity.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/cloud-native-architecture/",
      "nist_controls": [
        "SC-5",
        "SI-8",
        "SI-8.2"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment's AWS environment is protected against denial-of-service attacks and other unwanted activity through network traffic denial controls, malware detection, automated patching, and tested incident response and disaster recovery plans.",
        "failure_condition": "DDoS protection not active, network traffic denial controls disabled, malware detection not installed, or failure to apply security patches will cause a failure of the test. Additionally, an incident response plan, disaster recovery plan, business continuity plan, spam protection, and annual IR and BCP/DR testing must be in place to ensure protections are effective and recovery capabilities are validated."
      },
      "outcome_metrics": [
        {
          "statement": "Cloud native protections (WAF, DDoS, endpoint) are reviewed and validated",
          "metric_name": "Recency",
          "target_value": "All protective controls reviewed within 12 months; 0 lapsed protections",
          "target_unit": "",
          "frequency": "Quarterly",
          "source": "Protection review log; WAF/DDoS configuration audit",
          "notes": "Protective control not reviewed within 12 months or found disabled"
        }
      ],
      "monitoring": {
        "total_tests": 4,
        "passed": 4,
        "failed": 0,
        "controls_with_monitoring": 4,
        "monitoring_coverage": 40.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-CNA-ULN",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:55.609260+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-488 (DCF-488)",
          "control_id": "DCF-488",
          "status": "Passing",
          "description": "Drata control status for DCF-488",
          "date": "2026-07-02T13:19:55.609260+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-180 (DCF-180)",
          "control_id": "DCF-180",
          "status": "Passing",
          "description": "Drata control status for DCF-180",
          "date": "2026-07-02T13:19:55.609260+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-62 (DCF-62)",
          "control_id": "DCF-62",
          "status": "Passing",
          "description": "Drata control status for DCF-62",
          "date": "2026-07-02T13:19:55.609260+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-181 (DCF-181)",
          "control_id": "DCF-181",
          "status": "Passing",
          "description": "Drata control status for DCF-181",
          "date": "2026-07-02T13:19:55.609260+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-21 (DCF-21)",
          "control_id": "DCF-21",
          "status": "Passing",
          "description": "Drata control status for DCF-21",
          "date": "2026-07-02T13:19:55.609260+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-92 (DCF-92)",
          "control_id": "DCF-92",
          "status": "Passing",
          "description": "Drata control status for DCF-92",
          "date": "2026-07-02T13:19:55.609260+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-72 (DCF-72)",
          "control_id": "DCF-72",
          "status": "Passing",
          "description": "Drata control status for DCF-72",
          "date": "2026-07-02T13:19:55.609260+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-CNA-ULN",
          "control_name": "Custom Automated Check: KSI-CNA-ULN",
          "control_description": "7/7 mapped controls passing; Sustainment Technologies' Encryption Policy and network security standards require logical networking controls to enforce traffic flow between services. This is implemented through SSH key management, encrypted remote production access, session timeout controls, automatic disconnection of inactive sessions, and secure information transfer protocols. The architectural diagram documents the logical network topology, and Drata monitors encryption compliance to verify that traffic flow controls are enforced as designed.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:55.609260+00:00",
          "updated_at": "2026-07-02T13:19:55.609260+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:55.609260+00:00",
          "requirements_updated_at": "",
          "evidence_count": 7,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-488 (DCF-488)",
              "description": "Drata control status for DCF-488",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.609260+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151143+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-180 (DCF-180)",
              "description": "Drata control status for DCF-180",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.609260+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151149+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-62 (DCF-62)",
              "description": "Drata control status for DCF-62",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.609260+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151155+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-181 (DCF-181)",
              "description": "Drata control status for DCF-181",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.609260+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151161+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-21 (DCF-21)",
              "description": "Drata control status for DCF-21",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.609260+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151167+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-92 (DCF-92)",
              "description": "Drata control status for DCF-92",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.609260+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151173+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-72 (DCF-72)",
              "description": "Drata control status for DCF-72",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.609260+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151179+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 119,
                "name": "Security Policies Cover Encryption",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they explain the procedures for encrypting sensitive data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 127,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-488",
              "DCF-180",
              "DCF-62",
              "DCF-181",
              "DCF-21",
              "DCF-92",
              "DCF-72"
            ]
          }
        },
        {
          "control_id": "DCF-488",
          "control_name": "Automatic Disconnect of Inactive Remote-Access",
          "control_description": "Sustainment Technologies Inc has included automatic disconnect of sessions for remote-access technologies after a specific period of inactivity in critical technologies usage policy.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:00.379Z",
          "updated_at": "2025-11-24T13:51:27.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-488-evidence",
              "name": "Automatic Disconnect of Inactive Remote-Access (DCF-488)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:27.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151184+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-488-owner",
              "name": "Assigned Control Owner - Automatic Disconnect of Inactive Remote-Access (DCF-488)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:27.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151190+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 507,
          "explanation": "This Drata control satisfies KSI-CNA-ULN by implementing a technical control (automatic disconnect) that limits the blast radius of compromised remote access sessions. By automatically terminating inactive sessions, it enforces traffic flow control – preventing potentially malicious traffic from continuing even if credentials are stolen or a session is left unattended, thus aligning with the FedRAMP requirement for logical network enforcement. The control directly addresses NIST AC-12 (session management) and SC-10 (network segmentation) contributing to overall security posture.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-180",
          "control_name": "Secure Information Transfer",
          "control_description": "Sustainment Technologies Inc has a defined process to ensure the secure transfer of information internally and externally.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:44.309Z",
          "updated_at": "2025-11-24T13:51:40.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-180-policy",
              "name": "Policy Documentation - Secure Information Transfer (DCF-180)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151196+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 183,
          "explanation": "Drata's \"Secure Information Transfer\" control satisfies KSI-CNA-ULN by demonstrating a defined process for controlling *how* information flows – both within the system and to/from external parties. This process inherently utilizes logical networking principles (like access controls and encryption) to enforce those traffic flow restrictions, fulfilling the requirement to manage and secure data in transit as FedRAMP dictates. Essentially, it proves STI isn't just *moving* data, but moving it *securely* with defined controls.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-62",
          "control_name": "Inactivity and Browser Exit Logout",
          "control_description": "Sustainment Technologies Inc automatically logs users out after a predefined inactivity interval and/or closure of the internet browser, and requires users to reauthenticate",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:39.714Z",
          "updated_at": "2025-11-24T13:51:27.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:16:19.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-62-evidence",
              "name": "Inactivity and Browser Exit Logout (DCF-62)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:27.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151202+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-62-policy",
              "name": "Policy Documentation - Inactivity and Browser Exit Logout (DCF-62)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:27.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151208+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 106,
          "explanation": "Drata’s \"Inactivity and Browser Exit Logout\" control satisfies KSI-CNA-ULN by limiting exposure of authenticated sessions, effectively controlling traffic flow *to* sensitive data after a user is no longer actively engaging with the system. This forced reauthentication acts as a logical control, preventing unauthorized access that could occur if sessions remained active indefinitely – aligning with the FedRAMP requirement to enforce traffic flow based on user activity. It maps to NIST SC-10 (Session Management) and AC-12 (Authentication) by establishing secure session handling practices.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-181",
          "control_name": "Encryption Policy",
          "control_description": "Sustainment Technologies Inc has a defined policy that establishes requirements for the use of cryptographic controls.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.777Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-181-owner",
              "name": "Assigned Control Owner - Encryption Policy (DCF-181)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151214+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-181-monitoring",
              "name": "Continuous Monitoring - Encryption Policy (DCF-181)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151220+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-181-policy",
              "name": "Policy Documentation - Encryption Policy (DCF-181)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151226+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 100,
          "explanation": "The Encryption Policy (satisfying SC-8) supports KSI-CNA-ULN by establishing *how* cryptographic controls are implemented, which are fundamental to securing traffic flow. Specifically, encryption *is* a key logical networking capability used to enforce traffic flow controls – ensuring only authorized data traverses the network, thus meeting the FedRAMP requirement. Essentially, a strong encryption policy dictates *how* traffic is protected as it flows within the system.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 119,
                "name": "Security Policies Cover Encryption",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they explain the procedures for encrypting sensitive data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 127,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-21",
          "control_name": "Architectural Diagram",
          "control_description": "Sustainment Technologies Inc maintains an accurate architectural diagram to document system boundaries to support the functioning of internal control.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.152Z",
          "updated_at": "2025-11-24T13:51:40.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-02-04T21:04:30.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-21-evidence",
              "name": "Architectural Diagram (DCF-21)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151233+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-21-owner",
              "name": "Assigned Control Owner - Architectural Diagram (DCF-21)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151238+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-21-policy",
              "name": "Policy Documentation - Architectural Diagram (DCF-21)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151244+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 66,
          "explanation": "The Architectural Diagram control satisfies KSI-CNA-ULN by visually documenting the network's logical boundaries and how traffic *should* flow. This documentation supports the implementation and verification of traffic flow controls – a core element of enforcing logical networking as required by the FedRAMP KSI. By mapping system connections, it enables demonstrable proof of how network segmentation and access controls are applied.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-92",
          "control_name": "Encrypted Remote Production Access",
          "control_description": "Users can only access the production system remotely through the use of encrypted communication systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.934Z",
          "updated_at": "2025-11-24T13:51:26.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-92-evidence",
              "name": "Encrypted Remote Production Access (DCF-92)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151250+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-92-owner",
              "name": "Assigned Control Owner - Encrypted Remote Production Access (DCF-92)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151257+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-92-policy",
              "name": "Policy Documentation - Encrypted Remote Production Access (DCF-92)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151262+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 27,
          "explanation": "Drata's \"Encrypted Remote Production Access\" control satisfies KSI-CNA-ULN by establishing a secure, encrypted channel for all remote access to the production system – effectively controlling traffic flow *to* that system. This encryption acts as a logical control, ensuring only authorized and encrypted traffic can reach production data, aligning with the FedRAMP requirement to enforce traffic flow controls via logical networking (and satisfying NIST SC-7's boundary protection focus).",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-72",
          "control_name": "Unique SSH",
          "control_description": "SSH users use unique accounts to access production machines. Additionally, the use of the “Root” account is not allowed.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:39.720Z",
          "updated_at": "2026-04-29T16:53:43.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-72-evidence",
              "name": "Unique SSH (DCF-72)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T16:53:43.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151269+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-72-owner",
              "name": "Assigned Control Owner - Unique SSH (DCF-72)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T16:53:43.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151275+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-72-policy",
              "name": "Policy Documentation - Unique SSH (DCF-72)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T16:53:43.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151280+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 107,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' Encryption Policy and network security standards require logical networking controls to enforce traffic flow between services. This is implemented through SSH key management, encrypted remote production access, session timeout controls, automatic disconnection of inactive sessions, and secure information transfer protocols. The architectural diagram documents the logical network topology, and Drata monitors encryption compliance to verify that traffic flow controls are enforced as designed.\n### Key Controls\n- [OK] Automatic Disconnect of Inactive Remote-Access (DCF-488)\n- [OK] Secure Information Transfer (DCF-180)\n- [OK] Inactivity and Browser Exit Logout (DCF-62)\n- [OK] Encryption Policy (DCF-181)\n- [OK] Architectural Diagram (DCF-21)\n- [OK] Encrypted Remote Production Access (DCF-92)\n- [OK] Unique SSH (DCF-72)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:55.609260+00:00",
      "ksi_name": "Using Logical Networking",
      "category": "CNA",
      "statement": "Use logical networking and related capabilities to enforce traffic flow controls.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/cloud-native-architecture/",
      "nist_controls": [
        "AC-12",
        "AC-17.3",
        "CA-9",
        "SC-4",
        "SC-7",
        "SC-7.7",
        "SC-8",
        "SC-10"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment's AWS environment enforces logical networking controls to manage traffic flow between services through encrypted access, SSH key management, session controls, and a documented network topology.",
        "failure_condition": "Network segmentation not enforced, traffic flowing between isolated segments, unencrypted remote access, or failure to disconnect inactive sessions will cause a failure of the test. Additionally, an encryption policy, unique SSH keys, encrypted remote production access, session timeout controls, secure information transfer protocols, and a current architectural diagram must be in place to ensure logical network boundaries are maintained."
      },
      "outcome_metrics": [
        {
          "statement": "Logical network boundaries (VPC/VNet, subnets) correctly isolate workloads",
          "metric_name": "Integrity",
          "target_value": "100% of workloads deployed in approved network segments; 0 boundary violations",
          "target_unit": "",
          "frequency": "Quarterly",
          "source": "IaC network definitions; cloud network topology audit",
          "notes": "Workload outside approved network segment or boundary violation detected"
        }
      ],
      "monitoring": {
        "total_tests": 1,
        "passed": 1,
        "failed": 0,
        "controls_with_monitoring": 1,
        "monitoring_coverage": 12.5,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-CED-DET",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:57.678081+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-503 (DCF-503)",
          "control_id": "DCF-503",
          "status": "Passing",
          "description": "Drata control status for DCF-503",
          "date": "2026-07-02T13:19:57.678081+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-312 (DCF-312)",
          "control_id": "DCF-312",
          "status": "Passing",
          "description": "Drata control status for DCF-312",
          "date": "2026-07-02T13:19:57.678081+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-36 (DCF-36)",
          "control_id": "DCF-36",
          "status": "Passing",
          "description": "Drata control status for DCF-36",
          "date": "2026-07-02T13:19:57.678081+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-568 (DCF-568)",
          "control_id": "DCF-568",
          "status": "Passing",
          "description": "Drata control status for DCF-568",
          "date": "2026-07-02T13:19:57.678081+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-327 (DCF-327)",
          "control_id": "DCF-327",
          "status": "Passing",
          "description": "Drata control status for DCF-327",
          "date": "2026-07-02T13:19:57.678081+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-CED-DET",
          "control_name": "Custom Automated Check: KSI-CED-DET",
          "control_description": "5/5 mapped controls passing; Sustainment Technologies maintains a direct training-and-review control set for development and engineering training effectiveness: developers complete periodic secure coding training, role-based security training is delivered and updated over time, and secure development expectations are embedded in both process and SDLC policy. Together, these controls provide direct evidence for persistent review of development and engineering training effectiveness.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:57.678081+00:00",
          "updated_at": "2026-07-02T13:19:57.678081+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:57.678081+00:00",
          "requirements_updated_at": "",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-503 (DCF-503)",
              "description": "Drata control status for DCF-503",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.678081+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151287+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-312 (DCF-312)",
              "description": "Drata control status for DCF-312",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.678081+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151293+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-36 (DCF-36)",
              "description": "Drata control status for DCF-36",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.678081+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151299+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-568 (DCF-568)",
              "description": "Drata control status for DCF-568",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.678081+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151304+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-327 (DCF-327)",
              "description": "Drata control status for DCF-327",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.678081+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151310+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 74,
                "name": "Security Awareness Training Completed",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security awareness training that all employees must complete on hire and confirmed that it provides information related to the tactics hackers use that could compromise the security of the company and its customers' data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 43,
                "enabled": true
              },
              {
                "test_id": 73,
                "name": "Policies for Security Awareness Training",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that the security team is responsible for training all employees on security at the company.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 42,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-503",
              "DCF-312",
              "DCF-36",
              "DCF-568",
              "DCF-327"
            ]
          }
        },
        {
          "control_id": "DCF-503",
          "control_name": "Multiple Methods for Security Awareness",
          "control_description": "Sustainment Technologies Inc's security awareness program includes multiple methods of communicating awareness and educating personnel, such as newsletters, web-based training, in-person training, team meetings, phishing simulations, etc. Periodic security updates are provided to personnel through t",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:00.826Z",
          "updated_at": "2025-11-24T13:51:28.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-503-policy",
              "name": "Policy Documentation - Multiple Methods for Security Awareness (DCF-503)",
              "description": "This control has an associated policy that has been approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:28.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151316+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 522,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-312",
          "control_name": "Periodic Secure Code Development Training",
          "control_description": "Developers are required to complete secure code development training at least once every 12 months, including training on software security relevant to their job function and development languages, secure software design and secure coding techniques, and how to use tools for detecting vulnerabilitie",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:55.227Z",
          "updated_at": "2025-11-24T13:51:28.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:28.204Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-312-evidence",
              "name": "Periodic Secure Code Development Training (DCF-312)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:28.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151323+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-312-policy",
              "name": "Policy Documentation - Periodic Secure Code Development Training (DCF-312)",
              "description": "This control has an associated policy that has been approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:28.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151329+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 336,
          "explanation": "Periodic Secure Code Development Training is direct evidence that development and engineering personnel receive recurring training on secure coding practices relevant to their work.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-36",
          "control_name": "Security Training",
          "control_description": "Sustainment Technologies Inc has established training programs for privacy and information security to help employees understand their obligations and responsibilities to comply with Sustainment Technologies Inc's security policies and procedures, including the identification and reporting of incide",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:35.660Z",
          "updated_at": "2026-05-12T13:22:50.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-36-owner",
              "name": "Assigned Control Owner - Security Training (DCF-36)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-12T13:22:50.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151335+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-36-monitoring",
              "name": "Continuous Monitoring - Security Training (DCF-36)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-12T13:22:50.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151341+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-36-policy",
              "name": "Policy Documentation - Security Training (DCF-36)",
              "description": "This control has an associated policy that has been approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-12T13:22:50.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151347+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 57,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 74,
                "name": "Security Awareness Training Completed",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security awareness training that all employees must complete on hire and confirmed that it provides information related to the tactics hackers use that could compromise the security of the company and its customers' data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 43,
                "enabled": true
              },
              {
                "test_id": 73,
                "name": "Policies for Security Awareness Training",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that the security team is responsible for training all employees on security at the company.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 42,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-568",
          "control_name": "Records of Competence",
          "control_description": "Sustainment Technologies Inc maintains documentation of the necessary competence of personnel affecting its information security program.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:10.336Z",
          "updated_at": "2026-05-12T13:22:50.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:28.246Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-568-monitoring",
              "name": "Continuous Monitoring - Records of Competence (DCF-568)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-12T13:22:50.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151353+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 582,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 74,
                "name": "Security Awareness Training Completed",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security awareness training that all employees must complete on hire and confirmed that it provides information related to the tactics hackers use that could compromise the security of the company and its customers' data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 43,
                "enabled": true
              },
              {
                "test_id": 73,
                "name": "Policies for Security Awareness Training",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that the security team is responsible for training all employees on security at the company.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 42,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-327",
          "control_name": "System Access Roles Defined",
          "control_description": "Sustainment Technologies Inc defines access needs for each role, including: System components and data resources that each role needs to access for their job function; Level of privilege required for accessing resources.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:55.642Z",
          "updated_at": "2026-06-26T13:50:40.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:14:39.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": 146,
              "name": "Okta Engineering Roles",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/146_Okta Engineering Roles.png",
              "updated_at": "2026-02-06T17:57:22.802Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151541+00:00",
                "status": "hashed",
                "sha256": "5aa80399ba4663008fcce3c4b0653657e1a5a2250b72fd740c7082ee4db20dc1",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/146_Okta Engineering Roles.png",
                "filename": "146_Okta Engineering Roles.png",
                "size_bytes": 268240,
                "modified_at": "2026-07-02T13:16:59+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-327-policy",
              "name": "Policy Documentation - System Access Roles Defined (DCF-327)",
              "description": "This control has an associated policy that has been approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-06-26T13:50:40.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151773+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 351,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies maintains a direct training-and-review control set for development and engineering training effectiveness: developers complete periodic secure coding training, role-based security training is delivered and updated over time, and secure development expectations are embedded in both process and SDLC policy. Together, these controls provide direct evidence for persistent review of development and engineering training effectiveness.\n### Key Controls\n- [OK] Multiple Methods for Security Awareness (DCF-503)\n- [OK] Periodic Secure Code Development Training (DCF-312)\n- [OK] Security Training (DCF-36)\n- [OK] Records of Competence (DCF-568)\n- [OK] System Access Roles Defined (DCF-327)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:57.678081+00:00",
      "ksi_name": "Reviewing Development and Engineering Training",
      "category": "CED",
      "statement": "Persistently review the effectiveness of role-specific training given to development and engineering staff that covers best practices for delivering secure software.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/cybersecurity-education/",
      "nist_controls": [
        "CP-3",
        "IR-2",
        "PS-6"
      ],
      "failure_conditions": {
        "conditional_check": "Development and engineering staff complete secure-development and role-specific security training, and the training program is reviewed through secure development process controls.",
        "failure_condition": "Failure to provide or refresh secure-development or role-specific training for development and engineering staff, failure to review and update role-based training content after significant changes, or absence of documented secure development process and SDLC policy controls will cause a failure of the test."
      },
      "outcome_metrics": [
        {
          "statement": "All developers and engineers complete required security training on schedule",
          "metric_name": "Completion",
          "target_value": "100% of in-scope dev/eng personnel complete training; avg time-to-train <= 14 days",
          "target_unit": "",
          "frequency": "Quarterly + at onboarding",
          "source": "Drata training completion report; LMS records",
          "notes": "Personnel overdue by more than 14 days or training content older than 12 months"
        }
      ],
      "monitoring": {
        "total_tests": 4,
        "passed": 4,
        "failed": 0,
        "controls_with_monitoring": 2,
        "monitoring_coverage": 33.3,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-CED-RGT",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:57.773469+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-568 (DCF-568)",
          "control_id": "DCF-568",
          "status": "Passing",
          "description": "Drata control status for DCF-568",
          "date": "2026-07-02T13:19:57.773469+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-503 (DCF-503)",
          "control_id": "DCF-503",
          "status": "Passing",
          "description": "Drata control status for DCF-503",
          "date": "2026-07-02T13:19:57.773469+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-36 (DCF-36)",
          "control_id": "DCF-36",
          "status": "Passing",
          "description": "Drata control status for DCF-36",
          "date": "2026-07-02T13:19:57.773469+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-742 (DCF-742)",
          "control_id": "DCF-742",
          "status": "Passing",
          "description": "Drata control status for DCF-742",
          "date": "2026-07-02T13:19:57.773469+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-684 (DCF-684)",
          "control_id": "DCF-684",
          "status": "Passing",
          "description": "Drata control status for DCF-684",
          "date": "2026-07-02T13:19:57.773469+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-CED-RGT",
          "control_name": "Custom Automated Check: KSI-CED-RGT",
          "control_description": "5/5 mapped controls passing; Sustainment Technologies maintains direct evidence for general employee security training through core annual security training, multiple awareness delivery methods, and tracked records of competence. Supporting policy and governance controls reinforce that all employees are trained on required security policies and procedures and that training effectiveness is maintained over time.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:57.773469+00:00",
          "updated_at": "2026-07-02T13:19:57.773469+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:57.773469+00:00",
          "requirements_updated_at": "",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-568 (DCF-568)",
              "description": "Drata control status for DCF-568",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.773469+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151780+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-503 (DCF-503)",
              "description": "Drata control status for DCF-503",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.773469+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151787+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-36 (DCF-36)",
              "description": "Drata control status for DCF-36",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.773469+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151793+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-742 (DCF-742)",
              "description": "Drata control status for DCF-742",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.773469+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151799+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-684 (DCF-684)",
              "description": "Drata control status for DCF-684",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.773469+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151804+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 74,
                "name": "Security Awareness Training Completed",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security awareness training that all employees must complete on hire and confirmed that it provides information related to the tactics hackers use that could compromise the security of the company and its customers' data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 43,
                "enabled": true
              },
              {
                "test_id": 73,
                "name": "Policies for Security Awareness Training",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that the security team is responsible for training all employees on security at the company.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 42,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-568",
              "DCF-503",
              "DCF-36",
              "DCF-742",
              "DCF-684"
            ]
          }
        },
        {
          "control_id": "DCF-568",
          "control_name": "Records of Competence",
          "control_description": "Sustainment Technologies Inc maintains documentation of the necessary competence of personnel affecting its information security program.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:10.336Z",
          "updated_at": "2026-05-12T13:22:50.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:28.246Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-568-monitoring",
              "name": "Continuous Monitoring - Records of Competence (DCF-568)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-12T13:22:50.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151810+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 582,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 74,
                "name": "Security Awareness Training Completed",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security awareness training that all employees must complete on hire and confirmed that it provides information related to the tactics that hackers take that could compromise the security of the company and its customers' data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 43,
                "enabled": true
              },
              {
                "test_id": 73,
                "name": "Policies for Security Awareness Training",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that the security team is responsible for training all employees on security at the company.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 42,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-503",
          "control_name": "Multiple Methods for Security Awareness",
          "control_description": "Sustainment Technologies Inc's security awareness program includes multiple methods of communicating awareness and educating personnel, such as newsletters, web-based training, in-person training, team meetings, phishing simulations, etc. Periodic security updates are provided to personnel through t",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:00.826Z",
          "updated_at": "2025-11-24T13:51:28.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-503-policy",
              "name": "Policy Documentation - Multiple Methods for Security Awareness (DCF-503)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:28.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151816+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 522,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-36",
          "control_name": "Security Training",
          "control_description": "Sustainment Technologies Inc has established training programs for privacy and information security to help employees understand their obligations and responsibilities to comply with Sustainment Technologies Inc's security policies and procedures, including the identification and reporting of incide",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:35.660Z",
          "updated_at": "2026-05-12T13:22:50.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-36-owner",
              "name": "Assigned Control Owner - Security Training (DCF-36)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-12T13:22:50.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151822+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-36-monitoring",
              "name": "Continuous Monitoring - Security Training (DCF-36)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-12T13:22:50.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151828+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-36-policy",
              "name": "Policy Documentation - Security Training (DCF-36)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-12T13:22:50.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151834+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 57,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 74,
                "name": "Security Awareness Training Completed",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security awareness training that all employees must complete on hire and confirmed that it provides information related to the tactics that hackers take that could compromise the security of the company and its customers' data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 43,
                "enabled": true
              },
              {
                "test_id": 73,
                "name": "Policies for Security Awareness Training",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that the security team is responsible for training all employees on security at the company.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 42,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-742",
          "control_name": "Insider Threat Awareness and Training",
          "control_description": "Sustainment Technologies Inc provides periodic awareness training on recognizing and reporting potential indicators of insider threat to managers and employees as deemed necessary by the organization. Training topics include how to communicate employee and management concerns regarding potential indicators",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171"
          ],
          "created_at": "2024-09-05T23:20:44.655Z",
          "updated_at": "2025-02-04T19:00:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-06-24T19:13:14.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-742-policy",
              "name": "Policy Documentation - Insider Threat Awareness and Training (DCF-742)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-02-04T19:00:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151840+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 713,
          "stale_evidence_count": 1,
          "all_evidence_stale": true,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-684",
          "control_name": "Redundancy of Processing",
          "control_description": "Sustainment Technologies Inc has implemented redundancy strategies for equipment, systems and processes as deemed necessary per the business continuity plans to meet availability requirements (e.g., redundancy in network components, production resources, supporting utilities, service providers, process",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [],
          "created_at": "2024-05-07T23:18:52.954Z",
          "updated_at": "2026-05-03T13:15:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2024-07-12T08:02:38.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-684-policy",
              "name": "Policy Documentation - Redundancy of Processing (DCF-684)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-03T13:15:21.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151846+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 680,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies maintains direct evidence for general employee security training through core annual security training, multiple awareness delivery methods, and tracked records of competence. Supporting policy and governance controls reinforce that all employees are trained on required security policies and procedures and that training effectiveness is maintained over time. Caveat: per this record, DCF-503, DCF-742 and DCF-684 have no monitoring tests, and the only evidence item for DCF-742 is flagged stale (all_evidence_stale is true).\n### Key Controls\n- [OK] Records of Competence (DCF-568)\n- [OK] Multiple Methods for Security Awareness (DCF-503)\n- [OK] Security Training (DCF-36)\n- [OK] Insider Threat Awareness and Training (DCF-742)\n- [OK] Redundancy of Processing (DCF-684)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:57.773469+00:00",
      "ksi_name": "Reviewing General Training",
      "category": "CED",
      "statement": "Persistently review the effectiveness of training given to all employees on policies, procedures, and security-related topics.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/cybersecurity-education/",
      "nist_controls": [
        "AT-2",
        "AT-2.2",
        "AT-2.3",
        "AT-3.5",
        "AT-4",
        "IR-2.3"
      ],
      "failure_conditions": {
        "conditional_check": "All employees have completed general security awareness training covering organizational policies, procedures, and security-related topics.",
        "failure_condition": "Failure to complete training within the first two weeks of onboarding or failure to complete it on an annual basis will cause a failure of the test. Additionally, policies for acceptable use, security awareness delivery methods, and competency tracking must be in place to ensure an effective general security training program."
      },
      "outcome_metrics": [
        {
          "statement": "Security training should show up in day-to-day behavior, not just course completion",
          "metric_name": "Behavior Adoption",
          "target_value": "Post-training control checks or simulations meet or exceed baseline by 5%; no sustained decline over 2 quarters",
          "target_unit": "",
          "frequency": "Quarterly",
          "source": "Phishing simulation results; policy acknowledgment checks; spot audits; baseline comparison",
          "notes": "Use the prior 90-day period as baseline"
        },
        {
          "statement": "General security training should reduce policy violations over time",
          "metric_name": "Policy Violation Rate",
          "target_value": "Rolling 90-day violation rate <= baseline + 10%; 3-month average trends downward",
          "target_unit": "",
          "frequency": "Monthly + quarterly review",
          "source": "Policy violation log; security investigations; HR escalation records; baseline comparison",
          "notes": "Flag sustained increases instead of isolated outliers"
        },
        {
          "statement": "Recurring user-driven incidents should become rare after training and reinforcement",
          "metric_name": "Repeat Incident Rate",
          "target_value": "No more than 10% of users are involved in 2+ incidents of the same class within 90 days",
          "target_unit": "",
          "frequency": "Monthly",
          "source": "Incident tracker; ticketing system; recurring issue review; baseline comparison",
          "notes": "Repeat incidents after coaching suggest ineffective training or missing reinforcement"
        }
      ],
      "monitoring": {
        "total_tests": 4,
        "passed": 4,
        "failed": 0,
        "controls_with_monitoring": 2,
        "monitoring_coverage": 33.3,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-CED-RRT",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:59.230725+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-25 (DCF-25)",
          "control_id": "DCF-25",
          "status": "Passing",
          "description": "Drata control status for DCF-25",
          "date": "2026-07-02T13:19:59.230725+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-28 (DCF-28)",
          "control_id": "DCF-28",
          "status": "Passing",
          "description": "Drata control status for DCF-28",
          "date": "2026-07-02T13:19:59.230725+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-30 (DCF-30)",
          "control_id": "DCF-30",
          "status": "Passing",
          "description": "Drata control status for DCF-30",
          "date": "2026-07-02T13:19:59.230725+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-602 (DCF-602)",
          "control_id": "DCF-602",
          "status": "Passing",
          "description": "Drata control status for DCF-602",
          "date": "2026-07-02T13:19:59.230725+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-154 (DCF-154)",
          "control_id": "DCF-154",
          "status": "Passing",
          "description": "Drata control status for DCF-154",
          "date": "2026-07-02T13:19:59.230725+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-26 (DCF-26)",
          "control_id": "DCF-26",
          "status": "Passing",
          "description": "Drata control status for DCF-26",
          "date": "2026-07-02T13:19:59.230725+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-29 (DCF-29)",
          "control_id": "DCF-29",
          "status": "Passing",
          "description": "Drata control status for DCF-29",
          "date": "2026-07-02T13:19:59.230725+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-CED-RRT",
          "control_name": "Custom Automated Check: KSI-CED-RRT",
          "control_description": "7/7 mapped controls passing; Sustainment Technologies maintains direct response and recovery training evidence through role-based contingency training, dedicated incident response training, annual IR testing, and annual BCP/DR exercises. Plan controls and post-incident follow-up/lessons-learned controls provide a persistent feedback loop to review and improve response and recovery training effectiveness.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:59.230725+00:00",
          "updated_at": "2026-07-02T13:19:59.230725+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:59.230725+00:00",
          "requirements_updated_at": "",
          "evidence_count": 7,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-25 (DCF-25)",
              "description": "Drata control status for DCF-25",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.230725+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151853+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-28 (DCF-28)",
              "description": "Drata control status for DCF-28",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.230725+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151859+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-30 (DCF-30)",
              "description": "Drata control status for DCF-30",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.230725+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151864+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-602 (DCF-602)",
              "description": "Drata control status for DCF-602",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.230725+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151869+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-154 (DCF-154)",
              "description": "Drata control status for DCF-154",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.230725+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151875+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-26 (DCF-26)",
              "description": "Drata control status for DCF-26",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.230725+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151881+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-29 (DCF-29)",
              "description": "Drata control status for DCF-29",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.230725+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151887+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 5,
            "passed": 5,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 12,
                "name": "Disaster Recovery Plan",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Disaster Recovery Plan and confirmed that it outlines roles and responsibilities and detailed procedures for recovery of systems.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 28,
                "enabled": true
              },
              {
                "test_id": 87,
                "name": "Policies for Tracking Security Items",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it included a section about tracking follow-ups after an incident.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 32,
                "enabled": true
              },
              {
                "test_id": 89,
                "name": "IRP Includes Lessons Learned",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it included a section about documenting \"Lessons Learned\" after incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 35,
                "enabled": true
              },
              {
                "test_id": 74,
                "name": "Security Awareness Training Completed",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security awareness training that all employees must complete on hire and confirmed that it provides information related to the tactics that hackers take that could compromise the security of the company and its customers' data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 43,
                "enabled": true
              },
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-25",
              "DCF-28",
              "DCF-30",
              "DCF-602",
              "DCF-154",
              "DCF-26",
              "DCF-29"
            ]
          }
        },
        {
          "control_id": "DCF-25",
          "control_name": "Disaster Recovery Plan",
          "control_description": "Sustainment Technologies Inc has an established Disaster Recovery Plan that outlines roles and responsibilities and detailed procedures for recovery of systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.870Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-25-owner",
              "name": "Assigned Control Owner - Disaster Recovery Plan (DCF-25)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151892+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-25-monitoring",
              "name": "Continuous Monitoring - Disaster Recovery Plan (DCF-25)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151898+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-25-policy",
              "name": "Policy Documentation - Disaster Recovery Plan (DCF-25)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151904+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 10,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 12,
                "name": "Disaster Recovery Plan",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Disaster Recovery Plan and confirmed that it outlines roles and responsibilities and detailed procedures for recovery of systems.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 28,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-28",
          "control_name": "Follow-Ups Tracked",
          "control_description": "Sustainment Technologies Inc has implemented an Incident Response Plan that includes creating, prioritizing, assigning, and tracking follow-ups to completion and lend support to Business Continuity/Disaster Recovery.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.557Z",
          "updated_at": "2025-12-03T18:49:49.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-28-evidence",
              "name": "Follow-Ups Tracked (DCF-28)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-12-03T18:49:49.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151911+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-28-monitoring",
              "name": "Continuous Monitoring - Follow-Ups Tracked (DCF-28)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-12-03T18:49:49.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151918+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-28-policy",
              "name": "Policy Documentation - Follow-Ups Tracked (DCF-28)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-12-03T18:49:49.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.151924+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 73,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 87,
                "name": "Policies for Tracking Security Items",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it included a section about tracking follow-ups after an incident.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 32,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-30",
          "control_name": "Lessons Learned",
          "control_description": "Sustainment Technologies Inc has implemented an Incident Response Plan that includes documenting “Lessons Learned” and \"Root Cause Analysis\" after incidents and sharing them with the broader engineering team to support Business Continuity/Disaster Recovery.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.566Z",
          "updated_at": "2025-12-03T18:49:49.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 163,
              "name": "Sample IR Response + Lessons Learned",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/163_Sample IR Response  Lessons Learned.pdf",
              "updated_at": "2026-06-23T18:52:27.200Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152092+00:00",
                "status": "hashed",
                "sha256": "39e11bacf18fb01a18ac4565aa1866df90337e4976475988a98bce6ecd59a72f",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/163_Sample IR Response  Lessons Learned.pdf",
                "filename": "163_Sample IR Response  Lessons Learned.pdf",
                "size_bytes": 600019,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-30-monitoring",
              "name": "Continuous Monitoring - Lessons Learned (DCF-30)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-12-03T18:49:49.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152576+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-30-policy",
              "name": "Policy Documentation - Lessons Learned (DCF-30)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-12-03T18:49:49.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152583+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 75,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 89,
                "name": "IRP Includes Lessons Learned",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it included a section about documenting \"Lessons Learned\" after incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 35,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-602",
          "control_name": "Role-Based Contingency Training",
          "control_description": "Sustainment Technologies Inc provides up-to-date contingency training on specified intervals to users based on the users' roles and responsibilities.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:12.488Z",
          "updated_at": "2026-05-12T13:22:50.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:30.421Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 162,
              "name": "SecureFlag User Training Report",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/162_SecureFlag User Training Report.json",
              "updated_at": "2026-06-23T10:20:09.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152800+00:00",
                "status": "not_hashed",
                "reason": "local_file_not_found",
                "source": "evidence/documents/162_SecureFlag User Training Report.json"
              }
            },
            {
              "id": "DCF-602-monitoring",
              "name": "Continuous Monitoring - Role-Based Contingency Training (DCF-602)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-12T13:22:50.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152809+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-602-policy",
              "name": "Policy Documentation - Role-Based Contingency Training (DCF-602)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-12T13:22:50.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152815+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 593,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 74,
                "name": "Security Awareness Training Completed",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security awareness training that all employees must complete on hire and confirmed that it provides information related to the tactics that hackers take that could compromise the security of the company and its customers' data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 43,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-154",
          "control_name": "Annual Incident Response Test",
          "control_description": "Sustainment Technologies Inc ensures that incident response plan testing is performed on an annual basis.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.974Z",
          "updated_at": "2025-11-24T13:51:34.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-154-evidence",
              "name": "Annual Incident Response Test (DCF-154)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152822+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-154-policy",
              "name": "Policy Documentation - Annual Incident Response Test (DCF-154)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152828+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 126,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-26",
          "control_name": "BCP/DR Tests Conducted Annually",
          "control_description": "Sustainment Technologies Inc conducts annual BCP/DR tests and documents according to the BCDR Plan.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.875Z",
          "updated_at": "2025-11-24T13:51:33.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-26-evidence",
              "name": "BCP/DR Tests Conducted Annually (DCF-26)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:33.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152834+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-26-policy",
              "name": "Policy Documentation - BCP/DR Tests Conducted Annually (DCF-26)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:33.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152840+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 11,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-29",
          "control_name": "Incident Response Team",
          "control_description": "Sustainment Technologies Inc has identified an incident response team that quantifies and monitors incidents involving security, availability, processing integrity, and confidentiality at the company.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.562Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-29-evidence",
              "name": "Incident Response Team (DCF-29)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152846+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-owner",
              "name": "Assigned Control Owner - Incident Response Team (DCF-29)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152852+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-monitoring",
              "name": "Continuous Monitoring - Incident Response Team (DCF-29)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152858+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 74,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "Sustainment Technologies maintains direct response and recovery training evidence through role-based contingency training, dedicated incident response training, annual IR testing, and annual BCP/DR exercises. Plan controls and post-incident follow-up/lessons-learned controls provide a persistent feedback loop to review and improve response and recovery training effectiveness.\n### Key Controls\n- [OK] Disaster Recovery Plan (DCF-25)\n- [OK] Follow-Ups Tracked (DCF-28)\n- [OK] Lessons Learned (DCF-30)\n- [OK] Role-Based Contingency Training (DCF-602)\n- [OK] Annual Incident Response Test (DCF-154)\n- [OK] BCP/DR Tests Conducted Annually (DCF-26)\n- [OK] Incident Response Team (DCF-29)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:59.230725+00:00",
      "ksi_name": "Reviewing Response and Recovery Training",
      "category": "CED",
      "statement": "Persistently review the effectiveness of role-specific training given to staff involved with incident response or disaster recovery.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/cybersecurity-education/",
      "nist_controls": [],
      "failure_conditions": {
        "conditional_check": "All incident response and disaster recovery staff have completed role-specific training and participated in exercises that validate their readiness.",
        "failure_condition": "Failure to conduct IR/DR exercises at least annually, failure to train assigned staff within 30 days of role assignment, or failure to document and act on lessons learned from exercises will cause a failure of the test. Additionally, a disaster recovery plan, follow-up tracking, and an annual incident response test must be in place to ensure an effective response and recovery training program."
      },
      "outcome_metrics": [
        {
          "statement": "Incident response and recovery training completed by all required roles",
          "metric_name": "Completion",
          "target_value": "100% of IR-assigned personnel trained; tabletop/exercise completed annually",
          "target_unit": "",
          "frequency": "Annually",
          "source": "LMS IR training records; exercise after-action reports",
          "notes": "IR personnel not trained or no exercise conducted in 12 months"
        }
      ],
      "monitoring": {
        "total_tests": 5,
        "passed": 5,
        "failed": 0,
        "controls_with_monitoring": 5,
        "monitoring_coverage": 62.5,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-CED-RST",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:54.540021+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-826 (DCF-826)",
          "control_id": "DCF-826",
          "status": "Passing",
          "description": "Drata control status for DCF-826",
          "date": "2026-07-02T13:19:54.540021+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-827 (DCF-827)",
          "control_id": "DCF-827",
          "status": "Passing",
          "description": "Drata control status for DCF-827",
          "date": "2026-07-02T13:19:54.540021+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-602 (DCF-602)",
          "control_id": "DCF-602",
          "status": "Passing",
          "description": "Drata control status for DCF-602",
          "date": "2026-07-02T13:19:54.540021+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-568 (DCF-568)",
          "control_id": "DCF-568",
          "status": "Passing",
          "description": "Drata control status for DCF-568",
          "date": "2026-07-02T13:19:54.540021+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-327 (DCF-327)",
          "control_id": "DCF-327",
          "status": "Passing",
          "description": "Drata control status for DCF-327",
          "date": "2026-07-02T13:19:54.540021+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-CED-RST",
          "control_name": "Custom Automated Check: KSI-CED-RST",
          "control_description": "5/5 mapped controls passing; Sustainment Technologies uses a direct role-specific training control set for high-risk and privileged roles: role-based security training, program updates, targeted secure coding/contingency training, role definition for privileged access scope, and competency tracking. Together these controls provide direct and reviewable evidence that role-specific training remains effective over time.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:54.540021+00:00",
          "updated_at": "2026-07-02T13:19:54.540021+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:54.540021+00:00",
          "requirements_updated_at": "",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-826 (DCF-826)",
              "description": "Drata control status for DCF-826",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.540021+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152865+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-827 (DCF-827)",
              "description": "Drata control status for DCF-827",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.540021+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152871+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-602 (DCF-602)",
              "description": "Drata control status for DCF-602",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.540021+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152876+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-568 (DCF-568)",
              "description": "Drata control status for DCF-568",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.540021+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152882+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-327 (DCF-327)",
              "description": "Drata control status for DCF-327",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.540021+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152887+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 74,
                "name": "Security Awareness Training Completed",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security awareness training that all employees must complete on hire and confirmed that it provides information related to the tactics that hackers take that could compromise the security of the company and its customers' data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 43,
                "enabled": true
              },
              {
                "test_id": 73,
                "name": "Policies for Security Awareness Training",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that the security team is responsible for training all employees on security at the company.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 42,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-826",
              "DCF-827",
              "DCF-602",
              "DCF-568",
              "DCF-327"
            ]
          }
        },
        {
          "control_id": "DCF-826",
          "control_name": "Role-Based Security Training",
          "control_description": "Sustainment Technologies Inc provides specialized information security training to all personnel with security-related duties, roles, and responsibilities are defined on specific security topics, skills, processes, or methodologies that must be followed for those individuals to perform their securit",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171"
          ],
          "created_at": "2024-09-05T23:20:45.101Z",
          "updated_at": "2025-02-04T19:00:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-06-24T19:13:13.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-826-evidence",
              "name": "Role-Based Security Training (DCF-826)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-02-04T19:00:53.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152893+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-826-policy",
              "name": "Policy Documentation - Role-Based Security Training (DCF-826)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-02-04T19:00:53.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152899+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 734,
          "explanation": "Role-Based Security Training is direct evidence that personnel with security-relevant responsibilities receive role-specific training appropriate to their assigned duties.",
          "stale_evidence_count": 2,
          "all_evidence_stale": true,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-827",
          "control_name": "Role-Based Security Training Program Updates",
          "control_description": "The role-based security training program and its contents are reviewed and updated at periodic intervals and after any events deemed significant by the organization (e.g., responses to actual incidents, assessment findings, changes in regulatory requirements, introduction of new tools, technologies,",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171"
          ],
          "created_at": "2024-09-05T23:20:45.106Z",
          "updated_at": "2025-02-04T19:00:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-06-24T19:13:13.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-827-evidence",
              "name": "Role-Based Security Training Program Updates (DCF-827)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-02-04T19:00:53.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152905+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-827-policy",
              "name": "Policy Documentation - Role-Based Security Training Program Updates (DCF-827)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-02-04T19:00:53.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.152911+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 735,
          "explanation": "Role-Based Security Training Program Updates directly supports persistent review by showing the role-specific training program is periodically reassessed and updated.",
          "stale_evidence_count": 2,
          "all_evidence_stale": true,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-602",
          "control_name": "Role-Based Contingency Training",
          "control_description": "Sustainment Technologies Inc provides up-to-date contingency training on specified intervals to users based on the users' roles and responsibilities.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:12.488Z",
          "updated_at": "2026-05-12T13:22:50.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:30.421Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 162,
              "name": "SecureFlag User Training Report",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/162_SecureFlag User Training Report.json",
              "updated_at": "2026-06-23T10:20:09.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.153126+00:00",
                "status": "not_hashed",
                "reason": "local_file_not_found",
                "source": "evidence/documents/162_SecureFlag User Training Report.json"
              }
            },
            {
              "id": "DCF-602-monitoring",
              "name": "Continuous Monitoring - Role-Based Contingency Training (DCF-602)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-12T13:22:50.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.153138+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-602-policy",
              "name": "Policy Documentation - Role-Based Contingency Training (DCF-602)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-12T13:22:50.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.153148+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 593,
          "explanation": "Role-Based Contingency Training provides targeted role-specific preparedness training for high-risk operational/security roles.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 74,
                "name": "Security Awareness Training Completed",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security awareness training that all employees must complete on hire and confirmed that it provides information related to the tactics that hackers take that could compromise the security of the company and its customers' data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 43,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-568",
          "control_name": "Records of Competence",
          "control_description": "Sustainment Technologies Inc maintains documentation of the necessary competence of personnel affecting its information security program.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:10.336Z",
          "updated_at": "2026-05-12T13:22:50.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:28.246Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-568-monitoring",
              "name": "Continuous Monitoring - Records of Competence (DCF-568)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-12T13:22:50.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.153158+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 582,
          "explanation": "Records of Competence provides auditable evidence that role-specific training completion and competency are tracked over time.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 74,
                "name": "Security Awareness Training Completed",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security awareness training that all employees must complete on hire and confirmed that it provides information related to the tactics that hackers take that could compromise the security of the company and its customers' data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 43,
                "enabled": true
              },
              {
                "test_id": 73,
                "name": "Policies for Security Awareness Training",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that the security team is responsible for training all employees on security at the company.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 42,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-327",
          "control_name": "System Access Roles Defined",
          "control_description": "Sustainment Technologies Inc defines access needs for each role, including: System components and data resources that each role needs to access for their job function; Level of privilege required for accessing resources.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:55.642Z",
          "updated_at": "2026-06-26T13:50:40.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:14:39.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": 146,
              "name": "Okta Engineering Roles",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/146_Okta Engineering Roles.png",
              "updated_at": "2026-02-06T17:57:22.802Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.153325+00:00",
                "status": "hashed",
                "sha256": "5aa80399ba4663008fcce3c4b0653657e1a5a2250b72fd740c7082ee4db20dc1",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/146_Okta Engineering Roles.png",
                "filename": "146_Okta Engineering Roles.png",
                "size_bytes": 268240,
                "modified_at": "2026-07-02T13:16:59+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-327-policy",
              "name": "Policy Documentation - System Access Roles Defined (DCF-327)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-06-26T13:50:40.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.153564+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 351,
          "explanation": "System Access Roles Defined identifies privileged/high-risk role boundaries so training applicability and effectiveness can be reviewed by role.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies uses a direct role-specific training control set for high-risk and privileged roles: role-based security training, program updates, targeted secure coding/contingency training, role definition for privileged access scope, and competency tracking. Together these controls provide direct and reviewable evidence that role-specific training remains effective over time.\n### Key Controls\n- [OK] Role-Based Security Training (DCF-826)\n- [OK] Role-Based Security Training Program Updates (DCF-827)\n- [OK] Role-Based Contingency Training (DCF-602)\n- [OK] Records of Competence (DCF-568)\n- [OK] System Access Roles Defined (DCF-327)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:54.540021+00:00",
      "ksi_name": "Reviewing Role-Specific Training",
      "category": "CED",
      "statement": "Persistently review the effectiveness of role-specific training given to employees in high risk roles, including at least roles with privileged access.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/cybersecurity-education/",
      "nist_controls": [
        "AT-2",
        "AT-2.3",
        "AT-3",
        "SR-11.1"
      ],
      "failure_conditions": {
        "conditional_check": "All employees in high-risk roles, including those with privileged access, have completed role-specific security training appropriate to their elevated responsibilities.",
        "failure_condition": "Failure to complete role-specific training within the first two weeks of role assignment or failure to complete it on an annual basis will cause a failure of the test. Additionally, policies for secure code development training, multiple security awareness delivery methods, and defined system access roles must be in place to ensure an effective role-specific training program for privileged users."
      },
      "outcome_metrics": [
        {
          "statement": "Role-specific training completed by all high-risk and privileged access personnel",
          "metric_name": "Completion",
          "target_value": "100% of high-risk and privileged access personnel trained; role-specific training renewed annually",
          "target_unit": "",
          "frequency": "Annually",
          "source": "LMS role-specific training records; Drata DCF-826 / DCF-827 training completion reports",
          "notes": "Personnel in high-risk or privileged roles not trained within 2 weeks of role assignment or not renewed annually"
        }
      ],
      "monitoring": {
        "total_tests": 3,
        "passed": 3,
        "failed": 0,
        "controls_with_monitoring": 2,
        "monitoring_coverage": 33.3,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-IAM-AAM",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:57.581330+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-613 (DCF-613)",
          "control_id": "DCF-613",
          "status": "Passing",
          "description": "Drata control status for DCF-613",
          "date": "2026-07-02T13:19:57.581330+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-158 (DCF-158)",
          "control_id": "DCF-158",
          "status": "Passing",
          "description": "Drata control status for DCF-158",
          "date": "2026-07-02T13:19:57.581330+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-69 (DCF-69)",
          "control_id": "DCF-69",
          "status": "Passing",
          "description": "Drata control status for DCF-69",
          "date": "2026-07-02T13:19:57.581330+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-68 (DCF-68)",
          "control_id": "DCF-68",
          "status": "Passing",
          "description": "Drata control status for DCF-68",
          "date": "2026-07-02T13:19:57.581330+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-67 (DCF-67)",
          "control_id": "DCF-67",
          "status": "Passing",
          "description": "Drata control status for DCF-67",
          "date": "2026-07-02T13:19:57.581330+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-58 (DCF-58)",
          "control_id": "DCF-58",
          "status": "Passing",
          "description": "Drata control status for DCF-58",
          "date": "2026-07-02T13:19:57.581330+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-IAM-AAM",
          "control_name": "Custom Automated Check: KSI-IAM-AAM",
          "control_description": "6/6 mapped controls passing; Sustainment Technologies' System Access Control Policy requires secure, automated management of the full lifecycle of all accounts, roles, and groups. This is implemented through identity validation procedures, MFA enforcement for both internal and external users, automated password policy controls, and defined authentication protocols. Drata continuously monitors MFA enrollment and password policy compliance, ensuring that account provisioning, modification, and deprovisioning follow the established lifecycle process.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:57.581330+00:00",
          "updated_at": "2026-07-02T13:19:57.581330+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:57.581330+00:00",
          "requirements_updated_at": "",
          "evidence_count": 6,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-613 (DCF-613)",
              "description": "Drata control status for DCF-613",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.581330+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.153571+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-158 (DCF-158)",
              "description": "Drata control status for DCF-158",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.581330+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.153577+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-69 (DCF-69)",
              "description": "Drata control status for DCF-69",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.581330+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.153584+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-68 (DCF-68)",
              "description": "Drata control status for DCF-68",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.581330+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.153590+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-67 (DCF-67)",
              "description": "Drata control status for DCF-67",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.581330+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.153596+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-58 (DCF-58)",
              "description": "Drata control status for DCF-58",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.581330+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.153602+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 8,
            "passed": 8,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 59,
                "name": "Contractor Background Checks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that all new contractors had completed background checks upon hire.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 50,
                "enabled": true
              },
              {
                "test_id": 56,
                "name": "Employee Background Checks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that all new employees had completed background checks upon hire.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 47,
                "enabled": true
              },
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              },
              {
                "test_id": 63,
                "name": "Employees Acknowledge Data Protection Policy",
                "status": "PASSED",
                "description": "Sustainment Technologies Inc has established a Data Protection Policy and requires assigned employees to acknowledge it upon hire. Management monitors employees' acknowledgement of the policy.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 57,
                "enabled": true
              },
              {
                "test_id": 55,
                "name": "Employees Acknowledge the Acceptable Use Policy",
                "status": "PASSED",
                "description": "Drata confirmed that assigned employees have acknowledged the Acceptable Use Policy.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 45,
                "enabled": true
              },
              {
                "test_id": 34,
                "name": "Internal Password Policy for Employees",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's internal policy that governs the passwords employees set across services.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 89,
                "enabled": true
              },
              {
                "test_id": 33,
                "name": "MFA on Cloud Infrastructure",
                "status": "PASSED",
                "description": "Drata validated that each cloud infrastructure provider account has MFA enabled.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 88,
                "enabled": true
              },
              {
                "test_id": 31,
                "name": "MFA on Identity Provider",
                "status": "PASSED",
                "description": "Drata validated that each identity provider account has MFA enabled.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 86,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-613",
              "DCF-158",
              "DCF-69",
              "DCF-68",
              "DCF-67",
              "DCF-58"
            ]
          }
        },
        {
          "control_id": "DCF-613",
          "control_name": "Identity Evidence Validation and Verification Methods",
          "control_description": "Sustainment Technologies Inc has defined methods to validate and verify identity evidence consistent with system risks, roles, and privileges associated with the user account.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:07.970Z",
          "updated_at": "2025-11-24T18:38:39.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-613-monitoring",
              "name": "Continuous Monitoring - Identity Evidence Validation and Verification Methods (DCF-613)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T18:38:39.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.153609+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-613-policy",
              "name": "Policy Documentation - Identity Evidence Validation and Verification Methods (DCF-613)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:39.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.153615+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 569,
          "explanation": "This Drata control addresses KSI-IAM-AAM by demonstrating a process for confirming user identities *before* granting access, ensuring only authorized individuals receive system privileges. Validating identity evidence – as outlined in the control description – directly supports secure account lifecycle management and aligns with the automated privilege management required by FedRAMP, as evidenced by its link to NIST IA-12 (Identity Verification). Essentially, it proves STI isn't just *issuing* accounts, but verifying *who* is behind them.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 59,
                "name": "Contractor Background Checks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that all new contractors had completed background checks upon hire.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 50,
                "enabled": true
              },
              {
                "test_id": 56,
                "name": "Employee Background Checks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that all new employees had completed background checks upon hire.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 47,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-158",
          "control_name": "MFA Available for External Users",
          "control_description": "Sustainment Technologies Inc allows for external users to implement multi-factor authentication on their accounts in order to require two forms of authentication prior to authentication",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.967Z",
          "updated_at": "2025-11-24T13:51:26.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 3,
              "name": "MFA for external users",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/3_MFA for external users.png",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.153781+00:00",
                "status": "hashed",
                "sha256": "2fe9f3100c7247bbf490f2d77638913cc9c134f8b67c14344a98d1a1a87bf097",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/3_MFA for external users.png",
                "filename": "3_MFA for external users.png",
                "size_bytes": 271485,
                "modified_at": "2026-07-02T13:17:01+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 2,
              "name": "MFA on IDP accounts",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/2_MFA on IDP accounts.png",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.154180+00:00",
                "status": "hashed",
                "sha256": "2fe9f3100c7247bbf490f2d77638913cc9c134f8b67c14344a98d1a1a87bf097",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/2_MFA on IDP accounts.png",
                "filename": "2_MFA on IDP accounts.png",
                "size_bytes": 271485,
                "modified_at": "2026-07-02T13:17:01+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-158-owner",
              "name": "Assigned Control Owner - MFA Available for External Users (DCF-158)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.154427+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 33,
          "explanation": "Drata's \"MFA Available for External Users\" control directly supports FedRAMP KSI-IAM-AAM by strengthening account security – a core component of lifecycle management. Requiring MFA adds an extra layer of verification *before* access is granted, effectively controlling privileges and reducing the risk of unauthorized access from external accounts, aligning with the automation aspect of the requirement through enforced security measures. This aligns with NIST IA-12's focus on identity and authentication controls.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-69",
          "control_name": "System Access Granted",
          "control_description": "Appropriate levels of access to infrastructure and code review tools are granted to new employees within one week of their start date.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.923Z",
          "updated_at": "2025-11-24T13:51:30.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-69-monitoring",
              "name": "Continuous Monitoring - System Access Granted (DCF-69)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:30.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.154435+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-69-policy",
              "name": "Policy Documentation - System Access Granted (DCF-69)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:30.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.154442+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 25,
          "explanation": "Drata's \"System Access Granted\" control directly addresses KSI-IAM-AAM by demonstrating automated provisioning of access *upon* employee onboarding – fulfilling the lifecycle management aspect. Granting appropriate access within a defined timeframe (one week) proves timely privilege assignment, showcasing a secure and automated process for managing user access as required by FedRAMP KSI. This aligns with NIST IA-12 (Access Management) by establishing a defined process for granting and managing access rights.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              },
              {
                "test_id": 63,
                "name": "Employees Acknowledge Data Protection Policy",
                "status": "PASSED",
                "description": "Sustainment Technologies Inc has established a Data Protection Policy and requires assigned employees to acknowledge it upon hire. Management monitors employees' acknowledgement of the policy.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 57,
                "enabled": true
              },
              {
                "test_id": 55,
                "name": "Employees Acknowledge the Acceptable Use Policy",
                "status": "PASSED",
                "description": "Drata confirmed that assigned employees have acknowledged the Acceptable Use Policy.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 45,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-68",
          "control_name": "Password Policy",
          "control_description": "Sustainment Technologies Inc has established formal guidelines for passwords to govern the management and use of authentication mechanisms.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.917Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-68-owner",
              "name": "Assigned Control Owner - Password Policy (DCF-68)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.154450+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-68-monitoring",
              "name": "Continuous Monitoring - Password Policy (DCF-68)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.154462+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-68-policy",
              "name": "Policy Documentation - Password Policy (DCF-68)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.154470+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 24,
          "explanation": "The \"Password Policy\" control directly supports KSI-IAM-AAM by establishing rules for account security – a foundational element of lifecycle management. Strong password requirements (complexity, rotation) enforced through policy *automate* a key aspect of privilege management, reducing risk associated with compromised credentials and aligning with FedRAMP's need for secure access control. This aligns with NIST IA-12, which covers identification and authentication controls.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 34,
                "name": "Internal Password Policy for Employees",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's internal policy that governs the passwords employees set across services.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 89,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-67",
          "control_name": "MFA on Accounts",
          "control_description": "Sustainment Technologies Inc requires two factor authentication to access sensitive systems and applications in the form of user ID, password, OTP and/or certificate.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.912Z",
          "updated_at": "2026-07-01T14:26:23.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": 2,
              "name": "MFA on IDP accounts",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/2_MFA on IDP accounts.png",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.154647+00:00",
                "status": "hashed",
                "sha256": "2fe9f3100c7247bbf490f2d77638913cc9c134f8b67c14344a98d1a1a87bf097",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/2_MFA on IDP accounts.png",
                "filename": "2_MFA on IDP accounts.png",
                "size_bytes": 271485,
                "modified_at": "2026-07-02T13:17:01+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 1,
              "name": "MFA on VCS Accounts",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/1_MFA on VCS Accounts.png",
              "updated_at": "2026-04-29T13:20:19.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155035+00:00",
                "status": "hashed",
                "sha256": "51e20eaa89e609873b15e2573c717eea67ccfc037b2d8b791a336329dda9795f",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/1_MFA on VCS Accounts.png",
                "filename": "1_MFA on VCS Accounts.png",
                "size_bytes": 438374,
                "modified_at": "2026-07-02T13:17:01+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-67-owner",
              "name": "Assigned Control Owner - MFA on Accounts (DCF-67)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-07-01T14:26:23.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155419+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 23,
          "explanation": "This Drata control directly addresses KSI-IAM-AAM by automating a key aspect of secure account management – authentication strength. Requiring MFA adds a second factor *beyond* just usernames and passwords, significantly reducing the risk of unauthorized access and bolstering the lifecycle security of accounts accessing sensitive FedRAMP data, as outlined in the KSI requirement for automated privilege management. The control aligns with NIST IA-12 (Authentication) which supports FedRAMP's identity and access management goals.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 33,
                "name": "MFA on Cloud Infrastructure",
                "status": "PASSED",
                "description": "Drata validated that each cloud infrastructure provider account has MFA enabled.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 88,
                "enabled": true
              },
              {
                "test_id": 31,
                "name": "MFA on Identity Provider",
                "status": "PASSED",
                "description": "Drata validated that each identity provider account has MFA enabled.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 86,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-58",
          "control_name": "Authentication Protocol",
          "control_description": "Username and password (password standard implemented) or SSO required to authenticate into application, MFA optional for external users, and MFA required for employee users.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.899Z",
          "updated_at": "2025-11-24T13:51:26.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-58-evidence",
              "name": "Authentication Protocol (DCF-58)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155427+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-58-owner",
              "name": "Assigned Control Owner - Authentication Protocol (DCF-58)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155434+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-58-policy",
              "name": "Policy Documentation - Authentication Protocol (DCF-58)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155441+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 20,
          "explanation": "This Drata control addresses KSI-IAM-AAM by establishing a baseline for secure account access – requiring strong authentication (username/password *or* SSO) and enforcing Multi-Factor Authentication (MFA) for privileged internal users. This automated authentication process directly supports lifecycle management and privilege control as defined by the FedRAMP requirement, ensuring only authorized individuals gain access with appropriate security layers. The NIST IA-12 mapping further validates its alignment with identity and access management best practices.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' System Access Control Policy requires secure, automated management of the full lifecycle of all accounts, roles, and groups. This is implemented through identity validation procedures, MFA enforcement for both internal and external users, automated password policy controls, and defined authentication protocols. Drata continuously monitors MFA enrollment and password policy compliance, ensuring that account provisioning, modification, and deprovisioning follow the established lifecycle process.\n### Key Controls\n- [OK] Identity Evidence Validation and Verification Methods (DCF-613)\n- [OK] MFA Available for External Users (DCF-158)\n- [OK] System Access Granted (DCF-69)\n- [OK] Password Policy (DCF-68)\n- [OK] MFA on Accounts (DCF-67)\n- [OK] Authentication Protocol (DCF-58)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:57.581330+00:00",
      "ksi_name": "Automating Account Management",
      "category": "IAM",
      "statement": "Securely manage the lifecycle and privileges of all accounts, roles, and groups, using automation.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/identity-and-access-management/",
      "nist_controls": [
        "AC-2.2",
        "AC-2.3",
        "AC-2.13",
        "AC-6.7",
        "IA-4.4",
        "IA-12",
        "IA-12.2",
        "IA-12.3",
        "IA-12.5"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment's identity and access management automates the full lifecycle of all accounts, roles, and groups through identity validation, MFA enforcement, password policy controls, and defined authentication protocols.",
        "failure_condition": "An orphaned account active more than 24 hours after separation, a stale account not deprovisioned, or failure to enforce MFA on any user account will cause a failure of the test. Additionally, identity evidence validation, MFA for both internal and external users, automated password policy enforcement, and defined authentication protocols must be in place to ensure account lifecycle management is secure and automated."
      },
      "outcome_metrics": [
        {
          "statement": "Account lifecycle (provisioning/deprovisioning) is automated with no manual gaps",
          "metric_name": "Recency",
          "target_value": "Accounts deprovisioned within 24 hours of termination; 0 orphaned accounts",
          "target_unit": "",
          "frequency": "Weekly",
          "source": "Identity provider (IdP) audit; Drata account management checks",
          "notes": "Terminated user with active account; orphaned account detected"
        }
      ],
      "monitoring": {
        "total_tests": 8,
        "passed": 8,
        "failed": 0,
        "controls_with_monitoring": 4,
        "monitoring_coverage": 57.1,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-IAM-APM",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:53.970642+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-71 (DCF-71)",
          "control_id": "DCF-71",
          "status": "Passing",
          "description": "Drata control status for DCF-71",
          "date": "2026-07-02T13:19:53.970642+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-10 (DCF-10)",
          "control_id": "DCF-10",
          "status": "Passing",
          "description": "Drata control status for DCF-10",
          "date": "2026-07-02T13:19:53.970642+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-80 (DCF-80)",
          "control_id": "DCF-80",
          "status": "Passing",
          "description": "Drata control status for DCF-80",
          "date": "2026-07-02T13:19:53.970642+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-11 (DCF-11)",
          "control_id": "DCF-11",
          "status": "Passing",
          "description": "Drata control status for DCF-11",
          "date": "2026-07-02T13:19:53.970642+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-59 (DCF-59)",
          "control_id": "DCF-59",
          "status": "Passing",
          "description": "Drata control status for DCF-59",
          "date": "2026-07-02T13:19:53.970642+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-68 (DCF-68)",
          "control_id": "DCF-68",
          "status": "Passing",
          "description": "Drata control status for DCF-68",
          "date": "2026-07-02T13:19:53.970642+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-34 (DCF-34)",
          "control_id": "DCF-34",
          "status": "Passing",
          "description": "Drata control status for DCF-34",
          "date": "2026-07-02T13:19:53.970642+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-335 (DCF-335)",
          "control_id": "DCF-335",
          "status": "Passing",
          "description": "Drata control status for DCF-335",
          "date": "2026-07-02T13:19:53.970642+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-334 (DCF-334)",
          "control_id": "DCF-334",
          "status": "Passing",
          "description": "Drata control status for DCF-334",
          "date": "2026-07-02T13:19:53.970642+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-IAM-APM",
          "control_name": "Custom Automated Check: KSI-IAM-APM",
          "control_description": "9/9 mapped controls passing; Sustainment Technologies' System Access Control Policy and Password Policy require strong authentication methods, with passwordless approaches used where feasible and MFA enforced otherwise. This is implemented through automated removal of inactive accounts, privileged user authorization workflows, role-based security assignments, and enforced password complexity and rotation policies. Drata monitors account activity, validates MFA enrollment, tracks inactive account cleanup, and the Security Steering Committee reviews authentication standards to ensure they align with current best practices.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:53.970642+00:00",
          "updated_at": "2026-07-02T13:19:53.970642+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:53.970642+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-71 (DCF-71)",
              "description": "Drata control status for DCF-71",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:53.970642+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155448+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-10 (DCF-10)",
              "description": "Drata control status for DCF-10",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:53.970642+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155455+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-80 (DCF-80)",
              "description": "Drata control status for DCF-80",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:53.970642+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155468+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-11 (DCF-11)",
              "description": "Drata control status for DCF-11",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:53.970642+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155474+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-59 (DCF-59)",
              "description": "Drata control status for DCF-59",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:53.970642+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155481+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-68 (DCF-68)",
              "description": "Drata control status for DCF-68",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:53.970642+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155487+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-34 (DCF-34)",
              "description": "Drata control status for DCF-34",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:53.970642+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155493+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-335 (DCF-335)",
              "description": "Drata control status for DCF-335",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:53.970642+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155500+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-334 (DCF-334)",
              "description": "Drata control status for DCF-334",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:53.970642+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155506+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 9,
            "passed": 9,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-02T12:02:06.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              },
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              },
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              },
              {
                "test_id": 34,
                "name": "Internal Password Policy for Employees",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's internal policy that governs the passwords employees set across services.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 89,
                "enabled": true
              },
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              },
              {
                "test_id": 201,
                "name": "AWS IAM Unused Credentials",
                "status": "PASSED",
                "description": "Drata validated that all credentials (e.g., passwords, access keys) for IAM users have been used within the last 45 days.",
                "last_run": "2026-07-02T12:02:06.000Z",
                "test_definition_id": 229,
                "enabled": true
              },
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-71",
              "DCF-10",
              "DCF-80",
              "DCF-11",
              "DCF-59",
              "DCF-68",
              "DCF-34",
              "DCF-335",
              "DCF-334"
            ]
          }
        },
        {
          "control_id": "DCF-71",
          "control_name": "Unique Accounts Used",
          "control_description": "Access to corporate network, production machines, network devices, and support tools requires a unique ID.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.769Z",
          "updated_at": "2026-06-15T13:35:37.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-71-evidence",
              "name": "Unique Accounts Used (DCF-71)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155513+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-owner",
              "name": "Assigned Control Owner - Unique Accounts Used (DCF-71)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155520+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-monitoring",
              "name": "Continuous Monitoring - Unique Accounts Used (DCF-71)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155527+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 98,
          "explanation": "Drata's \"Unique Accounts Used\" control helps satisfy KSI-IAM-APM by establishing a foundational element for strong authentication – ensuring each user has a distinct identity. This allows for the effective implementation of either passwordless methods *or* strong passwords *with* MFA, as authentication mechanisms are tied to individual, verifiable accounts, fulfilling the requirement's core intent of secure user access. Essentially, unique accounts are a prerequisite for enforcing *any* robust authentication method.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-10",
          "control_name": "System Access Control Policy",
          "control_description": "Sustainment Technologies Inc has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and employee transfers.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.531Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-10-evidence",
              "name": "System Access Control Policy (DCF-10)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155534+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-owner",
              "name": "Assigned Control Owner - System Access Control Policy (DCF-10)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155540+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-monitoring",
              "name": "Continuous Monitoring - System Access Control Policy (DCF-10)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155546+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 88,
          "explanation": "While the System Access Control Policy doesn't *directly* implement passwordless authentication, it satisfies KSI-IAM-APM by establishing a framework for enforcing strong authentication practices. The policy ensures access requests are reviewed (supporting strong password/MFA verification) and regular reviews maintain secure access – a foundational element for *any* authentication method, including those leveraging MFA as required by the KSI. Essentially, it provides the governance needed to *manage* secure authentication, regardless of the specific technology used.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-80",
          "control_name": "Log Management System",
          "control_description": "Sustainment Technologies Inc uses logging software that sends alerts to appropriate personnel. Corrective actions are performed, as necessary, in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.779Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 151,
              "name": "DataDog Security alerts sample",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/151_DataDog Security alerts sample.csv",
              "updated_at": "2026-03-02T15:57:18.424Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155733+00:00",
                "status": "hashed",
                "sha256": "3a6f138a1019b8d39d01a2e02dc11e84fa1a8b504f306fadf42619746948a934",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/151_DataDog Security alerts sample.csv",
                "filename": "151_DataDog Security alerts sample.csv",
                "size_bytes": 82445,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-80-owner",
              "name": "Assigned Control Owner - Log Management System (DCF-80)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155835+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-80-monitoring",
              "name": "Continuous Monitoring - Log Management System (DCF-80)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.155842+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 123,
          "explanation": "While a Log Management System doesn't *directly* implement passwordless or strong authentication, it **supports** KSI-IAM-APM by providing audit trails to detect and respond to compromised credentials or failed authentication attempts (covered by AC-2). This allows for timely investigation and corrective action if MFA fails or strong passwords are bypassed, demonstrating a layered security approach to meet the intent of secure access control outlined in the KSI requirement. Essentially, itÃ¢â‚¬â„¢s a detective control bolstering the preventative measures needed for compliance.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-11",
          "control_name": "Annual Access Control Review",
          "control_description": "Sustainment Technologies Inc performs annual access control reviews.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.537Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 150,
              "name": "User Access Review",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/150_User Access Review.xlsx",
              "updated_at": "2026-03-02T15:28:18.965Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156015+00:00",
                "status": "hashed",
                "sha256": "a83b78e92bd554ebc59378b2f58c3b86c8dfac37b561ea9ddea944b69ab811d9",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/150_User Access Review.xlsx",
                "filename": "150_User Access Review.xlsx",
                "size_bytes": 115456,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-11-owner",
              "name": "Assigned Control Owner - Annual Access Control Review (DCF-11)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156142+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-11-policy",
              "name": "Policy Documentation - Annual Access Control Review (DCF-11)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156149+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 89,
          "explanation": "The Annual Access Control Review (ACR) directly supports KSI-IAM-APM by verifying the ongoing effectiveness of implemented authentication methods Ã¢â‚¬â€œ including passwordless solutions *or* strong passwords with MFA Ã¢â‚¬â€œ as required by the standard. The ACR ensures access permissions align with current needs and that any compromised or inappropriate access (potentially indicating weak authentication practices) is identified and remediated, demonstrating continuous compliance with secure authentication requirements. Essentially, itÃ¢â‚¬â„¢s a check to confirm the *enforcement* of the KSI requirement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-59",
          "control_name": "Role-Based Security Implementation",
          "control_description": "Role-based security is in place for internal and external users, including super admin users.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.904Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-59-evidence",
              "name": "Role-Based Security Implementation (DCF-59)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156157+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-59-owner",
              "name": "Assigned Control Owner - Role-Based Security Implementation (DCF-59)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156165+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-59-policy",
              "name": "Policy Documentation - Role-Based Security Implementation (DCF-59)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156172+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 21,
          "explanation": "Drata's Role-Based Security Implementation (while not *directly* passwordless) supports KSI-IAM-APM by enabling the *principle of least privilege* Ã¢â‚¬â€œ limiting user access based on defined roles. This inherently strengthens authentication by reducing the blast radius of compromised credentials, aligning with the spirit of strong authentication *and* supporting MFA implementation as roles dictate access to sensitive systems, fulfilling the \"otherwise\" clause of the requirement. Essentially, well-defined roles necessitate stronger authentication methods where privilege demands it.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-68",
          "control_name": "Password Policy",
          "control_description": "Sustainment Technologies Inc has established formal guidelines for passwords to govern the management and use of authentication mechanisms.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.917Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-68-owner",
              "name": "Assigned Control Owner - Password Policy (DCF-68)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156180+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-68-monitoring",
              "name": "Continuous Monitoring - Password Policy (DCF-68)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156186+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-68-policy",
              "name": "Policy Documentation - Password Policy (DCF-68)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156193+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 24,
          "explanation": "DrataÃ¢â‚¬â„¢s Ã¢â‚¬Å“Password PolicyÃ¢â‚¬Â control addresses KSI-IAM-APM by demonstrating a foundational element for *either* implementing secure passwordless methods (by outlining acceptable alternatives) *or* enforcing strong passwords as a fallback. Specifically, a formal password policy, linked to NIST AC-2, establishes requirements for password complexity, rotation, and account lockout Ã¢â‚¬â€œ all critical components when MFA is used with passwords to meet the KSI requirement for strong authentication.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 34,
                "name": "Internal Password Policy for Employees",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's internal policy that governs the passwords employees set across services.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 89,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-34",
          "control_name": "Security Team/Steering Committee",
          "control_description": "Sustainment Technologies Inc has an assigned security team that is responsible for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.883Z",
          "updated_at": "2026-05-16T21:24:18.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:40.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-34-owner",
              "name": "Assigned Control Owner - Security Team/Steering Committee (DCF-34)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156200+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-monitoring",
              "name": "Continuous Monitoring - Security Team/Steering Committee (DCF-34)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156207+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-policy",
              "name": "Policy Documentation - Security Team/Steering Committee (DCF-34)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156213+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 49,
          "explanation": "While seemingly indirect, the \"Security Team/Steering Committee\" control supports KSI-IAM-APM by establishing the *governance* needed to **define and enforce** passwordless/MFA policies. This team is responsible for creating the security standards (like those for authentication Ã¢â‚¬â€œ password complexity, MFA implementation, or passwordless rollout) that directly address the KSI requirement, and ensuring ongoing review & adaptation. Essentially, they *manage the process* to *meet* the technical authentication standard.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:18.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-335",
          "control_name": "Inactive User Accounts Removed",
          "control_description": "Sustainment Technologies Inc removes/disables inactive user accounts within 90 days.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:55.909Z",
          "updated_at": "2026-02-12T15:57:20.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.696Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-335-monitoring",
              "name": "Continuous Monitoring - Inactive User Accounts Removed (DCF-335)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-02-12T15:57:20.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156221+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-335-policy",
              "name": "Policy Documentation - Inactive User Accounts Removed (DCF-335)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-02-12T15:57:20.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156228+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 357,
          "explanation": "This Drata control addresses KSI-IAM-APM by reducing the attack surface associated with compromised credentials. Removing inactive accounts limits the potential for attackers to leverage stale, potentially weak or reused passwords Ã¢â‚¬â€œ even *with* MFA, fewer accounts minimize risk. While not directly passwordless, proactively managing account lifecycles strengthens overall authentication security as required by the KSI.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-02T12:02:06.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 201,
                "name": "AWS IAM Unused Credentials",
                "status": "PASSED",
                "description": "Drata validated that all credentials (e.g., passwords, access keys) for IAM users have been used within the last 45 days.",
                "last_run": "2026-07-02T12:02:06.000Z",
                "test_definition_id": 229,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-334",
          "control_name": "Privileged and General User ID Authorization",
          "control_description": "Sustainment Technologies Inc controls addition, deletion, and modification of user IDs, credentials, and other identifier objects.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:55.855Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:14:39.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": 145,
              "name": "DataDog Okta Alert",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/145_DataDog Okta Alert.png",
              "updated_at": "2026-02-06T17:33:16.132Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156406+00:00",
                "status": "hashed",
                "sha256": "e894be820e3fceeb2599272b9da2c4acaa661edfb039e074e65d8a91d8aebbe7",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/145_DataDog Okta Alert.png",
                "filename": "145_DataDog Okta Alert.png",
                "size_bytes": 237119,
                "modified_at": "2026-07-02T13:16:59+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-334-monitoring",
              "name": "Continuous Monitoring - Privileged and General User ID Authorization (DCF-334)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156635+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 356,
          "explanation": "This Drata control addresses KSI-IAM-APM by demonstrating foundational identity management practices. By controlling user ID lifecycle (creation, deletion, modification), Sustainment Technologies Inc. establishes a baseline for *how* authentication is applied Ã¢â‚¬â€œ enabling the implementation of either passwordless methods *or* the enforcement of strong passwords *with* MFA, as required by the KSI. Essentially, control over user IDs is a prerequisite for securely implementing *any* authentication method compliant with the FedRAMP requirement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "Sustainment Technologies' System Access Control Policy and Password Policy require strong authentication methods, with passwordless approaches used where feasible and MFA enforced otherwise. This is implemented through automated removal of inactive accounts, privileged user authorization workflows, role-based security assignments, and enforced password complexity and rotation policies. Drata monitors account activity, validates MFA enrollment, tracks inactive account cleanup, and the Security Steering Committee reviews authentication standards to ensure they align with current best practices.\n### Key Controls\n- [OK] Unique Accounts Used (DCF-71)\n- [OK] System Access Control Policy (DCF-10)\n- [OK] Log Management System (DCF-80)\n- [OK] Annual Access Control Review (DCF-11)\n- [OK] Role-Based Security Implementation (DCF-59)\n- [OK] Password Policy (DCF-68)\n- [OK] Security Team/Steering Committee (DCF-34)\n- [OK] Inactive User Accounts Removed (DCF-335)\n- [OK] Privileged and General User ID Authorization (DCF-334)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:53.970642+00:00",
      "ksi_name": "Adopting Passwordless Methods",
      "category": "IAM",
      "statement": "Use secure passwordless methods for user authentication and authorization when feasible, otherwise enforce strong passwords with MFA for authentication.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/identity-and-access-management/",
      "nist_controls": [
        "AC-2",
        "AC-3",
        "IA-2.1",
        "IA-2.2",
        "IA-2.8",
        "IA-5.1",
        "IA-5.2",
        "IA-5.6",
        "IA-6"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment enforces strong authentication methods with MFA enforced across all accounts, backed by automated account management and role-based security assignments.",
        "failure_condition": "Password policy not enforced, weak passwords permitted, inactive accounts not removed, or failure to conduct annual access control reviews will cause a failure of the test. Additionally, unique account usage, role-based security implementation, privileged user authorization workflows, a log management system, and a security steering committee must be in place to ensure authentication methods are strong and consistently enforced."
      },
      "outcome_metrics": [
        {
          "statement": "Passwordless authentication adopted for all applicable systems",
          "metric_name": "Coverage",
          "target_value": "100% of applicable systems use passwordless or MFA; 0 password-only accounts",
          "target_unit": "",
          "frequency": "Quarterly",
          "source": "SSO/IdP configuration audit; Drata MFA/passwordless checks",
          "notes": "Password-only account or system not covered by passwordless/MFA"
        }
      ],
      "monitoring": {
        "total_tests": 9,
        "passed": 9,
        "failed": 0,
        "controls_with_monitoring": 7,
        "monitoring_coverage": 70.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-IAM-ELP",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:58.853272+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-67 (DCF-67)",
          "control_id": "DCF-67",
          "status": "Passing",
          "description": "Drata control status for DCF-67",
          "date": "2026-07-02T13:19:58.853272+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-71 (DCF-71)",
          "control_id": "DCF-71",
          "status": "Passing",
          "description": "Drata control status for DCF-71",
          "date": "2026-07-02T13:19:58.853272+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-10 (DCF-10)",
          "control_id": "DCF-10",
          "status": "Passing",
          "description": "Drata control status for DCF-10",
          "date": "2026-07-02T13:19:58.853272+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-68 (DCF-68)",
          "control_id": "DCF-68",
          "status": "Passing",
          "description": "Drata control status for DCF-68",
          "date": "2026-07-02T13:19:58.853272+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-72 (DCF-72)",
          "control_id": "DCF-72",
          "status": "Passing",
          "description": "Drata control status for DCF-72",
          "date": "2026-07-02T13:19:58.853272+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-181 (DCF-181)",
          "control_id": "DCF-181",
          "status": "Passing",
          "description": "Drata control status for DCF-181",
          "date": "2026-07-02T13:19:58.853272+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-11 (DCF-11)",
          "control_id": "DCF-11",
          "status": "Passing",
          "description": "Drata control status for DCF-11",
          "date": "2026-07-02T13:19:58.853272+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-59 (DCF-59)",
          "control_id": "DCF-59",
          "status": "Passing",
          "description": "Drata control status for DCF-59",
          "date": "2026-07-02T13:19:58.853272+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-124 (DCF-124)",
          "control_id": "DCF-124",
          "status": "Passing",
          "description": "Drata control status for DCF-124",
          "date": "2026-07-02T13:19:58.853272+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-80 (DCF-80)",
          "control_id": "DCF-80",
          "status": "Passing",
          "description": "Drata control status for DCF-80",
          "date": "2026-07-02T13:19:58.853272+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-IAM-ELP",
          "control_name": "Custom Automated Check: KSI-IAM-ELP",
          "control_description": "10/10 mapped controls passing; Sustainment Technologies' System Access Control Policy establishes the principle of least privilege for all user and device access. This is implemented through role-based security assignments, mandatory authentication for all access, unique SSH keys, annual access reviews, MFA enforcement, and encryption of data in transit. Drata continuously monitors that accounts maintain only necessary permissions, password policies are enforced, and MFA is active — while annual access reviews validate that privileges have not accumulated beyond what each user requires.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:58.853272+00:00",
          "updated_at": "2026-07-02T13:19:58.853272+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:58.853272+00:00",
          "requirements_updated_at": "",
          "evidence_count": 10,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-67 (DCF-67)",
              "description": "Drata control status for DCF-67",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.853272+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156644+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-71 (DCF-71)",
              "description": "Drata control status for DCF-71",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.853272+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156652+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-10 (DCF-10)",
              "description": "Drata control status for DCF-10",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.853272+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156658+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-68 (DCF-68)",
              "description": "Drata control status for DCF-68",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.853272+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156665+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-72 (DCF-72)",
              "description": "Drata control status for DCF-72",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.853272+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156672+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-181 (DCF-181)",
              "description": "Drata control status for DCF-181",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.853272+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156678+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-11 (DCF-11)",
              "description": "Drata control status for DCF-11",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.853272+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156684+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-59 (DCF-59)",
              "description": "Drata control status for DCF-59",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.853272+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156690+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-124 (DCF-124)",
              "description": "Drata control status for DCF-124",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.853272+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156697+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-80 (DCF-80)",
              "description": "Drata control status for DCF-80",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.853272+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156703+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 9,
            "passed": 9,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 33,
                "name": "MFA on Cloud Infrastructure",
                "status": "PASSED",
                "description": "Drata validated that each cloud infrastructure provider account has MFA enabled.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 88,
                "enabled": true
              },
              {
                "test_id": 31,
                "name": "MFA on Identity Provider",
                "status": "PASSED",
                "description": "Drata validated that each identity provider account has MFA enabled.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 86,
                "enabled": true
              },
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              },
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              },
              {
                "test_id": 34,
                "name": "Internal Password Policy for Employees",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's internal policy that governs the passwords employees set across services.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 89,
                "enabled": true
              },
              {
                "test_id": 119,
                "name": "Security Policies Cover Encryption",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they explain the procedures for encrypting sensitive data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 127,
                "enabled": true
              },
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-67",
              "DCF-71",
              "DCF-10",
              "DCF-68",
              "DCF-72",
              "DCF-181",
              "DCF-11",
              "DCF-59",
              "DCF-124",
              "DCF-80"
            ]
          }
        },
        {
          "control_id": "DCF-67",
          "control_name": "MFA on Accounts",
          "control_description": "Sustainment Technologies Inc requires two factor authentication to access sensitive systems and applications in the form of user ID, password, OTP and/or certificate.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.912Z",
          "updated_at": "2026-07-01T14:26:23.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": 2,
              "name": "MFA on IDP accounts",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/2_MFA on IDP accounts.png",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.156879+00:00",
                "status": "hashed",
                "sha256": "2fe9f3100c7247bbf490f2d77638913cc9c134f8b67c14344a98d1a1a87bf097",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/2_MFA on IDP accounts.png",
                "filename": "2_MFA on IDP accounts.png",
                "size_bytes": 271485,
                "modified_at": "2026-07-02T13:17:01+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 1,
              "name": "MFA on VCS Accounts",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/1_MFA on VCS Accounts.png",
              "updated_at": "2026-04-29T13:20:19.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.157305+00:00",
                "status": "hashed",
                "sha256": "51e20eaa89e609873b15e2573c717eea67ccfc037b2d8b791a336329dda9795f",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/1_MFA on VCS Accounts.png",
                "filename": "1_MFA on VCS Accounts.png",
                "size_bytes": 438374,
                "modified_at": "2026-07-02T13:17:01+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-67-owner",
              "name": "Assigned Control Owner - MFA on Accounts (DCF-67)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-07-01T14:26:23.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.157690+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 23,
          "explanation": "Drata’s “MFA on Accounts” control directly satisfies KSI-IAM-ELP by enforcing the principle of least privilege. Requiring multi-factor authentication (ID, password *plus* another factor) verifies user identity *before* granting access, ensuring only authorized individuals can reach sensitive resources – aligning with FedRAMP's need to limit access to only what's necessary. This layered security approach demonstrably reduces the risk of unauthorized access, fulfilling the KSI requirement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 33,
                "name": "MFA on Cloud Infrastructure",
                "status": "PASSED",
                "description": "Drata validated that each cloud infrastructure provider account has MFA enabled.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 88,
                "enabled": true
              },
              {
                "test_id": 31,
                "name": "MFA on Identity Provider",
                "status": "PASSED",
                "description": "Drata validated that each identity provider account has MFA enabled.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 86,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-71",
          "control_name": "Unique Accounts Used",
          "control_description": "Access to corporate network, production machines, network devices, and support tools requires a unique ID.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.769Z",
          "updated_at": "2026-06-15T13:35:37.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-71-evidence",
              "name": "Unique Accounts Used (DCF-71)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.157698+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-owner",
              "name": "Assigned Control Owner - Unique Accounts Used (DCF-71)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.157705+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-monitoring",
              "name": "Continuous Monitoring - Unique Accounts Used (DCF-71)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.157711+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 98,
          "explanation": "Drata's \"Unique Accounts Used\" control directly addresses the FedRAMP KSI-IAM-ELP requirement by enforcing the principle of least privilege. Requiring a unique ID for each user/device ensures accountability and prevents shared accounts, limiting access to *only* the resources authorized for that specific identity – fulfilling the need for granular access control. This aligns with NIST controls focused on identification, authentication, and access enforcement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-10",
          "control_name": "System Access Control Policy",
          "control_description": "Sustainment Technologies Inc has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and employee transfers.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.531Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-10-evidence",
              "name": "System Access Control Policy (DCF-10)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.157718+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-owner",
              "name": "Assigned Control Owner - System Access Control Policy (DCF-10)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.157725+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-monitoring",
              "name": "Continuous Monitoring - System Access Control Policy (DCF-10)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.157731+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 88,
          "explanation": "The System Access Control Policy directly addresses KSI-IAM-ELP by establishing a process for regularly reviewing and granting access based on need (annual reviews & request forms). This ensures only authorized users/devices gain access to specific resources, fulfilling the requirement for least privilege and persistent access control – a core tenet of FedRAMP’s KSI framework. The related NIST controls further validate this implementation through defined access management standards.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-68",
          "control_name": "Password Policy",
          "control_description": "Sustainment Technologies Inc has established formal guidelines for passwords to govern the management and use of authentication mechanisms.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.917Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-68-owner",
              "name": "Assigned Control Owner - Password Policy (DCF-68)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.157738+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-68-monitoring",
              "name": "Continuous Monitoring - Password Policy (DCF-68)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.157745+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-68-policy",
              "name": "Policy Documentation - Password Policy (DCF-68)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.157751+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 24,
          "explanation": "Drata's \"Password Policy\" control helps satisfy FedRAMP KSI-IAM-ELP by establishing a foundational element of least privilege. Strong password requirements (complexity, rotation, etc.) reduce the risk of unauthorized access, ensuring only authenticated *and* appropriately secured users can attempt to access resources – a key component of limiting access to only what's needed. This aligns with NIST controls focused on identity authentication and access enforcement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 34,
                "name": "Internal Password Policy for Employees",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's internal policy that governs the passwords employees set across services.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 89,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-72",
          "control_name": "Unique SSH",
          "control_description": "SSH users use unique accounts to access production machines. Additionally, the use of the “Root” account is not allowed.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:39.720Z",
          "updated_at": "2026-04-29T16:53:43.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-72-evidence",
              "name": "Unique SSH (DCF-72)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T16:53:43.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.157758+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-72-owner",
              "name": "Assigned Control Owner - Unique SSH (DCF-72)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T16:53:43.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.157764+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-72-policy",
              "name": "Policy Documentation - Unique SSH (DCF-72)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T16:53:43.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.157770+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 107,
          "explanation": "Drata's \"Unique SSH\" control directly addresses the FedRAMP KSI-IAM-ELP requirement by enforcing the principle of least privilege. Requiring unique SSH accounts—and prohibiting the shared \"Root\" account—ensures users can *only* access systems with permissions tied to *their* specific account, limiting potential blast radius and fulfilling the need for granular access control. This aligns with NIST controls focused on identity authentication and access restrictions.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-181",
          "control_name": "Encryption Policy",
          "control_description": "Sustainment Technologies Inc has a defined policy that establishes requirements for the use of cryptographic controls.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.777Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-181-owner",
              "name": "Assigned Control Owner - Encryption Policy (DCF-181)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.157778+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-181-monitoring",
              "name": "Continuous Monitoring - Encryption Policy (DCF-181)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.157784+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-181-policy",
              "name": "Policy Documentation - Encryption Policy (DCF-181)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.157790+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 100,
          "explanation": "Drata's \"Encryption Policy\" satisfies KSI-IAM-ELP by demonstrating a foundational security practice that *limits data exposure* – a key component of least privilege. By mandating encryption, the policy helps ensure that even if unauthorized access *occurs*, the data remains unusable, effectively restricting access to only those with decryption keys (and therefore, authorized access based on IAM policies). This aligns with FedRAMP’s need to control access to sensitive federal data at a granular level.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 119,
                "name": "Security Policies Cover Encryption",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they explain the procedures for encrypting sensitive data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 127,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-11",
          "control_name": "Annual Access Control Review",
          "control_description": "Sustainment Technologies Inc performs annual access control reviews.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.537Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 150,
              "name": "User Access Review",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/150_User Access Review.xlsx",
              "updated_at": "2026-03-02T15:28:18.965Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.157969+00:00",
                "status": "hashed",
                "sha256": "a83b78e92bd554ebc59378b2f58c3b86c8dfac37b561ea9ddea944b69ab811d9",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/150_User Access Review.xlsx",
                "filename": "150_User Access Review.xlsx",
                "size_bytes": 115456,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-11-owner",
              "name": "Assigned Control Owner - Annual Access Control Review (DCF-11)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158089+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-11-policy",
              "name": "Policy Documentation - Annual Access Control Review (DCF-11)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158096+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 89,
          "explanation": "Drata's \"Annual Access Control Review\" directly addresses the FedRAMP KSI-IAM-ELP requirement by demonstrating a *persistent* process to validate user access rights. This review verifies that individuals and devices *only* have access to the resources necessary for their roles – aligning with the principle of least privilege as evidenced by the related NIST controls (AC-4, AC-6 specifically). Essentially, it proves ongoing enforcement of appropriate access limitations, not just initial configuration.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-59",
          "control_name": "Role-Based Security Implementation",
          "control_description": "Role-based security is in place for internal and external users, including super admin users.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.904Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-59-evidence",
              "name": "Role-Based Security Implementation (DCF-59)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158104+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-59-owner",
              "name": "Assigned Control Owner - Role-Based Security Implementation (DCF-59)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158110+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-59-policy",
              "name": "Policy Documentation - Role-Based Security Implementation (DCF-59)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158127+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 21,
          "explanation": "Drata's \"Role-Based Security Implementation\" directly satisfies KSI-IAM-ELP by demonstrating a system where access is granted based on pre-defined roles, limiting user/device capabilities to only what's necessary for their function. This aligns with the FedRAMP requirement for least privilege, ensuring no user can exceed their authorized access scope – as evidenced by the related NIST controls focusing on access enforcement and restrictions. Essentially, it *proves* access is constrained to only needed resources through defined roles.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-124",
          "control_name": "Require Authentication for Access",
          "control_description": "Users accessing their personal information through Sustainment Technologies Inc's application must be authenticated with a username and password.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.639Z",
          "updated_at": "2025-11-24T13:51:25.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-124-evidence",
              "name": "Require Authentication for Access (DCF-124)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:25.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158135+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-124-owner",
              "name": "Assigned Control Owner - Require Authentication for Access (DCF-124)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:25.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158141+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-124-policy",
              "name": "Policy Documentation - Require Authentication for Access (DCF-124)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:25.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158148+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 145,
          "explanation": "This Drata control directly addresses KSI-IAM-ELP by implementing a fundamental access control measure – requiring user authentication before granting access to resources. By mandating usernames and passwords, Sustainment Technologies Inc. ensures only authenticated users (and therefore, authorized individuals) can access personal information, fulfilling the \"need-to-know\" principle outlined in the FedRAMP requirement. The related NIST controls further validate this approach as a baseline identity and access management practice.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-80",
          "control_name": "Log Management System",
          "control_description": "Sustainment Technologies Inc uses logging software that sends alerts to appropriate personnel. Corrective actions are performed, as necessary, in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.779Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 151,
              "name": "DataDog Security alerts sample",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/151_DataDog Security alerts sample.csv",
              "updated_at": "2026-03-02T15:57:18.424Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158325+00:00",
                "status": "hashed",
                "sha256": "3a6f138a1019b8d39d01a2e02dc11e84fa1a8b504f306fadf42619746948a934",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/151_DataDog Security alerts sample.csv",
                "filename": "151_DataDog Security alerts sample.csv",
                "size_bytes": 82445,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-80-owner",
              "name": "Assigned Control Owner - Log Management System (DCF-80)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158422+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-80-monitoring",
              "name": "Continuous Monitoring - Log Management System (DCF-80)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158429+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 123,
          "explanation": "The Log Management System satisfies KSI-IAM-ELP by providing audit trails of user access attempts and resource utilization, enabling detection of unauthorized access. These logs, and subsequent alerts/corrective actions, demonstrate ongoing monitoring to *ensure* users are only accessing authorized resources – fulfilling the \"persistently ensure\" aspect of the FedRAMP requirement. This aligns with NIST AC-17 which focuses on audit and accountability of access events.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "Sustainment Technologies' System Access Control Policy establishes the principle of least privilege for all user and device access. This is implemented through role-based security assignments, mandatory authentication for all access, unique SSH keys, annual access reviews, MFA enforcement, and encryption of data in transit. Drata continuously monitors that accounts maintain only necessary permissions, password policies are enforced, and MFA is active — while annual access reviews validate that privileges have not accumulated beyond what each user requires.\n### Key Controls\n- [OK] MFA on Accounts (DCF-67)\n- [OK] Unique Accounts Used (DCF-71)\n- [OK] System Access Control Policy (DCF-10)\n- [OK] Password Policy (DCF-68)\n- [OK] Unique SSH (DCF-72)\n- [OK] Encryption Policy (DCF-181)\n- [OK] Annual Access Control Review (DCF-11)\n- [OK] Role-Based Security Implementation (DCF-59)\n- [OK] Require Authentication for Access (DCF-124)\n- [OK] Log Management System (DCF-80)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:58.853272+00:00",
      "ksi_name": "Ensuring Least Privilege",
      "category": "IAM",
      "statement": "Persistently ensure that identity and access management employs measures to ensure each user or device can only access the resources they need.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/identity-and-access-management/",
      "nist_controls": [
        "AC-2.5",
        "AC-2.6",
        "AC-3",
        "AC-4",
        "AC-6",
        "AC-12",
        "AC-14",
        "AC-17",
        "AC-17.1",
        "AC-17.2",
        "AC-17.3",
        "AC-20",
        "AC-20.1",
        "CM-2.7",
        "CM-9",
        "IA-2",
        "IA-3",
        "IA-4",
        "IA-4.4",
        "IA-5.2",
        "IA-5.6",
        "IA-11",
        "PS-2",
        "PS-3",
        "PS-4",
        "PS-5",
        "PS-6",
        "SC-4",
        "SC-20",
        "SC-21",
        "SC-22",
        "SC-23",
        "SC-39",
        "SI-3"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment enforces the principle of least privilege for all user and device access through role-based security assignments, mandatory authentication, unique credentials, and annual access reviews.",
        "failure_condition": "Failure to complete an annual access review, failure to have MFA enabled, failure to have unique SSH keys, failure to comply with the password policy, or a log management system not in place will cause a failure of the test."
      },
      "outcome_metrics": [
        {
          "statement": "Accounts hold only permissions required for current role; privilege creep = 0",
          "metric_name": "Coverage",
          "target_value": "100% of accounts reviewed for least privilege; 0 excess permissions outstanding > 30 days",
          "target_unit": "",
          "frequency": "Quarterly",
          "source": "Access review results; IAM permission scan; Drata access review",
          "notes": "Excess permissions found during review or permission not revoked within 30 days"
        }
      ],
      "monitoring": {
        "total_tests": 9,
        "passed": 9,
        "failed": 0,
        "controls_with_monitoring": 6,
        "monitoring_coverage": 54.5,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-IAM-JIT",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:57.866945+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-67 (DCF-67)",
          "control_id": "DCF-67",
          "status": "Passing",
          "description": "Drata control status for DCF-67",
          "date": "2026-07-02T13:19:57.866945+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-80 (DCF-80)",
          "control_id": "DCF-80",
          "status": "Passing",
          "description": "Drata control status for DCF-80",
          "date": "2026-07-02T13:19:57.866945+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-71 (DCF-71)",
          "control_id": "DCF-71",
          "status": "Passing",
          "description": "Drata control status for DCF-71",
          "date": "2026-07-02T13:19:57.866945+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-10 (DCF-10)",
          "control_id": "DCF-10",
          "status": "Passing",
          "description": "Drata control status for DCF-10",
          "date": "2026-07-02T13:19:57.866945+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-68 (DCF-68)",
          "control_id": "DCF-68",
          "status": "Passing",
          "description": "Drata control status for DCF-68",
          "date": "2026-07-02T13:19:57.866945+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-31 (DCF-31)",
          "control_id": "DCF-31",
          "status": "Passing",
          "description": "Drata control status for DCF-31",
          "date": "2026-07-02T13:19:57.866945+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-72 (DCF-72)",
          "control_id": "DCF-72",
          "status": "Passing",
          "description": "Drata control status for DCF-72",
          "date": "2026-07-02T13:19:57.866945+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-11 (DCF-11)",
          "control_id": "DCF-11",
          "status": "Passing",
          "description": "Drata control status for DCF-11",
          "date": "2026-07-02T13:19:57.866945+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-34 (DCF-34)",
          "control_id": "DCF-34",
          "status": "Passing",
          "description": "Drata control status for DCF-34",
          "date": "2026-07-02T13:19:57.866945+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-59 (DCF-59)",
          "control_id": "DCF-59",
          "status": "Passing",
          "description": "Drata control status for DCF-59",
          "date": "2026-07-02T13:19:57.866945+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-IAM-JIT",
          "control_name": "Custom Automated Check: KSI-IAM-JIT",
          "control_description": "10/10 mapped controls passing; Sustainment Technologies' System Access Control Policy and SDLC Policy mandate a least-privileged, role-based, and just-in-time authorization model for all user and non-user accounts. This is implemented through role-based security assignments, unique account enforcement, SSH key management, MFA requirements, and production code change restrictions that prevent standing privileged access. Drata monitors active sessions and account privileges, the Security Steering Committee reviews access patterns, and annual access reviews validate that just-in-time principles are being followed.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:57.866945+00:00",
          "updated_at": "2026-07-02T13:19:57.866945+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:57.866945+00:00",
          "requirements_updated_at": "",
          "evidence_count": 10,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-67 (DCF-67)",
              "description": "Drata control status for DCF-67",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.866945+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158437+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-80 (DCF-80)",
              "description": "Drata control status for DCF-80",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.866945+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158444+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-71 (DCF-71)",
              "description": "Drata control status for DCF-71",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.866945+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158451+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-10 (DCF-10)",
              "description": "Drata control status for DCF-10",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.866945+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158462+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-68 (DCF-68)",
              "description": "Drata control status for DCF-68",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.866945+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158469+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-31 (DCF-31)",
              "description": "Drata control status for DCF-31",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.866945+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158476+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-72 (DCF-72)",
              "description": "Drata control status for DCF-72",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.866945+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158482+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-11 (DCF-11)",
              "description": "Drata control status for DCF-11",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.866945+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158488+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-34 (DCF-34)",
              "description": "Drata control status for DCF-34",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.866945+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158495+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-59 (DCF-59)",
              "description": "Drata control status for DCF-59",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.866945+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158501+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 10,
            "passed": 10,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 33,
                "name": "MFA on Cloud Infrastructure",
                "status": "PASSED",
                "description": "Drata validated that each cloud infrastructure provider account has MFA enabled.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 88,
                "enabled": true
              },
              {
                "test_id": 31,
                "name": "MFA on Identity Provider",
                "status": "PASSED",
                "description": "Drata validated that each identity provider account has MFA enabled.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 86,
                "enabled": true
              },
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              },
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              },
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              },
              {
                "test_id": 34,
                "name": "Internal Password Policy for Employees",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's internal policy that governs the passwords employees set across services.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 89,
                "enabled": true
              },
              {
                "test_id": 146,
                "name": "Has a SDLC Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed it has a Software Development Life Cycle Policy in place.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 36,
                "enabled": true
              },
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-67",
              "DCF-80",
              "DCF-71",
              "DCF-10",
              "DCF-68",
              "DCF-31",
              "DCF-72",
              "DCF-11",
              "DCF-34",
              "DCF-59"
            ]
          }
        },
        {
          "control_id": "DCF-67",
          "control_name": "MFA on Accounts",
          "control_description": "Sustainment Technologies Inc requires two factor authentication to access sensitive systems and applications in the form of user ID, password, OTP and/or certificate.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.912Z",
          "updated_at": "2026-07-01T14:26:23.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": 2,
              "name": "MFA on IDP accounts",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/2_MFA on IDP accounts.png",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.158677+00:00",
                "status": "hashed",
                "sha256": "2fe9f3100c7247bbf490f2d77638913cc9c134f8b67c14344a98d1a1a87bf097",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/2_MFA on IDP accounts.png",
                "filename": "2_MFA on IDP accounts.png",
                "size_bytes": 271485,
                "modified_at": "2026-07-02T13:17:01+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 1,
              "name": "MFA on VCS Accounts",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/1_MFA on VCS Accounts.png",
              "updated_at": "2026-04-29T13:20:19.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159071+00:00",
                "status": "hashed",
                "sha256": "51e20eaa89e609873b15e2573c717eea67ccfc037b2d8b791a336329dda9795f",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/1_MFA on VCS Accounts.png",
                "filename": "1_MFA on VCS Accounts.png",
                "size_bytes": 438374,
                "modified_at": "2026-07-02T13:17:01+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-67-owner",
              "name": "Assigned Control Owner - MFA on Accounts (DCF-67)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-07-01T14:26:23.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159435+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 23,
          "explanation": "Drata's \"MFA on Accounts\" control directly supports FedRAMP KSI-IAM-JIT by enforcing a critical layer of access control *before* granting system access – a key component of just-in-time authorization. Requiring MFA (multiple factors like password *and* OTP) limits the impact of compromised credentials, aligning with the least-privilege principle by verifying user identity *each time* before access is granted, rather than relying solely on static permissions.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 33,
                "name": "MFA on Cloud Infrastructure",
                "status": "PASSED",
                "description": "Drata validated that each cloud infrastructure provider account has MFA enabled.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 88,
                "enabled": true
              },
              {
                "test_id": 31,
                "name": "MFA on Identity Provider",
                "status": "PASSED",
                "description": "Drata validated that each identity provider account has MFA enabled.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 86,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-80",
          "control_name": "Log Management System",
          "control_description": "Sustainment Technologies Inc uses logging software that sends alerts to appropriate personnel. Corrective actions are performed, as necessary, in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.779Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 151,
              "name": "DataDog Security alerts sample",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/151_DataDog Security alerts sample.csv",
              "updated_at": "2026-03-02T15:57:18.424Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159619+00:00",
                "status": "hashed",
                "sha256": "3a6f138a1019b8d39d01a2e02dc11e84fa1a8b504f306fadf42619746948a934",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/151_DataDog Security alerts sample.csv",
                "filename": "151_DataDog Security alerts sample.csv",
                "size_bytes": 82445,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-80-owner",
              "name": "Assigned Control Owner - Log Management System (DCF-80)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159711+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-80-monitoring",
              "name": "Continuous Monitoring - Log Management System (DCF-80)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159719+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 123,
          "explanation": "While a Log Management System doesn't *directly* implement JIT access, it **supports** KSI-IAM-JIT by providing audit trails to *verify* least privilege and identify unauthorized access attempts. These logs allow for monitoring of user activity, enabling quick detection of privilege escalation or actions outside defined roles, and facilitating timely corrective actions – essential for a JIT model's effectiveness. Essentially, logging provides the accountability needed to *ensure* the JIT access controls are functioning as intended.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-71",
          "control_name": "Unique Accounts Used",
          "control_description": "Access to corporate network, production machines, network devices, and support tools requires a unique ID.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.769Z",
          "updated_at": "2026-06-15T13:35:37.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-71-evidence",
              "name": "Unique Accounts Used (DCF-71)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159726+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-owner",
              "name": "Assigned Control Owner - Unique Accounts Used (DCF-71)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159733+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-monitoring",
              "name": "Continuous Monitoring - Unique Accounts Used (DCF-71)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159739+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 98,
          "explanation": "Drata's \"Unique Accounts Used\" control directly supports FedRAMP KSI-IAM-JIT by enforcing a foundational element of least privilege – individual accountability. Requiring unique IDs ensures actions are traceable to a specific user, preventing shared account abuse and enabling granular permissioning necessary for just-in-time access based on roles and attributes, as outlined in the KSI requirement. This control helps limit the blast radius of potential compromises and supports attribute-based access control implementation.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-10",
          "control_name": "System Access Control Policy",
          "control_description": "Sustainment Technologies Inc has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and employee transfers.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.531Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-10-evidence",
              "name": "System Access Control Policy (DCF-10)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159746+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-owner",
              "name": "Assigned Control Owner - System Access Control Policy (DCF-10)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159753+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-monitoring",
              "name": "Continuous Monitoring - System Access Control Policy (DCF-10)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159759+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 88,
          "explanation": "Drata's \"System Access Control Policy\" helps satisfy KSI-IAM-JIT by demonstrating a process for *requesting* access (initial & transfers - addressing \"just-in-time\" needs) and *reviewing* that access annually – supporting the principle of least privilege through ongoing validation. While not fully automated, the policy establishes the *foundation* for a role/attribute-based model by requiring documented justification for access requests, aligning with FedRAMP’s authorization requirements.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-68",
          "control_name": "Password Policy",
          "control_description": "Sustainment Technologies Inc has established formal guidelines for passwords to govern the management and use of authentication mechanisms.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.917Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-68-owner",
              "name": "Assigned Control Owner - Password Policy (DCF-68)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159766+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-68-monitoring",
              "name": "Continuous Monitoring - Password Policy (DCF-68)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159773+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-68-policy",
              "name": "Policy Documentation - Password Policy (DCF-68)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159780+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 24,
          "explanation": "While seemingly unrelated, a strong Password Policy *supports* KSI-IAM-JIT by enforcing the \"least privilege\" principle – weak/compromised passwords increase risk, necessitating tighter access controls elsewhere. By requiring complex, regularly-changed passwords (as NIST controls indicate), the organization minimizes the blast radius of potential unauthorized access, allowing JIT authorization to be more effective in limiting damage until access is revoked. Essentially, it's a foundational security layer enabling a more robust JIT implementation.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 34,
                "name": "Internal Password Policy for Employees",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's internal policy that governs the passwords employees set across services.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 89,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-31",
          "control_name": "Software Development Life Cycle Policy",
          "control_description": "Sustainment Technologies Inc has developed policies and procedures governing the system development life cycle, including documented policies for tracking, testing, approving, and validating changes.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.156Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:31:00.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-31-owner",
              "name": "Assigned Control Owner - Software Development Life Cycle Policy (DCF-31)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159787+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-31-monitoring",
              "name": "Continuous Monitoring - Software Development Life Cycle Policy (DCF-31)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159794+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-31-policy",
              "name": "Policy Documentation - Software Development Life Cycle Policy (DCF-31)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159800+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 129,
          "explanation": "While seemingly indirect, a robust Software Development Life Cycle (SDLC) policy *supports* KSI-IAM-JIT by ensuring changes to access controls are managed as part of system modifications. This means any new feature or service requiring access is vetted through the SDLC, forcing consideration of least privilege and proper authorization *before* deployment – aligning with the \"just-in-time\" aspect of granting access only when needed for a defined purpose. Essentially, the SDLC provides a framework to *implement* and *maintain* the JIT access model required by the KSI.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 146,
                "name": "Has a SDLC Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed it has a Software Development Life Cycle Policy in place.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 36,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-72",
          "control_name": "Unique SSH",
          "control_description": "SSH users use unique accounts to access production machines. Additionally, the use of the “Root” account is not allowed.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:39.720Z",
          "updated_at": "2026-04-29T16:53:43.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-72-evidence",
              "name": "Unique SSH (DCF-72)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T16:53:43.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159807+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-72-owner",
              "name": "Assigned Control Owner - Unique SSH (DCF-72)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T16:53:43.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159814+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-72-policy",
              "name": "Policy Documentation - Unique SSH (DCF-72)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T16:53:43.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159820+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 107,
          "explanation": "Drata's \"Unique SSH\" control directly addresses KSI-IAM-JIT by enforcing least privilege – each user accesses production systems with a *unique* account, eliminating shared access and the overly permissive \"Root\" account. This aligns with just-in-time access as permissions are implicitly limited to what that individual account can perform, satisfying the requirement for role/attribute-based authorization through account specificity.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-11",
          "control_name": "Annual Access Control Review",
          "control_description": "Sustainment Technologies Inc performs annual access control reviews.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.537Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 150,
              "name": "User Access Review",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/150_User Access Review.xlsx",
              "updated_at": "2026-03-02T15:28:18.965Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.159995+00:00",
                "status": "hashed",
                "sha256": "a83b78e92bd554ebc59378b2f58c3b86c8dfac37b561ea9ddea944b69ab811d9",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/150_User Access Review.xlsx",
                "filename": "150_User Access Review.xlsx",
                "size_bytes": 115456,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-11-owner",
              "name": "Assigned Control Owner - Annual Access Control Review (DCF-11)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.160106+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-11-policy",
              "name": "Policy Documentation - Annual Access Control Review (DCF-11)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.160119+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 89,
          "explanation": "Drata's \"Annual Access Control Review\" directly supports FedRAMP KSI-IAM-JIT by verifying that established access controls (roles & attributes - AC-2, AC-6) remain aligned with the principle of least privilege (AC-4, AC-5). This annual review process helps ensure unnecessary permissions are identified and remediated, effectively implementing a just-in-time approach by confirming current access *should* be granted, not just that it *was* granted previously (meeting the spirit of JIT authorization).",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-34",
          "control_name": "Security Team/Steering Committee",
          "control_description": "Sustainment Technologies Inc has an assigned security team that is responsible for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.883Z",
          "updated_at": "2026-05-16T21:24:18.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:40.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-34-owner",
              "name": "Assigned Control Owner - Security Team/Steering Committee (DCF-34)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.160128+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-monitoring",
              "name": "Continuous Monitoring - Security Team/Steering Committee (DCF-34)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.160135+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-policy",
              "name": "Policy Documentation - Security Team/Steering Committee (DCF-34)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.160141+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 49,
          "explanation": "While seemingly indirect, the Security Team/Steering Committee control *supports* KSI-IAM-JIT by establishing the governance necessary to **design and enforce** a JIT access model. This team defines the policies (via AC-3, CM-7, AC-6) dictating *how* least privilege and attribute-based access are implemented and regularly reviewed – the foundational elements for a compliant JIT system, even if they don't directly *perform* the JIT provisioning. Essentially, they ensure the framework for JIT access exists and is maintained.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:18.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-59",
          "control_name": "Role-Based Security Implementation",
          "control_description": "Role-based security is in place for internal and external users, including super admin users.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.904Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-59-evidence",
              "name": "Role-Based Security Implementation (DCF-59)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.160149+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-59-owner",
              "name": "Assigned Control Owner - Role-Based Security Implementation (DCF-59)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.160156+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-59-policy",
              "name": "Policy Documentation - Role-Based Security Implementation (DCF-59)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.160162+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 21,
          "explanation": "Drata's \"Role-Based Security Implementation\" directly addresses KSI-IAM-JIT by demonstrating a system where access is granted based on pre-defined roles, inherently limiting privileges. This aligns with the \"least-privileged\" and \"role-based\" aspects of the requirement, and while not explicitly \"just-in-time\" in the description, role-based access *enables* the implementation of JIT through further controls (like temporary access grants) built on this foundation. Essentially, it's a foundational element for achieving the full KSI-IAM-JIT intent.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' System Access Control Policy and SDLC Policy mandate a least-privileged, role-based, and just-in-time authorization model for all user and non-user accounts. This is implemented through role-based security assignments, unique account enforcement, SSH key management, MFA requirements, and production code change restrictions that prevent standing privileged access. Drata monitors active sessions and account privileges, the Security Steering Committee reviews access patterns, and annual access reviews validate that just-in-time principles are being followed.\n### Key Controls\n- [OK] MFA on Accounts (DCF-67)\n- [OK] Log Management System (DCF-80)\n- [OK] Unique Accounts Used (DCF-71)\n- [OK] System Access Control Policy (DCF-10)\n- [OK] Password Policy (DCF-68)\n- [OK] Software Development Life Cycle Policy (DCF-31)\n- [OK] Unique SSH (DCF-72)\n- [OK] Annual Access Control Review (DCF-11)\n- [OK] Security Team/Steering Committee (DCF-34)\n- [OK] Role-Based Security Implementation (DCF-59)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:57.866945+00:00",
      "ksi_name": "Authorizing Just-in-Time",
      "category": "IAM",
      "statement": "Use a least-privileged, role and attribute-based, and just-in-time security authorization model for all user and non-user accounts and services.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/identity-and-access-management/",
      "nist_controls": [
        "AC-2",
        "AC-2.1",
        "AC-2.2",
        "AC-2.3",
        "AC-2.4",
        "AC-2.6",
        "AC-3",
        "AC-4",
        "AC-5",
        "AC-6",
        "AC-6.1",
        "AC-6.2",
        "AC-6.5",
        "AC-6.7",
        "AC-6.9",
        "AC-6.10",
        "AC-7",
        "AC-20.1",
        "AC-17",
        "AU-9.4",
        "CM-5",
        "CM-7",
        "CM-7.2",
        "CM-7.5",
        "CM-9",
        "IA-4",
        "IA-4.4",
        "IA-7",
        "PS-2",
        "PS-3",
        "PS-4",
        "PS-5",
        "PS-6",
        "PS-9",
        "RA-5.5",
        "SC-2",
        "SC-23",
        "SC-39"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment limits privileged access through unique accounts, role-based security assignments, and restrictive access controls that minimize standing permissions across all systems.",
        "failure_condition": "Failure to use unique accounts, excessive standing permissions beyond role requirements, or failure to conduct annual access reviews will cause a failure of the test. Additionally, MFA enforcement, unique SSH keys, password policy compliance, production code change restrictions, and a log management system must be in place to ensure access is limited to only what is necessary."
      },
      "outcome_metrics": [
        {
          "statement": "Privileged access granted only when needed and revoked after session",
          "metric_name": "Recency",
          "target_value": "100% of privileged sessions via JIT; session duration <= approved window",
          "target_unit": "",
          "frequency": "Per session + weekly audit",
          "source": "PAM/JIT system logs; session duration audit",
          "notes": "Privileged access granted outside JIT process or session not revoked on time"
        }
      ],
      "monitoring": {
        "total_tests": 10,
        "passed": 10,
        "failed": 0,
        "controls_with_monitoring": 7,
        "monitoring_coverage": 63.6,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-IAM-MFA",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:55.136860+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-67 (DCF-67)",
          "control_id": "DCF-67",
          "status": "Passing",
          "description": "Drata control status for DCF-67",
          "date": "2026-07-02T13:19:55.136860+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-68 (DCF-68)",
          "control_id": "DCF-68",
          "status": "Passing",
          "description": "Drata control status for DCF-68",
          "date": "2026-07-02T13:19:55.136860+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-158 (DCF-158)",
          "control_id": "DCF-158",
          "status": "Passing",
          "description": "Drata control status for DCF-158",
          "date": "2026-07-02T13:19:55.136860+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-93 (DCF-93)",
          "control_id": "DCF-93",
          "status": "Passing",
          "description": "Drata control status for DCF-93",
          "date": "2026-07-02T13:19:55.136860+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-71 (DCF-71)",
          "control_id": "DCF-71",
          "status": "Passing",
          "description": "Drata control status for DCF-71",
          "date": "2026-07-02T13:19:55.136860+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-72 (DCF-72)",
          "control_id": "DCF-72",
          "status": "Passing",
          "description": "Drata control status for DCF-72",
          "date": "2026-07-02T13:19:55.136860+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-10 (DCF-10)",
          "control_id": "DCF-10",
          "status": "Passing",
          "description": "Drata control status for DCF-10",
          "date": "2026-07-02T13:19:55.136860+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-11 (DCF-11)",
          "control_id": "DCF-11",
          "status": "Passing",
          "description": "Drata control status for DCF-11",
          "date": "2026-07-02T13:19:55.136860+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-59 (DCF-59)",
          "control_id": "DCF-59",
          "status": "Passing",
          "description": "Drata control status for DCF-59",
          "date": "2026-07-02T13:19:55.136860+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-IAM-MFA",
          "control_name": "Custom Automated Check: KSI-IAM-MFA",
          "control_description": "9/9 mapped controls passing; Sustainment Technologies' System Access Control Policy requires phishing-resistant multi-factor authentication for all user authentication across the cloud service offering. This is implemented through enforced MFA on all accounts (including external users), managed credential keys, unique SSH authentication, role-based access controls, and password policies as a secondary factor. Drata continuously monitors MFA enrollment and credential management status, while annual access reviews verify that no accounts bypass MFA requirements.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:55.136860+00:00",
          "updated_at": "2026-07-02T13:19:55.136860+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:55.136860+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-67 (DCF-67)",
              "description": "Drata control status for DCF-67",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.136860+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.160170+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-68 (DCF-68)",
              "description": "Drata control status for DCF-68",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.136860+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.160177+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-158 (DCF-158)",
              "description": "Drata control status for DCF-158",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.136860+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.160183+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-93 (DCF-93)",
              "description": "Drata control status for DCF-93",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.136860+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.160189+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-71 (DCF-71)",
              "description": "Drata control status for DCF-71",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.136860+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.160196+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-72 (DCF-72)",
              "description": "Drata control status for DCF-72",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.136860+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.160202+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-10 (DCF-10)",
              "description": "Drata control status for DCF-10",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.136860+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.160208+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-11 (DCF-11)",
              "description": "Drata control status for DCF-11",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.136860+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.160215+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-59 (DCF-59)",
              "description": "Drata control status for DCF-59",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.136860+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.160221+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 8,
            "passed": 8,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 33,
                "name": "MFA on Cloud Infrastructure",
                "status": "PASSED",
                "description": "Drata validated that each cloud infrastructure provider account has MFA enabled.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 88,
                "enabled": true
              },
              {
                "test_id": 31,
                "name": "MFA on Identity Provider",
                "status": "PASSED",
                "description": "Drata validated that each identity provider account has MFA enabled.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 86,
                "enabled": true
              },
              {
                "test_id": 34,
                "name": "Internal Password Policy for Employees",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's internal policy that governs the passwords employees set across services.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 89,
                "enabled": true
              },
              {
                "test_id": 119,
                "name": "Security Policies Cover Encryption",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they explain the procedures for encrypting sensitive data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 127,
                "enabled": true
              },
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              },
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-67",
              "DCF-68",
              "DCF-158",
              "DCF-93",
              "DCF-71",
              "DCF-72",
              "DCF-10",
              "DCF-11",
              "DCF-59"
            ]
          }
        },
        {
          "control_id": "DCF-67",
          "control_name": "MFA on Accounts",
          "control_description": "Sustainment Technologies Inc requires two factor authentication to access sensitive systems and applications in the form of user ID, password, OTP and/or certificate.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.912Z",
          "updated_at": "2026-07-01T14:26:23.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": 2,
              "name": "MFA on IDP accounts",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/2_MFA on IDP accounts.png",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.160399+00:00",
                "status": "hashed",
                "sha256": "2fe9f3100c7247bbf490f2d77638913cc9c134f8b67c14344a98d1a1a87bf097",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/2_MFA on IDP accounts.png",
                "filename": "2_MFA on IDP accounts.png",
                "size_bytes": 271485,
                "modified_at": "2026-07-02T13:17:01+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 1,
              "name": "MFA on VCS Accounts",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/1_MFA on VCS Accounts.png",
              "updated_at": "2026-04-29T13:20:19.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.160796+00:00",
                "status": "hashed",
                "sha256": "51e20eaa89e609873b15e2573c717eea67ccfc037b2d8b791a336329dda9795f",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/1_MFA on VCS Accounts.png",
                "filename": "1_MFA on VCS Accounts.png",
                "size_bytes": 438374,
                "modified_at": "2026-07-02T13:17:01+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-67-owner",
              "name": "Assigned Control Owner - MFA on Accounts (DCF-67)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-07-01T14:26:23.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.161165+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 23,
          "explanation": "This Drata control satisfies KSI-IAM-MFA by demonstrating the implementation of multi-factor authentication – specifically a combination of something you know (password) and something you have (OTP/certificate) – for access to sensitive systems. This layered approach fulfills the FedRAMP requirement for MFA methods resistant to common phishing attacks and unauthorized access, aligning with NIST IA-2 & IA-5's focus on identity and access management. Note: one-time passcodes are not generally regarded as phishing-resistant, so this claim depends on the certificate option being the enforced factor; confirm which factor is required in practice.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 33,
                "name": "MFA on Cloud Infrastructure",
                "status": "PASSED",
                "description": "Drata validated that each cloud infrastructure provider account has MFA enabled.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 88,
                "enabled": true
              },
              {
                "test_id": 31,
                "name": "MFA on Identity Provider",
                "status": "PASSED",
                "description": "Drata validated that each identity provider account has MFA enabled.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 86,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-68",
          "control_name": "Password Policy",
          "control_description": "Sustainment Technologies Inc has established formal guidelines for passwords to govern the management and use of authentication mechanisms.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.917Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-68-owner",
              "name": "Assigned Control Owner - Password Policy (DCF-68)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.161177+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-68-monitoring",
              "name": "Continuous Monitoring - Password Policy (DCF-68)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.161185+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-68-policy",
              "name": "Policy Documentation - Password Policy (DCF-68)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.161191+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 24,
          "explanation": "While seemingly counterintuitive, a strong Password Policy *supports* KSI-IAM-MFA by establishing a baseline security foundation. It ensures users aren't relying on easily compromised passwords *in addition* to MFA, reducing the attack surface even with phishing-resistant MFA enabled. This control indirectly strengthens the overall authentication process required by the FedRAMP KSI, making MFA more effective.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 34,
                "name": "Internal Password Policy for Employees",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's internal policy that governs the passwords employees set across services.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 89,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-158",
          "control_name": "MFA Available for External Users",
          "control_description": "Sustainment Technologies Inc allows external users to enable multi-factor authentication on their accounts so that two forms of authentication are required before access is granted.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.967Z",
          "updated_at": "2025-11-24T13:51:26.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 3,
              "name": "MFA for external users",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/3_MFA for external users.png",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.161377+00:00",
                "status": "hashed",
                "sha256": "2fe9f3100c7247bbf490f2d77638913cc9c134f8b67c14344a98d1a1a87bf097",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/3_MFA for external users.png",
                "filename": "3_MFA for external users.png",
                "size_bytes": 271485,
                "modified_at": "2026-07-02T13:17:01+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 2,
              "name": "MFA on IDP accounts",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/2_MFA on IDP accounts.png",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.161802+00:00",
                "status": "hashed",
                "sha256": "2fe9f3100c7247bbf490f2d77638913cc9c134f8b67c14344a98d1a1a87bf097",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/2_MFA on IDP accounts.png",
                "filename": "2_MFA on IDP accounts.png",
                "size_bytes": 271485,
                "modified_at": "2026-07-02T13:17:01+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-158-owner",
              "name": "Assigned Control Owner - MFA Available for External Users (DCF-158)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162011+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 33,
          "explanation": "This Drata control directly addresses KSI-IAM-MFA by enabling a critical component of phishing-resistant MFA – the *availability* of MFA for all external users. While not enforcing it universally (a stronger control), offering MFA allows users to *activate* a second factor, moving towards meeting the requirement of needing two forms of authentication and bolstering security against compromised credentials, aligning with NIST IA-5's access control standards. Essentially, it's a foundational step towards full MFA enforcement needed for FedRAMP compliance.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-93",
          "control_name": "Credential Keys Managed",
          "control_description": "Sustainment Technologies Inc has an established key management process in place to support the organization's use of cryptographic techniques.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.773Z",
          "updated_at": "2026-04-30T19:27:08.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-93-evidence",
              "name": "Credential Keys Managed (DCF-93)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-30T19:27:08.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162018+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-93-owner",
              "name": "Assigned Control Owner - Credential Keys Managed (DCF-93)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-30T19:27:08.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162025+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-93-monitoring",
              "name": "Continuous Monitoring - Credential Keys Managed (DCF-93)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-30T19:27:08.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162031+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 99,
          "explanation": "The \"Credential Keys Managed\" control directly supports KSI-IAM-MFA by establishing the foundational process for securely generating, storing, and rotating the cryptographic keys *used by* phishing-resistant MFA methods (like FIDO2/WebAuthn). Without robust key management (IA-2, IA-5), the security of those MFA factors is compromised, failing to meet the FedRAMP requirement for difficult-to-intercept authentication. Essentially, this control ensures the *how* of securely enabling strong MFA.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 119,
                "name": "Security Policies Cover Encryption",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they explain the procedures for encrypting sensitive data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 127,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-71",
          "control_name": "Unique Accounts Used",
          "control_description": "Access to corporate network, production machines, network devices, and support tools requires a unique ID.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.769Z",
          "updated_at": "2026-06-15T13:35:37.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-71-evidence",
              "name": "Unique Accounts Used (DCF-71)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162038+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-owner",
              "name": "Assigned Control Owner - Unique Accounts Used (DCF-71)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162044+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-monitoring",
              "name": "Continuous Monitoring - Unique Accounts Used (DCF-71)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162050+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 98,
          "explanation": "While not *directly* enforcing MFA, \"Unique Accounts Used\" supports FedRAMP KSI-IAM-MFA by establishing a foundational security practice. Unique accounts are a prerequisite for effectively *implementing* and *managing* MFA – you can't apply MFA to a shared account. This control ensures accountability and allows for granular MFA application per individual, bolstering the effectiveness of phishing-resistant MFA methods when layered on top.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-72",
          "control_name": "Unique SSH",
          "control_description": "SSH users use unique accounts to access production machines. Additionally, the use of the “Root” account is not allowed.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:39.720Z",
          "updated_at": "2026-04-29T16:53:43.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-72-evidence",
              "name": "Unique SSH (DCF-72)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T16:53:43.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162056+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-72-owner",
              "name": "Assigned Control Owner - Unique SSH (DCF-72)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T16:53:43.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162062+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-72-policy",
              "name": "Policy Documentation - Unique SSH (DCF-72)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T16:53:43.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162068+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 107,
          "explanation": "While not *directly* phishing-resistant MFA, Unique SSH contributes to FedRAMP KSI-IAM-MFA by strengthening authentication practices. By eliminating shared \"Root\" accounts and enforcing unique user accounts for SSH access, it reduces the blast radius of compromised credentials – a key principle in minimizing successful impersonation attempts, and a foundational step *towards* implementing stronger MFA solutions. This control supports the overall goal of secure authentication as part of a comprehensive FedRAMP security posture.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-10",
          "control_name": "System Access Control Policy",
          "control_description": "Sustainment Technologies Inc has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and employee transfers.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.531Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-10-evidence",
              "name": "System Access Control Policy (DCF-10)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162075+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-owner",
              "name": "Assigned Control Owner - System Access Control Policy (DCF-10)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162081+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-monitoring",
              "name": "Continuous Monitoring - System Access Control Policy (DCF-10)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162087+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 88,
          "explanation": "While the System Access Control Policy *addresses* access control, it **doesn't directly satisfy the KSI-IAM-MFA requirement.** The policy outlines *how* access is managed, but doesn't demonstrate *enforcement* of phishing-resistant MFA. To satisfy the requirement, Drata needs evidence showing MFA is *technically implemented and required* for all user logins – the policy simply sets the stage for that implementation.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-11",
          "control_name": "Annual Access Control Review",
          "control_description": "Sustainment Technologies Inc performs annual access control reviews.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.537Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 150,
              "name": "User Access Review",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/150_User Access Review.xlsx",
              "updated_at": "2026-03-02T15:28:18.965Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162267+00:00",
                "status": "hashed",
                "sha256": "a83b78e92bd554ebc59378b2f58c3b86c8dfac37b561ea9ddea944b69ab811d9",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/150_User Access Review.xlsx",
                "filename": "150_User Access Review.xlsx",
                "size_bytes": 115456,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-11-owner",
              "name": "Assigned Control Owner - Annual Access Control Review (DCF-11)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162374+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-11-policy",
              "name": "Policy Documentation - Annual Access Control Review (DCF-11)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162380+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 89,
          "explanation": "While seemingly unrelated, the Annual Access Control Review (as a sustaining activity) *verifies* the ongoing effectiveness of MFA implementation required by KSI-IAM-MFA. By regularly reviewing user access, the control confirms MFA is still enforced for *all* users, and identifies/removes accounts where it isn't – ensuring continued compliance with the phishing-resistant MFA requirement. This demonstrates a proactive approach to maintaining a key security control, satisfying FedRAMP's need for sustained IAM practices.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-59",
          "control_name": "Role-Based Security Implementation",
          "control_description": "Role-based security is in place for internal and external users, including super admin users.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.904Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-59-evidence",
              "name": "Role-Based Security Implementation (DCF-59)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162387+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-59-owner",
              "name": "Assigned Control Owner - Role-Based Security Implementation (DCF-59)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162394+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-59-policy",
              "name": "Policy Documentation - Role-Based Security Implementation (DCF-59)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162400+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 21,
          "explanation": "While not *directly* proving MFA, Drata's \"Role-Based Security Implementation\" control supports FedRAMP KSI-IAM-MFA by demonstrating a foundational access control system. This system allows for the *enforcement* of MFA policies – specifically, it ensures that different roles (including privileged ones) can be *required* to utilize phishing-resistant MFA methods, fulfilling the KSI requirement's intent of securing all user authentication. Essentially, it proves the *ability* to implement and manage MFA effectively based on user roles.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' System Access Control Policy requires phishing-resistant multi-factor authentication for all user authentication across the cloud service offering. This is implemented through enforced MFA on all accounts (including external users), managed credential keys, unique SSH authentication, role-based access controls, and password policies as a secondary factor. Drata continuously monitors MFA enrollment and credential management status, while annual access reviews verify that no accounts bypass MFA requirements.\n### Key Controls\n- [OK] MFA on Accounts (DCF-67)\n- [OK] Password Policy (DCF-68)\n- [OK] MFA Available for External Users (DCF-158)\n- [OK] Credential Keys Managed (DCF-93)\n- [OK] Unique Accounts Used (DCF-71)\n- [OK] Unique SSH (DCF-72)\n- [OK] System Access Control Policy (DCF-10)\n- [OK] Annual Access Control Review (DCF-11)\n- [OK] Role-Based Security Implementation (DCF-59)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:55.136860+00:00",
      "ksi_name": "Enforcing Phishing-Resistant MFA",
      "category": "IAM",
      "statement": "Enforce multi-factor authentication (MFA) using methods that are difficult to intercept or impersonate (phishing-resistant MFA) for all user authentication.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/identity-and-access-management/",
      "nist_controls": [
        "AC-2",
        "IA-2",
        "IA-2.1",
        "IA-2.2",
        "IA-2.8",
        "IA-5",
        "IA-8",
        "SC-23"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment requires multi-factor authentication for all user authentication across the cloud service offering, including both internal and external users, with managed credential keys and unique SSH authentication.",
        "failure_condition": "Any user account without MFA enabled, an MFA bypass detected, or failure to manage credential keys will cause a failure of the test. Additionally, MFA for external users, unique account usage, unique SSH keys, password policy enforcement, role-based security implementation, and annual access reviews must be in place to ensure phishing-resistant MFA is enforced across all accounts."
      },
      "outcome_metrics": [
        {
          "statement": "Phishing-resistant MFA enforced for all user accounts on all in-scope systems",
          "metric_name": "Coverage",
          "target_value": "100% MFA coverage; 0 accounts with non-phishing-resistant MFA on in-scope systems",
          "target_unit": "",
          "frequency": "Weekly",
          "source": "IdP/SSO MFA enforcement audit; Drata MFA checks",
          "notes": "Account without phishing-resistant MFA; MFA bypass detected"
        }
      ],
      "monitoring": {
        "total_tests": 8,
        "passed": 8,
        "failed": 0,
        "controls_with_monitoring": 5,
        "monitoring_coverage": 50.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-IAM-SNU",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:54.065687+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-10 (DCF-10)",
          "control_id": "DCF-10",
          "status": "Passing",
          "description": "Drata control status for DCF-10",
          "date": "2026-07-02T13:19:54.065687+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-11 (DCF-11)",
          "control_id": "DCF-11",
          "status": "Passing",
          "description": "Drata control status for DCF-11",
          "date": "2026-07-02T13:19:54.065687+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-71 (DCF-71)",
          "control_id": "DCF-71",
          "status": "Passing",
          "description": "Drata control status for DCF-71",
          "date": "2026-07-02T13:19:54.065687+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-68 (DCF-68)",
          "control_id": "DCF-68",
          "status": "Passing",
          "description": "Drata control status for DCF-68",
          "date": "2026-07-02T13:19:54.065687+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-80 (DCF-80)",
          "control_id": "DCF-80",
          "status": "Passing",
          "description": "Drata control status for DCF-80",
          "date": "2026-07-02T13:19:54.065687+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-102 (DCF-102)",
          "control_id": "DCF-102",
          "status": "Passing",
          "description": "Drata control status for DCF-102",
          "date": "2026-07-02T13:19:54.065687+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-59 (DCF-59)",
          "control_id": "DCF-59",
          "status": "Passing",
          "description": "Drata control status for DCF-59",
          "date": "2026-07-02T13:19:54.065687+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-2 (DCF-2)",
          "control_id": "DCF-2",
          "status": "Passing",
          "description": "Drata control status for DCF-2",
          "date": "2026-07-02T13:19:54.065687+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-181 (DCF-181)",
          "control_id": "DCF-181",
          "status": "Passing",
          "description": "Drata control status for DCF-181",
          "date": "2026-07-02T13:19:54.065687+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-IAM-SNU",
          "control_name": "Custom Automated Check: KSI-IAM-SNU",
          "control_description": "9/9 mapped controls passing; Sustainment Technologies' System Access Control Policy and Encryption Policy require secure authentication methods for all non-user accounts and services. This is implemented through managed credential keys, enforced password policies for service accounts, data classification-based access controls, role-based security assignments, and least-privileged access policies for sensitive data. Drata monitors service account authentication configurations and validates that non-user accounts follow the same security standards as user accounts, including regular access reviews.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:54.065687+00:00",
          "updated_at": "2026-07-02T13:19:54.065687+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:54.065687+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-10 (DCF-10)",
              "description": "Drata control status for DCF-10",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.065687+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162407+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-11 (DCF-11)",
              "description": "Drata control status for DCF-11",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.065687+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162413+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-71 (DCF-71)",
              "description": "Drata control status for DCF-71",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.065687+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162419+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-68 (DCF-68)",
              "description": "Drata control status for DCF-68",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.065687+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162425+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-80 (DCF-80)",
              "description": "Drata control status for DCF-80",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.065687+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162431+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-102 (DCF-102)",
              "description": "Drata control status for DCF-102",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.065687+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162437+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-59 (DCF-59)",
              "description": "Drata control status for DCF-59",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.065687+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162442+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-2 (DCF-2)",
              "description": "Drata control status for DCF-2",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.065687+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162448+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-181 (DCF-181)",
              "description": "Drata control status for DCF-181",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.065687+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162454+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 9,
            "passed": 9,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              },
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              },
              {
                "test_id": 34,
                "name": "Internal Password Policy for Employees",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's internal policy that governs the passwords employees set across services.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 89,
                "enabled": true
              },
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              },
              {
                "test_id": 42,
                "name": "Data Classification Policy",
                "status": "PASSED",
                "description": "Drata inspected and confirmed that Sustainment Technologies Inc has a Data Classification Policy in order to identify the types of confidential information possessed by the entity and types of protection that were required.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 137,
                "enabled": true
              },
              {
                "test_id": 81,
                "name": "Least Privilege Policy for Customer Data Access",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's security policies and confirmed that they require that employees may only access the customer data they need in order to complete their jobs.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 3,
                "enabled": true
              },
              {
                "test_id": 119,
                "name": "Security Policies Cover Encryption",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they explain the procedures for encrypting sensitive data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 127,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-10",
              "DCF-11",
              "DCF-71",
              "DCF-68",
              "DCF-80",
              "DCF-102",
              "DCF-59",
              "DCF-2",
              "DCF-181"
            ]
          }
        },
        {
          "control_id": "DCF-10",
          "control_name": "System Access Control Policy",
          "control_description": "Sustainment Technologies Inc has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and employee transfers.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.531Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-10-evidence",
              "name": "System Access Control Policy (DCF-10)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162465+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-owner",
              "name": "Assigned Control Owner - System Access Control Policy (DCF-10)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162472+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-monitoring",
              "name": "Continuous Monitoring - System Access Control Policy (DCF-10)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162478+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 88,
          "explanation": "This Drata control satisfies KSI-IAM-SNU by establishing a formal process for managing access to systems, including non-user accounts (via reviews) and ensuring appropriate authorization before granting access – a key element of secure authentication. The annual reviews and request forms demonstrate ongoing monitoring and enforcement of access controls, aligning with FedRAMP’s need to verify only authorized access is permitted. Essentially, it proves STI actively *controls* who and what can access the system securely.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-11",
          "control_name": "Annual Access Control Review",
          "control_description": "Sustainment Technologies Inc performs annual access control reviews.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.537Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 150,
              "name": "User Access Review",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/150_User Access Review.xlsx",
              "updated_at": "2026-03-02T15:28:18.965Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162639+00:00",
                "status": "hashed",
                "sha256": "a83b78e92bd554ebc59378b2f58c3b86c8dfac37b561ea9ddea944b69ab811d9",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/150_User Access Review.xlsx",
                "filename": "150_User Access Review.xlsx",
                "size_bytes": 115456,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-11-owner",
              "name": "Assigned Control Owner - Annual Access Control Review (DCF-11)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162742+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-11-policy",
              "name": "Policy Documentation - Annual Access Control Review (DCF-11)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162748+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 89,
          "explanation": "Drata's \"Annual Access Control Review\" satisfies KSI-IAM-SNU by demonstrating a regular, documented process to identify and validate the necessity of non-user accounts (service accounts, etc.). This review ensures these accounts adhere to least privilege and are still required, effectively enforcing secure authentication methods as mandated by FedRAMP's KSI requirement and related NIST controls. Essentially, it proves ongoing monitoring & validation of these potentially vulnerable access points.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-71",
          "control_name": "Unique Accounts Used",
          "control_description": "Access to corporate network, production machines, network devices, and support tools requires a unique ID.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.769Z",
          "updated_at": "2026-06-15T13:35:37.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-71-evidence",
              "name": "Unique Accounts Used (DCF-71)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162754+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-owner",
              "name": "Assigned Control Owner - Unique Accounts Used (DCF-71)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162760+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-monitoring",
              "name": "Continuous Monitoring - Unique Accounts Used (DCF-71)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162767+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 98,
          "explanation": "Drata's \"Unique Accounts Used\" control directly addresses KSI-IAM-SNU by ensuring service and non-user accounts aren’t sharing credentials with individual users. This segregation, mapped to NIST AC-4 & AC-2, enforces stronger authentication and accountability – a core tenet of FedRAMP’s security baseline for protecting data accessed by automated processes. Essentially, it prevents privilege escalation and unauthorized access through compromised individual user accounts.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-68",
          "control_name": "Password Policy",
          "control_description": "Sustainment Technologies Inc has established formal guidelines for passwords to govern the management and use of authentication mechanisms.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.917Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-68-owner",
              "name": "Assigned Control Owner - Password Policy (DCF-68)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162773+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-68-monitoring",
              "name": "Continuous Monitoring - Password Policy (DCF-68)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162778+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-68-policy",
              "name": "Policy Documentation - Password Policy (DCF-68)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162784+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 24,
          "explanation": "Drata's \"Password Policy\" control addresses FedRAMP KSI-IAM-SNU by demonstrating a defined process for securing *authentication mechanisms* Ã¢â‚¬â€œ a key component of non-user/service account access. By establishing formal password guidelines (complexity, rotation, etc.), Sustainment Technologies Inc. enforces secure methods for these accounts, mitigating the risk of unauthorized access as required by the KSI. This aligns with NIST AC-2 (Account Management) and IA-3 (User Authentication) which underpin secure authentication practices.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 34,
                "name": "Internal Password Policy for Employees",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's internal policy that governs the passwords employees set across services.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 89,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-80",
          "control_name": "Log Management System",
          "control_description": "Sustainment Technologies Inc uses logging software that sends alerts to appropriate personnel. Corrective actions are performed, as necessary, in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.779Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 151,
              "name": "DataDog Security alerts sample",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/151_DataDog Security alerts sample.csv",
              "updated_at": "2026-03-02T15:57:18.424Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.162943+00:00",
                "status": "hashed",
                "sha256": "3a6f138a1019b8d39d01a2e02dc11e84fa1a8b504f306fadf42619746948a934",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/151_DataDog Security alerts sample.csv",
                "filename": "151_DataDog Security alerts sample.csv",
                "size_bytes": 82445,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-80-owner",
              "name": "Assigned Control Owner - Log Management System (DCF-80)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163023+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-80-monitoring",
              "name": "Continuous Monitoring - Log Management System (DCF-80)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163030+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 123,
          "explanation": "The Log Management System satisfies KSI-IAM-SNU by providing audit trails of activity from non-user accounts and services, enabling detection of unauthorized or anomalous behavior. These alerts allow for timely investigation and corrective action (as described), ensuring secure authentication isnÃ¢â‚¬â„¢t bypassed Ã¢â‚¬â€œ fulfilling the requirement to *enforce* secure methods even for automated accounts. This aligns with AC-2 (Account Management) by providing accountability and monitoring of system access.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-102",
          "control_name": "Data Classification",
          "control_description": "Sustainment Technologies Inc has established a data classification policy in order to identify the types of confidential information possessed by the entity and types of protection that are required.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.943Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-102-owner",
              "name": "Assigned Control Owner - Data Classification (DCF-102)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163037+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-102-monitoring",
              "name": "Continuous Monitoring - Data Classification (DCF-102)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163043+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-102-policy",
              "name": "Policy Documentation - Data Classification (DCF-102)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163049+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 29,
          "explanation": "Data Classification (KSI-IAM-SNU) supports the FedRAMP KSI requirement by identifying sensitive data accessed by non-user accounts/services, allowing for the application of appropriately strong authentication *based on risk*. Knowing *what* these accounts access (via classification) dictates the necessary security controls Ã¢â‚¬â€œ stronger authentication for higher-risk data, fulfilling the \"appropriately secure\" aspect of the requirement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 42,
                "name": "Data Classification Policy",
                "status": "PASSED",
                "description": "Drata inspected and confirmed that Sustainment Technologies Inc has a Data Classification Policy in order to identify the types of confidential information possessed by the entity and types of protection that were required.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 137,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-59",
          "control_name": "Role-Based Security Implementation",
          "control_description": "Role-based security is in place for internal and external users, including super admin users.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.904Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-59-evidence",
              "name": "Role-Based Security Implementation (DCF-59)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163055+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-59-owner",
              "name": "Assigned Control Owner - Role-Based Security Implementation (DCF-59)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163061+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-59-policy",
              "name": "Policy Documentation - Role-Based Security Implementation (DCF-59)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163067+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 21,
          "explanation": "Drata's Role-Based Security Implementation satisfies KSI-IAM-SNU by ensuring least privilege access is applied to *all* accounts Ã¢â‚¬â€œ including service and non-user accounts Ã¢â‚¬â€œ limiting their capabilities based on defined roles. This directly addresses the requirement for secure authentication methods by restricting what these accounts can access and do, preventing unauthorized actions and bolstering overall system security. The related NIST controls (AC-4, AC-2) further validate this approach to access control.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-2",
          "control_name": "Least-Privileged Policy for Sensitive Data Access",
          "control_description": "Sustainment Technologies Inc authorizes access to information resources, including data and the systems that store or process sensitive data, based on the principle of least privilege.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.139Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-2-monitoring",
              "name": "Continuous Monitoring - Least-Privileged Policy for Sensitive Data Access (DCF-2)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163073+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-2-policy",
              "name": "Policy Documentation - Least-Privileged Policy for Sensitive Data Access (DCF-2)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163079+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 63,
          "explanation": "This Drata control satisfies KSI-IAM-SNU by ensuring non-user accounts (services) only receive the *minimum* necessary permissions to function Ã¢â‚¬â€œ a core tenet of secure authentication. Limiting access via least privilege reduces the potential blast radius if a service account is compromised, effectively enforcing secure methods as required by the FedRAMP KSI. Essentially, it's not just *about* authentication, but *how much* access is granted *after* authentication for these non-human accounts.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 81,
                "name": "Least Privilege Policy for Customer Data Access",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's security policies and confirmed that they require that employees may only access the customer data they need in order to complete their jobs.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 3,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-181",
          "control_name": "Encryption Policy",
          "control_description": "Sustainment Technologies Inc has a defined policy that establishes requirements for the use of cryptographic controls.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.777Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-181-owner",
              "name": "Assigned Control Owner - Encryption Policy (DCF-181)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163086+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-181-monitoring",
              "name": "Continuous Monitoring - Encryption Policy (DCF-181)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163092+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-181-policy",
              "name": "Policy Documentation - Encryption Policy (DCF-181)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163098+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 100,
          "explanation": "Drata's \"Encryption Policy\" satisfies KSI-IAM-SNU by demonstrating a foundational security practice necessary for securing non-user accounts and services. The policy likely outlines requirements for key management and strong cryptography, ensuring sensitive credentials and communications used by these accounts are protected from unauthorized access Ã¢â‚¬â€œ a core tenet of secure authentication as required by FedRAMP. This aligns with NIST IA-3, which covers protecting information at rest, a crucial aspect of securing service accounts.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 119,
                "name": "Security Policies Cover Encryption",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they explain the procedures for encrypting sensitive data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 127,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "Sustainment Technologies' System Access Control Policy and Encryption Policy require secure authentication methods for all non-user accounts and services. This is implemented through managed credential keys, enforced password policies for service accounts, data classification-based access controls, role-based security assignments, and least-privileged access policies for sensitive data. Drata monitors service account authentication configurations and validates that non-user accounts follow the same security standards as user accounts, including regular access reviews.\n### Key Controls\n- [OK] System Access Control Policy (DCF-10)\n- [OK] Annual Access Control Review (DCF-11)\n- [OK] Unique Accounts Used (DCF-71)\n- [OK] Password Policy (DCF-68)\n- [OK] Log Management System (DCF-80)\n- [OK] Data Classification (DCF-102)\n- [OK] Role-Based Security Implementation (DCF-59)\n- [OK] Least-Privileged Policy for Sensitive Data Access (DCF-2)\n- [OK] Encryption Policy (DCF-181)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:54.065687+00:00",
      "ksi_name": "Securing Non-User Authentication",
      "category": "IAM",
      "statement": "Enforce appropriately secure authentication methods for non-user accounts and services.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/identity-and-access-management/",
      "nist_controls": [
        "AC-2",
        "AC-2.2",
        "AC-4",
        "AC-6.5",
        "IA-3",
        "IA-5.2",
        "RA-5.5"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment secures all non-user accounts and services through managed credential keys, enforced password policies, data classification-based access controls, and role-based least-privileged access.",
        "failure_condition": "A non-user account or service account with excessive privileges, API keys not rotated within the policy period, or unused credentials not removed will cause a failure of the test. Additionally, unique account usage, data classification controls, role-based security implementation, least-privileged access for sensitive data, encryption policies, and a log management system must be in place to ensure non-user authentication is secure and managed."
      },
      "outcome_metrics": [
        {
          "statement": "Service accounts and API keys use short-lived credentials and are inventoried",
          "metric_name": "Integrity",
          "target_value": "100% of service accounts inventoried; 0 long-lived static credentials in use",
          "target_unit": "",
          "frequency": "Monthly",
          "source": "Service account inventory; secrets manager audit; Drata checks",
          "notes": "Static long-lived credential found or undocumented service account detected"
        }
      ],
      "monitoring": {
        "total_tests": 9,
        "passed": 9,
        "failed": 0,
        "controls_with_monitoring": 7,
        "monitoring_coverage": 70.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-IAM-SUS",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:57.964246+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-10 (DCF-10)",
          "control_id": "DCF-10",
          "status": "Passing",
          "description": "Drata control status for DCF-10",
          "date": "2026-07-02T13:19:57.964246+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-68 (DCF-68)",
          "control_id": "DCF-68",
          "status": "Passing",
          "description": "Drata control status for DCF-68",
          "date": "2026-07-02T13:19:57.964246+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-67 (DCF-67)",
          "control_id": "DCF-67",
          "status": "Passing",
          "description": "Drata control status for DCF-67",
          "date": "2026-07-02T13:19:57.964246+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-80 (DCF-80)",
          "control_id": "DCF-80",
          "status": "Passing",
          "description": "Drata control status for DCF-80",
          "date": "2026-07-02T13:19:57.964246+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-71 (DCF-71)",
          "control_id": "DCF-71",
          "status": "Passing",
          "description": "Drata control status for DCF-71",
          "date": "2026-07-02T13:19:57.964246+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-11 (DCF-11)",
          "control_id": "DCF-11",
          "status": "Passing",
          "description": "Drata control status for DCF-11",
          "date": "2026-07-02T13:19:57.964246+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-59 (DCF-59)",
          "control_id": "DCF-59",
          "status": "Passing",
          "description": "Drata control status for DCF-59",
          "date": "2026-07-02T13:19:57.964246+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-IAM-SUS",
          "control_name": "Custom Automated Check: KSI-IAM-SUS",
          "control_description": "7/7 mapped controls passing; Sustainment Technologies' System Access Control Policy requires automatic response to suspicious activity on privileged accounts, including disabling or securing compromised credentials. This is implemented through centralized log management that detects anomalous account behavior, enforced MFA and password policies, unique account attribution, and role-based access controls that limit the impact of compromised accounts. Drata monitors account activity and access patterns, while annual access reviews ensure that privileged accounts maintain appropriate controls for rapid response to suspicious events.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:57.964246+00:00",
          "updated_at": "2026-07-02T13:19:57.964246+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:57.964246+00:00",
          "requirements_updated_at": "",
          "evidence_count": 7,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-10 (DCF-10)",
              "description": "Drata control status for DCF-10",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.964246+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163105+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-68 (DCF-68)",
              "description": "Drata control status for DCF-68",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.964246+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163111+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-67 (DCF-67)",
              "description": "Drata control status for DCF-67",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.964246+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163123+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-80 (DCF-80)",
              "description": "Drata control status for DCF-80",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.964246+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163130+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-71 (DCF-71)",
              "description": "Drata control status for DCF-71",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.964246+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163135+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-11 (DCF-11)",
              "description": "Drata control status for DCF-11",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.964246+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163141+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-59 (DCF-59)",
              "description": "Drata control status for DCF-59",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.964246+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163147+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 8,
            "passed": 8,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              },
              {
                "test_id": 34,
                "name": "Internal Password Policy for Employees",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's internal policy that governs the passwords employees set across services.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 89,
                "enabled": true
              },
              {
                "test_id": 33,
                "name": "MFA on Cloud Infrastructure",
                "status": "PASSED",
                "description": "Drata validated that each cloud infrastructure provider account has MFA enabled.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 88,
                "enabled": true
              },
              {
                "test_id": 31,
                "name": "MFA on Identity Provider",
                "status": "PASSED",
                "description": "Drata validated that each identity provider account has MFA enabled.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 86,
                "enabled": true
              },
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              },
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-10",
              "DCF-68",
              "DCF-67",
              "DCF-80",
              "DCF-71",
              "DCF-11",
              "DCF-59"
            ]
          }
        },
        {
          "control_id": "DCF-10",
          "control_name": "System Access Control Policy",
          "control_description": "Sustainment Technologies Inc has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and employee transfers.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.531Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-10-evidence",
              "name": "System Access Control Policy (DCF-10)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163153+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-owner",
              "name": "Assigned Control Owner - System Access Control Policy (DCF-10)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163159+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-monitoring",
              "name": "Continuous Monitoring - System Access Control Policy (DCF-10)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163165+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 88,
          "explanation": "While the described control doesn't *directly* automate disabling accounts upon suspicious activity, the annual access reviews (AC-2) and formalized access request process (AC-7) enable quick identification of anomalous access Ã¢â‚¬â€œ a prerequisite for timely disabling/securing of compromised privileged accounts (addressing KSI-IAM-SUS). By regularly verifying access rights and having a documented process for changes, the organization can efficiently respond to and remediate suspicious activity impacting privileged access, fulfilling the *intent* of the FedRAMP requirement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-68",
          "control_name": "Password Policy",
          "control_description": "Sustainment Technologies Inc has established formal guidelines for passwords to govern the management and use of authentication mechanisms.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.917Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-68-owner",
              "name": "Assigned Control Owner - Password Policy (DCF-68)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163171+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-68-monitoring",
              "name": "Continuous Monitoring - Password Policy (DCF-68)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163177+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-68-policy",
              "name": "Policy Documentation - Password Policy (DCF-68)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163183+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 24,
          "explanation": "While seemingly unrelated, a strong Password Policy (AC-2, AC-7) *supports* KSI-IAM-SUS by enforcing regular password changes and complexity. This reduces the lifespan of potentially compromised credentials, limiting the window of opportunity for attackers to exploit privileged access *before* suspicious activity is detected and accounts are disabled Ã¢â‚¬â€œ fulfilling the intent of rapidly securing access in response to threats. Essentially, it's a foundational preventative measure bolstering the reactive control needed for FedRAMP compliance.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 34,
                "name": "Internal Password Policy for Employees",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's internal policy that governs the passwords employees set across services.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 89,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-67",
          "control_name": "MFA on Accounts",
          "control_description": "Sustainment Technologies Inc requires two factor authentication to access sensitive systems and applications in the form of user ID, password, OTP and/or certificate.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.912Z",
          "updated_at": "2026-07-01T14:26:23.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": 2,
              "name": "MFA on IDP accounts",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/2_MFA on IDP accounts.png",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163344+00:00",
                "status": "hashed",
                "sha256": "2fe9f3100c7247bbf490f2d77638913cc9c134f8b67c14344a98d1a1a87bf097",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/2_MFA on IDP accounts.png",
                "filename": "2_MFA on IDP accounts.png",
                "size_bytes": 271485,
                "modified_at": "2026-07-02T13:17:01+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 1,
              "name": "MFA on VCS Accounts",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/1_MFA on VCS Accounts.png",
              "updated_at": "2026-04-29T13:20:19.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.163707+00:00",
                "status": "hashed",
                "sha256": "51e20eaa89e609873b15e2573c717eea67ccfc037b2d8b791a336329dda9795f",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/1_MFA on VCS Accounts.png",
                "filename": "1_MFA on VCS Accounts.png",
                "size_bytes": 438374,
                "modified_at": "2026-07-02T13:17:01+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-67-owner",
              "name": "Assigned Control Owner - MFA on Accounts (DCF-67)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-07-01T14:26:23.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164033+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 23,
          "explanation": "Drata's \"MFA on Accounts\" control directly addresses KSI-IAM-SUS by adding a critical layer of security to privileged access. Requiring MFA (like OTP or certificates) significantly reduces the risk of unauthorized access even if credentials are compromised due to suspicious activity, effectively securing those accounts Ã¢â‚¬â€œ fulfilling the FedRAMP requirement for automatic account security in response to threats. This aligns with NIST AC-7's focus on access enforcement through multi-factor authentication.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 33,
                "name": "MFA on Cloud Infrastructure",
                "status": "PASSED",
                "description": "Drata validated that each cloud infrastructure provider account has MFA enabled.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 88,
                "enabled": true
              },
              {
                "test_id": 31,
                "name": "MFA on Identity Provider",
                "status": "PASSED",
                "description": "Drata validated that each identity provider account has MFA enabled.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 86,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-80",
          "control_name": "Log Management System",
          "control_description": "Sustainment Technologies Inc uses logging software that sends alerts to appropriate personnel. Corrective actions are performed, as necessary, in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.779Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 151,
              "name": "DataDog Security alerts sample",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/151_DataDog Security alerts sample.csv",
              "updated_at": "2026-03-02T15:57:18.424Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164198+00:00",
                "status": "hashed",
                "sha256": "3a6f138a1019b8d39d01a2e02dc11e84fa1a8b504f306fadf42619746948a934",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/151_DataDog Security alerts sample.csv",
                "filename": "151_DataDog Security alerts sample.csv",
                "size_bytes": 82445,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-80-owner",
              "name": "Assigned Control Owner - Log Management System (DCF-80)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164282+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-80-monitoring",
              "name": "Continuous Monitoring - Log Management System (DCF-80)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164289+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 123,
          "explanation": "This Drata control satisfies KSI-IAM-SUS by providing the *detection* component of responding to suspicious activity Ã¢â‚¬â€œ the logging system alerts personnel to potential issues with privileged accounts (meeting AC-2). While the control description doesn't *automatically* disable, it states \"corrective actions are performed,\" demonstrating a process to secure those accounts upon alert, fulfilling the requirement to disable or secure them in response to suspicious behavior. Essentially, itÃ¢â‚¬â„¢s a monitored process enabling timely response, rather than fully automated disabling.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-71",
          "control_name": "Unique Accounts Used",
          "control_description": "Access to corporate network, production machines, network devices, and support tools requires a unique ID.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.769Z",
          "updated_at": "2026-06-15T13:35:37.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-71-evidence",
              "name": "Unique Accounts Used (DCF-71)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164295+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-owner",
              "name": "Assigned Control Owner - Unique Accounts Used (DCF-71)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164301+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-monitoring",
              "name": "Continuous Monitoring - Unique Accounts Used (DCF-71)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164307+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 98,
          "explanation": "Drata's \"Unique Accounts Used\" control helps satisfy KSI-IAM-SUS by ensuring clear accountability and facilitating rapid response to suspicious activity. Because each user has a distinct ID, compromised accounts can be *specifically* disabled or secured without impacting other users sharing a generic account Ã¢â‚¬â€œ a key element of the FedRAMP requirement. This aligns with AC-2 by enforcing individualized access control and enabling effective incident response.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-11",
          "control_name": "Annual Access Control Review",
          "control_description": "Sustainment Technologies Inc performs annual access control reviews.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.537Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 150,
              "name": "User Access Review",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/150_User Access Review.xlsx",
              "updated_at": "2026-03-02T15:28:18.965Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164469+00:00",
                "status": "hashed",
                "sha256": "a83b78e92bd554ebc59378b2f58c3b86c8dfac37b561ea9ddea944b69ab811d9",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/150_User Access Review.xlsx",
                "filename": "150_User Access Review.xlsx",
                "size_bytes": 115456,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-11-owner",
              "name": "Assigned Control Owner - Annual Access Control Review (DCF-11)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164573+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-11-policy",
              "name": "Policy Documentation - Annual Access Control Review (DCF-11)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164579+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 89,
          "explanation": "While an *annual* review isn't directly automated, it satisfies KSI-IAM-SUS by identifying potentially compromised or inappropriately privileged accounts Ã¢â‚¬â€œ a form of \"suspicious activity.\" This review process allows Sustainment Technologies Inc. to *then* disable or remediate access for those accounts, fulfilling the requirement for a response to suspicious activity, and aligns with AC-2Ã¢â‚¬â„¢s focus on access rights management. It's a detective control feeding into a corrective action.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-59",
          "control_name": "Role-Based Security Implementation",
          "control_description": "Role-based security is in place for internal and external users, including super admin users.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.904Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-59-evidence",
              "name": "Role-Based Security Implementation (DCF-59)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164586+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-59-owner",
              "name": "Assigned Control Owner - Role-Based Security Implementation (DCF-59)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164592+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-59-policy",
              "name": "Policy Documentation - Role-Based Security Implementation (DCF-59)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164598+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 21,
          "explanation": "Drata's Role-Based Security Implementation directly addresses KSI-IAM-SUS by enabling rapid response to suspicious activity through privilege reduction. By assigning least-privilege access via roles, compromised accounts are limited in scope, and administrators can quickly revoke or disable role access Ã¢â‚¬â€œ effectively securing those accounts Ã¢â‚¬â€œ as part of incident response. This aligns with AC-2's focus on access enforcement and satisfies the FedRAMP requirement for securing privileged accounts upon detection of suspicious behavior.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' System Access Control Policy requires automatic response to suspicious activity on privileged accounts, including disabling or securing compromised credentials. This is implemented through centralized log management that detects anomalous account behavior, enforced MFA and password policies, unique account attribution, and role-based access controls that limit the impact of compromised accounts. Drata monitors account activity and access patterns, while annual access reviews ensure that privileged accounts maintain appropriate controls for rapid response to suspicious events.\n### Key Controls\n- [OK] System Access Control Policy (DCF-10)\n- [OK] Password Policy (DCF-68)\n- [OK] MFA on Accounts (DCF-67)\n- [OK] Log Management System (DCF-80)\n- [OK] Unique Accounts Used (DCF-71)\n- [OK] Annual Access Control Review (DCF-11)\n- [OK] Role-Based Security Implementation (DCF-59)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:57.964246+00:00",
      "ksi_name": "Responding to Suspicious Activity",
      "category": "IAM",
      "statement": "Automatically disable or otherwise secure accounts with privileged access in response to suspicious activity.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/identity-and-access-management/",
      "nist_controls": [
        "AC-2",
        "AC-2.1",
        "AC-2.3",
        "AC-2.13",
        "AC-7",
        "PS-4",
        "PS-8"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment automatically responds to suspicious activity on privileged accounts through centralized log management, anomalous behavior detection, enforced MFA, and unique account attribution.",
        "failure_condition": "Suspicious activity not triggering an account disable within the defined SLA, failure to detect anomalous account behavior, or inability to attribute activity to unique accounts will cause a failure of the test. Additionally, MFA enforcement, password policy compliance, role-based security implementation, annual access reviews, and a centralized log management system must be in place to ensure suspicious activity is detected and responded to promptly."
      },
      "outcome_metrics": [
        {
          "statement": "Suspicious account activity triggers automated detection and timely response",
          "metric_name": "Detection",
          "target_value": "100% of suspicious-activity policies active; mean-time-to-alert <= 15 min",
          "target_unit": "",
          "frequency": "Monthly",
          "source": "SIEM alert rules; IdP anomaly detection; incident response records",
          "notes": "Suspicious activity not alerted within 15 minutes or alert policy inactive"
        }
      ],
      "monitoring": {
        "total_tests": 8,
        "passed": 8,
        "failed": 0,
        "controls_with_monitoring": 5,
        "monitoring_coverage": 62.5,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-INR-AAR",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:57.100723+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-29 (DCF-29)",
          "control_id": "DCF-29",
          "status": "Passing",
          "description": "Drata control status for DCF-29",
          "date": "2026-07-02T13:19:57.100723+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-159 (DCF-159)",
          "control_id": "DCF-159",
          "status": "Passing",
          "description": "Drata control status for DCF-159",
          "date": "2026-07-02T13:19:57.100723+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-25 (DCF-25)",
          "control_id": "DCF-25",
          "status": "Passing",
          "description": "Drata control status for DCF-25",
          "date": "2026-07-02T13:19:57.100723+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-131 (DCF-131)",
          "control_id": "DCF-131",
          "status": "Passing",
          "description": "Drata control status for DCF-131",
          "date": "2026-07-02T13:19:57.100723+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-154 (DCF-154)",
          "control_id": "DCF-154",
          "status": "Passing",
          "description": "Drata control status for DCF-154",
          "date": "2026-07-02T13:19:57.100723+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-51 (DCF-51)",
          "control_id": "DCF-51",
          "status": "Passing",
          "description": "Drata control status for DCF-51",
          "date": "2026-07-02T13:19:57.100723+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-30 (DCF-30)",
          "control_id": "DCF-30",
          "status": "Passing",
          "description": "Drata control status for DCF-30",
          "date": "2026-07-02T13:19:57.100723+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-28 (DCF-28)",
          "control_id": "DCF-28",
          "status": "Passing",
          "description": "Drata control status for DCF-28",
          "date": "2026-07-02T13:19:57.100723+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-INR-AAR",
          "control_name": "Custom Automated Check: KSI-INR-AAR",
          "control_description": "8/8 mapped controls passing; Sustainment Technologies' Incident Response Plan requires the generation of after-action reports following every security incident, with lessons learned incorporated into future procedures. This is implemented through a structured incident report template, a dedicated incident response team, tracked follow-up items, prioritized security issue remediation, and annual incident response testing. Drata monitors that follow-ups are completed, patches are applied, and the Security Steering Committee reviews lessons learned to drive continuous improvement in incident handling.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:57.100723+00:00",
          "updated_at": "2026-07-02T13:19:57.100723+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:57.100723+00:00",
          "requirements_updated_at": "",
          "evidence_count": 8,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-29 (DCF-29)",
              "description": "Drata control status for DCF-29",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.100723+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164605+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-159 (DCF-159)",
              "description": "Drata control status for DCF-159",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.100723+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164611+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-25 (DCF-25)",
              "description": "Drata control status for DCF-25",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.100723+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164617+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-131 (DCF-131)",
              "description": "Drata control status for DCF-131",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.100723+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164623+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-154 (DCF-154)",
              "description": "Drata control status for DCF-154",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.100723+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164629+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-51 (DCF-51)",
              "description": "Drata control status for DCF-51",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.100723+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164635+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-30 (DCF-30)",
              "description": "Drata control status for DCF-30",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.100723+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164640+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-28 (DCF-28)",
              "description": "Drata control status for DCF-28",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.100723+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164646+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 6,
            "passed": 6,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              },
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              },
              {
                "test_id": 12,
                "name": "Disaster Recovery Plan",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Disaster Recovery Plan and confirmed that it outlines roles and responsibilities and detailed procedures for recovery of systems.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 28,
                "enabled": true
              },
              {
                "test_id": 134,
                "name": "Security Patches Auto-Applied on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices are configured to apply  system security patches automatically.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 65,
                "enabled": true
              },
              {
                "test_id": 89,
                "name": "IRP Includes Lessons Learned",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it included a section about documenting \"Lessons Learned\" after incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 35,
                "enabled": true
              },
              {
                "test_id": 87,
                "name": "Policies for Tracking Security Items",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it included a section about tracking follow-ups after an incident.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 32,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-29",
              "DCF-159",
              "DCF-25",
              "DCF-131",
              "DCF-154",
              "DCF-51",
              "DCF-30",
              "DCF-28"
            ]
          }
        },
        {
          "control_id": "DCF-29",
          "control_name": "Incident Response Team",
          "control_description": "Sustainment Technologies Inc has identified an incident response team that quantifies and monitors incidents involving security, availability, processing integrity, and confidentiality at the company.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.562Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-29-evidence",
              "name": "Incident Response Team (DCF-29)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164653+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-owner",
              "name": "Assigned Control Owner - Incident Response Team (DCF-29)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164659+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-monitoring",
              "name": "Continuous Monitoring - Incident Response Team (DCF-29)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164665+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 74,
          "explanation": "This Drata control addresses KSI-INR-AAR by demonstrating a dedicated team actively *monitoring* incidents (fulfilling reporting needs) and, through quantification, providing data for *after-action reviews*. The existence of this team and their incident handling process inherently supports the persistent incorporation of lessons learned to improve future responses – a core tenet of the FedRAMP KSI requirement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-159",
          "control_name": "Incident Response Plan",
          "control_description": "Sustainment Technologies Inc has an established Incident Response Plan that outlines management responsibilities and procedures to ensure a quick, effective, and orderly response to information security incidents and annual testing.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.576Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-159-evidence",
              "name": "Incident Response Plan (DCF-159)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164671+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-owner",
              "name": "Assigned Control Owner - Incident Response Plan (DCF-159)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164677+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-monitoring",
              "name": "Continuous Monitoring - Incident Response Plan (DCF-159)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164683+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 77,
          "explanation": "The Drata control \"Incident Response Plan\" satisfies KSI-INR-AAR by demonstrating a defined process for analyzing incidents *after* they occur – a key component of after-action reporting. The annual testing aspect ensures the plan is reviewed and updated with lessons learned, fulfilling the requirement for persistent incorporation of improvements into incident handling procedures. This directly supports FedRAMP's need for continuous improvement in security incident management.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-25",
          "control_name": "Disaster Recovery Plan",
          "control_description": "Sustainment Technologies Inc has an established Disaster Recovery Plan that outlines roles and responsibilities and detailed procedures for recovery of systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.870Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-25-owner",
              "name": "Assigned Control Owner - Disaster Recovery Plan (DCF-25)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164689+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-25-monitoring",
              "name": "Continuous Monitoring - Disaster Recovery Plan (DCF-25)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164695+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-25-policy",
              "name": "Policy Documentation - Disaster Recovery Plan (DCF-25)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164701+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 10,
          "explanation": "The Disaster Recovery Plan (DRP) satisfies KSI-INR-AAR by detailing procedures to *restore* systems after an incident – forming the basis for an \"after-action\" review. Analyzing deviations from the DRP during a recovery exercise or actual incident generates lessons learned, which, if incorporated into future DRP updates (as implied by plan sustainment), fulfills the requirement for persistent incorporation of those lessons. This aligns with NIST IR-8's focus on incident handling and improvement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 12,
                "name": "Disaster Recovery Plan",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Disaster Recovery Plan and confirmed that it outlines roles and responsibilities and detailed procedures for recovery of systems.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 28,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-131",
          "control_name": "Incident Report Template and Process",
          "control_description": "Sustainment Technologies Inc has incident management procedures that include detailed instructions on how to escalate a suspected incident to the Information Security Team and, when necessary, to the Privacy or Legal department. Sustainment Technologies Inc has a standard incident report template th",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.797Z",
          "updated_at": "2025-11-24T13:51:34.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-131-owner",
              "name": "Assigned Control Owner - Incident Report Template and Process (DCF-131)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164707+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-131-policy",
              "name": "Policy Documentation - Incident Report Template and Process (DCF-131)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164713+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 152,
          "explanation": "Drata's \"Incident Report Template and Process\" satisfies KSI-INR-AAR by demonstrating a formalized system for documenting incidents *after* they occur – fulfilling the \"generate incident after action reports\" portion. The detailed template and escalation procedures inherently facilitate capturing lessons learned from each incident, enabling persistent incorporation of those learnings into future prevention and response efforts, thus meeting the requirement for continuous improvement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-154",
          "control_name": "Annual Incident Response Test",
          "control_description": "Sustainment Technologies Inc ensures that incident response plan testing is performed on an annual basis.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.974Z",
          "updated_at": "2025-11-24T13:51:34.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-154-evidence",
              "name": "Annual Incident Response Test (DCF-154)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164720+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-154-policy",
              "name": "Policy Documentation - Annual Incident Response Test (DCF-154)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164726+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 126,
          "explanation": "Drata's \"Annual Incident Response Test\" satisfies KSI-INR-AAR by demonstrating a periodic review of the incident response plan *after* simulated incidents – effectively generating an \"after action report\" through test results and identified gaps. This testing process, aligned with NIST IR controls, ensures lessons learned from these exercises are documented and incorporated for continuous improvement of the incident response capability, fulfilling the persistent learning requirement of FedRAMP KSI.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-51",
          "control_name": "Security Patches Automatically Applied",
          "control_description": "Sustainment Technologies Inc's workstation operating system (OS) security patches are applied automatically.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.213Z",
          "updated_at": "2026-05-27T19:01:28.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-51-evidence",
              "name": "Security Patches Automatically Applied (DCF-51)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164733+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-51-owner",
              "name": "Assigned Control Owner - Security Patches Automatically Applied (DCF-51)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164739+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-51-monitoring",
              "name": "Continuous Monitoring - Security Patches Automatically Applied (DCF-51)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164745+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 117,
          "explanation": "While seemingly unrelated, automated patching (this control) directly supports KSI-INR-AAR by *reducing* the frequency & severity of incidents requiring after-action reports. Fewer, less impactful incidents mean focused lessons learned, and a robust patching process demonstrates a commitment to preventative measures – a key component of incorporating those lessons back into security practices, fulfilling the persistent improvement aspect of the requirement. Essentially, it lowers incident volume allowing for more effective post-incident analysis and remediation.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 134,
                "name": "Security Patches Auto-Applied on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices are configured to apply system security patches automatically.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 65,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-30",
          "control_name": "Lessons Learned",
          "control_description": "Sustainment Technologies Inc has implemented an Incident Response Plan that includes documenting \"Lessons Learned\" and \"Root Cause Analysis\" after incidents and sharing them with the broader engineering team to support Business Continuity/Disaster Recovery.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.566Z",
          "updated_at": "2025-12-03T18:49:49.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 163,
              "name": "Sample IR Response + Lessons Learned",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/163_Sample IR Response  Lessons Learned.pdf",
              "updated_at": "2026-06-23T18:52:27.200Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.164908+00:00",
                "status": "hashed",
                "sha256": "39e11bacf18fb01a18ac4565aa1866df90337e4976475988a98bce6ecd59a72f",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/163_Sample IR Response  Lessons Learned.pdf",
                "filename": "163_Sample IR Response  Lessons Learned.pdf",
                "size_bytes": 600019,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-30-monitoring",
              "name": "Continuous Monitoring - Lessons Learned (DCF-30)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-12-03T18:49:49.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165388+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-30-policy",
              "name": "Policy Documentation - Lessons Learned (DCF-30)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-12-03T18:49:49.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165395+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 75,
          "explanation": "This Drata control satisfies KSI-INR-AAR by demonstrating a process for documenting insights *after* security incidents – the \"Lessons Learned\" and Root Cause Analysis directly address the requirement to generate after-action reports. Sharing these findings with the engineering team ensures these learnings are *persistently incorporated* to improve future incident response and overall system resilience, fulfilling the continuous improvement aspect of the FedRAMP control.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 89,
                "name": "IRP Includes Lessons Learned",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it included a section about documenting \"Lessons Learned\" after incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 35,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-28",
          "control_name": "Follow-Ups Tracked",
          "control_description": "Sustainment Technologies Inc has implemented an Incident Response Plan that includes creating, prioritizing, assigning, and tracking follow-ups to completion and lending support to Business Continuity/Disaster Recovery.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.557Z",
          "updated_at": "2025-12-03T18:49:49.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-28-evidence",
              "name": "Follow-Ups Tracked (DCF-28)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-12-03T18:49:49.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165402+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-28-monitoring",
              "name": "Continuous Monitoring - Follow-Ups Tracked (DCF-28)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-12-03T18:49:49.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165409+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-28-policy",
              "name": "Policy Documentation - Follow-Ups Tracked (DCF-28)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-12-03T18:49:49.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165415+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 73,
          "explanation": "DrataÃ¢â‚¬â„¢s Ã¢â‚¬Å“Follow-Ups TrackedÃ¢â‚¬Â control directly addresses KSI-INR-AAR by demonstrating a formalized process for capturing actions identified *after* security incidents (via the Incident Response Plan). Tracking these follow-ups to completion Ã¢â‚¬â€œ and linking them to BCDR Ã¢â‚¬â€œ proves lessons learned are not just documented, but *persistently incorporated* into ongoing improvements, fulfilling the FedRAMP requirement for continuous learning and adaptation.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 87,
                "name": "Policies for Tracking Security Items",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it included a section about tracking follow-ups after an incident.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 32,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "Sustainment Technologies' Incident Response Plan requires the generation of after-action reports following every security incident, with lessons learned incorporated into future procedures. This is implemented through a structured incident report template, a dedicated incident response team, tracked follow-up items, prioritized security issue remediation, and annual incident response testing. Drata monitors that follow-ups are completed, patches are applied, and the Security Steering Committee reviews lessons learned to drive continuous improvement in incident handling.\n### Key Controls\n- [OK] Incident Response Team (DCF-29)\n- [OK] Incident Response Plan (DCF-159)\n- [OK] Disaster Recovery Plan (DCF-25)\n- [OK] Incident Report Template and Process (DCF-131)\n- [OK] Annual Incident Response Test (DCF-154)\n- [OK] Security Patches Automatically Applied (DCF-51)\n- [OK] Lessons Learned (DCF-30)\n- [OK] Follow-Ups Tracked (DCF-28)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:57.100723+00:00",
      "ksi_name": "Generating After Action Reports",
      "category": "INR",
      "statement": "Generate incident after action reports and persistently incorporate lessons learned.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/incident-response/",
      "nist_controls": [
        "IR-3",
        "IR-4",
        "IR-4.1",
        "IR-8"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment generates after-action reports following every security incident, with lessons learned documented and incorporated into future incident response procedures.",
        "failure_condition": "An incident closed without an after-action report, lessons learned not documented, or follow-up items not tracked to resolution will cause a failure of the test. Additionally, an incident response plan, incident report template, incident response team, disaster recovery plan, prioritized security issue remediation, and annual incident response testing must be in place to ensure after-action reporting is thorough and actionable."
      },
      "outcome_metrics": [
        {
          "statement": "After-action reports completed for every qualifying incident within required SLA",
          "metric_name": "Completion",
          "target_value": "100% of qualifying incidents have AAR; AAR completed within 5 business days",
          "target_unit": "",
          "frequency": "Per incident",
          "source": "Incident management system; AAR document register",
          "notes": "Qualifying incident without AAR or AAR not completed within 5 business days"
        }
      ],
      "monitoring": {
        "total_tests": 6,
        "passed": 6,
        "failed": 0,
        "controls_with_monitoring": 6,
        "monitoring_coverage": 66.7,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-INR-RIR",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:57.290448+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-159 (DCF-159)",
          "control_id": "DCF-159",
          "status": "Passing",
          "description": "Drata control status for DCF-159",
          "date": "2026-07-02T13:19:57.290448+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-29 (DCF-29)",
          "control_id": "DCF-29",
          "status": "Passing",
          "description": "Drata control status for DCF-29",
          "date": "2026-07-02T13:19:57.290448+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-25 (DCF-25)",
          "control_id": "DCF-25",
          "status": "Passing",
          "description": "Drata control status for DCF-25",
          "date": "2026-07-02T13:19:57.290448+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-18 (DCF-18)",
          "control_id": "DCF-18",
          "status": "Passing",
          "description": "Drata control status for DCF-18",
          "date": "2026-07-02T13:19:57.290448+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-131 (DCF-131)",
          "control_id": "DCF-131",
          "status": "Passing",
          "description": "Drata control status for DCF-131",
          "date": "2026-07-02T13:19:57.290448+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-30 (DCF-30)",
          "control_id": "DCF-30",
          "status": "Passing",
          "description": "Drata control status for DCF-30",
          "date": "2026-07-02T13:19:57.290448+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-28 (DCF-28)",
          "control_id": "DCF-28",
          "status": "Passing",
          "description": "Drata control status for DCF-28",
          "date": "2026-07-02T13:19:57.290448+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-81 (DCF-81)",
          "control_id": "DCF-81",
          "status": "Passing",
          "description": "Drata control status for DCF-81",
          "date": "2026-07-02T13:19:57.290448+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-27 (DCF-27)",
          "control_id": "DCF-27",
          "status": "Passing",
          "description": "Drata control status for DCF-27",
          "date": "2026-07-02T13:19:57.290448+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-INR-RIR",
          "control_name": "Custom Automated Check: KSI-INR-RIR",
          "control_description": "9/9 mapped controls passing; Sustainment Technologies' Incident Response Plan establishes documented procedures for detecting, responding to, and recovering from security incidents. These procedures are implemented by a dedicated incident response team using structured report templates, tracked follow-ups, lessons learned processes, and quarterly vulnerability scans that inform procedure updates. Drata continuously monitors incident response readiness across multiple controls, and the Security Steering Committee reviews procedure effectiveness to ensure response capabilities keep pace with the evolving threat landscape.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:57.290448+00:00",
          "updated_at": "2026-07-02T13:19:57.290448+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:57.290448+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-159 (DCF-159)",
              "description": "Drata control status for DCF-159",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.290448+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165422+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-29 (DCF-29)",
              "description": "Drata control status for DCF-29",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.290448+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165428+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-25 (DCF-25)",
              "description": "Drata control status for DCF-25",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.290448+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165434+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-18 (DCF-18)",
              "description": "Drata control status for DCF-18",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.290448+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165439+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-131 (DCF-131)",
              "description": "Drata control status for DCF-131",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.290448+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165445+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-30 (DCF-30)",
              "description": "Drata control status for DCF-30",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.290448+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165451+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-28 (DCF-28)",
              "description": "Drata control status for DCF-28",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.290448+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165461+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-81 (DCF-81)",
              "description": "Drata control status for DCF-81",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.290448+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165468+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-27 (DCF-27)",
              "description": "Drata control status for DCF-27",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.290448+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165474+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 10,
            "passed": 10,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:02.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              },
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              },
              {
                "test_id": 12,
                "name": "Disaster Recovery Plan",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Disaster Recovery Plan and confirmed that it outlines roles and responsibilities and detailed procedures for recovery of systems.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 28,
                "enabled": true
              },
              {
                "test_id": 66,
                "name": "Vulnerability Scanning",
                "status": "PASSED",
                "description": "Drata validated that a vulnerability scanning system is connected to Drata.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 21,
                "enabled": true
              },
              {
                "test_id": 89,
                "name": "IRP Includes Lessons Learned",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it included a section about documenting \"Lessons Learned\" after incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 35,
                "enabled": true
              },
              {
                "test_id": 87,
                "name": "Policies for Tracking Security Items",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it included a section about tracking follow-ups after an incident.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 32,
                "enabled": true
              },
              {
                "test_id": 3,
                "name": "Database Read I/O Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that read I/O is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 114,
                "enabled": true
              },
              {
                "test_id": 2,
                "name": "Database Free Storage Space Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that free storage space is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 113,
                "enabled": true
              },
              {
                "test_id": 1,
                "name": "Database CPU Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that server CPU use is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 112,
                "enabled": true
              },
              {
                "test_id": 14,
                "name": "Zone Redundancy",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's infrastructure configurations and confirmed that multiple availability zones are utilized.",
                "last_run": "2026-07-01T18:28:01.000Z",
                "test_definition_id": 30,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-159",
              "DCF-29",
              "DCF-25",
              "DCF-18",
              "DCF-131",
              "DCF-30",
              "DCF-28",
              "DCF-81",
              "DCF-27"
            ]
          }
        },
        {
          "control_id": "DCF-159",
          "control_name": "Incident Response Plan",
          "control_description": "Sustainment Technologies Inc has an established Incident Response Plan that outlines management responsibilities and procedures to ensure a quick, effective, and orderly response to information security incidents and annual testing.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.576Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-159-evidence",
              "name": "Incident Response Plan (DCF-159)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165480+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-owner",
              "name": "Assigned Control Owner - Incident Response Plan (DCF-159)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165486+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-monitoring",
              "name": "Continuous Monitoring - Incident Response Plan (DCF-159)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165492+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 77,
          "explanation": "This Drata control satisfies KSI-INR-RIR by demonstrating a *documented* and *actively maintained* Incident Response Plan Ã¢â‚¬â€œ fulfilling the requirement for established procedures. The annual testing component proves **persistent review** of the plan's effectiveness, showing it's not just a static document but a regularly validated process for incident handling, as FedRAMP KSI demands.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-29",
          "control_name": "Incident Response Team",
          "control_description": "Sustainment Technologies Inc has identified an incident response team that quantifies and monitors incidents involving security, availability, processing integrity, and confidentiality at the company.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.562Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-29-evidence",
              "name": "Incident Response Team (DCF-29)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165498+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-owner",
              "name": "Assigned Control Owner - Incident Response Team (DCF-29)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165504+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-monitoring",
              "name": "Continuous Monitoring - Incident Response Team (DCF-29)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165510+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 74,
          "explanation": "This Drata control satisfies KSI-INR-RIR by demonstrating ongoing review of incident response effectiveness. Having a dedicated Incident Response Team actively *quantifies and monitors* incidents (as stated in the description) inherently involves reviewing past responses to identify areas for improvement Ã¢â‚¬â€œ fulfilling the \"persistently review\" requirement. The related NIST controls (IR-7, IR-4, etc.) further solidify this by outlining specific activities within incident handling *and* program improvement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-25",
          "control_name": "Disaster Recovery Plan",
          "control_description": "Sustainment Technologies Inc has an established Disaster Recovery Plan that outlines roles and responsibilities and detailed procedures for recovery of systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.870Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-25-owner",
              "name": "Assigned Control Owner - Disaster Recovery Plan (DCF-25)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165517+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-25-monitoring",
              "name": "Continuous Monitoring - Disaster Recovery Plan (DCF-25)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165523+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-25-policy",
              "name": "Policy Documentation - Disaster Recovery Plan (DCF-25)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165528+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 10,
          "explanation": "The Disaster Recovery Plan satisfies KSI-INR-RIR by demonstrating a documented process for system recovery, which is a *component* of incident response. Regularly maintaining and testing this plan (implied by \"established\" and related NIST controls IR-7 & IR-8) proves persistent review of incident response *procedures* – ensuring they remain effective for restoring services after a disruptive event, aligning with the FedRAMP requirement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 12,
                "name": "Disaster Recovery Plan",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Disaster Recovery Plan and confirmed that it outlines roles and responsibilities and detailed procedures for recovery of systems.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 28,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-18",
          "control_name": "Quarterly Vulnerability Scan",
          "control_description": "Sustainment Technologies Inc engages with third-party to conduct vulnerability scans of the production environment at least quarterly. Results are reviewed by management and high priority findings are tracked to resolution.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.858Z",
          "updated_at": "2026-05-11T12:55:17.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:22.000Z",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": 149,
              "name": "Vulnerability scanning - historical scans.",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/149_Vulnerability scanning - historical scans..zip",
              "updated_at": "2026-03-02T14:54:37.097Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.165708+00:00",
                "status": "hashed",
                "sha256": "1bca3af621b9ac72ecaf5ccb180f7c18cc49f95a24e05a54e8c83a05fa411b37",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/149_Vulnerability scanning - historical scans..zip",
                "filename": "149_Vulnerability scanning - historical scans..zip",
                "size_bytes": 629615,
                "modified_at": "2026-07-02T13:16:59+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 148,
              "name": "Vulnerability Scan Report repository (screenshot)",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/148_Vulnerability Scan Report repository (screenshot).png",
              "updated_at": "2026-03-02T14:51:39.054Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.166346+00:00",
                "status": "hashed",
                "sha256": "cbd856d7f75726db39106a98e93d3f94d3574bb28b0bc44483de3aa2a36f063e",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/148_Vulnerability Scan Report repository (screenshot).png",
                "filename": "148_Vulnerability Scan Report repository (screenshot).png",
                "size_bytes": 307470,
                "modified_at": "2026-07-02T13:16:59+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-18-owner",
              "name": "Assigned Control Owner - Quarterly Vulnerability Scan (DCF-18)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-11T12:55:17.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.166600+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 46,
          "explanation": "This Drata control satisfies KSI-INR-RIR by demonstrating a proactive approach to identifying and remediating potential security incidents *before* they occur. Quarterly vulnerability scans, with management review and tracked remediation, provide evidence of regularly assessing the effectiveness of incident response preparation – specifically, identifying weaknesses that could *trigger* an incident and ensuring systems are hardened. This aligns with the FedRAMP requirement for persistent review of incident response procedure effectiveness through continuous monitoring and improvement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 66,
                "name": "Vulnerability Scanning",
                "status": "PASSED",
                "description": "Drata validated that a vulnerability scanning system is connected to Drata.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 21,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-131",
          "control_name": "Incident Report Template and Process",
          "control_description": "Sustainment Technologies Inc has incident management procedures that include detailed instructions on how to escalate a suspected incident to the Information Security Team and, when necessary, to the Privacy or Legal department. Sustainment Technologies Inc has a standard incident report template th",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.797Z",
          "updated_at": "2025-11-24T13:51:34.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-131-owner",
              "name": "Assigned Control Owner - Incident Report Template and Process (DCF-131)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.166607+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-131-policy",
              "name": "Policy Documentation - Incident Report Template and Process (DCF-131)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.166613+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 152,
          "explanation": "This Drata control satisfies KSI-INR-RIR by demonstrating a *process* for handling incidents – the template and escalation paths ensure incidents are reported and acted upon. Regularly using this template (as evidenced by incident reports) inherently provides a review mechanism to assess the *effectiveness* of the documented incident response procedures, fulfilling the persistent review requirement of the KSI. Essentially, the act of *using* the process *is* the review.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-30",
          "control_name": "Lessons Learned",
          "control_description": "Sustainment Technologies Inc has implemented an Incident Response Plan that includes documenting “Lessons Learned” and \"Root Cause Analysis\" after incidents and sharing them with the broader engineering team to support Business Continuity/Disaster Recovery.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.566Z",
          "updated_at": "2025-12-03T18:49:49.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 163,
              "name": "Sample IR Response + Lessons Learned",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/163_Sample IR Response  Lessons Learned.pdf",
              "updated_at": "2026-06-23T18:52:27.200Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.166775+00:00",
                "status": "hashed",
                "sha256": "39e11bacf18fb01a18ac4565aa1866df90337e4976475988a98bce6ecd59a72f",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/163_Sample IR Response  Lessons Learned.pdf",
                "filename": "163_Sample IR Response  Lessons Learned.pdf",
                "size_bytes": 600019,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-30-monitoring",
              "name": "Continuous Monitoring - Lessons Learned (DCF-30)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-12-03T18:49:49.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167246+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-30-policy",
              "name": "Policy Documentation - Lessons Learned (DCF-30)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-12-03T18:49:49.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167252+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 75,
          "explanation": "This Drata control satisfies KSI-INR-RIR by demonstrating a continuous review process of incident response effectiveness. Documenting \"Lessons Learned\" and \"Root Cause Analysis\" *after* incidents directly addresses the requirement for persistent review, identifying areas for improvement in procedures. Sharing these findings with the engineering team ensures knowledge is disseminated and incorporated into future incident handling, fulfilling the intent of sustained improvement for FedRAMP KSI.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 89,
                "name": "IRP Includes Lessons Learned",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it included a section about documenting \"Lessons Learned\" after incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 35,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-28",
          "control_name": "Follow-Ups Tracked",
          "control_description": "Sustainment Technologies Inc has implemented an Incident Response Plan that includes creating, prioritizing, assigning, and tracking follow-ups to completion and lend support to Business Continuity/Disaster Recovery.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.557Z",
          "updated_at": "2025-12-03T18:49:49.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-28-evidence",
              "name": "Follow-Ups Tracked (DCF-28)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-12-03T18:49:49.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167259+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-28-monitoring",
              "name": "Continuous Monitoring - Follow-Ups Tracked (DCF-28)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-12-03T18:49:49.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167266+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-28-policy",
              "name": "Policy Documentation - Follow-Ups Tracked (DCF-28)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-12-03T18:49:49.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167271+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 73,
          "explanation": "Drata’s “Follow-Ups Tracked” control directly satisfies KSI-INR-RIR by demonstrating persistent review of incident response effectiveness. Tracking follow-up items to completion (as outlined in the Incident Response Plan) proves procedures aren’t just *documented* but actively *used* and improved based on incident outcomes – a core tenet of the FedRAMP requirement. This aligns with NIST controls focused on plan testing, analysis, and continuous improvement of incident handling.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 87,
                "name": "Policies for Tracking Security Items",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it included a section about tracking follow-ups after an incident.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 32,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-81",
          "control_name": "Databases Monitored and Alarmed",
          "control_description": "Sustainment Technologies Inc has implemented tools to monitor Sustainment Technologies Inc's databases and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.413Z",
          "updated_at": "2026-05-16T21:24:19.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-81-evidence",
              "name": "Databases Monitored and Alarmed (DCF-81)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167278+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-81-owner",
              "name": "Assigned Control Owner - Databases Monitored and Alarmed (DCF-81)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167285+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-81-monitoring",
              "name": "Continuous Monitoring - Databases Monitored and Alarmed (DCF-81)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167291+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 1,
          "explanation": "This Drata control satisfies KSI-INR-RIR by demonstrating ongoing monitoring of critical systems (databases) for security events – a core component of effective incident response. The automated alerting and escalation process ensures incidents are *identified* and *acted upon*, fulfilling the requirement for persistently reviewing and validating the effectiveness of incident response procedures through real-world application and feedback. Essentially, it proves the procedures aren't just documented, but actively used and tested.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:02.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 3,
                "name": "Database Read I/O Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that read I/O is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 114,
                "enabled": true
              },
              {
                "test_id": 2,
                "name": "Database Free Storage Space Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that free storage space is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 113,
                "enabled": true
              },
              {
                "test_id": 1,
                "name": "Database CPU Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that server CPU use is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 112,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-27",
          "control_name": "Multiple Availability Zones",
          "control_description": "Sustainment Technologies Inc utilizes multiple availability zones to replicate production data across different zones.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.880Z",
          "updated_at": "2026-05-16T21:24:18.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:34.176Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-27-owner",
              "name": "Assigned Control Owner - Multiple Availability Zones (DCF-27)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167297+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-27-monitoring",
              "name": "Continuous Monitoring - Multiple Availability Zones (DCF-27)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167303+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-27-policy",
              "name": "Policy Documentation - Multiple Availability Zones (DCF-27)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167309+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 12,
          "explanation": "While seemingly unrelated, Multiple Availability Zones directly supports KSI-INR-RIR by enhancing resilience and minimizing incident impact. By replicating data across zones, the system can continue operating during an incident affecting a single zone, allowing incident response procedures to be *effectively* executed without complete service disruption – demonstrating a persistent review of their usability. This aligns with IR-7 (Incident Response Planning) as a functional capability enabled by the technical control.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:01.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 14,
                "name": "Zone Redundancy",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's infrastructure configurations and confirmed that multiple availability zones are utilized.",
                "last_run": "2026-07-01T18:28:01.000Z",
                "test_definition_id": 30,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "Sustainment Technologies' Incident Response Plan establishes documented procedures for detecting, responding to, and recovering from security incidents. These procedures are implemented by a dedicated incident response team using structured report templates, tracked follow-ups, lessons learned processes, and quarterly vulnerability scans that inform procedure updates. Drata continuously monitors incident response readiness across multiple controls, and the Security Steering Committee reviews procedure effectiveness to ensure response capabilities keep pace with the evolving threat landscape.\n### Key Controls\n- [OK] Incident Response Plan (DCF-159)\n- [OK] Incident Response Team (DCF-29)\n- [OK] Disaster Recovery Plan (DCF-25)\n- [OK] Quarterly Vulnerability Scan (DCF-18)\n- [OK] Incident Report Template and Process (DCF-131)\n- [OK] Lessons Learned (DCF-30)\n- [OK] Follow-Ups Tracked (DCF-28)\n- [OK] Databases Monitored and Alarmed (DCF-81)\n- [OK] Multiple Availability Zones (DCF-27)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:57.290448+00:00",
      "ksi_name": "Reviewing Incident Response Procedures",
      "category": "INR",
      "statement": "Persistently review the effectiveness of documented incident response procedures.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/incident-response/",
      "nist_controls": [
        "IR-4",
        "IR-4.1",
        "IR-6",
        "IR-6.1",
        "IR-6.3",
        "IR-7",
        "IR-7.1",
        "IR-8",
        "IR-8.1",
        "SI-4.5"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment maintains documented incident response procedures that are tested annually, reviewed for effectiveness, and updated based on lessons learned from exercises and real incidents.",
        "failure_condition": "Incident response procedures not tested within 12 months, failure to update procedures based on lessons learned, or follow-up items from tests not tracked to resolution will cause a failure of the test. Additionally, an incident response team, incident report template, disaster recovery plan, quarterly vulnerability scans, database monitoring, and a security steering committee must be in place to ensure incident response procedures are current and effective."
      },
      "outcome_metrics": [
        {
          "statement": "Incident response plan is reviewed, updated, and approved on schedule",
          "metric_name": "Recency",
          "target_value": "IR plan reviewed within 12 months; approved by designated authority",
          "target_unit": "",
          "frequency": "Annually + after major incident",
          "source": "IR plan revision log; approval record",
          "notes": "IR plan not reviewed within 12 months or lacking current approval"
        }
      ],
      "monitoring": {
        "total_tests": 10,
        "passed": 10,
        "failed": 0,
        "controls_with_monitoring": 8,
        "monitoring_coverage": 80.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-INR-RPI",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:58.754088+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-29 (DCF-29)",
          "control_id": "DCF-29",
          "status": "Passing",
          "description": "Drata control status for DCF-29",
          "date": "2026-07-02T13:19:58.754088+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-34 (DCF-34)",
          "control_id": "DCF-34",
          "status": "Passing",
          "description": "Drata control status for DCF-34",
          "date": "2026-07-02T13:19:58.754088+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-131 (DCF-131)",
          "control_id": "DCF-131",
          "status": "Passing",
          "description": "Drata control status for DCF-131",
          "date": "2026-07-02T13:19:58.754088+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-159 (DCF-159)",
          "control_id": "DCF-159",
          "status": "Passing",
          "description": "Drata control status for DCF-159",
          "date": "2026-07-02T13:19:58.754088+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-28 (DCF-28)",
          "control_id": "DCF-28",
          "status": "Passing",
          "description": "Drata control status for DCF-28",
          "date": "2026-07-02T13:19:58.754088+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-25 (DCF-25)",
          "control_id": "DCF-25",
          "status": "Passing",
          "description": "Drata control status for DCF-25",
          "date": "2026-07-02T13:19:58.754088+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-154 (DCF-154)",
          "control_id": "DCF-154",
          "status": "Passing",
          "description": "Drata control status for DCF-154",
          "date": "2026-07-02T13:19:58.754088+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-51 (DCF-51)",
          "control_id": "DCF-51",
          "status": "Passing",
          "description": "Drata control status for DCF-51",
          "date": "2026-07-02T13:19:58.754088+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-166 (DCF-166)",
          "control_id": "DCF-166",
          "status": "Passing",
          "description": "Drata control status for DCF-166",
          "date": "2026-07-02T13:19:58.754088+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-INR-RPI",
          "control_name": "Custom Automated Check: KSI-INR-RPI",
          "control_description": "9/9 mapped controls passing; Sustainment Technologies' Incident Response Plan requires regular review of past incidents to identify patterns, recurring vulnerabilities, and opportunities for improvement. This is implemented through incident report analysis, follow-up tracking, prioritized security issue remediation, automated patching of discovered vulnerabilities, and annual incident response testing that incorporates historical findings. Drata monitors remediation timelines and patch compliance, while the Security Steering Committee reviews incident patterns to drive proactive security improvements across the cloud service offering.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:58.754088+00:00",
          "updated_at": "2026-07-02T13:19:58.754088+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:58.754088+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-29 (DCF-29)",
              "description": "Drata control status for DCF-29",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.754088+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167317+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-34 (DCF-34)",
              "description": "Drata control status for DCF-34",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.754088+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167323+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-131 (DCF-131)",
              "description": "Drata control status for DCF-131",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.754088+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167329+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-159 (DCF-159)",
              "description": "Drata control status for DCF-159",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.754088+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167335+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-28 (DCF-28)",
              "description": "Drata control status for DCF-28",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.754088+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167340+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-25 (DCF-25)",
              "description": "Drata control status for DCF-25",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.754088+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167346+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-154 (DCF-154)",
              "description": "Drata control status for DCF-154",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.754088+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167351+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-51 (DCF-51)",
              "description": "Drata control status for DCF-51",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.754088+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167357+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-166 (DCF-166)",
              "description": "Drata control status for DCF-166",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.754088+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167363+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 6,
            "passed": 6,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              },
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              },
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              },
              {
                "test_id": 87,
                "name": "Policies for Tracking Security Items",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it included a section about tracking follow-ups after an incident.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 32,
                "enabled": true
              },
              {
                "test_id": 12,
                "name": "Disaster Recovery Plan",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Disaster Recovery Plan and confirmed that it outlines roles and responsibilities and detailed procedures for recovery of systems.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 28,
                "enabled": true
              },
              {
                "test_id": 134,
                "name": "Security Patches Auto-Applied on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices are configured to apply system security patches automatically.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 65,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-29",
              "DCF-34",
              "DCF-131",
              "DCF-159",
              "DCF-28",
              "DCF-25",
              "DCF-154",
              "DCF-51",
              "DCF-166"
            ]
          }
        },
        {
          "control_id": "DCF-29",
          "control_name": "Incident Response Team",
          "control_description": "Sustainment Technologies Inc has identified an incident response team that quantifies and monitors incidents involving security, availability, processing integrity, and confidentiality at the company.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.562Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-29-evidence",
              "name": "Incident Response Team (DCF-29)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167369+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-owner",
              "name": "Assigned Control Owner - Incident Response Team (DCF-29)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167375+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-monitoring",
              "name": "Continuous Monitoring - Incident Response Team (DCF-29)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167381+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 74,
          "explanation": "This Drata control satisfies KSI-INR-RPI by demonstrating a dedicated team actively *monitors* incidents – fulfilling the \"review past incidents\" aspect. Quantifying and tracking incidents allows Sustainment Technologies Inc. to identify recurring issues and vulnerabilities, directly addressing the FedRAMP requirement for *pattern* and *vulnerability* analysis.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-34",
          "control_name": "Security Team/Steering Committee",
          "control_description": "Sustainment Technologies Inc has an assigned security team that is responsible for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.883Z",
          "updated_at": "2026-05-16T21:24:18.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:40.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-34-owner",
              "name": "Assigned Control Owner - Security Team/Steering Committee (DCF-34)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167387+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-monitoring",
              "name": "Continuous Monitoring - Security Team/Steering Committee (DCF-34)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167393+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-policy",
              "name": "Policy Documentation - Security Team/Steering Committee (DCF-34)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167399+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 49,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:18.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-131",
          "control_name": "Incident Report Template and Process",
          "control_description": "Sustainment Technologies Inc has incident management procedures that include detailed instructions on how to escalate a suspected incident to the Information Security Team and, when necessary, to the Privacy or Legal department. Sustainment Technologies Inc has a standard incident report template th",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.797Z",
          "updated_at": "2025-11-24T13:51:34.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-131-owner",
              "name": "Assigned Control Owner - Incident Report Template and Process (DCF-131)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167405+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-131-policy",
              "name": "Policy Documentation - Incident Report Template and Process (DCF-131)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167412+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 152,
          "explanation": "The \"Incident Report Template and Process\" satisfies KSI-INR-RPI by establishing a standardized method for documenting incidents (IR-5) which allows for consistent data collection crucial for retrospective analysis. This detailed reporting, coupled with escalation procedures (IR-4, IR-8), ensures incidents are tracked and reviewed, enabling the identification of recurring patterns and underlying vulnerabilities as required by the FedRAMP KSI. Essentially, good documentation *enables* the required pattern review.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-159",
          "control_name": "Incident Response Plan",
          "control_description": "Sustainment Technologies Inc has an established Incident Response Plan that outlines management responsibilities and procedures to ensure a quick, effective, and orderly response to information security incidents and annual testing.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.576Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-159-evidence",
              "name": "Incident Response Plan (DCF-159)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167418+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-owner",
              "name": "Assigned Control Owner - Incident Response Plan (DCF-159)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167424+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-monitoring",
              "name": "Continuous Monitoring - Incident Response Plan (DCF-159)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167430+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 77,
          "explanation": "The Drata control, \"Incident Response Plan,\" satisfies KSI-INR-RPI by demonstrating a *proactive* process for handling security incidents – a key component of identifying recurring patterns. Annual testing of the plan (as described) ensures consistent application and provides data points for reviewing past incidents to uncover vulnerabilities, directly addressing the FedRAMP requirement for persistent review and pattern identification.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-28",
          "control_name": "Follow-Ups Tracked",
          "control_description": "Sustainment Technologies Inc has implemented an Incident Response Plan that includes creating, prioritizing, assigning, and tracking follow-ups to completion and lend support to Business Continuity/Disaster Recovery.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.557Z",
          "updated_at": "2025-12-03T18:49:49.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-28-evidence",
              "name": "Follow-Ups Tracked (DCF-28)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-12-03T18:49:49.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167436+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-28-monitoring",
              "name": "Continuous Monitoring - Follow-Ups Tracked (DCF-28)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-12-03T18:49:49.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167441+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-28-policy",
              "name": "Policy Documentation - Follow-Ups Tracked (DCF-28)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-12-03T18:49:49.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167447+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 73,
          "explanation": "Drata’s “Follow-Ups Tracked” control directly addresses KSI-INR-RPI by demonstrating a process for actively reviewing past incidents. The control proves incident responses aren’t just closed, but *followed up on* to identify recurring issues – fulfilling the requirement to persistently review for patterns and vulnerabilities. This tracking, linked to NIST IR controls, provides documented evidence of continuous improvement based on incident history, a key FedRAMP expectation.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 87,
                "name": "Policies for Tracking Security Items",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it included a section about tracking follow-ups after an incident.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 32,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-25",
          "control_name": "Disaster Recovery Plan",
          "control_description": "Sustainment Technologies Inc has an established Disaster Recovery Plan that outlines roles and responsibilities and detailed procedures for recovery of systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.870Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-25-owner",
              "name": "Assigned Control Owner - Disaster Recovery Plan (DCF-25)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167453+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-25-monitoring",
              "name": "Continuous Monitoring - Disaster Recovery Plan (DCF-25)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167464+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-25-policy",
              "name": "Policy Documentation - Disaster Recovery Plan (DCF-25)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167471+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 10,
          "explanation": "The Disaster Recovery Plan (DRP) satisfies KSI-INR-RPI by documenting procedures to *restore* systems after an incident, enabling a review of *how* incidents were handled and identifying potential weaknesses in response. Analyzing recovery efforts outlined in the DRP – including timelines, challenges, and effectiveness – directly supports the persistent review of past incidents for recurring patterns or vulnerabilities as required by FedRAMP KSI.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 12,
                "name": "Disaster Recovery Plan",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Disaster Recovery Plan and confirmed that it outlines roles and responsibilities and detailed procedures for recovery of systems.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 28,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-154",
          "control_name": "Annual Incident Response Test",
          "control_description": "Sustainment Technologies Inc ensures that incident response plan testing is performed on an annual basis.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.974Z",
          "updated_at": "2025-11-24T13:51:34.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-154-evidence",
              "name": "Annual Incident Response Test (DCF-154)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167477+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-154-policy",
              "name": "Policy Documentation - Annual Incident Response Test (DCF-154)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167483+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 126,
          "explanation": "Drata's \"Annual Incident Response Test\" satisfies KSI-INR-RPI by demonstrating a *review of past incident handling* through a simulated exercise. This testing proactively identifies weaknesses in the incident response plan, allowing Sustainment Technologies Inc. to uncover patterns and vulnerabilities *before* they are exploited – fulfilling the requirement for persistent review and improvement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-51",
          "control_name": "Security Patches Automatically Applied",
          "control_description": "Sustainment Technologies Inc's workstations operating system (OS) security patches are applied automatically.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.213Z",
          "updated_at": "2026-05-27T19:01:28.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-51-evidence",
              "name": "Security Patches Automatically Applied (DCF-51)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167490+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-51-owner",
              "name": "Assigned Control Owner - Security Patches Automatically Applied (DCF-51)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167496+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-51-monitoring",
              "name": "Continuous Monitoring - Security Patches Automatically Applied (DCF-51)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167502+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 117,
          "explanation": "Drata's \"Security Patches Automatically Applied\" control directly addresses KSI-INR-RPI by proactively *preventing* incidents that could reveal patterns of vulnerability. Automated patching reduces the window of exploit, minimizing the number & severity of incidents needing review – effectively lessening the \"past incidents\" needing analysis to identify systemic weaknesses, as required by the FedRAMP KSI. This aligns with NIST IR-3 (Vulnerability Management) by establishing a continuous process for remediation.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 134,
                "name": "Security Patches Auto-Applied on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices are configured to apply system security patches automatically.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 65,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-166",
          "control_name": "Business Continuity Plan",
          "control_description": "Sustainment Technologies Inc has a defined Business Continuity Plan that outlines the proper procedures to respond, recover, resume, and restore operations following a disruption or significant change.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.834Z",
          "updated_at": "2025-11-24T13:51:38.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-166-policy",
              "name": "Policy Documentation - Business Continuity Plan (DCF-166)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167509+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 91,
          "explanation": "The Business Continuity Plan (BCP) satisfies KSI-INR-RPI by detailing post-incident *response* and *recovery* procedures – inherently requiring review of past incidents to improve those plans. Analyzing disruptions documented within the BCP (as per IR-8, IR-5, IR-3) allows Sustainment Technologies Inc. to identify recurring patterns and address underlying vulnerabilities, fulfilling the persistent review requirement of the KSI.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' Incident Response Plan requires regular review of past incidents to identify patterns, recurring vulnerabilities, and opportunities for improvement. This is implemented through incident report analysis, follow-up tracking, prioritized security issue remediation, automated patching of discovered vulnerabilities, and annual incident response testing that incorporates historical findings. Drata monitors remediation timelines and patch compliance, while the Security Steering Committee reviews incident patterns to drive proactive security improvements across the cloud service offering.\n### Key Controls\n- [OK] Incident Response Team (DCF-29)\n- [OK] Security Team/Steering Committee (DCF-34)\n- [OK] Incident Report Template and Process (DCF-131)\n- [OK] Incident Response Plan (DCF-159)\n- [OK] Follow-Ups Tracked (DCF-28)\n- [OK] Disaster Recovery Plan (DCF-25)\n- [OK] Annual Incident Response Test (DCF-154)\n- [OK] Security Patches Automatically Applied (DCF-51)\n- [OK] Business Continuity Plan (DCF-166)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:58.754088+00:00",
      "ksi_name": "Reviewing Past Incidents",
      "category": "INR",
      "statement": "Persistently review past incidents for patterns or vulnerabilities.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/incident-response/",
      "nist_controls": [
        "IR-3",
        "IR-4",
        "IR-4.1",
        "IR-5",
        "IR-8"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment regularly reviews past incidents to identify patterns, recurring vulnerabilities, and opportunities for improvement through structured incident analysis and prioritized remediation.",
        "failure_condition": "A recurring incident pattern not identified or addressed after 3 occurrences, failure to prioritize security issues from past incidents, or follow-up items not tracked to resolution will cause a failure of the test. Additionally, an incident response team, incident report template, annual incident response testing, automated security patching, and a business continuity plan must be in place to ensure past incidents drive continuous improvement."
      },
      "outcome_metrics": [
        {
          "statement": "Lessons learned from past incidents incorporated into procedures and controls",
          "metric_name": "Completion",
          "target_value": "100% of closed incidents have lessons-learned review; recurring issues trending down",
          "target_unit": "",
          "frequency": "Quarterly",
          "source": "AAR action item tracker; incident recurrence metrics",
          "notes": "Incident closed without lessons-learned review; recurring incident type not addressed"
        }
      ],
      "monitoring": {
        "total_tests": 6,
        "passed": 6,
        "failed": 0,
        "controls_with_monitoring": 6,
        "monitoring_coverage": 60.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-MLA-ALA",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:55.041283+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-596 (DCF-596)",
          "control_id": "DCF-596",
          "status": "Passing",
          "description": "Drata control status for DCF-596",
          "date": "2026-07-02T13:19:55.041283+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-80 (DCF-80)",
          "control_id": "DCF-80",
          "status": "Passing",
          "description": "Drata control status for DCF-80",
          "date": "2026-07-02T13:19:55.041283+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-79 (DCF-79)",
          "control_id": "DCF-79",
          "status": "Passing",
          "description": "Drata control status for DCF-79",
          "date": "2026-07-02T13:19:55.041283+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-87 (DCF-87)",
          "control_id": "DCF-87",
          "status": "Passing",
          "description": "Drata control status for DCF-87",
          "date": "2026-07-02T13:19:55.041283+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-10 (DCF-10)",
          "control_id": "DCF-10",
          "status": "Passing",
          "description": "Drata control status for DCF-10",
          "date": "2026-07-02T13:19:55.041283+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-59 (DCF-59)",
          "control_id": "DCF-59",
          "status": "Passing",
          "description": "Drata control status for DCF-59",
          "date": "2026-07-02T13:19:55.041283+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-71 (DCF-71)",
          "control_id": "DCF-71",
          "status": "Passing",
          "description": "Drata control status for DCF-71",
          "date": "2026-07-02T13:19:55.041283+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-177 (DCF-177)",
          "control_id": "DCF-177",
          "status": "Passing",
          "description": "Drata control status for DCF-177",
          "date": "2026-07-02T13:19:55.041283+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-MLA-ALA",
          "control_name": "Custom Automated Check: KSI-MLA-ALA",
          "control_description": "8/8 mapped controls passing; Sustainment Technologies' System Access Control Policy and log management standards restrict access to audit logs to authorized personnel only. This is implemented through role-based log modification controls, unique account enforcement, centralized log storage with access restrictions, and defined event logging policies. Drata monitors that log access remains restricted to authorized users, unique accounts are enforced for log operations, and system access policies prevent unauthorized log modification or deletion.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:55.041283+00:00",
          "updated_at": "2026-07-02T13:19:55.041283+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:55.041283+00:00",
          "requirements_updated_at": "",
          "evidence_count": 8,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-596 (DCF-596)",
              "description": "Drata control status for DCF-596",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.041283+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167516+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-80 (DCF-80)",
              "description": "Drata control status for DCF-80",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.041283+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167522+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-79 (DCF-79)",
              "description": "Drata control status for DCF-79",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.041283+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167528+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-87 (DCF-87)",
              "description": "Drata control status for DCF-87",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.041283+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167534+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-10 (DCF-10)",
              "description": "Drata control status for DCF-10",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.041283+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167539+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-59 (DCF-59)",
              "description": "Drata control status for DCF-59",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.041283+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167545+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-71 (DCF-71)",
              "description": "Drata control status for DCF-71",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.041283+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167552+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-177 (DCF-177)",
              "description": "Drata control status for DCF-177",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.041283+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167558+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 9,
            "passed": 9,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:45.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              },
              {
                "test_id": 140,
                "name": "Only Authorized Users can Access Log Sinks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of the system that collects and stores server logs and confirmed that it only accepts connections from authorized users.",
                "last_run": "2026-07-01T18:27:22.000Z",
                "test_definition_id": 110,
                "enabled": true
              },
              {
                "test_id": 139,
                "name": "Logs are Centrally Stored",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are centrally stored.",
                "last_run": "2026-07-01T18:27:24.000Z",
                "test_definition_id": 109,
                "enabled": true
              },
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that logging was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              },
              {
                "test_id": 135,
                "name": "Threat Detection in Place",
                "status": "PASSED",
                "description": "Sustainment Technologies Inc has Threat Detection in place to detect unauthorized file additions within the cloud environment, server instances, and application containers.",
                "last_run": "2026-07-01T18:28:45.000Z",
                "test_definition_id": 105,
                "enabled": true
              },
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              },
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-596",
              "DCF-80",
              "DCF-79",
              "DCF-87",
              "DCF-10",
              "DCF-59",
              "DCF-71",
              "DCF-177"
            ]
          }
        },
        {
          "control_id": "DCF-596",
          "control_name": "Authorized to Modify Logs",
          "control_description": "Sustainment Technologies Inc only allows authorized personnel to modify log settings/configurations.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [],
          "created_at": "2023-03-21T16:43:06.738Z",
          "updated_at": "2025-11-24T18:38:38.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2023-03-21T16:43:06.751Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-596-policy",
              "name": "Policy Documentation - Authorized to Modify Logs (DCF-596)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:38.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167564+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 558,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-80",
          "control_name": "Log Management System",
          "control_description": "Sustainment Technologies Inc uses logging software that sends alerts to appropriate personnel. Corrective actions are performed, as necessary, in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.779Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 151,
              "name": "DataDog Security alerts sample",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/151_DataDog Security alerts sample.csv",
              "updated_at": "2026-03-02T15:57:18.424Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167735+00:00",
                "status": "hashed",
                "sha256": "3a6f138a1019b8d39d01a2e02dc11e84fa1a8b504f306fadf42619746948a934",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/151_DataDog Security alerts sample.csv",
                "filename": "151_DataDog Security alerts sample.csv",
                "size_bytes": 82445,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-80-owner",
              "name": "Assigned Control Owner - Log Management System (DCF-80)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167821+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-80-monitoring",
              "name": "Continuous Monitoring - Log Management System (DCF-80)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167828+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 123,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-79",
          "control_name": "Logs Centrally Stored",
          "control_description": "Sustainment Technologies Inc uses a system that collects and stores server logs in a central location. The system can be queried in an ad hoc fashion by authorized users.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.775Z",
          "updated_at": "2026-06-30T12:57:13.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 13,
              "name": "Logs Centrally Stored",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/13_Logs Centrally Stored.csv",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.167983+00:00",
                "status": "hashed",
                "sha256": "bb85025771956bff33f960b28f614e1447bd02e93a2f0ba842f12abe7e375706",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/13_Logs Centrally Stored.csv",
                "filename": "13_Logs Centrally Stored.csv",
                "size_bytes": 145,
                "modified_at": "2026-07-02T13:17:00+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-79-owner",
              "name": "Assigned Control Owner - Logs Centrally Stored (DCF-79)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-30T12:57:13.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.168011+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-79-monitoring",
              "name": "Continuous Monitoring - Logs Centrally Stored (DCF-79)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-30T12:57:13.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.168017+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 122,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:24.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 140,
                "name": "Only Authorized Users can Access Log Sinks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of the system that collects and stores server logs and confirmed that it only accepts connections from authorized users.",
                "last_run": "2026-07-01T18:27:22.000Z",
                "test_definition_id": 110,
                "enabled": true
              },
              {
                "test_id": 139,
                "name": "Logs are Centrally Stored",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are centrally stored.",
                "last_run": "2026-07-01T18:27:24.000Z",
                "test_definition_id": 109,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-87",
          "control_name": "Logging/Monitoring",
          "control_description": "Sustainment Technologies Inc has infrastructure logging configured to monitor web traffic and suspicious activity. When anomalous traffic activity is identified, alerts are automatically created, sent to appropriate personnel and resolved, as necessary.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.217Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:21.976Z",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": 161,
              "name": "DCF87 Testing Results History",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/161_DCF87 Testing Results History.png",
              "updated_at": "2026-06-17T22:38:41.159Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.168183+00:00",
                "status": "hashed",
                "sha256": "297e5a03cc7fa8c4f1a971f581eae381efbbf3eb5e9b6ec8f5a4f498073de962",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/161_DCF87 Testing Results History.png",
                "filename": "161_DCF87 Testing Results History.png",
                "size_bytes": 195440,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 160,
              "name": "Silent Log Sources - Crowdstrike",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/160_Silent Log Sources - Crowdstrike.png",
              "updated_at": "2026-06-17T22:10:26.030Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.168504+00:00",
                "status": "hashed",
                "sha256": "4355516d11f210c6981374184d617ae5fe381cdce7b22a19795747db92d14581",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/160_Silent Log Sources - Crowdstrike.png",
                "filename": "160_Silent Log Sources - Crowdstrike.png",
                "size_bytes": 239901,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-87-owner",
              "name": "Assigned Control Owner - Logging/Monitoring (DCF-87)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.168698+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 118,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:45.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that logging was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              },
              {
                "test_id": 135,
                "name": "Threat Detection in Place",
                "status": "PASSED",
                "description": "Sustainment Technologies Inc has Threat Detection in place to detect unauthorized file additions within the cloud environment, server instances, and application containers.",
                "last_run": "2026-07-01T18:28:45.000Z",
                "test_definition_id": 105,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-10",
          "control_name": "System Access Control Policy",
          "control_description": "Sustainment Technologies Inc has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms to be filled out for new hires and employee transfers.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.531Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-10-evidence",
              "name": "System Access Control Policy (DCF-10)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.168705+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-owner",
              "name": "Assigned Control Owner - System Access Control Policy (DCF-10)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.168711+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-monitoring",
              "name": "Continuous Monitoring - System Access Control Policy (DCF-10)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.168717+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 88,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-59",
          "control_name": "Role-Based Security Implementation",
          "control_description": "Role-based security is in place for internal and external users, including super admin users.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.904Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-59-evidence",
              "name": "Role-Based Security Implementation (DCF-59)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.168724+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-59-owner",
              "name": "Assigned Control Owner - Role-Based Security Implementation (DCF-59)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.168730+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-59-policy",
              "name": "Policy Documentation - Role-Based Security Implementation (DCF-59)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.168737+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 21,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-71",
          "control_name": "Unique Accounts Used",
          "control_description": "Access to corporate network, production machines, network devices, and support tools requires a unique ID.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.769Z",
          "updated_at": "2026-06-15T13:35:37.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-71-evidence",
              "name": "Unique Accounts Used (DCF-71)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.168743+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-owner",
              "name": "Assigned Control Owner - Unique Accounts Used (DCF-71)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.168750+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-monitoring",
              "name": "Continuous Monitoring - Unique Accounts Used (DCF-71)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.168756+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 98,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-177",
          "control_name": "Event Logging",
          "control_description": "Sustainment Technologies Inc has a defined plan for event logging that establishes the required criteria for logs, protection of logged information, clock synchronization.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:44.114Z",
          "updated_at": "2025-11-24T18:38:50.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": 160,
              "name": "Silent Log Sources - Crowdstrike",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/160_Silent Log Sources - Crowdstrike.png",
              "updated_at": "2026-06-17T22:10:26.030Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.168913+00:00",
                "status": "hashed",
                "sha256": "4355516d11f210c6981374184d617ae5fe381cdce7b22a19795747db92d14581",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/160_Silent Log Sources - Crowdstrike.png",
                "filename": "160_Silent Log Sources - Crowdstrike.png",
                "size_bytes": 239901,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-177-policy",
              "name": "Policy Documentation - Event Logging (DCF-177)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:50.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169094+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 182,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' System Access Control Policy and log management standards restrict access to audit logs to authorized personnel only. This is implemented through role-based log modification controls, unique account enforcement, centralized log storage with access restrictions, and defined event logging policies. Drata monitors that log access remains restricted to authorized users, unique accounts are enforced for log operations, and system access policies prevent unauthorized log modification or deletion.\n### Key Controls\n- [OK] Authorized to Modify Logs (DCF-596)\n- [OK] Log Management System (DCF-80)\n- [OK] Logs Centrally Stored (DCF-79)\n- [OK] Logging/Monitoring (DCF-87)\n- [OK] System Access Control Policy (DCF-10)\n- [OK] Role-Based Security Implementation (DCF-59)\n- [OK] Unique Accounts Used (DCF-71)\n- [OK] Event Logging (DCF-177)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:55.041283+00:00",
      "ksi_name": "Authorizing Log Access",
      "category": "MLA",
      "statement": "Use a least-privileged, role and attribute-based, and just-in-time access authorization model for access to log data based on organizationally defined data sensitivity.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/monitoring-logging-and-auditing/",
      "nist_controls": [
        "SI-11"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment restricts access to audit logs to authorized personnel only through role-based controls, unique account enforcement, and centralized log storage with access restrictions.",
        "failure_condition": "Unauthorized user accessing log data, log access not restricted by role, or failure to enforce unique account attribution for log access will cause a failure of the test. Additionally, authorized log modification controls, a log management system, centralized log storage, logging/monitoring infrastructure, and event logging must be in place to ensure audit log integrity and access control."
      },
      "outcome_metrics": [
        {
          "statement": "Log access restricted to authorized personnel; access reviewed periodically",
          "metric_name": "Coverage",
          "target_value": "100% of log storage with access controls; 0 unauthorized log access events",
          "target_unit": "",
          "frequency": "Quarterly",
          "source": "Log system IAM audit; access review records; SIEM alerts",
          "notes": "Unauthorized log access event; log storage without access controls"
        }
      ],
      "monitoring": {
        "total_tests": 9,
        "passed": 9,
        "failed": 0,
        "controls_with_monitoring": 5,
        "monitoring_coverage": 55.6,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-MLA-EVC",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:20:00.499903+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-40 (DCF-40)",
          "control_id": "DCF-40",
          "status": "Passing",
          "description": "Drata control status for DCF-40",
          "date": "2026-07-02T13:20:00.499903+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-176 (DCF-176)",
          "control_id": "DCF-176",
          "status": "Passing",
          "description": "Drata control status for DCF-176",
          "date": "2026-07-02T13:20:00.499903+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-34 (DCF-34)",
          "control_id": "DCF-34",
          "status": "Passing",
          "description": "Drata control status for DCF-34",
          "date": "2026-07-02T13:20:00.499903+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-567 (DCF-567)",
          "control_id": "DCF-567",
          "status": "Passing",
          "description": "Drata control status for DCF-567",
          "date": "2026-07-02T13:20:00.499903+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-478 (DCF-478)",
          "control_id": "DCF-478",
          "status": "Passing",
          "description": "Drata control status for DCF-478",
          "date": "2026-07-02T13:20:00.499903+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-12 (DCF-12)",
          "control_id": "DCF-12",
          "status": "Passing",
          "description": "Drata control status for DCF-12",
          "date": "2026-07-02T13:20:00.499903+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-560 (DCF-560)",
          "control_id": "DCF-560",
          "status": "Passing",
          "description": "Drata control status for DCF-560",
          "date": "2026-07-02T13:20:00.499903+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-MLA-EVC",
          "control_name": "Custom Automated Check: KSI-MLA-EVC",
          "control_description": "7/7 mapped controls passing; Sustainment Technologies' Change Management Policy requires persistent evaluation and testing of machine-based resource configurations, with emphasis on infrastructure as code. This is implemented through baseline configuration standards, change detection mechanisms, anomalous behavior detection, and a documented monitoring plan that defines what configurations are evaluated. Drata monitors configuration baselines for drift, and the Security Steering Committee reviews evaluation results to ensure configuration testing remains comprehensive and effective.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:20:00.499903+00:00",
          "updated_at": "2026-07-02T13:20:00.499903+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:20:00.499903+00:00",
          "requirements_updated_at": "",
          "evidence_count": 7,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-40 (DCF-40)",
              "description": "Drata control status for DCF-40",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.499903+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169103+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-176 (DCF-176)",
              "description": "Drata control status for DCF-176",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.499903+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169109+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-34 (DCF-34)",
              "description": "Drata control status for DCF-34",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.499903+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169165+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-567 (DCF-567)",
              "description": "Drata control status for DCF-567",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.499903+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169177+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-478 (DCF-478)",
              "description": "Drata control status for DCF-478",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.499903+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169187+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-12 (DCF-12)",
              "description": "Drata control status for DCF-12",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.499903+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169196+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-560 (DCF-560)",
              "description": "Drata control status for DCF-560",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.499903+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169206+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 6,
            "passed": 6,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-02T12:02:06.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 59,
                "name": "Contractor Background Checks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that all new contractors had completed background checks upon hire.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 50,
                "enabled": true
              },
              {
                "test_id": 58,
                "name": "Contractors Acknowledge the Acceptable Use Policy",
                "status": "PASSED",
                "description": "Drata confirmed that assigned contractors have acknowledged the Acceptable Use Policy.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 49,
                "enabled": true
              },
              {
                "test_id": 57,
                "name": "Contractors Acknowledge The Code of Conduct",
                "status": "PASSED",
                "description": "Drata confirmed that assigned contractors have acknowledged the Code of Conduct.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 48,
                "enabled": true
              },
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              },
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              },
              {
                "test_id": 152,
                "name": "CloudTrail Log File Integrity Validation Enabled",
                "status": "PASSED",
                "description": "Drata confirmed that AWS CloudTrail log validation is enabled on all trails.",
                "last_run": "2026-07-02T12:02:06.000Z",
                "test_definition_id": 205,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-40",
              "DCF-176",
              "DCF-34",
              "DCF-567",
              "DCF-478",
              "DCF-12",
              "DCF-560"
            ]
          }
        },
        {
          "control_id": "DCF-40",
          "control_name": "Contractor Requirements",
          "control_description": "Sustainment Technologies Inc requires its contractors to read and acknowledge the Code of Conduct, read and acknowledge the Acceptable Use Policy, and pass a background check.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.179Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:36.841Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-40-owner",
              "name": "Assigned Control Owner - Contractor Requirements (DCF-40)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169216+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-40-monitoring",
              "name": "Continuous Monitoring - Contractor Requirements (DCF-40)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169223+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-40-policy",
              "name": "Policy Documentation - Contractor Requirements (DCF-40)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169229+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 42,
          "explanation": "While seemingly indirect, this Drata control supports KSI-MLA-EVC by establishing a baseline of security awareness and trustworthiness for those *implementing* and *maintaining* infrastructure as code. By vetting contractors, Sustainment Technologies Inc. reduces the risk of malicious or negligent configuration changes impacting the security of machine-based resources Ã¢â‚¬â€œ a key component of persistent evaluation and testing. Essentially, it addresses *who* is touching the infrastructure, contributing to overall configuration security.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 59,
                "name": "Contractor Background Checks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that all new contractors had completed background checks upon hire.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 50,
                "enabled": true
              },
              {
                "test_id": 58,
                "name": "Contractors Acknowledge the Acceptable Use Policy",
                "status": "PASSED",
                "description": "Drata confirmed that assigned contractors have acknowledged the Acceptable Use Policy.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 49,
                "enabled": true
              },
              {
                "test_id": 57,
                "name": "Contractors Acknowledge The Code of Conduct",
                "status": "PASSED",
                "description": "Drata confirmed that assigned contractors have acknowledged the Code of Conduct.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 48,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-176",
          "control_name": "Monitoring Plan",
          "control_description": "Sustainment Technologies Inc has a defined process for evaluating information security performance and the effectiveness of its information security program.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:42.904Z",
          "updated_at": "2025-11-24T18:38:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-176-monitoring",
              "name": "Continuous Monitoring - Monitoring Plan (DCF-176)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T18:38:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169236+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-176-policy",
              "name": "Policy Documentation - Monitoring Plan (DCF-176)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:53.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169243+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 175,
          "explanation": "The Drata \"Monitoring Plan\" control satisfies KSI-MLA-EVC by demonstrating a *defined, ongoing process* for evaluating security performance Ã¢â‚¬â€œ including configurations Ã¢â‚¬â€œ which directly addresses the FedRAMP requirement for persistent assessment of machine resources. This process, linked to NIST controls for configuration management (CM-6, CM-2) and assessment (CA-7), proves Sustainment Technologies Inc. isn't just *initially* configuring securely, but *continuously* verifying that configuration remains secure, especially in dynamic environments like those using Infrastructure as Code.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-34",
          "control_name": "Security Team/Steering Committee",
          "control_description": "Sustainment Technologies Inc has an assigned security team that is responsible for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.883Z",
          "updated_at": "2026-05-16T21:24:18.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:40.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-34-owner",
              "name": "Assigned Control Owner - Security Team/Steering Committee (DCF-34)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169250+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-monitoring",
              "name": "Continuous Monitoring - Security Team/Steering Committee (DCF-34)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169256+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-policy",
              "name": "Policy Documentation - Security Team/Steering Committee (DCF-34)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169261+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 49,
          "explanation": "The Security Team/Steering Committee control satisfies KSI-MLA-EVC by establishing a dedicated group responsible for *reviewing* security baselines Ã¢â‚¬â€œ including those for infrastructure as code Ã¢â‚¬â€œ ensuring configurations align with policy. This ongoing review process fulfills the \"persistently evaluate and test\" requirement of the KSI, helping to identify and remediate misconfigurations before they become vulnerabilities. Essentially, the team provides the governance *around* consistent configuration management and testing.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:18.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-567",
          "control_name": "Change Management Policy",
          "control_description": "Sustainment Technologies Inc has a defined Change Management Policy that covers policies and procedures to manage changes across the organization in a well-communicated, planned and predictable manner that minimizes unplanned outages and unforeseen system issues.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:11.091Z",
          "updated_at": "2025-11-24T18:38:44.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-567-policy",
              "name": "Policy Documentation - Change Management Policy (DCF-567)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:44.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169268+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 585,
          "explanation": "Drata's Change Management Policy satisfies KSI-MLA-EVC by demonstrating a structured process for evaluating and approving changes *before* theyÃ¢â‚¬â„¢re implemented in the environment Ã¢â‚¬â€œ including infrastructure as code. This proactive evaluation helps ensure configurations remain secure and aligned with established baselines, fulfilling the requirement for persistent testing and configuration management of machine resources. Essentially, planned changes are vetted to minimize risks associated with misconfigurations.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-478",
          "control_name": "Change Detection Mechanism",
          "control_description": "Sustainment Technologies Inc has enabled file integrity monitoring or a change-detection mechanism to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, audit files, or content files to ensure critical data cannot be changed ",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:00.023Z",
          "updated_at": "2025-11-24T13:51:38.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-478-monitoring",
              "name": "Continuous Monitoring - Change Detection Mechanism (DCF-478)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169275+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-478-policy",
              "name": "Policy Documentation - Change Detection Mechanism (DCF-478)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169281+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 497,
          "explanation": "Drata's Change Detection Mechanism directly addresses KSI-MLA-EVC by providing continuous monitoring of critical system and configuration files Ã¢â‚¬â€œ including those defined in infrastructure as code Ã¢â‚¬â€œ for unauthorized changes. This persistent evaluation and alerting on modifications demonstrates ongoing configuration testing, fulfilling the FedRAMP requirement to ensure the integrity of machine-based information resources. Essentially, it *detects* drift from approved configurations, a key element of consistent evaluation.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-02T12:02:06.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 152,
                "name": "CloudTrail Log File Integrity Validation Enabled",
                "status": "PASSED",
                "description": "Drata confirmed that AWS CloudTrail log validation is enabled on all trails.",
                "last_run": "2026-07-02T12:02:06.000Z",
                "test_definition_id": 205,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-12",
          "control_name": "Baseline Configuration and Hardening Standards",
          "control_description": "Sustainment Technologies Inc has identified and documented baseline security configuration standards for all system components in accordance with industry-accepted hardening standards or vendor recommendations. These standards are reviewed periodically and updated as needed (e.g., when vulnerabiliti",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.743Z",
          "updated_at": "2025-11-24T13:51:40.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-12-evidence",
              "name": "Baseline Configuration and Hardening Standards (DCF-12)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169287+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-12-policy",
              "name": "Policy Documentation - Baseline Configuration and Hardening Standards (DCF-12)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169293+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 93,
          "explanation": "Drata's \"Baseline Configuration and Hardening Standards\" control directly addresses KSI-MLA-EVC by demonstrating consistent application of secure configurations to system components Ã¢â‚¬â€œ including those defined in infrastructure as code. Documenting and *periodically reviewing* these baselines (as the description states) proves ongoing evaluation and testing of configurations against established security benchmarks, fulfilling the FedRAMP requirement for persistent assessment. This aligns with NIST CM-6/CM-2 by establishing and maintaining a documented configuration baseline.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-560",
          "control_name": "Baselines for Detecting Anomalous Behavior",
          "control_description": "Sustainment Technologies Inc has established baselines for normal behavior of networks, systems, and applications for the detection of anomalies.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:11.087Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-560-evidence",
              "name": "Baselines for Detecting Anomalous Behavior (DCF-560)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169299+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-560-monitoring",
              "name": "Continuous Monitoring - Baselines for Detecting Anomalous Behavior (DCF-560)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169306+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 584,
          "explanation": "Drata's \"Baselines for Detecting Anomalous Behavior\" control directly addresses KSI-MLA-EVC by establishing a known-good state for systems Ã¢â‚¬â€œ including infrastructure as code Ã¢â‚¬â€œ allowing for continuous monitoring and identification of configuration drifts. This persistent evaluation and anomaly detection fulfills the FedRAMP requirement to *test* configuration and identify deviations from approved settings, crucial for maintaining a secure and compliant environment. Essentially, it provides a mechanism to verify configurations haven't unintentionally changed, supporting ongoing compliance.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "Sustainment Technologies' Change Management Policy requires persistent evaluation and testing of machine-based resource configurations, with emphasis on infrastructure as code. This is implemented through baseline configuration standards, change detection mechanisms, anomalous behavior detection, and a documented monitoring plan that defines what configurations are evaluated. Drata monitors configuration baselines for drift, and the Security Steering Committee reviews evaluation results to ensure configuration testing remains comprehensive and effective.\n### Key Controls\n- [OK] Contractor Requirements (DCF-40)\n- [OK] Monitoring Plan (DCF-176)\n- [OK] Security Team/Steering Committee (DCF-34)\n- [OK] Change Management Policy (DCF-567)\n- [OK] Change Detection Mechanism (DCF-478)\n- [OK] Baseline Configuration and Hardening Standards (DCF-12)\n- [OK] Baselines for Detecting Anomalous Behavior (DCF-560)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:20:00.499903+00:00",
      "ksi_name": "Evaluating Configurations",
      "category": "MLA",
      "statement": "Persistently evaluate and test the configuration of machine-based information resources, especially infrastructure as code.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/monitoring-logging-and-auditing/",
      "nist_controls": [
        "CA-7",
        "CM-2",
        "CM-6",
        "SI-7.7"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment persistently evaluates and tests machine-based resource configurations within the AWS environment through baseline standards, change detection mechanisms, and anomalous behavior detection.",
        "failure_condition": "Configuration evaluation not run within 7 days, drift detection disabled, or failure to maintain baseline configurations will cause a failure of the test. Additionally, a change management policy, baseline configuration and hardening standards, anomalous behavior detection baselines, a monitoring plan, and a security steering committee must be in place to ensure configurations are continuously evaluated and validated."
      },
      "outcome_metrics": [
        {
          "statement": "Logging configurations are evaluated to confirm completeness and correctness",
          "metric_name": "Integrity",
          "target_value": "100% of required log sources validated; 0 misconfigured log sources",
          "target_unit": "",
          "frequency": "Quarterly",
          "source": "Log source inventory; logging config audit; SIEM source health",
          "notes": "Required log source missing or misconfigured; SIEM health alert"
        }
      ],
      "monitoring": {
        "total_tests": 7,
        "passed": 7,
        "failed": 0,
        "controls_with_monitoring": 5,
        "monitoring_coverage": 62.5,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-MLA-LET",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:59.133190+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-596 (DCF-596)",
          "control_id": "DCF-596",
          "status": "Passing",
          "description": "Drata control status for DCF-596",
          "date": "2026-07-02T13:19:59.133190+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-421 (DCF-421)",
          "control_id": "DCF-421",
          "status": "Passing",
          "description": "Drata control status for DCF-421",
          "date": "2026-07-02T13:19:59.133190+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-177 (DCF-177)",
          "control_id": "DCF-177",
          "status": "Passing",
          "description": "Drata control status for DCF-177",
          "date": "2026-07-02T13:19:59.133190+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-165 (DCF-165)",
          "control_id": "DCF-165",
          "status": "Passing",
          "description": "Drata control status for DCF-165",
          "date": "2026-07-02T13:19:59.133190+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-80 (DCF-80)",
          "control_id": "DCF-80",
          "status": "Passing",
          "description": "Drata control status for DCF-80",
          "date": "2026-07-02T13:19:59.133190+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-79 (DCF-79)",
          "control_id": "DCF-79",
          "status": "Passing",
          "description": "Drata control status for DCF-79",
          "date": "2026-07-02T13:19:59.133190+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-87 (DCF-87)",
          "control_id": "DCF-87",
          "status": "Passing",
          "description": "Drata control status for DCF-87",
          "date": "2026-07-02T13:19:59.133190+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-160 (DCF-160)",
          "control_id": "DCF-160",
          "status": "Passing",
          "description": "Drata control status for DCF-160",
          "date": "2026-07-02T13:19:59.133190+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-MLA-LET",
          "control_name": "Custom Automated Check: KSI-MLA-LET",
          "control_description": "8/8 mapped controls passing; Sustainment Technologies' logging policies maintain a defined list of information resources and event types that are logged, monitored, and audited. This is implemented through event logging configurations, authorized log modification controls, clock synchronization for accurate timestamps, centralized log storage, and continuous control monitoring. Drata validates that logging is active and properly configured across all defined event types, while independent assessments verify the completeness of the logging coverage.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:59.133190+00:00",
          "updated_at": "2026-07-02T13:19:59.133190+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:59.133190+00:00",
          "requirements_updated_at": "",
          "evidence_count": 8,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-596 (DCF-596)",
              "description": "Drata control status for DCF-596",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.133190+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169312+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-421 (DCF-421)",
              "description": "Drata control status for DCF-421",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.133190+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169318+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-177 (DCF-177)",
              "description": "Drata control status for DCF-177",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.133190+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169324+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-165 (DCF-165)",
              "description": "Drata control status for DCF-165",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.133190+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169329+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-80 (DCF-80)",
              "description": "Drata control status for DCF-80",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.133190+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169335+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-79 (DCF-79)",
              "description": "Drata control status for DCF-79",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.133190+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169341+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-87 (DCF-87)",
              "description": "Drata control status for DCF-87",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.133190+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169346+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-160 (DCF-160)",
              "description": "Drata control status for DCF-160",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.133190+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169352+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 5,
            "passed": 5,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:45.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              },
              {
                "test_id": 140,
                "name": "Only Authorized Users can Access Log Sinks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of the system that collects and stores server logs and confirmed that it only accepts connections from authorized users.",
                "last_run": "2026-07-01T18:27:22.000Z",
                "test_definition_id": 110,
                "enabled": true
              },
              {
                "test_id": 139,
                "name": "Logs are Centrally Stored",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are centrally stored.",
                "last_run": "2026-07-01T18:27:24.000Z",
                "test_definition_id": 109,
                "enabled": true
              },
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              },
              {
                "test_id": 135,
                "name": "Threat Detection in Place",
                "status": "PASSED",
                "description": "Sustainment Technologies Inc has Threat Detection in place to detect unauthorized file additions within the cloud environment, server instances, and application containers.",
                "last_run": "2026-07-01T18:28:45.000Z",
                "test_definition_id": 105,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-596",
              "DCF-421",
              "DCF-177",
              "DCF-165",
              "DCF-80",
              "DCF-79",
              "DCF-87",
              "DCF-160"
            ]
          }
        },
        {
          "control_id": "DCF-596",
          "control_name": "Authorized to Modify Logs",
          "control_description": "Sustainment Technologies Inc only allows authorized personnel to modify log settings/configurations.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [],
          "created_at": "2023-03-21T16:43:06.738Z",
          "updated_at": "2025-11-24T18:38:38.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2023-03-21T16:43:06.751Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-596-policy",
              "name": "Policy Documentation - Authorized to Modify Logs (DCF-596)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:38.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169358+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 558,
          "explanation": "The \"Authorized to Modify Logs\" control directly supports KSI-MLA-LET by ensuring the *integrity* of the logged data – a foundational element of effective monitoring and auditing. By restricting log modification to authorized personnel (as defined in policy and enforced technically), Drata verifies that the list of logged information & event types (required by the KSI) isn't unintentionally or maliciously altered, maintaining a reliable audit trail for FedRAMP compliance. This aligns with NIST AU-12 which focuses on protecting audit logs from tampering.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-421",
          "control_name": "Clock Synchronization",
          "control_description": "Sustainment Technologies Inc synchronizes all critical system clocks and times using time-synchronization technology such as Network Time Protocol (NTP).",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:58.375Z",
          "updated_at": "2025-11-24T13:51:27.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:33:48.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-421-policy",
              "name": "Policy Documentation - Clock Synchronization (DCF-421)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:27.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169365+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 441,
          "explanation": "Drata's Clock Synchronization control directly supports KSI-MLA-LET by ensuring accurate timestamps on log events. Accurate timestamps are *essential* for correlating events across systems – a core component of effective logging, monitoring, and auditing as required by the KSI. Without synchronized clocks, identifying and investigating security incidents from logs becomes significantly impaired, hindering compliance with FedRAMP's logging mandate.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-177",
          "control_name": "Event Logging",
          "control_description": "Sustainment Technologies Inc has a defined plan for event logging that establishes the required criteria for logs, protection of logged information, and clock synchronization.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:44.114Z",
          "updated_at": "2025-11-24T18:38:50.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": 160,
              "name": "Silent Log Sources - Crowdstrike",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/160_Silent Log Sources - Crowdstrike.png",
              "updated_at": "2026-06-17T22:10:26.030Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169545+00:00",
                "status": "hashed",
                "sha256": "4355516d11f210c6981374184d617ae5fe381cdce7b22a19795747db92d14581",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/160_Silent Log Sources - Crowdstrike.png",
                "filename": "160_Silent Log Sources - Crowdstrike.png",
                "size_bytes": 239901,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-177-policy",
              "name": "Policy Documentation - Event Logging (DCF-177)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:50.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169739+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 182,
          "explanation": "This Drata control directly addresses KSI-MLA-LET by demonstrating a documented plan for *what* events are logged (resource & event list), *how* they are protected (log protection), and ensures accurate timing (clock synchronization) – fulfilling the \"maintain a list and then do so\" requirement. The related NIST controls (AU-12, AU-2) further validate the implementation of robust audit logging practices necessary for FedRAMP compliance.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-165",
          "control_name": "Independent Assessment",
          "control_description": "Sustainment Technologies Inc has an independent assessment (e.g., internal audit) process to ensure that its information security program is effectively implemented, maintained, and in conformance.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:42.954Z",
          "updated_at": "2025-11-24T13:51:38.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:22.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": 123,
              "name": "SOC 2 Type II Report",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/123_SOC 2 Type II Report.pdf",
              "updated_at": "2026-05-05T19:19:56.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.169900+00:00",
                "status": "hashed",
                "sha256": "80b9c22a7fd79023d195fd5b3cee1556c72f836d49ceef3e42d37a60c00da22e",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/123_SOC 2 Type II Report.pdf",
                "filename": "123_SOC 2 Type II Report.pdf",
                "size_bytes": 564071,
                "modified_at": "2026-07-02T13:17:00+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-165-owner",
              "name": "Assigned Control Owner - Independent Assessment (DCF-165)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.170360+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 176,
          "explanation": "Drata's \"Independent Assessment\" control satisfies KSI-MLA-LET by demonstrating that a periodic review confirms logging and monitoring activities are *actually happening* as defined in the system's documentation. The assessment verifies the established list of resources & event types (required by KSI-MLA-LET) is being consistently logged, monitored, and audited – proving sustained compliance, aligning with AU-2's audit trail review. Essentially, it *proves* they're doing what they say they're logging.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-80",
          "control_name": "Log Management System",
          "control_description": "Sustainment Technologies Inc uses logging software that sends alerts to appropriate personnel. Corrective actions are performed, as necessary, in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.779Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 151,
              "name": "DataDog Security alerts sample",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/151_DataDog Security alerts sample.csv",
              "updated_at": "2026-03-02T15:57:18.424Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.170536+00:00",
                "status": "hashed",
                "sha256": "3a6f138a1019b8d39d01a2e02dc11e84fa1a8b504f306fadf42619746948a934",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/151_DataDog Security alerts sample.csv",
                "filename": "151_DataDog Security alerts sample.csv",
                "size_bytes": 82445,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-80-owner",
              "name": "Assigned Control Owner - Log Management System (DCF-80)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.170622+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-80-monitoring",
              "name": "Continuous Monitoring - Log Management System (DCF-80)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.170629+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 123,
          "explanation": "This Drata control satisfies KSI-MLA-LET by demonstrating the *maintenance* of a logging capability – the \"Log Management System\" actively records events (meeting the \"logged, monitored, and audited\" requirement). The alerts and corrective actions further prove that logged information is *used* for monitoring and responding to security events, fulfilling the \"do so\" portion of the KSI requirement, and aligns with NIST AU controls focused on audit event logging and review.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-79",
          "control_name": "Logs Centrally Stored",
          "control_description": "Sustainment Technologies Inc uses a system that collects and stores server logs in a central location. The system can be queried in an ad hoc fashion by authorized users.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.775Z",
          "updated_at": "2026-06-30T12:57:13.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 13,
              "name": "Logs Centrally Stored",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/13_Logs Centrally Stored.csv",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.170788+00:00",
                "status": "hashed",
                "sha256": "bb85025771956bff33f960b28f614e1447bd02e93a2f0ba842f12abe7e375706",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/13_Logs Centrally Stored.csv",
                "filename": "13_Logs Centrally Stored.csv",
                "size_bytes": 145,
                "modified_at": "2026-07-02T13:17:00+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-79-owner",
              "name": "Assigned Control Owner - Logs Centrally Stored (DCF-79)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-30T12:57:13.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.170816+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-79-monitoring",
              "name": "Continuous Monitoring - Logs Centrally Stored (DCF-79)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-30T12:57:13.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.170822+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 122,
          "explanation": "This Drata control satisfies KSI-MLA-LET by demonstrating the \"do so\" portion of the requirement – actually *maintaining* logs. Centralized log storage ensures all defined information resources (servers) are logged, and the ability to query them supports ongoing monitoring and auditability as mandated by FedRAMP's KSI. Essentially, it proves logs *are* being collected and retained for review, fulfilling the core intent of the control.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:24.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 140,
                "name": "Only Authorized Users can Access Log Sinks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of the system that collects and stores server logs and confirmed that it only accepts connections from authorized users.",
                "last_run": "2026-07-01T18:27:22.000Z",
                "test_definition_id": 110,
                "enabled": true
              },
              {
                "test_id": 139,
                "name": "Logs are Centrally Stored",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are centrally stored.",
                "last_run": "2026-07-01T18:27:24.000Z",
                "test_definition_id": 109,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-87",
          "control_name": "Logging/Monitoring",
          "control_description": "Sustainment Technologies Inc has infrastructure logging configured to monitor web traffic and suspicious activity. When anomalous traffic activity is identified, alerts are automatically created, sent to appropriate personnel and resolved, as necessary.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.217Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:21.976Z",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": 161,
              "name": "DCF87 Testing Results History",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/161_DCF87 Testing Results History.png",
              "updated_at": "2026-06-17T22:38:41.159Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.170977+00:00",
                "status": "hashed",
                "sha256": "297e5a03cc7fa8c4f1a971f581eae381efbbf3eb5e9b6ec8f5a4f498073de962",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/161_DCF87 Testing Results History.png",
                "filename": "161_DCF87 Testing Results History.png",
                "size_bytes": 195440,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 160,
              "name": "Silent Log Sources - Crowdstrike",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/160_Silent Log Sources - Crowdstrike.png",
              "updated_at": "2026-06-17T22:10:26.030Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.171291+00:00",
                "status": "hashed",
                "sha256": "4355516d11f210c6981374184d617ae5fe381cdce7b22a19795747db92d14581",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/160_Silent Log Sources - Crowdstrike.png",
                "filename": "160_Silent Log Sources - Crowdstrike.png",
                "size_bytes": 239901,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-87-owner",
              "name": "Assigned Control Owner - Logging/Monitoring (DCF-87)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.171488+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 118,
          "explanation": "This Drata control satisfies KSI-MLA-LET by demonstrating the *maintenance* of a logged event type (anomalous traffic – fulfilling the “list” aspect) and the *actual monitoring & auditing* of that event type through automated alerts and resolution processes. The logging of web traffic and suspicious activity, coupled with alert response, proves Sustainment Technologies Inc. is actively observing and acting upon defined information resources as required by FedRAMP.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:45.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              },
              {
                "test_id": 135,
                "name": "Threat Detection in Place",
                "status": "PASSED",
                "description": "Sustainment Technologies Inc has Threat Detection in place to detect unauthorized file additions within the cloud environment, server instances, and application containers.",
                "last_run": "2026-07-01T18:28:45.000Z",
                "test_definition_id": 105,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-160",
          "control_name": "Continuous Control Monitoring",
          "control_description": "Sustainment Technologies Inc conducts continuous monitoring of security controls using Drata, and addresses issues in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.170Z",
          "updated_at": "2025-11-24T13:51:38.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 160,
              "name": "Silent Log Sources - Crowdstrike",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/160_Silent Log Sources - Crowdstrike.png",
              "updated_at": "2026-06-17T22:10:26.030Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.171646+00:00",
                "status": "hashed",
                "sha256": "4355516d11f210c6981374184d617ae5fe381cdce7b22a19795747db92d14581",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/160_Silent Log Sources - Crowdstrike.png",
                "filename": "160_Silent Log Sources - Crowdstrike.png",
                "size_bytes": 239901,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-160-owner",
              "name": "Assigned Control Owner - Continuous Control Monitoring (DCF-160)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.171828+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-160-policy",
              "name": "Policy Documentation - Continuous Control Monitoring (DCF-160)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.171835+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 70,
          "explanation": "Drata's Continuous Control Monitoring (CCM) directly satisfies KSI-MLA-LET by automatically and continuously verifying the logging and monitoring of defined information resources and event types – essentially *doing* what the requirement mandates. The CCM functionality provides ongoing evidence of audit log activity (aligned with AU-2), demonstrating sustained monitoring and allowing for timely remediation of any gaps in logging coverage, fulfilling the \"maintain and do\" aspect of the KSI.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' logging policies maintain a defined list of information resources and event types that are logged, monitored, and audited. This is implemented through event logging configurations, authorized log modification controls, clock synchronization for accurate timestamps, centralized log storage, and continuous control monitoring. Drata validates that logging is active and properly configured across all defined event types, while independent assessments verify the completeness of the logging coverage.\n### Key Controls\n- [OK] Authorized to Modify Logs (DCF-596)\n- [OK] Clock Synchronization (DCF-421)\n- [OK] Event Logging (DCF-177)\n- [OK] Independent Assessment (DCF-165)\n- [OK] Log Management System (DCF-80)\n- [OK] Logs Centrally Stored (DCF-79)\n- [OK] Logging/Monitoring (DCF-87)\n- [OK] Continuous Control Monitoring (DCF-160)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:59.133190+00:00",
      "ksi_name": "Logging Event Types",
      "category": "MLA",
      "statement": "Maintain a list of information resources and event types that will be logged, monitored, and audited, then do so.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/monitoring-logging-and-auditing/",
      "nist_controls": [
        "AC-2.4",
        "AC-6.9",
        "AC-17.1",
        "AC-20.1",
        "AU-2",
        "AU-7.1",
        "AU-12",
        "SI-4.4",
        "SI-4.5",
        "SI-7.7"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment maintains a defined list of information resources and event types that are logged, monitored, and audited with accurate timestamps through centralized log management and continuous control monitoring.",
        "failure_condition": "Required event types not being logged, a logging gap exceeding 24 hours, or clock synchronization failure causing inaccurate timestamps will cause a failure of the test. Additionally, event logging configurations, authorized log modification controls, centralized log storage, logging/monitoring infrastructure, and an independent assessment must be in place to ensure all required events are captured and auditable."
      },
      "outcome_metrics": [
        {
          "statement": "All required FedRAMP event types are captured in logs",
          "metric_name": "Coverage",
          "target_value": "100% of required event types logged with required fields",
          "target_unit": "",
          "frequency": "Monthly",
          "source": "SIEM event type coverage report; log schema validation",
          "notes": "Required event type not captured; mandatory log field missing"
        }
      ],
      "monitoring": {
        "total_tests": 5,
        "passed": 5,
        "failed": 0,
        "controls_with_monitoring": 3,
        "monitoring_coverage": 33.3,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-MLA-OSM",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:56.454333+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-80 (DCF-80)",
          "control_id": "DCF-80",
          "status": "Passing",
          "description": "Drata control status for DCF-80",
          "date": "2026-07-02T13:19:56.454333+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-79 (DCF-79)",
          "control_id": "DCF-79",
          "status": "Passing",
          "description": "Drata control status for DCF-79",
          "date": "2026-07-02T13:19:56.454333+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-86 (DCF-86)",
          "control_id": "DCF-86",
          "status": "Passing",
          "description": "Drata control status for DCF-86",
          "date": "2026-07-02T13:19:56.454333+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-87 (DCF-87)",
          "control_id": "DCF-87",
          "status": "Passing",
          "description": "Drata control status for DCF-87",
          "date": "2026-07-02T13:19:56.454333+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-177 (DCF-177)",
          "control_id": "DCF-177",
          "status": "Passing",
          "description": "Drata control status for DCF-177",
          "date": "2026-07-02T13:19:56.454333+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-95 (DCF-95)",
          "control_id": "DCF-95",
          "status": "Passing",
          "description": "Drata control status for DCF-95",
          "date": "2026-07-02T13:19:56.454333+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-406 (DCF-406)",
          "control_id": "DCF-406",
          "status": "Passing",
          "description": "Drata control status for DCF-406",
          "date": "2026-07-02T13:19:56.454333+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-165 (DCF-165)",
          "control_id": "DCF-165",
          "status": "Passing",
          "description": "Drata control status for DCF-165",
          "date": "2026-07-02T13:19:56.454333+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-MLA-OSM",
          "control_name": "Custom Automated Check: KSI-MLA-OSM",
          "control_description": "8/8 mapped controls passing; Sustainment Technologies operates a centralized SIEM capability for tamper-resistant logging of all security events, activities, and changes across the cloud service offering. This is implemented through centralized log management with audit logging, event logging pipelines, tamper-resistant log storage, and capacity monitoring to ensure the SIEM can handle event volume. Drata monitors SIEM health and logging coverage, operational audits validate log integrity, and independent assessments verify that the SIEM provides the centralized visibility required for effective security monitoring.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:56.454333+00:00",
          "updated_at": "2026-07-02T13:19:56.454333+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:56.454333+00:00",
          "requirements_updated_at": "",
          "evidence_count": 8,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-80 (DCF-80)",
              "description": "Drata control status for DCF-80",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.454333+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.171843+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-79 (DCF-79)",
              "description": "Drata control status for DCF-79",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.454333+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.171849+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-86 (DCF-86)",
              "description": "Drata control status for DCF-86",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.454333+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.171855+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-87 (DCF-87)",
              "description": "Drata control status for DCF-87",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.454333+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.171861+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-177 (DCF-177)",
              "description": "Drata control status for DCF-177",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.454333+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.171868+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-95 (DCF-95)",
              "description": "Drata control status for DCF-95",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.454333+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.171874+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-406 (DCF-406)",
              "description": "Drata control status for DCF-406",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.454333+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.171880+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-165 (DCF-165)",
              "description": "Drata control status for DCF-165",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.454333+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.171885+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 12,
            "passed": 12,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:45.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              },
              {
                "test_id": 140,
                "name": "Only Authorized Users can Access Log Sinks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of the system that collects and stores server logs and confirmed that it only accepts connections from authorized users.",
                "last_run": "2026-07-01T18:27:22.000Z",
                "test_definition_id": 110,
                "enabled": true
              },
              {
                "test_id": 139,
                "name": "Logs are Centrally Stored",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are centrally stored.",
                "last_run": "2026-07-01T18:27:24.000Z",
                "test_definition_id": 109,
                "enabled": true
              },
              {
                "test_id": 7,
                "name": "Infrastructure Instance CPU Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's server monitoring and alerting configurations and confirmed that server CPU use is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:42.000Z",
                "test_definition_id": 118,
                "enabled": true
              },
              {
                "test_id": 6,
                "name": "NoSQL Cluster Storage Utilization Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's NoSQL cluster monitoring and alerting configurations and confirmed that storage utilization is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:50.000Z",
                "test_definition_id": 117,
                "enabled": true
              },
              {
                "test_id": 4,
                "name": "Messaging Queue Message Age Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's messaging queue monitoring configurations and confirmed that message age is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:59.000Z",
                "test_definition_id": 115,
                "enabled": true
              },
              {
                "test_id": 3,
                "name": "Database Read I/O Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that read I/O is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 114,
                "enabled": true
              },
              {
                "test_id": 2,
                "name": "Database Free Storage Space Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that free storage space is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 113,
                "enabled": true
              },
              {
                "test_id": 1,
                "name": "Database CPU Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that server CPU use is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 112,
                "enabled": true
              },
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              },
              {
                "test_id": 135,
                "name": "Threat Detection in Place",
                "status": "PASSED",
                "description": "Sustainment Technologies Inc has Threat Detection in place to detect unauthorized file additions within the cloud environment, server instances, and application containers.",
                "last_run": "2026-07-01T18:28:45.000Z",
                "test_definition_id": 105,
                "enabled": true
              },
              {
                "test_id": 9,
                "name": "Capacity and Usage Monitoring",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's processing capacity and usage reports to determine that processing capacity and usage was monitored.",
                "last_run": "2026-07-01T18:27:47.000Z",
                "test_definition_id": 129,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-80",
              "DCF-79",
              "DCF-86",
              "DCF-87",
              "DCF-177",
              "DCF-95",
              "DCF-406",
              "DCF-165"
            ]
          }
        },
        {
          "control_id": "DCF-80",
          "control_name": "Log Management System",
          "control_description": "Sustainment Technologies Inc uses logging software that sends alerts to appropriate personnel. Corrective actions are performed, as necessary, in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.779Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 151,
              "name": "DataDog Security alerts sample",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/151_DataDog Security alerts sample.csv",
              "updated_at": "2026-03-02T15:57:18.424Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.172047+00:00",
                "status": "hashed",
                "sha256": "3a6f138a1019b8d39d01a2e02dc11e84fa1a8b504f306fadf42619746948a934",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/151_DataDog Security alerts sample.csv",
                "filename": "151_DataDog Security alerts sample.csv",
                "size_bytes": 82445,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-80-owner",
              "name": "Assigned Control Owner - Log Management System (DCF-80)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.172138+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-80-monitoring",
              "name": "Continuous Monitoring - Log Management System (DCF-80)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.172145+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 123,
          "explanation": "This Drata control satisfies KSI-MLA-OSM by demonstrating the implementation of a logging system – fulfilling the requirement for centralized, tamper-resistant log collection. The description confirms event monitoring *and* responsive action to those events (alerts & corrective actions), proving the system isn’t just collecting data, but actively used for security oversight as FedRAMP requires. The related NIST controls further validate this aligns with established auditing best practices.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-79",
          "control_name": "Logs Centrally Stored",
          "control_description": "Sustainment Technologies Inc uses a system that collects and stores server logs in a central location. The system can be queried in an ad hoc fashion by authorized users.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.775Z",
          "updated_at": "2026-06-30T12:57:13.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 13,
              "name": "Logs Centrally Stored",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/13_Logs Centrally Stored.csv",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.172300+00:00",
                "status": "hashed",
                "sha256": "bb85025771956bff33f960b28f614e1447bd02e93a2f0ba842f12abe7e375706",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/13_Logs Centrally Stored.csv",
                "filename": "13_Logs Centrally Stored.csv",
                "size_bytes": 145,
                "modified_at": "2026-07-02T13:17:00+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-79-owner",
              "name": "Assigned Control Owner - Logs Centrally Stored (DCF-79)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-30T12:57:13.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.172328+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-79-monitoring",
              "name": "Continuous Monitoring - Logs Centrally Stored (DCF-79)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-30T12:57:13.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.172334+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 122,
          "explanation": "Drata’s “Logs Centrally Stored” control satisfies KSI-MLA-OSM by demonstrating the collection and consolidation of server logs into a central repository – a core component of a SIEM-like system. This centralized, queryable logging fulfills the FedRAMP requirement for tamper-resistant event recording, enabling detection and investigation of security incidents and changes within the system. The related NIST controls (AU-7, AU-2, AU-3) further validate the logging practices align with audit and accountability standards.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:24.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 140,
                "name": "Only Authorized Users can Access Log Sinks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of the system that collects and stores server logs and confirmed that it only accepts connections from authorized users.",
                "last_run": "2026-07-01T18:27:22.000Z",
                "test_definition_id": 110,
                "enabled": true
              },
              {
                "test_id": 139,
                "name": "Logs are Centrally Stored",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are centrally stored.",
                "last_run": "2026-07-01T18:27:24.000Z",
                "test_definition_id": 109,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-86",
          "control_name": "Operational Audit",
          "control_description": "Sustainment Technologies Inc's cloud infrastructure is monitored through an operational audit system that sends alerts to appropriate personnel",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.431Z",
          "updated_at": "2026-05-16T21:24:18.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:22.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-86-evidence",
              "name": "Operational Audit (DCF-86)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.172341+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-86-owner",
              "name": "Assigned Control Owner - Operational Audit (DCF-86)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.172347+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-86-monitoring",
              "name": "Continuous Monitoring - Operational Audit (DCF-86)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.172353+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 5,
          "explanation": "Drata's Operational Audit control directly satisfies KSI-MLA-OSM by demonstrating centralized, tamper-resistant logging of system events and activities – a core function of a SIEM. The audit system's alert functionality ensures timely response to security-relevant events, fulfilling the requirement for *active* monitoring and enabling investigation of changes as mandated by FedRAMP. This aligns with NIST AU-3, which covers audit record review, analysis, and reporting.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 6,
            "passed": 6,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:02.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 7,
                "name": "Infrastructure Instance CPU Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's server monitoring and alerting configurations and confirmed that server CPU use is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:42.000Z",
                "test_definition_id": 118,
                "enabled": true
              },
              {
                "test_id": 6,
                "name": "NoSQL Cluster Storage Utilization Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's NoSQL cluster monitoring and alerting configurations and confirmed that storage utilization is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:50.000Z",
                "test_definition_id": 117,
                "enabled": true
              },
              {
                "test_id": 4,
                "name": "Messaging Queue Message Age Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's messaging queue monitoring configurations and confirmed that message age is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:59.000Z",
                "test_definition_id": 115,
                "enabled": true
              },
              {
                "test_id": 3,
                "name": "Database Read I/O Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that read I/O is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 114,
                "enabled": true
              },
              {
                "test_id": 2,
                "name": "Database Free Storage Space Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that free storage space is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 113,
                "enabled": true
              },
              {
                "test_id": 1,
                "name": "Database CPU Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that server CPU use is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 112,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-87",
          "control_name": "Logging/Monitoring",
          "control_description": "Sustainment Technologies Inc has infrastructure logging configured to monitor web traffic and suspicious activity. When anomalous traffic activity is identified, alerts are automatically created, sent to appropriate personnel and resolved, as necessary.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.217Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:21.976Z",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": 161,
              "name": "DCF87 Testing Results History",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/161_DCF87 Testing Results History.png",
              "updated_at": "2026-06-17T22:38:41.159Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.172518+00:00",
                "status": "hashed",
                "sha256": "297e5a03cc7fa8c4f1a971f581eae381efbbf3eb5e9b6ec8f5a4f498073de962",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/161_DCF87 Testing Results History.png",
                "filename": "161_DCF87 Testing Results History.png",
                "size_bytes": 195440,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 160,
              "name": "Silent Log Sources - Crowdstrike",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/160_Silent Log Sources - Crowdstrike.png",
              "updated_at": "2026-06-17T22:10:26.030Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.172822+00:00",
                "status": "hashed",
                "sha256": "4355516d11f210c6981374184d617ae5fe381cdce7b22a19795747db92d14581",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/160_Silent Log Sources - Crowdstrike.png",
                "filename": "160_Silent Log Sources - Crowdstrike.png",
                "size_bytes": 239901,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-87-owner",
              "name": "Assigned Control Owner - Logging/Monitoring (DCF-87)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.173003+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 118,
          "explanation": "This Drata control satisfies KSI-MLA-OSM by demonstrating centralized logging of security-relevant events (web traffic, suspicious activity) – a core component of FedRAMP's KSI requirement. The automated alerting and resolution process further ensures timely response to identified issues, proving the system isn’t just *collecting* logs, but actively *using* them for security monitoring and incident management as FedRAMP dictates. This aligns with NIST AU-2’s focus on audit event logging and review.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:45.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              },
              {
                "test_id": 135,
                "name": "Threat Detection in Place",
                "status": "PASSED",
                "description": "Sustainment Technologies Inc has Threat Detection in place to detect unauthorized file additions within the cloud environment, server instances, and application containers.",
                "last_run": "2026-07-01T18:28:45.000Z",
                "test_definition_id": 105,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-177",
          "control_name": "Event Logging",
          "control_description": "Sustainment Technologies Inc has a defined plan for event logging that establishes the required criteria for logs, protection of logged information, clock synchronization.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:44.114Z",
          "updated_at": "2025-11-24T18:38:50.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": 160,
              "name": "Silent Log Sources - Crowdstrike",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/160_Silent Log Sources - Crowdstrike.png",
              "updated_at": "2026-06-17T22:10:26.030Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.173187+00:00",
                "status": "hashed",
                "sha256": "4355516d11f210c6981374184d617ae5fe381cdce7b22a19795747db92d14581",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/160_Silent Log Sources - Crowdstrike.png",
                "filename": "160_Silent Log Sources - Crowdstrike.png",
                "size_bytes": 239901,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-177-policy",
              "name": "Policy Documentation - Event Logging (DCF-177)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:50.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.173375+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 182,
          "explanation": "Drata's \"Event Logging\" control satisfies KSI-MLA-OSM by demonstrating a documented plan for collecting, securing, and maintaining tamper-resistant logs of system events – a core requirement of FedRAMP's centralized logging mandate. This plan, aligning with NIST AU controls, proves Sustainment Technologies Inc. actively monitors and records activity for security investigations and incident response, fulfilling the need for comprehensive event visibility.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-95",
          "control_name": "Monitoring Processing Capacity and Usage",
          "control_description": "Sustainment Technologies Inc monitors its processing capacity and usage on a quarterly basis in order to appropriately manage capacity demand and to enable the implementation of additional capacity to meet availability commitments.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.435Z",
          "updated_at": "2026-05-16T21:24:18.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:22.235Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-95-evidence",
              "name": "Monitoring Processing Capacity and Usage (DCF-95)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.173383+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-95-owner",
              "name": "Assigned Control Owner - Monitoring Processing Capacity and Usage (DCF-95)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.173389+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-95-monitoring",
              "name": "Continuous Monitoring - Monitoring Processing Capacity and Usage (DCF-95)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.173395+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 6,
          "explanation": "While seemingly unrelated, “Monitoring Processing Capacity and Usage” supports KSI-MLA-OSM by ensuring sufficient resources are available for the SIEM/logging system to function effectively *without* performance degradation. If capacity isn't monitored and maintained, the SIEM could fail to log events reliably, violating the tamper-resistant, centralized logging requirement of the KSI. This proactive capacity management helps guarantee the SIEM can consistently capture and retain necessary security data as outlined in AU-4.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:47.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 9,
                "name": "Capacity and Usage Monitoring",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's processing capacity and usage reports to determine that processing capacity and usage was monitored.",
                "last_run": "2026-07-01T18:27:47.000Z",
                "test_definition_id": 129,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-406",
          "control_name": "Audit Logging",
          "control_description": "Audit logs are enabled and active for all system components and sensitive data in accordance with company policies.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:57.966Z",
          "updated_at": "2025-11-24T13:51:22.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.697Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-406-policy",
              "name": "Policy Documentation - Audit Logging (DCF-406)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:22.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.173402+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 426,
          "explanation": "Drata's Audit Logging control directly satisfies KSI-MLA-OSM by demonstrating the continuous, active recording of system events and changes – a core component of a SIEM-like function. By verifying logs are enabled across all components and for sensitive data, Drata proves the organization is capturing the tamper-resistant record of activity FedRAMP requires for security monitoring and incident response. This aligns with NIST AU controls focused on audit trails and accountability.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-165",
          "control_name": "Independent Assessment",
          "control_description": "Sustainment Technologies Inc has an independent assessment (e.g., internal audit) process to ensure that its information security program is effectively implemented, maintained, and in conformance.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:42.954Z",
          "updated_at": "2025-11-24T13:51:38.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:22.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": 123,
              "name": "SOC 2 Type II Report",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/123_SOC 2 Type II Report.pdf",
              "updated_at": "2026-05-05T19:19:56.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.173573+00:00",
                "status": "hashed",
                "sha256": "80b9c22a7fd79023d195fd5b3cee1556c72f836d49ceef3e42d37a60c00da22e",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/123_SOC 2 Type II Report.pdf",
                "filename": "123_SOC 2 Type II Report.pdf",
                "size_bytes": 564071,
                "modified_at": "2026-07-02T13:17:00+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-165-owner",
              "name": "Assigned Control Owner - Independent Assessment (DCF-165)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.174016+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 176,
          "explanation": "While not a *direct* SIEM implementation, the Drata \"Independent Assessment\" control satisfies KSI-MLA-OSM by demonstrating ongoing verification of the entire security program – including logging practices. The assessment process confirms logs are *being* collected, reviewed, and acted upon as part of a broader security monitoring effort, proving the system functions as intended to detect and respond to events (fulfilling the intent of tamper-resistant, centralized logging). This aligns with AU-2 by providing assurance the audit trails (logs) are reliable and maintained.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies operates a centralized SIEM capability for tamper-resistant logging of all security events, activities, and changes across the cloud service offering. This is implemented through centralized log management with audit logging, event logging pipelines, tamper-resistant log storage, and capacity monitoring to ensure the SIEM can handle event volume. Drata monitors SIEM health and logging coverage, operational audits validate log integrity, and independent assessments verify that the SIEM provides the centralized visibility required for effective security monitoring.\n### Key Controls\n- [OK] Log Management System (DCF-80)\n- [OK] Logs Centrally Stored (DCF-79)\n- [OK] Operational Audit (DCF-86)\n- [OK] Logging/Monitoring (DCF-87)\n- [OK] Event Logging (DCF-177)\n- [OK] Monitoring Processing Capacity and Usage (DCF-95)\n- [OK] Audit Logging (DCF-406)\n- [OK] Independent Assessment (DCF-165)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:56.454333+00:00",
      "ksi_name": "Operating SIEM Capability",
      "category": "MLA",
      "statement": "Operate a Security Information and Event Management (SIEM) or similar system(s) for centralized, tamper-resistant logging of events, activities, and changes.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/monitoring-logging-and-auditing/",
      "nist_controls": [
        "AC-17.1",
        "AC-20.1",
        "AU-2",
        "AU-3",
        "AU-3.1",
        "AU-4",
        "AU-5",
        "AU-6.1",
        "AU-6.3",
        "AU-7",
        "AU-7.1",
        "AU-8",
        "AU-9",
        "AU-11",
        "IR-4.1",
        "SI-4.2",
        "SI-4.4",
        "SI-7.7"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment operates a centralized SIEM capability for tamper-resistant logging of all security events, activities, and changes across the cloud service offering.",
        "failure_condition": "SIEM not receiving logs, log ingestion pipeline down for more than 4 hours, or failure to maintain tamper-resistant log storage will cause a failure of the test. Additionally, a log management system, centralized log storage, audit logging, event logging pipelines, capacity monitoring, and an independent assessment must be in place to ensure the SIEM capability provides comprehensive and reliable security event visibility."
      },
      "outcome_metrics": [
        {
          "statement": "SIEM is operational with up-to-date rules and no major data gaps",
          "metric_name": "Availability",
          "target_value": "SIEM uptime >= 99.9%; all sources feeding; rules reviewed within 6 months",
          "target_unit": "",
          "frequency": "Monthly",
          "source": "SIEM health dashboard; source connectivity report; rule review log",
          "notes": "SIEM downtime > SLA; source not reporting; rules not reviewed in 6 months"
        }
      ],
      "monitoring": {
        "total_tests": 12,
        "passed": 12,
        "failed": 0,
        "controls_with_monitoring": 5,
        "monitoring_coverage": 55.6,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-MLA-RVL",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:20:00.401084+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-80 (DCF-80)",
          "control_id": "DCF-80",
          "status": "Passing",
          "description": "Drata control status for DCF-80",
          "date": "2026-07-02T13:20:00.401084+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-79 (DCF-79)",
          "control_id": "DCF-79",
          "status": "Passing",
          "description": "Drata control status for DCF-79",
          "date": "2026-07-02T13:20:00.401084+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-87 (DCF-87)",
          "control_id": "DCF-87",
          "status": "Passing",
          "description": "Drata control status for DCF-87",
          "date": "2026-07-02T13:20:00.401084+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-159 (DCF-159)",
          "control_id": "DCF-159",
          "status": "Passing",
          "description": "Drata control status for DCF-159",
          "date": "2026-07-02T13:20:00.401084+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-160 (DCF-160)",
          "control_id": "DCF-160",
          "status": "Passing",
          "description": "Drata control status for DCF-160",
          "date": "2026-07-02T13:20:00.401084+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-177 (DCF-177)",
          "control_id": "DCF-177",
          "status": "Passing",
          "description": "Drata control status for DCF-177",
          "date": "2026-07-02T13:20:00.401084+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-165 (DCF-165)",
          "control_id": "DCF-165",
          "status": "Passing",
          "description": "Drata control status for DCF-165",
          "date": "2026-07-02T13:20:00.401084+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-81 (DCF-81)",
          "control_id": "DCF-81",
          "status": "Passing",
          "description": "Drata control status for DCF-81",
          "date": "2026-07-02T13:20:00.401084+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-82 (DCF-82)",
          "control_id": "DCF-82",
          "status": "Passing",
          "description": "Drata control status for DCF-82",
          "date": "2026-07-02T13:20:00.401084+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-MLA-RVL",
          "control_name": "Custom Automated Check: KSI-MLA-RVL",
          "control_description": "9/9 mapped controls passing; Sustainment Technologies' security policies require persistent review and audit of all security-relevant logs. This is implemented through defined activity review procedures, centralized log storage, automated monitoring and alerting on databases and messaging queues, continuous control monitoring, and integration with the incident response plan for escalation. Drata monitors that log review controls remain active, independent assessments validate review effectiveness, and automated alerting ensures anomalies are detected and investigated promptly.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:20:00.401084+00:00",
          "updated_at": "2026-07-02T13:20:00.401084+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:20:00.401084+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-80 (DCF-80)",
              "description": "Drata control status for DCF-80",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.401084+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.174024+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-79 (DCF-79)",
              "description": "Drata control status for DCF-79",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.401084+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.174031+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-87 (DCF-87)",
              "description": "Drata control status for DCF-87",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.401084+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.174037+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-159 (DCF-159)",
              "description": "Drata control status for DCF-159",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.401084+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.174043+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-160 (DCF-160)",
              "description": "Drata control status for DCF-160",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.401084+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.174049+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-177 (DCF-177)",
              "description": "Drata control status for DCF-177",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.401084+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.174055+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-165 (DCF-165)",
              "description": "Drata control status for DCF-165",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.401084+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.174060+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-81 (DCF-81)",
              "description": "Drata control status for DCF-81",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.401084+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.174066+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-82 (DCF-82)",
              "description": "Drata control status for DCF-82",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.401084+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.174072+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 10,
            "passed": 10,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:45.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              },
              {
                "test_id": 140,
                "name": "Only Authorized Users can Access Log Sinks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of the system that collects and stores server logs and confirmed that it only accepts connections from authorized users.",
                "last_run": "2026-07-01T18:27:22.000Z",
                "test_definition_id": 110,
                "enabled": true
              },
              {
                "test_id": 139,
                "name": "Logs are Centrally Stored",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are centrally stored.",
                "last_run": "2026-07-01T18:27:24.000Z",
                "test_definition_id": 109,
                "enabled": true
              },
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              },
              {
                "test_id": 135,
                "name": "Threat Detection in Place",
                "status": "PASSED",
                "description": "Sustainment Technologies Inc has Threat Detection in place to detect unauthorized file additions within the cloud environment, server instances, and application containers.",
                "last_run": "2026-07-01T18:28:45.000Z",
                "test_definition_id": 105,
                "enabled": true
              },
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              },
              {
                "test_id": 3,
                "name": "Database Read I/O Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that read I/O is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 114,
                "enabled": true
              },
              {
                "test_id": 2,
                "name": "Database Free Storage Space Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that free storage space is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 113,
                "enabled": true
              },
              {
                "test_id": 1,
                "name": "Database CPU Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that server CPU use is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 112,
                "enabled": true
              },
              {
                "test_id": 4,
                "name": "Messaging Queue Message Age Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's messaging queue monitoring configurations and confirmed that message age is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:59.000Z",
                "test_definition_id": 115,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-80",
              "DCF-79",
              "DCF-87",
              "DCF-159",
              "DCF-160",
              "DCF-177",
              "DCF-165",
              "DCF-81",
              "DCF-82"
            ]
          }
        },
        {
          "control_id": "DCF-80",
          "control_name": "Log Management System",
          "control_description": "Sustainment Technologies Inc uses logging software that sends alerts to appropriate personnel. Corrective actions are performed, as necessary, in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.779Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 151,
              "name": "DataDog Security alerts sample",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/151_DataDog Security alerts sample.csv",
              "updated_at": "2026-03-02T15:57:18.424Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.174252+00:00",
                "status": "hashed",
                "sha256": "3a6f138a1019b8d39d01a2e02dc11e84fa1a8b504f306fadf42619746948a934",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/151_DataDog Security alerts sample.csv",
                "filename": "151_DataDog Security alerts sample.csv",
                "size_bytes": 82445,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-80-owner",
              "name": "Assigned Control Owner - Log Management System (DCF-80)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.174339+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-80-monitoring",
              "name": "Continuous Monitoring - Log Management System (DCF-80)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.174345+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 123,
          "explanation": "This Drata control satisfies KSI-MLA-RVL by demonstrating persistent log review through automated alerts triggered by the Log Management System. These alerts notify personnel to investigate events, ensuring timely corrective actions are taken – fulfilling the FedRAMP requirement for ongoing audit and response to log data. The related NIST controls (AU-2, SI-4, AU-6) further validate the system's ability to generate, review, and act upon audit logs.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-79",
          "control_name": "Logs Centrally Stored",
          "control_description": "Sustainment Technologies Inc uses a system that collects and stores server logs in a central location. The system can be queried in an ad hoc fashion by authorized users.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.775Z",
          "updated_at": "2026-06-30T12:57:13.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 13,
              "name": "Logs Centrally Stored",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/13_Logs Centrally Stored.csv",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.174508+00:00",
                "status": "hashed",
                "sha256": "bb85025771956bff33f960b28f614e1447bd02e93a2f0ba842f12abe7e375706",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/13_Logs Centrally Stored.csv",
                "filename": "13_Logs Centrally Stored.csv",
                "size_bytes": 145,
                "modified_at": "2026-07-02T13:17:00+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-79-owner",
              "name": "Assigned Control Owner - Logs Centrally Stored (DCF-79)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-30T12:57:13.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.174537+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-79-monitoring",
              "name": "Continuous Monitoring - Logs Centrally Stored (DCF-79)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-30T12:57:13.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.174544+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 122,
          "explanation": "Drata's \"Logs Centrally Stored\" control satisfies KSI-MLA-RVL by demonstrating the capability to *persistently* collect and retain server logs in a single, accessible location – a foundational element for effective log review and audit. This centralized storage, linked to NIST AU & SI controls, allows authorized personnel to readily *audit* logs for security events and compliance verification, fulfilling the FedRAMP requirement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:24.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 140,
                "name": "Only Authorized Users can Access Log Sinks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of the system that collects and stores server logs and confirmed that it only accepts connections from authorized users.",
                "last_run": "2026-07-01T18:27:22.000Z",
                "test_definition_id": 110,
                "enabled": true
              },
              {
                "test_id": 139,
                "name": "Logs are Centrally Stored",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are centrally stored.",
                "last_run": "2026-07-01T18:27:24.000Z",
                "test_definition_id": 109,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-87",
          "control_name": "Logging/Monitoring",
          "control_description": "Sustainment Technologies Inc has infrastructure logging configured to monitor web traffic and suspicious activity. When anomalous traffic activity is identified, alerts are automatically created, sent to appropriate personnel and resolved, as necessary.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.217Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:21.976Z",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": 161,
              "name": "DCF87 Testing Results History",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/161_DCF87 Testing Results History.png",
              "updated_at": "2026-06-17T22:38:41.159Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.174701+00:00",
                "status": "hashed",
                "sha256": "297e5a03cc7fa8c4f1a971f581eae381efbbf3eb5e9b6ec8f5a4f498073de962",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/161_DCF87 Testing Results History.png",
                "filename": "161_DCF87 Testing Results History.png",
                "size_bytes": 195440,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 160,
              "name": "Silent Log Sources - Crowdstrike",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/160_Silent Log Sources - Crowdstrike.png",
              "updated_at": "2026-06-17T22:10:26.030Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.175004+00:00",
                "status": "hashed",
                "sha256": "4355516d11f210c6981374184d617ae5fe381cdce7b22a19795747db92d14581",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/160_Silent Log Sources - Crowdstrike.png",
                "filename": "160_Silent Log Sources - Crowdstrike.png",
                "size_bytes": 239901,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-87-owner",
              "name": "Assigned Control Owner - Logging/Monitoring (DCF-87)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.175197+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 118,
          "explanation": "This Drata control satisfies KSI-MLA-RVL by demonstrating persistent log review and audit capabilities. The infrastructure logging, coupled with automated alerting and resolution processes for anomalous activity, proves Sustainment Technologies Inc. isn’t just *collecting* logs, but actively *reviewing* them to identify and address potential security incidents – fulfilling the FedRAMP requirement for ongoing monitoring and audit. This aligns with NIST AU-2, focusing on audit event logging and review.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:45.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              },
              {
                "test_id": 135,
                "name": "Threat Detection in Place",
                "status": "PASSED",
                "description": "Sustainment Technologies Inc has Threat Detection in place to detect unauthorized file additions within the cloud environment, server instances, and application containers.",
                "last_run": "2026-07-01T18:28:45.000Z",
                "test_definition_id": 105,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-159",
          "control_name": "Incident Response Plan",
          "control_description": "Sustainment Technologies Inc has an established Incident Response Plan that outlines management responsibilities and procedures to ensure a quick, effective, and orderly response to information security incidents and annual testing.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.576Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-159-evidence",
              "name": "Incident Response Plan (DCF-159)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.175204+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-owner",
              "name": "Assigned Control Owner - Incident Response Plan (DCF-159)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.175210+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-monitoring",
              "name": "Continuous Monitoring - Incident Response Plan (DCF-159)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.175216+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 77,
          "explanation": "The Incident Response Plan (IRP) satisfies KSI-MLA-RVL by detailing procedures for investigating security incidents – which *are* discovered through log review & audit (as the requirement states). The IRP ensures logs are *acted upon* when anomalies are detected, demonstrating persistent review isn't just about collection, but also analysis and response, fulfilling the FedRAMP KSI requirement. NIST SI-4 (Security Incident Handling) directly supports this by outlining the necessary processes for effective incident management.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-160",
          "control_name": "Continuous Control Monitoring",
          "control_description": "Sustainment Technologies Inc conducts continuous monitoring of security controls using Drata, and addresses issues in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.170Z",
          "updated_at": "2025-11-24T13:51:38.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 160,
              "name": "Silent Log Sources - Crowdstrike",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/160_Silent Log Sources - Crowdstrike.png",
              "updated_at": "2026-06-17T22:10:26.030Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.175376+00:00",
                "status": "hashed",
                "sha256": "4355516d11f210c6981374184d617ae5fe381cdce7b22a19795747db92d14581",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/160_Silent Log Sources - Crowdstrike.png",
                "filename": "160_Silent Log Sources - Crowdstrike.png",
                "size_bytes": 239901,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-160-owner",
              "name": "Assigned Control Owner - Continuous Control Monitoring (DCF-160)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.175564+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-160-policy",
              "name": "Policy Documentation - Continuous Control Monitoring (DCF-160)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.175570+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 70,
          "explanation": "Drata's Continuous Control Monitoring directly satisfies KSI-MLA-RVL by automating the persistent review of system logs and security control status. This automated monitoring, mapped to NIST AU-2 & SI-4, provides ongoing audit evidence of log review and flags issues for timely remediation – fulfilling the FedRAMP requirement for consistent log analysis and action. Essentially, Drata *is* the persistent review and audit process.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-177",
          "control_name": "Event Logging",
          "control_description": "Sustainment Technologies Inc has a defined plan for event logging that establishes the required criteria for logs, protection of logged information, and clock synchronization.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:44.114Z",
          "updated_at": "2025-11-24T18:38:50.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": 160,
              "name": "Silent Log Sources - Crowdstrike",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/160_Silent Log Sources - Crowdstrike.png",
              "updated_at": "2026-06-17T22:10:26.030Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.175731+00:00",
                "status": "hashed",
                "sha256": "4355516d11f210c6981374184d617ae5fe381cdce7b22a19795747db92d14581",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/160_Silent Log Sources - Crowdstrike.png",
                "filename": "160_Silent Log Sources - Crowdstrike.png",
                "size_bytes": 239901,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-177-policy",
              "name": "Policy Documentation - Event Logging (DCF-177)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:50.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.175911+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 182,
          "explanation": "Drata's \"Event Logging\" control directly addresses KSI-MLA-RVL by demonstrating a *defined and sustained process* for generating and protecting audit logs – a core component of persistent review and audit. The control’s focus on log criteria, protection, and clock synchronization ensures logs are reliable, accurate, and available for FedRAMP-required security investigations and reporting. This aligns with NIST controls AU-2, SI-4, and AU-6, which all emphasize robust audit logging practices.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-165",
          "control_name": "Independent Assessment",
          "control_description": "Sustainment Technologies Inc has an independent assessment (e.g., internal audit) process to ensure that its information security program is effectively implemented, maintained, and in conformance.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:42.954Z",
          "updated_at": "2025-11-24T13:51:38.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:22.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": 123,
              "name": "SOC 2 Type II Report",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/123_SOC 2 Type II Report.pdf",
              "updated_at": "2026-05-05T19:19:56.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.176069+00:00",
                "status": "hashed",
                "sha256": "80b9c22a7fd79023d195fd5b3cee1556c72f836d49ceef3e42d37a60c00da22e",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/123_SOC 2 Type II Report.pdf",
                "filename": "123_SOC 2 Type II Report.pdf",
                "size_bytes": 564071,
                "modified_at": "2026-07-02T13:17:00+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-165-owner",
              "name": "Assigned Control Owner - Independent Assessment (DCF-165)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.176507+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 176,
          "explanation": "Drata's \"Independent Assessment\" control satisfies KSI-MLA-RVL by demonstrating a recurring, scheduled review of the system’s security implementation – including log monitoring practices – to verify effectiveness. This process inherently involves auditing logs as part of confirming the overall security program's conformance, fulfilling the persistent review and audit requirement of the FedRAMP KSI. The related NIST controls (AU-2, AU-6) specifically address audit logging and review, further solidifying this alignment.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-81",
          "control_name": "Databases Monitored and Alarmed",
          "control_description": "Sustainment Technologies Inc has implemented tools to monitor Sustainment Technologies Inc's databases and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.413Z",
          "updated_at": "2026-05-16T21:24:19.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-81-evidence",
              "name": "Databases Monitored and Alarmed (DCF-81)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.176514+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-81-owner",
              "name": "Assigned Control Owner - Databases Monitored and Alarmed (DCF-81)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.176521+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-81-monitoring",
              "name": "Continuous Monitoring - Databases Monitored and Alarmed (DCF-81)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.176527+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 1,
          "explanation": "This Drata control directly satisfies KSI-MLA-RVL by demonstrating persistent log review and audit capabilities. The database monitoring and alerting system generates records of activity (logs) and proactively notifies personnel of potentially critical events – fulfilling the requirement to *review* logs. Coupled with incident escalation policies, this ensures identified issues are also *audited* and addressed, proving ongoing monitoring isn't just passive collection.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:02.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 3,
                "name": "Database Read I/O Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that read I/O is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 114,
                "enabled": true
              },
              {
                "test_id": 2,
                "name": "Database Free Storage Space Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that free storage space is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 113,
                "enabled": true
              },
              {
                "test_id": 1,
                "name": "Database CPU Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that server CPU use is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 112,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-82",
          "control_name": "Messaging Queues Monitored and Alarmed",
          "control_description": "Sustainment Technologies Inc has implemented tools to monitor Sustainment Technologies Inc's messaging queues and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.418Z",
          "updated_at": "2026-05-16T21:24:19.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-82-owner",
              "name": "Assigned Control Owner - Messaging Queues Monitored and Alarmed (DCF-82)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.176533+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-82-monitoring",
              "name": "Continuous Monitoring - Messaging Queues Monitored and Alarmed (DCF-82)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.176539+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 2,
          "explanation": "This Drata control satisfies KSI-MLA-RVL by demonstrating persistent log review and audit capabilities. Monitoring messaging queues generates logs of system activity, and the alarming/escalation process ensures these logs are *actively* reviewed for security events – fulfilling the requirement to not just collect, but *act* on log data. The link to NIST SI-4 (System Monitoring) further validates this alignment with established security best practices.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:59.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 4,
                "name": "Messaging Queue Message Age Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's messaging queue monitoring configurations and confirmed that message age is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:59.000Z",
                "test_definition_id": 115,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "Sustainment Technologies' security policies require persistent review and audit of all security-relevant logs. This is implemented through defined activity review procedures, centralized log storage, automated monitoring and alerting on databases and messaging queues, continuous control monitoring, and integration with the incident response plan for escalation. Drata monitors that log review controls remain active, independent assessments validate review effectiveness, and automated alerting ensures anomalies are detected and investigated promptly.\n### Key Controls\n- [OK] Log Management System (DCF-80)\n- [OK] Logs Centrally Stored (DCF-79)\n- [OK] Logging/Monitoring (DCF-87)\n- [OK] Incident Response Plan (DCF-159)\n- [OK] Continuous Control Monitoring (DCF-160)\n- [OK] Event Logging (DCF-177)\n- [OK] Independent Assessment (DCF-165)\n- [OK] Databases Monitored and Alarmed (DCF-81)\n- [OK] Messaging Queues Monitored and Alarmed (DCF-82)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:20:00.401084+00:00",
      "ksi_name": "Reviewing Logs",
      "category": "MLA",
      "statement": "Persistently review and audit logs.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/monitoring-logging-and-auditing/",
      "nist_controls": [
        "AC-2.4",
        "AC-6.9",
        "AU-2",
        "AU-6",
        "AU-6.1",
        "SI-4",
        "SI-4.4"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment persistently reviews and audits all security-relevant events through defined activity review procedures, centralized log storage, automated monitoring and alerting, and continuous control monitoring.",
        "failure_condition": "Events not reviewed within 7 days, an alert backlog growing without triage, or failure to maintain activity review procedures will cause a failure of the test. Additionally, a log management system, centralized log storage, logging/monitoring infrastructure, event logging, database and messaging queue monitoring, an incident response plan, and an independent assessment must be in place to ensure event review is consistent and comprehensive."
      },
      "outcome_metrics": [
        {
          "statement": "Logs are reviewed at required cadence by authorized reviewers",
          "metric_name": "Recency",
          "target_value": "Log review completed per schedule; no review overdue by more than 24 hours",
          "target_unit": "",
          "frequency": "Daily / per schedule",
          "source": "Log review records; SIEM triage ticket log",
          "notes": "Log review missed; review ticket unresolved beyond triage SLA"
        }
      ],
      "monitoring": {
        "total_tests": 10,
        "passed": 10,
        "failed": 0,
        "controls_with_monitoring": 6,
        "monitoring_coverage": 60.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-PIY-GIV",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:56.262198+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-18 (DCF-18)",
          "control_id": "DCF-18",
          "status": "Passing",
          "description": "Drata control status for DCF-18",
          "date": "2026-07-02T13:19:56.262198+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-50 (DCF-50)",
          "control_id": "DCF-50",
          "status": "Passing",
          "description": "Drata control status for DCF-50",
          "date": "2026-07-02T13:19:56.262198+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-182 (DCF-182)",
          "control_id": "DCF-182",
          "status": "Passing",
          "description": "Drata control status for DCF-182",
          "date": "2026-07-02T13:19:56.262198+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-20 (DCF-20)",
          "control_id": "DCF-20",
          "status": "Passing",
          "description": "Drata control status for DCF-20",
          "date": "2026-07-02T13:19:56.262198+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-2 (DCF-2)",
          "control_id": "DCF-2",
          "status": "Passing",
          "description": "Drata control status for DCF-2",
          "date": "2026-07-02T13:19:56.262198+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-183 (DCF-183)",
          "control_id": "DCF-183",
          "status": "Passing",
          "description": "Drata control status for DCF-183",
          "date": "2026-07-02T13:19:56.262198+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-102 (DCF-102)",
          "control_id": "DCF-102",
          "status": "Passing",
          "description": "Drata control status for DCF-102",
          "date": "2026-07-02T13:19:56.262198+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-560 (DCF-560)",
          "control_id": "DCF-560",
          "status": "Passing",
          "description": "Drata control status for DCF-560",
          "date": "2026-07-02T13:19:56.262198+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-291 (DCF-291)",
          "control_id": "DCF-291",
          "status": "Passing",
          "description": "Drata control status for DCF-291",
          "date": "2026-07-02T13:19:56.262198+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-PIY-GIV",
          "control_name": "Custom Automated Check: KSI-PIY-GIV",
          "control_description": "9/9 mapped controls passing; Sustainment Technologies' Asset Management Policy requires real-time, automatically generated inventories of all information resources using authoritative sources. This is implemented through maintained asset inventories, anomalous behavior baselines that identify new resources, vulnerability management scanning, anti-virus and malware detection enrollment, and data classification of discovered assets. Drata monitors asset inventory completeness, quarterly vulnerability scans discover unmanaged resources, and least-privileged access policies ensure inventory data is protected from unauthorized modification.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:56.262198+00:00",
          "updated_at": "2026-07-02T13:19:56.262198+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:56.262198+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-18 (DCF-18)",
              "description": "Drata control status for DCF-18",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.262198+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.176547+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-50 (DCF-50)",
              "description": "Drata control status for DCF-50",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.262198+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.176553+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-182 (DCF-182)",
              "description": "Drata control status for DCF-182",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.262198+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.176559+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-20 (DCF-20)",
              "description": "Drata control status for DCF-20",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.262198+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.176566+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-2 (DCF-2)",
              "description": "Drata control status for DCF-2",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.262198+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.176572+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-183 (DCF-183)",
              "description": "Drata control status for DCF-183",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.262198+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.176578+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-102 (DCF-102)",
              "description": "Drata control status for DCF-102",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.262198+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.176584+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-560 (DCF-560)",
              "description": "Drata control status for DCF-560",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.262198+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.176590+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-291 (DCF-291)",
              "description": "Drata control status for DCF-291",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.262198+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.176596+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 5,
            "passed": 5,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 66,
                "name": "Vulnerability Scanning",
                "status": "PASSED",
                "description": "Drata validated that a vulnerability scanning system is connected to Drata.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 21,
                "enabled": true
              },
              {
                "test_id": 133,
                "name": "Malware Detection Software Installed on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices have antimalware software installed.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 64,
                "enabled": true
              },
              {
                "test_id": 81,
                "name": "Least Privilege Policy for Customer Data Access",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's security policies and confirmed that they require that employees may only access the customer data they need in order to complete their jobs.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 3,
                "enabled": true
              },
              {
                "test_id": 42,
                "name": "Data Classification Policy",
                "status": "PASSED",
                "description": "Drata inspected and confirmed that Sustainment Technologies Inc has a Data Classification Policy in order to identify the types of confidential information possessed by the entity and types of protection that were required.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 137,
                "enabled": true
              },
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-18",
              "DCF-50",
              "DCF-182",
              "DCF-20",
              "DCF-2",
              "DCF-183",
              "DCF-102",
              "DCF-560",
              "DCF-291"
            ]
          }
        },
        {
          "control_id": "DCF-18",
          "control_name": "Quarterly Vulnerability Scan",
          "control_description": "Sustainment Technologies Inc engages with a third party to conduct vulnerability scans of the production environment at least quarterly. Results are reviewed by management and high priority findings are tracked to resolution.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.858Z",
          "updated_at": "2026-05-11T12:55:17.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:22.000Z",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": 149,
              "name": "Vulnerability scanning - historical scans.",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/149_Vulnerability scanning - historical scans..zip",
              "updated_at": "2026-03-02T14:54:37.097Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.176767+00:00",
                "status": "hashed",
                "sha256": "1bca3af621b9ac72ecaf5ccb180f7c18cc49f95a24e05a54e8c83a05fa411b37",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/149_Vulnerability scanning - historical scans..zip",
                "filename": "149_Vulnerability scanning - historical scans..zip",
                "size_bytes": 629615,
                "modified_at": "2026-07-02T13:16:59+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 148,
              "name": "Vulnerability Scan Report repository (screenshot)",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/148_Vulnerability Scan Report repository (screenshot).png",
              "updated_at": "2026-03-02T14:51:39.054Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177414+00:00",
                "status": "hashed",
                "sha256": "cbd856d7f75726db39106a98e93d3f94d3574bb28b0bc44483de3aa2a36f063e",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/148_Vulnerability Scan Report repository (screenshot).png",
                "filename": "148_Vulnerability Scan Report repository (screenshot).png",
                "size_bytes": 307470,
                "modified_at": "2026-07-02T13:16:59+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-18-owner",
              "name": "Assigned Control Owner - Quarterly Vulnerability Scan (DCF-18)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-11T12:55:17.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177670+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 46,
          "explanation": "This Drata control partially satisfies KSI-PIY-GIV by providing a recurring, automated technical assessment (vulnerability scan) that helps *identify* information resources currently present in the production environment. While not a full, real-time inventory, the quarterly scans offer a regularly updated snapshot contributing to resource discovery – a key component of maintaining an accurate inventory as required by FedRAMP. The review & remediation process further validates the identified resources and associated risks.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 66,
                "name": "Vulnerability Scanning",
                "status": "PASSED",
                "description": "Drata validated that a vulnerability scanning system is connected to Drata.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 21,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-50",
          "control_name": "Malware Detection Software Installed",
          "control_description": "Sustainment Technologies Inc requires antivirus software to be installed on workstations to protect the network against malware.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.207Z",
          "updated_at": "2026-06-24T20:54:45.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-50-owner",
              "name": "Assigned Control Owner - Malware Detection Software Installed (DCF-50)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-24T20:54:45.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177677+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-50-monitoring",
              "name": "Continuous Monitoring - Malware Detection Software Installed (DCF-50)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-24T20:54:45.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177684+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-50-policy",
              "name": "Policy Documentation - Malware Detection Software Installed (DCF-50)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-06-24T20:54:45.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177690+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 116,
          "explanation": "While seemingly indirect, Malware Detection Software contributes to FedRAMP KSI-PIY-GIV by aiding in identifying *changes* to information resources. Detecting and flagging malicious software often indicates unauthorized or unexpected software installations (a type of information resource), triggering a need for inventory review and ensuring only authorized assets are present. This supports the \"real-time\" aspect of the requirement through continuous monitoring and potential alerts.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 133,
                "name": "Malware Detection Software Installed on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices have antimalware software installed.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 64,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-182",
          "control_name": "Asset Management Policy",
          "control_description": "Sustainment Technologies Inc has a defined policy that establishes requirements for the proper management and tracking of organizational assets.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.174Z",
          "updated_at": "2025-11-24T13:51:40.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-02-04T21:04:30.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-182-owner",
              "name": "Assigned Control Owner - Asset Management Policy (DCF-182)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177697+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-182-policy",
              "name": "Policy Documentation - Asset Management Policy (DCF-182)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177703+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 71,
          "explanation": "Drata's Asset Management Policy satisfies KSI-PIY-GIV by demonstrating a documented process for identifying and tracking \"information resources\" – a core component of a real-time inventory. This policy, linked to NIST CM controls, establishes the *foundation* for automated inventory generation, ensuring STI can reliably identify what assets exist when required for FedRAMP compliance. Essentially, it proves a defined system is *in place* to support ongoing, authoritative asset discovery.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-20",
          "control_name": "Maintains Asset Inventory",
          "control_description": "Sustainment Technologies Inc identifies, inventories, classifies, and assigns owners to IT assets.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.148Z",
          "updated_at": "2025-11-24T13:51:40.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-20-owner",
              "name": "Assigned Control Owner - Maintains Asset Inventory (DCF-20)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177709+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-20-policy",
              "name": "Policy Documentation - Maintains Asset Inventory (DCF-20)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177715+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 65,
          "explanation": "Drata's \"Maintains Asset Inventory\" control directly addresses KSI-PIY-GIV by demonstrating a continuous process for identifying and cataloging all IT assets Ã¢â‚¬â€œ the \"information resources\" required by the FedRAMP KSI. By classifying and assigning ownership, Sustainment Technologies Inc. establishes an authoritative source for generating accurate, real-time inventories as needed for audits or incident response, fulfilling the requirement for automated, on-demand resource visibility.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-2",
          "control_name": "Least-Privileged Policy for Sensitive Data Access",
          "control_description": "Sustainment Technologies Inc authorizes access to information resources, including data and the systems that store or process sensitive data, based on the principle of least privilege.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.139Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-2-monitoring",
              "name": "Continuous Monitoring - Least-Privileged Policy for Sensitive Data Access (DCF-2)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177721+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-2-policy",
              "name": "Policy Documentation - Least-Privileged Policy for Sensitive Data Access (DCF-2)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177727+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 63,
          "explanation": "While seemingly unrelated, the Least-Privileged Policy (KSI-PIY-GIV) *supports* FedRAMP's inventory requirement by ensuring only authorized personnel can access systems and data. This limits the scope of what needs to be inventoried Ã¢â‚¬â€œ only those with legitimate, documented access are considered \"in use\" resources, simplifying accurate, real-time inventory generation. Effectively, controlled access *enables* a more focused and manageable inventory process, aligning with the spirit of automated, authoritative resource discovery.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 81,
                "name": "Least Privilege Policy for Customer Data Access",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's security policies and confirmed that they require that employees may only access the customer data they need in order to complete their jobs.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 3,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-183",
          "control_name": "Vulnerability Management",
          "control_description": "Sustainment Technologies Inc has a defined policy that establishes requirements for vulnerability assessments and reporting.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.542Z",
          "updated_at": "2025-11-24T13:51:39.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:33:48.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-183-owner",
              "name": "Assigned Control Owner - Vulnerability Management (DCF-183)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:39.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177733+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-183-policy",
              "name": "Policy Documentation - Vulnerability Management (DCF-183)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:39.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177739+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 90,
          "explanation": "Vulnerability Management satisfies KSI-PIY-GIV by utilizing automated scanning tools (authoritative sources) to continuously discover and inventory information resources Ã¢â‚¬â€œ including hardware and software Ã¢â‚¬â€œ across the system. This real-time discovery feeds into vulnerability assessments, providing an up-to-date inventory *when needed* for security monitoring and incident response, fulfilling the KSI requirement. The related NIST CM-8 control reinforces configuration management, essential for maintaining accurate inventory data.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-102",
          "control_name": "Data Classification",
          "control_description": "Sustainment Technologies Inc has established a data classification policy in order to identify the types of confidential information possessed by the entity and types of protection that are required.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.943Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-102-owner",
              "name": "Assigned Control Owner - Data Classification (DCF-102)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177746+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-102-monitoring",
              "name": "Continuous Monitoring - Data Classification (DCF-102)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177752+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-102-policy",
              "name": "Policy Documentation - Data Classification (DCF-102)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177757+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 29,
          "explanation": "Data Classification (KSI-PIY-GIV) satisfies the FedRAMP KSI requirement by establishing the *types* of information resources (data) the system possesses. This classification, when integrated with automated discovery tools (implied by \"real-time inventories\"), allows for the automatic identification and tagging of those resources, fulfilling the need for authoritative, ongoing inventory generation. Essentially, knowing *what* data exists is the first step to knowing *all* data exists, as required by the KSI.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 42,
                "name": "Data Classification Policy",
                "status": "PASSED",
                "description": "Drata inspected and confirmed that Sustainment Technologies Inc has a Data Classification Policy in order to identify the types of confidential information possessed by the entity and types of protection that were required.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 137,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-560",
          "control_name": "Baselines for Detecting Anomalous Behavior",
          "control_description": "Sustainment Technologies Inc has established baselines for normal behavior of networks, systems, and applications for the detection of anomalies.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:11.087Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-560-evidence",
              "name": "Baselines for Detecting Anomalous Behavior (DCF-560)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177764+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-560-monitoring",
              "name": "Continuous Monitoring - Baselines for Detecting Anomalous Behavior (DCF-560)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177770+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 584,
          "explanation": "This Drata control satisfies KSI-PIY-GIV by establishing a continuous monitoring capability. By defining \"normal\" behavior (baselines), the system can identify deviations Ã¢â‚¬â€œ effectively creating a real-time inventory of *changes* to information resources, which signals what isnÃ¢â‚¬â„¢t in the expected, authoritative state. This anomaly detection acts as an automated process to pinpoint resources needing investigation and thus fulfill the requirement for on-demand inventorying.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-291",
          "control_name": "Anti-Virus Capability",
          "control_description": "An anti-malware solution is deployed on all system components, except for those system components identified through periodic risk assessments that concludes the system components are not at risk from malware.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:46.112Z",
          "updated_at": "2026-06-24T20:54:45.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-291-monitoring",
              "name": "Continuous Monitoring - Anti-Virus Capability (DCF-291)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-24T20:54:45.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177777+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-291-policy",
              "name": "Policy Documentation - Anti-Virus Capability (DCF-291)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-06-24T20:54:45.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177783+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 201,
          "explanation": "Drata's Anti-Virus Capability satisfies KSI-PIY-GIV by providing continuous monitoring of system components Ã¢â‚¬â€œ effectively creating a real-time inventory of *protected* information resources. Detecting malware (or lack thereof via risk assessment exceptions) confirms the status and presence of these resources, fulfilling the requirement for automatically generated inventories when needed, as outlined in CM-8. This demonstrates awareness of what's actively being secured within the system.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 133,
                "name": "Malware Detection Software Installed on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices have  antimalware software installed.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 64,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "Sustainment Technologies' Asset Management Policy requires real-time, automatically generated inventories of all information resources using authoritative sources. This is implemented through maintained asset inventories, anomalous behavior baselines that identify new resources, vulnerability management scanning, anti-virus and malware detection enrollment, and data classification of discovered assets. Drata monitors asset inventory completeness, quarterly vulnerability scans discover unmanaged resources, and least-privileged access policies ensure inventory data is protected from unauthorized modification.\n### Key Controls\n- [OK] Quarterly Vulnerability Scan (DCF-18)\n- [OK] Malware Detection Software Installed (DCF-50)\n- [OK] Asset Management Policy (DCF-182)\n- [OK] Maintains Asset Inventory (DCF-20)\n- [OK] Least-Privileged Policy for Sensitive Data Access (DCF-2)\n- [OK] Vulnerability Management (DCF-183)\n- [OK] Data Classification (DCF-102)\n- [OK] Baselines for Detecting Anomalous Behavior (DCF-560)\n- [OK] Anti-Virus Capability (DCF-291)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:56.262198+00:00",
      "ksi_name": "Generating Inventories",
      "category": "PIY",
      "statement": "Use authoritative sources to automatically generate real-time inventories of all information resources when needed.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/policy-and-inventory/",
      "nist_controls": [
        "CM-2.2",
        "CM-7.5",
        "CM-8",
        "CM-8.1",
        "CM-12",
        "CM-12.1",
        "CP-2.8"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment maintains real-time, automatically generated inventories of all information resources within the AWS environment using authoritative sources and anomalous behavior detection.",
        "failure_condition": "Asset inventory not automatically generated, manual inventory more than 30 days stale, or failure to detect new unauthorized resources will cause a failure of the test. Additionally, an asset management policy, vulnerability management, data classification, malware detection, quarterly vulnerability scans, least-privileged access for sensitive data, and anomalous behavior baselines must be in place to ensure inventories are current and comprehensive."
      },
      "outcome_metrics": [
        {
          "statement": "Asset inventory is complete, accurate, and updated within required freshness window",
          "metric_name": "Coverage",
          "target_value": "100% of in-scope assets in inventory; inventory refreshed within 7 days",
          "target_unit": "",
          "frequency": "Weekly",
          "source": "Asset inventory system; Drata asset checks; cloud asset discovery",
          "notes": "Asset not in inventory; inventory stale > 7 days"
        }
      ],
      "monitoring": {
        "total_tests": 6,
        "passed": 6,
        "failed": 0,
        "controls_with_monitoring": 6,
        "monitoring_coverage": 60.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-PIY-RES",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:59.422661+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "Drata Control DCF-142: Quarterly Review of Privacy Compliance",
          "control_id": "DCF-142",
          "status": "Passing",
          "description": "Executive management quarterly compliance review tracked in Drata",
          "date": "2026-07-02T13:19:59.422635+00:00"
        }
      ],
      "notes": "Sustainment Technologies demonstrates persistent executive support for security objectives through quarterly privacy compliance reviews and documented executive sponsorship. This is validated through automated checks that verify executive engagement artifacts are current, and Drata tracks the quarterly review of privacy compliance to confirm ongoing executive involvement in security governance.\n### Key Controls\n- [OK] Quarterly Review of Privacy Compliance (DCF-142)\n- [OK] Risk Assessment Policy (DCF-15)\n- [OK] Information Security Policy (DCF-13)\n- [OK] Defined Management Roles & Responsibilities (DCF-42)\n- [OK] Security Team/Steering Committee (DCF-34)",
      "implementation_details": {
        "method": "drata-control",
        "tools": [
          "Drata Compliance Platform"
        ],
        "responsible_party": "Executive Management",
        "review_frequency": "quarterly"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:59.422661+00:00",
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-PIY-RES",
          "control_name": "Custom Automated Check: KSI-PIY-RES",
          "control_description": "Executive support review validated through DCF-142 (Quarterly Review of Privacy Compliance)",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:59.422661+00:00",
          "updated_at": "2026-07-02T13:19:59.422661+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:59.422661+00:00",
          "requirements_updated_at": "",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": null,
              "name": "Drata Control DCF-142: Quarterly Review of Privacy Compliance",
              "description": "Executive management quarterly compliance review tracked in Drata",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.422635+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177790+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 100,
                "name": "Risk Assessment Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Risk Assessment Policy and confirmed that it specifies risk tolerances and the process for evaluating risks based on identified threats and specified tolerances.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 18,
                "enabled": true
              },
              {
                "test_id": 82,
                "name": "Information Security Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Information Security Policy and confirmed that it covers policies and procedures to support the functioning of internal control.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 16,
                "enabled": true
              },
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-142",
              "DCF-15",
              "DCF-13",
              "DCF-42",
              "DCF-34"
            ]
          }
        },
        {
          "control_id": "DCF-142",
          "drata_control_id": 163,
          "control_name": "Quarterly Review of Privacy Compliance",
          "control_description": "Executive management meets on a quarterly basis to review compliance with privacy practices and privacy regulations.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "explanation": "This Drata control directly satisfies KSI-PIY-RES by demonstrating persistent executive-level review of security and privacy compliance. The quarterly executive management meetings to review compliance practices provide concrete evidence of ongoing executive support for achieving the organization's security objectives â€“ fulfilling the FedRAMP requirement for continuous monitoring of leadership engagement. This aligns with SOC 2 P8.1 requirements for monitoring compliance and reporting results to management, showing that executive review is institutionalized and recurring rather than ad-hoc.",
          "frameworks": [
            "SOC_2"
          ],
          "created_at": "2023-03-21T16:42:42.046Z",
          "updated_at": "2025-11-20T21:23:00.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2024-05-07T23:18:50.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": 157,
              "name": "Quarterly Review of Privacy Compliance - Jira Log",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/157_Quarterly Review of Privacy Compliance - Jira Log.pdf",
              "updated_at": "2026-05-11T16:06:04.655Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.177961+00:00",
                "status": "hashed",
                "sha256": "ee38ee3e457f8174b1088b9a512092d09fe15623e5f4183f66c625f5cdd23105",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/157_Quarterly Review of Privacy Compliance - Jira Log.pdf",
                "filename": "157_Quarterly Review of Privacy Compliance - Jira Log.pdf",
                "size_bytes": 114241,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-142-policy",
              "name": "Policy Documentation - Quarterly Review of Privacy Compliance (DCF-142)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-20T21:23:00.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178084+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-15",
          "drata_control_id": 86,
          "control_name": "Risk Assessment Policy",
          "control_description": "Sustainment Technologies Inc has defined a formal risk management process that specifies risk tolerances and the process for evaluating risks based on identified threats and the specified tolerances.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "explanation": "",
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.142Z",
          "updated_at": "2025-12-03T18:49:50.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-15-monitoring",
              "name": "Continuous Monitoring - Risk Assessment Policy (DCF-15)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-12-03T18:49:50.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178092+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-15-policy",
              "name": "Policy Documentation - Risk Assessment Policy (DCF-15)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-12-03T18:49:50.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178098+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 100,
                "name": "Risk Assessment Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Risk Assessment Policy and confirmed that it specifies risk tolerances and the process for evaluating risks based on identified threats and specified tolerances.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 18,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-13",
          "drata_control_id": 64,
          "control_name": "Information Security Policy",
          "control_description": "Sustainment Technologies Inc has a defined Information Security Policy that covers policies and procedures to support the functioning of internal control.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "explanation": "",
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.144Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:39.174Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-13-owner",
              "name": "Assigned Control Owner - Information Security Policy (DCF-13)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178104+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-13-monitoring",
              "name": "Continuous Monitoring - Information Security Policy (DCF-13)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178110+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-13-policy",
              "name": "Policy Documentation - Information Security Policy (DCF-13)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178128+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 82,
                "name": "Information Security Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Information Security Policy and confirmed that it covers policies and procedures to support the functioning of internal control.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 16,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-42",
          "drata_control_id": 51,
          "control_name": "Defined Management Roles & Responsibilities",
          "control_description": "Management has established defined roles and responsibilities to oversee implementation of the information security policy across the organization.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "explanation": "",
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.898Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:36.912Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-42-owner",
              "name": "Assigned Control Owner - Defined Management Roles & Responsibilities (DCF-42)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178135+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-42-policy",
              "name": "Policy Documentation - Defined Management Roles & Responsibilities (DCF-42)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178141+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-34",
          "drata_control_id": 49,
          "control_name": "Security Team/Steering Committee",
          "control_description": "Sustainment Technologies Inc has an assigned security team that is responsible for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "explanation": "",
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.883Z",
          "updated_at": "2026-05-16T21:24:18.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:40.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-34-owner",
              "name": "Assigned Control Owner - Security Team/Steering Committee (DCF-34)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178147+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-monitoring",
              "name": "Continuous Monitoring - Security Team/Steering Committee (DCF-34)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178153+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-policy",
              "name": "Policy Documentation - Security Team/Steering Committee (DCF-34)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178159+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:18.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "ksi_name": "Reviewing Executive Support",
      "category": "PIY",
      "statement": "Persistently review executive support for achieving the organization's security objectives.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/policy-and-inventory/",
      "nist_controls": [],
      "failure_conditions": {
        "conditional_check": "Sustainment demonstrates persistent executive support for security objectives through quarterly privacy compliance reviews, documented executive sponsorship, and defined management roles and responsibilities.",
        "failure_condition": "Executive security review not conducted within 12 months, quarterly privacy compliance reviews lapsed, or failure to maintain defined management roles and responsibilities will cause a failure of the test. Additionally, an information security policy, a security steering committee, a risk assessment policy, and documented executive engagement artifacts must be in place to ensure executive support for security objectives is active and sustained."
      },
      "monitoring": {
        "total_tests": 3,
        "passed": 3,
        "failed": 0,
        "controls_with_monitoring": 3,
        "monitoring_coverage": 50.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-PIY-RIS",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:20:00.016572+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-86 (DCF-86)",
          "control_id": "DCF-86",
          "status": "Passing",
          "description": "Drata control status for DCF-86",
          "date": "2026-07-02T13:20:00.016572+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-18 (DCF-18)",
          "control_id": "DCF-18",
          "status": "Passing",
          "description": "Drata control status for DCF-18",
          "date": "2026-07-02T13:20:00.016572+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-71 (DCF-71)",
          "control_id": "DCF-71",
          "status": "Passing",
          "description": "Drata control status for DCF-71",
          "date": "2026-07-02T13:20:00.016572+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-10 (DCF-10)",
          "control_id": "DCF-10",
          "status": "Passing",
          "description": "Drata control status for DCF-10",
          "date": "2026-07-02T13:20:00.016572+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-31 (DCF-31)",
          "control_id": "DCF-31",
          "status": "Passing",
          "description": "Drata control status for DCF-31",
          "date": "2026-07-02T13:20:00.016572+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-11 (DCF-11)",
          "control_id": "DCF-11",
          "status": "Passing",
          "description": "Drata control status for DCF-11",
          "date": "2026-07-02T13:20:00.016572+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-59 (DCF-59)",
          "control_id": "DCF-59",
          "status": "Passing",
          "description": "Drata control status for DCF-59",
          "date": "2026-07-02T13:20:00.016572+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-165 (DCF-165)",
          "control_id": "DCF-165",
          "status": "Passing",
          "description": "Drata control status for DCF-165",
          "date": "2026-07-02T13:20:00.016572+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-183 (DCF-183)",
          "control_id": "DCF-183",
          "status": "Passing",
          "description": "Drata control status for DCF-183",
          "date": "2026-07-02T13:20:00.016572+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-PIY-RIS",
          "control_name": "Custom Automated Check: KSI-PIY-RIS",
          "control_description": "9/9 mapped controls passing; Sustainment Technologies' security policies require persistent review of the organization's investments in achieving security objectives. This is implemented through independent assessments, SDLC investments in security tooling, vulnerability management programs, access control systems, and operational audits that measure security program effectiveness. Drata monitors control compliance across these investments, quarterly vulnerability scans validate that tools are producing results, and the role-based security program ensures investments are appropriately allocated to risk areas.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:20:00.016572+00:00",
          "updated_at": "2026-07-02T13:20:00.016572+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:20:00.016572+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-86 (DCF-86)",
              "description": "Drata control status for DCF-86",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.016572+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178166+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-18 (DCF-18)",
              "description": "Drata control status for DCF-18",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.016572+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178172+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-71 (DCF-71)",
              "description": "Drata control status for DCF-71",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.016572+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178178+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-10 (DCF-10)",
              "description": "Drata control status for DCF-10",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.016572+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178184+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-31 (DCF-31)",
              "description": "Drata control status for DCF-31",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.016572+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178190+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-11 (DCF-11)",
              "description": "Drata control status for DCF-11",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.016572+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178196+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-59 (DCF-59)",
              "description": "Drata control status for DCF-59",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.016572+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178202+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-165 (DCF-165)",
              "description": "Drata control status for DCF-165",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.016572+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178207+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-183 (DCF-183)",
              "description": "Drata control status for DCF-183",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.016572+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178213+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 12,
            "passed": 12,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:02.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 7,
                "name": "Infrastructure Instance CPU Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's server monitoring and alerting configurations and confirmed that server CPU use is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:42.000Z",
                "test_definition_id": 118,
                "enabled": true
              },
              {
                "test_id": 6,
                "name": "NoSQL Cluster Storage Utilization Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's NoSQL cluster monitoring and alerting configurations and confirmed that storage utilization is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:50.000Z",
                "test_definition_id": 117,
                "enabled": true
              },
              {
                "test_id": 4,
                "name": "Messaging Queue Message Age Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's messaging queue monitoring configurations and confirmed that message age is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:59.000Z",
                "test_definition_id": 115,
                "enabled": true
              },
              {
                "test_id": 3,
                "name": "Database Read I/O Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that read I/O is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 114,
                "enabled": true
              },
              {
                "test_id": 2,
                "name": "Database Free Storage Space Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that free storage space is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 113,
                "enabled": true
              },
              {
                "test_id": 1,
                "name": "Database CPU Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that server CPU use is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 112,
                "enabled": true
              },
              {
                "test_id": 66,
                "name": "Vulnerability Scanning",
                "status": "PASSED",
                "description": "Drata validated that a vulnerability scanning system is connected to Drata.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 21,
                "enabled": true
              },
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              },
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              },
              {
                "test_id": 146,
                "name": "Has a SDLC Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed it has a Software Development Life Cycle Policy in place.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 36,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-86",
              "DCF-18",
              "DCF-71",
              "DCF-10",
              "DCF-31",
              "DCF-11",
              "DCF-59",
              "DCF-165",
              "DCF-183"
            ]
          }
        },
        {
          "control_id": "DCF-86",
          "control_name": "Operational Audit",
          "control_description": "Sustainment Technologies Inc's cloud infrastructure is monitored through an operational audit system that sends alerts to appropriate personnel",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.431Z",
          "updated_at": "2026-05-16T21:24:18.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:22.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-86-evidence",
              "name": "Operational Audit (DCF-86)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178219+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-86-owner",
              "name": "Assigned Control Owner - Operational Audit (DCF-86)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178225+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-86-monitoring",
              "name": "Continuous Monitoring - Operational Audit (DCF-86)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178231+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 5,
          "explanation": "Drata's Operational Audit control directly addresses KSI-PIY-RIS by providing continuous monitoring of system activity, demonstrating persistent review of security investment effectiveness. The alerts generated by the audit system signal whether security controls are functioning as intended – a key indicator of achieving stated security objectives – and trigger necessary action, fulfilling the requirement for ongoing assessment. This aligns with NIST CA-2 (Audit Review, Analysis, and Reporting) which emphasizes regular review of audit logs for security issues.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 6,
            "passed": 6,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:02.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 7,
                "name": "Infrastructure Instance CPU Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's server monitoring and alerting configurations and confirmed that server CPU use is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:42.000Z",
                "test_definition_id": 118,
                "enabled": true
              },
              {
                "test_id": 6,
                "name": "NoSQL Cluster Storage Utilization Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's NoSQL cluster monitoring and alerting configurations and confirmed that storage utilization is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:50.000Z",
                "test_definition_id": 117,
                "enabled": true
              },
              {
                "test_id": 4,
                "name": "Messaging Queue Message Age Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's messaging queue monitoring configurations and confirmed that message age is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:59.000Z",
                "test_definition_id": 115,
                "enabled": true
              },
              {
                "test_id": 3,
                "name": "Database Read I/O Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that read I/O is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 114,
                "enabled": true
              },
              {
                "test_id": 2,
                "name": "Database Free Storage Space Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that free storage space is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 113,
                "enabled": true
              },
              {
                "test_id": 1,
                "name": "Database CPU Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that server CPU use is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 112,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-18",
          "control_name": "Quarterly Vulnerability Scan",
          "control_description": "Sustainment Technologies Inc engages with third-party to conduct vulnerability scans of the production environment at least quarterly. Results are reviewed by management and high priority findings are tracked to resolution.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.858Z",
          "updated_at": "2026-05-11T12:55:17.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:22.000Z",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": 149,
              "name": "Vulnerability scanning - historical scans.",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/149_Vulnerability scanning - historical scans..zip",
              "updated_at": "2026-03-02T14:54:37.097Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.178397+00:00",
                "status": "hashed",
                "sha256": "1bca3af621b9ac72ecaf5ccb180f7c18cc49f95a24e05a54e8c83a05fa411b37",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/149_Vulnerability scanning - historical scans..zip",
                "filename": "149_Vulnerability scanning - historical scans..zip",
                "size_bytes": 629615,
                "modified_at": "2026-07-02T13:16:59+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 148,
              "name": "Vulnerability Scan Report repository (screenshot)",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/148_Vulnerability Scan Report repository (screenshot).png",
              "updated_at": "2026-03-02T14:51:39.054Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.179024+00:00",
                "status": "hashed",
                "sha256": "cbd856d7f75726db39106a98e93d3f94d3574bb28b0bc44483de3aa2a36f063e",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/148_Vulnerability Scan Report repository (screenshot).png",
                "filename": "148_Vulnerability Scan Report repository (screenshot).png",
                "size_bytes": 307470,
                "modified_at": "2026-07-02T13:16:59+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-18-owner",
              "name": "Assigned Control Owner - Quarterly Vulnerability Scan (DCF-18)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-11T12:55:17.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.179269+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 46,
          "explanation": "This Drata control satisfies KSI-PIY-RIS by demonstrating ongoing assessment of security posture – vulnerability scans identify weaknesses (risks) in the production environment. The quarterly cadence *and* management review/remediation tracking prove a persistent process to evaluate if security investments (scanning & fixes) are effectively reducing those risks and achieving stated security objectives, fulfilling the FedRAMP requirement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 66,
                "name": "Vulnerability Scanning",
                "status": "PASSED",
                "description": "Drata validated that a vulnerability scanning system is connected to Drata.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 21,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-71",
          "control_name": "Unique Accounts Used",
          "control_description": "Access to corporate network, production machines, network devices, and support tools requires a unique ID.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.769Z",
          "updated_at": "2026-06-15T13:35:37.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-71-evidence",
              "name": "Unique Accounts Used (DCF-71)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.179276+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-owner",
              "name": "Assigned Control Owner - Unique Accounts Used (DCF-71)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.179283+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-monitoring",
              "name": "Continuous Monitoring - Unique Accounts Used (DCF-71)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.179289+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 98,
          "explanation": "The \"Unique Accounts Used\" control helps satisfy KSI-PIY-RIS by demonstrating a foundational security practice – accountability. By requiring unique IDs for access, the organization can more effectively monitor and audit activity, allowing for persistent review of whether access controls (a security investment) are functioning as intended and achieving the objective of protecting systems and data – a key component of FedRAMP's ongoing risk management.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-10",
          "control_name": "System Access Control Policy",
          "control_description": "Sustainment Technologies Inc has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and employee transfers.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.531Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-10-evidence",
              "name": "System Access Control Policy (DCF-10)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.179296+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-owner",
              "name": "Assigned Control Owner - System Access Control Policy (DCF-10)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.179302+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-monitoring",
              "name": "Continuous Monitoring - System Access Control Policy (DCF-10)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.179308+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 88,
          "explanation": "The System Access Control Policy directly addresses KSI-PIY-RIS by demonstrating a *persistent review* of security investments – specifically, access controls – through annual reviews as outlined in AC-5. These reviews ensure continued alignment with security objectives and validate that access remains appropriate, proving ongoing effectiveness of a key security control. Essentially, regularly checking *who* has access is a concrete way to verify the value of security spending.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-31",
          "control_name": "Software Development Life Cycle Policy",
          "control_description": "Sustainment Technologies Inc has developed policies and procedures governing the system development life cycle, including documented policies for tracking, testing, approving, and validating changes.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.156Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:31:00.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-31-owner",
              "name": "Assigned Control Owner - Software Development Life Cycle Policy (DCF-31)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.179314+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-31-monitoring",
              "name": "Continuous Monitoring - Software Development Life Cycle Policy (DCF-31)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.179320+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-31-policy",
              "name": "Policy Documentation - Software Development Life Cycle Policy (DCF-31)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.179326+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 129,
          "explanation": "The Software Development Life Cycle (SDLC) Policy directly addresses KSI-PIY-RIS by demonstrating a *process* for consistently reviewing and validating security within system changes – effectively measuring the ongoing effectiveness of security investments. Tracking, testing, and approving changes (as outlined in the policy) provides evidence of persistent review and ensures security objectives aren't eroded during system evolution, aligning with the FedRAMP requirement for continuous security assessment. This ties back to NIST SA-3 (System and Services Acquisition) which focuses on incorporating security into the development lifecycle.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 146,
                "name": "Has a SDLC Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed it has a Software Development Life Cycle Policy in place.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 36,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-11",
          "control_name": "Annual Access Control Review",
          "control_description": "Sustainment Technologies Inc performs annual access control reviews.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.537Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 150,
              "name": "User Access Review",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/150_User Access Review.xlsx",
              "updated_at": "2026-03-02T15:28:18.965Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.179496+00:00",
                "status": "hashed",
                "sha256": "a83b78e92bd554ebc59378b2f58c3b86c8dfac37b561ea9ddea944b69ab811d9",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/150_User Access Review.xlsx",
                "filename": "150_User Access Review.xlsx",
                "size_bytes": 115456,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-11-owner",
              "name": "Assigned Control Owner - Annual Access Control Review (DCF-11)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.179605+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-11-policy",
              "name": "Policy Documentation - Annual Access Control Review (DCF-11)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.179611+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 89,
          "explanation": "The Annual Access Control Review directly addresses KSI-PIY-RIS by demonstrating ongoing assessment of a *key* security investment – access controls. Regularly reviewing who has access to what (via AC-5) proves STI is persistently evaluating whether those controls are *effectively* limiting risk and supporting stated security objectives, fulfilling the FedRAMP requirement for reviewing investment effectiveness.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-59",
          "control_name": "Role-Based Security Implementation",
          "control_description": "Role-based security is in place for internal and external users, including super admin users.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.904Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-59-evidence",
              "name": "Role-Based Security Implementation (DCF-59)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.179618+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-59-owner",
              "name": "Assigned Control Owner - Role-Based Security Implementation (DCF-59)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.179624+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-59-policy",
              "name": "Policy Documentation - Role-Based Security Implementation (DCF-59)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.179630+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 21,
          "explanation": "Drata's Role-Based Security Implementation satisfies KSI-PIY-RIS by demonstrating ongoing, practical application of security investments. By restricting access based on defined roles (AC-5), the organization actively *shows* it's managing risk and ensuring security controls are effective for different user groups – a key component of persistently reviewing security objective achievement. This isn’t just *planning* for security, but *doing* security aligned with defined needs.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-165",
          "control_name": "Independent Assessment",
          "control_description": "Sustainment Technologies Inc has an independent assessment (e.g., internal audit) process to ensure that its information security program is effectively implemented, maintained, and in conformance.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:42.954Z",
          "updated_at": "2025-11-24T13:51:38.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:22.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": 123,
              "name": "SOC 2 Type II Report",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/123_SOC 2 Type II Report.pdf",
              "updated_at": "2026-05-05T19:19:56.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.179788+00:00",
                "status": "hashed",
                "sha256": "80b9c22a7fd79023d195fd5b3cee1556c72f836d49ceef3e42d37a60c00da22e",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/123_SOC 2 Type II Report.pdf",
                "filename": "123_SOC 2 Type II Report.pdf",
                "size_bytes": 564071,
                "modified_at": "2026-07-02T13:17:00+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-165-owner",
              "name": "Assigned Control Owner - Independent Assessment (DCF-165)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180211+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 176,
          "explanation": "This Drata control directly addresses KSI-PIY-RIS by demonstrating ongoing verification that security investments are *actually working*. The \"Independent Assessment\" provides objective evidence – through audit – that Sustainment Technologies Inc.’s security program isn’t just *in place*, but is *effectively* achieving its stated security objectives, fulfilling the persistent review requirement of the KSI. This aligns with NIST CA-2 which covers audit planning and reporting.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-183",
          "control_name": "Vulnerability Management",
          "control_description": "Sustainment Technologies Inc has a defined policy that establishes requirements for vulnerability assessments and reporting.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.542Z",
          "updated_at": "2025-11-24T13:51:39.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:33:48.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-183-owner",
              "name": "Assigned Control Owner - Vulnerability Management (DCF-183)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:39.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180219+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-183-policy",
              "name": "Policy Documentation - Vulnerability Management (DCF-183)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:39.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180225+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 90,
          "explanation": "Vulnerability Management directly addresses KSI-PIY-RIS by demonstrating ongoing assessment of security investments – identifying weaknesses (vulnerabilities) reveals where current security efforts *aren't* fully effective. Regularly scanning for and remediating vulnerabilities proves a persistent review process is in place to ensure security objectives are being met and investments are yielding positive results, aligning with the FedRAMP requirement for continuous improvement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' security policies require persistent review of the organization's investments in achieving security objectives. This is implemented through independent assessments, SDLC investments in security tooling, vulnerability management programs, access control systems, and operational audits that measure security program effectiveness. Drata monitors control compliance across these investments, quarterly vulnerability scans validate that tools are producing results, and the role-based security program ensures investments are appropriately allocated to risk areas.\n### Key Controls\n- [OK] Operational Audit (DCF-86)\n- [OK] Quarterly Vulnerability Scan (DCF-18)\n- [OK] Unique Accounts Used (DCF-71)\n- [OK] System Access Control Policy (DCF-10)\n- [OK] Software Development Life Cycle Policy (DCF-31)\n- [OK] Annual Access Control Review (DCF-11)\n- [OK] Role-Based Security Implementation (DCF-59)\n- [OK] Independent Assessment (DCF-165)\n- [OK] Vulnerability Management (DCF-183)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:20:00.016572+00:00",
      "ksi_name": "Reviewing Investments in Security",
      "category": "PIY",
      "statement": "Persistently review the effectiveness of the organization's investments in achieving security objectives.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/policy-and-inventory/",
      "nist_controls": [
        "AC-5",
        "CA-2",
        "CP-2.1",
        "CP-4.1",
        "IR-3.2",
        "PM-3",
        "SA-2",
        "SA-3",
        "SR-2.1"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment persistently reviews the organization's security posture through annual security reviews, independent assessments, vulnerability management programs, SDLC security tooling, and operational audits.",
        "failure_condition": "Annual security review not conducted within 12 months or failure to conduct independent assessments will cause a failure of the test. Additionally, quarterly vulnerability scans, an SDLC policy, access control systems, role-based security implementation, annual access reviews, and a vulnerability management program must be in place to ensure the security program is adequate and effective."
      },
      "outcome_metrics": [
        {
          "statement": "Security investments are reviewed and aligned to risk priorities annually",
          "metric_name": "Completion",
          "target_value": "Annual security investment review completed; risk-to-investment mapping documented",
          "target_unit": "",
          "frequency": "Annually",
          "source": "Security budget review; risk register alignment document",
          "notes": "Security review not completed annually or investment gaps not documented"
        }
      ],
      "monitoring": {
        "total_tests": 12,
        "passed": 12,
        "failed": 0,
        "controls_with_monitoring": 5,
        "monitoring_coverage": 50.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-PIY-RSD",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:58.946660+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-110 (DCF-110)",
          "control_id": "DCF-110",
          "status": "Passing",
          "description": "Drata control status for DCF-110",
          "date": "2026-07-02T13:19:58.946660+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-31 (DCF-31)",
          "control_id": "DCF-31",
          "status": "Passing",
          "description": "Drata control status for DCF-31",
          "date": "2026-07-02T13:19:58.946660+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-71 (DCF-71)",
          "control_id": "DCF-71",
          "status": "Passing",
          "description": "Drata control status for DCF-71",
          "date": "2026-07-02T13:19:58.946660+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-11 (DCF-11)",
          "control_id": "DCF-11",
          "status": "Passing",
          "description": "Drata control status for DCF-11",
          "date": "2026-07-02T13:19:58.946660+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-10 (DCF-10)",
          "control_id": "DCF-10",
          "status": "Passing",
          "description": "Drata control status for DCF-10",
          "date": "2026-07-02T13:19:58.946660+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-5 (DCF-5)",
          "control_id": "DCF-5",
          "status": "Passing",
          "description": "Drata control status for DCF-5",
          "date": "2026-07-02T13:19:58.946660+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-6 (DCF-6)",
          "control_id": "DCF-6",
          "status": "Passing",
          "description": "Drata control status for DCF-6",
          "date": "2026-07-02T13:19:58.946660+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-155 (DCF-155)",
          "control_id": "DCF-155",
          "status": "Passing",
          "description": "Drata control status for DCF-155",
          "date": "2026-07-02T13:19:58.946660+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-4 (DCF-4)",
          "control_id": "DCF-4",
          "status": "Passing",
          "description": "Drata control status for DCF-4",
          "date": "2026-07-02T13:19:58.946660+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-PIY-RSD",
          "control_name": "Custom Automated Check: KSI-PIY-RSD",
          "control_description": "9/9 mapped controls passing; Sustainment Technologies' SDLC Policy requires security and privacy considerations to be built into every phase of the software development lifecycle, aligned with CISA Secure By Design principles. This is implemented through mandatory code reviews, automated code testing, production code change restrictions, version control requirements, application input validation, and least-privileged access to development environments. Drata continuously monitors that code review and testing controls are active, unique accounts are enforced for all development activity, and annual access reviews validate that SDLC security controls remain effective.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:58.946660+00:00",
          "updated_at": "2026-07-02T13:19:58.946660+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:58.946660+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-110 (DCF-110)",
              "description": "Drata control status for DCF-110",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.946660+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180233+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-31 (DCF-31)",
              "description": "Drata control status for DCF-31",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.946660+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180239+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-71 (DCF-71)",
              "description": "Drata control status for DCF-71",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.946660+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180245+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-11 (DCF-11)",
              "description": "Drata control status for DCF-11",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.946660+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180251+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-10 (DCF-10)",
              "description": "Drata control status for DCF-10",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.946660+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180256+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-5 (DCF-5)",
              "description": "Drata control status for DCF-5",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.946660+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180262+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-6 (DCF-6)",
              "description": "Drata control status for DCF-6",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.946660+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180268+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-155 (DCF-155)",
              "description": "Drata control status for DCF-155",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.946660+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180274+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-4 (DCF-4)",
              "description": "Drata control status for DCF-4",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.946660+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180280+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 10,
            "passed": 10,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:29:54.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 146,
                "name": "Has a SDLC Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed it has a Software Development Life Cycle Policy in place.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 36,
                "enabled": true
              },
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              },
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              },
              {
                "test_id": 137,
                "name": "Formal Code Review Process",
                "status": "PASSED",
                "description": "Drata validated configurations for the version control system repositories and confirmed code reviews are enforced via branch restrictions.",
                "last_run": "2026-07-01T18:29:19.000Z",
                "test_definition_id": 8,
                "enabled": true
              },
              {
                "test_id": 144,
                "name": "Production Code Changes Restricted",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's version control tool and confirmed that only authorized personnel push or make changes to production code.",
                "last_run": "2026-07-01T18:29:54.000Z",
                "test_definition_id": 9,
                "enabled": true
              },
              {
                "test_id": 106,
                "name": "Only Authorized Employees Change Code",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed that approved employees can make changes to the code on a branch to which they have approval.",
                "last_run": "2026-07-01T18:29:19.000Z",
                "test_definition_id": 7,
                "enabled": true
              },
              {
                "test_id": 105,
                "name": "Only Authorized Employees Access Version Control",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed that the users of the tool were all authenticated to the company's account.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 6,
                "enabled": true
              },
              {
                "test_id": 104,
                "name": "A Version Control System is being Used",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed it is being used",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 5,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-110",
              "DCF-31",
              "DCF-71",
              "DCF-11",
              "DCF-10",
              "DCF-5",
              "DCF-6",
              "DCF-155",
              "DCF-4"
            ]
          }
        },
        {
          "control_id": "DCF-110",
          "control_name": "Application Edits",
          "control_description": "Sustainment Technologies Inc's application edits limit input to acceptable value ranges",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:42.081Z",
          "updated_at": "2026-04-30T18:13:26.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-110-evidence",
              "name": "Application Edits (DCF-110)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-30T18:13:26.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180286+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-110-owner",
              "name": "Assigned Control Owner - Application Edits (DCF-110)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-30T18:13:26.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180292+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 164,
          "explanation": "Drata’s \"Application Edits\" control directly addresses KSI-PIY-RSD by demonstrating a proactive security practice *within* the SDLC – specifically, input validation. By limiting acceptable input ranges, Sustainment Technologies Inc. is building in a security consideration (preventing injection attacks & data integrity issues) from the start, aligning with CISA's Secure By Design principles and proving persistent review of security throughout development. This ties to NIST SI-10 (Information Input Validation) as a foundational technical implementation.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-31",
          "control_name": "Software Development Life Cycle Policy",
          "control_description": "Sustainment Technologies Inc has developed policies and procedures governing the system development life cycle, including documented policies for tracking, testing, approving, and validating changes.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.156Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:31:00.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-31-owner",
              "name": "Assigned Control Owner - Software Development Life Cycle Policy (DCF-31)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180299+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-31-monitoring",
              "name": "Continuous Monitoring - Software Development Life Cycle Policy (DCF-31)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180305+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-31-policy",
              "name": "Policy Documentation - Software Development Life Cycle Policy (DCF-31)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180310+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 129,
          "explanation": "This Drata control satisfies KSI-PIY-RSD by demonstrating a formalized Software Development Lifecycle (SDLC) with documented processes for change management – crucial for *integrating* security and privacy considerations throughout development. The policy & procedures for tracking, testing, and approving changes directly address the requirement for *persistently reviewing* the effectiveness of security within the SDLC, aligning with CISA's Secure By Design principles through consistent validation. Essentially, it proves STI isn't just *planning* for security, but *actively building* it in.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 146,
                "name": "Has a SDLC Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed it has a Software Development Life Cycle Policy in place.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 36,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-71",
          "control_name": "Unique Accounts Used",
          "control_description": "Access to corporate network, production machines, network devices, and support tools requires a unique ID.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.769Z",
          "updated_at": "2026-06-15T13:35:37.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-71-evidence",
              "name": "Unique Accounts Used (DCF-71)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180317+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-owner",
              "name": "Assigned Control Owner - Unique Accounts Used (DCF-71)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180323+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-71-monitoring",
              "name": "Continuous Monitoring - Unique Accounts Used (DCF-71)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-15T13:35:37.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180328+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 98,
          "explanation": "The \"Unique Accounts Used\" control directly supports KSI-PIY-RSD by bolstering secure development practices. Requiring unique IDs for all system access minimizes the blast radius of compromised credentials, a key \"Secure By Design\" principle – preventing a single breach from escalating through the SDLC. This aligns with persistent review of security *within* the lifecycle by enforcing least privilege and accountability from the start.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 116,
                "name": "Employees have Unique Infrastructure Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its infrastructure provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 98,
                "enabled": true
              },
              {
                "test_id": 115,
                "name": "Employees have Unique Version Control Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its version control provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 97,
                "enabled": true
              },
              {
                "test_id": 114,
                "name": "Employees have Unique Email Accounts",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of its email provider and confirmed that employees have unique accounts on the service.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 96,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-11",
          "control_name": "Annual Access Control Review",
          "control_description": "Sustainment Technologies Inc performs annual access control reviews.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.537Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 150,
              "name": "User Access Review",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/150_User Access Review.xlsx",
              "updated_at": "2026-03-02T15:28:18.965Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180567+00:00",
                "status": "hashed",
                "sha256": "a83b78e92bd554ebc59378b2f58c3b86c8dfac37b561ea9ddea944b69ab811d9",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/150_User Access Review.xlsx",
                "filename": "150_User Access Review.xlsx",
                "size_bytes": 115456,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-11-owner",
              "name": "Assigned Control Owner - Annual Access Control Review (DCF-11)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180680+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-11-policy",
              "name": "Policy Documentation - Annual Access Control Review (DCF-11)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180686+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 89,
          "explanation": "Drata's \"Annual Access Control Review\" satisfies KSI-PIY-RSD by demonstrating a consistent, periodic review of a *critical* security control (access) *within* the SDLC. Regularly verifying who has access to systems and data ensures security & privacy are built-in, aligning with CISA's Secure By Design by proactively identifying and mitigating potential vulnerabilities stemming from inappropriate permissions – a key aspect of secure development.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-10",
          "control_name": "System Access Control Policy",
          "control_description": "Sustainment Technologies Inc has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and employee transfers.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.531Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-10-evidence",
              "name": "System Access Control Policy (DCF-10)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180693+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-owner",
              "name": "Assigned Control Owner - System Access Control Policy (DCF-10)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180699+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-monitoring",
              "name": "Continuous Monitoring - System Access Control Policy (DCF-10)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180705+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 88,
          "explanation": "The System Access Control Policy directly supports KSI-PIY-RSD by demonstrating a persistent review of security considerations *within* the SDLC – specifically, how access (a key security control) is managed throughout an employee's lifecycle (hire to transfer). Annual reviews and formalized request processes ensure access aligns with the principle of least privilege and ongoing security assessment, key tenets of CISA Secure By Design.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-5",
          "control_name": "Code Review Process",
          "control_description": "When Sustainment Technologies Inc's application code changes, code reviews and tests are performed by someone other than the person who made the code change.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.355Z",
          "updated_at": "2026-06-29T13:23:58.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:31:00.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-5-owner",
              "name": "Assigned Control Owner - Code Review Process (DCF-5)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-29T13:23:58.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180712+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-5-monitoring",
              "name": "Continuous Monitoring - Code Review Process (DCF-5)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-29T13:23:58.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180718+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-5-policy",
              "name": "Policy Documentation - Code Review Process (DCF-5)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-06-29T13:23:58.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180724+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 120,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:29:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 137,
                "name": "Formal Code Review Process",
                "status": "PASSED",
                "description": "Drata validated configurations for the version control system repositories and confirmed code reviews are enforced via branch restrictions.",
                "last_run": "2026-07-01T18:29:19.000Z",
                "test_definition_id": 8,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-6",
          "control_name": "Production Code Changes Restricted",
          "control_description": "Only authorized Sustainment Technologies Inc personnel can push or make changes to production code.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.147Z",
          "updated_at": "2026-06-22T12:35:43.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-6-evidence",
              "name": "Production Code Changes Restricted (DCF-6)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:43.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180730+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-6-owner",
              "name": "Assigned Control Owner - Production Code Changes Restricted (DCF-6)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:43.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180736+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-6-monitoring",
              "name": "Continuous Monitoring - Production Code Changes Restricted (DCF-6)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:43.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180742+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 127,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:29:54.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 144,
                "name": "Production Code Changes Restricted",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's version control tool and confirmed that only authorized personnel push or make changes to production code.",
                "last_run": "2026-07-01T18:29:54.000Z",
                "test_definition_id": 9,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-155",
          "control_name": "Code Changes are Tested",
          "control_description": "Sustainment Technologies Inc ensures that code changes are tested prior to deployment to ensure quality and security.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.161Z",
          "updated_at": "2026-06-29T13:23:58.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-155-evidence",
              "name": "Code Changes are Tested (DCF-155)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-29T13:23:58.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180749+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-155-monitoring",
              "name": "Continuous Monitoring - Code Changes are Tested (DCF-155)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-29T13:23:58.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180755+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-155-policy",
              "name": "Policy Documentation - Code Changes are Tested (DCF-155)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-06-29T13:23:58.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180761+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 130,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:29:54.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 144,
                "name": "Production Code Changes Restricted",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's version control tool and confirmed that only authorized personnel push or make changes to production code.",
                "last_run": "2026-07-01T18:29:54.000Z",
                "test_definition_id": 9,
                "enabled": true
              },
              {
                "test_id": 137,
                "name": "Formal Code Review Process",
                "status": "PASSED",
                "description": "Drata validated configurations for the version control system repositories and confirmed code reviews are enforced via branch restrictions.",
                "last_run": "2026-07-01T18:29:19.000Z",
                "test_definition_id": 8,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-4",
          "control_name": "Version Control System",
          "control_description": "Sustainment Technologies Inc uses a version control system to manage source code, documentation, release labeling, and other change management tasks. Access to the system must be approved by a system admin.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.731Z",
          "updated_at": "2026-06-22T12:35:26.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-4-evidence",
              "name": "Version Control System (DCF-4)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:26.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180767+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-4-owner",
              "name": "Assigned Control Owner - Version Control System (DCF-4)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:26.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180774+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-4-monitoring",
              "name": "Continuous Monitoring - Version Control System (DCF-4)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:26.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180779+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 92,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:29:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 106,
                "name": "Only Authorized Employees Change Code",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed that approved employees can make changes to the code on a branch to which they have approval.",
                "last_run": "2026-07-01T18:29:19.000Z",
                "test_definition_id": 7,
                "enabled": true
              },
              {
                "test_id": 105,
                "name": "Only Authorized Employees Access Version Control",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed that the users of the tool were all authenticated to the company's account.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 6,
                "enabled": true
              },
              {
                "test_id": 104,
                "name": "A Version Control System is being Used",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's version control system and confirmed it is being used",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 5,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "Sustainment Technologies' SDLC Policy requires security and privacy considerations to be built into every phase of the software development lifecycle, aligned with CISA Secure By Design principles. This is implemented through mandatory code reviews, automated code testing, production code change restrictions, version control requirements, application input validation, and least-privileged access to development environments. Drata continuously monitors that code review and testing controls are active, unique accounts are enforced for all development activity, and annual access reviews validate that SDLC security controls remain effective.\n### Key Controls\n- [OK] Application Edits (DCF-110)\n- [OK] Software Development Life Cycle Policy (DCF-31)\n- [OK] Unique Accounts Used (DCF-71)\n- [OK] Annual Access Control Review (DCF-11)\n- [OK] System Access Control Policy (DCF-10)\n- [OK] Code Review Process (DCF-5)\n- [OK] Production Code Changes Restricted (DCF-6)\n- [OK] Code Changes are Tested (DCF-155)\n- [OK] Version Control System (DCF-4)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:58.946660+00:00",
      "ksi_name": "Reviewing Security in the SDLC",
      "category": "PIY",
      "statement": "Persistently review the effectiveness of building security and privacy considerations into the Software Development Lifecycle and aligning with CISA Secure By Design principles.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/policy-and-inventory/",
      "nist_controls": [
        "AC-5",
        "AU-3.3",
        "CM-3.4",
        "PL-8",
        "PM-7",
        "SA-3",
        "SA-8",
        "SC-4",
        "SC-18",
        "SI-10",
        "SI-11",
        "SI-16"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment builds security and privacy considerations into every phase of the software development lifecycle through mandatory code reviews, automated testing, production code change restrictions, and version control.",
        "failure_condition": "SDLC security review not conducted for new releases, Secure By Design principles not followed, or code deployed without passing review and testing will cause a failure of the test. Additionally, an SDLC policy, code review process, production code change restrictions, automated code testing, version control, unique account usage, and annual access reviews must be in place to ensure security is embedded throughout the development lifecycle."
      },
      "outcome_metrics": [
        {
          "statement": "Security is integrated at all SDLC phases with documented reviews",
          "metric_name": "Completion",
          "target_value": "100% of releases pass security review gate; SDLC security checklist complete",
          "target_unit": "",
          "frequency": "Per release",
          "source": "SDLC security review records; CI/CD security gate results",
          "notes": "Release without security review gate; open critical findings at release"
        }
      ],
      "monitoring": {
        "total_tests": 12,
        "passed": 12,
        "failed": 0,
        "controls_with_monitoring": 7,
        "monitoring_coverage": 70.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-PIY-RVD",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:54.445960+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "Drata Control DCF-8: Disclosure Process for Customers",
          "control_id": "DCF-8",
          "status": "Passing",
          "description": "External vulnerability disclosure process implementing RA-5(11) Public Disclosure Program",
          "date": "2026-07-02T13:19:54.445934+00:00"
        }
      ],
      "notes": "Sustainment Technologies maintains a vulnerability disclosure program with a documented process for customers and external researchers to report security issues. This is implemented through a public disclosure process and validated by automated checks that confirm the program remains accessible and operational. Drata monitors the disclosure process control to ensure the program meets its defined response commitments.\n### Key Controls\n- [OK] Security Issues are Prioritized (DCF-23)\n- [OK] Vulnerability Management (DCF-183)\n- [OK] SLA for Security Bugs (DCF-24)\n- [OK] Disclosure Process for Customers (DCF-8)\n- [OK] Employee Disclosure Process (DCF-9)\n- [OK] Quarterly Vulnerability Scan (DCF-18)",
      "implementation_details": {
        "method": "drata-control",
        "tools": [
          "Drata Compliance Platform",
          "Vulnerability Disclosure Platform"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "quarterly"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:54.445960+00:00",
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-PIY-RVD",
          "control_name": "Custom Automated Check: KSI-PIY-RVD",
          "control_description": "Vulnerability disclosure program effectiveness validated through DCF-8 (Disclosure Process for Customers) which implements RA-5(11) Public Disclosure Program",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:54.445960+00:00",
          "updated_at": "2026-07-02T13:19:54.445960+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:54.445960+00:00",
          "requirements_updated_at": "",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": null,
              "name": "Drata Control DCF-8: Disclosure Process for Customers",
              "description": "External vulnerability disclosure process implementing RA-5(11) Public Disclosure Program",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.445934+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180786+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 5,
            "passed": 5,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:35.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 138,
                "name": "Security Issues are Prioritized",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's task tracking system and confirmed that security issues are being tagged and prioritized accordingly.",
                "last_run": "2026-07-01T18:27:35.000Z",
                "test_definition_id": 26,
                "enabled": true
              },
              {
                "test_id": 93,
                "name": "SLA for Security Bugs",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's procedure settings in Drata and determined that an SLA for P0 security bugs was set.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 27,
                "enabled": true
              },
              {
                "test_id": 92,
                "name": "Contact Information Available to Customers",
                "status": "PASSED",
                "description": "Sustainment Technologies Inc has provided a URL to their customer-accessible support documentation where support contact information is readily available. Drata also confirmed that users are encouraged to contact appropriate Sustainment Technologies Inc personnel if they become aware of items such as operational or security failures, incidents, system problems, concerns, or other issues/complaints.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 11,
                "enabled": true
              },
              {
                "test_id": 86,
                "name": "Process for Responsible Disclosure",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they detail a process for employees to report security, confidentiality, integrity, and availability failures, incidents, and concerns.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 12,
                "enabled": true
              },
              {
                "test_id": 66,
                "name": "Vulnerability Scanning",
                "status": "PASSED",
                "description": "Drata validated that a vulnerability scanning system is connected to Drata.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 21,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-23",
              "DCF-183",
              "DCF-24",
              "DCF-8",
              "DCF-9",
              "DCF-18"
            ]
          }
        },
        {
          "control_id": "DCF-23",
          "drata_control_id": 121,
          "control_name": "Security Issues are Prioritized",
          "control_description": "Sustainment Technologies Inc tracks and prioritizes security deficiencies through internal tools according to their severity by an independent technical resource.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "explanation": "",
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.770Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:34.445Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-23-owner",
              "name": "Assigned Control Owner - Security Issues are Prioritized (DCF-23)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180793+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-23-monitoring",
              "name": "Continuous Monitoring - Security Issues are Prioritized (DCF-23)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180798+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-23-policy",
              "name": "Policy Documentation - Security Issues are Prioritized (DCF-23)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180804+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:35.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 138,
                "name": "Security Issues are Prioritized",
                "status": "PASSED",
                "description": "Inspected Sustainment Technologies Inc's task tracking system and confirmed that security issues are being tagged and prioritized accordingly.",
                "last_run": "2026-07-01T18:27:35.000Z",
                "test_definition_id": 26,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-183",
          "drata_control_id": 90,
          "control_name": "Vulnerability Management",
          "control_description": "Sustainment Technologies Inc has a defined policy that establishes requirements for vulnerability assessments and reporting.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "explanation": "",
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.542Z",
          "updated_at": "2025-11-24T13:51:39.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:33:48.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-183-owner",
              "name": "Assigned Control Owner - Vulnerability Management (DCF-183)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:39.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180810+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-183-policy",
              "name": "Policy Documentation - Vulnerability Management (DCF-183)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:39.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180816+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-24",
          "drata_control_id": 79,
          "control_name": "SLA for Security Bugs",
          "control_description": "Sustainment Technologies Inc tracks security deficiencies through internal tools and closes them within an SLA that management has pre-specified.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "explanation": "",
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.994Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:33:48.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-24-owner",
              "name": "Assigned Control Owner - SLA for Security Bugs (DCF-24)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180822+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-24-monitoring",
              "name": "Continuous Monitoring - SLA for Security Bugs (DCF-24)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180828+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-24-policy",
              "name": "Policy Documentation - SLA for Security Bugs (DCF-24)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180834+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 93,
                "name": "SLA for Security Bugs",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's procedure settings in Drata and determined that an SLA for P0 security bugs was set.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 27,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-8",
          "drata_control_id": 78,
          "control_name": "Disclosure Process for Customers",
          "control_description": "Sustainment Technologies Inc provides a process to external users for reporting security, confidentiality, integrity, and availability failures, incidents, concerns, and other complaints.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "explanation": "This Drata control directly satisfies KSI-PIY-RVD by establishing and maintaining an external-facing vulnerability disclosure process aligned with RA-5(11) Public Disclosure Program requirements. By providing a channel for external users to report security vulnerabilities and incidents, the organization demonstrates persistent review and operation of its vulnerability disclosure program â€“ a key mechanism for identifying and addressing security issues through coordinated disclosure. This control ensures that vulnerability reports are received, tracked, and addressed, fulfilling the FedRAMP requirement for maintaining an effective vulnerability disclosure program.",
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.989Z",
          "updated_at": "2026-05-16T21:24:18.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-8-monitoring",
              "name": "Continuous Monitoring - Disclosure Process for Customers (DCF-8)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180840+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-8-policy",
              "name": "Policy Documentation - Disclosure Process for Customers (DCF-8)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.180846+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:18.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 92,
                "name": "Contact Information Available to Customers",
                "status": "PASSED",
                "description": "Sustainment Technologies Inc has provided a URL to their customer-accessible support documentation where support contact information is readily available. Drata also confirmed that users are encouraged to contact appropriate Sustainment Technologies Inc personnel if they become aware of items such as operational or security failures, incidents, system problems, concerns, or other issues/complaints.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 11,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-9",
          "drata_control_id": 72,
          "control_name": "Employee Disclosure Process",
          "control_description": "Sustainment Technologies Inc provides a process to employees for reporting security, confidentiality, integrity, and availability features, incidents, and concerns, and other complaints to company management.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "explanation": "",
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.552Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:39.886Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 12,
              "name": "Responsible Disclosure Policy",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/12_Responsible Disclosure Policy.pdf",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.181011+00:00",
                "status": "hashed",
                "sha256": "b6489e47f58841ad1ce45e8778355f9c7fb94b51d728f831e0d27edebb7f9f91",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/12_Responsible Disclosure Policy.pdf",
                "filename": "12_Responsible Disclosure Policy.pdf",
                "size_bytes": 126853,
                "modified_at": "2026-07-02T13:17:01+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-9-owner",
              "name": "Assigned Control Owner - Employee Disclosure Process (DCF-9)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.181148+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-9-monitoring",
              "name": "Continuous Monitoring - Employee Disclosure Process (DCF-9)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.181158+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 86,
                "name": "Process for Responsible Disclosure",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they detail a process for employees to report security, confidentiality, integrity, and availability failures, incidents, and concerns.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 12,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-18",
          "drata_control_id": 46,
          "control_name": "Quarterly Vulnerability Scan",
          "control_description": "Sustainment Technologies Inc engages with third-party to conduct vulnerability scans of the production environment at least quarterly. Results are reviewed by management and high priority findings are tracked to resolution.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "explanation": "",
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.858Z",
          "updated_at": "2026-05-11T12:55:17.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:22.000Z",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": 149,
              "name": "Vulnerability scanning - historical scans.",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/149_Vulnerability scanning - historical scans..zip",
              "updated_at": "2026-03-02T14:54:37.097Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.181326+00:00",
                "status": "hashed",
                "sha256": "1bca3af621b9ac72ecaf5ccb180f7c18cc49f95a24e05a54e8c83a05fa411b37",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/149_Vulnerability scanning - historical scans..zip",
                "filename": "149_Vulnerability scanning - historical scans..zip",
                "size_bytes": 629615,
                "modified_at": "2026-07-02T13:16:59+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 148,
              "name": "Vulnerability Scan Report repository (screenshot)",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/148_Vulnerability Scan Report repository (screenshot).png",
              "updated_at": "2026-03-02T14:51:39.054Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182013+00:00",
                "status": "hashed",
                "sha256": "cbd856d7f75726db39106a98e93d3f94d3574bb28b0bc44483de3aa2a36f063e",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/148_Vulnerability Scan Report repository (screenshot).png",
                "filename": "148_Vulnerability Scan Report repository (screenshot).png",
                "size_bytes": 307470,
                "modified_at": "2026-07-02T13:16:59+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-18-owner",
              "name": "Assigned Control Owner - Quarterly Vulnerability Scan (DCF-18)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-11T12:55:17.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182288+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 66,
                "name": "Vulnerability Scanning",
                "status": "PASSED",
                "description": "Drata validated that a vulnerability scanning system is connected to Drata.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 21,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "ksi_name": "Reviewing Vulnerability Disclosures",
      "category": "PIY",
      "statement": "Persistently review the effectiveness of the provider's vulnerability disclosure program.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/policy-and-inventory/",
      "nist_controls": [
        "RA-5.11"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment maintains a vulnerability disclosure program with a documented process for customers and external researchers to report security issues, backed by prioritized remediation and defined SLAs.",
        "failure_condition": "A vulnerability disclosure not triaged within 48 hours, public disclosure without a response, or failure to maintain the disclosure process will cause a failure of the test. Additionally, a customer disclosure process, employee disclosure process, vulnerability management program, quarterly vulnerability scans, prioritized security issue remediation, and SLAs for security bug resolution must be in place to ensure disclosures are handled promptly and transparently."
      },
      "outcome_metrics": [
        {
          "statement": "Vulnerability disclosure policy is published and responses are tracked",
          "metric_name": "Recency",
          "target_value": "VDP published and accessible; all submissions acknowledged within 5 business days",
          "target_unit": "",
          "frequency": "Monthly",
          "source": "VDP publication; disclosure submission tracker",
          "notes": "Submission not acknowledged within 5 business days; VDP not publicly accessible"
        }
      ],
      "monitoring": {
        "total_tests": 5,
        "passed": 5,
        "failed": 0,
        "controls_with_monitoring": 5,
        "monitoring_coverage": 71.4,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-RPL-ABO",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:55.515043+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-25 (DCF-25)",
          "control_id": "DCF-25",
          "status": "Passing",
          "description": "Drata control status for DCF-25",
          "date": "2026-07-02T13:19:55.515043+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-169 (DCF-169)",
          "control_id": "DCF-169",
          "status": "Passing",
          "description": "Drata control status for DCF-169",
          "date": "2026-07-02T13:19:55.515043+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-77 (DCF-77)",
          "control_id": "DCF-77",
          "status": "Passing",
          "description": "Drata control status for DCF-77",
          "date": "2026-07-02T13:19:55.515043+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-181 (DCF-181)",
          "control_id": "DCF-181",
          "status": "Passing",
          "description": "Drata control status for DCF-181",
          "date": "2026-07-02T13:19:55.515043+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-53 (DCF-53)",
          "control_id": "DCF-53",
          "status": "Passing",
          "description": "Drata control status for DCF-53",
          "date": "2026-07-02T13:19:55.515043+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-13 (DCF-13)",
          "control_id": "DCF-13",
          "status": "Passing",
          "description": "Drata control status for DCF-13",
          "date": "2026-07-02T13:19:55.515043+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-101 (DCF-101)",
          "control_id": "DCF-101",
          "status": "Passing",
          "description": "Drata control status for DCF-101",
          "date": "2026-07-02T13:19:55.515043+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-100 (DCF-100)",
          "control_id": "DCF-100",
          "status": "Passing",
          "description": "Drata control status for DCF-100",
          "date": "2026-07-02T13:19:55.515043+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-171 (DCF-171)",
          "control_id": "DCF-171",
          "status": "Passing",
          "description": "Drata control status for DCF-171",
          "date": "2026-07-02T13:19:55.515043+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-RPL-ABO",
          "control_name": "Custom Automated Check: KSI-RPL-ABO",
          "control_description": "9/9 mapped controls passing; Sustainment Technologies' Backup Policy and Information Security Policy require that backups of all machine-based information resources are aligned with defined recovery objectives. This is implemented through daily database backups, backup integrity verification, encrypted backup storage (including offline media), defined data retention policies, and a disaster recovery plan that specifies RPO/RTO targets. Drata monitors backup execution and encryption compliance, while documented operating procedures ensure backup operations consistently meet the recovery objectives defined in the disaster recovery plan.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:55.515043+00:00",
          "updated_at": "2026-07-02T13:19:55.515043+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:55.515043+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-25 (DCF-25)",
              "description": "Drata control status for DCF-25",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.515043+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182298+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-169 (DCF-169)",
              "description": "Drata control status for DCF-169",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.515043+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182305+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-77 (DCF-77)",
              "description": "Drata control status for DCF-77",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.515043+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182312+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-181 (DCF-181)",
              "description": "Drata control status for DCF-181",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.515043+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182318+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-53 (DCF-53)",
              "description": "Drata control status for DCF-53",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.515043+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182325+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-13 (DCF-13)",
              "description": "Drata control status for DCF-13",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.515043+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182331+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-101 (DCF-101)",
              "description": "Drata control status for DCF-101",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.515043+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182338+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-100 (DCF-100)",
              "description": "Drata control status for DCF-100",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.515043+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182344+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-171 (DCF-171)",
              "description": "Drata control status for DCF-171",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.515043+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182350+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 7,
            "passed": 7,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:41.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 12,
                "name": "Disaster Recovery Plan",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Disaster Recovery Plan and confirmed that it outlines roles and responsibilities and detailed procedures for recovery of systems.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 28,
                "enabled": true
              },
              {
                "test_id": 20,
                "name": "Has a Backup Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Backup Policy and confirmed it specified how often backups should be taken and for how long they should be retained.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 106,
                "enabled": true
              },
              {
                "test_id": 16,
                "name": "Database Backups",
                "status": "PASSED",
                "description": "Drata validated database backup configurations from the cloud infrastructure provider and confirmed database backups are performed at least daily.",
                "last_run": "2026-07-01T18:27:41.000Z",
                "test_definition_id": 107,
                "enabled": true
              },
              {
                "test_id": 119,
                "name": "Security Policies Cover Encryption",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they explain the procedures for encrypting sensitive data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 127,
                "enabled": true
              },
              {
                "test_id": 85,
                "name": "Cryptography Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's cryptography policies and confirmed that they list resources that employees may access to ensure they understand the procedures and their responsibilities.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 67,
                "enabled": true
              },
              {
                "test_id": 82,
                "name": "Information Security Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Information Security Policy and confirmed that it covers policies and procedures to support the functioning of internal control.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 16,
                "enabled": true
              },
              {
                "test_id": 41,
                "name": "Data Retention Policy",
                "status": "PASSED",
                "description": "Drata inspected and confirmed that Sustainment Technologies Inc has a data retention period specified for customer data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 136,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-25",
              "DCF-169",
              "DCF-77",
              "DCF-181",
              "DCF-53",
              "DCF-13",
              "DCF-101",
              "DCF-100",
              "DCF-171"
            ]
          }
        },
        {
          "control_id": "DCF-25",
          "control_name": "Disaster Recovery Plan",
          "control_description": "Sustainment Technologies Inc has an established Disaster Recovery Plan that outlines roles and responsibilities and detailed procedures for recovery of systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.870Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-25-owner",
              "name": "Assigned Control Owner - Disaster Recovery Plan (DCF-25)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182358+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-25-monitoring",
              "name": "Continuous Monitoring - Disaster Recovery Plan (DCF-25)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182365+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-25-policy",
              "name": "Policy Documentation - Disaster Recovery Plan (DCF-25)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182372+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 10,
          "explanation": "The Disaster Recovery Plan directly addresses KSI-RPL-ABO by detailing *how* systems will be recovered – aligning backups with defined recovery objectives (RTO/RPO) as outlined in the plan. Regularly reviewing and maintaining this plan (implied through \"established\" and related NIST controls like CP-10 - Contingency Planning) demonstrates persistent review of backup alignment with those objectives, fulfilling the FedRAMP KSI requirement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 12,
                "name": "Disaster Recovery Plan",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Disaster Recovery Plan and confirmed that it outlines roles and responsibilities and detailed procedures for recovery of systems.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 28,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-169",
          "control_name": "Backup Policy",
          "control_description": "Sustainment Technologies Inc has a defined backup policy that establishes the requirements for backup information, software and systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.900Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-169-owner",
              "name": "Assigned Control Owner - Backup Policy (DCF-169)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182379+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-169-monitoring",
              "name": "Continuous Monitoring - Backup Policy (DCF-169)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182385+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-169-policy",
              "name": "Policy Documentation - Backup Policy (DCF-169)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182392+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 16,
          "explanation": "The Drata \"Backup Policy\" control satisfies KSI-RPL-ABO by demonstrating a documented process for regularly reviewing backups against established recovery objectives – ensuring backups *are* actually usable when needed. This aligns with FedRAMP's need for persistent monitoring of backup effectiveness, not just existence, as evidenced by the related NIST controls focused on configuration and contingency planning. Essentially, the policy proves STI actively validates backups support defined recovery time/data objectives.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 20,
                "name": "Has a Backup Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Backup Policy and confirmed it specified how often backups should be taken and for how long they should be retained.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 106,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-77",
          "control_name": "Daily Database Backups",
          "control_description": "Sustainment Technologies Inc performs backups daily and retains them in accordance with a predefined schedule in the Backup Policy.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.886Z",
          "updated_at": "2026-05-16T21:24:19.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-77-owner",
              "name": "Assigned Control Owner - Daily Database Backups (DCF-77)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182399+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-77-monitoring",
              "name": "Continuous Monitoring - Daily Database Backups (DCF-77)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182405+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-77-policy",
              "name": "Policy Documentation - Daily Database Backups (DCF-77)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182412+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 13,
          "explanation": "This Drata control satisfies KSI-RPL-ABO by demonstrating a *persistent* review of backup alignment with recovery objectives – daily backups ensure data is consistently captured. The predefined retention schedule (detailed in the Backup Policy) confirms backups are maintained *in accordance with* established recovery time/point objectives, fulfilling the requirement for aligned backups. Essentially, it proves backups aren't just *taken*, but managed to support reliable recovery.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:41.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 16,
                "name": "Database Backups",
                "status": "PASSED",
                "description": "Drata validated database backup configurations from the cloud infrastructure provider and confirmed database backups are performed at least daily.",
                "last_run": "2026-07-01T18:27:41.000Z",
                "test_definition_id": 107,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-181",
          "control_name": "Encryption Policy",
          "control_description": "Sustainment Technologies Inc has a defined policy that establishes requirements for the use of cryptographic controls.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.777Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-181-owner",
              "name": "Assigned Control Owner - Encryption Policy (DCF-181)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182418+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-181-monitoring",
              "name": "Continuous Monitoring - Encryption Policy (DCF-181)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182425+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-181-policy",
              "name": "Policy Documentation - Encryption Policy (DCF-181)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182431+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 100,
          "explanation": "While seemingly indirect, the Encryption Policy (and related CP-9) supports KSI-RPL-ABO by ensuring backups themselves are protected. Protecting backup data *with encryption* is a critical component of a successful recovery – if backups are compromised, recovery objectives can't be met. Therefore, a strong encryption policy demonstrably contributes to the integrity and availability of recoverable information, satisfying the persistent review requirement for alignment with recovery objectives.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 119,
                "name": "Security Policies Cover Encryption",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they explain the procedures for encrypting sensitive data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 127,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-53",
          "control_name": "Cryptography Policies",
          "control_description": "Sustainment Technologies Inc has an established policy and procedures that governs the use of cryptographic controls.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.157Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-53-owner",
              "name": "Assigned Control Owner - Cryptography Policies (DCF-53)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182437+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-53-monitoring",
              "name": "Continuous Monitoring - Cryptography Policies (DCF-53)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182443+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-53-policy",
              "name": "Policy Documentation - Cryptography Policies (DCF-53)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182450+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 67,
          "explanation": "While seemingly unrelated, the \"Cryptography Policies\" control supports KSI-RPL-ABO by ensuring data *within* backups is protected and recoverable. A strong cryptography policy (CP-9) dictates key management and data protection practices, meaning backups can be reliably restored *with* accessible, uncorrupted data – a critical component of meeting defined recovery objectives. Essentially, secure backups are useless if the data within them can't be decrypted and verified during recovery.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 85,
                "name": "Cryptography Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's cryptography policies and confirmed that they list resources that employees may access to ensure they understand the procedures and their responsibilities.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 67,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-13",
          "control_name": "Information Security Policy",
          "control_description": "Sustainment Technologies Inc has a defined Information Security Policy that covers policies and procedures to support the functioning of internal control.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.144Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:39.174Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-13-owner",
              "name": "Assigned Control Owner - Information Security Policy (DCF-13)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182462+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-13-monitoring",
              "name": "Continuous Monitoring - Information Security Policy (DCF-13)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182470+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-13-policy",
              "name": "Policy Documentation - Information Security Policy (DCF-13)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182476+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 64,
          "explanation": "Drata’s Information Security Policy satisfies KSI-RPL-ABO by demonstrating a foundational commitment to information security, including the establishment of procedures for data backup and recovery – a key component of aligning backups with recovery objectives. While the policy itself isn’t the *execution* of reviews, it *documents* the commitment to regularly assess and maintain alignment, fulfilling the \"persistently review\" aspect of the requirement, supported by NIST CP-10's policy development guidance. Essentially, the policy sets the stage for consistent backup/recovery objective alignment checks.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 82,
                "name": "Information Security Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Information Security Policy and confirmed that it covers policies and procedures to support the functioning of internal control.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 16,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-101",
          "control_name": "Data Retention Policy",
          "control_description": "Sustainment Technologies Inc has a documented policy for data retention defining the types of data (including company and customer data) and the period of time for which they should be retained.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.939Z",
          "updated_at": "2026-06-23T19:21:25.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:38.413Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 14,
              "name": "Data Management Policy",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/14_Data Management Policy.docx",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182658+00:00",
                "status": "hashed",
                "sha256": "7328b09b06e84d2d53e62434b71d5ae716f44fb397bc70b02bffe0d2639fc739",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/14_Data Management Policy.docx",
                "filename": "14_Data Management Policy.docx",
                "size_bytes": 19207,
                "modified_at": "2026-07-02T13:17:00+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-101-monitoring",
              "name": "Continuous Monitoring - Data Retention Policy (DCF-101)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-23T19:21:25.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182710+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-101-policy",
              "name": "Policy Documentation - Data Retention Policy (DCF-101)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-06-23T19:21:25.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182717+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 28,
          "explanation": "The Data Retention Policy satisfies KSI-RPL-ABO by establishing *what* data is backed up (defining scope) and *for how long* – directly informing recovery objectives and ensuring backups align with business needs. This documented policy provides evidence of persistent review, demonstrating STI actively manages backup alignment with defined retention periods as required by FedRAMP. Essentially, knowing *what* and *how long* to retain allows for effective testing of recovery against defined objectives.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 41,
                "name": "Data Retention Policy",
                "status": "PASSED",
                "description": "Drata inspected and confirmed that Sustainment Technologies Inc has a data retention period specified for customer data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 136,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-100",
          "control_name": "Backup Integrity and Completeness",
          "control_description": "Sustainment Technologies Inc tests the integrity and completeness of back-up information on an annual basis.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.984Z",
          "updated_at": "2025-11-24T13:51:34.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-100-owner",
              "name": "Assigned Control Owner - Backup Integrity and Completeness (DCF-100)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182724+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-100-monitoring",
              "name": "Continuous Monitoring - Backup Integrity and Completeness (DCF-100)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182732+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-100-policy",
              "name": "Policy Documentation - Backup Integrity and Completeness (DCF-100)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182738+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 17,
          "explanation": "Drata's \"Backup Integrity and Completeness\" control directly addresses KSI-RPL-ABO by demonstrating regular (annual) verification that backups are functioning as expected and can actually be used to meet recovery objectives. This testing confirms backups aren’t just *created*, but are *reliable* for restoration – a key component of persistently reviewing alignment with defined recovery goals as required by FedRAMP. The related NIST controls (CP-9, CP-10) further support this by outlining backup and restoration planning/testing standards.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-171",
          "control_name": "Documented Operating Procedures",
          "control_description": "Sustainment Technologies Inc maintains documented procedures that describe how to perform activities including controls, methods, and processes to be followed to achieve the company's policies objectives and compliance activities. The procedures are reviewed and updated as needed to address changes ",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:43.988Z",
          "updated_at": "2025-11-24T18:38:55.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-171-evidence",
              "name": "Documented Operating Procedures (DCF-171)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T18:38:55.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182745+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-171-policy",
              "name": "Policy Documentation - Documented Operating Procedures (DCF-171)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:55.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182752+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 180,
          "explanation": "This Drata control satisfies KSI-RPL-ABO by demonstrating a formalized process for regularly reviewing backup procedures against recovery objectives – as outlined in the documented operating procedures. The review & update cycle (stated in the control description) ensures backups remain *aligned* with defined recovery time/point objectives, fulfilling the persistent review requirement of the KSI. Essentially, documented procedures prove STI doesn't just *have* backups, but actively confirms they'll *work* when needed.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' Backup Policy and Information Security Policy require that backups of all machine-based information resources are aligned with defined recovery objectives. This is implemented through daily database backups, backup integrity verification, encrypted backup storage (including offline media), defined data retention policies, and a disaster recovery plan that specifies RPO/RTO targets. Drata monitors backup execution and encryption compliance, while documented operating procedures ensure backup operations consistently meet the recovery objectives defined in the disaster recovery plan.\n### Key Controls\n- [OK] Disaster Recovery Plan (DCF-25)\n- [OK] Backup Policy (DCF-169)\n- [OK] Daily Database Backups (DCF-77)\n- [OK] Encryption Policy (DCF-181)\n- [OK] Cryptography Policies (DCF-53)\n- [OK] Information Security Policy (DCF-13)\n- [OK] Data Retention Policy (DCF-101)\n- [OK] Backup Integrity and Completeness (DCF-100)\n- [OK] Documented Operating Procedures (DCF-171)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:55.515043+00:00",
      "ksi_name": "Aligning Backups with Objectives",
      "category": "RPL",
      "statement": "Persistently review the alignment of machine-based information resource backups with defined recovery objectives.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/recovery-planning/",
      "nist_controls": [
        "CM-2.3",
        "CP-6",
        "CP-9",
        "CP-10",
        "CP-10.2",
        "SI-12"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment ensures backups of all machine-based information resources are aligned with defined recovery objectives through daily database backups, backup integrity verification, encrypted offline storage, and a documented backup policy.",
        "failure_condition": "Backup not completing daily will cause a failure of the test. Additionally, a backup policy, disaster recovery plan, encryption policy, data retention policy, security of offline media storage, and documented operating procedures must be in place to ensure backups are reliable and aligned with recovery objectives."
      },
      "outcome_metrics": [
        {
          "statement": "Backup configurations meet documented RPO requirements for all critical systems",
          "metric_name": "Integrity",
          "target_value": "100% of critical systems backed up per RPO; 0 backup failures unresolved > 24 hours",
          "target_unit": "",
          "frequency": "Weekly",
          "source": "Backup system reports; RPO alignment matrix",
          "notes": "Backup failure unresolved > 24 hours; critical system without backup per RPO"
        }
      ],
      "monitoring": {
        "total_tests": 7,
        "passed": 7,
        "failed": 0,
        "controls_with_monitoring": 7,
        "monitoring_coverage": 70.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-RPL-ARP",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:54.827618+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-25 (DCF-25)",
          "control_id": "DCF-25",
          "status": "Passing",
          "description": "Drata control status for DCF-25",
          "date": "2026-07-02T13:19:54.827618+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-169 (DCF-169)",
          "control_id": "DCF-169",
          "status": "Passing",
          "description": "Drata control status for DCF-169",
          "date": "2026-07-02T13:19:54.827618+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-159 (DCF-159)",
          "control_id": "DCF-159",
          "status": "Passing",
          "description": "Drata control status for DCF-159",
          "date": "2026-07-02T13:19:54.827618+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-29 (DCF-29)",
          "control_id": "DCF-29",
          "status": "Passing",
          "description": "Drata control status for DCF-29",
          "date": "2026-07-02T13:19:54.827618+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-77 (DCF-77)",
          "control_id": "DCF-77",
          "status": "Passing",
          "description": "Drata control status for DCF-77",
          "date": "2026-07-02T13:19:54.827618+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-26 (DCF-26)",
          "control_id": "DCF-26",
          "status": "Passing",
          "description": "Drata control status for DCF-26",
          "date": "2026-07-02T13:19:54.827618+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-166 (DCF-166)",
          "control_id": "DCF-166",
          "status": "Passing",
          "description": "Drata control status for DCF-166",
          "date": "2026-07-02T13:19:54.827618+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-17 (DCF-17)",
          "control_id": "DCF-17",
          "status": "Passing",
          "description": "Drata control status for DCF-17",
          "date": "2026-07-02T13:19:54.827618+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-RPL-ARP",
          "control_name": "Custom Automated Check: KSI-RPL-ARP",
          "control_description": "8/8 mapped controls passing; Sustainment Technologies' Incident Response Plan, Business Continuity Plan, and Disaster Recovery Plan collectively define recovery procedures aligned with organizational recovery objectives. These plans are implemented through a dedicated incident response team, remediation planning, daily database backups, defined backup policies, and secure offline media storage. Drata monitors backup execution and incident response readiness, while annual BCP/DR testing validates that recovery plans achieve the defined recovery time and recovery point objectives.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:54.827618+00:00",
          "updated_at": "2026-07-02T13:19:54.827618+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:54.827618+00:00",
          "requirements_updated_at": "",
          "evidence_count": 8,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-25 (DCF-25)",
              "description": "Drata control status for DCF-25",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.827618+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182760+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-169 (DCF-169)",
              "description": "Drata control status for DCF-169",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.827618+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182767+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-159 (DCF-159)",
              "description": "Drata control status for DCF-159",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.827618+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182774+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-29 (DCF-29)",
              "description": "Drata control status for DCF-29",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.827618+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182781+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-77 (DCF-77)",
              "description": "Drata control status for DCF-77",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.827618+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182787+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-26 (DCF-26)",
              "description": "Drata control status for DCF-26",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.827618+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182793+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-166 (DCF-166)",
              "description": "Drata control status for DCF-166",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.827618+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182800+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-17 (DCF-17)",
              "description": "Drata control status for DCF-17",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.827618+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182806+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 5,
            "passed": 5,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:41.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 12,
                "name": "Disaster Recovery Plan",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Disaster Recovery Plan and confirmed that it outlines roles and responsibilities and detailed procedures for recovery of systems.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 28,
                "enabled": true
              },
              {
                "test_id": 20,
                "name": "Has a Backup Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Backup Policy and confirmed it specified how often backups should be taken and for how long they should be retained.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 106,
                "enabled": true
              },
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              },
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              },
              {
                "test_id": 16,
                "name": "Database Backups",
                "status": "PASSED",
                "description": "Drata validated database backup configurations from the cloud infrastructure provider and confirmed database backups are performed at least daily.",
                "last_run": "2026-07-01T18:27:41.000Z",
                "test_definition_id": 107,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-25",
              "DCF-169",
              "DCF-159",
              "DCF-29",
              "DCF-77",
              "DCF-26",
              "DCF-166",
              "DCF-17"
            ]
          }
        },
        {
          "control_id": "DCF-25",
          "control_name": "Disaster Recovery Plan",
          "control_description": "Sustainment Technologies Inc has an established Disaster Recovery Plan that outlines roles and responsibilities and detailed procedures for recovery of systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.870Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-25-owner",
              "name": "Assigned Control Owner - Disaster Recovery Plan (DCF-25)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182813+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-25-monitoring",
              "name": "Continuous Monitoring - Disaster Recovery Plan (DCF-25)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182820+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-25-policy",
              "name": "Policy Documentation - Disaster Recovery Plan (DCF-25)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182826+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 10,
          "explanation": "This Disaster Recovery Plan directly addresses KSI-RPL-ARP by demonstrating a documented process for system recovery – fulfilling the \"defined recovery procedures\" aspect of the requirement. The plan's outlining of roles & responsibilities, combined with detailed procedures, proves persistent review and alignment with recovery objectives, as FedRAMP KSI demands ongoing validation of recovery preparedness. Essentially, it *shows* they aren't just planning for recovery, but actively maintaining & validating that plan.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 12,
                "name": "Disaster Recovery Plan",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Disaster Recovery Plan and confirmed that it outlines roles and responsibilities and detailed procedures for recovery of systems.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 28,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-169",
          "control_name": "Backup Policy",
          "control_description": "Sustainment Technologies Inc has a defined backup policy that establishes the requirements for backup information, software and systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.900Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-169-owner",
              "name": "Assigned Control Owner - Backup Policy (DCF-169)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182833+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-169-monitoring",
              "name": "Continuous Monitoring - Backup Policy (DCF-169)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182839+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-169-policy",
              "name": "Policy Documentation - Backup Policy (DCF-169)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182846+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 16,
          "explanation": "The Drata \"Backup Policy\" satisfies KSI-RPL-ARP by demonstrating a defined process for regularly backing up systems and data Ã¢â‚¬â€œ a foundational element of any recovery plan. This policy inherently establishes *what* is recovered (information, software, systems), allowing for ongoing review to ensure backups align with the organization's *recovery objectives* as defined in their broader disaster recovery/business continuity plans. Essentially, consistent backups prove a capability to restore, supporting the persistent review of plan alignment required by the KSI.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 20,
                "name": "Has a Backup Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Backup Policy and confirmed it specified how often backups should be taken and for how long they should be retained.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 106,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-159",
          "control_name": "Incident Response Plan",
          "control_description": "Sustainment Technologies Inc has an established Incident Response Plan that outlines management responsibilities and procedures to ensure a quick, effective, and orderly response to information security incidents and annual testing.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.576Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-159-evidence",
              "name": "Incident Response Plan (DCF-159)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182853+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-owner",
              "name": "Assigned Control Owner - Incident Response Plan (DCF-159)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182861+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-monitoring",
              "name": "Continuous Monitoring - Incident Response Plan (DCF-159)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182867+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 77,
          "explanation": "The Incident Response Plan satisfies KSI-RPL-ARP by demonstrating a documented process for recovering from security incidents Ã¢â‚¬â€œ effectively *testing* recovery capabilities as part of annual drills. This annual testing inherently reviews whether the plan aligns with defined recovery objectives (like RTO/RPO) by validating the speed and effectiveness of response & restoration procedures. Therefore, it fulfills the requirement for persistent review and alignment of recovery plans.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-29",
          "control_name": "Incident Response Team",
          "control_description": "Sustainment Technologies Inc has identified an incident response team that quantifies and monitors incidents involving security, availability, processing integrity, and confidentiality at the company.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.562Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-29-evidence",
              "name": "Incident Response Team (DCF-29)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182874+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-owner",
              "name": "Assigned Control Owner - Incident Response Team (DCF-29)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182881+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-monitoring",
              "name": "Continuous Monitoring - Incident Response Team (DCF-29)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182887+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 74,
          "explanation": "The \"Incident Response Team\" control satisfies KSI-RPL-ARP by demonstrating ongoing monitoring of security incidents Ã¢â‚¬â€œ including those impacting availability Ã¢â‚¬â€œ which directly informs the effectiveness of recovery plans. Quantifying incidents allows Sustainment Technologies Inc. to assess if recovery objectives (like RTO/RPO) are being met *during* actual events, enabling persistent review and necessary adjustments to those plans. This aligns with the FedRAMP requirement for continuous validation of recovery plan alignment.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-77",
          "control_name": "Daily Database Backups",
          "control_description": "Sustainment Technologies Inc performs backups daily and retains them in accordance with a predefined schedule in the Backup Policy.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.886Z",
          "updated_at": "2026-05-16T21:24:19.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-77-owner",
              "name": "Assigned Control Owner - Daily Database Backups (DCF-77)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182894+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-77-monitoring",
              "name": "Continuous Monitoring - Daily Database Backups (DCF-77)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182900+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-77-policy",
              "name": "Policy Documentation - Daily Database Backups (DCF-77)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182906+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 13,
          "explanation": "Drata's \"Daily Database Backups\" control satisfies KSI-RPL-ARP by demonstrating a continuous data protection practice directly supporting recovery objectives. Regularly scheduled backups (and the documented policy governing them) prove STI is *persistently* reviewing and acting on its ability to restore data Ã¢â‚¬â€œ a core component of aligned recovery plans as required by the KSI. This aligns with NIST CP-10 (Information System Backup) and CP-6 (Media Protection) which underpin robust disaster recovery capabilities.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:41.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 16,
                "name": "Database Backups",
                "status": "PASSED",
                "description": "Drata validated database backup configurations from the cloud infrastructure provider and confirmed database backups are performed at least daily.",
                "last_run": "2026-07-01T18:27:41.000Z",
                "test_definition_id": 107,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-26",
          "control_name": "BCP/DR Tests Conducted Annually",
          "control_description": "Sustainment Technologies Inc conducts annual BCP/DR tests and documents according to the BCDR Plan.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.875Z",
          "updated_at": "2025-11-24T13:51:33.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-26-evidence",
              "name": "BCP/DR Tests Conducted Annually (DCF-26)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:33.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182913+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-26-policy",
              "name": "Policy Documentation - BCP/DR Tests Conducted Annually (DCF-26)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:33.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182919+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 11,
          "explanation": "This Drata control directly addresses KSI-RPL-ARP by demonstrating persistent review of recovery plans. Annual BCP/DR tests, as evidenced by documentation, validate that the BCDR Plan *actually* meets defined recovery objectives (RTO/RPO) Ã¢â‚¬â€œ fulfilling the requirement for ongoing alignment. The related NIST controls (CP-6, CP-7, CP-2) further support the plan's development, testing, and implementation for effective disaster recovery.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-166",
          "control_name": "Business Continuity Plan",
          "control_description": "Sustainment Technologies Inc has a defined Business Continuity Plan that outlines the proper procedures to respond, recover, resume, and restore operations following a disruption or significant change.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.834Z",
          "updated_at": "2025-11-24T13:51:38.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-166-policy",
              "name": "Policy Documentation - Business Continuity Plan (DCF-166)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182926+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 91,
          "explanation": "The Business Continuity Plan (BCP) directly satisfies KSI-RPL-ARP by detailing procedures for restoring operations Ã¢â‚¬â€œ inherently demonstrating a persistent review of recovery methods against operational objectives. Regular maintenance and testing (implied by a *defined* BCP) ensures alignment between the plan and stated recovery goals, fulfilling the requirement for ongoing review and validation. This aligns with NIST CP controls focused on contingency planning and business impact analysis.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-17",
          "control_name": "Remediation Plan",
          "control_description": "Sustainment Technologies Inc's Management prepares a remediation plan to formally manage the resolution of findings identified in risk assessment activities.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.285Z",
          "updated_at": "2025-11-24T13:51:39.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-17-policy",
              "name": "Policy Documentation - Remediation Plan (DCF-17)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:39.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182933+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 87,
          "explanation": "The Drata \"Remediation Plan\" control satisfies KSI-RPL-ARP by demonstrating a *process* for addressing identified risks Ã¢â‚¬â€œ essentially, findings from risk assessments are formalized into plans with resolution steps. This ongoing management of findings and their correction ensures recovery plans remain aligned with defined recovery objectives, fulfilling the persistent review requirement of the KSI. ItÃ¢â‚¬â„¢s proof that issues impacting recovery aren't just *identified*, but actively *managed* to a resolved state.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' Incident Response Plan, Business Continuity Plan, and Disaster Recovery Plan collectively define recovery procedures aligned with organizational recovery objectives. These plans are implemented through a dedicated incident response team, remediation planning, daily database backups, defined backup policies, and secure offline media storage. Drata monitors backup execution and incident response readiness, while annual BCP/DR testing validates that recovery plans achieve the defined recovery time and recovery point objectives.\n### Key Controls\n- [OK] Disaster Recovery Plan (DCF-25)\n- [OK] Backup Policy (DCF-169)\n- [OK] Incident Response Plan (DCF-159)\n- [OK] Incident Response Team (DCF-29)\n- [OK] Daily Database Backups (DCF-77)\n- [OK] BCP/DR Tests Conducted Annually (DCF-26)\n- [OK] Business Continuity Plan (DCF-166)\n- [OK] Remediation Plan (DCF-17)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:54.827618+00:00",
      "ksi_name": "Aligning Recovery Plan",
      "category": "RPL",
      "statement": "Persistently review the alignment of recovery plans with defined recovery objectives.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/recovery-planning/",
      "nist_controls": [
        "CP-2",
        "CP-2.1",
        "CP-2.3",
        "CP-4.1",
        "CP-6",
        "CP-6.1",
        "CP-6.3",
        "CP-7",
        "CP-7.1",
        "CP-7.2",
        "CP-7.3",
        "CP-8",
        "CP-8.1",
        "CP-8.2",
        "CP-10",
        "CP-10.2"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment maintains recovery plans aligned with organizational objectives through a documented incident response plan, business continuity plan, and disaster recovery plan that are tested annually.",
        "failure_condition": "Recovery plan not tested within 12 months, plan not updated after a significant change, or failure to track remediation items to resolution will cause a failure of the test. Additionally, an incident response team, daily database backups, a backup policy, annual BCP/DR tests, security of offline media storage, and a business continuity plan must be in place to ensure recovery plans are current and validated."
      },
      "monitoring": {
        "total_tests": 5,
        "passed": 5,
        "failed": 0,
        "controls_with_monitoring": 5,
        "monitoring_coverage": 55.6,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-RPL-RRO",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:55.328152+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-604 (DCF-604)",
          "control_id": "DCF-604",
          "status": "Passing",
          "description": "Drata control status for DCF-604",
          "date": "2026-07-02T13:19:55.328152+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-167 (DCF-167)",
          "control_id": "DCF-167",
          "status": "Passing",
          "description": "Drata control status for DCF-167",
          "date": "2026-07-02T13:19:55.328152+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-177 (DCF-177)",
          "control_id": "DCF-177",
          "status": "Passing",
          "description": "Drata control status for DCF-177",
          "date": "2026-07-02T13:19:55.328152+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-171 (DCF-171)",
          "control_id": "DCF-171",
          "status": "Passing",
          "description": "Drata control status for DCF-171",
          "date": "2026-07-02T13:19:55.328152+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-13 (DCF-13)",
          "control_id": "DCF-13",
          "status": "Passing",
          "description": "Drata control status for DCF-13",
          "date": "2026-07-02T13:19:55.328152+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-100 (DCF-100)",
          "control_id": "DCF-100",
          "status": "Passing",
          "description": "Drata control status for DCF-100",
          "date": "2026-07-02T13:19:55.328152+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-169 (DCF-169)",
          "control_id": "DCF-169",
          "status": "Passing",
          "description": "Drata control status for DCF-169",
          "date": "2026-07-02T13:19:55.328152+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-77 (DCF-77)",
          "control_id": "DCF-77",
          "status": "Passing",
          "description": "Drata control status for DCF-77",
          "date": "2026-07-02T13:19:55.328152+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-25 (DCF-25)",
          "control_id": "DCF-25",
          "status": "Passing",
          "description": "Drata control status for DCF-25",
          "date": "2026-07-02T13:19:55.328152+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-RPL-RRO",
          "control_name": "Custom Automated Check: KSI-RPL-RRO",
          "control_description": "9/9 mapped controls passing; Sustainment Technologies' Information Security Policy and Disaster Recovery Plan define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for all critical information resources. These objectives are implemented through daily database backups, backup integrity verification, secure offline media storage, documented operating procedures, transaction recovery capabilities, and a business impact analysis that informs objective setting. Drata monitors backup frequency and integrity against defined objectives, while event logging provides the audit trail needed to verify that recovery points are achievable.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:55.328152+00:00",
          "updated_at": "2026-07-02T13:19:55.328152+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:55.328152+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-604 (DCF-604)",
              "description": "Drata control status for DCF-604",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.328152+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182940+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-167 (DCF-167)",
              "description": "Drata control status for DCF-167",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.328152+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182947+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-177 (DCF-177)",
              "description": "Drata control status for DCF-177",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.328152+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182953+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-171 (DCF-171)",
              "description": "Drata control status for DCF-171",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.328152+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182960+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-13 (DCF-13)",
              "description": "Drata control status for DCF-13",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.328152+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182967+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-100 (DCF-100)",
              "description": "Drata control status for DCF-100",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.328152+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182976+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-169 (DCF-169)",
              "description": "Drata control status for DCF-169",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.328152+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182982+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-77 (DCF-77)",
              "description": "Drata control status for DCF-77",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.328152+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182989+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-25 (DCF-25)",
              "description": "Drata control status for DCF-25",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:55.328152+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.182996+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 4,
            "passed": 4,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:41.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 82,
                "name": "Information Security Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Information Security Policy and confirmed that it covers policies and procedures to support the functioning of internal control.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 16,
                "enabled": true
              },
              {
                "test_id": 20,
                "name": "Has a Backup Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Backup Policy and confirmed it specified how often backups should be taken and for how long they should be retained.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 106,
                "enabled": true
              },
              {
                "test_id": 16,
                "name": "Database Backups",
                "status": "PASSED",
                "description": "Drata validated database backup configurations from the cloud infrastructure provider and confirmed database backups are performed at least daily.",
                "last_run": "2026-07-01T18:27:41.000Z",
                "test_definition_id": 107,
                "enabled": true
              },
              {
                "test_id": 12,
                "name": "Disaster Recovery Plan",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Disaster Recovery Plan and confirmed that it outlines roles and responsibilities and detailed procedures for recovery of systems.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 28,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-604",
              "DCF-167",
              "DCF-177",
              "DCF-171",
              "DCF-13",
              "DCF-100",
              "DCF-169",
              "DCF-77",
              "DCF-25"
            ]
          }
        },
        {
          "control_id": "DCF-604",
          "control_name": "Transaction Recovery Procedures",
          "control_description": "Sustainment Technologies Inc has transaction recovery procedures for transaction-based systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:13.281Z",
          "updated_at": "2026-05-03T13:14:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": 153,
              "name": "Transactional Replays Statement",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/153_Transactional Replays Statement.pdf",
              "updated_at": "2026-04-28T15:52:06.859Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183187+00:00",
                "status": "hashed",
                "sha256": "b9d92c1e26c87c683ca362fd83a598ba2684c8b8c75f7606c0c6345c21d01382",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/153_Transactional Replays Statement.pdf",
                "filename": "153_Transactional Replays Statement.pdf",
                "size_bytes": 32064,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            }
          ],
          "drata_control_id": 595,
          "explanation": "Drata's \"Transaction Recovery Procedures\" control satisfies KSI-RPL-RRO by demonstrating a defined process for restoring systems *after* a disruptive event – a core component of meeting RTO/RPO goals. By having documented procedures for transaction-based systems (CP-10), Sustainment Technologies Inc. proves they actively consider *how* they'll meet those recovery objectives, fulfilling the persistent review requirement of the KSI. Essentially, it shows they aren’t just *defining* RTO/RPO, but *practicing* recovery to validate them.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-167",
          "control_name": "Business Impact Analysis",
          "control_description": "Sustainment Technologies Inc has a Business Impact Analysis process to determine resources and time required to ensure business continuity after a disruptive incident.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:44.821Z",
          "updated_at": "2025-11-24T18:38:45.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-167-policy",
              "name": "Policy Documentation - Business Impact Analysis (DCF-167)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:45.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183250+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 184,
          "explanation": "The Business Impact Analysis (BIA) directly addresses KSI-RPL-RRO by identifying critical resources and their associated recovery timeframes – effectively *defining* the RTO/RPO for each system. By regularly updating the BIA (as implied by \"sustainment\"), Sustainment Technologies Inc demonstrates persistent review of these objectives, fulfilling the FedRAMP KSI requirement for ongoing RTO/RPO assessment.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-177",
          "control_name": "Event Logging",
          "control_description": "Sustainment Technologies Inc has a defined plan for event logging that establishes the required criteria for logs, protection of logged information, clock synchronization.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:44.114Z",
          "updated_at": "2025-11-24T18:38:50.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": 160,
              "name": "Silent Log Sources - Crowdstrike",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/160_Silent Log Sources - Crowdstrike.png",
              "updated_at": "2026-06-17T22:10:26.030Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183423+00:00",
                "status": "hashed",
                "sha256": "4355516d11f210c6981374184d617ae5fe381cdce7b22a19795747db92d14581",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/160_Silent Log Sources - Crowdstrike.png",
                "filename": "160_Silent Log Sources - Crowdstrike.png",
                "size_bytes": 239901,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-177-policy",
              "name": "Policy Documentation - Event Logging (DCF-177)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:50.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183635+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 182,
          "explanation": "Drata's Event Logging control helps satisfy KSI-RPL-RRO by providing a record of system activity crucial for *verifying* the effectiveness of recovery procedures outlined in the RTO/RPO plan. Detailed logs allow for post-incident analysis to determine if recovery objectives were met, demonstrating consistent review and validation of those objectives – essentially proving the plan works in practice. This aligns with the spirit of persistently *reviewing* RTO/RPO through demonstrable evidence.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-171",
          "control_name": "Documented Operating Procedures",
          "control_description": "Sustainment Technologies Inc maintains documented procedures that describe how to perform activities including controls, methods, and processes to be followed to achieve the company's policies objectives and compliance activities. The procedures are reviewed and updated as needed to address changes ",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:43.988Z",
          "updated_at": "2025-11-24T18:38:55.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-171-evidence",
              "name": "Documented Operating Procedures (DCF-171)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T18:38:55.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183642+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-171-policy",
              "name": "Policy Documentation - Documented Operating Procedures (DCF-171)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:55.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183649+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 180,
          "explanation": "This Drata control satisfies KSI-RPL-RRO by demonstrating a process for regularly reviewing and updating critical recovery objectives (RTO/RPO) as part of documented operating procedures. Because the procedures are *reviewed and updated as needed*, it proves persistent monitoring and adjustment of these objectives to ensure business continuity plans remain effective and aligned with evolving risks – a core tenet of the FedRAMP KSI requirement. Essentially, documented procedures *are* the mechanism for persistently reviewing those objectives.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-13",
          "control_name": "Information Security Policy",
          "control_description": "Sustainment Technologies Inc has a defined Information Security Policy that covers policies and procedures to support the functioning of internal control.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.144Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:39.174Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-13-owner",
              "name": "Assigned Control Owner - Information Security Policy (DCF-13)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183656+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-13-monitoring",
              "name": "Continuous Monitoring - Information Security Policy (DCF-13)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183662+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-13-policy",
              "name": "Policy Documentation - Information Security Policy (DCF-13)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183669+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 64,
          "explanation": "The Drata Information Security Policy control satisfies KSI-RPL-RRO by demonstrating a documented, overarching framework for managing risk – including disaster recovery. This policy inherently necessitates the periodic review and updating of critical business continuity elements like RTO/RPO as part of a holistic security program (supported by NIST CP-10's policy development guidance). Essentially, having *a* policy means STI is actively thinking about, and documenting how it will meet, recovery objectives.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 82,
                "name": "Information Security Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Information Security Policy and confirmed that it covers policies and procedures to support the functioning of internal control.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 16,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-100",
          "control_name": "Backup Integrity and Completeness",
          "control_description": "Sustainment Technologies Inc tests the integrity and completeness of back-up information on an annual basis.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.984Z",
          "updated_at": "2025-11-24T13:51:34.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-100-owner",
              "name": "Assigned Control Owner - Backup Integrity and Completeness (DCF-100)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183675+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-100-monitoring",
              "name": "Continuous Monitoring - Backup Integrity and Completeness (DCF-100)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183682+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-100-policy",
              "name": "Policy Documentation - Backup Integrity and Completeness (DCF-100)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:34.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183689+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 17,
          "explanation": "Drata's \"Backup Integrity and Completeness\" control satisfies KSI-RPL-RRO by demonstrating a regular (annual) verification that backups *exist* and are *usable* – crucial for meeting defined RTO/RPO. Successfully restoring from backups proves the ability to recover within acceptable timeframes (RTO) and with minimal data loss (RPO), fulfilling the persistent review requirement of the KSI. This aligns with CP-10's focus on information system backup.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-169",
          "control_name": "Backup Policy",
          "control_description": "Sustainment Technologies Inc has a defined backup policy that establishes the requirements for backup information, software and systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.900Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-169-owner",
              "name": "Assigned Control Owner - Backup Policy (DCF-169)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183695+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-169-monitoring",
              "name": "Continuous Monitoring - Backup Policy (DCF-169)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183702+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-169-policy",
              "name": "Policy Documentation - Backup Policy (DCF-169)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183709+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 16,
          "explanation": "The Drata \"Backup Policy\" control satisfies KSI-RPL-RRO by demonstrating a documented process for regularly backing up systems and data – a foundational element for achieving defined RTO/RPO. This policy inherently necessitates consideration of *what* is backed up (impacting RPO) and *how quickly* it can be restored (impacting RTO) to meet business continuity goals, aligning with the persistent review requirement. Essentially, a backup policy *enables* the consistent achievement and review of RTO/RPO.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 20,
                "name": "Has a Backup Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Backup Policy and confirmed it specified how often backups should be taken and for how long they should be retained.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 106,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-77",
          "control_name": "Daily Database Backups",
          "control_description": "Sustainment Technologies Inc performs backups daily and retains them in accordance with a predefined schedule in the Backup Policy.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.886Z",
          "updated_at": "2026-05-16T21:24:19.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-77-owner",
              "name": "Assigned Control Owner - Daily Database Backups (DCF-77)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183715+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-77-monitoring",
              "name": "Continuous Monitoring - Daily Database Backups (DCF-77)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183721+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-77-policy",
              "name": "Policy Documentation - Daily Database Backups (DCF-77)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183728+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 13,
          "explanation": "Drata's \"Daily Database Backups\" control satisfies KSI-RPL-RRO by demonstrating a consistent practice of data preservation, directly supporting the ability to *recover* systems within defined RTO/RPO parameters. Regularly backing up databases (and retaining them as per policy) provides the data necessary to restore operations, proving persistent review and action towards meeting recovery objectives – a core tenet of FedRAMP resilience.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:41.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 16,
                "name": "Database Backups",
                "status": "PASSED",
                "description": "Drata validated database backup configurations from the cloud infrastructure provider and confirmed database backups are performed at least daily.",
                "last_run": "2026-07-01T18:27:41.000Z",
                "test_definition_id": 107,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-25",
          "control_name": "Disaster Recovery Plan",
          "control_description": "Sustainment Technologies Inc has an established Disaster Recovery Plan that outlines roles and responsibilities and detailed procedures for recovery of systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.870Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-25-owner",
              "name": "Assigned Control Owner - Disaster Recovery Plan (DCF-25)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183735+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-25-monitoring",
              "name": "Continuous Monitoring - Disaster Recovery Plan (DCF-25)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183741+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-25-policy",
              "name": "Policy Documentation - Disaster Recovery Plan (DCF-25)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183747+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 10,
          "explanation": "The Disaster Recovery Plan directly addresses KSI-RPL-RRO by detailing *how* Sustainment Technologies Inc. will recover systems, inherently requiring and documenting defined RTOs and RPOs for each system. Regular updates and maintenance of this plan (implied in \"established\") demonstrate persistent review of those objectives, fulfilling the FedRAMP requirement. This aligns with NIST CP-10's focus on contingency planning and recovery strategies.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 12,
                "name": "Disaster Recovery Plan",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Disaster Recovery Plan and confirmed that it outlines roles and responsibilities and detailed procedures for recovery of systems.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 28,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "Sustainment Technologies' Information Security Policy and Disaster Recovery Plan define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for all critical information resources. These objectives are implemented through daily database backups, backup integrity verification, secure offline media storage, documented operating procedures, transaction recovery capabilities, and a business impact analysis that informs objective setting. Drata monitors backup frequency and integrity against defined objectives, while event logging provides the audit trail needed to verify that recovery points are achievable.\n### Key Controls\n- [OK] Transaction Recovery Procedures (DCF-604)\n- [OK] Business Impact Analysis (DCF-167)\n- [OK] Event Logging (DCF-177)\n- [OK] Documented Operating Procedures (DCF-171)\n- [OK] Information Security Policy (DCF-13)\n- [OK] Backup Integrity and Completeness (DCF-100)\n- [OK] Backup Policy (DCF-169)\n- [OK] Daily Database Backups (DCF-77)\n- [OK] Disaster Recovery Plan (DCF-25)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:55.328152+00:00",
      "ksi_name": "Reviewing Recovery Objectives",
      "category": "RPL",
      "statement": "Persistently review desired Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/recovery-planning/",
      "nist_controls": [
        "CP-2.3",
        "CP-10"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment defines Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for all critical information resources and validates them through testing, daily backups, and documented operating procedures.",
        "failure_condition": "RTO/RPO not defined, not validated through testing, or backup integrity verification failure will cause a failure of the test. Additionally, a business impact analysis, disaster recovery plan, transaction recovery procedures, daily database backups, backup policy, event logging, and documented operating procedures must be in place to ensure recovery objectives are achievable and verified."
      },
      "monitoring": {
        "total_tests": 4,
        "passed": 4,
        "failed": 0,
        "controls_with_monitoring": 4,
        "monitoring_coverage": 40.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-RPL-TRC",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:54.732255+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-25 (DCF-25)",
          "control_id": "DCF-25",
          "status": "Passing",
          "description": "Drata control status for DCF-25",
          "date": "2026-07-02T13:19:54.732255+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-29 (DCF-29)",
          "control_id": "DCF-29",
          "status": "Passing",
          "description": "Drata control status for DCF-29",
          "date": "2026-07-02T13:19:54.732255+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-169 (DCF-169)",
          "control_id": "DCF-169",
          "status": "Passing",
          "description": "Drata control status for DCF-169",
          "date": "2026-07-02T13:19:54.732255+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-159 (DCF-159)",
          "control_id": "DCF-159",
          "status": "Passing",
          "description": "Drata control status for DCF-159",
          "date": "2026-07-02T13:19:54.732255+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-77 (DCF-77)",
          "control_id": "DCF-77",
          "status": "Passing",
          "description": "Drata control status for DCF-77",
          "date": "2026-07-02T13:19:54.732255+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-26 (DCF-26)",
          "control_id": "DCF-26",
          "status": "Passing",
          "description": "Drata control status for DCF-26",
          "date": "2026-07-02T13:19:54.732255+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-51 (DCF-51)",
          "control_id": "DCF-51",
          "status": "Passing",
          "description": "Drata control status for DCF-51",
          "date": "2026-07-02T13:19:54.732255+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-166 (DCF-166)",
          "control_id": "DCF-166",
          "status": "Passing",
          "description": "Drata control status for DCF-166",
          "date": "2026-07-02T13:19:54.732255+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-RPL-TRC",
          "control_name": "Custom Automated Check: KSI-RPL-TRC",
          "control_description": "8/8 mapped controls passing; Sustainment Technologies' Incident Response Plan and Disaster Recovery Plan require persistent testing of recovery capabilities. This is implemented through annual BCP/DR exercises, incident response team exercises, automated patching to maintain recovery environment readiness, daily backup validation, and secure offline media storage that is tested for recoverability. Drata monitors that recovery controls remain active and backup execution is on schedule, while annual testing validates that actual recovery performance aligns with the defined RTO and RPO objectives.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:54.732255+00:00",
          "updated_at": "2026-07-02T13:19:54.732255+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:54.732255+00:00",
          "requirements_updated_at": "",
          "evidence_count": 8,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-25 (DCF-25)",
              "description": "Drata control status for DCF-25",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.732255+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183755+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-29 (DCF-29)",
              "description": "Drata control status for DCF-29",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.732255+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183761+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-169 (DCF-169)",
              "description": "Drata control status for DCF-169",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.732255+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183768+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-159 (DCF-159)",
              "description": "Drata control status for DCF-159",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.732255+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183774+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-77 (DCF-77)",
              "description": "Drata control status for DCF-77",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.732255+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183780+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-26 (DCF-26)",
              "description": "Drata control status for DCF-26",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.732255+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183787+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-51 (DCF-51)",
              "description": "Drata control status for DCF-51",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.732255+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183793+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-166 (DCF-166)",
              "description": "Drata control status for DCF-166",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.732255+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183800+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 6,
            "passed": 6,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:41.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 12,
                "name": "Disaster Recovery Plan",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Disaster Recovery Plan and confirmed that it outlines roles and responsibilities and detailed procedures for recovery of systems.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 28,
                "enabled": true
              },
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              },
              {
                "test_id": 20,
                "name": "Has a Backup Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Backup Policy and confirmed it specified how often backups should be taken and for how long they should be retained.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 106,
                "enabled": true
              },
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              },
              {
                "test_id": 16,
                "name": "Database Backups",
                "status": "PASSED",
                "description": "Drata validated database backup configurations from the cloud infrastructure provider and confirmed database backups are performed at least daily.",
                "last_run": "2026-07-01T18:27:41.000Z",
                "test_definition_id": 107,
                "enabled": true
              },
              {
                "test_id": 134,
                "name": "Security Patches Auto-Applied on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices are configured to apply system security patches automatically.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 65,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-25",
              "DCF-29",
              "DCF-169",
              "DCF-159",
              "DCF-77",
              "DCF-26",
              "DCF-51",
              "DCF-166"
            ]
          }
        },
        {
          "control_id": "DCF-25",
          "control_name": "Disaster Recovery Plan",
          "control_description": "Sustainment Technologies Inc has an established Disaster Recovery Plan that outlines roles and responsibilities and detailed procedures for recovery of systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.870Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-25-owner",
              "name": "Assigned Control Owner - Disaster Recovery Plan (DCF-25)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183806+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-25-monitoring",
              "name": "Continuous Monitoring - Disaster Recovery Plan (DCF-25)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183813+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-25-policy",
              "name": "Policy Documentation - Disaster Recovery Plan (DCF-25)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183819+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 10,
          "explanation": "The Disaster Recovery Plan directly satisfies KSI-RPL-TRC by demonstrating a defined and documented process for recovering systems following an incident Ã¢â‚¬â€œ fulfilling the \"capability to recover\" requirement. By outlining roles, responsibilities, and procedures, the plan proves persistent testing *can* be performed to validate alignment with established recovery objectives, as mandated by FedRAMP. Essentially, it provides the *how* to meet the requirement for incident/contingency recovery.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 12,
                "name": "Disaster Recovery Plan",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Disaster Recovery Plan and confirmed that it outlines roles and responsibilities and detailed procedures for recovery of systems.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 28,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-29",
          "control_name": "Incident Response Team",
          "control_description": "Sustainment Technologies Inc has identified an incident response team that quantifies and monitors incidents involving security, availability, processing integrity, and confidentiality at the company.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.562Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-29-evidence",
              "name": "Incident Response Team (DCF-29)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183826+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-owner",
              "name": "Assigned Control Owner - Incident Response Team (DCF-29)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183832+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-monitoring",
              "name": "Continuous Monitoring - Incident Response Team (DCF-29)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183838+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 74,
          "explanation": "This Drata control satisfies KSI-RPL-TRC by demonstrating a dedicated team actively *monitoring* for incidents Ã¢â‚¬â€œ a key component of identifying disruptions needing recovery. Having a defined Incident Response Team allows Sustainment Technologies Inc. to *quantify* those incidents and track progress towards meeting defined recovery objectives, proving persistent testing of recovery capabilities as required by FedRAMP.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-169",
          "control_name": "Backup Policy",
          "control_description": "Sustainment Technologies Inc has a defined backup policy that establishes the requirements for backup information, software and systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.900Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-169-owner",
              "name": "Assigned Control Owner - Backup Policy (DCF-169)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183845+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-169-monitoring",
              "name": "Continuous Monitoring - Backup Policy (DCF-169)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183851+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-169-policy",
              "name": "Policy Documentation - Backup Policy (DCF-169)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183857+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 16,
          "explanation": "The Drata \"Backup Policy\" control directly addresses KSI-RPL-TRC by demonstrating a foundational element of incident/contingency recovery Ã¢â‚¬â€œ ensuring data and systems *can* be restored. Regularly backing up information, software, and systems (as defined in the policy) allows Sustainment Technologies Inc. to meet defined recovery objectives and persistently test recovery capabilities, fulfilling the FedRAMP requirement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 20,
                "name": "Has a Backup Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Backup Policy and confirmed it specified how often backups should be taken and for how long they should be retained.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 106,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-159",
          "control_name": "Incident Response Plan",
          "control_description": "Sustainment Technologies Inc has an established Incident Response Plan that outlines management responsibilities and procedures to ensure a quick, effective, and orderly response to information security incidents and annual testing.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.576Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-159-evidence",
              "name": "Incident Response Plan (DCF-159)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183865+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-owner",
              "name": "Assigned Control Owner - Incident Response Plan (DCF-159)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183871+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-monitoring",
              "name": "Continuous Monitoring - Incident Response Plan (DCF-159)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183877+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 77,
          "explanation": "The Incident Response Plan directly satisfies KSI-RPL-TRC by demonstrating a defined process for handling security incidents Ã¢â‚¬â€œ a core contingency scenario. Annual testing of this plan, as described, proves the *capability* to recover and aligns response actions with established recovery objectives, fulfilling the persistent testing requirement of the KSI. This aligns with NIST CP-4's focus on contingency planning and testing.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-77",
          "control_name": "Daily Database Backups",
          "control_description": "Sustainment Technologies Inc performs backups daily and retains them in accordance with a predefined schedule in the Backup Policy.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.886Z",
          "updated_at": "2026-05-16T21:24:19.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-77-owner",
              "name": "Assigned Control Owner - Daily Database Backups (DCF-77)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183883+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-77-monitoring",
              "name": "Continuous Monitoring - Daily Database Backups (DCF-77)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183890+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-77-policy",
              "name": "Policy Documentation - Daily Database Backups (DCF-77)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183896+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 13,
          "explanation": "Daily Database Backups directly satisfy KSI-RPL-TRC by demonstrating the capability to recover from incidents impacting database availability Ã¢â‚¬â€œ a key contingency. Regularly backing up data (and retaining it per policy) allows Sustained Technologies Inc. to restore systems and meet defined recovery objectives, proving persistent testing of recovery capabilities as required by FedRAMP.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:41.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 16,
                "name": "Database Backups",
                "status": "PASSED",
                "description": "Drata validated database backup configurations from the cloud infrastructure provider and confirmed database backups are performed at least daily.",
                "last_run": "2026-07-01T18:27:41.000Z",
                "test_definition_id": 107,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-26",
          "control_name": "BCP/DR Tests Conducted Annually",
          "control_description": "Sustainment Technologies Inc conducts annual BCP/DR tests and documents according to the BCDR Plan.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.875Z",
          "updated_at": "2025-11-24T13:51:33.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-26-evidence",
              "name": "BCP/DR Tests Conducted Annually (DCF-26)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:33.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183902+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-26-policy",
              "name": "Policy Documentation - BCP/DR Tests Conducted Annually (DCF-26)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:33.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183909+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 11,
          "explanation": "This Drata control directly addresses KSI-RPL-TRC by demonstrating consistent validation of the organization's ability to recover from disruptive events. Annual BCP/DR tests, as evidenced by documentation, prove the sustained capability to meet defined recovery objectives outlined in the BCDR Plan Ã¢â‚¬â€œ a key FedRAMP KSI requirement for resilience. The related NIST controls (CP-6, CP-4, IR-3) further reinforce this alignment with established cybersecurity best practices.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-51",
          "control_name": "Security Patches Automatically Applied",
          "control_description": "Sustainment Technologies Inc's workstations operating system (OS) security patches are applied automatically.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.213Z",
          "updated_at": "2026-05-27T19:01:28.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-51-evidence",
              "name": "Security Patches Automatically Applied (DCF-51)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183915+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-51-owner",
              "name": "Assigned Control Owner - Security Patches Automatically Applied (DCF-51)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183922+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-51-monitoring",
              "name": "Continuous Monitoring - Security Patches Automatically Applied (DCF-51)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-27T19:01:28.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183928+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 117,
          "explanation": "Drata's \"Security Patches Automatically Applied\" control directly supports KSI-RPL-TRC by demonstrating a proactive capability to *recover from incidents* Ã¢â‚¬â€œ specifically, vulnerabilities exploited through unpatched systems. Automatically applying patches reduces the impact & recovery time from security events, aligning with defined recovery objectives (system uptime & data integrity) as required by FedRAMP's contingency planning expectations.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 134,
                "name": "Security Patches Auto-Applied on Employee Computers",
                "status": "PASSED",
                "description": "Drata validated that all employee devices are configured to apply  system security patches automatically.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 65,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-166",
          "control_name": "Business Continuity Plan",
          "control_description": "Sustainment Technologies Inc has a defined Business Continuity Plan that outlines the proper procedures to respond, recover, resume, and restore operations following a disruption or significant change.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.834Z",
          "updated_at": "2025-11-24T13:51:38.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-166-policy",
              "name": "Policy Documentation - Business Continuity Plan (DCF-166)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183934+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 91,
          "explanation": "This Business Continuity Plan (BCP) directly addresses KSI-RPL-TRC by demonstrating persistent testing of recovery capabilities Ã¢â‚¬â€œ the plan *outlines* procedures for responding to and restoring operations after disruptions, aligning with defined recovery objectives. The BCP, linked to NIST controls focused on contingency planning and incident response, proves STI proactively prepares for and validates its ability to recover from incidents as FedRAMP requires.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' Incident Response Plan and Disaster Recovery Plan require persistent testing of recovery capabilities. This is implemented through annual BCP/DR exercises, incident response team exercises, automated patching to maintain recovery environment readiness, daily backup validation, and secure offline media storage that is tested for recoverability. Drata monitors that recovery controls remain active and backup execution is on schedule, while annual testing validates that actual recovery performance aligns with the defined RTO and RPO objectives.\n### Key Controls\n- [OK] Disaster Recovery Plan (DCF-25)\n- [OK] Incident Response Team (DCF-29)\n- [OK] Backup Policy (DCF-169)\n- [OK] Incident Response Plan (DCF-159)\n- [OK] Daily Database Backups (DCF-77)\n- [OK] BCP/DR Tests Conducted Annually (DCF-26)\n- [OK] Security Patches Automatically Applied (DCF-51)\n- [OK] Business Continuity Plan (DCF-166)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:54.732255+00:00",
      "ksi_name": "Testing Recovery Capabilities",
      "category": "RPL",
      "statement": "Persistently test the capability to recover from incidents and contingencies, including alignment with defined recovery objectives.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/recovery-planning/",
      "nist_controls": [
        "CP-2.1",
        "CP-2.3",
        "CP-4",
        "CP-4.1",
        "CP-6",
        "CP-6.1",
        "CP-9.1",
        "CP-10",
        "IR-3",
        "IR-3.2"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment persistently tests recovery capabilities through annual BCP/DR exercises, incident response team exercises, and validated backup procedures to ensure the organization can recover from disruptions.",
        "failure_condition": "Recovery test failed or not conducted within 12 months will cause a failure of the test. Additionally, a disaster recovery plan, incident response plan, incident response team, backup policy, daily database backups, annual BCP/DR tests, security of offline media storage, automated security patching, and a business continuity plan must be in place to ensure recovery capabilities are validated and effective."
      },
      "outcome_metrics": [
        {
          "statement": "Recovery capabilities are tested and results documented with pass criteria",
          "metric_name": "Validation",
          "target_value": "Full recovery test annually; restore test quarterly; all tests meet RTO/RPO",
          "target_unit": "",
          "frequency": "Quarterly (restore) / Annually (full)",
          "source": "Recovery test reports; restore test results; tabletop exercise records",
          "notes": "Recovery test not completed on schedule or failed to meet RTO/RPO target"
        }
      ],
      "monitoring": {
        "total_tests": 6,
        "passed": 6,
        "failed": 0,
        "controls_with_monitoring": 6,
        "monitoring_coverage": 66.7,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-SVC-ACM",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:20:00.205644+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-29 (DCF-29)",
          "control_id": "DCF-29",
          "status": "Passing",
          "description": "Drata control status for DCF-29",
          "date": "2026-07-02T13:20:00.205644+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-78 (DCF-78)",
          "control_id": "DCF-78",
          "status": "Passing",
          "description": "Drata control status for DCF-78",
          "date": "2026-07-02T13:20:00.205644+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-40 (DCF-40)",
          "control_id": "DCF-40",
          "status": "Passing",
          "description": "Drata control status for DCF-40",
          "date": "2026-07-02T13:20:00.205644+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-12 (DCF-12)",
          "control_id": "DCF-12",
          "status": "Passing",
          "description": "Drata control status for DCF-12",
          "date": "2026-07-02T13:20:00.205644+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-13 (DCF-13)",
          "control_id": "DCF-13",
          "status": "Passing",
          "description": "Drata control status for DCF-13",
          "date": "2026-07-02T13:20:00.205644+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-34 (DCF-34)",
          "control_id": "DCF-34",
          "status": "Passing",
          "description": "Drata control status for DCF-34",
          "date": "2026-07-02T13:20:00.205644+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-567 (DCF-567)",
          "control_id": "DCF-567",
          "status": "Passing",
          "description": "Drata control status for DCF-567",
          "date": "2026-07-02T13:20:00.205644+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-176 (DCF-176)",
          "control_id": "DCF-176",
          "status": "Passing",
          "description": "Drata control status for DCF-176",
          "date": "2026-07-02T13:20:00.205644+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-147 (DCF-147)",
          "control_id": "DCF-147",
          "status": "Passing",
          "description": "Drata control status for DCF-147",
          "date": "2026-07-02T13:20:00.205644+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-SVC-ACM",
          "control_name": "Custom Automated Check: KSI-SVC-ACM",
          "control_description": "9/9 mapped controls passing; Sustainment Technologies' Change Management Policy and Information Security Policy require that configuration of all machine-based information resources is managed through automation. This is implemented through baseline configuration and hardening standards, automated monitoring plans, versioned storage buckets, and defined contractor requirements for configuration management practices. Drata monitors configuration controls and the Security Steering Committee reviews automation coverage, while the incident response team is engaged when unauthorized configuration changes are detected.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:20:00.205644+00:00",
          "updated_at": "2026-07-02T13:20:00.205644+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:20:00.205644+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-29 (DCF-29)",
              "description": "Drata control status for DCF-29",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.205644+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183942+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-78 (DCF-78)",
              "description": "Drata control status for DCF-78",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.205644+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183949+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-40 (DCF-40)",
              "description": "Drata control status for DCF-40",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.205644+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183955+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-12 (DCF-12)",
              "description": "Drata control status for DCF-12",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.205644+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183961+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-13 (DCF-13)",
              "description": "Drata control status for DCF-13",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.205644+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183968+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-34 (DCF-34)",
              "description": "Drata control status for DCF-34",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.205644+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183974+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-567 (DCF-567)",
              "description": "Drata control status for DCF-567",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.205644+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183981+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-176 (DCF-176)",
              "description": "Drata control status for DCF-176",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.205644+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183987+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-147 (DCF-147)",
              "description": "Drata control status for DCF-147",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.205644+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.183993+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 8,
            "passed": 8,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:42.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              },
              {
                "test_id": 39,
                "name": "Cloud Storage Buckets Versioned",
                "status": "PASSED",
                "description": "Drata validated that cloud storage buckets have versioning enabled.",
                "last_run": "2026-07-01T18:28:42.000Z",
                "test_definition_id": 108,
                "enabled": true
              },
              {
                "test_id": 59,
                "name": "Contractor Background Checks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that all new contractors had completed background checks upon hire.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 50,
                "enabled": true
              },
              {
                "test_id": 58,
                "name": "Contractors Acknowledge the Acceptable Use Policy",
                "status": "PASSED",
                "description": "Drata confirmed that assigned contractors have acknowledged the Acceptable Use Policy.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 49,
                "enabled": true
              },
              {
                "test_id": 57,
                "name": "Contractors Acknowledge The Code of Conduct",
                "status": "PASSED",
                "description": "Drata confirmed that assigned contractors have acknowledged the Code of Conduct.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 48,
                "enabled": true
              },
              {
                "test_id": 82,
                "name": "Information Security Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Information Security Policy and confirmed that it covers policies and procedures to support the functioning of internal control.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 16,
                "enabled": true
              },
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              },
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-29",
              "DCF-78",
              "DCF-40",
              "DCF-12",
              "DCF-13",
              "DCF-34",
              "DCF-567",
              "DCF-176",
              "DCF-147"
            ]
          }
        },
        {
          "control_id": "DCF-29",
          "control_name": "Incident Response Team",
          "control_description": "Sustainment Technologies Inc has identified an incident response team that quantifies and monitors incidents involving security, availability, processing integrity, and confidentiality at the company.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.562Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-29-evidence",
              "name": "Incident Response Team (DCF-29)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184000+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-owner",
              "name": "Assigned Control Owner - Incident Response Team (DCF-29)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184006+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-monitoring",
              "name": "Continuous Monitoring - Incident Response Team (DCF-29)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184013+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 74,
          "explanation": "While seemingly unrelated, the Incident Response Team (IRT) directly supports KSI-SVC-ACM by enabling *automated* response to configuration drifts detected during incident investigation. The IRT's monitoring and quantification of incidents (including those stemming from misconfigurations Ã¢â‚¬â€œ covered by SI-5) allows for scripting and automating remediation steps, fulfilling the requirement to manage configurations via automation. Essentially, incident detection *triggers* automated configuration correction as part of the response process.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-78",
          "control_name": "Storage Buckets are Versioned",
          "control_description": "Storage buckets that contain customer data are versioned.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.928Z",
          "updated_at": "2026-05-16T21:24:19.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-78-evidence",
              "name": "Storage Buckets are Versioned (DCF-78)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184020+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-78-owner",
              "name": "Assigned Control Owner - Storage Buckets are Versioned (DCF-78)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184027+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-78-monitoring",
              "name": "Continuous Monitoring - Storage Buckets are Versioned (DCF-78)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184033+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 26,
          "explanation": "Drata's \"Storage Buckets are Versioned\" control directly addresses KSI-SVC-ACM by automating a key aspect of configuration management Ã¢â‚¬â€œ data retention and recovery. Versioning automatically maintains historical versions of data, providing an automated audit trail and rollback capability, fulfilling the requirement to manage machine-based information resources (storage buckets) through automation. This aligns with NIST CM-2 by supporting change control and configuration baselines.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:42.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 39,
                "name": "Cloud Storage Buckets Versioned",
                "status": "PASSED",
                "description": "Drata validated that cloud storage buckets have versioning enabled.",
                "last_run": "2026-07-01T18:28:42.000Z",
                "test_definition_id": 108,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-40",
          "control_name": "Contractor Requirements",
          "control_description": "Sustainment Technologies Inc requires its contractors to read and acknowledge the Code of Conduct, read and acknowledge the Acceptable Use Policy, and pass a background check.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.179Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:36.841Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-40-owner",
              "name": "Assigned Control Owner - Contractor Requirements (DCF-40)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184040+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-40-monitoring",
              "name": "Continuous Monitoring - Contractor Requirements (DCF-40)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184046+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-40-policy",
              "name": "Policy Documentation - Contractor Requirements (DCF-40)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184052+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 42,
          "explanation": "This Drata control partially addresses KSI-SVC-ACM by establishing baseline security expectations for *individuals* accessing systems that *manage* configurations Ã¢â‚¬â€œ effectively a component of automated configuration management. While not directly automating configuration *itself*, ensuring vetted contractors adhere to policies (like acceptable use) reduces the risk of unauthorized or malicious changes to those automated systems, supporting overall configuration integrity. It contributes to the \"manage\" aspect of the requirement through personnel security.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 59,
                "name": "Contractor Background Checks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that all new contractors had completed background checks upon hire.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 50,
                "enabled": true
              },
              {
                "test_id": 58,
                "name": "Contractors Acknowledge the Acceptable Use Policy",
                "status": "PASSED",
                "description": "Drata confirmed that assigned contractors have acknowledged the Acceptable Use Policy.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 49,
                "enabled": true
              },
              {
                "test_id": 57,
                "name": "Contractors Acknowledge The Code of Conduct",
                "status": "PASSED",
                "description": "Drata confirmed that assigned contractors have acknowledged the Code of Conduct.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 48,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-12",
          "control_name": "Baseline Configuration and Hardening Standards",
          "control_description": "Sustainment Technologies Inc has identified and documented baseline security configuration standards for all system components in accordance with industry-accepted hardening standards or vendor recommendations. These standards are reviewed periodically and updated as needed (e.g., when vulnerabiliti",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.743Z",
          "updated_at": "2025-11-24T13:51:40.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-12-evidence",
              "name": "Baseline Configuration and Hardening Standards (DCF-12)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184059+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-12-policy",
              "name": "Policy Documentation - Baseline Configuration and Hardening Standards (DCF-12)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184066+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 93,
          "explanation": "Drata's \"Baseline Configuration and Hardening Standards\" control directly addresses KSI-SVC-ACM by demonstrating automated configuration management. Documenting and maintaining baseline configurations – aligned with industry standards – ensures systems are consistently hardened *and* provides a foundation for automated deployment and monitoring of those configurations, satisfying the requirement for automation in managing machine resources. This proactive approach moves beyond manual configuration to a more scalable and secure state.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-13",
          "control_name": "Information Security Policy",
          "control_description": "Sustainment Technologies Inc has a defined Information Security Policy that covers policies and procedures to support the functioning of internal control.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.144Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:39.174Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-13-owner",
              "name": "Assigned Control Owner - Information Security Policy (DCF-13)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184072+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-13-monitoring",
              "name": "Continuous Monitoring - Information Security Policy (DCF-13)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184078+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-13-policy",
              "name": "Policy Documentation - Information Security Policy (DCF-13)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184084+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 64,
          "explanation": "Drata's \"Information Security Policy\" satisfies KSI-SVC-ACM by demonstrating a foundational policy framework that *enables* automated configuration management. While the policy itself isn’t automation, it establishes the *governance* necessary to support and enforce automated tooling for consistent and secure system configurations – a key element of FedRAMP's KSI requirement. It links to NIST PL-10, which focuses on policy for information system security, further solidifying this connection.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 82,
                "name": "Information Security Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Information Security Policy and confirmed that it covers policies and procedures to support the functioning of internal control.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 16,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-34",
          "control_name": "Security Team/Steering Committee",
          "control_description": "Sustainment Technologies Inc has an assigned security team that is responsible for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.883Z",
          "updated_at": "2026-05-16T21:24:18.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:40.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-34-owner",
              "name": "Assigned Control Owner - Security Team/Steering Committee (DCF-34)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184091+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-monitoring",
              "name": "Continuous Monitoring - Security Team/Steering Committee (DCF-34)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184097+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-34-policy",
              "name": "Policy Documentation - Security Team/Steering Committee (DCF-34)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-16T21:24:18.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184103+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 49,
          "explanation": "This Drata control satisfies KSI-SVC-ACM by demonstrating a dedicated team responsible for *defining* and *maintaining* security baselines – a core component of automated configuration management. While not automation *itself*, the Security Team/Steering Committee establishes the policies and standards that *enable* automated tools to enforce consistent configurations across systems, fulfilling the requirement to manage configurations using automation. Essentially, they govern the \"what\" of configuration, allowing for automated \"how.\"",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:18.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 69,
                "name": "Security Team Designated",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that they identify individuals responsible for the security of the company's operations, services, and systems.",
                "last_run": "2026-07-01T18:27:18.000Z",
                "test_definition_id": 40,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-567",
          "control_name": "Change Management Policy",
          "control_description": "Sustainment Technologies Inc has a defined Change Management Policy that covers policies and procedures to manage changes across the organization in a well-communicated, planned and predictable manner that minimizes unplanned outages and unforeseen system issues.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:11.091Z",
          "updated_at": "2025-11-24T18:38:44.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-567-policy",
              "name": "Policy Documentation - Change Management Policy (DCF-567)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:44.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184110+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 585,
          "explanation": "Drata's Change Management Policy satisfies KSI-SVC-ACM by demonstrating a documented, planned process for modifying system configurations – a core aspect of automated configuration management. This policy ensures changes are controlled & predictable, minimizing risks associated with unplanned configuration drift, which directly supports FedRAMP's requirement for automated management of machine resources. Essentially, a controlled change process *is* a foundational element of automating configuration.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-176",
          "control_name": "Monitoring Plan",
          "control_description": "Sustainment Technologies Inc has a defined process for evaluating information security performance and the effectiveness of its information security program.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:42.904Z",
          "updated_at": "2025-11-24T18:38:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-176-monitoring",
              "name": "Continuous Monitoring - Monitoring Plan (DCF-176)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T18:38:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184124+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-176-policy",
              "name": "Policy Documentation - Monitoring Plan (DCF-176)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:53.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184131+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 175,
          "explanation": "The Drata \"Monitoring Plan\" control satisfies KSI-SVC-ACM by demonstrating a continuous evaluation of the system's security posture, which inherently includes automated configuration monitoring as part of assessing overall effectiveness. Regularly reviewing security performance (via the plan) confirms configurations are maintained as intended through automation, fulfilling the requirement to *manage* those configurations programmatically rather than manually. This ties directly to NIST CM-6 (Configuration Settings) and CM-2 (Baseline Configuration) as part of ongoing system maintenance.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-147",
          "control_name": "Physical Access to Facilities is Protected",
          "control_description": "Sustainment Technologies Inc has security policies that have been approved by management and detail how physical access to the company's headquarters is maintained. These policies are accessible to all employees and contractors.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:39.180Z",
          "updated_at": "2026-06-29T18:42:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": 140,
              "name": "No offices Memo",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/140_No offices Memo.pdf",
              "updated_at": "2026-01-09T13:34:01.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184369+00:00",
                "status": "not_hashed",
                "reason": "local_file_not_found",
                "source": "evidence/documents/140_No offices Memo.pdf"
              }
            },
            {
              "id": "DCF-147-owner",
              "name": "Assigned Control Owner - Physical Access to Facilities is Protected (DCF-147)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-29T18:42:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184378+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 104,
          "explanation": "While seemingly unrelated, \"Physical Access to Facilities is Protected\" supports KSI-SVC-ACM by demonstrating a foundational element of configuration *security*. Controlled physical access prevents unauthorized modification of systems *within* those facilities, ensuring automated configuration management (as per KSI-SVC-ACM) isn't undermined by physical tampering – effectively protecting the integrity of those automated configurations. This aligns with CM-2’s focus on baseline configurations and change control.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' Change Management Policy and Information Security Policy require that configuration of all machine-based information resources is managed through automation. This is implemented through baseline configuration and hardening standards, automated monitoring plans, versioned storage buckets, and defined contractor requirements for configuration management practices. Drata monitors configuration controls and the Security Steering Committee reviews automation coverage, while the incident response team is engaged when unauthorized configuration changes are detected.\n### Key Controls\n- [OK] Incident Response Team (DCF-29)\n- [OK] Storage Buckets are Versioned (DCF-78)\n- [OK] Contractor Requirements (DCF-40)\n- [OK] Baseline Configuration and Hardening Standards (DCF-12)\n- [OK] Information Security Policy (DCF-13)\n- [OK] Security Team/Steering Committee (DCF-34)\n- [OK] Change Management Policy (DCF-567)\n- [OK] Monitoring Plan (DCF-176)\n- [OK] Physical Access to Facilities is Protected (DCF-147)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:20:00.205644+00:00",
      "ksi_name": "Automating Configuration Management",
      "category": "SVC",
      "statement": "Manage configuration of machine-based information resources using automation.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/service-configuration/",
      "nist_controls": [
        "AC-2.4",
        "CM-2",
        "CM-2.2",
        "CM-2.3",
        "CM-6",
        "CM-7.1",
        "PL-9",
        "PL-10",
        "SA-5",
        "SI-5",
        "SR-10"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment manages configuration of all machine-based information resources through automation, including baseline configurations, hardening standards, versioned storage, and a documented change management policy.",
        "failure_condition": "Configuration changes not managed through automation, manual configuration detected, or deviation from baseline hardening standards will cause a failure of the test. Additionally, a change management policy, information security policy, baseline configuration and hardening standards, versioned storage, a monitoring plan, and a security steering committee must be in place to ensure configuration management is automated and consistent."
      },
      "outcome_metrics": [
        {
          "statement": "All service configurations managed via automation with no manual drift",
          "metric_name": "Integrity",
          "target_value": "0 configuration drift; 100% of configs managed by IaC or config management tool",
          "target_unit": "",
          "frequency": "Daily",
          "source": "IaC state audit; config management tool reports; drift detection alerts",
          "notes": "Configuration drift detected; manual config change outside IaC process"
        }
      ],
      "monitoring": {
        "total_tests": 8,
        "passed": 8,
        "failed": 0,
        "controls_with_monitoring": 6,
        "monitoring_coverage": 60.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-SVC-ASM",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:53.855433+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-284 (DCF-284)",
          "control_id": "DCF-284",
          "status": "Passing",
          "description": "Drata control status for DCF-284",
          "date": "2026-07-02T13:19:53.855433+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-274 (DCF-274)",
          "control_id": "DCF-274",
          "status": "Passing",
          "description": "Drata control status for DCF-274",
          "date": "2026-07-02T13:19:53.855433+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-181 (DCF-181)",
          "control_id": "DCF-181",
          "status": "Passing",
          "description": "Drata control status for DCF-181",
          "date": "2026-07-02T13:19:53.855433+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-53 (DCF-53)",
          "control_id": "DCF-53",
          "status": "Passing",
          "description": "Drata control status for DCF-53",
          "date": "2026-07-02T13:19:53.855433+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-72 (DCF-72)",
          "control_id": "DCF-72",
          "status": "Passing",
          "description": "Drata control status for DCF-72",
          "date": "2026-07-02T13:19:53.855433+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-93 (DCF-93)",
          "control_id": "DCF-93",
          "status": "Passing",
          "description": "Drata control status for DCF-93",
          "date": "2026-07-02T13:19:53.855433+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-68 (DCF-68)",
          "control_id": "DCF-68",
          "status": "Passing",
          "description": "Drata control status for DCF-68",
          "date": "2026-07-02T13:19:53.855433+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-92 (DCF-92)",
          "control_id": "DCF-92",
          "status": "Passing",
          "description": "Drata control status for DCF-92",
          "date": "2026-07-02T13:19:53.855433+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-SVC-ASM",
          "control_name": "Custom Automated Check: KSI-SVC-ASM",
          "control_description": "8/8 mapped controls passing; Sustainment Technologies' Encryption Policy and Cryptography Policies require automated management, protection, and regular rotation of all digital keys, certificates, and secrets. This is implemented through managed credential keys, key and certificate validation procedures, secure key generation, unique SSH key management, and encrypted remote access. Drata monitors encryption policy compliance, credential key management status, and password policy enforcement — ensuring that secrets are rotated on schedule and stored securely.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:53.855433+00:00",
          "updated_at": "2026-07-02T13:19:53.855433+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:53.855433+00:00",
          "requirements_updated_at": "",
          "evidence_count": 8,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-284 (DCF-284)",
              "description": "Drata control status for DCF-284",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:53.855433+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184387+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-274 (DCF-274)",
              "description": "Drata control status for DCF-274",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:53.855433+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184393+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-181 (DCF-181)",
              "description": "Drata control status for DCF-181",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:53.855433+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184400+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-53 (DCF-53)",
              "description": "Drata control status for DCF-53",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:53.855433+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184407+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-72 (DCF-72)",
              "description": "Drata control status for DCF-72",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:53.855433+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184413+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-93 (DCF-93)",
              "description": "Drata control status for DCF-93",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:53.855433+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184419+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-68 (DCF-68)",
              "description": "Drata control status for DCF-68",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:53.855433+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184426+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-92 (DCF-92)",
              "description": "Drata control status for DCF-92",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:53.855433+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184432+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 119,
                "name": "Security Policies Cover Encryption",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they explain the procedures for encrypting sensitive data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 127,
                "enabled": true
              },
              {
                "test_id": 85,
                "name": "Cryptography Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's cryptography policies and confirmed that they list resources that employees may access to ensure they understand the procedures and their responsibilities.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 67,
                "enabled": true
              },
              {
                "test_id": 34,
                "name": "Internal Password Policy for Employees",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's internal policy that governs the passwords employees set across services.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 89,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-284",
              "DCF-274",
              "DCF-181",
              "DCF-53",
              "DCF-72",
              "DCF-93",
              "DCF-68",
              "DCF-92"
            ]
          }
        },
        {
          "control_id": "DCF-284",
          "control_name": "Key and Certificate Validation",
          "control_description": "Sustainment Technologies Inc has implemented security protocols so that only trusted keys and/or certificates are accepted during transmission of sensitive data that are confirmed valid and not expired or revoked.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:54.229Z",
          "updated_at": "2025-12-04T21:08:14.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-284-policy",
              "name": "Policy Documentation - Key and Certificate Validation (DCF-284)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-12-04T21:08:14.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184439+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 311,
          "explanation": "This Drata control directly addresses KSI-SVC-ASM by ensuring only valid, non-expired, and non-revoked keys/certificates are used for sensitive data transmission – automating key/certificate *validation* as the requirement dictates. By confirming trust *before* use, Sustainment Technologies Inc. demonstrably manages and protects these secrets, fulfilling the need for automated, regular rotation (implied through ongoing validation) and preventing compromised credentials from being utilized. This aligns with NIST SC-17's focus on secure cryptographic key establishment.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-274",
          "control_name": "Secure Key Generation Procedure",
          "control_description": "Sustainment Technologies Inc's cryptographic key procedures include secure cryptographic key distribution",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:53.928Z",
          "updated_at": "2026-05-03T13:11:50.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": 154,
              "name": "Key Management Proceedures",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/154_Key Management Proceedures.pdf",
              "updated_at": "2026-04-28T16:09:37.826Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184623+00:00",
                "status": "hashed",
                "sha256": "867194645574e705b641f0bbf4d09b7dbc108787642b042c7d0ed62ea1df3d63",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/154_Key Management Proceedures.pdf",
                "filename": "154_Key Management Proceedures.pdf",
                "size_bytes": 317122,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            }
          ],
          "drata_control_id": 301,
          "explanation": "Drata's \"Secure Key Generation Procedure\" satisfies KSI-SVC-ASM by demonstrating a defined process for creating, distributing, and managing cryptographic keys – a core component of automating secrets management. This procedure, linked to NIST SC-17 (Security Planning), ensures keys are handled securely throughout their lifecycle, fulfilling the FedRAMP requirement for regular rotation and protection of digital keys and certificates. Essentially, it proves a *how* for automated key lifecycle management.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-181",
          "control_name": "Encryption Policy",
          "control_description": "Sustainment Technologies Inc has a defined policy that establishes requirements for the use of cryptographic controls.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.777Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-181-owner",
              "name": "Assigned Control Owner - Encryption Policy (DCF-181)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184897+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-181-monitoring",
              "name": "Continuous Monitoring - Encryption Policy (DCF-181)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184903+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-181-policy",
              "name": "Policy Documentation - Encryption Policy (DCF-181)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184908+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 100,
          "explanation": "Drata's \"Encryption Policy\" satisfies KSI-SVC-ASM by demonstrating a foundational element of secure key management – a documented, defined process for cryptographic control usage. This policy outlines *how* Sustainment Technologies Inc. manages and protects keys (including rotation), addressing the \"management and protection\" aspects of the FedRAMP requirement, and sets the stage for technical implementation detailed elsewhere. While not automation itself, the policy is a necessary precursor and proves organizational commitment to automating key lifecycle management as required by KSI-SVC-ASM.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 119,
                "name": "Security Policies Cover Encryption",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they explain the procedures for encrypting sensitive data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 127,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-53",
          "control_name": "Cryptography Policies",
          "control_description": "Sustainment Technologies Inc has an established policy and procedures that governs the use of cryptographic controls.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.157Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-53-owner",
              "name": "Assigned Control Owner - Cryptography Policies (DCF-53)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184915+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-53-monitoring",
              "name": "Continuous Monitoring - Cryptography Policies (DCF-53)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184920+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-53-policy",
              "name": "Policy Documentation - Cryptography Policies (DCF-53)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184926+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 67,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 85,
                "name": "Cryptography Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's cryptography policies and confirmed that they list resources that employees may access to ensure they understand the procedures and their responsibilities.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 67,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-72",
          "control_name": "Unique SSH",
          "control_description": "SSH users use unique accounts to access production machines. Additionally, the use of the “Root” account is not allowed.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:39.720Z",
          "updated_at": "2026-04-29T16:53:43.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-72-evidence",
              "name": "Unique SSH (DCF-72)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T16:53:43.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184933+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-72-owner",
              "name": "Assigned Control Owner - Unique SSH (DCF-72)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T16:53:43.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184939+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-72-policy",
              "name": "Policy Documentation - Unique SSH (DCF-72)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T16:53:43.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184945+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 107,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-93",
          "control_name": "Credential Keys Managed",
          "control_description": "Sustainment Technologies Inc has an established key management process in place to support the organization's use of cryptographic techniques.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.773Z",
          "updated_at": "2026-04-30T19:27:08.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-93-evidence",
              "name": "Credential Keys Managed (DCF-93)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-30T19:27:08.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184951+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-93-owner",
              "name": "Assigned Control Owner - Credential Keys Managed (DCF-93)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-30T19:27:08.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184957+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-93-monitoring",
              "name": "Continuous Monitoring - Credential Keys Managed (DCF-93)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-30T19:27:08.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184963+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 99,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 119,
                "name": "Security Policies Cover Encryption",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they explain the procedures for encrypting sensitive data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 127,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-68",
          "control_name": "Password Policy",
          "control_description": "Sustainment Technologies Inc has established formal guidelines for passwords to govern the management and use of authentication mechanisms.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.917Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-68-owner",
              "name": "Assigned Control Owner - Password Policy (DCF-68)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184969+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-68-monitoring",
              "name": "Continuous Monitoring - Password Policy (DCF-68)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184975+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-68-policy",
              "name": "Policy Documentation - Password Policy (DCF-68)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184981+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 24,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 34,
                "name": "Internal Password Policy for Employees",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's internal policy that governs the passwords employees set across services.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 89,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-92",
          "control_name": "Encrypted Remote Production Access",
          "control_description": "Users can only access the production system remotely through the use of encrypted communication systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.934Z",
          "updated_at": "2025-11-24T13:51:26.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-92-evidence",
              "name": "Encrypted Remote Production Access (DCF-92)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184988+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-92-owner",
              "name": "Assigned Control Owner - Encrypted Remote Production Access (DCF-92)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.184994+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-92-policy",
              "name": "Policy Documentation - Encrypted Remote Production Access (DCF-92)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185000+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 27,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' Encryption Policy and Cryptography Policies require automated management, protection, and regular rotation of all digital keys, certificates, and secrets. This is implemented through managed credential keys, key and certificate validation procedures, secure key generation, unique SSH key management, and encrypted remote access. Drata monitors encryption policy compliance, credential key management status, and password policy enforcement — ensuring that secrets are rotated on schedule and stored securely.\n### Key Controls\n- [OK] Key and Certificate Validation (DCF-284)\n- [OK] Secure Key Generation Procedure (DCF-274)\n- [OK] Encryption Policy (DCF-181)\n- [OK] Cryptography Policies (DCF-53)\n- [OK] Unique SSH (DCF-72)\n- [OK] Credential Keys Managed (DCF-93)\n- [OK] Password Policy (DCF-68)\n- [OK] Encrypted Remote Production Access (DCF-92)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:53.855433+00:00",
      "ksi_name": "Automating Secret Management",
      "category": "SVC",
      "statement": "Automate management, protection, and regular rotation of digital keys, certificates, and other secrets.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/service-configuration/",
      "nist_controls": [
        "AC-17.2",
        "IA-5.2",
        "IA-5.6",
        "SC-12",
        "SC-17"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment automates the management, protection, and regular rotation of all digital keys, certificates, and secrets through managed credential keys, encryption policies, and secure key generation procedures.",
        "failure_condition": "A secret or key not rotated within the policy period, an expired certificate in use, or failure to validate key and certificate integrity will cause a failure of the test. Additionally, encryption policies, cryptography policies, unique SSH keys, secure key generation procedures, managed credential keys, encrypted remote production access, and password policy enforcement must be in place to ensure secrets are securely managed and rotated."
      },
      "outcome_metrics": [
        {
          "statement": "All secrets managed in approved vaults with rotation enforced",
          "metric_name": "Integrity",
          "target_value": "0 hardcoded secrets; 100% of secrets in approved manager; rotation within policy window",
          "target_unit": "",
          "frequency": "Weekly",
          "source": "Secrets scanning (CI/CD + repo); secrets manager audit; rotation logs",
          "notes": "Hardcoded secret detected; secret not rotated within policy window"
        }
      ],
      "monitoring": {
        "total_tests": 4,
        "passed": 4,
        "failed": 0,
        "controls_with_monitoring": 4,
        "monitoring_coverage": 44.4,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-SVC-EIS",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:56.359665+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-80 (DCF-80)",
          "control_id": "DCF-80",
          "status": "Passing",
          "description": "Drata control status for DCF-80",
          "date": "2026-07-02T13:19:56.359665+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-79 (DCF-79)",
          "control_id": "DCF-79",
          "status": "Passing",
          "description": "Drata control status for DCF-79",
          "date": "2026-07-02T13:19:56.359665+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-159 (DCF-159)",
          "control_id": "DCF-159",
          "status": "Passing",
          "description": "Drata control status for DCF-159",
          "date": "2026-07-02T13:19:56.359665+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-21 (DCF-21)",
          "control_id": "DCF-21",
          "status": "Passing",
          "description": "Drata control status for DCF-21",
          "date": "2026-07-02T13:19:56.359665+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-81 (DCF-81)",
          "control_id": "DCF-81",
          "status": "Passing",
          "description": "Drata control status for DCF-81",
          "date": "2026-07-02T13:19:56.359665+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-82 (DCF-82)",
          "control_id": "DCF-82",
          "status": "Passing",
          "description": "Drata control status for DCF-82",
          "date": "2026-07-02T13:19:56.359665+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-560 (DCF-560)",
          "control_id": "DCF-560",
          "status": "Passing",
          "description": "Drata control status for DCF-560",
          "date": "2026-07-02T13:19:56.359665+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-182 (DCF-182)",
          "control_id": "DCF-182",
          "status": "Passing",
          "description": "Drata control status for DCF-182",
          "date": "2026-07-02T13:19:56.359665+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-92 (DCF-92)",
          "control_id": "DCF-92",
          "status": "Passing",
          "description": "Drata control status for DCF-92",
          "date": "2026-07-02T13:19:56.359665+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-SVC-EIS",
          "control_name": "Custom Automated Check: KSI-SVC-EIS",
          "control_description": "9/9 mapped controls passing; Sustainment Technologies' security policies require persistent evaluation of information resources for opportunities to improve security posture. This is implemented through centralized log management with anomalous behavior detection, database and messaging queue monitoring with alerting, incident response integration for discovered issues, and architectural documentation that identifies improvement areas. Drata monitors these controls continuously, providing the data-driven insights needed to identify security gaps and validate that implemented improvements are effective.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:56.359665+00:00",
          "updated_at": "2026-07-02T13:19:56.359665+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:56.359665+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-80 (DCF-80)",
              "description": "Drata control status for DCF-80",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.359665+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185007+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-79 (DCF-79)",
              "description": "Drata control status for DCF-79",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.359665+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185012+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-159 (DCF-159)",
              "description": "Drata control status for DCF-159",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.359665+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185018+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-21 (DCF-21)",
              "description": "Drata control status for DCF-21",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.359665+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185024+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-81 (DCF-81)",
              "description": "Drata control status for DCF-81",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.359665+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185030+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-82 (DCF-82)",
              "description": "Drata control status for DCF-82",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.359665+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185035+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-560 (DCF-560)",
              "description": "Drata control status for DCF-560",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.359665+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185041+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-182 (DCF-182)",
              "description": "Drata control status for DCF-182",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.359665+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185047+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-92 (DCF-92)",
              "description": "Drata control status for DCF-92",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:56.359665+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185052+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 9,
            "passed": 9,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:02.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              },
              {
                "test_id": 140,
                "name": "Only Authorized Users can Access Log Sinks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of the system that collects and stores server logs and confirmed that it only accepts connections from authorized users.",
                "last_run": "2026-07-01T18:27:22.000Z",
                "test_definition_id": 110,
                "enabled": true
              },
              {
                "test_id": 139,
                "name": "Logs are Centrally Stored",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are centrally stored.",
                "last_run": "2026-07-01T18:27:24.000Z",
                "test_definition_id": 109,
                "enabled": true
              },
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              },
              {
                "test_id": 3,
                "name": "Database Read I/O Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that read I/O is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 114,
                "enabled": true
              },
              {
                "test_id": 2,
                "name": "Database Free Storage Space Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that free storage space is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 113,
                "enabled": true
              },
              {
                "test_id": 1,
                "name": "Database CPU Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that server CPU use is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 112,
                "enabled": true
              },
              {
                "test_id": 4,
                "name": "Messaging Queue Message Age Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's messaging queue monitoring configurations and confirmed that message age is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:59.000Z",
                "test_definition_id": 115,
                "enabled": true
              },
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-80",
              "DCF-79",
              "DCF-159",
              "DCF-21",
              "DCF-81",
              "DCF-82",
              "DCF-560",
              "DCF-182",
              "DCF-92"
            ]
          }
        },
        {
          "control_id": "DCF-80",
          "control_name": "Log Management System",
          "control_description": "Sustainment Technologies Inc uses logging software that sends alerts to appropriate personnel. Corrective actions are performed, as necessary, in a timely manner.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.779Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 151,
              "name": "DataDog Security alerts sample",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/151_DataDog Security alerts sample.csv",
              "updated_at": "2026-03-02T15:57:18.424Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185244+00:00",
                "status": "hashed",
                "sha256": "3a6f138a1019b8d39d01a2e02dc11e84fa1a8b504f306fadf42619746948a934",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/151_DataDog Security alerts sample.csv",
                "filename": "151_DataDog Security alerts sample.csv",
                "size_bytes": 82445,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-80-owner",
              "name": "Assigned Control Owner - Log Management System (DCF-80)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185334+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-80-monitoring",
              "name": "Continuous Monitoring - Log Management System (DCF-80)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185341+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 123,
          "explanation": "This Log Management System directly addresses KSI-SVC-EIS by providing the \"persistent evaluation of information resources\" through continuous log monitoring and alerting. When alerts trigger \"corrective actions,\" it demonstrates implemented improvements based on identified security opportunities – fulfilling the FedRAMP requirement for proactive security enhancement. The system’s alignment with NIST SI-4 (System Monitoring) further validates its effectiveness in ongoing security evaluation and response.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:25.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 141,
                "name": "Logs are Retained for 365 Days",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are retained for 365 days.",
                "last_run": "2026-07-01T18:27:25.000Z",
                "test_definition_id": 111,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-79",
          "control_name": "Logs Centrally Stored",
          "control_description": "Sustainment Technologies Inc uses a system that collects and stores server logs in a central location. The system can be queried in an ad hoc fashion by authorized users.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:40.775Z",
          "updated_at": "2026-06-30T12:57:13.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 13,
              "name": "Logs Centrally Stored",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/13_Logs Centrally Stored.csv",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185514+00:00",
                "status": "hashed",
                "sha256": "bb85025771956bff33f960b28f614e1447bd02e93a2f0ba842f12abe7e375706",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/13_Logs Centrally Stored.csv",
                "filename": "13_Logs Centrally Stored.csv",
                "size_bytes": 145,
                "modified_at": "2026-07-02T13:17:00+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-79-owner",
              "name": "Assigned Control Owner - Logs Centrally Stored (DCF-79)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-30T12:57:13.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185545+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-79-monitoring",
              "name": "Continuous Monitoring - Logs Centrally Stored (DCF-79)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-30T12:57:13.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185552+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 122,
          "explanation": "Drata's \"Logs Centrally Stored\" control satisfies KSI-SVC-EIS by enabling persistent monitoring and evaluation of information resources. Centralized logging provides the data necessary to identify security trends, vulnerabilities, and areas for improvement – fulfilling the requirement for ongoing security enhancement based on evaluation. This aligns with NIST SI-4 (System Monitoring) as it supports proactive security monitoring and incident detection.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:24.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 140,
                "name": "Only Authorized Users can Access Log Sinks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's configuration of the system that collects and stores server logs and confirmed that it only accepts connections from authorized users.",
                "last_run": "2026-07-01T18:27:22.000Z",
                "test_definition_id": 110,
                "enabled": true
              },
              {
                "test_id": 139,
                "name": "Logs are Centrally Stored",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's logs and confirmed that they are centrally stored.",
                "last_run": "2026-07-01T18:27:24.000Z",
                "test_definition_id": 109,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-159",
          "control_name": "Incident Response Plan",
          "control_description": "Sustainment Technologies Inc has an established Incident Response Plan that outlines management responsibilities and procedures to ensure a quick, effective, and orderly response to information security incidents and annual testing.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.576Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-159-evidence",
              "name": "Incident Response Plan (DCF-159)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185558+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-owner",
              "name": "Assigned Control Owner - Incident Response Plan (DCF-159)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185565+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-monitoring",
              "name": "Continuous Monitoring - Incident Response Plan (DCF-159)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185571+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 77,
          "explanation": "The Incident Response Plan (IRP) satisfies KSI-SVC-EIS by demonstrating a *persistent evaluation* of security through annual testing and defined procedures – identifying weaknesses *after* incidents and proactively improving security posture. This aligns with FedRAMP's need for continuous improvement as the IRP's testing and updates are based on lessons learned from real-world events and evolving threats, directly addressing the requirement to improve security based on evaluation of information resources.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-21",
          "control_name": "Architectural Diagram",
          "control_description": "Sustainment Technologies Inc maintains an accurate architectural diagram to document system boundaries to support the functioning of internal control.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.152Z",
          "updated_at": "2025-11-24T13:51:40.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-02-04T21:04:30.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-21-evidence",
              "name": "Architectural Diagram (DCF-21)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185577+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-21-owner",
              "name": "Assigned Control Owner - Architectural Diagram (DCF-21)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185583+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-21-policy",
              "name": "Policy Documentation - Architectural Diagram (DCF-21)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185589+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 66,
          "explanation": "The Architectural Diagram control satisfies KSI-SVC-EIS by providing a foundational understanding of the system, enabling ongoing evaluation of security posture and identification of improvement opportunities. By visually mapping system boundaries (as per PL-8 & SC-7), Sustainment Technologies Inc. can persistently assess information resources and proactively implement security enhancements – fulfilling the requirement for continuous improvement based on evaluation. Essentially, you can't *improve* what you don't accurately *understand* through documentation like this diagram.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-81",
          "control_name": "Databases Monitored and Alarmed",
          "control_description": "Sustainment Technologies Inc has implemented tools to monitor Sustainment Technologies Inc's databases and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.413Z",
          "updated_at": "2026-05-16T21:24:19.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-81-evidence",
              "name": "Databases Monitored and Alarmed (DCF-81)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185596+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-81-owner",
              "name": "Assigned Control Owner - Databases Monitored and Alarmed (DCF-81)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185602+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-81-monitoring",
              "name": "Continuous Monitoring - Databases Monitored and Alarmed (DCF-81)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185608+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 1,
          "explanation": "This Drata control satisfies KSI-SVC-EIS by demonstrating *continuous monitoring* of critical information resources (databases), a key component of persistent evaluation. The monitoring and alerting, coupled with incident escalation, provides a mechanism to *identify security gaps and trigger improvements* based on real-world events – directly addressing the need for ongoing security enhancement outlined in the KSI requirement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:28:02.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 3,
                "name": "Database Read I/O Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that read I/O is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 114,
                "enabled": true
              },
              {
                "test_id": 2,
                "name": "Database Free Storage Space Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that free storage space is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 113,
                "enabled": true
              },
              {
                "test_id": 1,
                "name": "Database CPU Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's database monitoring configurations and confirmed that server CPU use is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:28:02.000Z",
                "test_definition_id": 112,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-82",
          "control_name": "Messaging Queues Monitored and Alarmed",
          "control_description": "Sustainment Technologies Inc has implemented tools to monitor Sustainment Technologies Inc's messaging queues and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:31.418Z",
          "updated_at": "2026-05-16T21:24:19.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-82-owner",
              "name": "Assigned Control Owner - Messaging Queues Monitored and Alarmed (DCF-82)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185615+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-82-monitoring",
              "name": "Continuous Monitoring - Messaging Queues Monitored and Alarmed (DCF-82)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:19.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185621+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 2,
          "explanation": "This Drata control satisfies KSI-SVC-EIS by demonstrating *continuous monitoring* of a critical information resource (messaging queues) – a key component of ongoing security improvement. By proactively detecting and alerting on events, and escalating incidents, Sustainment Technologies Inc. is actively evaluating its security posture and implementing improvements based on observed activity, fulfilling the requirement for persistent evaluation and action. This aligns with NIST SI-4 (System Monitoring) which supports continuous assessment.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:59.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 4,
                "name": "Messaging Queue Message Age Monitored",
                "status": "PASSED",
                "description": "Drata validated Sustainment Technologies Inc's messaging queue monitoring configurations and confirmed that message age is monitored, with alerts sent to personnel at certain thresholds.",
                "last_run": "2026-07-01T18:27:59.000Z",
                "test_definition_id": 115,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-560",
          "control_name": "Baselines for Detecting Anomalous Behavior",
          "control_description": "Sustainment Technologies Inc has established baselines for normal behavior of networks, systems, and applications for the detection of anomalies.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:11.087Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-560-evidence",
              "name": "Baselines for Detecting Anomalous Behavior (DCF-560)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185627+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-560-monitoring",
              "name": "Continuous Monitoring - Baselines for Detecting Anomalous Behavior (DCF-560)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185633+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 584,
          "explanation": "This Drata control directly addresses KSI-SVC-EIS by demonstrating *persistent evaluation* through the establishment of behavioral baselines. By actively monitoring for deviations from these baselines (as per SC-7 & SI-4), Sustainment Technologies Inc. identifies opportunities for security improvements based on real-world system activity – fulfilling the FedRAMP requirement for continuous security enhancement. Essentially, anomaly detection *is* the improvement process in action.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-182",
          "control_name": "Asset Management Policy",
          "control_description": "Sustainment Technologies Inc has a defined policy that establishes requirements for the proper management and tracking of organizational assets.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.174Z",
          "updated_at": "2025-11-24T13:51:40.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-02-04T21:04:30.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-182-owner",
              "name": "Assigned Control Owner - Asset Management Policy (DCF-182)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185640+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-182-policy",
              "name": "Policy Documentation - Asset Management Policy (DCF-182)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185646+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 71,
          "explanation": "The Asset Management Policy directly supports KSI-SVC-EIS by enabling persistent evaluation of information resources – knowing *what* assets exist (per SC-7) is the foundation for identifying security improvement opportunities. Regularly tracking and managing assets allows Sustainment Technologies Inc. to proactively assess their security posture and implement necessary enhancements, fulfilling the continuous improvement requirement of the FedRAMP KSI.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-92",
          "control_name": "Encrypted Remote Production Access",
          "control_description": "Users can only access the production system remotely through the use of encrypted communication systems.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.934Z",
          "updated_at": "2025-11-24T13:51:26.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-92-evidence",
              "name": "Encrypted Remote Production Access (DCF-92)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185652+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-92-owner",
              "name": "Assigned Control Owner - Encrypted Remote Production Access (DCF-92)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185658+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-92-policy",
              "name": "Policy Documentation - Encrypted Remote Production Access (DCF-92)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185664+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 27,
          "explanation": "Drata's \"Encrypted Remote Production Access\" control addresses KSI-SVC-EIS by demonstrating a proactive security *improvement* – securing a critical access pathway (remote production) with encryption. This reduces the attack surface and potential for data compromise, fulfilling the requirement for continuously evaluating and enhancing information resource security based on identified risks (like insecure remote access). Essentially, implementing encryption is a tangible action taken *because* of security evaluation, satisfying the persistent improvement aspect of the KSI.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' security policies require persistent evaluation of information resources for opportunities to improve security posture. This is implemented through centralized log management with anomalous behavior detection, database and messaging queue monitoring with alerting, incident response integration for discovered issues, and architectural documentation that identifies improvement areas. Drata monitors these controls continuously, providing the data-driven insights needed to identify security gaps and validate that implemented improvements are effective.\n### Key Controls\n- [OK] Log Management System (DCF-80)\n- [OK] Logs Centrally Stored (DCF-79)\n- [OK] Incident Response Plan (DCF-159)\n- [OK] Architectural Diagram (DCF-21)\n- [OK] Databases Monitored and Alarmed (DCF-81)\n- [OK] Messaging Queues Monitored and Alarmed (DCF-82)\n- [OK] Baselines for Detecting Anomalous Behavior (DCF-560)\n- [OK] Asset Management Policy (DCF-182)\n- [OK] Encrypted Remote Production Access (DCF-92)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:56.359665+00:00",
      "ksi_name": "Evaluating and Improving Security",
      "category": "SVC",
      "statement": "Implement improvements based on persistent evaluation of information resources for opportunities to improve security.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/service-configuration/",
      "nist_controls": [
        "CM-7.1",
        "CM-12.1",
        "MA-2",
        "PL-8",
        "SC-7",
        "SC-39",
        "SI-2.2",
        "SI-4",
        "SR-10"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment persistently evaluates information resources for opportunities to improve security posture through annual security reviews, centralized log management, and continuous monitoring of infrastructure and applications.",
        "failure_condition": "Failure to conduct an annual security review, failure to maintain centralized logging, or failure to act on identified security improvements will cause a failure of the test. Additionally, a log management system, centralized log storage, an incident response plan, database and messaging queue monitoring, an asset management policy, an architectural diagram, and encrypted remote access must be in place to ensure security posture is continuously evaluated and improved."
      },
      "outcome_metrics": [
        {
          "statement": "Security posture reviewed and improvement actions tracked to closure",
          "metric_name": "Completion",
          "target_value": "Annual security review completed; all high-priority findings have owners; trending toward closure",
          "target_unit": "",
          "frequency": "Quarterly",
          "source": "Security review report; finding tracker; POA&M",
          "notes": "Annual review not completed; high-priority finding without owner or closure plan"
        }
      ],
      "monitoring": {
        "total_tests": 9,
        "passed": 9,
        "failed": 0,
        "controls_with_monitoring": 6,
        "monitoring_coverage": 60.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-SVC-PRR",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:54.253772+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-632 (DCF-632)",
          "control_id": "DCF-632",
          "status": "Passing",
          "description": "Drata control status for DCF-632",
          "date": "2026-07-02T13:19:54.253772+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-639 (DCF-639)",
          "control_id": "DCF-639",
          "status": "Passing",
          "description": "Drata control status for DCF-639",
          "date": "2026-07-02T13:19:54.253772+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-57 (DCF-57)",
          "control_id": "DCF-57",
          "status": "Passing",
          "description": "Drata control status for DCF-57",
          "date": "2026-07-02T13:19:54.253772+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-56 (DCF-56)",
          "control_id": "DCF-56",
          "status": "Passing",
          "description": "Drata control status for DCF-56",
          "date": "2026-07-02T13:19:54.253772+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-168 (DCF-168)",
          "control_id": "DCF-168",
          "status": "Passing",
          "description": "Drata control status for DCF-168",
          "date": "2026-07-02T13:19:54.253772+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-SVC-PRR",
          "control_name": "Custom Automated Check: KSI-SVC-PRR",
          "control_description": "5/5 mapped controls passing; Sustainment Technologies' Vendor Management Policy establishes requirements for preventing residual risk from third-party service providers. This is implemented through supply chain risk assessments, shared system information security requirements, vendor compliance report reviews, and maintained vendor agreements that define security obligations. These controls ensure that third-party risks are contractually addressed and validated through regular compliance reviews, preventing residual risk from accumulating across the vendor ecosystem.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:54.253772+00:00",
          "updated_at": "2026-07-02T13:19:54.253772+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:54.253772+00:00",
          "requirements_updated_at": "",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-632 (DCF-632)",
              "description": "Drata control status for DCF-632",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.253772+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185671+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-639 (DCF-639)",
              "description": "Drata control status for DCF-639",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.253772+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185677+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-57 (DCF-57)",
              "description": "Drata control status for DCF-57",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.253772+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185684+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-56 (DCF-56)",
              "description": "Drata control status for DCF-56",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.253772+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185690+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-168 (DCF-168)",
              "description": "Drata control status for DCF-168",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.253772+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185695+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-632",
          "control_name": "Supply Chain Risk Assessment",
          "control_description": "Sustainment Technologies Inc assesses and updates supply chain risks associated with system components and system services.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:19.468Z",
          "updated_at": "2025-11-24T13:51:40.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-632-evidence",
              "name": "Supply Chain Risk Assessment (DCF-632)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185701+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-632-policy",
              "name": "Policy Documentation - Supply Chain Risk Assessment (DCF-632)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185708+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 628,
          "explanation": "Drata’s \"Supply Chain Risk Assessment\" control satisfies FedRAMP KSI-SVC-PRR by demonstrating a continuous process to identify and evaluate risks introduced through third-party components and services – a core tenet of supply chain risk management. This aligns with the KSI requirement for proactively managing vulnerabilities within the system's supply chain and maps directly to NIST SC-4, which covers supply chain risk management practices. Essentially, it proves STI is actively identifying *what* could go wrong with their suppliers and *how* they're mitigating it.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-639",
          "control_name": "Shared System Information Security",
          "control_description": "Sustainment Technologies Inc ensures that any unauthorized or unintended information transfers via shared system resources are prevented.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:08.243Z",
          "updated_at": "2025-11-24T13:51:26.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:15:06.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-639-evidence",
              "name": "Shared System Information Security (DCF-639)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185714+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-639-policy",
              "name": "Policy Documentation - Shared System Information Security (DCF-639)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185721+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 571,
          "explanation": "Drata's \"Shared System Information Security\" control directly addresses FedRAMP KSI-SVC-PRR by demonstrating preventative measures against unauthorized data transfer on shared resources – a core tenet of protecting customer data in a cloud environment. By verifying these controls, Drata proves Sustainment Technologies Inc. implements access controls and monitoring (aligned with NIST SC-4) to isolate data and prevent commingling/leakage, satisfying the KSI requirement for secure shared system operation.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-57",
          "control_name": "Vendor Compliance Reports",
          "control_description": "Sustainment Technologies Inc maintains a directory of its key vendors, including their compliance reports. Critical vendor compliance reports are reviewed annually.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.003Z",
          "updated_at": "2025-11-24T13:51:41.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-57-evidence",
              "name": "Vendor Compliance Reports (DCF-57)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:41.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185728+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-57-policy",
              "name": "Policy Documentation - Vendor Compliance Reports (DCF-57)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:41.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185734+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 81,
          "explanation": "This Drata control satisfies KSI-SVC-PRR by demonstrating due diligence in managing supply chain risk. Maintaining a vendor directory *and* actively reviewing critical vendor compliance reports annually (like SOC 2s) proves Sustainment Technologies Inc verifies its vendors meet security standards – a core tenet of FedRAMP's Key Service Provider requirements for secure data handling. This aligns with NIST SC-4, which covers supply chain risk management.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-56",
          "control_name": "Vendor Agreements Maintained",
          "control_description": "Sustainment Technologies Inc maintains a directory of its key vendors, including its agreements that specify terms, conditions and responsibilities.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.998Z",
          "updated_at": "2025-11-24T13:51:41.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:41.140Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-56-evidence",
              "name": "Vendor Agreements Maintained (DCF-56)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:41.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185741+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-56-policy",
              "name": "Policy Documentation - Vendor Agreements Maintained (DCF-56)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:41.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185747+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 80,
          "explanation": "This Drata control satisfies FedRAMP KSI-SVC-PRR by demonstrating a process for managing third-party risk. Maintaining vendor agreements with defined terms (as evidenced by the directory) proves Sustainment Technologies Inc. fulfills the requirement to establish and maintain documented responsibilities with its suppliers – a core component of secure service provision under FedRAMP. This directly maps to NIST SC-4, which covers supply chain risk management.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-168",
          "control_name": "Vendor Management Policy",
          "control_description": "Sustainment Technologies Inc has a defined vendor management policy that establishes requirements of ensuring third-party entities meet the organization's data preservation and protection requirements.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:35.678Z",
          "updated_at": "2025-11-24T13:51:41.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:33:48.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-168-policy",
              "name": "Policy Documentation - Vendor Management Policy (DCF-168)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:41.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185753+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 61,
          "explanation": "The Vendor Management Policy directly addresses FedRAMP KSI-SVC-PRR by demonstrating how Sustainment Technologies Inc. assesses and manages the security practices of its third-party vendors. This satisfies the requirement for ensuring these vendors adhere to data preservation and protection standards, as evidenced by alignment with NIST SC-4 (Supply Chain Risk Management). Essentially, it proves due diligence in mitigating risks introduced through the supply chain – a key tenet of FedRAMP KSI.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' Vendor Management Policy establishes requirements for preventing residual risk from third-party service providers. This is implemented through supply chain risk assessments, shared system information security requirements, vendor compliance report reviews, and maintained vendor agreements that define security obligations. These controls ensure that third-party risks are contractually addressed and validated through regular compliance reviews, preventing residual risk from accumulating across the vendor ecosystem.\n### Key Controls\n- [OK] Supply Chain Risk Assessment (DCF-632)\n- [OK] Shared System Information Security (DCF-639)\n- [OK] Vendor Compliance Reports (DCF-57)\n- [OK] Vendor Agreements Maintained (DCF-56)\n- [OK] Vendor Management Policy (DCF-168)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:54.253772+00:00",
      "ksi_name": "Preventing Residual Risk",
      "category": "SVC",
      "statement": "Persistently review plans, procedures, and the state of information resources after making changes to limit and remove unwanted residual elements that would likely negatively affect the confidentiality, integrity, or availability of federal customer data.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/service-configuration/",
      "nist_controls": [
        "SC-4"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment prevents residual risk from third-party service providers through supply chain risk assessments, shared system information security requirements, vendor compliance reporting, and maintained vendor agreements.",
        "failure_condition": "A vendor management policy, supply chain risk assessments, shared system information security requirements, and vendor agreements must be in place to ensure residual risk from third parties is identified and mitigated."
      },
      "outcome_metrics": [
        {
          "statement": "Residual risks from closed findings are validated as resolved with no recurrence",
          "metric_name": "Validation",
          "target_value": "100% of closed high/critical findings validated as non-recurrent within 90 days",
          "target_unit": "",
          "frequency": "Quarterly",
          "source": "Post-remediation scan results; finding re-open rate; POA&M closure validation",
          "notes": "Closed finding re-opened; post-remediation validation not completed within 90 days"
        }
      ],
      "monitoring": {
        "total_tests": 0,
        "passed": 0,
        "failed": 0,
        "controls_with_monitoring": 0,
        "monitoring_coverage": 0.0,
        "test_pass_rate": 0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-SVC-RUD",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:59.327106+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-101 (DCF-101)",
          "control_id": "DCF-101",
          "status": "Passing",
          "description": "Drata control status for DCF-101",
          "date": "2026-07-02T13:19:59.327106+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-102 (DCF-102)",
          "control_id": "DCF-102",
          "status": "Passing",
          "description": "Drata control status for DCF-102",
          "date": "2026-07-02T13:19:59.327106+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-103 (DCF-103)",
          "control_id": "DCF-103",
          "status": "Passing",
          "description": "Drata control status for DCF-103",
          "date": "2026-07-02T13:19:59.327106+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-253 (DCF-253)",
          "control_id": "DCF-253",
          "status": "Passing",
          "description": "Drata control status for DCF-253",
          "date": "2026-07-02T13:19:59.327106+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-619 (DCF-619)",
          "control_id": "DCF-619",
          "status": "Passing",
          "description": "Drata control status for DCF-619",
          "date": "2026-07-02T13:19:59.327106+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-SVC-RUD",
          "control_name": "Custom Automated Check: KSI-SVC-RUD",
          "control_description": "5/5 mapped controls passing; Sustainment Technologies maintains controls to ensure that data is properly sanitized and removed when no longer needed or when systems are decommissioned. This is validated through automated checks that verify data removal procedures are documented and operational.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:59.327106+00:00",
          "updated_at": "2026-07-02T13:19:59.327106+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:59.327106+00:00",
          "requirements_updated_at": "",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-101 (DCF-101)",
              "description": "Drata control status for DCF-101",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.327106+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185760+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-102 (DCF-102)",
              "description": "Drata control status for DCF-102",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.327106+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185766+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-103 (DCF-103)",
              "description": "Drata control status for DCF-103",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.327106+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185772+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-253 (DCF-253)",
              "description": "Drata control status for DCF-253",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.327106+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185778+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-619 (DCF-619)",
              "description": "Drata control status for DCF-619",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:59.327106+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185784+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 2,
            "passed": 2,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 41,
                "name": "Data Retention Policy",
                "status": "PASSED",
                "description": "Drata inspected and confirmed that Sustainment Technologies Inc has a data retention period specified for customer data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 136,
                "enabled": true
              },
              {
                "test_id": 42,
                "name": "Data Classification Policy",
                "status": "PASSED",
                "description": "Drata inspected and confirmed that Sustainment Technologies Inc has a Data Classification Policy in order to identify the types of confidential information possessed by the entity and types of protection that were required.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 137,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-101",
              "DCF-102",
              "DCF-103",
              "DCF-253",
              "DCF-619"
            ]
          }
        },
        {
          "control_id": "DCF-101",
          "control_name": "Data Retention Policy",
          "control_description": "Sustainment Technologies Inc has a documented policy for data retention defining the types of data (including company and customer data) and the period of time for which they should be retained.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.939Z",
          "updated_at": "2026-06-23T19:21:25.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:38.413Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 14,
              "name": "Data Management Policy",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/14_Data Management Policy.docx",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185944+00:00",
                "status": "hashed",
                "sha256": "7328b09b06e84d2d53e62434b71d5ae716f44fb397bc70b02bffe0d2639fc739",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/14_Data Management Policy.docx",
                "filename": "14_Data Management Policy.docx",
                "size_bytes": 19207,
                "modified_at": "2026-07-02T13:17:00+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-101-monitoring",
              "name": "Continuous Monitoring - Data Retention Policy (DCF-101)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-23T19:21:25.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185991+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-101-policy",
              "name": "Policy Documentation - Data Retention Policy (DCF-101)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-06-23T19:21:25.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.185998+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 28,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 41,
                "name": "Data Retention Policy",
                "status": "PASSED",
                "description": "Drata inspected and confirmed that Sustainment Technologies Inc has a data retention period specified for customer data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 136,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-102",
          "control_name": "Data Classification",
          "control_description": "Sustainment Technologies Inc has established a data classification policy in order to identify the types of confidential information possessed by the entity and types of protection that are required.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.943Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-102-owner",
              "name": "Assigned Control Owner - Data Classification (DCF-102)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186005+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-102-monitoring",
              "name": "Continuous Monitoring - Data Classification (DCF-102)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186010+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-102-policy",
              "name": "Policy Documentation - Data Classification (DCF-102)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186016+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 29,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 42,
                "name": "Data Classification Policy",
                "status": "PASSED",
                "description": "Drata inspected and confirmed that Sustainment Technologies Inc has a Data Classification Policy in order to identify the types of confidential information possessed by the entity and types of protection that were required.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 137,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-103",
          "control_name": "Customer Data Deletion Upon Termination",
          "control_description": "Sustainment Technologies Inc deletes customer data within 30 days of the customer terminating its contract.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2"
          ],
          "created_at": "2023-03-21T16:42:33.216Z",
          "updated_at": "2026-05-03T13:08:50.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2024-07-12T08:02:25.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-103-policy",
              "name": "Policy Documentation - Customer Data Deletion Upon Termination (DCF-103)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-03T13:08:50.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186023+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 35,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-253",
          "control_name": "Data Secure Disposal",
          "control_description": "Sustainment Technologies Inc disposes of data securely upon expiration of the established retention periods or when no longer needed for legal, regulatory, and/or business reasons.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [],
          "created_at": "2023-03-21T16:42:53.285Z",
          "updated_at": "2026-05-03T13:11:20.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2024-07-12T08:02:37.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-253-policy",
              "name": "Policy Documentation - Data Secure Disposal (DCF-253)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-05-03T13:11:20.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186029+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 280,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-619",
          "control_name": "Media Sanitization",
          "control_description": "Sustainment Technologies Inc review, approve, track, document, and verify media sanitization and disposal actions.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:14.590Z",
          "updated_at": "2026-06-26T16:37:08.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:33:48.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-619-policy",
              "name": "Policy Documentation - Media Sanitization (DCF-619)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-06-26T16:37:08.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186036+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 602,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies maintains controls to ensure that data is properly sanitized and removed when no longer needed or when systems are decommissioned. This is validated through automated checks that verify data removal procedures are documented and operational.\n### Key Controls\n- [OK] Data Retention Policy (DCF-101)\n- [OK] Data Classification (DCF-102)\n- [OK] Customer Data Deletion Upon Termination (DCF-103)\n- [OK] Data Secure Disposal (DCF-253)\n- [OK] Media Sanitization (DCF-619)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:59.327106+00:00",
      "ksi_name": "Removing Unwanted Data",
      "category": "SVC",
      "statement": "Remove unwanted federal customer data promptly when requested by an agency in alignment with customer agreements, including from backups if appropriate; this typically applies when a customer spills information or when a customer seeks to remove information from a service due to a change in usage.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/service-configuration/",
      "nist_controls": [
        "SI-12.3",
        "SI-18.4"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment ensures that data is properly sanitized and removed when no longer needed or when systems are decommissioned through documented data removal procedures.",
        "failure_condition": "A data removal request not fulfilled within the agreed timeframe or failure to maintain documented data removal procedures will cause a failure of the test. Data sanitization and removal controls must be in place to ensure unwanted data is disposed of securely and in compliance with retention policies."
      },
      "outcome_metrics": [
        {
          "statement": "Data beyond retention period removed within required SLA; deletion verified",
          "metric_name": "Completion",
          "target_value": "100% of data removal requests completed within SLA; deletion verified by audit log",
          "target_unit": "",
          "frequency": "Monthly",
          "source": "Data deletion audit log; retention policy enforcement tool; DLP reports",
          "notes": "Data removal past SLA; deletion not logged or verifiable"
        }
      ],
      "monitoring": {
        "total_tests": 2,
        "passed": 2,
        "failed": 0,
        "controls_with_monitoring": 2,
        "monitoring_coverage": 33.3,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-SVC-SNT",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:54.634075+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-10 (DCF-10)",
          "control_id": "DCF-10",
          "status": "Passing",
          "description": "Drata control status for DCF-10",
          "date": "2026-07-02T13:19:54.634075+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-576 (DCF-576)",
          "control_id": "DCF-576",
          "status": "Passing",
          "description": "Drata control status for DCF-576",
          "date": "2026-07-02T13:19:54.634075+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-181 (DCF-181)",
          "control_id": "DCF-181",
          "status": "Passing",
          "description": "Drata control status for DCF-181",
          "date": "2026-07-02T13:19:54.634075+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-11 (DCF-11)",
          "control_id": "DCF-11",
          "status": "Passing",
          "description": "Drata control status for DCF-11",
          "date": "2026-07-02T13:19:54.634075+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-53 (DCF-53)",
          "control_id": "DCF-53",
          "status": "Passing",
          "description": "Drata control status for DCF-53",
          "date": "2026-07-02T13:19:54.634075+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-59 (DCF-59)",
          "control_id": "DCF-59",
          "status": "Passing",
          "description": "Drata control status for DCF-59",
          "date": "2026-07-02T13:19:54.634075+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-58 (DCF-58)",
          "control_id": "DCF-58",
          "status": "Passing",
          "description": "Drata control status for DCF-58",
          "date": "2026-07-02T13:19:54.634075+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-124 (DCF-124)",
          "control_id": "DCF-124",
          "status": "Passing",
          "description": "Drata control status for DCF-124",
          "date": "2026-07-02T13:19:54.634075+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-102 (DCF-102)",
          "control_id": "DCF-102",
          "status": "Passing",
          "description": "Drata control status for DCF-102",
          "date": "2026-07-02T13:19:54.634075+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-SVC-SNT",
          "control_name": "Custom Automated Check: KSI-SVC-SNT",
          "control_description": "9/9 mapped controls passing; Sustainment Technologies' Encryption Policy and Cryptography Policies require that all network traffic is encrypted or otherwise secured. This is implemented through mandatory authentication for all access, system access controls, data classification-driven encryption requirements, role-based security assignments, and defined authentication protocols. Drata monitors encryption compliance and access control enforcement, while annual access reviews validate that network security controls are consistently applied across all communication paths.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:54.634075+00:00",
          "updated_at": "2026-07-02T13:19:54.634075+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:54.634075+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-10 (DCF-10)",
              "description": "Drata control status for DCF-10",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.634075+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186043+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-576 (DCF-576)",
              "description": "Drata control status for DCF-576",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.634075+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186049+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-181 (DCF-181)",
              "description": "Drata control status for DCF-181",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.634075+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186055+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-11 (DCF-11)",
              "description": "Drata control status for DCF-11",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.634075+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186061+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-53 (DCF-53)",
              "description": "Drata control status for DCF-53",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.634075+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186067+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-59 (DCF-59)",
              "description": "Drata control status for DCF-59",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.634075+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186072+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-58 (DCF-58)",
              "description": "Drata control status for DCF-58",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.634075+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186078+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-124 (DCF-124)",
              "description": "Drata control status for DCF-124",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.634075+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186084+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-102 (DCF-102)",
              "description": "Drata control status for DCF-102",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.634075+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186089+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 4,
            "passed": 4,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              },
              {
                "test_id": 119,
                "name": "Security Policies Cover Encryption",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they explain the procedures for encrypting sensitive data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 127,
                "enabled": true
              },
              {
                "test_id": 85,
                "name": "Cryptography Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's cryptography policies and confirmed that they list resources that employees may access to ensure they understand the procedures and their responsibilities.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 67,
                "enabled": true
              },
              {
                "test_id": 42,
                "name": "Data Classification Policy",
                "status": "PASSED",
                "description": "Drata inspected and confirmed that Sustainment Technologies Inc has a Data Classification Policy in order to identify the types of confidential information possessed by the entity and types of protection that were required.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 137,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-10",
              "DCF-576",
              "DCF-181",
              "DCF-11",
              "DCF-53",
              "DCF-59",
              "DCF-58",
              "DCF-124",
              "DCF-102"
            ]
          }
        },
        {
          "control_id": "DCF-10",
          "control_name": "System Access Control Policy",
          "control_description": "Sustainment Technologies Inc has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and employee transfers.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.531Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-10-evidence",
              "name": "System Access Control Policy (DCF-10)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186095+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-owner",
              "name": "Assigned Control Owner - System Access Control Policy (DCF-10)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186101+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-monitoring",
              "name": "Continuous Monitoring - System Access Control Policy (DCF-10)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186107+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 88,
          "explanation": "While seemingly indirect, the System Access Control Policy supports KSI-SVC-SNT by ensuring *only authorized* personnel access the system – a foundational element of securing network traffic. By regularly reviewing and controlling access (via forms & annual reviews), the policy minimizes the attack surface and potential for malicious traffic originating from unauthorized users, thus helping to meet the encryption/security requirement. Essentially, limiting *who* can access the network is a crucial preventative measure alongside *how* traffic is secured.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-576",
          "control_name": "System Information and Integrity Policy",
          "control_description": "Sustainment Technologies Inc has a defined policy for system information and integrity that establishes procedures to ensure systems are established with system integrity monitoring.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:09.311Z",
          "updated_at": "2025-11-24T18:38:48.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:36.942Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-576-policy",
              "name": "Policy Documentation - System Information and Integrity Policy (DCF-576)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:48.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186123+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 578,
          "explanation": "The System Information and Integrity Policy (and associated monitoring) helps satisfy KSI-SVC-SNT by establishing procedures to detect unauthorized changes to system configurations – including those related to encryption settings. By ensuring system integrity, the control verifies that encryption mechanisms remain enabled and functioning as intended, thus securing network traffic as required by the FedRAMP KSI. Essentially, it confirms the *security controls are working* as designed to protect data in transit.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-181",
          "control_name": "Encryption Policy",
          "control_description": "Sustainment Technologies Inc has a defined policy that establishes requirements for the use of cryptographic controls.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:38.777Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-181-owner",
              "name": "Assigned Control Owner - Encryption Policy (DCF-181)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186131+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-181-monitoring",
              "name": "Continuous Monitoring - Encryption Policy (DCF-181)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186137+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-181-policy",
              "name": "Policy Documentation - Encryption Policy (DCF-181)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186142+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 100,
          "explanation": "Drata's \"Encryption Policy\" satisfies KSI-SVC-SNT by demonstrating a documented, organization-wide approach to securing network traffic via cryptography – fulfilling the requirement to *encrypt or otherwise secure* data in transit. This policy, mapped to NIST SC-8 (Security Planning), proves Sustainment Technologies Inc. isn't just *doing* encryption, but has a *defined and sustained* process for its implementation and management, crucial for FedRAMP authorization.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 119,
                "name": "Security Policies Cover Encryption",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they explain the procedures for encrypting sensitive data.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 127,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-11",
          "control_name": "Annual Access Control Review",
          "control_description": "Sustainment Technologies Inc performs annual access control reviews.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.537Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": 150,
              "name": "User Access Review",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/150_User Access Review.xlsx",
              "updated_at": "2026-03-02T15:28:18.965Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186305+00:00",
                "status": "hashed",
                "sha256": "a83b78e92bd554ebc59378b2f58c3b86c8dfac37b561ea9ddea944b69ab811d9",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/150_User Access Review.xlsx",
                "filename": "150_User Access Review.xlsx",
                "size_bytes": 115456,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-11-owner",
              "name": "Assigned Control Owner - Annual Access Control Review (DCF-11)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186410+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-11-policy",
              "name": "Policy Documentation - Annual Access Control Review (DCF-11)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186417+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 89,
          "explanation": "While seemingly unrelated, the Annual Access Control Review (AC-1) *supports* KSI-SVC-SNT by ensuring only authorized personnel have network access. Limiting access reduces the attack surface and potential for malicious traffic, effectively securing network traffic as required by the KSI. Regularly verifying access rights is a foundational security practice that underpins broader encryption and security measures.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-53",
          "control_name": "Cryptography Policies",
          "control_description": "Sustainment Technologies Inc has an established policy and procedures that governs the use of cryptographic controls.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.157Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-53-owner",
              "name": "Assigned Control Owner - Cryptography Policies (DCF-53)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186423+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-53-monitoring",
              "name": "Continuous Monitoring - Cryptography Policies (DCF-53)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186429+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-53-policy",
              "name": "Policy Documentation - Cryptography Policies (DCF-53)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186435+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 67,
          "explanation": "Drata's \"Cryptography Policies\" control directly addresses KSI-SVC-SNT by demonstrating a documented, organization-wide approach to securing network traffic *via* cryptography. Establishing and maintaining these policies (as evidenced by the control) proves Sustainment Technologies Inc. isn't just *using* encryption, but actively *governing* its implementation – a key element of FedRAMP’s requirement for secure data in transit, aligning with NIST SC-13’s focus on cryptographic key lifecycle management.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 85,
                "name": "Cryptography Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's cryptography policies and confirmed that they list resources that employees may access to ensure they understand the procedures and their responsibilities.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 67,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-59",
          "control_name": "Role-Based Security Implementation",
          "control_description": "Role-based security is in place for internal and external users, including super admin users.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.904Z",
          "updated_at": "2025-11-24T13:51:36.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-59-evidence",
              "name": "Role-Based Security Implementation (DCF-59)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186442+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-59-owner",
              "name": "Assigned Control Owner - Role-Based Security Implementation (DCF-59)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186448+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-59-policy",
              "name": "Policy Documentation - Role-Based Security Implementation (DCF-59)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:36.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186454+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 21,
          "explanation": "Drata's Role-Based Security Implementation (RBAC) satisfies KSI-SVC-SNT by limiting network access based on assigned roles, effectively securing traffic to only authorized users and resources. This control ensures only individuals with necessary permissions can access sensitive data in transit, aligning with the FedRAMP requirement to encrypt *or otherwise secure* network traffic – RBAC acts as a strong access control \"security\" measure. The related NIST AC-1 control reinforces this by establishing a foundation for access enforcement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-58",
          "control_name": "Authentication Protocol",
          "control_description": "Username and password (password standard implemented) or SSO required to authenticate into application, MFA optional for external users, and MFA required for employee users.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.899Z",
          "updated_at": "2025-11-24T13:51:26.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-58-evidence",
              "name": "Authentication Protocol (DCF-58)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186465+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-58-owner",
              "name": "Assigned Control Owner - Authentication Protocol (DCF-58)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186473+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-58-policy",
              "name": "Policy Documentation - Authentication Protocol (DCF-58)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:26.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186479+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 20,
          "explanation": "This Drata control satisfies KSI-SVC-SNT by securing network traffic *after* authentication. While not direct encryption, strong authentication (username/password + enforced password standards, and required MFA for employees) significantly reduces the risk of unauthorized access, effectively protecting data in transit by limiting who can initiate network sessions – a key component of securing network traffic under FedRAMP. It aligns with AC-1 by establishing access control based on identity, a foundational security practice.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-124",
          "control_name": "Require Authentication for Access",
          "control_description": "Users accessing their personal information through Sustainment Technologies Inc's application must be authenticated with a username and password.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.639Z",
          "updated_at": "2025-11-24T13:51:25.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-124-evidence",
              "name": "Require Authentication for Access (DCF-124)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:25.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186486+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-124-owner",
              "name": "Assigned Control Owner - Require Authentication for Access (DCF-124)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:25.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186492+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-124-policy",
              "name": "Policy Documentation - Require Authentication for Access (DCF-124)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:25.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186498+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 145,
          "explanation": "While seemingly unrelated, \"Require Authentication for Access\" contributes to KSI-SVC-SNT by establishing a baseline security measure *before* network traffic is generated. Authentication verifies user identity, ensuring only authorized individuals initiate connections, thus protecting the confidentiality and integrity of data in transit Ã¢â‚¬â€œ a key component of securing network traffic as required by the KSI. Essentially, it limits who *can* create potentially vulnerable network sessions in the first place.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-102",
          "control_name": "Data Classification",
          "control_description": "Sustainment Technologies Inc has established a data classification policy in order to identify the types of confidential information possessed by the entity and types of protection that are required.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:32.943Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-102-owner",
              "name": "Assigned Control Owner - Data Classification (DCF-102)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186505+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-102-monitoring",
              "name": "Continuous Monitoring - Data Classification (DCF-102)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186511+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-102-policy",
              "name": "Policy Documentation - Data Classification (DCF-102)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186517+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 29,
          "explanation": "Data Classification (satisfying KSI-SVC-SNT) directly supports secure network traffic by identifying *what* data needs protection. By classifying data based on sensitivity, Sustainment Technologies Inc. can then apply appropriate encryption and other security controls (like TLS) during transmission Ã¢â‚¬â€œ fulfilling the FedRAMP requirement to encrypt or secure network traffic based on data type. Essentially, knowing *what* you have allows you to properly *protect* it in transit.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 42,
                "name": "Data Classification Policy",
                "status": "PASSED",
                "description": "Drata inspected and confirmed that Sustainment Technologies Inc has a Data Classification Policy in order to identify the types of confidential information possessed by the entity and types of protection that were required.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 137,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "Sustainment Technologies' Encryption Policy and Cryptography Policies require that all network traffic is encrypted or otherwise secured. This is implemented through mandatory authentication for all access, system access controls, data classification-driven encryption requirements, role-based security assignments, and defined authentication protocols. Drata monitors encryption compliance and access control enforcement, while annual access reviews validate that network security controls are consistently applied across all communication paths.\n### Key Controls\n- [OK] System Access Control Policy (DCF-10)\n- [OK] System Information and Integrity Policy (DCF-576)\n- [OK] Encryption Policy (DCF-181)\n- [OK] Annual Access Control Review (DCF-11)\n- [OK] Cryptography Policies (DCF-53)\n- [OK] Role-Based Security Implementation (DCF-59)\n- [OK] Authentication Protocol (DCF-58)\n- [OK] Require Authentication for Access (DCF-124)\n- [OK] Data Classification (DCF-102)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:54.634075+00:00",
      "ksi_name": "Securing Network Traffic",
      "category": "SVC",
      "statement": "Encrypt or otherwise secure network traffic.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/service-configuration/",
      "nist_controls": [
        "AC-1",
        "AC-17.2",
        "CP-9.8",
        "SC-8",
        "SC-8.1",
        "SC-13",
        "SC-20",
        "SC-21",
        "SC-22",
        "SC-23"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment requires all network traffic to be encrypted or otherwise secured through enforced encryption policies, cryptography standards, mandatory authentication, and data classification-based access controls.",
        "failure_condition": "Unencrypted network traffic detected, a deprecated TLS version in use, or failure to enforce authentication for access will cause a failure of the test. Additionally, an encryption policy, cryptography policies, system access controls, role-based security implementation, authentication protocols, data classification, and annual access reviews must be in place to ensure all network traffic is secured."
      },
      "outcome_metrics": [
        {
          "statement": "All network traffic encrypted in transit; certificates valid and current",
          "metric_name": "Integrity",
          "target_value": "100% of in-scope traffic TLS 1.2+; 0 expired or weak certificates",
          "target_unit": "",
          "frequency": "Monthly",
          "source": "TLS scan results; certificate inventory; Drata SSL checks",
          "notes": "Expired or weak certificate; plaintext traffic detected on in-scope path"
        }
      ],
      "monitoring": {
        "total_tests": 4,
        "passed": 4,
        "failed": 0,
        "controls_with_monitoring": 4,
        "monitoring_coverage": 40.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-SVC-VCM",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:58.160791+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-645 (DCF-645)",
          "control_id": "DCF-645",
          "status": "Passing",
          "description": "Drata control status for DCF-645",
          "date": "2026-07-02T13:19:58.160791+00:00"
        },
        {
          "type": "configuration",
          "name": "TLS Certificate for fed.sustainment.us",
          "description": "Certificate for 'sustainment.us' issued by 'Amazon RSA 2048 M04'. Valid from 2026-02-24 to 2026-09-09 (69 days remaining). TLS version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128 bits). SANs: sustainment.us, *.internal.sustainment.us, *.sustainment.us",
          "date": "2026-07-02T13:19:58.554679+00:00",
          "control_id": "TLS-CERT",
          "status": "Passing",
          "metadata": {
            "common_name": "sustainment.us",
            "issuer": "Amazon RSA 2048 M04",
            "not_before": "2026-02-24T00:00:00+00:00",
            "not_after": "2026-09-09T23:59:59+00:00",
            "days_until_expiry": 69,
            "tls_version": "TLSv1.2",
            "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
            "cipher_bits": 128,
            "cipher_version": "TLSv1.2",
            "san_count": 3
          }
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-SVC-VCM",
          "control_name": "Custom Automated Check: KSI-SVC-VCM",
          "control_description": "1/1 mapped controls passing; TLS certificate check for fed.sustainment.us: Certificate is valid and properly configured. Issued by Amazon RSA 2048 M04, expires 2026-09-09 (69 days). TLS version: TLSv1.2.; Sustainment Technologies' security policies require validation of all communications to prevent tampering and ensure authenticity. This is implemented through session authentication management controls that verify the integrity and authenticity of all communications within the cloud service offering.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:58.160791+00:00",
          "updated_at": "2026-07-02T13:19:58.160791+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:58.160791+00:00",
          "requirements_updated_at": "",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-645 (DCF-645)",
              "description": "Drata control status for DCF-645",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.160791+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186524+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "TLS Certificate for fed.sustainment.us",
              "description": "Certificate for 'sustainment.us' issued by 'Amazon RSA 2048 M04'. Valid from 2026-02-24 to 2026-09-09 (69 days remaining). TLS version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128 bits). SANs: sustainment.us, *.internal.sustainment.us, *.sustainment.us",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:58.554679+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186530+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-645",
          "control_name": "Session Authentication Management",
          "control_description": "Sustainment Technologies Inc ensures that communication at the session level is protected.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:09.412Z",
          "updated_at": "2025-11-24T13:51:27.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-645-evidence",
              "name": "Session Authentication Management (DCF-645)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:27.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186537+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-645-policy",
              "name": "Policy Documentation - Session Authentication Management (DCF-645)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:27.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186543+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 580,
          "explanation": "Drata's \"Session Authentication Management\" control directly addresses FedRAMP KSI-SVC-VCM by demonstrating secure session handling practices. Specifically, it verifies the system establishes, maintains, and terminates sessions securely Ã¢â‚¬â€œ protecting data in transit as required by the KSI, and aligning with NIST SC-23's focus on session management security. This proves communication confidentiality and integrity throughout a user's interaction with the system.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' security policies require validation of all communications to prevent tampering and ensure authenticity. This is implemented through session authentication management controls that verify the integrity and authenticity of all communications within the cloud service offering.\n### Key Controls\n- [OK] Session Authentication Management (DCF-645)",
      "implementation_details": {
        "method": "drata-control-aggregation-with-tls-validation",
        "tools": [
          "drata_controls.json",
          "python-ssl"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:58.160791+00:00",
      "ksi_name": "Validating Communications",
      "category": "SVC",
      "statement": "Persistently validate the authenticity and integrity of communications between machine-based information resources using automation.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/service-configuration/",
      "nist_controls": [
        "SC-23",
        "SI-7.1"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment validates all communications to prevent tampering and ensure authenticity through session authentication management, encryption policies, and managed credential keys.",
        "failure_condition": "Failure to validate communication integrity or authenticate sessions will cause a failure of the test. Session authentication management and encryption controls must be in place to ensure all communications are protected from tampering."
      },
      "outcome_metrics": [
        {
          "statement": "Communication channels validated for integrity and authentication",
          "metric_name": "Integrity",
          "target_value": "100% of critical communication channels authenticated and encrypted",
          "target_unit": "",
          "frequency": "Quarterly",
          "source": "Communication channel audit; email security (DMARC/DKIM/SPF) reports",
          "notes": "Unauthenticated channel; DMARC/DKIM/SPF failure on in-scope domain"
        }
      ],
      "monitoring": {
        "total_tests": 0,
        "passed": 0,
        "failed": 0,
        "controls_with_monitoring": 0,
        "monitoring_coverage": 0.0,
        "test_pass_rate": 0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-SVC-VRI",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:20:00.596348+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-578 (DCF-578)",
          "control_id": "DCF-578",
          "status": "Passing",
          "description": "Drata control status for DCF-578",
          "date": "2026-07-02T13:20:00.596348+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-650 (DCF-650)",
          "control_id": "DCF-650",
          "status": "Passing",
          "description": "Drata control status for DCF-650",
          "date": "2026-07-02T13:20:00.596348+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-645 (DCF-645)",
          "control_id": "DCF-645",
          "status": "Passing",
          "description": "Drata control status for DCF-645",
          "date": "2026-07-02T13:20:00.596348+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-480 (DCF-480)",
          "control_id": "DCF-480",
          "status": "Passing",
          "description": "Drata control status for DCF-480",
          "date": "2026-07-02T13:20:00.596348+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-478 (DCF-478)",
          "control_id": "DCF-478",
          "status": "Passing",
          "description": "Drata control status for DCF-478",
          "date": "2026-07-02T13:20:00.596348+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-433 (DCF-433)",
          "control_id": "DCF-433",
          "status": "Passing",
          "description": "Drata control status for DCF-433",
          "date": "2026-07-02T13:20:00.596348+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-266 (DCF-266)",
          "control_id": "DCF-266",
          "status": "Passing",
          "description": "Drata control status for DCF-266",
          "date": "2026-07-02T13:20:00.596348+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-159 (DCF-159)",
          "control_id": "DCF-159",
          "status": "Passing",
          "description": "Drata control status for DCF-159",
          "date": "2026-07-02T13:20:00.596348+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-53 (DCF-53)",
          "control_id": "DCF-53",
          "status": "Passing",
          "description": "Drata control status for DCF-53",
          "date": "2026-07-02T13:20:00.596348+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-SVC-VRI",
          "control_name": "Custom Automated Check: KSI-SVC-VRI",
          "control_description": "9/9 mapped controls passing; Sustainment Technologies' Cryptography Policies and Systems Acquisition Policy require cryptographic validation of the integrity of all machine-based information resources. This is implemented through integrity checking mechanisms, file integrity monitoring on logs, change detection with automated alert response, session authentication, and securely stored cryptographic keys. Drata monitors cryptographic controls and incident response readiness, ensuring that integrity validation is active and any detected tampering triggers immediate investigation.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:20:00.596348+00:00",
          "updated_at": "2026-07-02T13:20:00.596348+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:20:00.596348+00:00",
          "requirements_updated_at": "",
          "evidence_count": 9,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-578 (DCF-578)",
              "description": "Drata control status for DCF-578",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.596348+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186550+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-650 (DCF-650)",
              "description": "Drata control status for DCF-650",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.596348+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186556+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-645 (DCF-645)",
              "description": "Drata control status for DCF-645",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.596348+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186562+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-480 (DCF-480)",
              "description": "Drata control status for DCF-480",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.596348+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186569+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-478 (DCF-478)",
              "description": "Drata control status for DCF-478",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.596348+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186575+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-433 (DCF-433)",
              "description": "Drata control status for DCF-433",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.596348+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186580+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-266 (DCF-266)",
              "description": "Drata control status for DCF-266",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.596348+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186586+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-159 (DCF-159)",
              "description": "Drata control status for DCF-159",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.596348+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186592+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-53 (DCF-53)",
              "description": "Drata control status for DCF-53",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:20:00.596348+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186598+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-02T12:02:06.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 152,
                "name": "CloudTrail Log File Integrity Validation Enabled",
                "status": "PASSED",
                "description": "Drata confirmed that AWS CloudTrail log validation is enabled on all trails.",
                "last_run": "2026-07-02T12:02:06.000Z",
                "test_definition_id": 205,
                "enabled": true
              },
              {
                "test_id": 85,
                "name": "Cryptography Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's cryptography policies and confirmed that they list resources that employees may access to ensure they understand the procedures and their responsibilities.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 67,
                "enabled": true
              },
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-578",
              "DCF-650",
              "DCF-645",
              "DCF-480",
              "DCF-478",
              "DCF-433",
              "DCF-266",
              "DCF-159",
              "DCF-53"
            ]
          }
        },
        {
          "control_id": "DCF-578",
          "control_name": "System and Services Acquisition Policy",
          "control_description": "Sustainment Technologies Inc has a defined policy for system and services acquisition that establishes the procedures for systems and services to be acquired with security requirements that align with business objectives.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:18.598Z",
          "updated_at": "2025-11-24T18:38:56.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:41.282Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-578-policy",
              "name": "Policy Documentation - System and Services Acquisition Policy (DCF-578)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:56.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186604+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 626,
          "explanation": "The \"System and Services Acquisition Policy\" satisfies KSI-SVC-VRI by ensuring *new* systems and services are acquired *with* pre-defined security requirements Ã¢â‚¬â€œ including cryptographic controls for data integrity Ã¢â‚¬â€œ **before** they're integrated into the FedRAMP environment. This proactive approach, linked to NIST SR-10 (System Security Planning), validates integrity at the acquisition stage, fulfilling the requirement to protect machine-based information resources through cryptographic methods. Essentially, it builds security *in* rather than bolting it on later.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-650",
          "control_name": "Integrity Checks",
          "control_description": "Sustainment Technologies Inc performs integrity checks of systems software, firmware, and system information during  transitional states.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:16.726Z",
          "updated_at": "2025-11-24T18:38:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-650-evidence",
              "name": "Integrity Checks (DCF-650)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T18:38:51.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186610+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-650-policy",
              "name": "Policy Documentation - Integrity Checks (DCF-650)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T18:38:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186617+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 612,
          "explanation": "DrataÃ¢â‚¬â„¢s Ã¢â‚¬Å“Integrity ChecksÃ¢â‚¬Â control directly addresses KSI-SVC-VRI by demonstrating the use of cryptographic methods (implied through integrity verification processes) to ensure system software, firmware, and information remain unaltered during critical transitions. This satisfies the FedRAMP requirement to validate the integrity of machine-based resources, proving systems havenÃ¢â‚¬â„¢t been compromised or tampered with Ã¢â‚¬â€œ aligning with NIST SI-7's focus on integrity protection.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-645",
          "control_name": "Session Authentication Management",
          "control_description": "Sustainment Technologies Inc ensures that communication at the session level is protected.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:09.412Z",
          "updated_at": "2025-11-24T13:51:27.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.698Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-645-evidence",
              "name": "Session Authentication Management (DCF-645)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:27.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186624+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-645-policy",
              "name": "Policy Documentation - Session Authentication Management (DCF-645)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:27.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186630+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 580,
          "explanation": "Drata's \"Session Authentication Management\" control satisfies KSI-SVC-VRI by utilizing cryptographic methods (like TLS/SSL) to establish and maintain secure sessions. This protects data in transit, ensuring its integrity during communication Ã¢â‚¬â€œ validating that machine-based information resources haven't been altered during a session, as required by the FedRAMP KSI. The related NIST SC-23 control further reinforces this through session key establishment and management.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-480",
          "control_name": "Change Detection Mechanism Alert Response",
          "control_description": "Sustainment Technologies Inc has implemented a process to respond to any alerts generated by the change-detection solution.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:00.079Z",
          "updated_at": "2026-06-10T16:04:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": 158,
              "name": "DataDog Infrastructure Change Rules",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/158_DataDog Infrastructure Change Rules.png",
              "updated_at": "2026-06-10T16:04:48.843Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.186794+00:00",
                "status": "hashed",
                "sha256": "ea9cd42b86313b00270704de06c0307f63e3fada40944170a06048def47ac9b5",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/158_DataDog Infrastructure Change Rules.png",
                "filename": "158_DataDog Infrastructure Change Rules.png",
                "size_bytes": 533573,
                "modified_at": "2026-07-02T13:16:58+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            }
          ],
          "drata_control_id": 499,
          "explanation": "This Drata control addresses KSI-SVC-VRI by demonstrating a proactive response to *unauthorized changes* detected by the change detection solution Ã¢â‚¬â€œ effectively validating the integrity of system information. Responding to alerts ensures that any compromised integrity (a violation of the KSI requirement) is investigated and remediated, maintaining a secure and trustworthy system for FedRAMP. The control links to NIST SI-7, which covers incident handling, further solidifying its alignment with security best practices.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-478",
          "control_name": "Change Detection Mechanism",
          "control_description": "Sustainment Technologies Inc has enabled file integrity monitoring or a change-detection mechanism to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, audit files, or content files to ensure critical data cannot be changed ",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:00.023Z",
          "updated_at": "2025-11-24T13:51:38.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-478-monitoring",
              "name": "Continuous Monitoring - Change Detection Mechanism (DCF-478)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187240+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-478-policy",
              "name": "Policy Documentation - Change Detection Mechanism (DCF-478)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:38.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187247+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 497,
          "explanation": "The Change Detection Mechanism directly satisfies KSI-SVC-VRI by utilizing cryptographic hashing (implied in \"detect unauthorized modification\") to verify the integrity of critical system and data files. This ensures that any unauthorized changes to these \"machine-based information resources\" are identified, fulfilling the requirement for cryptographic validation of data integrity as mandated by FedRAMP. Essentially, it cryptographically proves files haven't been tampered with.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-02T12:02:06.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 152,
                "name": "CloudTrail Log File Integrity Validation Enabled",
                "status": "PASSED",
                "description": "Drata confirmed that AWS CloudTrail log validation is enabled on all trails.",
                "last_run": "2026-07-02T12:02:06.000Z",
                "test_definition_id": 205,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-433",
          "control_name": "FIM on Logs",
          "control_description": "Sustainment Technologies Inc uses file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:58.743Z",
          "updated_at": "2026-06-29T16:58:22.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.857Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-433-policy",
              "name": "Policy Documentation - FIM on Logs (DCF-433)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-06-29T16:58:22.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187254+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 453,
          "explanation": "Drata's \"FIM on Logs\" control directly addresses KSI-SVC-VRI by employing cryptographic hashing (a core component of FIM) to verify the integrity of critical log data Ã¢â‚¬â€œ machine-based information resources. Any unauthorized modification to logs triggers alerts, demonstrating the system's ability to detect tampering and fulfill the requirement for validating data integrity through cryptographic methods, as outlined in the FedRAMP KSI.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-266",
          "control_name": "Cryptographic Keys Stored Securely",
          "control_description": "Sustainment Technologies Inc stores cryptographic keys securely.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:53.678Z",
          "updated_at": "2026-06-10T15:08:28.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:27.405Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-266-evidence",
              "name": "Cryptographic Keys Stored Securely (DCF-266)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-10T15:08:28.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187260+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-266-monitoring",
              "name": "Continuous Monitoring - Cryptographic Keys Stored Securely (DCF-266)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-10T15:08:28.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187267+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 293,
          "explanation": "DrataÃ¢â‚¬â„¢s Ã¢â‚¬Å“Cryptographic Keys Stored SecurelyÃ¢â‚¬Â control directly addresses KSI-SVC-VRI by demonstrating a foundational security practice for protecting the integrity of information resources. Secure key storage, as evidenced by this control and mapped to NIST SC-13, ensures that cryptographic methods used for validation *cannot* be compromised, thus upholding data integrity as required by FedRAMP KSI. Essentially, protecting the keys protects the validation process itself.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 85,
                "name": "Cryptography Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's cryptography policies and confirmed that they list resources that employees may access to ensure they understand the procedures and their responsibilities.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 67,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-159",
          "control_name": "Incident Response Plan",
          "control_description": "Sustainment Technologies Inc has an established Incident Response Plan that outlines management responsibilities and procedures to ensure a quick, effective, and orderly response to information security incidents and annual testing.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.576Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:26:47.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-159-evidence",
              "name": "Incident Response Plan (DCF-159)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187273+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-owner",
              "name": "Assigned Control Owner - Incident Response Plan (DCF-159)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187279+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-159-monitoring",
              "name": "Continuous Monitoring - Incident Response Plan (DCF-159)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187286+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 77,
          "explanation": "The Incident Response Plan (IRP) satisfies KSI-SVC-VRI by detailing procedures to identify and contain incidents that *could* compromise the integrity of information resources Ã¢â‚¬â€œ a key step in validating that data hasnÃ¢â‚¬â„¢t been maliciously altered. Through investigation and remediation outlined in the IRP (and verified via annual testing), Sustainment Technologies Inc. confirms or restores the integrity of affected systems, demonstrating cryptographic validation isn't solely preventative, but also reactive to potential breaches. Essentially, the IRP ensures a process to *verify* integrity after a potential compromise, aligning with the KSI requirement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 91,
                "name": "Incident Response Plan (IRP)",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it outlines a formal procedure for responding to security events as well as requiring annual testing.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 33,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-53",
          "control_name": "Cryptography Policies",
          "control_description": "Sustainment Technologies Inc has an established policy and procedures that governs the use of cryptographic controls.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.157Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.699Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-53-owner",
              "name": "Assigned Control Owner - Cryptography Policies (DCF-53)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187292+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-53-monitoring",
              "name": "Continuous Monitoring - Cryptography Policies (DCF-53)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187298+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-53-policy",
              "name": "Policy Documentation - Cryptography Policies (DCF-53)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187303+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 67,
          "explanation": "Drata's \"Cryptography Policies\" control directly addresses KSI-SVC-VRI by demonstrating a documented, governed approach to employing cryptographic methods. This policy establishes *how* Sustainment Technologies Inc. utilizes cryptography Ã¢â‚¬â€œ fulfilling the requirement to validate the integrity of information resources as mandated by FedRAMP. The connection to NIST SC-13 further validates this control's alignment with industry-standard cryptographic implementation practices.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 85,
                "name": "Cryptography Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's cryptography policies and confirmed that they list resources that employees may access to ensure they understand the procedures and their responsibilities.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 67,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "Sustainment Technologies' Cryptography Policies and Systems Acquisition Policy require cryptographic validation of the integrity of all machine-based information resources. This is implemented through integrity checking mechanisms, file integrity monitoring on logs, change detection with automated alert response, session authentication, and securely stored cryptographic keys. Drata monitors cryptographic controls and incident response readiness, ensuring that integrity validation is active and any detected tampering triggers immediate investigation.\n### Key Controls\n- [OK] System and Services Acquisition Policy (DCF-578)\n- [OK] Integrity Checks (DCF-650)\n- [OK] Session Authentication Management (DCF-645)\n- [OK] Change Detection Mechanism Alert Response (DCF-480)\n- [OK] Change Detection Mechanism (DCF-478)\n- [OK] FIM on Logs (DCF-433)\n- [OK] Cryptographic Keys Stored Securely (DCF-266)\n- [OK] Incident Response Plan (DCF-159)\n- [OK] Cryptography Policies (DCF-53)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:20:00.596348+00:00",
      "ksi_name": "Validating Resource Integrity",
      "category": "SVC",
      "statement": "Use cryptographic methods to validate the integrity of machine-based information resources.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/service-configuration/",
      "nist_controls": [
        "CM-2.2",
        "CM-8.3",
        "SC-13",
        "SC-23",
        "SI-7",
        "SI-7.1",
        "SR-10"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment cryptographically validates the integrity of all machine-based information resources through integrity checking mechanisms, file integrity monitoring, change detection, and secure cryptographic key storage.",
        "failure_condition": "Resource integrity validation failing, unauthorized modification detected, or failure to respond to change detection alerts will cause a failure of the test. Additionally, cryptography policies, integrity checks, file integrity monitoring on logs, change detection mechanisms, secure cryptographic key storage, an incident response plan, and a systems acquisition policy must be in place to ensure resource integrity is continuously validated."
      },
      "outcome_metrics": [
        {
          "statement": "Resource integrity validated via checksums or signed artifacts; no tamper detected",
          "metric_name": "Integrity",
          "target_value": "100% of critical resources have integrity validation; 0 tamper events unresolved",
          "target_unit": "",
          "frequency": "Weekly",
          "source": "Artifact signing / checksum verification reports; IDS/integrity alerts",
          "notes": "Tamper event unresolved; critical resource without integrity validation"
        }
      ],
      "monitoring": {
        "total_tests": 4,
        "passed": 4,
        "failed": 0,
        "controls_with_monitoring": 4,
        "monitoring_coverage": 40.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-SCR-MIT",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:54.922145+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-31 (DCF-31)",
          "control_id": "DCF-31",
          "status": "Passing",
          "description": "Drata control status for DCF-31",
          "date": "2026-07-02T13:19:54.922145+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-6 (DCF-6)",
          "control_id": "DCF-6",
          "status": "Passing",
          "description": "Drata control status for DCF-6",
          "date": "2026-07-02T13:19:54.922145+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-10 (DCF-10)",
          "control_id": "DCF-10",
          "status": "Passing",
          "description": "Drata control status for DCF-10",
          "date": "2026-07-02T13:19:54.922145+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-7 (DCF-7)",
          "control_id": "DCF-7",
          "status": "Passing",
          "description": "Drata control status for DCF-7",
          "date": "2026-07-02T13:19:54.922145+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-168 (DCF-168)",
          "control_id": "DCF-168",
          "status": "Passing",
          "description": "Drata control status for DCF-168",
          "date": "2026-07-02T13:19:54.922145+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-180 (DCF-180)",
          "control_id": "DCF-180",
          "status": "Passing",
          "description": "Drata control status for DCF-180",
          "date": "2026-07-02T13:19:54.922145+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-15 (DCF-15)",
          "control_id": "DCF-15",
          "status": "Passing",
          "description": "Drata control status for DCF-15",
          "date": "2026-07-02T13:19:54.922145+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-SCR-MIT",
          "control_name": "Custom Automated Check: KSI-SCR-MIT",
          "control_description": "7/7 mapped controls passing; Sustainment Technologies' Vendor Management Policy and Risk Assessment Policy require persistent identification, review, and mitigation of supply chain risks. This is implemented through secure information transfer controls, SDLC requirements for third-party components, separate testing and production environments, production code change restrictions, and access controls that limit vendor exposure. Drata monitors vendor-related access controls and risk assessment compliance, ensuring that supply chain risks are identified and mitigated before they impact the cloud service offering.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:54.922145+00:00",
          "updated_at": "2026-07-02T13:19:54.922145+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:54.922145+00:00",
          "requirements_updated_at": "",
          "evidence_count": 7,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-31 (DCF-31)",
              "description": "Drata control status for DCF-31",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.922145+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187310+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-6 (DCF-6)",
              "description": "Drata control status for DCF-6",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.922145+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187316+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-10 (DCF-10)",
              "description": "Drata control status for DCF-10",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.922145+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187322+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-7 (DCF-7)",
              "description": "Drata control status for DCF-7",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.922145+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187328+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-168 (DCF-168)",
              "description": "Drata control status for DCF-168",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.922145+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187334+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-180 (DCF-180)",
              "description": "Drata control status for DCF-180",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.922145+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187340+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-15 (DCF-15)",
              "description": "Drata control status for DCF-15",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:54.922145+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187346+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 4,
            "passed": 4,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:29:54.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 146,
                "name": "Has a SDLC Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed it has a Software Development Life Cycle Policy in place.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 36,
                "enabled": true
              },
              {
                "test_id": 144,
                "name": "Production Code Changes Restricted",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's version control tool and confirmed that only authorized personnel push or make changes to production code.",
                "last_run": "2026-07-01T18:29:54.000Z",
                "test_definition_id": 9,
                "enabled": true
              },
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              },
              {
                "test_id": 100,
                "name": "Risk Assessment Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Risk Assessment Policy and confirmed that it specifies risk tolerances and the process for evaluating risks based on identified threats and specified tolerances.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 18,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-31",
              "DCF-6",
              "DCF-10",
              "DCF-7",
              "DCF-168",
              "DCF-180",
              "DCF-15"
            ]
          }
        },
        {
          "control_id": "DCF-31",
          "control_name": "Software Development Life Cycle Policy",
          "control_description": "Sustainment Technologies Inc has developed policies and procedures governing the system development life cycle, including documented policies for tracking, testing, approving, and validating changes.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.156Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:31:00.000Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-31-owner",
              "name": "Assigned Control Owner - Software Development Life Cycle Policy (DCF-31)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187352+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-31-monitoring",
              "name": "Continuous Monitoring - Software Development Life Cycle Policy (DCF-31)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187358+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-31-policy",
              "name": "Policy Documentation - Software Development Life Cycle Policy (DCF-31)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187364+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 129,
          "explanation": "The Software Development Life Cycle (SDLC) Policy addresses KSI-SCR-MIT by establishing a structured process for change management Ã¢â‚¬â€œ tracking, testing, and approving modifications to the system. This process allows Sustainment Technologies Inc. to *identify* potential vulnerabilities introduced through changes (review), and *mitigate* those risks via testing & approval, fulfilling the requirement for persistent supply chain risk management. Essentially, a controlled SDLC is a key mechanism for ensuring the integrity of the system and its components.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 146,
                "name": "Has a SDLC Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed it has a Software Development Life Cycle Policy in place.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 36,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-6",
          "control_name": "Production Code Changes Restricted",
          "control_description": "Only authorized Sustainment Technologies Inc personnel can push or make changes to production code.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": true,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.147Z",
          "updated_at": "2026-06-22T12:35:43.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:22:37.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-6-evidence",
              "name": "Production Code Changes Restricted (DCF-6)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:43.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187371+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-6-owner",
              "name": "Assigned Control Owner - Production Code Changes Restricted (DCF-6)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:43.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187377+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-6-monitoring",
              "name": "Continuous Monitoring - Production Code Changes Restricted (DCF-6)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-06-22T12:35:43.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187383+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 127,
          "explanation": "Drata's \"Production Code Changes Restricted\" control directly addresses KSI-SCR-MIT by limiting who can modify live systems, thus mitigating the risk of malicious or unauthorized code impacting the FedRAMP environment. This access control ensures only vetted personnel can introduce changes, supporting persistent identification *and* mitigation of supply chain risks stemming from internal vulnerabilities or compromised accounts Ã¢â‚¬â€œ a core tenet of FedRAMP KSI. The control aligns with NIST SA-11 (Software, Firmware, and Information Integrity) by enforcing integrity through change management.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:29:54.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 144,
                "name": "Production Code Changes Restricted",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's version control tool and confirmed that only authorized personnel push or make changes to production code.",
                "last_run": "2026-07-01T18:29:54.000Z",
                "test_definition_id": 9,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-10",
          "control_name": "System Access Control Policy",
          "control_description": "Sustainment Technologies Inc has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and employee transfers.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.531Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-10-evidence",
              "name": "System Access Control Policy (DCF-10)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187389+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-owner",
              "name": "Assigned Control Owner - System Access Control Policy (DCF-10)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187395+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-monitoring",
              "name": "Continuous Monitoring - System Access Control Policy (DCF-10)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187401+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 88,
          "explanation": "The System Access Control Policy satisfies KSI-SCR-MIT by establishing a process for **identifying** (access request forms) and **reviewing** (annual access control reviews) who has access to systems Ã¢â‚¬â€œ a core component of supply chain risk management. Regularly verifying access rights helps **mitigate** the risk of unauthorized personnel impacting the system, aligning with FedRAMP's need to secure the entire supply chain.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-7",
          "control_name": "Separate Testing and Production Environments",
          "control_description": "Separate environments are used for testing and production for Sustainment Technologies Inc's application",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:41.152Z",
          "updated_at": "2025-11-24T13:51:40.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.858Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-7-evidence",
              "name": "Separate Testing and Production Environments (DCF-7)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187407+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-7-owner",
              "name": "Assigned Control Owner - Separate Testing and Production Environments (DCF-7)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187413+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-7-policy",
              "name": "Policy Documentation - Separate Testing and Production Environments (DCF-7)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187418+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 128,
          "explanation": "Drata's \"Separate Testing and Production Environments\" control directly addresses KSI-SCR-MIT by mitigating supply chain risks introduced through potentially compromised code or configurations. Isolating these environments prevents vulnerabilities discovered in testing from impacting the live, production systemÃ¢â‚¬â€a key step in identifying, reviewing, and limiting the blast radius of supply chain-related incidents. This aligns with SA-11 by establishing a secure development lifecycle and reducing the risk of unauthorized changes reaching production.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-168",
          "control_name": "Vendor Management Policy",
          "control_description": "Sustainment Technologies Inc has a defined vendor management policy that establishes requirements of ensuring third-party entities meet the organization's data preservation and protection requirements.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:35.678Z",
          "updated_at": "2025-11-24T13:51:41.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:33:48.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-168-policy",
              "name": "Policy Documentation - Vendor Management Policy (DCF-168)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:41.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187425+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 61,
          "explanation": "The Vendor Management Policy directly addresses KSI-SCR-MIT by establishing a process to *identify* (through requirements definition), *review* (ensuring third-party adherence), and *mitigate* (data protection requirements) risks associated with third-party vendors Ã¢â‚¬â€œ a core tenet of supply chain risk management for FedRAMP. By verifying vendor compliance with data preservation and protection standards, Sustainment Technologies Inc demonstrably reduces the potential for supply chain-related security incidents impacting federal data.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-180",
          "control_name": "Secure Information Transfer",
          "control_description": "Sustainment Technologies Inc has a defined process to ensure the secure transfer of information internally and externally.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:44.309Z",
          "updated_at": "2025-11-24T13:51:40.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-180-policy",
              "name": "Policy Documentation - Secure Information Transfer (DCF-180)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187431+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 183,
          "explanation": "Drata's \"Secure Information Transfer\" control addresses KSI-SCR-MIT by demonstrating a defined process for managing how sensitive information moves *both* within and outside the organization Ã¢â‚¬â€œ a key aspect of identifying and mitigating supply chain risks related to data exposure. By securing these transfers (as evidenced by NIST AC-20 & SA-9), Sustainment Technologies Inc. proactively reduces the potential for compromised data reaching unauthorized supply chain actors, fulfilling the persistent review and mitigation requirement.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-15",
          "control_name": "Risk Assessment Policy",
          "control_description": "Sustainment Technologies Inc has defined a formal risk management process that specifies risk tolerances and the process for evaluating risks based on identified threats and the specified tolerances.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.142Z",
          "updated_at": "2025-12-03T18:49:50.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-15-monitoring",
              "name": "Continuous Monitoring - Risk Assessment Policy (DCF-15)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-12-03T18:49:50.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187437+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-15-policy",
              "name": "Policy Documentation - Risk Assessment Policy (DCF-15)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-12-03T18:49:50.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187443+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 86,
          "explanation": "Drata's \"Risk Assessment Policy\" satisfies KSI-SCR-MIT by demonstrating a formalized, ongoing process for identifying and evaluating supply chain risks Ã¢â‚¬â€œ a core tenet of the FedRAMP requirement. By defining risk tolerances and a clear evaluation process (linked to NIST SA-9), Sustainment Technologies Inc. proves they are *persistently* reviewing risks and establishing a foundation for mitigation, fulfilling the continuous monitoring aspect of the KSI.",
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 100,
                "name": "Risk Assessment Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Risk Assessment Policy and confirmed that it specifies risk tolerances and the process for evaluating risks based on identified threats and specified tolerances.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 18,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        }
      ],
      "notes": "Sustainment Technologies' Vendor Management Policy and Risk Assessment Policy require persistent identification, review, and mitigation of supply chain risks. This is implemented through secure information transfer controls, SDLC requirements for third-party components, separate testing and production environments, production code change restrictions, and access controls that limit vendor exposure. Drata monitors vendor-related access controls and risk assessment compliance, ensuring that supply chain risks are identified and mitigated before they impact the cloud service offering.\n### Key Controls\n- [OK] Software Development Life Cycle Policy (DCF-31)\n- [OK] Production Code Changes Restricted (DCF-6)\n- [OK] System Access Control Policy (DCF-10)\n- [OK] Separate Testing and Production Environments (DCF-7)\n- [OK] Vendor Management Policy (DCF-168)\n- [OK] Secure Information Transfer (DCF-180)\n- [OK] Risk Assessment Policy (DCF-15)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:54.922145+00:00",
      "ksi_name": "Mitigating Supply Chain Risk",
      "category": "SCR",
      "statement": "Persistently identify, review, and mitigate potential supply chain risks.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/supply-chain-risk/",
      "nist_controls": [
        "AC-20",
        "RA-3.1",
        "SA-9",
        "SA-10",
        "SA-11",
        "SA-15.3",
        "SA-22",
        "SI-7.1",
        "SR-5",
        "SR-6",
        "CA-7.4",
        "SC-18"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment persistently identifies, reviews, and mitigates supply chain risks through vendor management, risk assessments, secure information transfer controls, and SDLC requirements for third-party components.",
        "failure_condition": "Third-party risk assessment not conducted within 12 months, a high-risk vendor without review, or failure to enforce secure information transfer with vendors will cause a failure of the test. Additionally, a vendor management policy, risk assessment policy, SDLC policy, production code change restrictions, and separate testing and production environments must be in place to ensure supply chain risks are identified and mitigated."
      },
      "outcome_metrics": [
        {
          "statement": "Identified supply chain risks are mitigated with documented actions and owners",
          "metric_name": "Remediation",
          "target_value": "100% of high/critical supply chain findings have mitigation plan; mean time to close <= 90 days",
          "target_unit": "",
          "frequency": "Quarterly",
          "source": "Third-party risk register; vendor risk findings tracker",
          "notes": "High-risk vendor finding without mitigation plan; finding open > 90 days"
        }
      ],
      "monitoring": {
        "total_tests": 4,
        "passed": 4,
        "failed": 0,
        "controls_with_monitoring": 4,
        "monitoring_coverage": 50.0,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    },
    {
      "ksi_id": "KSI-SCR-MON",
      "status": "compliant",
      "automated": true,
      "last_checked": "2026-07-02T13:19:57.196048+00:00",
      "score": 100,
      "findings": [],
      "evidence": [
        {
          "type": "configuration",
          "name": "DCF-18 (DCF-18)",
          "control_id": "DCF-18",
          "status": "Passing",
          "description": "Drata control status for DCF-18",
          "date": "2026-07-02T13:19:57.196048+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-29 (DCF-29)",
          "control_id": "DCF-29",
          "status": "Passing",
          "description": "Drata control status for DCF-29",
          "date": "2026-07-02T13:19:57.196048+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-9 (DCF-9)",
          "control_id": "DCF-9",
          "status": "Passing",
          "description": "Drata control status for DCF-9",
          "date": "2026-07-02T13:19:57.196048+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-10 (DCF-10)",
          "control_id": "DCF-10",
          "status": "Passing",
          "description": "Drata control status for DCF-10",
          "date": "2026-07-02T13:19:57.196048+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-40 (DCF-40)",
          "control_id": "DCF-40",
          "status": "Passing",
          "description": "Drata control status for DCF-40",
          "date": "2026-07-02T13:19:57.196048+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-15 (DCF-15)",
          "control_id": "DCF-15",
          "status": "Passing",
          "description": "Drata control status for DCF-15",
          "date": "2026-07-02T13:19:57.196048+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-168 (DCF-168)",
          "control_id": "DCF-168",
          "status": "Passing",
          "description": "Drata control status for DCF-168",
          "date": "2026-07-02T13:19:57.196048+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-334 (DCF-334)",
          "control_id": "DCF-334",
          "status": "Passing",
          "description": "Drata control status for DCF-334",
          "date": "2026-07-02T13:19:57.196048+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-185 (DCF-185)",
          "control_id": "DCF-185",
          "status": "Passing",
          "description": "Drata control status for DCF-185",
          "date": "2026-07-02T13:19:57.196048+00:00"
        },
        {
          "type": "configuration",
          "name": "DCF-180 (DCF-180)",
          "control_id": "DCF-180",
          "status": "Passing",
          "description": "Drata control status for DCF-180",
          "date": "2026-07-02T13:19:57.196048+00:00"
        }
      ],
      "mapped_controls": [
        {
          "control_id": "CUSTOM-KSI-SCR-MON",
          "control_name": "Custom Automated Check: KSI-SCR-MON",
          "control_description": "10/10 mapped controls passing; Sustainment Technologies' Vendor Management Policy and Risk Assessment Policy require automated monitoring of third-party software for upstream vulnerabilities. This is implemented through periodic dynamic threat assessments, quarterly vulnerability scans, vendor compliance reviews, contractor security requirements, and incident response team engagement for vendor-related security events. Drata monitors vulnerability scan execution, contractor compliance, and vendor access controls Ã¢â‚¬â€ while the employee disclosure process provides an additional channel for identifying supply chain risks.",
          "status": "compliant",
          "compliant": true,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "matched_via_nist": [],
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2026-07-02T13:19:57.196048+00:00",
          "updated_at": "2026-07-02T13:19:57.196048+00:00",
          "archived_at": null,
          "last_tested_at": "2026-07-02T13:19:57.196048+00:00",
          "requirements_updated_at": "",
          "evidence_count": 10,
          "evidence_details": [
            {
              "id": null,
              "name": "DCF-18 (DCF-18)",
              "description": "Drata control status for DCF-18",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.196048+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187450+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-29 (DCF-29)",
              "description": "Drata control status for DCF-29",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.196048+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187461+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-9 (DCF-9)",
              "description": "Drata control status for DCF-9",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.196048+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187468+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-10 (DCF-10)",
              "description": "Drata control status for DCF-10",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.196048+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187473+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-40 (DCF-40)",
              "description": "Drata control status for DCF-40",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.196048+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187479+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-15 (DCF-15)",
              "description": "Drata control status for DCF-15",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.196048+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187485+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-168 (DCF-168)",
              "description": "Drata control status for DCF-168",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.196048+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187491+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-334 (DCF-334)",
              "description": "Drata control status for DCF-334",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.196048+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187497+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-185 (DCF-185)",
              "description": "Drata control status for DCF-185",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.196048+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187503+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            },
            {
              "id": null,
              "name": "DCF-180 (DCF-180)",
              "description": "Drata control status for DCF-180",
              "type": "configuration",
              "source": "",
              "updated_at": "2026-07-02T13:19:57.196048+00:00",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187508+00:00",
                "status": "not_applicable",
                "reason": "non_file_evidence"
              }
            }
          ],
          "monitoring": {
            "total_tests": 9,
            "passed": 9,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 66,
                "name": "Vulnerability Scanning",
                "status": "PASSED",
                "description": "Drata validated that a vulnerability scanning system is connected to Drata.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 21,
                "enabled": true
              },
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              },
              {
                "test_id": 86,
                "name": "Process for Responsible Disclosure",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they detail a process for employees to report security, confidentiality, integrity, and availability failures, incidents, and concerns.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 12,
                "enabled": true
              },
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              },
              {
                "test_id": 59,
                "name": "Contractor Background Checks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that all new contractors had completed background checks upon hire.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 50,
                "enabled": true
              },
              {
                "test_id": 58,
                "name": "Contractors Acknowledge the Acceptable Use Policy",
                "status": "PASSED",
                "description": "Drata confirmed that assigned contractors have acknowledged the Acceptable Use Policy.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 49,
                "enabled": true
              },
              {
                "test_id": 57,
                "name": "Contractors Acknowledge The Code of Conduct",
                "status": "PASSED",
                "description": "Drata confirmed that assigned contractors have acknowledged the Code of Conduct.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 48,
                "enabled": true
              },
              {
                "test_id": 100,
                "name": "Risk Assessment Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Risk Assessment Policy and confirmed that it specifies risk tolerances and the process for evaluating risks based on identified threats and specified tolerances.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 18,
                "enabled": true
              },
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0,
            "derived": true,
            "derived_reason": "Aggregated from mapped Drata controls for this KSI",
            "derived_from_controls": [
              "DCF-18",
              "DCF-29",
              "DCF-9",
              "DCF-10",
              "DCF-40",
              "DCF-15",
              "DCF-168",
              "DCF-334",
              "DCF-185",
              "DCF-180"
            ]
          }
        },
        {
          "control_id": "DCF-18",
          "control_name": "Quarterly Vulnerability Scan",
          "control_description": "Sustainment Technologies Inc engages with a third party to conduct vulnerability scans of the production environment at least quarterly. Results are reviewed by management and high-priority findings are tracked to resolution.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.858Z",
          "updated_at": "2026-05-11T12:55:17.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:20:22.000Z",
          "evidence_count": 5,
          "evidence_details": [
            {
              "id": 149,
              "name": "Vulnerability scanning - historical scans.",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/149_Vulnerability scanning - historical scans..zip",
              "updated_at": "2026-03-02T14:54:37.097Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.187690+00:00",
                "status": "hashed",
                "sha256": "1bca3af621b9ac72ecaf5ccb180f7c18cc49f95a24e05a54e8c83a05fa411b37",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/149_Vulnerability scanning - historical scans..zip",
                "filename": "149_Vulnerability scanning - historical scans..zip",
                "size_bytes": 629615,
                "modified_at": "2026-07-02T13:16:59+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": 148,
              "name": "Vulnerability Scan Report repository (screenshot)",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/148_Vulnerability Scan Report repository (screenshot).png",
              "updated_at": "2026-03-02T14:51:39.054Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.188356+00:00",
                "status": "hashed",
                "sha256": "cbd856d7f75726db39106a98e93d3f94d3574bb28b0bc44483de3aa2a36f063e",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/148_Vulnerability Scan Report repository (screenshot).png",
                "filename": "148_Vulnerability Scan Report repository (screenshot).png",
                "size_bytes": 307470,
                "modified_at": "2026-07-02T13:16:59+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-18-owner",
              "name": "Assigned Control Owner - Quarterly Vulnerability Scan (DCF-18)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-11T12:55:17.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.188624+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 46,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:20.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 66,
                "name": "Vulnerability Scanning",
                "status": "PASSED",
                "description": "Drata validated that a vulnerability scanning system is connected to Drata.",
                "last_run": "2026-07-01T18:27:20.000Z",
                "test_definition_id": 21,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-29",
          "control_name": "Incident Response Team",
          "control_description": "Sustainment Technologies Inc has identified an incident response team that quantifies and monitors incidents involving security, availability, processing integrity, and confidentiality at the company.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.562Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T17:28:05.856Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-29-evidence",
              "name": "Incident Response Team (DCF-29)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.188633+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-owner",
              "name": "Assigned Control Owner - Incident Response Team (DCF-29)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.188640+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-29-monitoring",
              "name": "Continuous Monitoring - Incident Response Team (DCF-29)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.188646+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 74,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 88,
                "name": "IRP Designates Responsible Team Members",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Incident Response Plan and confirmed that it names the individuals responsible for monitoring and responding to incidents.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 34,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-9",
          "control_name": "Employee Disclosure Process",
          "control_description": "Sustainment Technologies Inc provides a process to employees for reporting security, confidentiality, integrity, and availability failures, incidents, and concerns, and other complaints to company management.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:36.552Z",
          "updated_at": "2026-04-29T19:47:52.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:39.886Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": 12,
              "name": "Responsible Disclosure Policy",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/12_Responsible Disclosure Policy.pdf",
              "updated_at": "2026-01-09T13:33:41.000Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.188824+00:00",
                "status": "hashed",
                "sha256": "b6489e47f58841ad1ce45e8778355f9c7fb94b51d728f831e0d27edebb7f9f91",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/12_Responsible Disclosure Policy.pdf",
                "filename": "12_Responsible Disclosure Policy.pdf",
                "size_bytes": 126853,
                "modified_at": "2026-07-02T13:17:01+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-9-owner",
              "name": "Assigned Control Owner - Employee Disclosure Process (DCF-9)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.188948+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-9-monitoring",
              "name": "Continuous Monitoring - Employee Disclosure Process (DCF-9)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:52.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.188954+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 72,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 86,
                "name": "Process for Responsible Disclosure",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's security policies and confirmed that they detail a process for employees to report security, confidentiality, integrity, and availability failures, incidents, and concerns.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 12,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-10",
          "control_name": "System Access Control Policy",
          "control_description": "Sustainment Technologies Inc has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms to be filled out for new hires and employee transfers.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.531Z",
          "updated_at": "2026-04-29T19:47:53.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:24:21.000Z",
          "evidence_count": 4,
          "evidence_details": [
            {
              "id": "DCF-10-evidence",
              "name": "System Access Control Policy (DCF-10)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.188961+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-owner",
              "name": "Assigned Control Owner - System Access Control Policy (DCF-10)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.188968+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-10-monitoring",
              "name": "Continuous Monitoring - System Access Control Policy (DCF-10)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:53.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.188974+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 88,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 102,
                "name": "System Access Control Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's System Access Control Policy and confirmed that it includes annual access control review requirements, and requires access request forms for new hires and employee transfers.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 13,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-40",
          "control_name": "Contractor Requirements",
          "control_description": "Sustainment Technologies Inc requires its contractors to read and acknowledge the Code of Conduct, read and acknowledge the Acceptable Use Policy, and pass a background check.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": true
          },
          "frameworks": [
            "SOC_2",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:34.179Z",
          "updated_at": "2026-04-29T19:47:51.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:36.841Z",
          "evidence_count": 3,
          "evidence_details": [
            {
              "id": "DCF-40-owner",
              "name": "Assigned Control Owner - Contractor Requirements (DCF-40)",
              "description": "This control has a designated owner responsible for maintenance and compliance.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "A responsible party has been assigned to manage this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.188980+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-40-monitoring",
              "name": "Continuous Monitoring - Contractor Requirements (DCF-40)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.188986+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-40-policy",
              "name": "Policy Documentation - Contractor Requirements (DCF-40)",
              "description": "This control has an associated policy that has been approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2026-04-29T19:47:51.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.188991+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 42,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 3,
            "passed": 3,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 59,
                "name": "Contractor Background Checks",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's records and confirmed that all new contractors had completed background checks upon hire.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 50,
                "enabled": true
              },
              {
                "test_id": 58,
                "name": "Contractors Acknowledge the Acceptable Use Policy",
                "status": "PASSED",
                "description": "Drata confirmed that assigned contractors have acknowledged the Acceptable Use Policy.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 49,
                "enabled": true
              },
              {
                "test_id": 57,
                "name": "Contractors Acknowledge The Code of Conduct",
                "status": "PASSED",
                "description": "Drata confirmed that assigned contractors have acknowledged the Code of Conduct.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 48,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-15",
          "control_name": "Risk Assessment Policy",
          "control_description": "Sustainment Technologies Inc has defined a formal risk management process that specifies risk tolerances and the process for evaluating risks based on identified threats and the specified tolerances.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:37.142Z",
          "updated_at": "2025-12-03T18:49:50.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-15-monitoring",
              "name": "Continuous Monitoring - Risk Assessment Policy (DCF-15)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2025-12-03T18:49:50.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.188998+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-15-policy",
              "name": "Policy Documentation - Risk Assessment Policy (DCF-15)",
              "description": "This control has an associated policy that has been approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-12-03T18:49:50.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.189004+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 86,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:19.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 100,
                "name": "Risk Assessment Policy",
                "status": "PASSED",
                "description": "Drata inspected Sustainment Technologies Inc's Risk Assessment Policy and confirmed that it specifies risk tolerances and the process for evaluating risks based on identified threats and specified tolerances.",
                "last_run": "2026-07-01T18:27:19.000Z",
                "test_definition_id": 18,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-168",
          "control_name": "Vendor Management Policy",
          "control_description": "Sustainment Technologies Inc has a defined vendor management policy that establishes requirements for ensuring that third-party entities meet the organization's data preservation and protection requirements.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "SOC_2",
            "CCPA",
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:35.678Z",
          "updated_at": "2025-11-24T13:51:41.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:33:48.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-168-policy",
              "name": "Policy Documentation - Vendor Management Policy (DCF-168)",
              "description": "This control has an associated policy that has been approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:41.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.189010+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 61,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-334",
          "control_name": "Privileged and General User ID Authorization",
          "control_description": "Sustainment Technologies Inc controls addition, deletion, and modification of user IDs, credentials, and other identifier objects.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": false,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": true,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:55.855Z",
          "updated_at": "2026-05-16T21:24:21.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:14:39.000Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": 145,
              "name": "DataDog Okta Alert",
              "description": "Downloaded Drata evidence document.",
              "type": "document",
              "source": "evidence/documents/145_DataDog Okta Alert.png",
              "updated_at": "2026-02-06T17:33:16.132Z",
              "implementation_guidance": "",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.189198+00:00",
                "status": "hashed",
                "sha256": "e894be820e3fceeb2599272b9da2c4acaa661edfb039e074e65d8a91d8aebbe7",
                "path": "/builds/sustainmenttech/compliance/fedramp-20x/evidence/documents/145_DataDog Okta Alert.png",
                "filename": "145_DataDog Okta Alert.png",
                "size_bytes": 237119,
                "modified_at": "2026-07-02T13:16:59+00:00",
                "root_source_type": "pipeline_repo",
                "root_source": "repo",
                "resolved_via": "evidence_document_index"
              }
            },
            {
              "id": "DCF-334-monitoring",
              "name": "Continuous Monitoring - Privileged and General User ID Authorization (DCF-334)",
              "description": "The policy is being actively monitored within Drata to ensure it has been reviewed and approved within the last 12 months.",
              "type": "document",
              "source": "",
              "updated_at": "2026-05-16T21:24:21.000Z",
              "implementation_guidance": "Automated monitoring is in place to track compliance status.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.189405+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 356,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 1,
            "passed": 1,
            "failed": 0,
            "pending": 0,
            "pass_rate": 100.0,
            "has_monitoring": true,
            "last_test_run": "2026-07-01T18:27:21.000Z",
            "failed_tests": [],
            "tests": [
              {
                "test_id": 136,
                "name": "Logs Monitored for Suspicious Activity",
                "status": "PASSED",
                "description": "Drata inspected the infrastructure logs to determine that it was configured to monitor web traffic and suspicious activity.",
                "last_run": "2026-07-01T18:27:21.000Z",
                "test_definition_id": 121,
                "enabled": true
              }
            ],
            "disabled_tests": [],
            "disabled_count": 0
          }
        },
        {
          "control_id": "DCF-185",
          "control_name": "Periodic Dynamic Threat Assessment",
          "control_description": "Sustainment Technologies Inc has an established threat assessment process to continuously analyze threats and disseminate the information appropriately.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": true,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:43:16.577Z",
          "updated_at": "2025-11-24T13:51:39.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2025-11-24T13:51:39.688Z",
          "evidence_count": 2,
          "evidence_details": [
            {
              "id": "DCF-185-evidence",
              "name": "Periodic Dynamic Threat Assessment (DCF-185)",
              "description": "This control has documented evidence of compliance in the Drata platform.",
              "type": "document",
              "source": "",
              "updated_at": "2025-11-24T13:51:39.000Z",
              "implementation_guidance": "Evidence has been collected and stored in Drata for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.189412+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            },
            {
              "id": "DCF-185-policy",
              "name": "Policy Documentation - Periodic Dynamic Threat Assessment (DCF-185)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:39.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.189419+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 609,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        },
        {
          "control_id": "DCF-180",
          "control_name": "Secure Information Transfer",
          "control_description": "Sustainment Technologies Inc has a defined process to ensure the secure transfer of information internally and externally.",
          "status": "passing",
          "compliant": true,
          "impact_reason": null,
          "flags": {
            "hasEvidence": false,
            "hasPolicy": true,
            "hasTicket": false,
            "isReady": true,
            "isMonitored": false,
            "hasOwner": false
          },
          "frameworks": [
            "CMMC",
            "NIST800171",
            "FEDRAMP"
          ],
          "created_at": "2023-03-21T16:42:44.309Z",
          "updated_at": "2025-11-24T13:51:40.000Z",
          "archived_at": null,
          "last_tested_at": "",
          "requirements_updated_at": "2026-01-22T18:29:15.000Z",
          "evidence_count": 1,
          "evidence_details": [
            {
              "id": "DCF-180-policy",
              "name": "Policy Documentation - Secure Information Transfer (DCF-180)",
              "description": "This control has associated policy which is approved and reviewed within the last 12 months.",
              "type": "policy",
              "source": "",
              "updated_at": "2025-11-24T13:51:40.000Z",
              "implementation_guidance": "Formal policies have been documented for this control.",
              "integrity": {
                "algorithm": "sha256",
                "generated_at": "2026-07-02T13:20:01.189425+00:00",
                "status": "not_applicable",
                "reason": "synthetic_control_evidence"
              }
            }
          ],
          "drata_control_id": 183,
          "stale_evidence_count": 0,
          "all_evidence_stale": false,
          "monitoring": {
            "total_tests": 0,
            "passed": 0,
            "failed": 0,
            "pending": 0,
            "pass_rate": 0.0,
            "has_monitoring": false,
            "last_test_run": null,
            "failed_tests": []
          }
        }
      ],
      "notes": "Sustainment Technologies' Vendor Management Policy and Risk Assessment Policy require automated monitoring of third-party software for upstream vulnerabilities. This is implemented through periodic dynamic threat assessments, quarterly vulnerability scans, vendor compliance reviews, contractor security requirements, and incident response team engagement for vendor-related security events. Drata monitors vulnerability scan execution, contractor compliance, and vendor access controls — while the employee disclosure process provides an additional channel for identifying supply chain risks.\n### Key Controls\n- [OK] Quarterly Vulnerability Scan (DCF-18)\n- [OK] Incident Response Team (DCF-29)\n- [OK] Employee Disclosure Process (DCF-9)\n- [OK] System Access Control Policy (DCF-10)\n- [OK] Contractor Requirements (DCF-40)\n- [OK] Risk Assessment Policy (DCF-15)\n- [OK] Vendor Management Policy (DCF-168)\n- [OK] Privileged and General User ID Authorization (DCF-334)\n- [OK] Periodic Dynamic Threat Assessment (DCF-185)\n- [OK] Secure Information Transfer (DCF-180)",
      "implementation_details": {
        "method": "drata-control-aggregation",
        "tools": [
          "drata_controls.json"
        ],
        "responsible_party": "Security Team",
        "review_frequency": "continuous"
      },
      "eval_period_hours": 4,
      "valid_until": "2026-07-02T17:19:57.196048+00:00",
      "ksi_name": "Monitoring Supply Chain Risk",
      "category": "SCR",
      "statement": "Automatically monitor third party software information resources for upstream vulnerabilities using mechanisms that may include contractual notification requirements or active monitoring services.",
      "reference_url": "https://www.fedramp.gov/docs/20x/key-security-indicators/supply-chain-risk/",
      "nist_controls": [
        "AC-20",
        "CA-3",
        "IR-6.3",
        "PS-7",
        "RA-5",
        "SA-9",
        "SI-5",
        "SR-5",
        "SR-6",
        "SR-8"
      ],
      "failure_conditions": {
        "conditional_check": "Sustainment monitors third-party software for upstream vulnerabilities through automated scanning, periodic dynamic threat assessments, and defined contractor security requirements.",
        "failure_condition": "A known vulnerability in a third-party dependency not patched within the defined SLA, failure to conduct quarterly vulnerability scans, or failure to assess dynamic threats will cause a failure of the test. Additionally, a vendor management policy, risk assessment policy, contractor requirements, an incident response team, an employee disclosure process, and secure information transfer controls must be in place to ensure supply chain vulnerabilities are detected and remediated promptly."
      },
      "monitoring": {
        "total_tests": 9,
        "passed": 9,
        "failed": 0,
        "controls_with_monitoring": 7,
        "monitoring_coverage": 63.6,
        "test_pass_rate": 100.0,
        "has_failures": false,
        "failed_test_summary": []
      }
    }
  ],
  "mapping_diagnostics": {
    "mapping_source_precedence": "config",
    "ksis_scanned": 61,
    "resolved_count": 60,
    "missing_config": 1,
    "missing_required_controls": 0,
    "missing": [
      "template"
    ],
    "metric_targets": {
      "source": "config_json",
      "ksis_scanned": 60,
      "ksis_with_metric_targets": 0,
      "ksis_with_ksi_metric_target": 0,
      "pairs_with_targets": 0,
      "drata_pairs_with_targets": 0,
      "fedramp_pairs_with_targets": 0,
      "metric_targets_loaded": 0,
      "ksi_metric_targets_loaded": 0,
      "controls_with_metric_targets": 0,
      "metric_targets_attached": 0,
      "ksi_controls_with_metric_targets": 0,
      "ksi_metric_targets_attached": 0
    }
  }
}