Skip to content

Compliance mapping — SOC 2 + FedRAMP Moderate

This is the input an operator brings to their auditor, not a certification claim. Zion is a component; the certified system is the operator's deployment that runs Zion. The tables below name the controls each framework asks about and split each into:

  • Where Zion satisfies it — the in-binary code path, workflow file, or shipped artefact that addresses the control.
  • Operator-side residual — the deployment-level evidence the auditor will still ask the operator to produce (KMS rotation schedule, on-call runbooks, identity-provider integration, etc).
  • Out of scope — controls Zion deliberately doesn't address (and why), so the operator can document the boundary cleanly.

Cross-references:


SOC 2 — Trust Service Criteria

The 2017 AICPA TSC are organised under five categories: Security (CC), Availability (A), Confidentiality (C), Processing integrity (PI), Privacy (P). Privacy (P) is service-specific (PII handling) and depends on what data the upstream application processes — Zion as a proxy doesn't store business-PII, so P is operator-side. Each row below names the relevant criterion, what Zion satisfies, and what the operator owns.

CC — Common Criteria (Security)

TSCRequirementWhere Zion satisfies itOperator-side residual
CC1.1Integrity & ethical values codifiedApache-2.0 LICENSE, CONTRIBUTING.md, DCO sign-off gateOperator publishes their own code-of-conduct + reviewer policy
CC2.1Risk-relevant information communicateddocs/security/threat-model.md, asvs.md, structured boot log + /metricsOperator runbook covers escalation paths
CC3.1Risks identified & analysedSTRIDE table covers all 10 surfaces incl. the v0.2.x mesh addendum (§10)Risk register for the deployment topology (HA, DR)
CC4.1Internal monitoringOpenMetrics on /metrics (latency histograms, counters, exemplars), audit log (HMAC-chained, JSON-Lines)SIEM ingest; alert thresholds; incident runbook
CC5.1Control activities mitigate riskWAF gates, rate limit, mTLS, audit log, panic hookOperator's WAF profile choice + rate-limit tuning
CC6.1Logical access — authenticationmTLS (client cert validation, tls.rs); JWT/OIDC under --features authIdentity provider, key rotation, access-review schedule
CC6.2Logical access — provisioningInternal-only endpoints (/metrics, /_zion/*) gated by IP allowlistLDAP/SCIM provisioning
CC6.3Logical access — least privilegeDistroless image, UID 65532 non-root, dropped capabilities, seccompProfile=RuntimeDefault (Helm chart)Pod-level NetworkPolicies, RBAC bindings
CC6.6Boundary protectionTLS 1.3 only (tls.rs), internal_only route flag, security headers (security.rs)Edge firewall, DDoS scrubbing service
CC6.7Restrict mobile + storage mediaN/A — Zion has no client / storage component
CC6.8Detection of unauthorized actionsAudit log records auth_failure / waf_block / config_reload / admin_access; /metrics exposes zion_waf_denied, zion_rate_limitedSIEM correlation rules; on-call paging
CC7.1Vulnerability identificationcargo-audit, cargo-deny, cargo-vet, cargo-geiger workflows in supply-chain.yml; CodeQL workflowCVE triage cadence, patching SLA
CC7.2Anomaly detectionLatency histograms with exemplars, panic hook last-gasp fileOperator-side log aggregation + alerting
CC7.3Incident response processPanic hook persists root cause; audit log preserves the trailOperator IR plan + runbooks
CC7.4Recovery from incidentHot-reload of TLS + config without restart (ADR-0001)Backup/DR procedures
CC8.1Change managementSigned commits, branch protection, mandatory CI on PR (clippy across feature matrix, MSRV, integration tests, supply-chain)Production change-approval process
CC9.1Risk mitigation in vendor relationshipsSBOM (CycloneDX) per release; pinned crate hashes in Cargo.lockVendor-risk reviews, contractual provisions

A — Availability

TSCRequirementWhere Zion satisfies itOperator-side residual
A1.1Capacity planningbootstrap::Platform.tier_score() projects throughput; criterion microbench harness publishes per-component baselines under benchmarks/results/criterion/baseline.jsonLoad testing against the operator's actual upstream + traffic mix
A1.2Environmental protectionsN/A in softwareDatacentre / cloud-provider SLAs
A1.3Recovery testingChaos suite (tests/chaos.rs) covers audit-queue overflow, panic recovery, TCP-reset mid-readOperator DR drills

C — Confidentiality

TSCRequirementWhere Zion satisfies itOperator-side residual
C1.1Identification of confidential information[redact] config policy (audit.rs) — headers + query params marked sensitive are redacted in audit + access-log pathsOperator chooses [redact] keys per data-classification policy
C1.2Disposal of confidential informationAudit log rotation handled by operator's logrotate (Zion does not retain in-memory state across restart by design)Retention schedule, deletion procedures

PI — Processing Integrity

TSCRequirementWhere Zion satisfies itOperator-side residual
PI1.1Quality of input dataWAF 5-gate pipeline (waf.rs): size, content-type, Aho-Corasick scan (raw + decoded), entropy, JSON structuralApplication-side schema validation
PI1.5Records protected from unauthorised modificationHMAC-SHA256-chained audit log (ADR-0004); Cargo.lock + cosign-signed releasesAudit-log key custody (HSM / KMS)

FedRAMP Moderate baseline (NIST 800-53 rev5)

Scoped to the control families relevant to an L7 reverse proxy: AC (Access Control), AU (Audit and Accountability), CM (Configuration Management), IA (Identification and Authentication), SC (System and Communications Protection), SI (System and Information Integrity), and SA (System and Services Acquisition, where it touches build provenance).

AC — Access Control

ControlRequirementWhere Zion satisfies itOperator-side residual
AC-2Account managementmTLS leaf SHA-256 fingerprint forwarded as X-Client-Cert-Fingerprint for upstream identity bindingIdentity-provider integration, account lifecycle
AC-3Access enforcementPer-route auth_profile gate (--features auth); per-route internal_only IP allowlistRBAC at upstream
AC-4Information flow enforcementTrusted-proxy / xff_mode policy (config.rs); CORS allowlistEgress firewall
AC-7Unsuccessful logon attemptsPer-IP rate limiter (security.rs); audit auth_failure eventsLockout / step-up auth at IdP
AC-12Session terminationTLS session ticket lifetime (rustls default); idle connection timeout per accepted stream
AC-17Remote accessTLS 1.3 mandatory on [server.listen_https]; mTLS optionalVPN / bastion if required

AU — Audit and Accountability

ControlRequirementWhere Zion satisfies itOperator-side residual
AU-2Auditable eventsAudit kinds: auth_success, auth_failure, config_reload, request_blocked, admin_access, panic, mesh_publish, mesh_receive (ADR-0004)Retention policy
AU-3Content of audit recordsEach event carries kind, ts, trace_id, remote_ip, method, path, detail + HMAC chain links
AU-6Audit review, analysis, and reportingAudit log is JSON-Lines, ingestible by any SIEMDetection rules, analyst workflow
AU-9Protection of audit informationHMAC-SHA256 chain breaks on any single tampered line (ADR-0004)Chain-key (ZION_AUDIT_HMAC_KEY) stored outside the host (KMS / sealed secret)
AU-10Non-repudiationHMAC chain + per-event signature; mesh claims additionally Ed25519-signed
AU-12Audit generationBounded mpsc writer with overflow counter (zion_audit_events_dropped_total)Disk capacity monitoring

CM — Configuration Management

ControlRequirementWhere Zion satisfies itOperator-side residual
CM-2Baseline configurationzion.toml is the single source of truth; zion.example.toml is the documented baselineOperator's GitOps-managed baseline
CM-3Configuration change controlHot-reload watcher (notify-rs) + structured config_reload audit events; failed reloads rolled back to last good snapshotChange-approval workflow
CM-6Configuration settingsAll settings live in zion.toml + env vars; no hidden runtime mutationOperator's CIS-benchmark mapping
CM-7Least functionalityAll optional features (acme, auth, http3, tui, ktls, numa-aware, ml-waf, sovereign-aimp) are off by defaultOperator opts in only to features they need
CM-8System component inventoryCycloneDX SBOM per release artefact; SLSA in-toto attestationOperator merges SBOM into asset inventory

IA — Identification and Authentication

ControlRequirementWhere Zion satisfies itOperator-side residual
IA-2Identification & authentication (org users)mTLS leaf cert validation; JWT/OIDC validation under --features authIdP integration
IA-5Authenticator managementTLS 1.3 session tickets via Ticketer (tls.rs); cert + key hot-reload via notifyCert lifecycle (renewal, revocation distribution)
IA-7Cryptographic module authenticationaws-lc-rs backend (FIPS 140-3 path under --features fips)FIPS module activation in the deployment if required
IA-9Service identification & authenticationAIMP node identity Ed25519 keypair persisted under [sovereign_aimp].identity_path (when --features sovereign-aimp); node_id is the public keyIdentity backup, rotation cadence

SC — System and Communications Protection

ControlRequirementWhere Zion satisfies itOperator-side residual
SC-7Boundary protectionHTTPS-only listener mandatory; HTTP listener optional + redirectEdge firewall, WAF profile choice
SC-8Transmission confidentiality and integrityTLS 1.3 AEAD ([TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256])TLS conformance evidence (tls-conformance.md)
SC-12Cryptographic key establishmentrustls 0.23 + aws-lc-rs default groups (X25519, secp256r1, secp384r1)Key escrow if required
SC-13Cryptographic protectionaws-lc-rs primitives; --features fips for FIPS-validated build (fips.md)FIPS attestation in deployment if required
SC-17Public Key Infrastructure certificatesACME issuance under --features acmeCert-authority choice; revocation distribution
SC-23Session authenticityTLS 1.3 ticket signing; mTLS client cert SHA-256 forwarded
SC-28Protection of information at restN/A — Zion is stateless across restart by design (caches are volatile)Application-side encryption-at-rest

SI — System and Information Integrity

ControlRequirementWhere Zion satisfies itOperator-side residual
SI-2Flaw remediationDaily cargo-audit + cargo-deny runs (supply-chain.yml); CodeQL scheduled scansCVE response SLA
SI-3Malicious code protectionWAF Aho-Corasick patterns (waf.rs); ML-WAF scoring under --features ml-wafEDR / antimalware on the host
SI-4System monitoringOpenMetrics on /metrics; structured tracing via tracing crate (ADR-0006)SIEM, on-call rotation
SI-7Software, firmware, and information integritySLSA Level 3 build provenance via Sigstore + Rekor; cosign keyless signature on container; HMAC-chained audit logImage-pull policy + signature verification at admission
SI-10Information input validationWAF 5-gate pipeline (waf.rs); simd-json structural validationApplication-side schema
SI-11Error handlingPanic hook last-gasp file; structured error type (error.rs)Alert on zion_panics_total

SA — System and Services Acquisition (build provenance)

ControlRequirementWhere Zion satisfies itOperator-side residual
SA-12Supply chain risk managementcargo-vet workflow (gated by supply-chain/audits.toml); SBOM + SLSA per release; OSSF Scorecard public badgeVendor-risk acceptance for the upstream crates' authors
SA-15Development process, standards, and toolsBranch-protected master, mandatory CI matrix (clippy across all features, MSRV 1.82, integration tests, supply-chain audits) on every PROperator's own SDLC

Out of scope

Zion does not address — and the operator's auditor should NOT expect it to — the following control families:

  • Physical and environmental protection (PE) — datacentre / cloud-provider responsibility.
  • Maintenance (MA) — host-level patching is operator-side.
  • Personnel security (PS) — organisational, not software.
  • Awareness and training (AT) — organisational.
  • Privacy (P) TSC criteria — Zion is a stateless proxy; it does not store or process business-PII. Privacy obligations attach to the upstream application, not to Zion.
  • Continuous monitoring at the SIEM/SOAR layer — Zion provides the signals (/metrics, audit log, tracing); the SIEM is operator- side.

How to use this document

  1. Auditor asks "show me your evidence for AU-9".
  2. Operator hands them this row + the ADR-0004 link + the audit log sample.
  3. Auditor asks "show me your operator-side audit-log key custody evidence".
  4. Operator hands them their KMS rotation log + sealed-secret manifest. That part is not in this document.

The boundary is deliberate — the system being certified is the operator's deployment, not Zion.

Update procedure

When a PR adds a new feature with compliance-relevant surface (a new audit kind, a new auth path, a new boundary) the same PR should add or update a row here, citing the code path that satisfies it. Reviewers catch drift via the diff.

Released under the MIT License.