Compliance

Security & Compliance Posture.
Built for the audit-ready team.

Lockzero is built for the compliance-conscious developer. SOC 2 Type II is in progress. NIST 800-171 / CMMC Level 1 alignment is in place today.

SOC 2 Type II
In Progress
CMMC Level 1
Self-Attested ✓
CMMC Level 2 (key controls)
Self-Attested ✓
NIST 800-171 (54 controls)
47 implemented
Encryption at rest
AES-256-GCM / KMS
Password hashing
Argon2id + HIBP
Account lockout
10 failures → 30 min
Password history
Last 12 blocked
CMMC 2.0

CMMC Level 1 — All 17 Practices Implemented

CMMC Level 1 covers 17 practices from FAR 52.204-21 focused on basic safeguarding of Federal Contract Information (FCI). All 17 are implemented in Lockzero’s platform today.

AC.L1-3.1.1Limit access to authorized users
AC.L1-3.1.2Limit transactions to authorized functions
AC.L1-3.1.20Control/verify external connections
AC.L1-3.1.22Control CUI posted publicly
IA.L1-3.5.1Identify users, processes, devices
IA.L1-3.5.2Authenticate identities before access
MP.L1-3.8.3Sanitize media before disposal
PE.L1-3.10.1Limit physical access (AWS-managed)
PE.L1-3.10.2Escort visitors (AWS-managed)
PE.L1-3.10.3Audit physical access logs (AWS)
PE.L1-3.10.4Manage physical access devices (AWS)
PE.L1-3.10.5Protect/monitor facility (AWS)
SC.L1-3.13.1Monitor/control external communications
SC.L1-3.13.5Implement subnetworks for CUI
SI.L1-3.14.1Identify and correct information flaws
SI.L1-3.14.2Protect against malicious code
SI.L1-3.14.3Update malicious code protection
NIST SP 800-171

Full Control Implementation Matrix

Mapped to NIST SP 800-171 Rev 2 — the framework underlying CMMC Level 2.

Implemented47 controls
Partial7 partial
Planned0 planned

3.1 Access Control

3.1.1
Authorized access
Session-cookie + API-key auth; workspace RBAC (owner / admin / operator / viewer). All routes require authentication.
Implemented
3.1.2
Transaction privilege
Role-gated routes; step-up re-auth for sensitive mutations; API keys scoped to specific namespaces.
Implemented
3.1.3
CUI flow control
isCUI flag on every secret. CUI-tagged credentials are marked, filterable, and exportable separately for auditors.
Implemented
3.1.5
Least privilege
API keys are namespace-scoped; per-IDE MCP keys; viewer role read-only by default.
Implemented
3.1.8
Unsuccessful login limit
Redis-backed account lockout: 10 failures in 15 min → 30-min lockout. Counter clears on successful auth.
Implemented
3.1.9
Privacy & security notice
Login page displays: 'This is a controlled system. All access is monitored, logged, and audited. Unauthorized use is prohibited.'
Implemented
3.1.10
Session lock after inactivity
25-min idle warning modal; auto-logout at 30 min. All session activity (mousemove, keydown, click) resets the timer.
Implemented
3.1.11
Session termination
Sessions expire after 30 days max; immediate revocation on logout, password change, and admin revoke-all action.
Implemented
3.1.12
Remote access monitoring
Every authenticated request is audit-logged with actor, IP, user-agent, and timestamp.
Implemented
3.1.13
Remote access encryption
All traffic over TLS 1.2+; HSTS preload (2-year max-age); no unencrypted HTTP accepted.
Implemented
3.1.14
Remote access routing
Proxy traffic routes through Lockzero vault; client never receives the raw credential.
Implemented
3.1.20
External system connections
Provider allowlist in proxy (no dynamic URLs); explicit inbound/outbound routing enforced by Caddy.
Implemented

3.3 Audit & Accountability

3.3.1
Audit logging
Every create/read/update/delete writes an immutable audit event with actor, IP, user-agent, entity ID, and timestamp.
Implemented
3.3.2
User accountability
Audit logs keyed to actorUserId; API-key calls attributed to the per-key ID, not the user.
Implemented
3.3.5
Audit log review
SIEM webhook (CloudEvents format); anomaly detector fires critical alerts on unusual patterns.
Implemented
3.3.7
Authoritative time source
All timestamps are UTC from the database server; no client-supplied timestamps are accepted.
Implemented
3.3.8
Audit log protection
Hash-chained audit log (SHA-256 prev-hash linkage); S3 WORM archiving with integrity verification.
Implemented
3.3.9
Audit management controls
Audit export endpoint restricted to owner/admin role. All export actions are themselves logged.
Implemented

3.4 Configuration Management

3.4.1
Baseline configuration
docker-compose IaC; git-tracked config; all secrets in vault; no manual server changes in production.
Implemented
3.4.2
Configuration change control
All config changes require a pull request; deployment writes audit event (deployment_completed).
Implemented
3.4.6
Least functionality
Provider allowlist in proxy (no dynamic URLs); explicit firewall rules; Permissions-Policy header disables camera/mic/geolocation.
Implemented

3.5 Identification & Authentication

3.5.1
User identification
All users uniquely identified by email + UUID; no shared accounts; OAuth provider ID stored for SSO users.
Implemented
3.5.2
Device authentication
Session JWTs (30-day max); refresh token rotation on every use; immediate revocation on logout.
Implemented
3.5.3
Multi-factor auth
TOTP MFA available to all users via authenticator app; backup codes (Argon2id-hashed) for recovery.
Implemented
3.5.4
Replay-resistant auth
PKCE on OAuth flows; refresh tokens are single-use (rotated on redemption); CSRF tokens on all state-changing requests.
Implemented
3.5.7
Password complexity
12-char minimum; requires uppercase, lowercase, digit, and special character. HIBP k-anonymity breach check on every set/change.
Implemented
3.5.8
Password reuse prevention
Last 12 password hashes stored per user (Argon2id). Any new password matching a stored hash is rejected.
Implemented
3.5.10
Password hashing
Argon2id (argon2id variant) with per-user salt; memory-hard; never stored in plaintext or reversible encoding.
Implemented
3.5.11
Obscure auth feedback
Login returns identical error for invalid user vs invalid password. Lockout message reveals only TTL, not failure count.
Implemented

3.6 Incident Response

3.6.1
Incident response capability
Alert system with severity tiers (info/warning/critical); n8n webhook for incident escalation to on-call.
Implemented
3.6.2
Incident reporting
Anomaly detector fires critical alerts within seconds of detection; brute-force detection on 5+ IP failures.
Implemented
3.6.3
Incident response testing
Alert system tested via anomaly injection. Formal tabletop exercise planned pre-SOC 2 certification.
Partial

3.7 Maintenance

3.7.5
Nonlocal maintenance MFA
SSH access to production requires key-based auth. MFA for SSH via PAM is planned for CMMC L2.
Partial

3.11 Risk Assessment

3.11.1
Risk assessment
Risk register module tracks organizational risks with likelihood/impact scoring. Annual formal assessment planned.
Partial
3.11.2
Vulnerability scanning
Dependabot automated dependency alerts; Findings module tracks posture items. Third-party pen test planned pre-SOC 2.
Partial
3.11.3
Vulnerability remediation
Automated dependency bumps via Dependabot; security findings tracked to closure in Findings module.
Implemented

3.12 Security Assessment

3.12.1
Periodic assessment
SOC 2 Type II readiness assessment underway. Annual third-party pen test planned.
Partial
3.12.3
Security plan monitoring
Anomaly detection job runs every 5 minutes; continuous monitoring with alert dispatch.
Implemented
3.12.4
System security plan
This compliance page documents controls. Formal SSP document in progress for SOC 2 package.
Partial

3.13 System & Communications Protection

3.13.1
Boundary protection
Caddy reverse proxy with TLS termination; CSP, HSTS (2yr preload), X-Frame-Options DENY, Referrer-Policy, Permissions-Policy.
Implemented
3.13.3
Separate user/system functions
CUI flag on secrets; API keys namespace-scoped; admin functions on separate role-gated routes.
Implemented
3.13.5
Public-access safeguards
Public routes are read-only metadata; all write operations require auth + CSRF token.
Implemented
3.13.8
Encryption in transit
TLS 1.2+ enforced everywhere via Caddy; HSTS preload with 2-year max-age on all domains.
Implemented
3.13.10
Key management
AWS KMS envelope encryption; data keys derived per-secret; KMS manages key rotation; keys never in logs or responses.
Implemented
3.13.11
FIPS-approved crypto
AES-256-GCM + SHA-256 are FIPS 140-2 approved algorithms. FIPS 140-2 validated module pending for Enterprise tier.
Partial
3.13.12
Collaborative device control
Permissions-Policy header: camera=(), microphone=(), geolocation=(). No collaborative device access possible.
Implemented
3.13.13
Mobile code control
Strict CSP: script-src 'self'; no external script sources; no eval() in production.
Implemented
3.13.15
Session authenticity
CSRF double-submit pattern; SameSite=Strict cookies; HttpOnly; Secure flag enforced.
Implemented
3.13.16
CUI at rest
All secret values encrypted with AES-256-GCM before storage; envelope key in AWS KMS; encryption key never stored with data.
Implemented

3.14 System & Information Integrity

3.14.1
Flaw remediation
Automated Dependabot alerts; security findings surfaced in Findings module; patches applied within defined SLA.
Implemented
3.14.3
Security alerts & monitoring
Real-time anomaly detection; SIEM CloudEvents webhook; alert dispatch for critical events within seconds.
Implemented
3.14.4
Malicious code protection
Input validated with Zod at every API boundary; no eval(); strict CSP; honeypot API keys detect vault compromise.
Implemented
3.14.6
System monitoring
Health probe job + daily snapshot job; uptime monitoring with PagerDuty-compatible alert escalation.
Implemented
3.14.7
Unauthorized use detection
Honeypot API keys; access review notifier; anomaly detector on unusual call patterns; brute-force IP detection.
Implemented
Beyond the Checklist

Additional Security Practices

Honeypot API Keys
Deploy canary keys that look real. Any call to a honeypot fires a critical alert instantly — the only way they can be called is if your vault is compromised.
Hash-Chained Audit Log
Every audit event includes the SHA-256 hash of the previous event. Any tampering breaks the chain and is detectable on demand by auditors.
WORM S3 Archive
Audit archives are written to S3 with object lock (Write Once, Read Many). Once written, no principal — including root — can delete or overwrite them.
HIBP Breach Check
Every password set or changed is checked against Have I Been Pwned's 800M+ breach list using k-anonymity (the full hash never leaves your server).
Password History (12)
The last 12 password hashes are stored per user. Any new password matching a prior one is rejected, preventing credential cycling attacks.
Account Lockout
10 failed login attempts within 15 minutes triggers a 30-minute lockout. The lockout is Redis-backed and shared across all API instances.
CUI Tagging
Mark any secret as Controlled Unclassified Information (CUI). Tagged secrets are highlighted in the UI and filterable for CMMC reporting.
Session Idle Timeout
25-minute idle warning; automatic logout at 30 minutes of inactivity. CMMC AC.L2-3.1.10 compliant with a visible countdown and "Stay logged in" option.
SIEM Integration
All audit events fire as CloudEvents webhooks to your SIEM. Integrate with Datadog, Splunk, Elastic, or any webhook-capable platform.
Anomaly Detection
Automated behavioral analysis runs every 5 minutes. Unusual call volumes, off-hours access, and failed auth spikes trigger immediate alerts.
Zero-Downtime Rotation
Secret rotation creates a new key, validates it, updates consumers, then revokes the old key. Full rollback available at any step.
Namespace Scoping
API keys can be locked to specific namespaces. An MCP key for your frontend project cannot touch your billing secrets.
For Auditors

Audit Evidence Export

Export a full CSV of your audit log for any date range directly from the API:

GET /audit/export?from=2025-01-01&to=2025-12-31
Authorization: Bearer <your-api-key>
Accept: text/csv

# Returns CSV: id, actorUserId, action, entityType, entityId, ipAddress, createdAt
# Requires owner or admin role. Max 10,000 rows per request.

Enterprise plans include direct S3 audit archive access and automated WORM export scheduling.

Need a compliance packet?

SOC 2 reports, NIST 800-171 SSP, pen test results, and custom DPAs are available for Enterprise plans.

Contact security@lockzero.ioView Enterprise
Compliance & Security Posture — Lockzero | Lockzero