TRACE

Built for the
audit you will be asked for.

TRACE’s entire reason for being is to produce a defensible chain-of-custody record. Every architectural decision optimizes for tamper evidence and auditability — starting at the AWS account boundary and going down to the tag-level X.509 certificate.

FedRAMP High
In flight · target authorization Q4
NIST 800-53 Rev 5
Active controls baseline
NIST 800-171 R3
Aligned
DFARS 252.204-7012
Aligned · audit support via TRACE blockchain
CMMC Level 2
On the roadmap, paired with sibling FORCE
AWS GovCloud us-gov-east-1
Production region
FIPS 140-3
All endpoints
Object Lock GOVERNANCE · 7 years
CloudTrail + audit log buckets

Controls

Each block below maps to a NIST 800-53 control family. Full control inheritance is documented in the FedRAMP package; this is the operator-facing summary.

AC · Account isolation

TRACE deploys to its own AWS account inside the BigOne Platforms organization. It does not share IAM, Cognito, or Secrets Manager with FORGE or any sibling product.

AU · Tamper-evident audit logging

CloudTrail captures management events plus Lambda, DynamoDB, and S3 data events. The audit log bucket uses S3 Object Lock in GOVERNANCE mode with a 7-year retention period (DoD audit requirement). Caveat for operators and assessors: GOVERNANCE mode blocks deletion and retention shortening only for principals that lack the s3:BypassGovernanceRetention permission. A principal that holds it, typically an administrator, can still remove a locked object version (CloudTrail will record the bypass). If the control objective is that no credential, the account root included, can delete within the retention window, COMPLIANCE mode is the setting that provides it, so the IAM policies that grant the bypass permission are what an auditor should ask to see. Tamper evidence of the trail itself comes from CloudTrail log file validation (signed digest files), which should be enabled on the trail alongside Object Lock on the bucket.

IA · Hardware-rooted tag identity

Every IoT tag carries a unique X.509 certificate provisioned at manufacture. Certificate revocation cuts a tag off within 60 seconds. The IoT policy restricts each certificate to its own token-id topic prefix.
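The per-certificate scoping described above is normally done in AWS IoT with a single policy document that uses the thing-name policy variable, which AWS resolves per connection from the MQTT client ID. The following is an added example, not TRACE's own policy: it builds such a document for the page's GovCloud region and includes a small offline evaluator that mimics how AWS IoT would answer three requests, including the failure mode where a certificate attached to one tag connects under another tag's client ID. The account id and the trace/<token-id>/... topic layout are assumptions (the page says only "token-id topic prefix").

```python
import re

# Region from the page; the account id is a placeholder, not a real account.
REGION = "us-gov-east-1"
ACCOUNT = "123456789012"
ARN_BASE = f"arn:aws-us-gov:iot:{REGION}:{ACCOUNT}"   # GovCloud partition
THING_VAR = "${iot:Connection.Thing.ThingName}"


def tag_policy() -> dict:
    """One policy document attached to every tag certificate.

    AWS IoT resolves the thing-name variable per connection, so the same
    document scopes each certificate to its own client ID and topic prefix.
    Assumed topic layout: trace/<token-id>/... (not stated on the page)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["iot:Connect"],
             "Resource": [f"{ARN_BASE}:client/{THING_VAR}"]},
            {"Effect": "Allow", "Action": ["iot:Publish"],
             "Resource": [f"{ARN_BASE}:topic/trace/{THING_VAR}/*"]},
            {"Effect": "Allow", "Action": ["iot:Subscribe"],
             "Resource": [f"{ARN_BASE}:topicfilter/trace/{THING_VAR}/cmd"]},
            {"Effect": "Allow", "Action": ["iot:Receive"],
             "Resource": [f"{ARN_BASE}:topic/trace/{THING_VAR}/cmd"]},
        ],
    }


def topic_arn(topic: str) -> str:
    return f"{ARN_BASE}:topic/{topic}"


def topicfilter_arn(topic_filter: str) -> str:
    return f"{ARN_BASE}:topicfilter/{topic_filter}"


def client_arn(client_id: str) -> str:
    return f"{ARN_BASE}:client/{client_id}"


def _arn_match(pattern: str, arn: str) -> bool:
    """IoT policy resources allow '*' as a wildcard; it also matches '/'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, arn) is not None


def is_allowed(policy: dict, attached_thing: str, client_id: str,
               action: str, resource: str) -> bool:
    """Offline approximation of AWS IoT policy evaluation for one request.

    The thing-name variable resolves only when the connecting client ID names
    the thing the certificate is attached to; otherwise it stays unresolved and
    every statement that uses it fails to match. An explicit Deny wins."""
    thing = client_id if client_id == attached_thing else None
    allowed = False
    for stmt in policy["Statement"]:
        if action not in stmt["Action"]:
            continue
        for res in stmt["Resource"]:
            if THING_VAR in res:
                if thing is None:
                    continue
                res = res.replace(THING_VAR, thing)
            if _arn_match(res, resource):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    pol = tag_policy()
    # Own prefix: allowed. Sibling's prefix: denied. Wrong client ID: denied.
    print(is_allowed(pol, "tok-0001", "tok-0001", "iot:Publish", topic_arn("trace/tok-0001/location")))
    print(is_allowed(pol, "tok-0001", "tok-0001", "iot:Publish", topic_arn("trace/tok-0002/location")))
    print(is_allowed(pol, "tok-0001", "tok-0002", "iot:Connect", client_arn("tok-0002")))
```

The Subscribe statement uses a topicfilter ARN while Publish and Receive use topic ARNs; mixing those up is the most common way a per-device policy ends up either too loose (a `#` subscription slips through) or silently non-functional.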

SC · Cryptography

TLS 1.2 minimum on all data in transit. AWS-managed KMS encryption at rest for every DynamoDB table, S3 bucket, and Secrets Manager entry. FIPS 140-3 validated endpoints throughout the GovCloud deployment.

CM · Infrastructure as code only

Every AWS resource is defined in AWS CDK v2. Nothing is created manually in the console. AWS Config managed rules flag non-compliant resource state regardless of how it came to exist (hand-made or drifted), including encrypted-volumes, iam-no-inline-policy-check, and s3-bucket-public-write-prohibited. Config rules report on resource properties, not on whether a resource matches its stack template; for the latter, CloudFormation drift detection against the CDK-synthesized templates is the check an assessor would ask about.

SI · Continuous monitoring

GuardDuty (account-wide), Security Hub (NIST 800-53 Rev 5 standard), Macie (S3 sensitive-data discovery), Inspector v2 (Lambda + ECR vulnerability scanning). High-severity findings escalate within 30 days; critical within 7.
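The escalation windows above are easy to state and easy to miss in practice unless something computes them from the findings themselves. The following is an added example, not TRACE's own tooling: it takes findings in the ASFF shape that Security Hub returns (Severity.Label, CreatedAt, Workflow.Status), derives the escalation deadline from the page's 7-day and 30-day windows, skips findings already resolved or suppressed, and lists the open ones that are past due. The sample findings and the "now" timestamp are constructed; MEDIUM and LOW have no window on the page, so they get no deadline (an assumption, not a page statement).

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Escalation windows from the page. MEDIUM/LOW have no stated window, so
# findings at those severities are listed without a deadline (assumption).
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30}
OPEN_STATUSES = {"NEW", "NOTIFIED"}   # ASFF Workflow.Status values still open


def _parse_ts(ts: str) -> datetime:
    # ASFF timestamps are ISO 8601 with a trailing 'Z'.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def escalation_deadline(finding: dict) -> Optional[datetime]:
    """Deadline by which the finding must be escalated, or None if no SLA applies."""
    days = SLA_DAYS.get(finding["Severity"]["Label"])
    if days is None:
        return None
    return _parse_ts(finding["CreatedAt"]) + timedelta(days=days)


def deadline_iso(finding: dict) -> Optional[str]:
    """Same as escalation_deadline but as an ISO string, for reports/alarms."""
    deadline = escalation_deadline(finding)
    return deadline.isoformat() if deadline else None


def overdue_findings(findings: List[dict], now: datetime) -> List[str]:
    """IDs of still-open findings whose deadline has passed, oldest deadline first."""
    late = []
    for f in findings:
        if f.get("Workflow", {}).get("Status", "NEW") not in OPEN_STATUSES:
            continue
        deadline = escalation_deadline(f)
        if deadline is not None and now > deadline:
            late.append((deadline, f["Id"]))
    return [fid for _, fid in sorted(late)]


# Constructed sample findings in the ASFF shape Security Hub returns.
SAMPLE_FINDINGS = [
    {"Id": "f-crit-old", "Severity": {"Label": "CRITICAL"},
     "CreatedAt": "2025-01-01T00:00:00.000Z", "Workflow": {"Status": "NEW"}},
    {"Id": "f-crit-new", "Severity": {"Label": "CRITICAL"},
     "CreatedAt": "2025-01-10T00:00:00.000Z", "Workflow": {"Status": "NEW"}},
    {"Id": "f-high-old", "Severity": {"Label": "HIGH"},
     "CreatedAt": "2024-12-01T00:00:00.000Z", "Workflow": {"Status": "NOTIFIED"}},
    {"Id": "f-high-resolved", "Severity": {"Label": "HIGH"},
     "CreatedAt": "2024-11-01T00:00:00.000Z", "Workflow": {"Status": "RESOLVED"}},
    {"Id": "f-med-old", "Severity": {"Label": "MEDIUM"},
     "CreatedAt": "2024-06-01T00:00:00.000Z", "Workflow": {"Status": "NEW"}},
]
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)   # constructed evaluation time

if __name__ == "__main__":
    for fid in overdue_findings(SAMPLE_FINDINGS, NOW):
        print("overdue:", fid)
```

In production the finding list would come from the Security Hub GetFindings API (paginated, filtered on WorkflowStatus), and the output would feed a CloudWatch metric or ticket rather than stdout; the deadline logic is the part that should be unit-tested, since that is where the 7-versus-30 mistake would hide.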

Data handling

  • Location data: 90-day TTL in the hot DynamoDB location-history table. Permanent custody records are in a separate table with no TTL.
  • EMCON events: permanent. Never deleted. Never summarized. A CloudWatch alarm fires if the EMCON dead-letter queue depth ever exceeds 0, so a failed write is surfaced rather than silently lost.
  • PII / coordinates: never logged to CloudWatch. Per implementation rule §3, log statements carry token IDs, event types, and error codes only — never positions or custodian names.
  • Reports: stored encrypted in S3 with KMS, surfaced only via 1-hour presigned URLs. Reports are never emailed or stored unencrypted, per Phase 2 implementation rule §5.
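The logging rule above (token IDs, event types, and error codes only) is only as strong as the code path that builds log lines, so the safe move is to enforce it at the formatter rather than rely on every call site. The following is an added example, not TRACE's own implementation: an allowlist-based record scrubber plus a formatter for Python's standard logging module that drops any structured field outside the allowlist and redacts coordinate-looking pairs from free-text messages. The field names, the sample event and the coordinate pattern are all constructed for the example.

```python
import json
import logging
import re
from typing import List, Tuple

# The only structured fields a log statement may carry (data-handling rule).
ALLOWED_FIELDS = frozenset({"token_id", "event_type", "error_code"})

# Constructed pattern: decimal lat/lon pairs such as "38.897957, -77.036560".
_COORD_PAIR = re.compile(r"-?\d{1,2}\.\d{3,}\s*,\s*-?\d{1,3}\.\d{3,}")


def scrub_fields(fields: dict) -> Tuple[dict, List[str]]:
    """Keep only allowlisted keys; return (kept, sorted names of dropped keys).

    An allowlist, not a denylist: a new field such as 'custodian_phone' is
    excluded without anyone having to remember to add it."""
    kept = {k: v for k, v in fields.items() if k in ALLOWED_FIELDS}
    dropped = sorted(k for k in fields if k not in ALLOWED_FIELDS)
    return kept, dropped


def scrub_message(msg: str) -> str:
    """Redact anything that looks like a coordinate pair in free text."""
    return _COORD_PAIR.sub("[coord]", msg)


def safe_record(level: str, msg: str, **fields) -> dict:
    """The record that is safe to send to CloudWatch Logs."""
    kept, dropped = scrub_fields(fields)
    record = {"level": level, "msg": scrub_message(msg), **kept}
    if dropped:
        # Note that something was removed, but never what it contained.
        record["dropped_fields"] = dropped
    return record


def build_log_line(level: str, msg: str, **fields) -> str:
    return json.dumps(safe_record(level, msg, **fields), sort_keys=True)


class PiiSafeFormatter(logging.Formatter):
    """Standard-library formatter: pass structured fields via
    extra={"fields": {...}}; they go through the same scrubbing."""

    def format(self, record: logging.LogRecord) -> str:
        fields = getattr(record, "fields", None) or {}
        return build_log_line(record.levelname, record.getMessage(), **fields)


if __name__ == "__main__":
    log = logging.getLogger("trace.custody")
    handler = logging.StreamHandler()
    handler.setFormatter(PiiSafeFormatter())
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed event: the coordinates and custodian name must not reach the log.
    log.info("custody transfer at 38.897957, -77.036560",
             extra={"fields": {"token_id": "tok-0001",
                               "event_type": "CUSTODY_TRANSFER",
                               "custodian": "J. Doe",
                               "lat": 38.897957, "lon": -77.036560}})
```

The message-level regex is a backstop, not the control: the real guarantee comes from never putting positions or names into the structured fields in the first place, and the `dropped_fields` entry makes a call site that tried visible in review.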

Need the SSP or full control matrix?

The TRACE FedRAMP package is held in escrow until authorization completes. Authorized 3PAOs and government sponsors can request early access under NDA.