Module 27 · Compliance & Governance · CGAE
Compliance & Governance
Unified compliance posture across HIPAA · FedRAMP High · FIPS 140-3 · OIG · CAIG AI Governance · ONCLAVE Zero Trust
Overall Compliance Posture: 94% · SSP Coverage: 418 / 444 controls implemented · +12 since Q1
Open P1 Findings: 3 · 2 due in <14d
3PAO Days Out: 42 · Coalfire · Aug 2026
AAT Events (24h): 14.2K · 100% chained
Bias Monitor: 0.94 · Within tolerance
Framework · Status · Coverage · Detail
HIPAA Security Rule · Pass · 100% · 45 CFR §164.312 · Last review: Apr 14 · BAA active
FedRAMP High · In Prep · 89% · 395 / 444 controls · 3PAO assessment: 42d
FIPS 140-3 Crypto · Validated · 100% · CMVP modules · TLS 1.3 · Azure Gov FIPS mode on
OIG Audit Defense · 3 gaps · 96% · RPM/CCM evidence · 3 patients missing IC
CAIG AI Governance · Active · 100% · DEE · AAT · BFM live · 21 OQ items resolved
ONCLAVE Zero Trust · Phase 1 · 68% · SC-7/SC-8 microseg · DHA ATO reciprocity req
Control Family Coverage
FedRAMP High · NIST 800-53 Rev 5 · 17 families
Family · Name · Implemented · Coverage · Evidence
AC · Access Control · 25/25 · 100% · ORAK RBAC · MFA · session mgmt · SSO
AU · Audit & Accountability · 16/16 · 100% · CAIG AAT · immutable hash chain · Splunk forwarding
SC · System & Comm Protection · 42/47 · 89% · SC-7/SC-8/SC-28 · ONCLAVE microseg · TLS 1.3 · FIPS
SI · System & Information Integrity · 21/23 · 91% · SIEM · WAF · EDR · IDS/IPS · ConMon scanning
CM · Configuration Management · 15/16 · 94% · Configurator · ORAK change control · CAIG attestation
IR · Incident Response · 10/12 · 83% · PagerDuty · runbooks · ISSO escalation chain
CP · Contingency Planning · 9/13 · 69% · DR runbooks · multi-region failover · BCP test
AI · AI Governance (CAIG) · 21/21 · 100% · Custom: DEE · AAT · BFM · OQ review · model registry
Open Findings — POA&M
Plan of Action & Milestones · 8 active
Priority · Due · Finding
P1 · Due 6d · SC-8(1) — 2 home gateways awaiting Onclave certificate renewal
P1 · Due 13d · CP-9 — DR multi-region runbook not exercised in past 12 months
P1 · Due 23d · OIG — 3 RPM patients missing interactive comm. evidence in 99457 BRR
P2 · Due 21d · IR-3 — Tabletop exercise overdue (Q1 cycle)
P2 · Due 18d · SI-2 — 12 medium-severity CVEs unpatched on CCPR cluster
P2 · Due 30d · AC-2(3) — Stale account review · 8 inactive coordinator accounts >90d
P3 · Due 60d · PL-2 — System Security Plan v1.4 needs annual refresh
P3 · Due 45d · SA-9 — Third-party SaaS dependency audit pending refresh
CAIG · AI Governance
DEE · AAT · BFM · 24h window
DEE explanations: 8.4K · AAT chained: 100% · BFM parity: 0.94
Bias Monitor green ✓ — Channel-selection demographic parity at 0.94 (target ≥0.85). Zero alerts in past 30d. Doppler bucket distribution by race/ethnicity within 4pp of population baseline.
CAIG AAT · Live Audit Trail
Immutable hash-chained · last 8 events
Time · Type · Event · Hash
14:42:18 · LAT.MOV · Lateral movement blocked — service ppaf-portal-7d8 → ccpr-write rejected by Onclave Orchestrator policy · …f4a2
14:38:02 · AI.DEC · Doppler EMERGENT assignment for MRN 47281-A · DEE explanation: LACE+ ≥15 post-discharge · …b91e
14:30:55 · CERT · Onclave certificate issued · device dexcom-G7-aetnaMR-014 · microsegment scope: mdrx-cgm · …2c7d
14:22:31 · CFG · Configurator update · LACE+ trigger threshold 15 → 13 · user dburns@aetna.com · effective immediately · …9f01
14:18:14 · AI.DEC · IRIS background task · auto-populate post-discharge plan · patient: Eleanor Markham · 3 meds + 1 fu · …0e84
14:09:45 · ACCESS · State Health Authority RHTP read · View 9 export · 248K rows · scope: NM-rural-roster · …7b39
14:01:08 · DATA · FHIR write-back · 32 Observation resources to Epic · CFW · BIM 99454 evidence · …4d62
13:58:22 · CERT · Cert revoked · device a&d-bp-aetnaMR-082 · reason: device returned to inventory · auto-replacement queued · …e15a
Certifications & Accreditations
Active · expiry-tracked
HITRUST CSF r2 i1 · Issued Jul 2025 · Expires Jul 2027
SOC 2 Type II · Period: Jan–Dec 2025 · Auditor: Schellman
VA ATO Ready · Sponsor: Valor Healthcare · IHT 2.0
FedRAMP High ATO · 3PAO: Coalfire · Assessment Aug 2026
DHA Reciprocity (via ONCLAVE) · Onclave DHA ATO Jul 2024 · Reciprocity eval
FIPS 140-3 Validation · CMVP modules · Azure Gov + AWS GovCloud