CyberShield™

REALIGN's NIST CSF 2.0 + CISA K-12 v4 control board. Every control links to the live config that satisfies it. Districts use this for board reviews + insurance attestations.

Total controls: 19 · Configured: 2 · Partial: 4 · Planned: 13

Locked security stack

The infrastructure layer that backs every control below.

Ubuntu 24.04
LUKS2 disk crypto
WireGuard mesh
Wazuh SIEM
Falco runtime IDS
CrowdSec collab IDS
OpenCanary tarpit
ZFS snapshots
Restic offsite backup
OpenBao secrets
Docker rootless
Keycloak SSO
Caddy + auto-TLS
nftables default-deny
K8s (cycle 3)

GV — GOVERN — district-level cyber strategy

  • GV.OC
    Org context defined (partial)

    Per-district settings in tenants.settings JSONB. Risk register and DPO designation are doc-only for v1.

  • GV.RM
    Risk management strategy (planned)

    CISA K-12 self-assessment baked into onboarding wizard — planned for cycle 2.

  • GV.PO
    Cybersecurity policies (planned)

    Policy templates (acceptable use, incident response, data classification) shipped as defaults.

  • GV.OV
    Cybersecurity supply chain (partial)

    All third-party vendors (Anthropic, Neon, LiveKit) reviewed; lockfile pinned; npm provenance enabled on CI.

ID — IDENTIFY — what we have + who can touch it

  • ID.AM
    Asset management (planned)

    VPS inventory in infra/hostinger/hosts.yml; Hostinger API token (rotated) reads live state.

  • ID.RA
    Risk assessment (planned)

    NIST SP 800-30 worksheet ships with district onboarding; results land in risk_assessments table.

  • ID.IM
    Improvement (post-incident) (planned)

    After-action template + retrospective UI — planned.

PR — PROTECT — guardrails on the running system

  • PR.AA
    Identity + access mgmt (planned)

    Keycloak SSO per district + RBAC per role. SAML + OIDC supported.

  • PR.AT
    Awareness + training (planned)

    Annual security training assigned via the cyber product (sibling).

  • PR.DS
    Data security (encryption) (configured)

    PII columns encrypted at rest via AES-GCM (packages/db crypto). TLS 1.3 via Caddy at the edge.

  • PR.PS
    Platform security (configured)

    nftables default-deny; only 2222/80/443/51820 open. unattended-upgrades for the security pocket. Caddy with resilience drop-in + ACME lock sweep.

  • PR.IR
    Tech infrastructure resilience (partial)

    systemd Restart=always on every REALIGN unit. Backups: Restic (planned). HA: K8s in cycle 3.

DE — DETECT — knowing when something is wrong

  • DE.CM
    Continuous monitoring (planned)

    Wazuh agent + dashboard planned. Today: systemd journal + Caddy access log to journald.

  • DE.AE
    Adverse event analysis (partial)

    Audit table (audit_log) records every mutating action with actor + IP + UA. AI-event log in ai_audit + ai_transparency.

RS — RESPOND — when an incident lands

  • RS.MA
    Incident management (planned)

    Playbooks + on-call rotation tracker in cycle 2. PagerDuty/Opsgenie webhook integration deferred.

  • RS.AN
    Incident analysis (planned)

    Forensic capture toolkit; reproducible timeline export for post-mortems.

  • RS.CO
    Incident response comms (planned)

    District legal + parents + DOE notification templates.

RC — RECOVER — getting back online

  • RC.RP
    Incident recovery plan (planned)

    Restic snapshot restore + idempotent bootstrap script (already battle-tested today) = recovery floor.

  • RC.CO
    Recovery comms (planned)

    Public status page (statuspage.realignlearningplatform.com — planned).