NIST 800-53 Rev 5 — Moderate Baseline

Enterprise Security & Compliance

Milton is built to enterprise-grade security standards. Every request is authenticated, every sensitive field is encrypted, and every security event is logged — automatically.

  • Controls Implemented: 35+
  • Control Families: 8
  • Encryption Standard: AES-256
  • Audit Retention: 365d

  • NIST 800-53 Moderate Baseline
  • Bearer Token Authentication
  • AES-256-GCM at Rest
  • TLS 1.3 in Transit
  • Role-Based Access Control
  • Daily Automated Retention

Security Architecture

Six dedicated security modules handle every aspect of data protection, access enforcement, and compliance automatically.

Authentication

IA-2 · IA-4 · IA-5 · AC-11

Every API endpoint is protected by Bearer token authentication enforced at the FastAPI dependency layer. Tokens are bcrypt-hashed and stored with expiration and revocation timestamps.

  • OAuth 2.0 via Google — no local password storage
  • Bearer tokens with 24-hour expiry
  • Immediate token revocation on logout or deletion
  • Device session tracking across platforms

Role-Based Access Control

AC-3 · AC-6 · AC-2

A four-tier role hierarchy (Owner → Admin → Manager → Member) is enforced on every write operation. Access is default-denied — roles must explicitly grant permissions.

  • Permissions matrix cached at startup
  • Least-privilege enforcement on all resources
  • Role resolution: team → resource → default
  • HTTP 403 + audit log on any denial
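
The default-deny check and the team → resource → default resolution order described above, as an added example (not Milton's permission_service code). The matrix entries, the Forbidden exception, the function names, and the reading of "default" as "no role" are assumptions made for illustration.

```python
from enum import IntEnum

class Role(IntEnum):  # higher value = more privilege
    MEMBER = 1
    MANAGER = 2
    ADMIN = 3
    OWNER = 4

# Constructed matrix (hypothetical): minimum role per (resource, action); unlisted = denied.
PERMISSIONS = {
    ("delegation", "create"): Role.MEMBER,
    ("delegation", "delete"): Role.MANAGER,
    ("team", "invite"): Role.ADMIN,
    ("team", "delete"): Role.OWNER,
}

class Forbidden(Exception):
    status_code = 403  # what an HTTP layer would return

def resolve_role(user_id, team_id, resource_id, team_roles, resource_roles):
    """Team grant first, then resource grant, then the default (assumed: no role)."""
    role = team_roles.get((user_id, team_id))
    if role is None:
        role = resource_roles.get((user_id, resource_id))
    return role

def require_permission(user_id, role, resource, action, audit_log):
    """Return True if granted; otherwise record the denial and raise Forbidden."""
    needed = PERMISSIONS.get((resource, action))
    if needed is not None and role is not None and role >= needed:
        return True
    audit_log.append({"actor_id": user_id, "action": f"{resource}.{action}",
                      "result": "denied", "role": getattr(role, "name", None)})
    raise Forbidden(f"{resource}.{action} denied for {user_id}")

def demo():
    team_roles = {("u1", "t1"): Role.MANAGER}       # constructed grants
    resource_roles = {("u2", "doc9"): Role.MEMBER}
    audit, results = [], []
    for user, res, act in [("u1", "delegation", "delete"),   # manager: allowed
                           ("u2", "delegation", "delete"),   # member: too low
                           ("u3", "delegation", "create"),   # no grant at all
                           ("u1", "audit_log", "delete")]:   # not in the matrix
        role = resolve_role(user, "t1", "doc9", team_roles, resource_roles)
        try:
            results.append(require_permission(user, role, res, act, audit))
        except Forbidden:
            results.append(False)
    return results, audit
```

The last case is the one worth testing in any real matrix: a manager asking for an action that was never listed is refused because the lookup returns nothing, not because a rule says no.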

Encryption at Rest

SC-28 · SC-13 · SC-12

Sensitive fields are encrypted with AES-256-GCM before storage. Each value uses a unique 12-byte nonce; GCM authentication tags detect any tampering. Keys are never hardcoded.

  • AES-256-GCM with unique nonce per value
  • HMAC-SHA256 for searchable encrypted fields
  • Keys loaded from environment — never in code
  • OAuth tokens, API keys, and credentials encrypted
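
How an HMAC-SHA256 tag makes an encrypted field searchable, with the key loaded from the environment, as an added example (not Milton's code). The variable name MILTON_INDEX_KEY, the email field, the lower-casing normalization and the row layout are assumptions; the AES-256-GCM ciphertext column is left out so the block runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import os

def load_key(env_name, environ=os.environ):
    """Load a base64-encoded 32-byte key from the environment; fail closed."""
    raw = environ.get(env_name)
    if not raw:
        raise RuntimeError(f"{env_name} is not set")
    key = base64.b64decode(raw, validate=True)
    if len(key) != 32:
        raise RuntimeError(f"{env_name} must decode to exactly 32 bytes")
    return key

def blind_index(index_key, field_name, value):
    """Deterministic HMAC-SHA256 tag stored beside the ciphertext for equality search."""
    normalized = value.strip().lower().encode("utf-8")  # assumed normalization
    # Bind the field name so equal values in different columns get different tags.
    message = field_name.encode("utf-8") + b"\x00" + normalized
    return hmac.new(index_key, message, hashlib.sha256).hexdigest()

def find_ids(rows, index_key, field_name, value):
    """Equality lookup on the tag column; no ciphertext is decrypted."""
    wanted = blind_index(index_key, field_name, value)
    return [r["id"] for r in rows
            if hmac.compare_digest(r[field_name + "_idx"], wanted)]

def demo():
    # Constructed environment and key material; the variable name is hypothetical.
    env = {"MILTON_INDEX_KEY": base64.b64encode(bytes(range(32))).decode()}
    key = load_key("MILTON_INDEX_KEY", env)
    rows = [  # a real row would also carry the AES-256-GCM ciphertext column
        {"id": 1, "email_idx": blind_index(key, "email", "Ada@Example.com")},
        {"id": 2, "email_idx": blind_index(key, "email", "grace@example.com")},
    ]
    return find_ids(rows, key, "email", "  ada@example.com "), rows
```

The tag is deterministic, so equal plaintexts produce equal tags and anyone who can read the column learns which rows match. Keep the index key separate from the encryption key so that exposure of one does not affect the other.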

Audit Logging

AU-2 · AU-3 · AU-6 · AU-9

Every security-relevant event is written to an immutable audit_log table. Logs capture actor, action, resource, result, IP address, and user-agent. They cannot be modified.

  • 30+ distinct event types logged
  • Authentication events: login, logout, OAuth, QR
  • Authorization denials automatically recorded
  • 365-day minimum retention, then automated purge

Token Lifecycle

AC-12 · IA-5

Tokens and sessions are actively managed throughout their lifecycle. Expired tokens are cleaned up daily. Any token can be revoked instantly, invalidating access across all devices.

  • Expiration enforced at validation time
  • Revocation stamps: revoked_at + reason
  • Daily automated cleanup of expired tokens
  • "Revoke all sessions" for account takeover response

Data Retention & Deletion

SI-12 · AC-2 · IR-4

All user data has documented retention periods. A nightly job runs at 3 AM UTC to soft-delete expired records and hard-delete data past its grace period. Users can request full deletion.

  • Tiered policies: 90 / 180 / 365 days by data type
  • 30-day grace period before permanent deletion
  • Cascade delete across 16 tables on account removal
  • User data export available on request
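
The decision the nightly job makes for each record, as an added example (not Milton's retention_service code). The type names, record fields and function name are hypothetical, and applying the 30-day grace period uniformly to every data type is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Retention tiers from the policy above; the dictionary keys are hypothetical names.
RETENTION_DAYS = {"delegation": 90, "conversation": 90, "memory": 180, "audit_log": 365}
GRACE = timedelta(days=30)

def plan_retention(records, now):
    """Return (ids to soft-delete, ids to hard-delete) for one nightly run."""
    soft, hard = [], []
    for rec in records:
        limit = RETENTION_DAYS.get(rec["type"])
        if limit is None:
            continue  # no documented policy for this type: never delete by guesswork
        if rec["deleted_at"] is not None:
            # Already soft-deleted: remove permanently once the grace period is over.
            if now - rec["deleted_at"] >= GRACE:
                hard.append(rec["id"])
        elif now - rec["created_at"] >= timedelta(days=limit):
            soft.append(rec["id"])
    return soft, hard

def demo():
    now = datetime(2025, 6, 1, 3, 0, tzinfo=timezone.utc)  # constructed 3 AM UTC run
    def ago(days):
        return now - timedelta(days=days)
    records = [  # constructed sample rows
        {"id": "d1", "type": "delegation", "created_at": ago(91), "deleted_at": None},
        {"id": "d2", "type": "delegation", "created_at": ago(89), "deleted_at": None},
        {"id": "m1", "type": "memory", "created_at": ago(120), "deleted_at": None},
        {"id": "m2", "type": "memory", "created_at": ago(200), "deleted_at": ago(31)},
        {"id": "m3", "type": "memory", "created_at": ago(200), "deleted_at": ago(10)},
        {"id": "a1", "type": "audit_log", "created_at": ago(364), "deleted_at": None},
        {"id": "x1", "type": "billing", "created_at": ago(1000), "deleted_at": None},
    ]
    return plan_retention(records, now)

if __name__ == "__main__":
    print(demo())
```

Using timezone-aware UTC timestamps throughout keeps the cutoffs stable across daylight-saving changes on the host.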

How Every Request Is Protected

Each API call passes through multiple security gates before any business logic executes.

1. TLS Termination

All traffic arrives over HTTPS (TLS 1.3). Plaintext connections are rejected at the load balancer. Milton does not expose any HTTP endpoints in production.

2. Bearer Token Validation

The Authorization: Bearer <token> header is extracted and verified against the bcrypt hash stored in api_tokens. Expired or revoked tokens are rejected with HTTP 401.

    user_id: str = Depends(get_current_user)  # enforced on every protected endpoint

3. Rate Limiting

Sensitive endpoints enforce per-user rate limits (e.g., 20 delegations/hour, 60 chat messages/minute) via slowapi. Abuse attempts return HTTP 429 before reaching business logic.

4. RBAC Permission Check

Every write operation verifies the authenticated user holds the required role for the target resource. Failures raise HTTP 403 and are immediately written to the audit log.

    permission_service.require_team_permission(user_id, "delegation", "create")

5. Business Logic & Audit

The operation executes. On success, an audit log entry records the actor, action, resource, result, IP address, and timestamp. The audit log is write-only — entries cannot be modified or deleted within their retention window.

NIST 800-53 Control Matrix

Implementation status across all applicable control families for the NIST 800-53 Rev 5 Moderate baseline.

Control ID | Title | Status | Implementation
AC-1 | Access Control Policy | Implemented | Formal policy document; annual review cycle
AC-2 | Account Management | Implemented | OAuth-based creation; 30-day deletion grace; cascade removal
AC-3 | Access Enforcement | Implemented | permission_service.py; 23+ RBAC checks across all routes
AC-6 | Least Privilege | Implemented | Default-deny; role hierarchy: owner → admin → manager → member
AC-11 | Device Lock / Session Timeout | Implemented | 24-hour token expiry; revocation on demand
AC-12 | Session Termination | Implemented | token_service.revoke_all_user_sessions(); immediate invalidation
AU-2 | Event Logging | Implemented | audit_service.py; 30+ event types; auth, CRUD, delegation, OAuth
AU-3 | Content of Audit Records | Implemented | actor_id, action, resource, result, detail, IP, user-agent, timestamp
AU-6 | Audit Review & Analysis | Implemented | audit_query() and audit_security_summary() for reviews
AU-9 | Protection of Audit Information | Implemented | Write-only log; 365-day retention; encrypted at rest
CM-2 | Baseline Configuration | Implemented | Git version control; Render.com immutable deployments
CM-7 | Least Functionality | Implemented | No debug mode in production; minimal exposed services
IA-2 | Identification & Authentication | Implemented | OAuth 2.0 (Google); Bearer token enforced on all protected endpoints
IA-4 | Identifier Management | Implemented | UUID user_id; never recycled; unique per account
IA-5 | Authenticator Management | Implemented | bcrypt hashing; expiry; revocation; no plaintext storage
SC-7 | Boundary Protection | Implemented | HTTPS-only; CORS restricted to miltonspeaks.com; DDoS mitigation
SC-8 | Transmission Confidentiality | Implemented | TLS 1.3 enforced end-to-end; no plaintext APIs in production
SC-13 | Cryptographic Protection | Implemented | AES-256-GCM; HMAC-SHA256; bcrypt; TLS 1.3
SC-28 | Protection of Information at Rest | Implemented | AES-256-GCM for sensitive fields; encrypted DB backups
SI-2 | Flaw Remediation | Implemented | Dependabot alerts; security advisory tracking; patching SLA
SI-4 | System Monitoring | Implemented | Application logs; failed auth tracking; Render.com metrics
SI-12 | Information Management & Retention | Implemented | retention_service.py; automated nightly job at 3 AM UTC
IR-4 | Incident Handling | Implemented | Documented incident response plan; contact procedures defined
IR-6 | Incident Reporting | Implemented | Security incident notification within 72 hours

Data Retention Policy

All data types have documented retention periods. A nightly automated job soft-deletes expired records and permanently removes data once its grace period expires.

  • 90 days: Delegations & Responses
  • 90 days: Conversation History
  • 180 days: Memory & Context
  • 365 days: Audit Logs (minimum)
  • 30 days: Account Deletion Grace

Infrastructure & Transmission Security

Data in transit is protected by TLS 1.3. Production infrastructure is hosted on Render.com with automated certificate management.

TLS 1.3

  • TLS 1.3 enforced for all connections
  • Let's Encrypt certificates, auto-renewed
  • HTTP connections rejected at load balancer
  • HSTS headers enforced

Production Hosting

  • Render.com managed infrastructure
  • Immutable deployments from Git
  • PostgreSQL with encrypted backups
  • No secrets committed to version control

API Boundary Protection

  • CORS restricted to miltonspeaks.com
  • Rate limiting on all sensitive endpoints
  • DDoS mitigation via Render.com
  • Parameterized SQL — no injection vectors