
Status Dashboard

Single source of truth for what's done, in-flight, and pending. Claude Code updates this file as it authors documents.

Status values: TODO | IN_PROGRESS | DRAFT_REVIEW | APPROVED | RETIRED

Last updated: TBD-YYYY-MM-DD


Policies

ID Title Batch Priority Status Path
AUL-POL-01 Information Security Policy B1 P0 DONE policies/00-governance/01-information-security-policy.md
AUL-POL-02 Roles & Responsibilities Policy B1 P0 DONE policies/00-governance/02-roles-responsibilities-policy.md
AUL-POL-03 Risk Management Policy B1 P0 DONE policies/00-governance/03-risk-management-policy.md
AUL-POL-04 Information Classification & Handling Policy B1 P0 DONE policies/00-governance/04-information-classification-handling-policy.md
AUL-POL-05 Acceptable Use Policy B1 P0 DONE policies/00-governance/05-acceptable-use-policy.md
AUL-POL-06 Code of Conduct & Ethics Policy B2 P0 DONE policies/00-governance/06-code-of-conduct-ethics-policy.md
AUL-POL-07 Policy Exception & Waiver Policy B2 P0 DONE policies/00-governance/07-policy-exception-waiver-policy.md
AUL-POL-08 Personnel Security Policy B2 P0 DONE policies/01-personnel-physical/08-personnel-security-policy.md
AUL-POL-09 Onboarding & Offboarding Policy B2 P0 DONE policies/01-personnel-physical/09-onboarding-offboarding-policy.md
AUL-POL-10 Security Awareness & Training Policy B2 P0 DONE policies/01-personnel-physical/10-security-awareness-training-policy.md
AUL-POL-11 Physical & Environmental Security Policy B3 P0 DONE policies/01-personnel-physical/11-physical-environmental-security-policy.md
AUL-POL-12 Remote Work / Telework Policy B3 P0 DONE policies/01-personnel-physical/12-remote-work-telework-policy.md
AUL-POL-13 Travel Security Policy B3 P1 DONE policies/01-personnel-physical/13-travel-security-policy.md
AUL-POL-14 Insider Threat Program Policy B3 P0 DONE policies/01-personnel-physical/14-insider-threat-program-policy.md
AUL-POL-15 Access Control Policy B3 P0 DONE policies/02-access-identity/15-access-control-policy.md
AUL-POL-16 Identity & Authentication Policy B4 P0 TODO policies/02-access-identity/16-identity-authentication-policy.md
AUL-POL-17 Password & Credential Policy B4 P0 TODO policies/02-access-identity/17-password-credential-policy.md
AUL-POL-18 Multi-Factor Authentication Policy B4 P0 TODO policies/02-access-identity/18-mfa-policy.md
AUL-POL-19 Privileged Access Management Policy B4 P0 TODO policies/02-access-identity/19-privileged-access-management-policy.md
AUL-POL-20 Remote Access Policy B4 P0 TODO policies/02-access-identity/20-remote-access-policy.md
AUL-POL-21 Data Protection & Encryption Policy B5 P0 TODO policies/03-data-protection/21-data-protection-encryption-policy.md
AUL-POL-22 Cryptographic Key Management Policy B5 P0 TODO policies/03-data-protection/22-cryptographic-key-management-policy.md
AUL-POL-23 CUI Handling Policy B5 P0 TODO policies/03-data-protection/23-cui-handling-policy.md
AUL-POL-24 Export Control Policy (ITAR/EAR) B5 P0 TODO policies/03-data-protection/24-export-control-policy.md
AUL-POL-25 Data Retention & Disposal Policy B5 P0 TODO policies/03-data-protection/25-data-retention-disposal-policy.md
AUL-POL-26 Data Loss Prevention Policy B6 P1 TODO policies/03-data-protection/26-data-loss-prevention-policy.md
AUL-POL-27 Privacy Policy (Internal) B6 P1 TODO policies/03-data-protection/27-privacy-policy.md
AUL-POL-28 Backup & Recovery Policy B6 P0 TODO policies/03-data-protection/28-backup-recovery-policy.md
AUL-POL-29 Network Security Policy B6 P0 TODO policies/04-system-network/29-network-security-policy.md
AUL-POL-30 Endpoint Security Policy B6 P0 TODO policies/04-system-network/30-endpoint-security-policy.md
AUL-POL-31 Mobile Device Management Policy B7 P1 TODO policies/04-system-network/31-mobile-device-management-policy.md
AUL-POL-32 Server & Infrastructure Hardening Policy B7 P0 TODO policies/04-system-network/32-server-infrastructure-hardening-policy.md
AUL-POL-33 Cloud Security Policy B7 P0 TODO policies/04-system-network/33-cloud-security-policy.md
AUL-POL-34 Email & Messaging Security Policy B7 P0 TODO policies/04-system-network/34-email-messaging-security-policy.md
AUL-POL-35 Wireless & IoT Policy B7 P1 TODO policies/04-system-network/35-wireless-iot-policy.md
AUL-POL-36 Configuration Management Policy B8 P0 TODO policies/05-operations-change/36-configuration-management-policy.md
AUL-POL-37 Change Management Policy B8 P0 TODO policies/05-operations-change/37-change-management-policy.md
AUL-POL-38 Patch & Vulnerability Management Policy B8 P0 TODO policies/05-operations-change/38-patch-vulnerability-management-policy.md
AUL-POL-39 Asset Management Policy B8 P0 TODO policies/05-operations-change/39-asset-management-policy.md
AUL-POL-40 Logging & Monitoring Policy B8 P0 TODO policies/05-operations-change/40-logging-monitoring-policy.md
AUL-POL-41 Audit & Accountability Policy B9 P0 TODO policies/05-operations-change/41-audit-accountability-policy.md
AUL-POL-42 Capacity & Availability Management Policy B9 P2 TODO policies/05-operations-change/42-capacity-availability-management-policy.md
AUL-POL-43 Secure Software Development Policy (SSDLC) B9 P0 TODO policies/06-software-ai/43-secure-software-development-policy.md
AUL-POL-44 Secure Coding Standards Policy B9 P0 TODO policies/06-software-ai/44-secure-coding-standards-policy.md
AUL-POL-45 Code Review & Branch Protection Policy B9 P0 TODO policies/06-software-ai/45-code-review-branch-protection-policy.md
AUL-POL-46 Source Code Management & Repository Policy B10 P0 TODO policies/06-software-ai/46-source-code-management-policy.md
AUL-POL-47 CI/CD Pipeline Security Policy B10 P0 TODO policies/06-software-ai/47-cicd-pipeline-security-policy.md
AUL-POL-48 Application Security Testing Policy B10 P0 TODO policies/06-software-ai/48-application-security-testing-policy.md
AUL-POL-49 AI/ML Model Governance Policy B10 P0 TODO policies/06-software-ai/49-ai-ml-model-governance-policy.md
AUL-POL-50 AI/ML Security Policy B10 P0 TODO policies/06-software-ai/50-ai-ml-security-policy.md
AUL-POL-51 Training Data Governance Policy B11 P0 TODO policies/06-software-ai/51-training-data-governance-policy.md
AUL-POL-52 Generative AI / Third-Party AI Tool Use Policy B11 P0 TODO policies/06-software-ai/52-generative-ai-tool-use-policy.md
AUL-POL-53 API Security Policy B11 P1 TODO policies/06-software-ai/53-api-security-policy.md
AUL-POL-54 Open Source Software Policy B11 P1 TODO policies/06-software-ai/54-open-source-software-policy.md
AUL-POL-55 Third-Party / Vendor Risk Management Policy B11 P0 TODO policies/07-third-party-supply-chain/55-vendor-risk-management-policy.md
AUL-POL-56 Supply Chain Risk Management Policy B12 P0 TODO policies/07-third-party-supply-chain/56-supply-chain-risk-management-policy.md
AUL-POL-57 Subcontractor Flow-Down Policy B12 P0 TODO policies/07-third-party-supply-chain/57-subcontractor-flow-down-policy.md
AUL-POL-58 Customer Data Handling Policy B12 P0 TODO policies/07-third-party-supply-chain/58-customer-data-handling-policy.md
AUL-POL-59 Incident Response Policy B12 P0 TODO policies/08-incident-continuity/59-incident-response-policy.md
AUL-POL-60 Cyber Incident Reporting Policy (DFARS) B12 P0 TODO policies/08-incident-continuity/60-cyber-incident-reporting-policy.md
AUL-POL-61 Breach Notification Policy B13 P1 TODO policies/08-incident-continuity/61-breach-notification-policy.md
AUL-POL-62 Business Continuity Policy B13 P0 TODO policies/08-incident-continuity/62-business-continuity-policy.md
AUL-POL-63 Disaster Recovery Policy B13 P0 TODO policies/08-incident-continuity/63-disaster-recovery-policy.md
AUL-POL-64 Pandemic / Site-Loss Continuity Annex B13 P2 TODO policies/08-incident-continuity/64-pandemic-site-loss-annex.md
AUL-POL-65 Forensics & Evidence Handling Policy B13 P1 TODO policies/08-incident-continuity/65-forensics-evidence-handling-policy.md
AUL-POL-66 Compliance Management Policy B14 P0 TODO policies/09-compliance-audit/66-compliance-management-policy.md
AUL-POL-68 POA&M Policy B14 P0 TODO policies/09-compliance-audit/68-poam-policy.md
AUL-POL-69 Continuous Monitoring Policy B14 P0 TODO policies/09-compliance-audit/69-continuous-monitoring-policy.md
AUL-POL-70 Internal Audit Policy B14 P1 TODO policies/09-compliance-audit/70-internal-audit-policy.md
AUL-POL-71 External Audit & Assessment Policy B14 P1 TODO policies/09-compliance-audit/71-external-audit-policy.md
AUL-POL-72 OPSEC Policy B15 P0 TODO policies/10-defense-specific/72-opsec-policy.md
AUL-POL-73 FOCI Policy B15 P0 TODO policies/10-defense-specific/73-foci-policy.md
AUL-POL-74 Classified Information Handling (Placeholder) B15 P3 TODO policies/10-defense-specific/74-classified-information-handling-policy.md
AUL-POL-75 Controlled Technical Information (CTI) Policy B15 P0 TODO policies/10-defense-specific/75-controlled-technical-information-policy.md
AUL-POL-76 Research Data & Publication Review Policy B15 P1 TODO policies/10-defense-specific/76-research-publication-review-policy.md
AUL-POL-77 Collaboration & Information Sharing Policy B16 P1 TODO policies/10-defense-specific/77-collaboration-information-sharing-policy.md
AUL-POL-78 Acquisition & Procurement Security Policy B16 P1 TODO policies/11-acquisition-legal/78-acquisition-procurement-security-policy.md
AUL-POL-79 Software Procurement & Licensing Policy B16 P1 TODO policies/11-acquisition-legal/79-software-procurement-licensing-policy.md
AUL-POL-80 Legal Hold & E-Discovery Policy B16 P2 TODO policies/11-acquisition-legal/80-legal-hold-ediscovery-policy.md
AUL-POL-81 Whistleblower & Reporting Policy B16 P1 TODO policies/11-acquisition-legal/81-whistleblower-reporting-policy.md

Plans

ID Title Status Path
AUL-PLN-01 System Security Plan (SSP) TODO plans/01-system-security-plan.md
AUL-PLN-02 Incident Response Plan TODO plans/02-incident-response-plan.md
AUL-PLN-03 Business Continuity Plan TODO plans/03-business-continuity-plan.md
AUL-PLN-04 Disaster Recovery Plan TODO plans/04-disaster-recovery-plan.md
AUL-PLN-05 Insider Threat Program Plan TODO plans/05-insider-threat-program-plan.md
AUL-PLN-06 Supply Chain Risk Management Plan TODO plans/06-scrm-plan.md
AUL-PLN-07 Continuous Monitoring Plan TODO plans/07-continuous-monitoring-plan.md
AUL-PLN-08 Configuration Management Plan TODO plans/08-configuration-management-plan.md
AUL-PLN-09 Contingency Plan TODO plans/09-contingency-plan.md

Standards

ID Title Status Path
AUL-STD-01 Encryption Standard TODO standards/01-encryption-standard.md
AUL-STD-02 Logging Standard TODO standards/02-logging-standard.md
AUL-STD-03 Hardening Standard TODO standards/03-hardening-standard.md
AUL-STD-04 Password Standard TODO standards/04-password-standard.md
AUL-STD-05 MFA Standard TODO standards/05-mfa-standard.md
AUL-STD-06 Network Architecture Standard TODO standards/06-network-architecture-standard.md
AUL-STD-07 CUI Marking Standard TODO standards/07-cui-marking-standard.md
AUL-STD-08 Secure Coding Standard TODO standards/08-secure-coding-standard.md
AUL-STD-09 AI/ML Model Card Standard TODO standards/09-ai-ml-model-card-standard.md
AUL-STD-10 Vulnerability Severity & SLA Standard TODO standards/10-vulnerability-sla-standard.md

Procedures (SOPs)

ID Title Status Path
AUL-SOP-01 Onboarding SOP TODO procedures/01-onboarding-sop.md
AUL-SOP-02 Offboarding SOP TODO procedures/02-offboarding-sop.md
AUL-SOP-03 Access Review SOP TODO procedures/03-access-review-sop.md
AUL-SOP-04 Incident Response Runbook TODO procedures/04-incident-response-runbook.md
AUL-SOP-05 DFARS 72-Hour Cyber Incident Reporting Runbook TODO procedures/05-dfars-72hr-reporting-runbook.md
AUL-SOP-06 CUI Spillage Procedure TODO procedures/06-cui-spillage-procedure.md
AUL-SOP-07 Backup Restoration SOP TODO procedures/07-backup-restoration-sop.md
AUL-SOP-08 Vulnerability Triage SOP TODO procedures/08-vulnerability-triage-sop.md
AUL-SOP-09 Vendor Onboarding Security SOP TODO procedures/09-vendor-onboarding-security-sop.md
AUL-SOP-10 Foreign Travel Pre/Post-Briefing SOP TODO procedures/10-foreign-travel-briefing-sop.md
AUL-SOP-11 Patch Deployment SOP TODO procedures/11-patch-deployment-sop.md
AUL-SOP-12 Phishing Reporting SOP TODO procedures/12-phishing-reporting-sop.md

Registers

Name Status Path
Risk Register TODO registers/risk-register.md
Asset Register TODO registers/asset-register.md
Vendor Register TODO registers/vendor-register.md
Exception Register TODO registers/exception-register.md
Incident Log TODO registers/incident-log.md
Change Log TODO registers/change-log.md
POA&M TODO registers/poam.md
Training Records TODO registers/training-records.md

Summary

  • Total policies: 80 (POL-01..81, excluding POL-67 which is the SSP plan)
  • Total plans: 9
  • Total standards: 10
  • Total SOPs: 12
  • Total registers: 8

Counts by status:

  • TODO: all
  • IN_PROGRESS: 0
  • DRAFT_REVIEW: 0
  • APPROVED: 0

Decision Points Awaiting Review

Claude Code: append DECISION POINT callouts here as you author. Format: - [AUL-POL-NN] Brief description of the decision and the option chosen.

  • [AUL-POL-01] CTO/ISSM serving dual role as acting ISSO at ~5 personnel. Dedicated ISSO to be appointed when headcount exceeds 10 or CUI processing begins.
  • [AUL-POL-02] CTO/ISSM dual-role as ISSO compensated by CEO quarterly independent review. Same trigger for dedicated ISSO appointment.
  • [AUL-POL-03] Risk appetite set to "low" for CUI/ITAR/DFARS, "moderate" for general operational. CEO should formally approve.
  • [AUL-POL-04] CUI Enclave (AWS GovCloud) not yet operational. Interim CUI storage in segregated encrypted Google Drive folder (CTO/ISSM access only) as compensating control. Needs POA&M entry with GovCloud target date.
  • [AUL-POL-10] At ~5 personnel, CTO/ISSM delivers training via internal briefings rather than commercial SAT platform. Adopt commercial SAT when headcount exceeds 15 or C3PAO assessment is imminent.
  • [AUL-POL-11] Omaha office is shared accelerator space (Werner Exchange). Physical security controls apply to Aulendur's dedicated workspace only. CUI shall not be processed at this location unless adequate isolation is confirmed. Needs assessment and POA&M entry.
  • [AUL-POL-14] CTO/ISSM serves as ITPSO at ~5 personnel. CEO provides independent oversight. Formal working group needed when headcount exceeds 15 or NISPOM facility clearance pursued.

Forthcoming References

Claude Code: when a policy references a not-yet-written companion doc, list it here so future batches can resolve.

  • ~~AUL-POL-07 — Policy Exception & Waiver Policy (referenced by AUL-POL-01)~~ DONE
  • AUL-PLN-01 — System Security Plan (referenced by AUL-POL-01)
  • AUL-POL-66 — Compliance Management Policy (referenced by AUL-POL-01)
  • AUL-POL-81 — Whistleblower & Reporting Policy (referenced by AUL-POL-01)
  • ~~AUL-POL-09 — Onboarding & Offboarding Policy (referenced by AUL-POL-02)~~ DONE
  • AUL-POL-25 — Data Retention & Disposal Policy (referenced by AUL-POL-02)
  • AUL-POL-38 — Patch & Vulnerability Management Policy (referenced by AUL-POL-03)
  • AUL-POL-68 — POA&M Policy (referenced by AUL-POL-03)
  • AUL-STD-10 — Vulnerability Severity & SLA Standard (referenced by AUL-POL-03)
  • Risk Register (referenced by AUL-POL-03)
  • AUL-POL-23 — CUI Handling Policy (referenced by AUL-POL-04)
  • AUL-POL-24 — Export Control Policy (referenced by AUL-POL-04)
  • AUL-STD-07 — CUI Marking Standard (referenced by AUL-POL-04)
  • AUL-SOP-06 — CUI Spillage Procedure (referenced by AUL-POL-04)
  • Asset Register (referenced by AUL-POL-04)
  • ~~AUL-POL-12 — Remote Work / Telework Policy (referenced by AUL-POL-05)~~ DONE
  • AUL-POL-17 — Password & Credential Policy (referenced by AUL-POL-05)
  • AUL-POL-18 — MFA Policy (referenced by AUL-POL-05)
  • AUL-POL-52 — Generative AI / Third-Party AI Tool Use Policy (referenced by AUL-POL-05)
  • AUL-SOP-12 — Phishing Reporting SOP (referenced by AUL-POL-05, AUL-POL-10)
  • ~~AUL-POL-14 — Insider Threat Program Policy (referenced by AUL-POL-08, AUL-POL-10)~~ DONE
  • AUL-SOP-01 — Onboarding SOP (referenced by AUL-POL-08, AUL-POL-09)
  • AUL-SOP-02 — Offboarding SOP (referenced by AUL-POL-09)
  • AUL-SOP-03 — Access Review SOP (referenced by AUL-POL-09)
  • Training Records register (referenced by AUL-POL-10)
  • Exception Register (referenced by AUL-POL-07)
  • AUL-POL-20 — Remote Access Policy (referenced by AUL-POL-12)
  • AUL-POL-30 — Endpoint Security Policy (referenced by AUL-POL-11, AUL-POL-12)
  • AUL-POL-24 — Export Control Policy (referenced by AUL-POL-12, AUL-POL-13)
  • AUL-SOP-10 — Foreign Travel Pre/Post-Briefing SOP (referenced by AUL-POL-13)
  • AUL-PLN-05 — Insider Threat Program Plan (referenced by AUL-POL-14)
  • AUL-POL-40 — Logging & Monitoring Policy (referenced by AUL-POL-14)
  • AUL-POL-16 — Identity & Authentication Policy (referenced by AUL-POL-15)
  • AUL-POL-19 — Privileged Access Management Policy (referenced by AUL-POL-15)