KNOX BLOCKCHAIN — FEDERAL COMPLIANCE

Federal Compliance Documentation

NIST SP 800-53 control mapping, HIPAA safeguard attestation, and Knox Blockchain architecture documentation for federal procurement review.

Bonis Systems LLC • UEI: R2BPJDC5CBA3 • CAGE: 1TSP2 • NAICS: 541511

Knox Blockchain Architecture

PHASE 1 — DEPLOYED

Local Chain

SHA-256 linked blocks on PostgreSQL + Redis. Taxonomy of 100+ event types across the Bonis portfolio. Immutable audit trail with federal trace IDs. Block proof verification.

PHASE 2 — READY

Google Blockchain Node Engine

Permissioned nodes on Google Cloud. Multi-party consensus for cross-agency verification. FedRAMP-inherited controls.

PHASE 3 — PLANNED

Hyperledger Fabric

Multi-organization consensus network. Smart contracts for automated compliance. Cross-platform interoperability.

Block Structure

{
  "index": 1,
  "timestamp": "2026-04-11T10:00:00.000Z",
  "type": "ORDER_RECEIPT | LICENSE_VERIFY | COA_VERIFY | FEDERAL_AUDIT | ...",
  "data": { "orderId": "...", "vendorId": "...", "buyerId": "..." },
  "previousHash": "a3f2b8c1d4e5f6...",
  "hash": "SHA-256(index + timestamp + type + data + previousHash)",
  "federalTraceId": "UUID — submitted to federal ledger"
}

NIST SP 800-53 Control Mapping

24 of 26 controls fully implemented

Control | Family | Title | Status

AC-2 | Access Control | Account Management | Implemented

NextAuth JWT with role-based access (Admin/Vendor/Buyer). 24-hour session timeout. Account disable capability.

AC-3 | Access Control | Access Enforcement | Implemented

Server-side session verification on all API routes. Admin/Vendor role checks. API key scoped permissions.

AC-7 | Access Control | Unsuccessful Logon Attempts | Implemented

Rate limiting: 10 auth attempts per minute per IP. Security PIN lockout after failed attempts.

AC-8 | Access Control | System Use Notification | Implemented

Terms of Service acceptance required. Regulatory notice banner on all pages.

AU-2 | Audit | Audit Events | Implemented

Knox audit trail: 15 action types, 14 entity types. Immutable Redis sorted sets with 1-year retention.

AU-3 | Audit | Content of Audit Records | Implemented

Each record: userId, action, entity, entityId, before/after diffs, hashed IP, user-agent, timestamp.

AU-6 | Audit | Audit Review & Analysis | Implemented

Admin-only /api/audit endpoint with pagination. Real-time pub/sub for monitoring.

AU-9 | Audit | Protection of Audit Info | Implemented

Knox Blockchain immutable ledger. SHA-256 hash chain prevents tampering. No update/delete on audit records.

AU-10 | Audit | Non-Repudiation | Implemented

Knox Blockchain block proofs with cryptographic verification. Federal trace IDs on all transactions.

CA-7 | Assessment | Continuous Monitoring | Implemented

Health endpoint (/api/health) monitors DB connectivity, uptime. Knox middleware logs all requests.

CM-7 | Configuration | Least Functionality | Implemented

poweredByHeader disabled. No debug endpoints in production. Bot/probe blocking in middleware.

IA-2 | Identification | Identification & Authentication | Implemented

Email/password with bcrypt hashing. JWT tokens. Security PIN/passphrase as secondary factor.

IA-5 | Identification | Authenticator Management | Implemented

bcrypt password hashing. SHA-256 for PINs/API keys. httpOnly secure cookies.

IR-4 | Incident Response | Incident Handling | Partial

Knox audit logging captures security events. Automated rate limiting and bot blocking. Formal IR plan pending.

MP-6 | Media Protection | Media Sanitization | Implemented

No local data storage. Cloud-based (Cloud Run stateless). Database credentials via environment variables only.

PE-17 | Physical | Alternate Work Site | Implemented

Fully cloud-hosted on Google Cloud Run. No physical infrastructure required.

RA-5 | Risk Assessment | Vulnerability Monitoring | Partial

Dependency auditing via npm. CI/CD security scanning. Formal pen test pending.

SC-7 | System & Comms | Boundary Protection | Implemented

CSP headers, CORS restrictions, rate limiting, bot detection, probe blocking.

SC-8 | System & Comms | Transmission Confidentiality | Implemented

TLS 1.3 enforced. HSTS with preload. All API traffic encrypted.

SC-12 | System & Comms | Cryptographic Key Management | Implemented

SHA-256 for blockchain/API keys. bcrypt for passwords. Keys in environment variables, never in code.

SC-13 | System & Comms | Cryptographic Protection | Implemented

SHA-256 blockchain integrity. TLS 1.3. bcrypt password hashing. End-to-end encryption on sensitive data.

SC-28 | System & Comms | Protection of Information at Rest | Implemented

Database encryption via Cloud SQL/Railway TLS. No plaintext credentials stored. API keys SHA-256 hashed.

SI-2 | System & Info | Flaw Remediation | Implemented

CI/CD pipeline with automated builds. npm audit on every push. GitHub Actions security scanning.

SI-3 | System & Info | Malicious Code Protection | Implemented

Input sanitization (sanitize-html). Zod schema validation. CSP prevents script injection.

SI-4 | System & Info | Information System Monitoring | Implemented

Knox middleware request logging. Health endpoint. Rate limit monitoring. Audit trail pub/sub.

SI-10 | System & Info | Information Input Validation | Implemented

Zod schemas on all API endpoints. sanitize-html for user content. Prisma ORM query layer guards against SQL injection.

HIPAA Security Rule Safeguards

BAA-ready attestation for Business Associate Agreement execution

Category | Safeguard | Status

Administrative | Security Management Process | Implemented

Knox Blockchain audit trail, risk-based access controls, security incident logging

Administrative | Assigned Security Responsibility | Implemented

Platform-level security managed by Bonis Systems LLC engineering team

Administrative | Workforce Security | Implemented

Role-based access: Admin, Vendor, Buyer. Principle of least privilege on all API routes

Administrative | Information Access Management | Implemented

JWT session tokens, API key scoping, admin-only endpoints, vendor isolation

Administrative | Security Awareness Training | Planned

Documentation and training materials under development

Administrative | Contingency Plan | Partial

Cloud Run auto-scaling and failover. Formal DR plan under development

Administrative | Evaluation | Partial

Internal security audits completed. Third-party audit pending

Physical | Facility Access Controls | N/A (Cloud)

Fully cloud-hosted on Google Cloud Platform. GCP maintains SOC 2/ISO 27001 for facilities

Physical | Workstation Security | N/A (Cloud)

No on-premise servers. Cloud Run containers are stateless and ephemeral

Technical | Access Control | Implemented

Unique user IDs, JWT authentication, auto-logout (24hr), role-based permissions

Technical | Audit Controls | Implemented

Knox Blockchain immutable audit trail. 15 action types, 1-year retention, tamper-proof

Technical | Integrity Controls | Implemented

SHA-256 blockchain hash verification. Zod input validation. Prisma ORM (guards against SQL injection)

Technical | Transmission Security | Implemented

TLS 1.3 enforced. HSTS preload. End-to-end encryption. No plaintext data transmission

Knox Platform Products

HealthAgentCare.com

AI Healthcare Companion

AI-powered health companion for Medicare, Medicaid, and VA beneficiaries. End-to-end encryption. Knox Blockchain patient data ownership.

TerraVaultHQ.com

B2B Hemp & Cannabis Marketplace

Compliant wholesale marketplace surface with license/COA verification, seed-to-sale tracking, and vendor-direct settlement. Medical supply chain capabilities.

DealMatcherApp.com

AI Deal Matching Platform

Bruce AI agent scans markets daily for business/real estate deals. Smart-contract NDAs and procurement matchmaking. Counterparties settle directly off-platform.

Federal Procurement Inquiries

[email protected]

Knox Blockchain v1.0 • Bonis Systems LLC • UEI: R2BPJDC5CBA3 • CAGE: 1TSP2 • NAICS: 541511