| <!DOCTYPE html> |
| <html lang="en"> |
| <head> |
| <meta charset="UTF-8"> |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> |
| <title>Baltimore Secure Backbone System (BSBS) – Portfolio</title> |
| <style> |
| :root { |
| --outer-harbor: #2E86AB; |
| --inner-harbor: #3B5998; |
| --fort-mchenry: #1B2A4A; |
| --accent: #f4a261; |
| --bg: #f8f9fa; |
| --text: #212529; |
| --table-stripe: #e9ecef; |
| --box-bg: #ffffff; |
| } |
| body { |
| font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif; |
| background: var(--bg); |
| color: var(--text); |
| line-height: 1.6; |
| margin: 0; |
| padding: 20px; |
| } |
| .container { |
| max-width: 1000px; |
| margin: 0 auto; |
| background: var(--box-bg); |
| padding: 2rem 3rem; |
| box-shadow: 0 2px 10px rgba(0,0,0,0.05); |
| border-radius: 8px; |
| } |
| h1, h2, h3 { |
| font-weight: 600; |
| } |
| h1 { |
| color: var(--fort-mchenry); |
| border-bottom: 2px solid var(--outer-harbor); |
| padding-bottom: 0.3em; |
| } |
| h2 { |
| color: var(--inner-harbor); |
| border-left: 5px solid var(--outer-harbor); |
| padding-left: 10px; |
| margin-top: 2em; |
| } |
| h3 { |
| color: var(--fort-mchenry); |
| } |
| .section-title { |
| color: var(--outer-harbor); |
| font-size: 1.8rem; |
| margin-top: 1.5em; |
| } |
| table { |
| border-collapse: collapse; |
| width: 100%; |
| margin: 1em 0; |
| font-size: 0.9rem; |
| } |
| th { |
| background-color: var(--outer-harbor); |
| color: white; |
| padding: 10px; |
| text-align: left; |
| } |
| td { |
| padding: 8px 10px; |
| border-bottom: 1px solid #ddd; |
| } |
| tr:nth-child(even) td { |
| background-color: var(--table-stripe); |
| } |
| .code-box, pre { |
| background: #1e1e1e; |
| color: #d4d4d4; |
| padding: 15px; |
| border-radius: 5px; |
| overflow-x: auto; |
| font-family: 'Courier New', monospace; |
| font-size: 0.85rem; |
| line-height: 1.4; |
| border: 1px solid #333; |
| } |
| .ascii-diagram { |
| font-family: 'Courier New', monospace; |
| white-space: pre; |
| background: #0d1b2a; |
| color: #e0e0e0; |
| padding: 15px; |
| border-radius: 6px; |
| margin: 1em 0; |
| font-size: 0.8rem; |
| border-left: 4px solid var(--outer-harbor); |
| } |
| .outer { color: #2E86AB; font-weight: bold; } |
| .inner { color: #3B5998; font-weight: bold; } |
| .fort { color: #a2c4da; font-weight: bold; } |
| .terminal { color: #f4a261; font-weight: bold; } |
| .hsm { color: #e76f51; font-weight: bold; } |
| |
| .badge { |
| display: inline-block; |
| padding: 2px 8px; |
| border-radius: 12px; |
| font-size: 0.75rem; |
| background: var(--outer-harbor); |
| color: white; |
| margin-right: 5px; |
| } |
| .acronym-list dd { |
| margin-bottom: 0.5em; |
| } |
| .footer { |
| margin-top: 3em; |
| font-size: 0.85rem; |
| color: #6c757d; |
| border-top: 1px solid #ccc; |
| padding-top: 1em; |
| text-align: center; |
| } |
| a { |
| color: var(--outer-harbor); |
| text-decoration: none; |
| } |
| a:hover { |
| text-decoration: underline; |
| } |
| </style> |
| </head> |
| <body> |
| <div class="container"> |
|
|
| <h1>Baltimore Secure Backbone System (BSBS)</h1> |
| <p><strong>Comprehensive Portfolio Submission</strong><br> |
| <em>Municipal Cybersecurity Governance, Post‑Quantum Architecture, and Constitutional Compliance</em></p> |
| <p><strong>Author:</strong> [Your Name] | <strong>Course:</strong> [Capstone / Cybersecurity Governance & Technical Architecture] | <strong>Date:</strong> June 2, 2026 | <strong>Version:</strong> 2.1 (Final Portfolio)</p> |
|
|
| <h2>Table of Contents</h2> |
| <ol> |
| <li>Abstract & Portfolio Overview</li> |
| <li>BSBS Policy Addendum v1.0</li> |
| <li>Artifact A – NIST SP 800‑53 Rev. 5 Control Mapping</li> |
| <li>Artifact B – Fourth Amendment Minimization Protocol (Legal Memorandum)</li> |
| <li>Artifact C – Technical Architecture Diagrams (Vivid ASCII)</li> |
| <li>Reflective Analysis & Feasibility Assessment</li> |
| <li>Lessons Learned & Professional Growth</li> |
| <li>References</li> |
| <li>Appendix A – Acronym Glossary</li> |
| <li>Appendix B – Diagram Rendering Notes</li> |
| </ol> |
|
|
| |
| <h2>1. Abstract & Portfolio Overview</h2> |
| <p>The Baltimore Secure Backbone System (BSBS) is a multidisciplinary cybersecurity framework that demonstrates upper‑division competency in governance, legal analysis, post‑quantum cryptography, memory‑safe systems programming, and machine‑learning‑driven threat detection. This portfolio artifact positions BSBS not as a theoretical exercise, but as a realistic, jurisprudentially‑informed technical architecture for a mid‑sized American city.</p> |
| <p><strong>Learning Outcomes Demonstrated:</strong></p> |
| <ul> |
| <li>Design and justification of a zero‑trust municipal network segmentation model (Concentric Harbor)</li> |
| <li>Application of NIST Risk Management Framework (RMF) and control mapping to a moderate‑impact system</li> |
| <li>Integration of transitional post‑quantum cryptography (Kyber, Dilithium, SPHINCS+) into existing infrastructure</li> |
| <li>Constitutional compliance engineering: Fourth Amendment minimization protocols and oversight mechanics</li> |
| <li>Memory‑safe protocol hardening using Rust and formal verification (Kani)</li> |
| <li>Incident response planning aligned with CJIS, HIPAA, and state breach notification laws</li> |
| </ul> |
|
|
| |
| <h2>2. BSBS Policy Addendum v1.0 – Municipal Cybersecurity Framework</h2> |
|
|
| <h3>2.1 Executive Summary</h3> |
| <p>The Baltimore Secure Backbone System (BSBS) is a comprehensive cybersecurity governance and technical architecture framework designed to protect the City of Baltimore’s municipal data infrastructure against current cryptographic threats and future post‑quantum adversarial capabilities. BSBS operates as a zero‑trust municipal backbone integrating constitutional privacy safeguards, NIST‑aligned risk management, and transitional post‑quantum cryptographic protocols.</p> |
| <p><strong>Scope:</strong> All 47 municipal departments, Baltimore City Public Schools data interfaces, Baltimore Police Department (BPD) CJIS‑compliant systems, Baltimore City Health Department genomic/bioinformatics pipelines, and critical infrastructure OT/ICS networks (water, waste, transit).</p> |
| <p><strong>Authority:</strong> Derived from Baltimore City Code Article 1, Subtitle 40 (Information Technology); Maryland Criminal Procedure Code §10‑301 (CJIS compliance); and Fourth Amendment constraints on municipal data collection and retention.</p> |
|
|
| <h3>2.2 Governance & Legal Architecture</h3> |
| <table> |
| <tr><th>Layer</th><th>Entity</th><th>Function</th></tr> |
| <tr><td>Strategic</td><td>Mayor’s Office of Cybersecurity (MOC)</td><td>Policy authorization, budgetary control, intergovernmental liaison</td></tr> |
| <tr><td>Tactical</td><td>BSBS Security Operations Center (BSOC)</td><td>24/7 monitoring, incident response, threat intelligence</td></tr> |
| <tr><td>Operational</td><td>Departmental Information Security Officers (DISOs)</td><td>Department‑level control implementation, user access governance</td></tr> |
| <tr><td>Audit</td><td>Baltimore City Inspector General (IG) + External NIST 800‑53A assessors</td><td>Annual control assessment, constitutional compliance review</td></tr> |
| </table> |
| <p><strong>Constitutional & Statutory Compliance Matrix:</strong></p> |
| <ul> |
| <li><strong>Fourth Amendment:</strong> Network monitoring uses metadata‑only analysis with differential privacy; content inspection requires DISO authorization + IG notification.</li> |
| <li><strong>Maryland Public Information Act (MPIA):</strong> Encryption does not obstruct lawful records requests; retention schedules published.</li> |
| <li><strong>CJIS Security Policy v5.9:</strong> FIPS 140‑3 Level 2 validated modules for biometric and criminal history data.</li> |
| <li><strong>HIPAA / 42 CFR Part 2:</strong> Segregated encryption domains for SUD records.</li> |
| </ul> |
|
|
| <h3>2.3 Threat Model & Risk Framework</h3> |
| <table> |
| <tr><th>Threat Vector</th><th>Actor</th><th>Impact</th><th>BSBS Control</th></tr> |
| <tr><td>Ransomware (OT/ICS)</td><td>Criminal syndicates / RaaS</td><td>Water treatment disruption, transit halt</td><td>Air‑gapped OT enclaves, immutable backup architecture</td></tr> |
| <tr><td>Store‑Now‑Decrypt‑Later (SNDL)</td><td>Nation‑state adversaries</td><td>Decryption of municipal archives</td><td>Post‑quantum hybrid key encapsulation (Kyber768+X25519)</td></tr> |
| <tr><td>Supply Chain (Bioinformatics)</td><td>APT targeting genomic pipelines</td><td>Tampering of genomic data</td><td>Rust‑based memory‑safe emulation, reproducible build verification</td></tr> |
| <tr><td>Insider Threat (Law Enforcement)</td><td>Authorized user exfiltration</td><td>CJIS data breach, 4th Amendment litigation</td><td>Attribute‑Based Encryption (ABE) with judicial logging</td></tr> |
| <tr><td>Municipal IoT Botnet</td><td>Distributed attackers</td><td>Smart city sensor compromise, DDoS</td><td>Micro‑segmentation, device attestation via Dilithium signatures</td></tr> |
| </table> |
| <p><strong>Risk Score</strong> = (Threat Likelihood × PSI × CLR × FI) / Normalization Factor, where PSI = Public Safety Impact, CLR = Constitutional Litigation Risk, FI = Fiscal Impact.</p> |
|
|
| <h3>2.4 Technical Architecture</h3> |
| <p><strong>Network Segmentation: The “Concentric Harbor” Model</strong></p> |
| <div class="ascii-diagram"> |
| <span class="outer">┌─────────────────────────────────────────────────────────────┐</span> |
| <span class="outer">│ OUTER HARBOR (Untrusted Internet / Public WiFi / IoT) │</span> |
| <span class="outer">│ Post-Quantum TLS 1.3 (Hybrid X25519Kyber768) │</span> |
| <span class="outer">├─────────────────────────────────────────────────────────────┤</span> |
| <span class="inner">│ INNER HARBOR (Municipal Enterprise / Dept VLANs) │</span> |
| <span class="inner">│ mTLS with Dilithium-3 signatures; SDP │</span> |
| <span class="inner">├─────────────────────────────────────────────────────────────┤</span> |
| <span class="fort">│ FORT McHENRY (CJIS / Critical Infrastructure / OT) │</span> |
| <span class="fort">│ Air-gapped or unidirectional data diodes; FIPS 140-3 HSMs │</span> |
| <span class="fort">│ Classical + PQC hybrid; manual key ceremony for root CAs │</span> |
| <span class="fort">└─────────────────────────────────────────────────────────────┘</span> |
| </div> |
|
|
| <p><strong>Post‑Quantum Cryptographic Implementation:</strong></p> |
| <table> |
| <tr><th>Layer</th><th>Primitive</th><th>Implementation</th><th>Purpose</th></tr> |
| <tr><td>Key Encapsulation</td><td>ML‑KEM‑768 (Kyber)</td><td>liboqs + custom Rust wrapper</td><td>Hybrid KEM with X25519</td></tr> |
| <tr><td>Digital Signatures</td><td>ML‑DSA‑65 (Dilithium)</td><td>Pure Rust implementation</td><td>Device attestation, code signing, document integrity</td></tr> |
| <tr><td>Hashing / Backup</td><td>SHA‑3‑256 + SPHINCS+</td><td>Thales Luna 7 HSM</td><td>Long‑term archive integrity</td></tr> |
| <tr><td>OT/ICS</td><td>Lightweight PQC (future on‑ramp candidates)</td><td>Gateway translation layer</td><td>SCADA device protection</td></tr> |
| </table> |
| <p><strong>Transitional Strategy (2024‑2035):</strong> Phase 1 – Hybrid X25519Kyber768; Phase 2 – Dilithium‑3 for software updates; Phase 3 – Full PQC migration, classical deprecation.</p> |
| <p>The <em>Anomalous Pattern Inference Engine (APIE)</em> uses transformer‑based self‑attention to process encrypted traffic metadata (packet timing, entropy) without decryption, preserving Fourth Amendment minimization.</p> |
|
|
| <h3>2.5 Pure Rust HSPA Emulator: Legacy Protocol Hardening</h3> |
| <table> |
| <tr><th>Component</th><th>Specification</th></tr> |
| <tr><td>Language</td><td>Rust (edition 2021), <code>#![forbid(unsafe_code)]</code> in cryptographic path</td></tr> |
| <tr><td>Target</td><td>3GPP TS 25.214 (HSPA physical layer), TS 25.322 (RLC/MAC)</td></tr> |
| <tr><td>Security Features</td><td>Constant‑time operations; formal verification via Kani model checker</td></tr> |
| <tr><td>Integration</td><td>Legacy HSPA device → Rust emulator → TLS 1.3 + Kyber768 backbone</td></tr> |
| <tr><td>Constitutional Safeguard</td><td>Warrant buffer with IG notification; audit trail via Merkle tree (Dilithium‑signed)</td></tr> |
| </table> |
|
|
| <h3>2.6 Incident Response & Resilience (BMIRP aligned with NIST SP 800‑61 Rev. 2)</h3> |
| <table> |
| <tr><th>Phase</th><th>BSBS Action</th><th>Constitutional/Legal Check</th></tr> |
| <tr><td>Detection</td><td>APIE anomaly scoring + BSOC SIEM</td><td>Metadata vs. content review</td></tr> |
| <tr><td>Analysis</td><td>Forensic imaging to immutable S3 Glacier (Dilithium‑signed)</td><td>IG notification if BPD data involved</td></tr> |
| <tr><td>Containment</td><td>SDP segmentation; OT air‑gap activation</td><td>Mayor’s Office authorization for citywide actions</td></tr> |
| <tr><td>Eradication</td><td>Re‑image from SPHINCS+ verified gold‑masters</td><td>Evidence preservation</td></tr> |
| <tr><td>Recovery</td><td>Phased restoration with enhanced monitoring</td><td>Public notification per Maryland PIPA if PII impacted</td></tr> |
| <tr><td>Post‑Incident</td><td>After‑action report; APIE retraining</td><td>IG review of any surveillance expansion</td></tr> |
| </table> |
|
|
| <h3>2.7 Implementation Roadmap</h3> |
| <table> |
| <tr><th>Phase</th><th>Timeline</th><th>Deliverable</th><th>Budget Estimate</th></tr> |
| <tr><td>I. Governance</td><td>Months 1‑3</td><td>MOC charter; DISO appointments; IG audit protocol</td><td>$150K</td></tr> |
| <tr><td>II. Backbone Hardening</td><td>Months 4‑9</td><td>Concentric Harbor deployment; hybrid PQC TLS</td><td>$2.1M</td></tr> |
| <tr><td>III. Legacy Emulation</td><td>Months 6‑12</td><td>Rust HSPA emulator; water/SCADA integration</td><td>$890K</td></tr> |
| <tr><td>IV. AI/ML Security</td><td>Months 10‑15</td><td>APIE deployment; federated learning infrastructure</td><td>$1.2M</td></tr> |
| <tr><td>V. Full PQC Transition</td><td>2028‑2033</td><td>Classical deprecation; full Dilithium/Kyber authority</td><td>$500K/year</td></tr> |
| </table> |
|
|
| <h3>2.8 Metrics & Continuous Monitoring</h3> |
| <ul> |
| <li><strong>MTTD</strong> <15 minutes for critical infrastructure</li> |
| <li><strong>MTTR</strong> <2 hours for containment</li> |
| <li><strong>Post‑Quantum Readiness Score:</strong> 100% hybrid KEM TLS by Q2 2026</li> |
| <li><strong>Constitutional Compliance Score:</strong> 100% IG audits satisfactory</li> |
| <li><strong>Legacy System Security Coverage:</strong> 100% non‑replaceable OT devices protected</li> |
| </ul> |
|
|
| <h3>2.9 Conclusion</h3> |
| <p>BSBS treats constitutional constraints as design requirements, integrating post‑quantum cryptography, memory‑safe systems, and privacy‑preserving AI into a governance structure accountable to both technical standards and civil liberties.</p> |
|
|
| |
| <h2>3. Artifact A – NIST SP 800‑53 Rev. 5 Control Mapping <span class="badge">Moderate Baseline</span></h2> |
| <p><small>Hyperlinked control IDs open official NIST CSRC definitions in a new tab.</small></p> |
| <table> |
| <tr><th>Control ID</th><th>Control Name</th><th>BSBS Implementation</th><th>Evidence / Artifact</th></tr> |
| <tr><td><a href="https://csrc.nist.gov/projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-3" target="_blank">AC‑3</a></td><td>Access Enforcement</td><td>Concentric Harbor & ABE</td><td>SDP logs, ABE policy files</td></tr> |
| <tr><td><a href="https://csrc.nist.gov/projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-4" target="_blank">AC‑4</a></td><td>Information Flow Enforcement</td><td>Rust HSPA Emulator / Data Diodes</td><td>Kani formal verification</td></tr> |
| <tr><td><a href="https://csrc.nist.gov/projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-10" target="_blank">AU‑10</a></td><td>Non‑Repudiation</td><td>Dilithium‑3 Signatures</td><td>Merkle‑tree logs with signed roots</td></tr> |
| <tr><td><a href="https://csrc.nist.gov/projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-9" target="_blank">CP‑9</a></td><td>System Backup</td><td>SPHINCS+ signed backups</td><td>Hash‑validation logs</td></tr> |
| <tr><td><a href="https://csrc.nist.gov/projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-2" target="_blank">IA‑2</a></td><td>Identification & Authentication</td><td>Hybrid PQC (Kyber768+X25519)</td><td>mTLS handshake logs</td></tr> |
| <tr><td><a href="https://csrc.nist.gov/projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-8" target="_blank">SC‑8</a></td><td>Transmission Confidentiality</td><td>TLS 1.3 + ML‑KEM</td><td>PQC ciphersuite PCAPs</td></tr> |
| <tr><td><a href="https://csrc.nist.gov/projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-38" target="_blank">SC‑38</a></td><td>Operations Security</td><td>APIE</td><td>Metadata‑only anomaly reports</td></tr> |
| <tr><td><a href="https://csrc.nist.gov/projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4" target="_blank">SI‑4</a></td><td>System Monitoring</td><td>Federated Learning / APIE</td><td>Minimization protocol audit logs</td></tr> |
| </table> |
|
|
| |
| <h2>4. Artifact B – Fourth Amendment Minimization Protocol (Legal Memorandum)</h2> |
| <p><strong>TO:</strong> Departmental Information Security Officers (DISOs), Baltimore City Public Schools, BPD<br> |
| <strong>FROM:</strong> Office of the General Counsel / Mayor’s Office of Cybersecurity (MOC)<br> |
| <strong>SUBJECT:</strong> Minimization Protocols for BSBS Network Monitoring and Data Retention<br> |
| <strong>DATE:</strong> May 23, 2024</p> |
|
|
| <h3>4.1 Purpose</h3> |
| <p>To ensure that BSBS provides robust cybersecurity while strictly adhering to the Fourth Amendment and the Baltimore City Charter regarding citizen privacy.</p> |
|
|
| <h3>4.2 Data Segregation and Minimization</h3> |
| <ul> |
| <li><strong>Metadata vs. Content:</strong> The APIE is prohibited from performing Deep Packet Inspection (DPI) on encrypted traffic content without a specific DISO‑issued warrant. Monitoring is restricted to network flow metadata.</li> |
| <li><strong>Differential Privacy:</strong> When aggregating threat intelligence, the APIE must apply a Laplacian noise mechanism to prevent reconstruction of any individual user’s behavior.</li> |
| </ul> |
|
|
| <h3>4.3 Warrant Requirements</h3> |
| <p>If decryption of traffic is required (using BSBS escrowed keys), the following must be documented:</p> |
| <ul> |
| <li>Probable cause of active malicious exfiltration or system compromise.</li> |
| <li>Narrow tailoring: specific enclave, IP range, and timeframe.</li> |
| <li>Automated notification to the City Inspector General within 4 hours.</li> |
| </ul> |
|
|
| <h3>4.4 Retention Limits</h3> |
| <p>Encryption‑related metadata purged every 90 days unless flagged in an active investigation. Long‑term SPHINCS+‑signed backups are strictly for disaster recovery and are not searchable for law enforcement without a judicial order.</p> |
|
|
| |
| <h2>5. Artifact C – Technical Architecture Diagrams <span class="badge">Vivid ASCII</span></h2> |
| <p>The following diagrams use terminal‑friendly color classes. When viewed in a terminal that supports ANSI, the colors will be vivid; here they are rendered with HTML span colors matching the harbor palette.</p> |
|
|
| <h3>Diagram A: Concentric Harbor Network Segmentation</h3> |
| <div class="ascii-diagram"> |
| <span class="outer"> OUTER HARBOR (Untrusted) </span> |
| <span class="outer"> Public WiFi IoT Sensors </span> |
| <span class="outer"> | | </span> |
| <span class="outer"> +--------+---------+ </span> |
| <span class="outer"> | </span> |
| <span class="outer"> Hybrid TLS 1.3 Gateway </span> |
| <span class="outer"> | </span> |
| <span class="inner"> INNER HARBOR (Enterprise) </span> |
| <span class="inner"> | </span> |
| <span class="inner"> SDP Controller </span> |
| <span class="inner"> / \ </span> |
| <span class="inner"> Dept VLANs Health Dept / Genomic </span> |
| <span class="inner"> | | </span> |
| <span class="inner"> | | </span> |
| <span class="fort"> FORT McHENRY (Critical/OT) </span> |
| <span class="fort"> | | </span> |
| <span class="fort"> Data Diode Rust HSPA Emulator </span> |
| <span class="fort"> | | </span> |
| <span class="fort">SCADA/Water Legacy Bioinformatics </span> |
| <span class="fort"> | | </span> |
| <span class="fort"> +---- FIPS 140-3 HSM ----+ </span> |
| </div> |
|
|
| <h3>Diagram B: Post‑Quantum Hybrid Handshake Flow</h3> |
| <div class="ascii-diagram"> |
| <span class="terminal"> Municipal Endpoint </span> <span class="outer"> BSBS Gateway (Rust) </span> <span class="hsm"> Thales Luna HSM </span> |
| | | | |
| | ClientHello | | |
| | (ECDHE_X25519 + | | |
| | ML-KEM-768) | | |
| |------------------------->| | |
| | | | |
| | | Request Private Key Op | |
| | |------------------------->| |
| | | | |
| | | Signed Response | |
| | | (ML-DSA-65) | |
| | |<-------------------------| |
| | | | |
| | ServerHello + | | |
| | ML-KEM Encapsulated Key| | |
| |<-------------------------| | |
| | | | |
| | Derive Shared Secret | | |
| | (Hybrid KEM) | | |
| | | | |
| | Finished (encrypted) | | |
| |------------------------->| | |
| | | | |
| | Finished | | |
| |<-------------------------| | |
| | | | |
| Secure Session Established | | |
| </div> |
|
|
| |
| <h2>6. Reflective Analysis & Feasibility Assessment</h2> |
| <p><strong>Failure Mode Engineering:</strong> Fort McHenry (OT/CJIS) fails <em>closed</em> – data diodes sever if PQC latency exceeds threshold. Outer Harbor fails <em>open</em> – degrades to classical TLS 1.2 with heightened monitoring, ensuring public service continuity.</p> |
| <p><strong>Fiscal Sustainability:</strong> Open‑source PQC libraries and Rust avoid vendor lock‑in; HSPA emulator saves ~$4.2M over physical device replacement.</p> |
| <p><strong>Technical Validation:</strong> The Rust emulator is <code>#![forbid(unsafe_code)]</code> and formally verified with Kani, giving mathematical memory‑safety proof.</p> |
| <p><strong>Constitutional Robustness:</strong> Metadata‑only monitoring, warrant buffers, and IG notification align with <em>Carpenter v. United States</em> principles.</p> |
|
|
| |
| <h2>7. Lessons Learned & Professional Growth</h2> |
| <ul> |
| <li><strong>Governance is not an afterthought:</strong> Charter, audit, and budget are as critical as Kyber768.</li> |
| <li><strong>Legacy systems cannot be ignored:</strong> The emulator shows how to secure what cannot be replaced.</li> |
| <li><strong>Privacy is a design constraint:</strong> APIE proves threat detection can coexist with the Fourth Amendment.</li> |
| <li><strong>Integration matters:</strong> Combining policy, code, and law transforms assignments into professional artifacts.</li> |
| </ul> |
|
|
| |
| <h2>8. References</h2> |
| <ul> |
| <li>NIST. (2020). <em>NIST SP 800‑53 Rev. 5</em>. <a href="https://doi.org/10.6028/NIST.SP.800-53r5" target="_blank">https://doi.org/10.6028/NIST.SP.800-53r5</a></li> |
| <li>NIST. (2023). <em>FIPS 203, 204, 205</em>. <a href="https://csrc.nist.gov/projects/post-quantum-cryptography" target="_blank">PQC Project</a></li> |
| <li>Baltimore City Code, Article 1, Subtitle 40.</li> |
| <li>Maryland Criminal Procedure Code §10‑301.</li> |
| <li><em>Carpenter v. United States</em>, 585 U.S. ___ (2018).</li> |
| <li>Open Quantum Safe. <em>liboqs</em>. <a href="https://openquantumsafe.org/" target="_blank">openquantumsafe.org</a></li> |
| <li>Rust Foundation. <em>The Rust Programming Language</em>. <a href="https://doc.rust-lang.org/book/" target="_blank">doc.rust-lang.org</a></li> |
| <li>Kani Rust Verifier. <a href="https://model-checking.github.io/kani/" target="_blank">model-checking.github.io/kani</a></li> |
| </ul> |
|
|
| |
| <h2>9. Appendix A – Acronym Glossary</h2> |
| <dl class="acronym-list"> |
| <dt><strong>ABE</strong></dt><dd>Attribute‑Based Encryption</dd> |
| <dt><strong>APIE</strong></dt><dd>Anomalous Pattern Inference Engine</dd> |
| <dt><strong>BSBS</strong></dt><dd>Baltimore Secure Backbone System</dd> |
| <dt><strong>CJIS</strong></dt><dd>Criminal Justice Information Services</dd> |
| <dt><strong>DISO</strong></dt><dd>Departmental Information Security Officer</dd> |
| <dt><strong>FIPS</strong></dt><dd>Federal Information Processing Standards</dd> |
| <dt><strong>HSM</strong></dt><dd>Hardware Security Module</dd> |
| <dt><strong>IG</strong></dt><dd>Inspector General</dd> |
| <dt><strong>KEM</strong></dt><dd>Key Encapsulation Mechanism</dd> |
| <dt><strong>ML‑KEM</strong></dt><dd>Module‑Lattice‑based KEM (Kyber)</dd> |
| <dt><strong>ML‑DSA</strong></dt><dd>Module‑Lattice‑based Digital Signature Algorithm (Dilithium)</dd> |
| <dt><strong>MOC</strong></dt><dd>Mayor’s Office of Cybersecurity</dd> |
| <dt><strong>MPIA</strong></dt><dd>Maryland Public Information Act</dd> |
| <dt><strong>mTLS</strong></dt><dd>Mutual Transport Layer Security</dd> |
| <dt><strong>NIST</strong></dt><dd>National Institute of Standards and Technology</dd> |
| <dt><strong>OT/ICS</strong></dt><dd>Operational Technology / Industrial Control Systems</dd> |
| <dt><strong>PIPA</strong></dt><dd>Personal Information Protection Act (Maryland)</dd> |
| <dt><strong>PQC</strong></dt><dd>Post‑Quantum Cryptography</dd> |
| <dt><strong>PSI</strong></dt><dd>Public Safety Impact</dd> |
| <dt><strong>SDP</strong></dt><dd>Software‑Defined Perimeter</dd> |
| <dt><strong>SNDL</strong></dt><dd>Store‑Now‑Decrypt‑Later</dd> |
| <dt><strong>SPHINCS+</strong></dt><dd>Stateless hash‑based digital signature scheme</dd> |
| <dt><strong>SUD</strong></dt><dd>Substance Use Disorder</dd> |
| <dt><strong>TLS</strong></dt><dd>Transport Layer Security</dd> |
| </dl> |
|
|
| |
| <h2>10. Appendix B – Diagram Rendering Notes</h2> |
| <p>The ASCII diagrams above use the Baltimore “harbor” palette:</p> |
| <ul> |
| <li><span style="color:#2E86AB; font-weight:bold;">Outer Harbor (Teal #2E86AB)</span></li> |
| <li><span style="color:#3B5998; font-weight:bold;">Inner Harbor (Steel Blue #3B5998)</span></li> |
| <li><span style="color:#1B2A4A; font-weight:bold;">Fort McHenry (Navy #1B2A4A) – shown as lighter blue on dark background for readability</span></li> |
| <li><span style="color:#f4a261; font-weight:bold;">Municipal Endpoint (Orange #f4a261)</span></li> |
| <li><span style="color:#e76f51; font-weight:bold;">HSM (Dark Red #e76f51)</span></li> |
| </ul> |
| <p>These colors are applied via CSS classes in this HTML document. For terminal ANSI rendering, equivalent escape codes are used.</p> |
|
|
| <div class="footer"> |
| <p>Baltimore Secure Backbone System (BSBS) – Portfolio v2.1 | [Your Name] | Capstone Submission June 2026</p> |
| </div> |
|
|
| </div> |
| </body> |
| </html> |