Portfolio / index.html
caustino's picture
Update index.html
659b785 verified
Raw
History Blame Contribute Delete
30 kB
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Baltimore Secure Backbone System (BSBS) – Portfolio</title>
<style>
:root {
--outer-harbor: #2E86AB;
--inner-harbor: #3B5998;
--fort-mchenry: #1B2A4A;
--accent: #f4a261;
--bg: #f8f9fa;
--text: #212529;
--table-stripe: #e9ecef;
--box-bg: #ffffff;
}
body {
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background: var(--bg);
color: var(--text);
line-height: 1.6;
margin: 0;
padding: 20px;
}
.container {
max-width: 1000px;
margin: 0 auto;
background: var(--box-bg);
padding: 2rem 3rem;
box-shadow: 0 2px 10px rgba(0,0,0,0.05);
border-radius: 8px;
}
h1, h2, h3 {
font-weight: 600;
}
h1 {
color: var(--fort-mchenry);
border-bottom: 2px solid var(--outer-harbor);
padding-bottom: 0.3em;
}
h2 {
color: var(--inner-harbor);
border-left: 5px solid var(--outer-harbor);
padding-left: 10px;
margin-top: 2em;
}
h3 {
color: var(--fort-mchenry);
}
.section-title {
color: var(--outer-harbor);
font-size: 1.8rem;
margin-top: 1.5em;
}
table {
border-collapse: collapse;
width: 100%;
margin: 1em 0;
font-size: 0.9rem;
}
th {
background-color: var(--outer-harbor);
color: white;
padding: 10px;
text-align: left;
}
td {
padding: 8px 10px;
border-bottom: 1px solid #ddd;
}
tr:nth-child(even) td {
background-color: var(--table-stripe);
}
.code-box, pre {
background: #1e1e1e;
color: #d4d4d4;
padding: 15px;
border-radius: 5px;
overflow-x: auto;
font-family: 'Courier New', monospace;
font-size: 0.85rem;
line-height: 1.4;
border: 1px solid #333;
}
.ascii-diagram {
font-family: 'Courier New', monospace;
white-space: pre;
background: #0d1b2a; /* dark navy background for diagrams */
color: #e0e0e0;
padding: 15px;
border-radius: 6px;
margin: 1em 0;
font-size: 0.8rem;
border-left: 4px solid var(--outer-harbor);
}
.outer { color: #2E86AB; font-weight: bold; }
.inner { color: #3B5998; font-weight: bold; }
.fort { color: #a2c4da; font-weight: bold; } /* lighter blue for navy bg */
.terminal { color: #f4a261; font-weight: bold; }
.hsm { color: #e76f51; font-weight: bold; }
.badge {
display: inline-block;
padding: 2px 8px;
border-radius: 12px;
font-size: 0.75rem;
background: var(--outer-harbor);
color: white;
margin-right: 5px;
}
.acronym-list dd {
margin-bottom: 0.5em;
}
.footer {
margin-top: 3em;
font-size: 0.85rem;
color: #6c757d;
border-top: 1px solid #ccc;
padding-top: 1em;
text-align: center;
}
a {
color: var(--outer-harbor);
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
</style>
</head>
<body>
<div class="container">
<h1>Baltimore Secure Backbone System (BSBS)</h1>
<p><strong>Comprehensive Portfolio Submission</strong><br>
<em>Municipal Cybersecurity Governance, Post‑Quantum Architecture, and Constitutional Compliance</em></p>
<p><strong>Author:</strong> [Your Name] &nbsp;|&nbsp; <strong>Course:</strong> [Capstone / Cybersecurity Governance & Technical Architecture] &nbsp;|&nbsp; <strong>Date:</strong> June 2, 2026 &nbsp;|&nbsp; <strong>Version:</strong> 2.1 (Final Portfolio)</p>
<h2>Table of Contents</h2>
<ol>
<li>Abstract & Portfolio Overview</li>
<li>BSBS Policy Addendum v1.0</li>
<li>Artifact A – NIST SP 800‑53 Rev. 5 Control Mapping</li>
<li>Artifact B – Fourth Amendment Minimization Protocol (Legal Memorandum)</li>
<li>Artifact C – Technical Architecture Diagrams (Vivid ASCII)</li>
<li>Reflective Analysis & Feasibility Assessment</li>
<li>Lessons Learned & Professional Growth</li>
<li>References</li>
<li>Appendix A – Acronym Glossary</li>
<li>Appendix B – Diagram Rendering Notes</li>
</ol>
<!-- ================= 1. Abstract ================= -->
<h2>1. Abstract & Portfolio Overview</h2>
<p>The Baltimore Secure Backbone System (BSBS) is a multidisciplinary cybersecurity framework that demonstrates upper‑division competency in governance, legal analysis, post‑quantum cryptography, memory‑safe systems programming, and machine‑learning‑driven threat detection. This portfolio artifact positions BSBS not as a theoretical exercise, but as a realistic, jurisprudentially‑informed technical architecture for a mid‑sized American city.</p>
<p><strong>Learning Outcomes Demonstrated:</strong></p>
<ul>
<li>Design and justification of a zero‑trust municipal network segmentation model (Concentric Harbor)</li>
<li>Application of NIST Risk Management Framework (RMF) and control mapping to a moderate‑impact system</li>
<li>Integration of transitional post‑quantum cryptography (Kyber, Dilithium, SPHINCS+) into existing infrastructure</li>
<li>Constitutional compliance engineering: Fourth Amendment minimization protocols and oversight mechanics</li>
<li>Memory‑safe protocol hardening using Rust and formal verification (Kani)</li>
<li>Incident response planning aligned with CJIS, HIPAA, and state breach notification laws</li>
</ul>
<!-- ================= 2. Policy Addendum ================= -->
<h2>2. BSBS Policy Addendum v1.0 – Municipal Cybersecurity Framework</h2>
<h3>2.1 Executive Summary</h3>
<p>The Baltimore Secure Backbone System (BSBS) is a comprehensive cybersecurity governance and technical architecture framework designed to protect the City of Baltimore’s municipal data infrastructure against current cryptographic threats and future post‑quantum adversarial capabilities. BSBS operates as a zero‑trust municipal backbone integrating constitutional privacy safeguards, NIST‑aligned risk management, and transitional post‑quantum cryptographic protocols.</p>
<p><strong>Scope:</strong> All 47 municipal departments, Baltimore City Public Schools data interfaces, Baltimore Police Department (BPD) CJIS‑compliant systems, Baltimore City Health Department genomic/bioinformatics pipelines, and critical infrastructure OT/ICS networks (water, waste, transit).</p>
<p><strong>Authority:</strong> Derived from Baltimore City Code Article 1, Subtitle 40 (Information Technology); Maryland Criminal Procedure Code §10‑301 (CJIS compliance); and Fourth Amendment constraints on municipal data collection and retention.</p>
<h3>2.2 Governance & Legal Architecture</h3>
<table>
<tr><th>Layer</th><th>Entity</th><th>Function</th></tr>
<tr><td>Strategic</td><td>Mayor’s Office of Cybersecurity (MOC)</td><td>Policy authorization, budgetary control, intergovernmental liaison</td></tr>
<tr><td>Tactical</td><td>BSBS Security Operations Center (BSOC)</td><td>24/7 monitoring, incident response, threat intelligence</td></tr>
<tr><td>Operational</td><td>Departmental Information Security Officers (DISOs)</td><td>Department‑level control implementation, user access governance</td></tr>
<tr><td>Audit</td><td>Baltimore City Inspector General (IG) + External NIST 800‑53A assessors</td><td>Annual control assessment, constitutional compliance review</td></tr>
</table>
<p><strong>Constitutional & Statutory Compliance Matrix:</strong></p>
<ul>
<li><strong>Fourth Amendment:</strong> Network monitoring uses metadata‑only analysis with differential privacy; content inspection requires DISO authorization + IG notification.</li>
<li><strong>Maryland Public Information Act (MPIA):</strong> Encryption does not obstruct lawful records requests; retention schedules published.</li>
<li><strong>CJIS Security Policy v5.9:</strong> FIPS 140‑3 Level 2 validated modules for biometric and criminal history data.</li>
<li><strong>HIPAA / 42 CFR Part 2:</strong> Segregated encryption domains for SUD records.</li>
</ul>
<h3>2.3 Threat Model & Risk Framework</h3>
<table>
<tr><th>Threat Vector</th><th>Actor</th><th>Impact</th><th>BSBS Control</th></tr>
<tr><td>Ransomware (OT/ICS)</td><td>Criminal syndicates / RaaS</td><td>Water treatment disruption, transit halt</td><td>Air‑gapped OT enclaves, immutable backup architecture</td></tr>
<tr><td>Store‑Now‑Decrypt‑Later (SNDL)</td><td>Nation‑state adversaries</td><td>Decryption of municipal archives</td><td>Post‑quantum hybrid key encapsulation (Kyber768+X25519)</td></tr>
<tr><td>Supply Chain (Bioinformatics)</td><td>APT targeting genomic pipelines</td><td>Tampering of genomic data</td><td>Rust‑based memory‑safe emulation, reproducible build verification</td></tr>
<tr><td>Insider Threat (Law Enforcement)</td><td>Authorized user exfiltration</td><td>CJIS data breach, 4th Amendment litigation</td><td>Attribute‑Based Encryption (ABE) with judicial logging</td></tr>
<tr><td>Municipal IoT Botnet</td><td>Distributed attackers</td><td>Smart city sensor compromise, DDoS</td><td>Micro‑segmentation, device attestation via Dilithium signatures</td></tr>
</table>
<p><strong>Risk Score</strong> = (Threat Likelihood × PSI × CLR × FI) / Normalization Factor, where PSI = Public Safety Impact, CLR = Constitutional Litigation Risk, FI = Fiscal Impact.</p>
<h3>2.4 Technical Architecture</h3>
<p><strong>Network Segmentation: The “Concentric Harbor” Model</strong></p>
<div class="ascii-diagram">
<span class="outer">┌─────────────────────────────────────────────────────────────┐</span>
<span class="outer">│ OUTER HARBOR (Untrusted Internet / Public WiFi / IoT) │</span>
<span class="outer">│ Post-Quantum TLS 1.3 (Hybrid X25519Kyber768) │</span>
<span class="outer">├─────────────────────────────────────────────────────────────┤</span>
<span class="inner">│ INNER HARBOR (Municipal Enterprise / Dept VLANs) │</span>
<span class="inner">│ mTLS with Dilithium-3 signatures; SDP │</span>
<span class="inner">├─────────────────────────────────────────────────────────────┤</span>
<span class="fort">│ FORT McHENRY (CJIS / Critical Infrastructure / OT) │</span>
<span class="fort">│ Air-gapped or unidirectional data diodes; FIPS 140-3 HSMs │</span>
<span class="fort">│ Classical + PQC hybrid; manual key ceremony for root CAs │</span>
<span class="fort">└─────────────────────────────────────────────────────────────┘</span>
</div>
<p><strong>Post‑Quantum Cryptographic Implementation:</strong></p>
<table>
<tr><th>Layer</th><th>Primitive</th><th>Implementation</th><th>Purpose</th></tr>
<tr><td>Key Encapsulation</td><td>ML‑KEM‑768 (Kyber)</td><td>liboqs + custom Rust wrapper</td><td>Hybrid KEM with X25519</td></tr>
<tr><td>Digital Signatures</td><td>ML‑DSA‑65 (Dilithium)</td><td>Pure Rust implementation</td><td>Device attestation, code signing, document integrity</td></tr>
<tr><td>Hashing / Backup</td><td>SHA‑3‑256 + SPHINCS+</td><td>Thales Luna 7 HSM</td><td>Long‑term archive integrity</td></tr>
<tr><td>OT/ICS</td><td>Lightweight PQC (future on‑ramp candidates)</td><td>Gateway translation layer</td><td>SCADA device protection</td></tr>
</table>
<p><strong>Transitional Strategy (2024‑2035):</strong> Phase 1 – Hybrid X25519Kyber768; Phase 2 – Dilithium‑3 for software updates; Phase 3 – Full PQC migration, classical deprecation.</p>
<p>The <em>Anomalous Pattern Inference Engine (APIE)</em> uses transformer‑based self‑attention to process encrypted traffic metadata (packet timing, entropy) without decryption, preserving Fourth Amendment minimization.</p>
<h3>2.5 Pure Rust HSPA Emulator: Legacy Protocol Hardening</h3>
<table>
<tr><th>Component</th><th>Specification</th></tr>
<tr><td>Language</td><td>Rust (edition 2021), <code>#![forbid(unsafe_code)]</code> in cryptographic path</td></tr>
<tr><td>Target</td><td>3GPP TS 25.214 (HSPA physical layer), TS 25.322 (RLC/MAC)</td></tr>
<tr><td>Security Features</td><td>Constant‑time operations; formal verification via Kani model checker</td></tr>
<tr><td>Integration</td><td>Legacy HSPA device → Rust emulator → TLS 1.3 + Kyber768 backbone</td></tr>
<tr><td>Constitutional Safeguard</td><td>Warrant buffer with IG notification; audit trail via Merkle tree (Dilithium‑signed)</td></tr>
</table>
<h3>2.6 Incident Response & Resilience (BMIRP aligned with NIST SP 800‑61 Rev. 2)</h3>
<table>
<tr><th>Phase</th><th>BSBS Action</th><th>Constitutional/Legal Check</th></tr>
<tr><td>Detection</td><td>APIE anomaly scoring + BSOC SIEM</td><td>Metadata vs. content review</td></tr>
<tr><td>Analysis</td><td>Forensic imaging to immutable S3 Glacier (Dilithium‑signed)</td><td>IG notification if BPD data involved</td></tr>
<tr><td>Containment</td><td>SDP segmentation; OT air‑gap activation</td><td>Mayor’s Office authorization for citywide actions</td></tr>
<tr><td>Eradication</td><td>Re‑image from SPHINCS+ verified gold‑masters</td><td>Evidence preservation</td></tr>
<tr><td>Recovery</td><td>Phased restoration with enhanced monitoring</td><td>Public notification per Maryland PIPA if PII impacted</td></tr>
<tr><td>Post‑Incident</td><td>After‑action report; APIE retraining</td><td>IG review of any surveillance expansion</td></tr>
</table>
<h3>2.7 Implementation Roadmap</h3>
<table>
<tr><th>Phase</th><th>Timeline</th><th>Deliverable</th><th>Budget Estimate</th></tr>
<tr><td>I. Governance</td><td>Months 1‑3</td><td>MOC charter; DISO appointments; IG audit protocol</td><td>$150K</td></tr>
<tr><td>II. Backbone Hardening</td><td>Months 4‑9</td><td>Concentric Harbor deployment; hybrid PQC TLS</td><td>$2.1M</td></tr>
<tr><td>III. Legacy Emulation</td><td>Months 6‑12</td><td>Rust HSPA emulator; water/SCADA integration</td><td>$890K</td></tr>
<tr><td>IV. AI/ML Security</td><td>Months 10‑15</td><td>APIE deployment; federated learning infrastructure</td><td>$1.2M</td></tr>
<tr><td>V. Full PQC Transition</td><td>2028‑2033</td><td>Classical deprecation; full Dilithium/Kyber authority</td><td>$500K/year</td></tr>
</table>
<h3>2.8 Metrics & Continuous Monitoring</h3>
<ul>
<li><strong>MTTD</strong> &lt;15 minutes for critical infrastructure</li>
<li><strong>MTTR</strong> &lt;2 hours for containment</li>
<li><strong>Post‑Quantum Readiness Score:</strong> 100% hybrid KEM TLS by Q2 2026</li>
<li><strong>Constitutional Compliance Score:</strong> 100% IG audits satisfactory</li>
<li><strong>Legacy System Security Coverage:</strong> 100% non‑replaceable OT devices protected</li>
</ul>
<h3>2.9 Conclusion</h3>
<p>BSBS treats constitutional constraints as design requirements, integrating post‑quantum cryptography, memory‑safe systems, and privacy‑preserving AI into a governance structure accountable to both technical standards and civil liberties.</p>
<!-- ================= 3. NIST Mapping ================= -->
<h2>3. Artifact A – NIST SP 800‑53 Rev. 5 Control Mapping <span class="badge">Moderate Baseline</span></h2>
<p><small>Hyperlinked control IDs open official NIST CSRC definitions in a new tab.</small></p>
<table>
<tr><th>Control ID</th><th>Control Name</th><th>BSBS Implementation</th><th>Evidence / Artifact</th></tr>
<tr><td><a href="https://csrc.nist.gov/projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-3" target="_blank">AC‑3</a></td><td>Access Enforcement</td><td>Concentric Harbor & ABE</td><td>SDP logs, ABE policy files</td></tr>
<tr><td><a href="https://csrc.nist.gov/projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-4" target="_blank">AC‑4</a></td><td>Information Flow Enforcement</td><td>Rust HSPA Emulator / Data Diodes</td><td>Kani formal verification</td></tr>
<tr><td><a href="https://csrc.nist.gov/projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-10" target="_blank">AU‑10</a></td><td>Non‑Repudiation</td><td>Dilithium‑3 Signatures</td><td>Merkle‑tree logs with signed roots</td></tr>
<tr><td><a href="https://csrc.nist.gov/projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-9" target="_blank">CP‑9</a></td><td>System Backup</td><td>SPHINCS+ signed backups</td><td>Hash‑validation logs</td></tr>
<tr><td><a href="https://csrc.nist.gov/projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-2" target="_blank">IA‑2</a></td><td>Identification & Authentication</td><td>Hybrid PQC (Kyber768+X25519)</td><td>mTLS handshake logs</td></tr>
<tr><td><a href="https://csrc.nist.gov/projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-8" target="_blank">SC‑8</a></td><td>Transmission Confidentiality</td><td>TLS 1.3 + ML‑KEM</td><td>PQC ciphersuite PCAPs</td></tr>
<tr><td><a href="https://csrc.nist.gov/projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-38" target="_blank">SC‑38</a></td><td>Operations Security</td><td>APIE</td><td>Metadata‑only anomaly reports</td></tr>
<tr><td><a href="https://csrc.nist.gov/projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4" target="_blank">SI‑4</a></td><td>System Monitoring</td><td>Federated Learning / APIE</td><td>Minimization protocol audit logs</td></tr>
</table>
<!-- ================= 4. Fourth Amendment Memo ================= -->
<h2>4. Artifact B – Fourth Amendment Minimization Protocol (Legal Memorandum)</h2>
<p><strong>TO:</strong> Departmental Information Security Officers (DISOs), Baltimore City Public Schools, BPD<br>
<strong>FROM:</strong> Office of the General Counsel / Mayor’s Office of Cybersecurity (MOC)<br>
<strong>SUBJECT:</strong> Minimization Protocols for BSBS Network Monitoring and Data Retention<br>
<strong>DATE:</strong> May 23, 2024</p>
<h3>4.1 Purpose</h3>
<p>To ensure that BSBS provides robust cybersecurity while strictly adhering to the Fourth Amendment and the Baltimore City Charter regarding citizen privacy.</p>
<h3>4.2 Data Segregation and Minimization</h3>
<ul>
<li><strong>Metadata vs. Content:</strong> The APIE is prohibited from performing Deep Packet Inspection (DPI) on encrypted traffic content without a specific DISO‑issued warrant. Monitoring is restricted to network flow metadata.</li>
<li><strong>Differential Privacy:</strong> When aggregating threat intelligence, the APIE must apply a Laplacian noise mechanism to prevent reconstruction of any individual user’s behavior.</li>
</ul>
<h3>4.3 Warrant Requirements</h3>
<p>If decryption of traffic is required (using BSBS escrowed keys), the following must be documented:</p>
<ul>
<li>Probable cause of active malicious exfiltration or system compromise.</li>
<li>Narrow tailoring: specific enclave, IP range, and timeframe.</li>
<li>Automated notification to the City Inspector General within 4 hours.</li>
</ul>
<h3>4.4 Retention Limits</h3>
<p>Encryption‑related metadata purged every 90 days unless flagged in an active investigation. Long‑term SPHINCS+‑signed backups are strictly for disaster recovery and are not searchable for law enforcement without a judicial order.</p>
<!-- ================= 5. Diagrams (Vivid ASCII) ================= -->
<h2>5. Artifact C – Technical Architecture Diagrams <span class="badge">Vivid ASCII</span></h2>
<p>The following diagrams use terminal‑friendly color classes. When viewed in a terminal that supports ANSI, the colors will be vivid; here they are rendered with HTML span colors matching the harbor palette.</p>
<h3>Diagram A: Concentric Harbor Network Segmentation</h3>
<div class="ascii-diagram">
<span class="outer"> OUTER HARBOR (Untrusted) </span>
<span class="outer"> Public WiFi IoT Sensors </span>
<span class="outer"> | | </span>
<span class="outer"> +--------+---------+ </span>
<span class="outer"> | </span>
<span class="outer"> Hybrid TLS 1.3 Gateway </span>
<span class="outer"> | </span>
<span class="inner"> INNER HARBOR (Enterprise) </span>
<span class="inner"> | </span>
<span class="inner"> SDP Controller </span>
<span class="inner"> / \ </span>
<span class="inner"> Dept VLANs Health Dept / Genomic </span>
<span class="inner"> | | </span>
<span class="inner"> | | </span>
<span class="fort"> FORT McHENRY (Critical/OT) </span>
<span class="fort"> | | </span>
<span class="fort"> Data Diode Rust HSPA Emulator </span>
<span class="fort"> | | </span>
<span class="fort">SCADA/Water Legacy Bioinformatics </span>
<span class="fort"> | | </span>
<span class="fort"> +---- FIPS 140-3 HSM ----+ </span>
</div>
<h3>Diagram B: Post‑Quantum Hybrid Handshake Flow</h3>
<div class="ascii-diagram">
<span class="terminal"> Municipal Endpoint </span> <span class="outer"> BSBS Gateway (Rust) </span> <span class="hsm"> Thales Luna HSM </span>
| | |
| ClientHello | |
| (ECDHE_X25519 + | |
| ML-KEM-768) | |
|------------------------->| |
| | |
| | Request Private Key Op |
| |------------------------->|
| | |
| | Signed Response |
| | (ML-DSA-65) |
| |<-------------------------|
| | |
| ServerHello + | |
| ML-KEM Encapsulated Key| |
|<-------------------------| |
| | |
| Derive Shared Secret | |
| (Hybrid KEM) | |
| | |
| Finished (encrypted) | |
|------------------------->| |
| | |
| Finished | |
|<-------------------------| |
| | |
Secure Session Established | |
</div>
<!-- ================= 6. Reflective Analysis ================= -->
<h2>6. Reflective Analysis & Feasibility Assessment</h2>
<p><strong>Failure Mode Engineering:</strong> Fort McHenry (OT/CJIS) fails <em>closed</em> – data diodes sever if PQC latency exceeds threshold. Outer Harbor fails <em>open</em> – degrades to classical TLS 1.2 with heightened monitoring, ensuring public service continuity.</p>
<p><strong>Fiscal Sustainability:</strong> Open‑source PQC libraries and Rust avoid vendor lock‑in; HSPA emulator saves ~$4.2M over physical device replacement.</p>
<p><strong>Technical Validation:</strong> The Rust emulator is <code>#![forbid(unsafe_code)]</code> and formally verified with Kani, giving mathematical memory‑safety proof.</p>
<p><strong>Constitutional Robustness:</strong> Metadata‑only monitoring, warrant buffers, and IG notification align with <em>Carpenter v. United States</em> principles.</p>
<!-- ================= 7. Lessons Learned ================= -->
<h2>7. Lessons Learned & Professional Growth</h2>
<ul>
<li><strong>Governance is not an afterthought:</strong> Charter, audit, and budget are as critical as Kyber768.</li>
<li><strong>Legacy systems cannot be ignored:</strong> The emulator shows how to secure what cannot be replaced.</li>
<li><strong>Privacy is a design constraint:</strong> APIE proves threat detection can coexist with the Fourth Amendment.</li>
<li><strong>Integration matters:</strong> Combining policy, code, and law transforms assignments into professional artifacts.</li>
</ul>
<!-- ================= 8. References ================= -->
<h2>8. References</h2>
<ul>
<li>NIST. (2020). <em>NIST SP 800‑53 Rev. 5</em>. <a href="https://doi.org/10.6028/NIST.SP.800-53r5" target="_blank">https://doi.org/10.6028/NIST.SP.800-53r5</a></li>
<li>NIST. (2023). <em>FIPS 203, 204, 205</em>. <a href="https://csrc.nist.gov/projects/post-quantum-cryptography" target="_blank">PQC Project</a></li>
<li>Baltimore City Code, Article 1, Subtitle 40.</li>
<li>Maryland Criminal Procedure Code §10‑301.</li>
<li><em>Carpenter v. United States</em>, 585 U.S. ___ (2018).</li>
<li>Open Quantum Safe. <em>liboqs</em>. <a href="https://openquantumsafe.org/" target="_blank">openquantumsafe.org</a></li>
<li>Rust Foundation. <em>The Rust Programming Language</em>. <a href="https://doc.rust-lang.org/book/" target="_blank">doc.rust-lang.org</a></li>
<li>Kani Rust Verifier. <a href="https://model-checking.github.io/kani/" target="_blank">model-checking.github.io/kani</a></li>
</ul>
<!-- ================= 9. Acronym Glossary ================= -->
<h2>9. Appendix A – Acronym Glossary</h2>
<dl class="acronym-list">
<dt><strong>ABE</strong></dt><dd>Attribute‑Based Encryption</dd>
<dt><strong>APIE</strong></dt><dd>Anomalous Pattern Inference Engine</dd>
<dt><strong>BSBS</strong></dt><dd>Baltimore Secure Backbone System</dd>
<dt><strong>CJIS</strong></dt><dd>Criminal Justice Information Services</dd>
<dt><strong>DISO</strong></dt><dd>Departmental Information Security Officer</dd>
<dt><strong>FIPS</strong></dt><dd>Federal Information Processing Standards</dd>
<dt><strong>HSM</strong></dt><dd>Hardware Security Module</dd>
<dt><strong>IG</strong></dt><dd>Inspector General</dd>
<dt><strong>KEM</strong></dt><dd>Key Encapsulation Mechanism</dd>
<dt><strong>ML‑KEM</strong></dt><dd>Module‑Lattice‑based KEM (Kyber)</dd>
<dt><strong>ML‑DSA</strong></dt><dd>Module‑Lattice‑based Digital Signature Algorithm (Dilithium)</dd>
<dt><strong>MOC</strong></dt><dd>Mayor’s Office of Cybersecurity</dd>
<dt><strong>MPIA</strong></dt><dd>Maryland Public Information Act</dd>
<dt><strong>mTLS</strong></dt><dd>Mutual Transport Layer Security</dd>
<dt><strong>NIST</strong></dt><dd>National Institute of Standards and Technology</dd>
<dt><strong>OT/ICS</strong></dt><dd>Operational Technology / Industrial Control Systems</dd>
<dt><strong>PIPA</strong></dt><dd>Personal Information Protection Act (Maryland)</dd>
<dt><strong>PQC</strong></dt><dd>Post‑Quantum Cryptography</dd>
<dt><strong>PSI</strong></dt><dd>Public Safety Impact</dd>
<dt><strong>SDP</strong></dt><dd>Software‑Defined Perimeter</dd>
<dt><strong>SNDL</strong></dt><dd>Store‑Now‑Decrypt‑Later</dd>
<dt><strong>SPHINCS+</strong></dt><dd>Stateless hash‑based digital signature scheme</dd>
<dt><strong>SUD</strong></dt><dd>Substance Use Disorder</dd>
<dt><strong>TLS</strong></dt><dd>Transport Layer Security</dd>
</dl>
<!-- ================= 10. Diagram Rendering Notes ================= -->
<h2>10. Appendix B – Diagram Rendering Notes</h2>
<p>The ASCII diagrams above use the Baltimore “harbor” palette:</p>
<ul>
<li><span style="color:#2E86AB; font-weight:bold;">Outer Harbor (Teal #2E86AB)</span></li>
<li><span style="color:#3B5998; font-weight:bold;">Inner Harbor (Steel Blue #3B5998)</span></li>
<li><span style="color:#1B2A4A; font-weight:bold;">Fort McHenry (Navy #1B2A4A) – shown as lighter blue on dark background for readability</span></li>
<li><span style="color:#f4a261; font-weight:bold;">Municipal Endpoint (Orange #f4a261)</span></li>
<li><span style="color:#e76f51; font-weight:bold;">HSM (Dark Red #e76f51)</span></li>
</ul>
<p>These colors are applied via CSS classes in this HTML document. For terminal ANSI rendering, equivalent escape codes are used.</p>
<div class="footer">
<p>Baltimore Secure Backbone System (BSBS) – Portfolio v2.1 &nbsp;|&nbsp; [Your Name] &nbsp;|&nbsp; Capstone Submission June 2026</p>
</div>
</div>
</body>
</html>