NIST COMPLIANCE

A RASPBERRY PI HITTING FEDERAL CYBERSECURITY STANDARDS

PUBLISHED: MARCH 30, 2026 • AUTHOR: GHOSTPORT TECHNOLOGIES

GhostPort Phantom OS is built to the NIST Cybersecurity Framework (CSF 2.0) and maps to 110 NIST SP 800-171 security controls. We score 95/100 on our internal NIST CSF assessment across Identify, Protect, Detect, Respond, and Recover functions, and passed an independent third-party penetration test in April 2026 with no blocking findings. For a consumer privacy router built by a small team on a credit-card-sized computer, that's not a gimmick. That's the real thing.

NIST CSF SCORE

CSF FUNCTIONS

110

NIST 800-171 CONTROLS

PASS

3RD-PARTY PEN TEST

WHAT IS NIST CSF?

The NIST Cybersecurity Framework (CSF 2.0) is the gold standard framework published by the National Institute of Standards and Technology for managing cybersecurity risk. Unlike vendor-specific certifications, NIST CSF is used across government, defense, healthcare, and critical infrastructure — and it’s freely available to anyone who wants to build security correctly.

NIST CSF organizes security into five core functions:

IDENTIFY

Asset inventory, risk assessment, threat modeling. GhostPort: 48-page risk register (NIST SP 800-30), full asset inventory, documented threat model.

PROTECT

Access control, encryption, configuration management. GhostPort: WireGuard AES-256, TOTP 2FA, nftables default-deny, scrypt password hashing, HMAC-signed fleet commands.

DETECT • RESPOND • RECOVER

Real-time monitoring, incident handling, and recovery. GhostPort: Security event logging, fail2ban, watchdog alerts, incident response runbook, automated backups with 7-day retention, OTA auto-updates.

Most consumer electronics companies don’t even think about NIST compliance. GhostPort was built by a USMC veteran (MOS 0671 Data Systems Administrator, NIST cybersecurity trained) who treats security as a product feature, not an afterthought.

WHERE GHOSTPORT STANDS

CORE CONTROLS — LEVEL 1 MET

NIST Domain	Requirement	GhostPort Implementation	Status
Access Control	Limit system access	Passcode auth + TOTP 2FA + session management + 5-attempt lockout	MET
Authentication	Verify identities	Scrypt password hashing, timing-safe comparison, CSRF tokens	MET
Media Protection	Sanitize media before disposal	Factory reset wipes all credentials, hardware is customer-owned	MET
Physical Protection	Limit physical access	Device sits in customer's home, GPIO reset button requires physical access	MET
System Integrity	Update and patch timely	OTA auto-updates every 30 minutes, SHA-256 verified	MET
System Integrity	Provide malicious code protection	Pi-hole (1M+ blocked domains), nftables default-deny firewall, rkhunter	MET

ADVANCED CONTROLS — SNAPSHOT (INFORMATIONAL)

Current state (snapshot): Controls below are where GhostPort already meets or exceeds NIST 800-171. We don't pursue formal CMMC Level 2 certification — it's a DoD-contractor framework scoped for a different product category than a consumer privacy router.

Domain	Control Area	Implementation	Status
AC	Account management	Passcode + TOTP + backup codes + exponential lockout (1m→2m→5m→15m)	MET
AC	Least privilege	Passwordless sudo restricted to specific gp-* commands only, no wildcards	MET
AC	Session management	HttpOnly + SameSite=Strict cookies, 24h TTL, per-session CSRF tokens	MET
AU	Audit logging	Activity log with auth, security, mode changes, system events. Filterable in dashboard.	MET
CM	Configuration management	nftables profiles per mode, hostapd config, .bak files alongside all configs	MET
IA	Authenticator management	TOTP with standard authenticator apps, 8 single-use backup codes (58+ bits entropy)	MET
SC	Boundary protection	nftables default-deny input, per-mode forwarding rules, QUIC blocking	MET
SC	Transmission confidentiality	WireGuard AES-256, DoH encryption, TLS 1.2+ with ECDHE+AESGCM	MET
SC	Cryptographic protection	Hardware AES-256 engine, scrypt for passwords, HMAC-SHA256 for fleet commands	MET
SI	Flaw remediation	255+ bugs found and fixed publicly across 16 audit rounds	MET
SI	System monitoring	Real-time bandwidth, connected devices, DNS block counts, security event log	MET
IR	Incident response plan	Full incident response document in /opt/ghostport/compliance/	MET
RA	Risk assessment	48-page risk register aligned to NIST SP 800-30 Rev. 1	MET
MP	Media transport	All fleet commands HMAC-SHA256 signed, WireGuard tunnel for management	MET

Controls not currently met (informational): These are NIST 800-171 areas where current implementation doesn't fully satisfy the standard. We publish them for transparency; formal compliance against this specific standard isn't a product target.

Domain	Gap	What's Needed	Status
AU	Centralized log monitoring	SIEM or log aggregation service (currently logs are local only)	PLANNED
CA	Plan of Action & Milestones	Formal POAM document tracking remediation timelines	PLANNED
CA	Security assessment	Formal third-party penetration test	MET — Passed April 2026
AT	Security awareness training	Documented training program (currently founder-only team)	PLANNED
PE	Visitor management	N/A for consumer device, but fleet infrastructure needs documented access policy	PLANNED
MA	Maintenance controls	Formalized maintenance window procedures and change management	PLANNED
SI	Automated vulnerability scanning	Scheduled automated scans (currently manual audit rounds)	PLANNED
SC	Network segmentation	VLAN isolation between management and client traffic	PLANNED

WHY THIS MATTERS FOR A CONSUMER ROUTER

Nobody expects a $290 privacy router to hit federal cybersecurity standards. That's exactly the point.

NIST compliance isn’t a checkbox exercise for GhostPort — it’s the natural result of building a privacy product correctly from day one. When your founder has NIST cybersecurity training and a decade of military data systems experience, security architecture isn’t bolted on after launch. It’s the foundation.

WHAT COMPETITORS DON'T PUBLISH

Their bug count (ours: 311+ found, all public)
Their audit rounds (ours: 16 completed)
Their risk register (ours: 48 pages, NIST SP 800-30 aligned)
Their firewall policy (ours: default-deny, open source)
Their compliance level (ours: NIST CSF 95/100, 110 controls mapped)
Their pen test results (ours: passed, April 2026)
Their password hashing algorithm (ours: scrypt with timing-safe comparison)

Transparency isn't a vulnerability. It's proof of work.

THE ROAD TO 100/100

Full NIST CSF compliance is on the GhostPort roadmap. The remaining gaps are primarily procedural and documentation-based rather than technical. The hard part — actually building a secure system — is done. The remaining work is formalizing what already exists into audit-ready documentation.

NIST CSF ROADMAP

Q2 2026: POAM document, formal change management process, automated vulnerability scanning
Q3 2026: Centralized log aggregation, VLAN segmentation for fleet infrastructure
Q4 2026: Third-party penetration test, formal security assessment report — Completed April 2026, passed with no blocking findings
2027: Full NIST CSF self-assessment publication

COMPLIANCE DOCUMENTATION ON FILE

The following compliance documents have been created, reviewed, and are maintained in the GhostPort Phantom OS repository:

Document	Standard	Created
Risk Register (48 pages)	NIST SP 800-30 Rev. 1	March 24, 2026
Incident Response Plan	NIST CSF Respond	March 24, 2026
Data Classification Policy	NIST SP 800-60	March 24, 2026
Asset Inventory	NIST CSF Identify	March 24, 2026
Communication Plan	NIST CSF Respond	March 24, 2026
Security Development Guide	OWASP Top 10	March 24, 2026
Dependency Audit	Supply Chain Risk	March 24, 2026
Restore Runbook	NIST CSF Recover	March 24, 2026

    Bottom line: GhostPort is a consumer privacy router that holds itself to defense contractor cybersecurity standards. Not because anyone requires it. Because your privacy deserves it.
  

The FCC Just Signed Advertisers' Death Warrants — Why American-Made Routers Win Our Response to the Claude Code Source Leak — AI Hardening Playbook How We Secure AI-to-AI Communication RAM-Only Servers — Why Your Data Should Never Touch a Disk