Security Compliance¶
This guide maps Novelty security features to NIST SP 800-53 Rev. 5 controls. Use this as a reference when completing security assessments or compliance documentation.
For cryptographic requirements, Novelty supports FIPS 140-3 validated modules when deployed on FIPS-enabled operating systems (see Cryptographic Controls).
Novelty requires an OpenID Connect (OIDC)-compliant identity provider for authentication. If your organization does not have an existing provider, Keycloak is an open-source option that integrates well with Novelty.
Control Mapping¶
Access Control (AC)¶
| Control | Description | Novelty Feature | Documentation |
|---|---|---|---|
| AC-3 | Access Enforcement | Role-based access control (RBAC) with configurable roles | OIDC/RBAC Setup |
| AC-4 | Information Flow Enforcement | Contexts for data separation | Contexts |
| AC-6(4) | Separate Processing Domains | Contexts isolation | Contexts |
| AC-7 | Unsuccessful Logon Attempts | Delegated to identity provider (IdP) | OIDC/RBAC Setup |
| AC-9(1) | Previous Logon Notification | Delegated to identity provider (IdP) | OIDC/RBAC Setup |
| AC-12 | Session Termination | Configurable session timeout | OIDC/RBAC Setup |
| AC-17 | Remote Access | HTTPS with TLS 1.2+ | TLS Configuration |
| AC-17(2) | Encryption of Remote Access | Encrypted communications via TLS | TLS Configuration |
Audit and Accountability (AU)¶
| Control | Description | Novelty Feature | Documentation |
|---|---|---|---|
| AU-3 | Content of Audit Records | Structured audit logs with user, action, timestamp | Audit Logging |
| AU-3(3) | Limit PII in Audit Records | Safe logging with configurable redaction | Log Redaction |
| AU-8 | Time Stamps | ISO 8601 timestamps in audit records | Audit Logging |
| AU-10 | Non-repudiation | Authenticated user identity in audit records | Audit Logging |
| AU-12 | Audit Record Generation | Automatic audit logging for API operations | Audit Logging |
System and Communications Protection (SC)¶
| Control | Description | Novelty Feature | Documentation |
|---|---|---|---|
| SC-8 | Transmission Confidentiality and Integrity | TLS 1.2+ for all HTTP communications | TLS Configuration |
| SC-13 | Cryptographic Protection | FIPS 140-3 validated modules (on FIPS-enabled OS) | Cryptographic Controls |
| SC-18 | Mobile Code | JavaScript-based web UI | Mobile Code |
| SC-23 | Session Authenticity | Signed session tokens with secure cookies | OIDC/RBAC Setup |
| SC-28 | Protection of Information at Rest | Persistence layer encryption | Encryption at Rest |
| SC-28(1) | Cryptographic Protection at Rest | Disk/volume encryption for data stores | Encryption at Rest |
| SC-32 | System Partitioning | Contexts separation | Contexts |
| SC-38 | Operations Security | Safe logging and operational monitoring | Log Redaction, Metrics, Executable Integrity |
System and Information Integrity (SI)¶
| Control | Description | Novelty Feature | Documentation |
|---|---|---|---|
| SI-4 | System Monitoring | Audit logging, metrics endpoints | Audit Logging, Metrics |
| SI-7 | Software Integrity | Tamper detection and code protection | Executable Integrity |
| SI-10 | Information Input Validation | Request parameter validation | Input Validation |
| SI-11 | Error Handling | Sanitized error messages | REST API Reference |
Configuration Management (CM)¶
| Control | Description | Novelty Feature | Documentation |
|---|---|---|---|
| CM-7 | Least Functionality | File ingest restricted to whitelisted directories | File Ingest Security |
| CM-8 | System Component Inventory | Software Bill of Materials (SBOM) | Component Inventory |
| CM-10 | Software Usage Restrictions | License inventory | Component Inventory |
Implementation Details¶
TLS Configuration (External)¶
Novelty supports TLS 1.2 and TLS 1.3 for external HTTP interfaces (REST API, web UI). TLS can be enabled using environment variables or JVM system properties.
Using environment variables:
export SSL_KEYSTORE_PATH="/path/to/keystore.jks"
export SSL_KEYSTORE_PASSWORD="your-keystore-password"
java -jar novelty.jar
Using JVM system properties:
java -Djavax.net.ssl.keyStore=/path/to/keystore.jks \
-Djavax.net.ssl.keyStorePassword=your-keystore-password \
-jar novelty.jar
Using configuration file:
thatdot.novelty.webserver {
use-tls = yes
}
When use-tls is enabled, the keystore must be configured via environment variables or JVM system properties as shown above. We recommend using a reverse proxy for TLS termination instead, as it provides more flexibility and better performance.
For cipher suite customization, use JVM system properties:
java -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 \
-Dhttps.cipherSuites=TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256 \
-jar novelty.jar
For FIPS-compliant deployments, see Cryptographic Controls.
Cryptographic Controls¶
Novelty uses the JVM's cryptographic providers. For FIPS 140-3 compliance:
- Deploy on a FIPS-enabled operating system (e.g., RHEL 9 with FIPS mode enabled)
- Use a FIPS-validated JVM (e.g., Red Hat build of OpenJDK with FIPS provider)
- The JVM automatically uses FIPS-validated cryptographic modules when the OS is in FIPS mode
No application-level configuration is required—Novelty inherits FIPS compliance from the underlying platform.
Encryption at Rest¶
For RocksDB persistence (default), enable encryption at the storage layer:
- Disk/volume encryption: Use LUKS, dm-crypt, or cloud provider encryption (AWS EBS, GCP PD)
- Configure encrypted storage for the
filepathspecified inthatdot.novelty.store
See Configuration Reference for persistence configuration options.
Log Redaction¶
Configure log redaction to limit sensitive information in logs:
thatdot.novelty.log-config {
# Hide potentially sensitive information (e.g., values from ingested records)
show-unsafe = no
# Control exception logging (may contain sensitive data or verbose stacktraces)
show-exceptions = no
# Redaction method: replaces sensitive information with "**REDACTED**"
redactor {
type = redact-hide
}
}
When show-unsafe = no (the default), potentially sensitive values are replaced with **REDACTED** in log output. This includes values derived from ingested data that could contain PII.
See Configuration Reference for additional logging options.
File Ingest Security¶
Novelty restricts file-based data ingestion to whitelisted directories:
thatdot.novelty.file-ingest {
# Whitelist of allowed directories for file ingests
# Empty list = no file ingests allowed (except from recipes)
allowed-directories = ["file_ingests"]
# File resolution mode:
# - "static": Only files present at startup are allowed
# - "dynamic": Any file in allowed directories is allowed
resolution-mode = "static"
}
This prevents unauthorized file access and limits the attack surface for file-based ingestion.
See Configuration Reference for additional file ingest options.
Mobile Code¶
Novelty provides a web-based user interface that uses JavaScript. Organizations with policies governing mobile code (SC-18) should evaluate this against their requirements. The JavaScript is served directly from the Novelty application and does not load external scripts.
Input Validation¶
Novelty validates all API inputs and request parameters. Ensure data is sanitized before streaming to Novelty endpoints.
See Configuration Reference for detailed configuration options.
Executable Integrity¶
Novelty binaries include built-in protections against tampering and reverse engineering. These protections are applied during the build process and require no user configuration.
Component Inventory¶
Software Bill of Materials (SBOM) and license inventory are available upon request. Contact support@thatdot.com to obtain these documents for your deployment.