Comprehensive Portfolio Submission
Municipal Cybersecurity Governance, Post‑Quantum Architecture, and Constitutional Compliance
Author: [Your Name] | Course: [Capstone / Cybersecurity Governance & Technical Architecture] | Date: June 2, 2026 | Version: 2.1 (Final Portfolio)
The Baltimore Secure Backbone System (BSBS) is a multidisciplinary cybersecurity framework that demonstrates upper‑division competency in governance, legal analysis, post‑quantum cryptography, memory‑safe systems programming, and machine‑learning‑driven threat detection. This portfolio artifact positions BSBS not as a theoretical exercise, but as a realistic, jurisprudentially‑informed technical architecture for a mid‑sized American city.
Learning Outcomes Demonstrated:
The Baltimore Secure Backbone System (BSBS) is a comprehensive cybersecurity governance and technical architecture framework designed to protect the City of Baltimore’s municipal data infrastructure against current cryptographic threats and future post‑quantum adversarial capabilities. BSBS operates as a zero‑trust municipal backbone integrating constitutional privacy safeguards, NIST‑aligned risk management, and transitional post‑quantum cryptographic protocols.
Scope: All 47 municipal departments, Baltimore City Public Schools data interfaces, Baltimore Police Department (BPD) CJIS‑compliant systems, Baltimore City Health Department genomic/bioinformatics pipelines, and critical infrastructure OT/ICS networks (water, waste, transit).
Authority: Derived from Baltimore City Code Article 1, Subtitle 40 (Information Technology); Maryland Criminal Procedure Code §10‑301 (CJIS compliance); and Fourth Amendment constraints on municipal data collection and retention.
| Layer | Entity | Function |
|---|---|---|
| Strategic | Mayor’s Office of Cybersecurity (MOC) | Policy authorization, budgetary control, intergovernmental liaison |
| Tactical | BSBS Security Operations Center (BSOC) | 24/7 monitoring, incident response, threat intelligence |
| Operational | Departmental Information Security Officers (DISOs) | Department‑level control implementation, user access governance |
| Audit | Baltimore City Inspector General (IG) + External NIST 800‑53A assessors | Annual control assessment, constitutional compliance review |
Constitutional & Statutory Compliance Matrix:
| Threat Vector | Actor | Impact | BSBS Control |
|---|---|---|---|
| Ransomware (OT/ICS) | Criminal syndicates / RaaS | Water treatment disruption, transit halt | Air‑gapped OT enclaves, immutable backup architecture |
| Store‑Now‑Decrypt‑Later (SNDL) | Nation‑state adversaries | Decryption of municipal archives | Post‑quantum hybrid key encapsulation (Kyber768+X25519) |
| Supply Chain (Bioinformatics) | APT targeting genomic pipelines | Tampering of genomic data | Rust‑based memory‑safe emulation, reproducible build verification |
| Insider Threat (Law Enforcement) | Authorized user exfiltration | CJIS data breach, 4th Amendment litigation | Attribute‑Based Encryption (ABE) with judicial logging |
| Municipal IoT Botnet | Distributed attackers | Smart city sensor compromise, DDoS | Micro‑segmentation, device attestation via Dilithium signatures |
Risk Score = (Threat Likelihood × PSI × CLR × FI) / Normalization Factor, where PSI = Public Safety Impact, CLR = Constitutional Litigation Risk, FI = Fiscal Impact.
Network Segmentation: The “Concentric Harbor” Model
Post‑Quantum Cryptographic Implementation:
| Layer | Primitive | Implementation | Purpose |
|---|---|---|---|
| Key Encapsulation | ML‑KEM‑768 (Kyber) | liboqs + custom Rust wrapper | Hybrid KEM with X25519 |
| Digital Signatures | ML‑DSA‑65 (Dilithium) | Pure Rust implementation | Device attestation, code signing, document integrity |
| Hashing / Backup | SHA‑3‑256 + SPHINCS+ | Thales Luna 7 HSM | Long‑term archive integrity |
| OT/ICS | Lightweight PQC (future on‑ramp candidates) | Gateway translation layer | SCADA device protection |
Transitional Strategy (2024‑2035): Phase 1 – Hybrid X25519Kyber768; Phase 2 – Dilithium‑3 for software updates; Phase 3 – Full PQC migration, classical deprecation.
The Anomalous Pattern Inference Engine (APIE) uses transformer‑based self‑attention to process encrypted traffic metadata (packet timing, entropy) without decryption, preserving Fourth Amendment minimization.
| Component | Specification |
|---|---|
| Language | Rust (edition 2021), #![forbid(unsafe_code)] in cryptographic path |
| Target | 3GPP TS 25.214 (HSPA physical layer), TS 25.322 (RLC/MAC) |
| Security Features | Constant‑time operations; formal verification via Kani model checker |
| Integration | Legacy HSPA device → Rust emulator → TLS 1.3 + Kyber768 backbone |
| Constitutional Safeguard | Warrant buffer with IG notification; audit trail via Merkle tree (Dilithium‑signed) |
| Phase | BSBS Action | Constitutional/Legal Check |
|---|---|---|
| Detection | APIE anomaly scoring + BSOC SIEM | Metadata vs. content review |
| Analysis | Forensic imaging to immutable S3 Glacier (Dilithium‑signed) | IG notification if BPD data involved |
| Containment | SDP segmentation; OT air‑gap activation | Mayor’s Office authorization for citywide actions |
| Eradication | Re‑image from SPHINCS+ verified gold‑masters | Evidence preservation |
| Recovery | Phased restoration with enhanced monitoring | Public notification per Maryland PIPA if PII impacted |
| Post‑Incident | After‑action report; APIE retraining | IG review of any surveillance expansion |
| Phase | Timeline | Deliverable | Budget Estimate |
|---|---|---|---|
| I. Governance | Months 1‑3 | MOC charter; DISO appointments; IG audit protocol | $150K |
| II. Backbone Hardening | Months 4‑9 | Concentric Harbor deployment; hybrid PQC TLS | $2.1M |
| III. Legacy Emulation | Months 6‑12 | Rust HSPA emulator; water/SCADA integration | $890K |
| IV. AI/ML Security | Months 10‑15 | APIE deployment; federated learning infrastructure | $1.2M |
| V. Full PQC Transition | 2028‑2033 | Classical deprecation; full Dilithium/Kyber authority | $500K/year |
BSBS treats constitutional constraints as design requirements, integrating post‑quantum cryptography, memory‑safe systems, and privacy‑preserving AI into a governance structure accountable to both technical standards and civil liberties.
Hyperlinked control IDs open official NIST CSRC definitions in a new tab.
| Control ID | Control Name | BSBS Implementation | Evidence / Artifact |
|---|---|---|---|
| AC‑3 | Access Enforcement | Concentric Harbor & ABE | SDP logs, ABE policy files |
| AC‑4 | Information Flow Enforcement | Rust HSPA Emulator / Data Diodes | Kani formal verification |
| AU‑10 | Non‑Repudiation | Dilithium‑3 Signatures | Merkle‑tree logs with signed roots |
| CP‑9 | System Backup | SPHINCS+ signed backups | Hash‑validation logs |
| IA‑2 | Identification & Authentication | Hybrid PQC (Kyber768+X25519) | mTLS handshake logs |
| SC‑8 | Transmission Confidentiality | TLS 1.3 + ML‑KEM | PQC ciphersuite PCAPs |
| SC‑38 | Operations Security | APIE | Metadata‑only anomaly reports |
| SI‑4 | System Monitoring | Federated Learning / APIE | Minimization protocol audit logs |
TO: Departmental Information Security Officers (DISOs), Baltimore City Public Schools, BPD
FROM: Office of the General Counsel / Mayor’s Office of Cybersecurity (MOC)
SUBJECT: Minimization Protocols for BSBS Network Monitoring and Data Retention
DATE: May 23, 2024
To ensure that BSBS provides robust cybersecurity while strictly adhering to the Fourth Amendment and the Baltimore City Charter regarding citizen privacy.
If decryption of traffic is required (using BSBS escrowed keys), the following must be documented:
Encryption‑related metadata purged every 90 days unless flagged in an active investigation. Long‑term SPHINCS+‑signed backups are strictly for disaster recovery and are not searchable for law enforcement without a judicial order.