Governance & Program Info
Smart City & Municipal AI Hosting — Governance
Cross-builder institution context and per-item ownership, due dates, status, and next actions for the governance-relevant checklist items in this builder.
Institution context
Program info
Applies across every builder in the app. Stored locally; nothing leaves the browser.
Checklist governance
Items (0 of 14 marked complete)
Annotate ownership, due date, status, and next action. Items on the left come from the builder's governance / compliance phases.
05 · Governance & Compliance
Map FedRAMP Moderate / High controls to the stack
Identify which NIST SP 800-53 control baseline applies and which controls the tower-edge stack inherits vs. implements.
05 · Governance & Compliance
StateRAMP alignment for state-grant workloads
Confirm StateRAMP baseline when the procurement references it.
05 · Governance & Compliance
CJIS Security Policy control mapping
Personnel screening, advanced authentication, physical-protection, audit, and incident-response controls for any CJIS-adjacent workload.
05 · Governance & Compliance
Encryption-at-rest and in-transit with FIPS validation
FIPS 140-2 / 140-3 validated cryptographic modules end-to-end — from sensor to model to analyst console.
05 · Governance & Compliance
Vulnerability management and patch SLAs
Patch cadence commitment per severity class — the streetside form factor does not excuse it.
05 · Governance & Compliance
CCPA / CPRA compliance for resident PII captured in public spaces
Even without identifiers, captured biometric or location-adjacent data can meet the CPRA personal-information definition.
05 · Governance & Compliance
Map state public records / sunshine-act obligations
Most states treat municipal AI outputs as public records by default — retention, release, and redaction must be defensible.
05 · Governance & Compliance
Privacy impact assessment per workload
A dedicated PIA for each workload — traffic, public safety, environmental, 311 — not a single umbrella PIA.
05 · Governance & Compliance
Retention and deletion schedule per data class
Video retention, sensor telemetry retention, and derived-event retention may each carry different clocks.
05 · Governance & Compliance
Model risk documentation package per workload
Purpose, data lineage, assumptions, limitations, known failure modes, validation results — one package per workload family.
05 · Governance & Compliance
Independent model validation
A second-line or external validation team, independent of development, reviews logic, data, and performance claims.
05 · Governance & Compliance
Section 508 / WCAG conformance reporting (ACR / VPAT)
Produce and keep current an Accessibility Conformance Report for every citizen-facing surface.
05 · Governance & Compliance
Change management and model versioning
Who approves model updates, what testing is required, how changes are versioned and rolled back, and who sees the audit trail.
05 · Governance & Compliance
Council and community oversight cadence
Regular reporting to city council and, where applicable, a community review body. Often required by local AI ordinances.