01
Identity and passwords
ASP.NET Core Identity provides account and password handling. LMSOne enforces passwords with uppercase, lowercase, numeric, and symbol characters, protects state-changing forms against cross-site request forgery, and refreshes security state after password changes.
02
RBAC and IAM boundaries
Authenticated routes, business-administrator status, organization memberships, academic-scope assignments, and roles including organization administrator, manager, instructor, and student are checked before protected operations and file access.
03
Protected transport and tokens
Production database connections created from the deployment URL require TLS by default. ASP.NET Core Data Protection secures application tokens and persists its key ring in the LMSOne database. Final encryption-at-rest characteristics depend on the selected hosting and storage configuration.
04
Upload safeguards
Stored learning resources and submissions use authorization checks before access. The application includes asynchronous upload scanning through VirusTotal when that integration is configured.
Tenant isolation and regulated deployments
The current application applies logical tenant boundaries through organization identifiers, memberships, scoped queries, role checks, and file-access authorization. Dedicated or physically isolated tenant infrastructure—including proposed RIC-style deployments for government requirements—is an optional deployment architecture, not a capability verified in this repository. Its controls, responsibilities, and regulatory fit must be specified and validated for each deployment.
MFA status
The identity framework used by LMSOne supports multi-factor authentication patterns, but an end-user MFA enrollment and challenge flow is not currently implemented in this codebase. MFA should therefore be treated as planned or separately configured—not as a generally available LMSOne feature—until it is implemented and tested.
No blanket compliance claim
These safeguards can support an institution's security program, but they do not by themselves establish compliance with a law, standard, procurement rule, or certification. Controls also depend on deployment configuration and institutional administration. LMSOne is intended and supported for higher education; it makes no security or compliance warranty for K–12 use.