First stable milestone of the CAC/PIV ICAM portfolio.

@glennbyron1 glennbyron1 released this 04 Jun 10:54
· 25 commits to main since this release

What's in v1.0

  • Two-tier PKI — Offline Root CA + Enterprise Issuing CA on Lab-DC01
  • Smart card MFA end-to-end — VM + physical endpoint (WO02). User LAB\labtech enrolled with TPM Virtual Smart Card; smart card logon confirmed working via RDP
  • NIST IA-2(11) protocol evidence — Event 4768 captured with Pre-Auth Type 16 (PKINIT). See Demo-Walkthrough.md Step 3
  • SCAP compliance baseline — three hosts scanned with SCC 5.10.2: DC01 44.95% → 42.66%, WS01 42.20% → 42.20%, WO02 37.00% (Win 11 STIG, MAC-1 Classified). Full HTML / XCCDF / OVAL / CKL artifacts staged in Compliance-Reports/
  • Phase 8 Zero Trust extension — 21 PowerShell scripts in Lab-Kit/07-ZeroTrust/ (8 working implementations + 13 product-dependent scaffolds) covering tiered admin model, Authentication Policy Silos, device certs, Kerberos lifetimes, microsegmentation, ZT validation; companion Demo-Walkthrough-ZT.md
  • RMF artifact package — SAR, POAM, SSP, Annual-STIG-Rescan-SOP populated with real numbers
  • DevSecOps scaffolding — GitHub Actions (CodeQL, gitleaks, secret scan, PSScriptAnalyzer), pre-commit hook, local sensitive-pattern scanner, Scrub-Repo.ps1 workflow
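The IA-2(11) evidence above rests on the PreAuthType field of Event 4768. As an added example (not a script from Lab-Kit), here is a small Python checker that parses exported 4768 events, labels the pre-auth type, and flags any account that should be smart-card-only but obtained a TGT without PKINIT; the sample events and the thumbprint value are constructed, not captured from the lab.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Kerberos pre-authentication types as they appear in the PreAuthType field of 4768
PREAUTH_TYPES = {
    "0": "none",
    "2": "PA-ENC-TIMESTAMP (password)",
    "16": "PA-PK-AS-REQ (PKINIT, smart card)",
    "17": "PA-PK-AS-REP (PKINIT, smart card)",
    "19": "PA-ETYPE-INFO2",
    "138": "PA-ENC-CHALLENGE",
}
PKINIT = {"16", "17"}


def parse_4768(xml_text):
    """Flatten one Windows event XML record into a dict; None if it is not a 4768."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4768":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    pre = data.get("PreAuthType", "")
    return {
        "user": f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}",
        "preauth": pre,
        "preauth_name": PREAUTH_TYPES.get(pre, "unknown"),
        "pkinit": pre in PKINIT,          # True only for certificate-based pre-auth
        "cert_thumbprint": data.get("CertThumbprint", ""),
        "src_ip": data.get("IpAddress", ""),
    }


def audit_tgt_requests(events, smartcard_only):
    """Return parsed 4768s where a smart-card-only account got a TGT without PKINIT."""
    findings = []
    for xml_text in events:
        ev = parse_4768(xml_text)
        if ev and ev["user"] in smartcard_only and not ev["pkinit"]:
            findings.append(ev)
    return findings


def make_4768(user, domain, preauth, thumb="", ip="::1"):
    """Constructed sample in the Windows event XML shape (not a real capture)."""
    return f"""<Event xmlns="{NS['e']}"><System><EventID>4768</EventID></System><EventData>
<Data Name="TargetUserName">{user}</Data><Data Name="TargetDomainName">{domain}</Data>
<Data Name="PreAuthType">{preauth}</Data><Data Name="CertThumbprint">{thumb}</Data>
<Data Name="IpAddress">{ip}</Data></EventData></Event>"""


SAMPLE_EVENTS = [
    make_4768("labtech", "LAB", "16", thumb="PLACEHOLDER-THUMBPRINT"),  # PKINIT: expected
    make_4768("labtech", "LAB", "2"),        # password pre-auth on a smart-card-only account
    make_4768("svc-backup", "LAB", "2"),     # password pre-auth, but account is not in scope
]
```

Run `audit_tgt_requests(SAMPLE_EVENTS, {"LAB\\labtech"})` against a real `wevtutil`/`Get-WinEvent` XML export to confirm that enrolled accounts never fall back to password pre-auth.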

Deferred to v1.1 (card-blocked)

  • Demo screenshots — lock screen smart-card-only, session lock on card removal, VPN connected (waiting on YubiKey 5 NFC + Hirsch uTrust FIDO2 cards)
  • VPN EAP-TLS test from WO02
  • Card-Test-Matrix.md with PIV / FIDO2 / reset workflow comparisons

Frameworks

NIST SP 800-53 Rev 5 (AC-2/3/5/6/11/12/17, IA-2/2(11)/3/5, SC-7/8, AU-2/6/12, CA-7, SI-4), NIST SP 800-207, CISA Zero Trust Maturity Model v2.0, FIPS 201-3, DISA STIG.