cascades: master plan + open questions doc (2026-04-23)
Single-doc consolidation of every Cascades doc in the repo: where we are (what's done, in-flight, ahead), all 48 open questions grouped by recipient (Meredith, John, Ashley, internal) with T1/T2/T3 urgency, suggested 4-session sequencing to unblock most work fastest, license/cost summary, and the 5 items Howard can execute right now without answers. Replaces the piecemeal view across user-account-rollout-plan, p2-staff-candidates, staff-working-list, hipaa-review, and risk-register docs. Those remain the detail source; this is the navigation layer.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
clients/cascades-tucson/PLAN-AND-QUESTIONS-2026-04-23.md (new normal file, 295 lines)
@@ -0,0 +1,295 @@
# Cascades of Tucson — Master Plan + Open Questions

**Built:** 2026-04-23 by Howard
**Scope:** Consolidates every Cascades doc in the repo as of this date into a single view of what's been done, what's blocked on whom, and every question that still needs an answer before we can finish the rollout.

---

## Part 1 — Where We Are

### 1.1 Executive status

Cascades is a 236-room, 6-floor assisted-living + memory-care facility with ~70 staff. It's a HIPAA-covered entity handling PHI through ALIS (cloud EHR), M365 email, and local file shares. We inherited this environment from a previous MSP who left it non-compliant (no backups, shared logins, no MFA, wide-open firewall, mismatched AD-vs-M365 identities). The core mission is **get Cascades HIPAA-compliant and onto a stable identity + access foundation**.

**Big-picture sequence:**
1. Initial remediation (backups, firewall, basic MFA) — partially done
2. AD cleanup + identity alignment — **MOSTLY DONE as of 2026-04-22**
3. Entra Connect install (hybrid identity, CA policy fabric) — **CS-SERVER ready, not yet installed**
4. Account rollout waves (departures, new accounts, caregivers) — **staged, waiting on Entra Connect**
5. File-share migration Synology → CS-SERVER — **blocked on open questions**
6. Phase 5 hardening (BitLocker fleet-wide, LAPS, password policy, PHS later) — backlog

### 1.2 What's DONE (chronological, selected)

| When | What | Evidence |
|---|---|---|
| 2026-03 | AD cleanup: former employees deleted, role accounts identified, OU structure tightened | `docs/servers/active-directory.md`, `docs/issues/audit-findings-2026-03-20.md` |
| 2026-03-06 / 03-07 | Guest WiFi VLAN isolation, DNS scavenging, reverse zones, timezone fix, Windows Home→Pro upgrades | `docs/migration/session3-2026-03-07.md` |
| 2026-03-09 | Account lockout policy restored (5 attempts / 30 min), Monica Ramirez removed from Domain Admins | issues log |
| 2026-03-13 → 04-13 | Sharon Edwards folder redirection pilot on DESKTOP-DLTAGOI — Documents + Downloads redirecting to `\\CS-SERVER\homes\sharon.edwards\` | `CONTEXT.md` §48 |
| 2026-04-13 | Tamra.Johnson → Tamra.Matthews AD rename, Alyssa.Shestko → Alyssa.Brooks, Lupe.Sanchez dedup | AD doc |
| 2026-04-14 | Sandra Fish global admin revoked, P2 license removed, sign-in blocked | `docs/cloud/m365.md` |
| 2026-04-16 → 04-22 | Breach checks, phishing sweeps, DMARC policy set to `p=quarantine; pct=100` | `reports/2026-04-2*-*.md` |
| 2026-04-18 | Staff questionnaire HTML editor sent to Meredith/John | `docs/cloud/questionnaires/cascades-staff-editor.html` |
| 2026-04-19 → 04-22 | Intune MDM rollout: MDMS@ service account, Apple MDM push cert, Android enrollment profile, compliance policy, shared phones app config, test Samsung A15 enrolled and compliant | `PROJECT_STATE.md` Intune section |
| 2026-04-20 | Syncro audit upload service account (`svc-audit-upload`) + `\\CS-SERVER\AuditDrop$` share | active-directory.md |
| 2026-04-21 | Post-DMARC spoofing recheck clean for 26h, missed phishes purged | `reports/2026-04-21-post-dmarc-spoofing-recheck.md` |
| 2026-04-22 | Staff questionnaire returned by Meredith/John → working list produced → follow-up email sent | `reports/cascades-staff-2026-04-22.csv`, `docs/cloud/cascades-staff-working-list-2026-04-22.md` |
| 2026-04-22 | HIPAA compliance review done, risk register built, all plan docs reconciled | `docs/security/hipaa-review-2026-04-22.md`, `docs/migration/entra-connect-risk-register-2026-04-22.md` |
| 2026-04-22 | CS-SERVER readiness check → pre-flight remediation (time sync, TLS 1.2, WSB install, reboot) → post-reboot verification clean | `reports/2026-04-22-cs-server-preflight-verification.md` |
| 2026-04-22 | Synology DSM API discovery — 10 shares, 35 users, 4 groups inventoried. 7 shared-credential accounts flagged as HIPAA violation | `docs/migration/synology-permission-inventory.md` |
| 2026-04-22 | G1 AD hygiene executed via GuruRMM — OU=Excluded-From-Sync created, 4 role accounts moved, 34 proxyAddresses populated from live M365 Graph, 16 SG-* groups created, display names fixed | `reports/2026-04-22-g1-execute.md` |
| 2026-04-22 | G1 idempotency verified (0 WOULD entries on dry-run re-play) | `reports/2026-04-22-g1-post-verify.md` |
| 2026-04-22 | AD `howard` orphan account deleted + M365 `howard@azcomputerguru.com` guest deleted. 7 M365 orphan/former-employee accounts deleted (freed 1 Business Standard license from `jodi.ramstack` zombie) | `reports/2026-04-22-howard-account-cleanup.md`, `reports/2026-04-22-m365-orphan-deletes.md` |
| 2026-04-22 | `reliable1@` / `reliable2@` shared-agency-login plan dropped after HIPAA review (§164.312(a)(2)(i) violation) | `docs/cloud/cascades-staff-followup-2026-04-22.md` interpretation notes |

### 1.3 What's IN FLIGHT (not yet done)

**Wave 0.5 Gate G1 — AD hygiene:** DONE. Idempotent.
**Wave 0.5 Gate G2 — M365 orphan deletes:** DONE. Role-account → shared-mailbox conversion **NOT YET** (waiting on delegation decisions).
**Wave 0.5 Gate G3 — Entra Connect install in staging mode:** NOT STARTED. Everything prep-side is ready.

### 1.4 Waves still ahead (high level)

| Wave / Gate | Scope | Blockers |
|---|---|---|
| **Wave 0** (HIPAA pre-flight) | Sign Microsoft BAA, verify ALIS BAA, create break-glass admin, enable SMB3 on homes share, extend M365 audit retention, draft Risk Analysis doc, put Britney mailbox on Litigation Hold | Meredith actions (portal clicks), Howard drafting doc |
| **Wave 0.5 G2** | Convert 6 role-based M365 accounts to shared mailboxes (`accounting@`, `accountingassistant@`, `frontdesk@`, `hr@`, `memcarereceptionist@`, `nurse@`) | Have delegation lists — can execute. Still need Meredith's delegation call for `boadmin@`, `medtech@`, `security@`, `Training@`, `transportation@` |
| **Wave 0.5 G3** | Entra Connect install on CS-SERVER in **staging mode**. Review sync preview. | G2 should ideally finish first; G1 prereq cleanup done |
| **Wave 0.5 G4** | Exit staging, directory sync only (no PHS, no SSO). Users' sign-in unchanged. | Staging preview must be clean |
| **Wave 0.5 G5** | PHS — **deferred indefinitely** per decision. Not needed since users authenticate against M365 cloud passwords today and have no AD passwords. | N/A |
| **Wave 0.5 G6** | CA policies created in **Report-only mode** for 7–14 days | G4 complete; SG-* groups populated (G1 created them but memberships need filling) |
| **Wave 0.5 G7** | CA enforcement flip. **Preceded by G7a user comms** (48h warning to any user with off-site activity not in allow-list) | G6 log review clean; break-glass account exists |
| **Wave 0.5 G8** | ALIS SSO Enterprise App registration. Optional. | ALIS vendor metadata |
| **Wave 1** | Disable Britney (post-Litigation Hold). Disable 3 driver AD accounts. Create Alma.Montt + Kyla.QuickTiffany. Populate SG-* group memberships. | Wave 0.5 done |
| **Wave 2** | Move existing office accounts into new OU layout, attach to SG-* groups based on persona | Wave 1 smoke-tested. Risk Analysis drafted. |
| **Wave 3** | Bulk create 37 caregiver AD + M365 identities, populate SG-Caregivers, complete shared-phone MSDM rollout | Ederick spelling confirmed. Business Premium licenses purchased. |
| **Wave 4** | Synology → CS-SERVER file-share cutover. Decommission Synology shared-login accounts. Repurpose Synology as backup target. | pacs / Activities / Sandra Fish / chat share decisions. MainOffice group membership captured. Phase 2 server-prep script updated with correct SG-* group mappings. |
| **Wave 5** | Phase 5 hardening — full BitLocker fleet, LAPS, password policy, krbtgt rotation, cleanup generic accounts | Previous waves done |

---

## Part 2 — Open Questions

Questions grouped by recipient so Meredith + John can sit down and work through them. Tier (T1/T2/T3) indicates urgency:
- **T1** — blocks the next gate we want to fire (can't proceed without this)
- **T2** — blocks Wave 2 or 3 (user migration / caregiver rollout)
- **T3** — blocks Wave 4 (file-share migration) or is governance cleanup

### 2.1 Questions for Meredith Kuhn

#### Staff roster confirmations (T1 / T2)

1. **Ederick Yuzon (Caregiver, Tower Tue–Sat) — first-name spelling?** Is it `Ederick`, `Edrick`, `Eduardo`, or something else? This is the only remaining name we haven't confirmed and it blocks his caregiver account creation. (Asked 2026-04-22, still pending.)

2. **Stephanie Devin** — `Stephanie.Devin@cascadestucson.com` is disabled in M365 with description "Accounting Assist". No AD account. Former employee? OK to delete the mailbox? **If yes**, we'll delete like we did the others (soft-delete recoverable 30 days).

3. **Dax Howard** — `dax.howard@cascadestucson.com` has a real Business Standard mailbox (with legacy alias `cara.lespron@` from a former employee). He's NOT on the staff CSV you returned. **Who is he?** Current Cascades executive or regional/corporate? If current, add him to the roster (we'll create an AD account). If former, we'll harvest the license.

4. **Tamra Matthews exit date** — you confirmed June 2026. What's the exact date? We disable her account that morning, harvest her license, and drop her from SG-External-Signin-Allowed. Also remove her from any role-mailbox delegations.

5. **Anyone else leaving in the next 90 days** we should plan account disable for?

#### Role-based shared mailbox delegations (T1 — blocks Gate G2 conversion)

For each of the role-based mailboxes still consuming a license, **who should have access** after we convert them to shared mailboxes? I have clear lists for some already — please confirm these and fill in the blanks:

6. **`accounting@cascadestucson.com`** — proposed delegates: Ashley Jensen, Lauren Hasselman. Correct? Anyone else?

7. **`accountingassistant@cascadestucson.com`** — proposed: Allison Reibschied. Anyone else?

8. **`boadmin@cascadestucson.com`** (Bookkeeping Office) — **who should have access?** Lauren Hasselman? Ashley? External bookkeeper?

9. **`frontdesk@cascadestucson.com`** — proposed: Cathy Kingston, Shontiel Nunn, Kyla QuickTiffany, Michelle Shestko, Sebastian Leon, Sheldon Gardfrey, Ray Rai. Correct list? Should courtesy patrol (Sebastian, Sheldon, Ray) actually have inbox access or just send-as?

10. **`hr@cascadestucson.com`** — proposed: you (Meredith). Anyone else — a payroll/HR partner?

11. **`medtech@cascadestucson.com`** — **who sends/receives as this address?** The MedTech caregivers on duty? A specific nurse?

12. **`memcarereceptionist@cascadestucson.com`** — proposed: Michelle Shestko, Matt Brooks. Correct?

13. **`nurse@cascadestucson.com`** — proposed: Lois Lane, Karen Rossini. (Britney Thompson was on this list but she's departed.) Any MedTechs / MemCare nurses we should add?

14. **`security@cascadestucson.com`** — **who should have access?** Courtesy Patrol? You? John?

15. **`Training@cascadestucson.com`** — **who owns this?** Is it actively used, or can we convert with just you + Ashley as delegates?

16. **`transportation@cascadestucson.com`** — drivers (Richard Adams, Julian Crim, Christopher Holick) are getting their AD accounts disabled (no more Cascades IT accounts per your earlier decision). **Who dispatches rides?** Does this mailbox need delegates, or can we retire it entirely?

#### HIPAA compliance decisions (T1)

17. **Sign the Microsoft HIPAA BAA** — this takes 5 minutes in Microsoft 365 Admin Center → Settings → Org Settings → Security & Privacy → **HIPAA BAA** → accept terms. **Until this is signed, every day M365 handles PHI for Cascades is a Security Rule violation.** Biggest-value 5 minutes on this whole list.

18. **ALIS BAA** — do you have a signed BAA with go-alis.com? If not, contact ALIS support and request one. **Ask:** "Please send me the Business Associate Agreement for Cascades of Tucson." They'll have a template.

19. **Risk-acceptance posture for Synology shared-credential accounts** (`Accounting`, `Front Desk`, `mcnurse`, `memcarenurse`, `Memcare Receptionist`, `Nurse Tower`, `Dining Manager`) — these shared logins on the Synology currently access PHI-containing shares (`pacs`, `Management`, `homes`). They violate §164.312(a)(2)(i) **today, every day** until Phase 4 Synology retirement. Three options — which do you pick?
- **(a) Accelerate disable** — force users onto personal AD-synced accounts immediately. Risky: breaks known workflows on shared workstations.
- **(b) Documented risk acceptance** — sign a residual-risk acknowledgment: "Until Phase 4 cutover on [date], these 7 shared accounts stay operational. Compensating controls: locked building, sign-in sheets, monthly SMB access-log review." **Most common MSP posture** — requires your signature.
- **(c) Hybrid** — disable the highest-sensitivity ones (`mcnurse`, `memcarenurse`, `Nurse Tower` if they touch `pacs`) immediately, accept risk on lower-sensitivity.

20. **Purchase Microsoft Purview Audit Premium** ($$ per user, 10-year audit log retention) **OR** configure a 7-year retention policy via M365 Compliance — which path? Either satisfies §164.312(b) Audit Controls + §164.316(b)(2) retention. Default M365 audit log retention is 1 year — insufficient for HIPAA.

#### License decisions (T1 — blocks purchase)

21. **Business Premium tenant-wide** (simplest, cleanest CA coverage) vs. **mixed SKUs** (save on courtesy patrol / reception / drivers who don't need full Office)? The cleanest HIPAA posture is Premium-tenant-wide. Rough sizing:
- **Business Premium: 58 seats** (19 office-PHI external + 2 office-PHI internal + 1 Matt + 37 caregivers — minus any seats freed from orphan deletes / generics conversion)
- **Business Standard: 8** (1 Ramon, 3 Courtesy Patrol, 4 Reception)
- **F3 or none: 0** (drivers have no accounts now)
- **Premium delta over current:** ~$340–900/mo depending on mixed vs tenant-wide

22. **Your call on Option A vs B** above determines whether we issue a PO now.

#### Breake-glass + emergency access (T1)

23. **Your FIDO2 security key** — do you have one, or do I need to order one? Creating a break-glass cloud-only admin account is required before we flip CA enforcement (Gate G7). The break-glass account uses a FIDO2 key (hardware key) instead of Authenticator-on-phone — that way, if your phone breaks, you can still unlock access. Recommend you buy a YubiKey 5C NFC (~$55).

24. **Second break-glass holder** — who's your backup if you're traveling / unavailable? Ashley? John? We'd want a second FIDO2 key held by a trusted person.

#### Business Associate / Vendor scope (T2)

25. **Reliable Agency staffing contract** — can you send me the staffing contract? I need to confirm the contract says agency caregivers work under Cascades direct clinical/operational control during shifts. If yes = they're *workforce* (no BAA needed, per-person accounts OK). If no = Reliable is a Business Associate and we need a BAA with them.

26. **Any other vendors that touch PHI?** Examples: billing company, medical records / audit service, transcription, third-party clinical consult? We need BAAs with each.

#### Training + policy (T2)

27. **Annual HIPAA training** — has this been run in the last 12 months? For everyone including drivers? HR records?

28. **Sanctions policy** — do you have a written policy for workforce members who violate Privacy/Security rules? Required per §164.308(a)(1)(ii)(C).

29. **Termination procedures** — written procedure for access revocation when an employee leaves? Required per §164.308(a)(3)(ii)(C). (This is what we're building into the rollout; if there's a paper version too, I'd like a copy for the compliance file.)

---

### 2.2 Questions for John Trozzi

#### Synology-side infrastructure (T3 — blocks Phase 4 file-share cutover)

30. **`CasAdmin201`** on the Synology — who is/was this account? Has admin rights on every share. Legacy previous-MSP admin? Current in-use? We want to disable it unless it's actively needed.

31. **`pacs` share on Synology** (`/volume1/pacs`) — what's in it? Is this live medical imaging (Picture Archiving and Communication System)? Who accesses it? If PHI, it gets highest-protection treatment on CS-SERVER (strict ACLs + SMB3 encryption + audit logging).

32. **`Activities` share** — what content? Life Enrichment? Has access denied for most users currently — what's the intent?

33. **`chat` share** — still used? By what app? If unused, we retire it when we move to CS-SERVER.

34. **`Sandra Fish` share** — former director's personal folder. Options: archive to CS-SERVER `Archive\Former-Director-Sandra-Fish\` with Meredith-only access, or delete outright (check with Meredith first). What's the retention requirement — any subpoena risk?

35. **`MainOffice` Synology group membership** — the DSM API didn't let me pull the member list (error 3201). Can you log into DSM web UI → Control Panel → User & Group → Group → `MainOffice` → Members tab, and tell me who's in it? Or I can enable SSH temporarily and pull it that way.

#### Maintenance and facilities (T2)

36. **Your own M365 account** — `john.trozzi@cascadestucson.com` has no mail/proxy in AD yet (we set that tonight but no real mailbox activity — you haven't signed in to set a password per `PasswordLastSet=NULL`). Do you actively use Cascades email, or do you prefer to communicate via text / phone? This determines whether we enable external sign-in for you.

37. **Matt Brooks** — he works in both Maintenance AND MC Receptionist per the staff questionnaire. Does he need to toggle between roles in email / shared mailboxes? Do we give him `memcarereceptionist@` delegation AND Maintenance-related delegations?

#### Network + infrastructure (T3)

38. **pfSense WAN IP stability** — CA policies will target Cascades' public IP as a "Named Location" in Entra. Is the Cox fiber WAN IP reserved/static, or does it change? If it changes, we need to update the Named Location each time.

39. **Dell PowerEdge R610 replacement** — this 2009-era hardware is CS-SERVER (DC + everything). When are we planning to replace it? (Not blocking any current wave, but it's ticking.)

---

### 2.3 Questions for Ashley Jensen

40. **Accounting workflow** — when we convert `accounting@cascadestucson.com` and `accountingassistant@cascadestucson.com` to shared mailboxes, is the current pattern: everyone sends as `accounting@`, and you + Lauren receive there? Or does Lauren primarily manage `boadmin@` and you manage `accounting@`? I want to make sure we set delegates correctly so nothing goes unread.

41. **External auditors / CPA** — do they email you, or send to `accounting@` / `boadmin@`? Are they a vendor with PHI scope?

---

### 2.4 Questions that Howard / Mike answer internally (no Meredith/John required)

42. **Synology SSH enable** — should I ask John to enable SSH temporarily so I can pull the full `synoacltool` per-folder ACL dump (more detail than the DSM API gave us)? Alternative: walk through DSM web UI with John on a screen-share. Safer, slower.

43. **SMB3 encryption on `\\CS-SERVER\homes` share** — I can fire this right now via GuruRMM (one-line PowerShell, no user impact). Should I do it tonight as part of Wave 0 HIPAA pre-flight without needing Meredith's go-ahead?

44. **Microsoft Defender Recipient Blocklists** — Mike's post-DMARC cleanup removed IP blocks since DMARC quarantines now. Should we explicitly document the current spam/phishing defense posture in `docs/security/hipaa.md` as the compensating control for §164.312(e)(1) Transmission Security?

45. **Risk Analysis document** — I can draft this in 2–3 hours of work, pulling from everything we've captured. Mike or Howard signs as "designated Security Official". Need Meredith's counter-sign as CE leadership. Should I start the draft on the next session?

---

### 2.5 Questions specifically about the working list / staff questionnaire answers

These are latent items from the returned CSV that haven't been fully resolved yet:

46. **Christine Nyanzunda** — confirmed as one person (MC Admin + part-time Sun/Mon MedTech). Single account covers both roles. **Does her CA policy treatment need to flip based on shift?** Current plan: default Office-PHI CA (external-OK) covers her both ways; if the shared-phone CA blocks her MedTech sign-in, we add her to a caregiver exception group. Testing this at first caregiver phone enrollment will answer it.

47. **`Sharon Edwards` and `Allison Reibschied` — in-building only, ALIS=Y** — these two are Outside=N per Meredith's CSV return. That's unusual for staff with ALIS access. Is it because they genuinely don't work from home, or because the questionnaire was interpreted conservatively? If they ever DO check email from home, we'd want to move them to `SG-External-Signin-Allowed`.

48. **Agency caregivers per-person identities** — we've deferred `reliable1@`/`reliable2@` shared logins. The long-term path is: Reliable Agency provides individual names before each shift, we create per-person accounts (F1 Frontline license cheapest option). **Does the agency actually send a schedule / roster ahead of shifts?** Or are caregivers dispatched day-of? That determines whether per-person provisioning is feasible.

---

## Part 3 — Suggested sequencing of answers

If Meredith and John want to batch-answer these in one sitting, here's the order that unblocks the most work fastest:

### Session 1 — 15 minutes with Meredith (T1 only, unblocks next week)
- **Q 17 (sign MS BAA)** — 5 min in portal
- **Q 21–22 (license decision)** — Business Premium tenant-wide yes/no
- **Q 23–24 (break-glass FIDO2)** — order yes/no, backup person
- **Q 6–16 (shared mailbox delegations)** — walk through the 11 role accounts list
- **Q 19 (Synology risk acceptance)** — which option (a/b/c)
- **Q 20 (audit retention path)** — Purview Premium or Compliance retention policy

### Session 2 — 30 minutes on the phone with John, walking through Synology DSM
- **Q 30–35** — Synology share / user / group questions. Can be done onsite or via screen-share.

### Session 3 — async / email back (T1 + T2)
- **Q 1–5** — Staff roster confirmations (Ederick, Stephanie, Dax, Tamra exit date, upcoming departures)
- **Q 18 (ALIS BAA)** — Meredith contacts ALIS support
- **Q 25–29 (workforce + BAA governance)** — paper trail questions

### Session 4 — internal (Howard / Mike decide)
- **Q 42–45** — Synology SSH, SMB3 flip, Defender docs, Risk Analysis kickoff

---

## Part 4 — License + cost summary

As of tonight after cleanups:

| SKU | Count | Monthly |
|---|---|---|
| Business Standard (currently licensed) | 33 *(was 34, freed 1 from Jodi Ramstack zombie delete)* | $412.50 |
| Business Standard in use by real staff | ~23 | $287.50 |
| Business Standard wasted on role-based licensed mailboxes | 11 (about to be freed by G2 conversion) | $137.50 |
| Exchange Online Essentials | 4 | ~$16 |
| Entra ID P2 | 1 (unassigned — was Sandra Fish) | — |

After Gate G2 conversion complete: ~23 Business Standard seats needed for currently-licensed staff. **11 seats freed** worth $137.50/mo ongoing.

For the full rollout we need:
- Business Premium purchase decision (see Q21)
- Caregiver rollout: +37 Premium seats if we go Premium tenant-wide

---

## Part 5 — What we can do right now (no answers needed)

Things that don't block on Meredith/John and can be executed at any time:

1. **SMB3 encryption on `\\CS-SERVER\homes` share** — one command, zero user impact. Closes HIPAA risk H3.
2. **Draft Risk Analysis document** — Howard does drafting, circulates for sign-off.
3. **Create Cascades Named Location in Entra** — define the public IP range for trusted-location CA. Does nothing until CA policies reference it.
4. **Security Rule Implementation Register** — the `docs/security/implementation-register.md` compliance artifact. Howard drafts.
5. **Clean up `cara.lespron@` alias on Dax Howard's mailbox** — if confirmed he doesn't use it (Q3 dependent).

---

## Part 6 — Living document notes

This doc supersedes the piecemeal view across:
- `docs/cloud/user-account-rollout-plan.md`
- `docs/cloud/p2-staff-candidates.md`
- `docs/cloud/cascades-staff-working-list-2026-04-22.md`
- `docs/security/hipaa-review-2026-04-22.md`
- `docs/migration/entra-connect-risk-register-2026-04-22.md`

When a question here is answered, update the relevant detail doc AND cross out / strike the question here. When a wave completes, update Part 1.

**Revision history:**
- 2026-04-23 — initial consolidation by Howard
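Review bot: the seat count in Q21 does not match its own breakdown, and Q22 refers to labels that never appear. `19 office-PHI external + 2 office-PHI internal + 1 Matt + 37 caregivers` sums to 59, not 58, so either correct the figure or state which freed seat brings it to 58; and Q22's "Your call on Option A vs B above" has no A/B in Q21, where the two choices are only described as "Business Premium tenant-wide" vs. "mixed SKUs", so label them or Meredith's answer will be ambiguous. Q23 describes the break-glass account only as a FIDO2-backed cloud-only admin created before the G7 enforcement flip; the G7 blocker row and Q23 should also say the account is excluded from every CA policy and that its sign-ins are alerted on, otherwise the policies it exists to survive will block it. Minor: the heading "Breake-glass + emergency access (T1)" should read "Break-glass", and in Part 4 the rows ~23 in use + 11 role mailboxes total 34 against 33 licensed, which the "~" covers but is worth reconciling in the table.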