kenithphilip/FedPy

FedRAMP 20x Compliance Tooling

Read-only, evidence-grade automation for FedRAMP 20x (and Rev5) — collect cloud configuration evidence against all 63 Key Security Indicators and 223 requirements, benchmark your infrastructure against NIST SP 800-53 at Low / Moderate / High, and track implementation across your team.

This repository contains two complementary projects that together cover the full FedRAMP 20x lifecycle — automated technical evidence on one side, and human-tracked governance state on the other.

| Project | What it does | Stack |
|---|---|---|
| cloud-evidence/ | A read-only collector that captures AWS + GCP + Kubernetes configuration evidence for every FedRAMP 20x KSI, scores it, signs it, maps it to NIST 800-53, and pushes it to your GRC stack. | TypeScript · Node (tsx) or Bun · AWS SDK v3 · googleapis · @kubernetes/client-node |
| tracker/ | A local, multi-user web dashboard over the FedRAMP machine-readable (FRMR) catalog for tracking implementation status, ownership, evidence links, and the NIST crosswalk. | TypeScript · Hono · better-sqlite3 · React + Vite |

Why this exists

FedRAMP 20x reframes authorization around machine-readable, continuously verified evidence instead of static SSP narratives. The authoritative source of truth is the FedRAMP machine-readable (FRMR) data, which defines Key Security Indicators (KSIs) and FedRAMP Requirements (FRRs).

This tooling turns that source of truth into two practical workflows:

  1. Prove it automatically. cloud-evidence logs into your cloud accounts read-only, evaluates the cloud-testable indicators directly against live configuration, and emits signed, schema-valid, OSCAL-mapped evidence — so the evidence is reproducible and auditor-verifiable, not hand-assembled.
  2. Track the rest. Not every requirement is cloud-API-testable (a large share are governance/process obligations). The tracker gives your team a shared surface to record status, owners, evidence links, and last-reviewed dates for the full 223-requirement set, with a NIST 800-53 crosswalk for mapping against an existing Rev5 baseline.

Everything is local-first and self-hosted — your evidence and your tracker state never leave infrastructure you control unless you explicitly push them.

What you get

  • Complete KSI coverage — all 63 KSIs and 223 requirements are accounted for: cloud collectors where testable, process-artifact evidence for governance requirements, and explicit awareness-only tracking for items that obligate FedRAMP / an agency / a 3PAO.
  • 🔒 Provably read-only — every cloud SDK call is enforced read-only by two independent layers (viewer-only IAM and a runtime guardrail Proxy).
  • 🎚️ Low / Moderate / High — choose your impact tier; the collector scopes every requirement to that tier (High applicability is derived from NIST 800-53 Rev5 and clearly labeled).
  • 📊 NIST 800-53 benchmark — roll findings up to 800-53 controls and score each control, for both the 20x-referenced control set and the full SP 800-53B baseline.
  • 🖊️ Tamper-evident — Ed25519-signed manifests + optional RFC 3161 trusted timestamps; an offline verify CLI re-checks every hash and signature.
  • 🔁 OSCAL + crosswalks — OSCAL 1.1 Assessment Results, plus NIST → SOC 2 / ISO 27001 / HIPAA crosswalk.
  • 🔌 Push anywhere — Paramify, the bundled tracker, Slack/PagerDuty, Jira/ServiceNow/GitHub Issues, SIEM (OCSF), generic HMAC webhook, and optional LLM-drafted remediation PRs.
  • 🧰 Operationally hardened — retry/backoff, adaptive concurrency under throttle, append-only run ledger, and a run lock to prevent overlapping runs.

Repository layout

```text
FedRAMP 20x/
├── cloud-evidence/      Read-only AWS+GCP+K8s evidence collector
│   ├── core/            Orchestrator, schema, signing, OSCAL, benchmark, hardening
│   ├── providers/       Per-cloud collectors (aws/, gcp/, k8s/)
│   ├── scripts/         Reproducible data extractors (FRMR, NIST r5, baselines)
│   ├── docs/            Committed generated lookups + IAM permission catalog
│   └── tests/           Vitest suites (38 files, 396 tests)
├── tracker/             Local multi-user web tracker over the FRMR catalog
│   ├── server/          Hono API + better-sqlite3 + RBAC/2FA/audit
│   ├── client/          React + Vite SPA
│   └── tests/           Vitest suites (11 files, 99 tests)
├── ARCHITECTURE.md      How the two projects fit together (with diagrams)
├── RUNBOOK.md           Operations: setup, IAM, env vars, troubleshooting
├── COST.md              Cost model for the collector + integrations
├── GAP-ANALYSIS.md      Positioning vs Prowler/ScoutSuite/Wiz/Drata/Vanta/Paramify
├── CHANGELOG.md         Version history
├── LICENSE              Apache-2.0
└── NOTICE               Third-party data attribution
# External reference clones (git-ignored, not part of this repo's code):
├── docs/                Clone of github.com/FedRAMP/docs (FRMR source of truth)
└── nist-r5-data/        NIST 800-53 Rev5 reference data
```

Architecture at a glance

```mermaid
graph LR
  CSP[CSP environment<br/>AWS + GCP + K8s] --> CE[cloud-evidence<br/>orchestrator]
  CE --> Out[(out/*.json<br/>+ manifest.sig<br/>+ control-benchmark.json<br/>+ assessment-results.json)]
  Out --> Sign[Ed25519 + RFC 3161]
  Out --> Tracker[(tracker DB)]
  Out --> GRC[Paramify / SIEM / Tickets / Webhook]
  Auditor[3PAO / auditor] -. verifies .-> Out
  Tracker --> UI[React SPA]
```

See ARCHITECTURE.md for the full module maps and data flow.

Quick start

Prerequisites: Node 22+ (tested on 22 and 24); optionally Bun 1.3+ or Deno 2.8+ for the collector. AWS credentials via aws sso login / AWS_PROFILE, and GCP via gcloud auth application-default login.

```bash
git clone git@github.com:kenithphilip/FedPy.git "FedRAMP 20x"
cd "FedRAMP 20x"
```

Collect evidence

```bash
cd cloud-evidence
npm install
# Plan only — no SDK calls are made
npm run collect -- --dry-run
# Real collection at Moderate, benchmarked against the 20x-referenced controls
npm run collect -- --impact-level moderate --framework 20x
# Full High-tier run benchmarked against the entire NIST SP 800-53B High baseline,
# with all post-run reports, OSCAL, crosswalk, and signing
npm run collect -- --impact-level high --framework rev5 --all-reports --oscal --crosswalk
# Verify a finished run offline (re-hashes every file, checks the signature)
npm run verify -- ./out
```

Output goes to ./out/ (git-ignored). See Output artifacts.

Run the tracker

```bash
# from the repo root, get the FRMR source of truth (if you don't have it)
git clone https://github.com/FedRAMP/docs.git
cd tracker
npm install
npm run ingest   # load FRMR.documentation.json into data/tracker.db
npm run dev      # API on :4000, web UI on :5173
# open http://localhost:5173 — the first account you create becomes admin
```

The cloud-evidence collector

A read-only TypeScript collector for the FedRAMP 20x KSIs across AWS, GCP, and Kubernetes. It runs on Node (via tsx), Bun, or Deno — Bun is recommended for production collection (native TS, faster startup/I/O, better concurrency under throttle); Node + tsx is the default and what the test suite runs on. Deno is also supported via the collect:deno / verify:deno scripts (it needs explicit --allow-* permission flags; see RUNBOOK.md).

Read-only safety model

The collector must never mutate cloud state. This is enforced by two independent mechanisms: either layer on its own would stop a write, and both must be in place for a run.

  1. Viewer-only IAM. The runner principal is bound to read-only managed policies only (AWS ReadOnlyAccess, GCP viewer/securityReviewer roles, K8s view). The exact least-privilege role list is in RUNBOOK.md and cloud-evidence/docs/IAM-PERMISSIONS-CATALOG.md.
  2. Runtime guardrail Proxy. Every SDK client is wrapped at construction by core/readonly-guardrail.ts (AWS) or core/readonly-guardrail-gcp.ts (GCP). Any command whose verb prefix isn't on the read-only allowlist throws ReadOnlyViolationError before the call leaves the process — so even a mis-scoped IAM role or a buggy new collector cannot perform a write.
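The runtime guardrail described above, as an added illustration written for this README: it is not the project's core/readonly-guardrail.ts, and every name in it (READ_ONLY_VERBS, ReadOnlyViolationError, wrapReadOnly, the Fake* stand-in classes) is an assumption. It shows the essential property: the Proxy inspects the command's operation name and throws before any network call is made, so a mis-scoped IAM role cannot be the only thing standing between a collector and a write.

```typescript
// Added example (not the project's own core/readonly-guardrail.ts): a runtime
// read-only guardrail that wraps an SDK-style client in a Proxy and refuses any
// command whose verb prefix is not on a read-only allowlist. All names below
// (READ_ONLY_VERBS, ReadOnlyViolationError, wrapReadOnly, the Fake* classes)
// are assumptions made for this illustration.

// Verb prefixes allowed to leave the process; everything else is treated as a write.
export const READ_ONLY_VERBS = ["Describe", "Get", "List", "Head", "Lookup", "Query"];

export class ReadOnlyViolationError extends Error {
  constructor(public readonly commandName: string) {
    super(`read-only guardrail: refusing to send ${commandName}`);
    this.name = "ReadOnlyViolationError";
  }
}

// AWS SDK v3 commands are classes named like "ListBucketsCommand"; strip the
// suffix and check the operation verb against the allowlist.
export function isReadOnlyCommand(commandName: string): boolean {
  const op = commandName.replace(/Command$/, "");
  return READ_ONLY_VERBS.some((verb) => op.startsWith(verb));
}

type SdkClient = { send(command: object): Promise<unknown> };

// Wrap a client at construction time. The Proxy intercepts `send` and throws
// synchronously for non-read commands, before any network call is made.
export function wrapReadOnly<T extends SdkClient>(client: T, audit: string[] = []): T {
  return new Proxy(client, {
    get(target, prop, receiver) {
      const value = Reflect.get(target, prop, receiver);
      if (prop !== "send" || typeof value !== "function") return value;
      return (command: object) => {
        const name = command.constructor.name;
        if (!isReadOnlyCommand(name)) {
          audit.push(`BLOCKED ${name}`);
          throw new ReadOnlyViolationError(name);
        }
        audit.push(`ALLOWED ${name}`);
        return value.call(target, command);
      };
    },
  });
}

// --- Constructed stand-ins for SDK classes (no real cloud calls are made) ---
class ListBucketsCommand {}
class PutBucketPolicyCommand {}
class FakeS3Client implements SdkClient {
  async send(command: object): Promise<unknown> {
    return { from: command.constructor.name };
  }
}

// Exercise the guardrail: one read (allowed) and one write (blocked).
export function demo(): { audit: string[]; blockedByGuardrail: boolean } {
  const audit: string[] = [];
  const s3 = wrapReadOnly(new FakeS3Client(), audit);
  void s3.send(new ListBucketsCommand());
  let blockedByGuardrail = false;
  try {
    void s3.send(new PutBucketPolicyCommand());
  } catch (err) {
    blockedByGuardrail = err instanceof ReadOnlyViolationError;
  }
  return { audit, blockedByGuardrail };
}
```

The audit trail is the useful operational by-product: a BLOCKED entry in it means a collector attempted a write and should be treated as a bug, exactly as the Security section of this README says.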

Impact levels & frameworks

Pick the tier at setup (config.yaml impact_level:) or per-run (--impact-level low|moderate|high). The collector then scopes all 223 requirements to that tier:

  • Cloud-testable KSIs run their collectors against live config.
  • Governance requirements emit signed process-artifact evidence, tracked via an attestation register with SLA/deadline monitoring.
  • FedRAMP/agency/3PAO obligations are recorded as awareness-only and excluded from your provider pass/fail.

High applicability is derived from the NIST 800-53 Rev5 baseline (there is no separately published 20x High) and always labeled derived-rev5.

NIST 800-53 control benchmark

Every run rolls findings up to NIST 800-53 controls and scores each control at the chosen impact level, so you can benchmark your cloud infrastructure against the baseline. Two framings via --framework:

| --framework | In-scope control set | Answers |
|---|---|---|
| 20x (default) | The controls the evaluated 20x KSIs/FRRs reference | "How covered are the controls 20x cares about, at this level?" |
| rev5 | The full NIST SP 800-53B baseline for the level (Low 149 / Moderate 287 / High 370) | "Which baseline controls have automated cloud evidence vs. still need manual assessment?" |

Each control gets a status — satisfied (all mapping findings passed), partially-satisfied (mixed), not-satisfied (all failed), or not-assessed (no automated evidence). The report (control-benchmark.json) gives two rates: assessed_pass_rate (satisfied ÷ controls with evidence) and baseline_coverage_rate (satisfied ÷ whole in-scope set). Awareness-only attestations are listed under a control but never satisfy it on their own.
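The roll-up rule above, carried through on a constructed set of findings. This is an added example, not the project's benchmark module or its real KSI-to-control mapping; the finding shape, the requirement ids and the control scope below are all assumptions. It reproduces the four statuses and the two rates as the paragraph defines them, and keeps awareness-only attestations listed under their control without letting them count toward "satisfied".

```typescript
// Added example (not the project's benchmark code): roll per-requirement
// findings up to NIST 800-53 controls and score them as described for
// control-benchmark.json. Types, ids and sample data are constructed.

export type Outcome = "pass" | "fail";
export type ControlStatus = "satisfied" | "partially-satisfied" | "not-satisfied" | "not-assessed";

export interface Finding {
  requirement: string;     // constructed requirement id
  outcome: Outcome;
  controls: string[];      // 800-53 controls this requirement maps to
  awarenessOnly?: boolean; // FedRAMP / agency / 3PAO obligation: listed, never satisfies
}

export interface Benchmark {
  statuses: Record<string, ControlStatus>;
  awareness_only: Record<string, string[]>; // control -> attestations listed under it
  assessed_pass_rate: number;    // satisfied / controls with automated evidence
  baseline_coverage_rate: number; // satisfied / whole in-scope set
}

export function benchmark(findings: Finding[], inScope: string[]): Benchmark {
  const byControl = new Map<string, Outcome[]>();
  const awareness: Record<string, string[]> = {};
  for (const f of findings) {
    for (const c of f.controls) {
      if (f.awarenessOnly) {
        (awareness[c] ??= []).push(f.requirement); // listed, but never scored
        continue;
      }
      if (!byControl.has(c)) byControl.set(c, []);
      byControl.get(c)!.push(f.outcome);
    }
  }

  const statuses: Record<string, ControlStatus> = {};
  let withEvidence = 0;
  let satisfied = 0;
  for (const c of inScope) {
    const outcomes = byControl.get(c) ?? [];
    if (outcomes.length === 0) { statuses[c] = "not-assessed"; continue; }
    withEvidence++;
    const passes = outcomes.filter((o) => o === "pass").length;
    if (passes === outcomes.length) { statuses[c] = "satisfied"; satisfied++; }
    else if (passes === 0) statuses[c] = "not-satisfied";
    else statuses[c] = "partially-satisfied";
  }

  return {
    statuses,
    awareness_only: awareness,
    assessed_pass_rate: withEvidence === 0 ? 0 : satisfied / withEvidence,
    baseline_coverage_rate: inScope.length === 0 ? 0 : satisfied / inScope.length,
  };
}

// Constructed sample run (not real evidence or the project's mapping).
export const SAMPLE_FINDINGS: Finding[] = [
  { requirement: "KSI-IAM-01", outcome: "pass", controls: ["IA-2", "AC-2"] },
  { requirement: "KSI-IAM-02", outcome: "fail", controls: ["AC-2"] },
  { requirement: "KSI-CNA-01", outcome: "fail", controls: ["SC-7"] },
  { requirement: "FRR-ASSESS-01", outcome: "pass", controls: ["CA-2"], awarenessOnly: true },
];
export const SAMPLE_SCOPE = ["IA-2", "AC-2", "SC-7", "CA-2", "AU-2"];

export function demo(): Benchmark {
  return benchmark(SAMPLE_FINDINGS, SAMPLE_SCOPE);
}
```

On the sample data IA-2 is satisfied, AC-2 is partially-satisfied, SC-7 is not-satisfied, and CA-2 and AU-2 are not-assessed (CA-2 only carries an awareness-only attestation), giving an assessed pass rate of 1/3 and a baseline coverage rate of 1/5. The gap between the two rates is the point of reporting both: one says how well the evidence you have is doing, the other how much of the baseline still has no automated evidence at all.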

Baseline membership ships committed (cloud-evidence/docs/nist-r5-baselines.generated.json, sourced from NIST's official OSCAL resolved-profile catalogs) so there is no network at runtime; refresh it with node scripts/extract-nist-baselines.mjs.

Output artifacts

A single run writes to ./out/:

| File | Contents |
|---|---|
| KSI-*.json | Per-KSI evidence envelopes (v3 schema, one per requirement) |
| pva-run-summary.json | Run roll-up + impact level + framework + benchmark headline |
| family-rollup.json | Per-control-family posture |
| control-benchmark.json | NIST 800-53 control benchmark (this run's framing/level) |
| inventory.json (--inventory-workbook) | Rich org-grade cloud asset inventory (every resource type; source of truth) + relationship graph |
| inventory-workbook.{csv,xlsx} | FedRAMP Appendix M Integrated Inventory Workbook (AWS + GCP assets) |
| inventory-oscal.json / inventory-cmdb.json / inventory-diff.json / inventory-cost.json | OSCAL inventory-items · ServiceNow CMDB records · run-over-run change diff · month-to-date cost by service |
| manifest.json + manifest.sig | Ed25519-signed inventory of every output file |
| manifest.tsr (optional) | RFC 3161 trusted timestamp token |
| assessment-results.json (--oscal) | OSCAL 1.1 Assessment Results |
| crosswalk-report.json (--crosswalk) | NIST → SOC 2 / ISO 27001 / HIPAA |
| coverage-report.json | Silent-failure / gap detection |
| report.html, findings.csv (--all-reports) | Human + spreadsheet views |
| diff-report.{json,html} | Change vs. the previous run |
| anomaly-report.json (--anomaly) | Drift vs. the rolling baseline |
| run-ledger.jsonl | Append-only audit trail of every action + timing |

Integrations

All opt-in (require their own env vars; see RUNBOOK.md):

Paramify · the bundled tracker (--push-tracker) · Slack / PagerDuty (--notify-on-drift) · Jira / ServiceNow / GitHub Issues (--ticket-push) · SIEM via OCSF (--siem-url) · generic HMAC-signed webhook (--webhook-url) · Anthropic Claude remediation PR drafts (--llm-generate-prs) · Powerpipe mod (--powerpipe) · SBOM ingest (--sbom-dir).

Production hardening

  • Retry/backoff on every SDK call (configurable attempts/backoff caps).
  • Adaptive concurrency — a token bucket + AIMD limiter that backs off under throttling and recovers, plus in-run TTL memoization.
  • Append-only run ledger — crash-durable JSONL of every action and outcome.
  • Run lock — prevents two runs clobbering the same output dir (TTL + PID-liveness; auto-released on exit).

The tracker

A local, multi-user web dashboard that ingests the FRMR catalog and lets your team track implementation status against every 20x requirement and KSI. It sits next to a clone of the upstream FedRAMP docs and re-ingests on demand, preserving your status, owner, notes, and evidence (state is keyed by stable FRMR IDs).

Highlights: dashboard with "next 10 to tackle", gap analysis, requirement & KSI browsers, full item detail with FRD-term tooltips, a NIST 800-53 crosswalk, a collector-runs view (impact level + benchmark headline), CSV/JSON export, and multi-user accounts with sessions, TOTP 2FA, role-based access control, per-item audit log, and online backup/restore.

See tracker/README.md for the full feature list and API.

Testing

```bash
# cloud-evidence — 38 files, 396 tests
cd cloud-evidence && npm test && npm run typecheck
# tracker — 11 files, 99 tests
cd tracker && npm test && npm run typecheck
```

Both projects typecheck clean and the full suite (495 tests) passes. CI-style one-liner from the repo root:

```bash
(cd cloud-evidence && npm test) && (cd tracker && npm test)
```

Documentation index

| Doc | What's in it |
|---|---|
| ARCHITECTURE.md | Module maps, data flow, integration points, the read-only invariant |
| RUNBOOK.md | Setup, required IAM, all environment variables, exit codes, troubleshooting |
| cloud-evidence/docs/OPERATOR-GUIDE.md | Single consolidated operator reference: complete CLI flag list, env var list, config files (config.yaml, thresholds.yaml, forward-spec org-profile.yaml), loop landscape (implemented / spec'd / roadmap), conditional-loop activation matrix, output-artifact catalogue, common run patterns |
| cloud-evidence/org-profile.yaml.example | Forward-spec template for conditional loops (LOOP-M, LOOP-O, LOOP-S, LOOP-X, G.G2-CIRCIA, M.M4-CIRCIA, G.G2-SEC-8K) |
| COST.md | Cost model for the collector and optional integrations |
| GAP-ANALYSIS.md | How this compares to Prowler / ScoutSuite / Wiz / Drata / Vanta / Paramify |
| CHANGELOG.md | Version history |
| cloud-evidence/README.md | Collector deep-dive |
| cloud-evidence/CLAUDE.md | REO standard + Scope Guard + Conditional Applicability Matrix (for contributors) |
| cloud-evidence/docs/STATUS.md | Current implementation status: every slice, every loop |
| cloud-evidence/docs/IAM-PERMISSIONS-CATALOG.md | Exact per-collector cloud permissions |
| cloud-evidence/docs/roadmap/README.md | Out-of-core / roadmap docs (LOOP-U/V/Y/Z + fifth-pass audit) |
| tracker/README.md | Tracker features, API, configuration |

Data sources & attribution

This repo derives committed lookup files from public sources (regenerated by the scripts in cloud-evidence/scripts/, not re-licensed):

See NOTICE for full attribution. These sources remain governed by their own terms.

Security

  • The collector is read-only by construction (see the safety model); a ReadOnlyViolationError is a bug in a collector, never something to work around.
  • Evidence is tamper-evident (Ed25519 manifest + optional RFC 3161 timestamp) and independently verifiable offline via npm run verify -- ./out.
  • The tracker stores passwords with scrypt, uses HttpOnly/SameSite session cookies, supports TOTP 2FA and RBAC, and records every mutation in an audit log.
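What "tamper-evident and independently verifiable offline" means in practice, as an added example that is not the project's manifest.json / manifest.sig format or its verify CLI: every output file is hashed into a manifest, the manifest bytes are signed with Ed25519, and verification re-hashes every file, checks the signature, and flags files that were modified, removed, or added after signing. The manifest layout, file names and helper names are assumptions; it uses node:crypto, which the Node and Bun runtimes named in this README both provide.

```typescript
// Added example (not the project's manifest.json / manifest.sig format): how an
// Ed25519-signed manifest makes a run tamper-evident, and how an offline verify
// step re-hashes every file and checks the signature. The manifest layout,
// file names and helper names are assumptions made for this illustration.
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

export interface Manifest {
  algorithm: "sha256";
  files: Record<string, string>; // file name -> hex digest
}

export function sha256Hex(data: string): string {
  return createHash("sha256").update(data, "utf8").digest("hex");
}

// Hash every output file; keys are sorted so the manifest is canonical.
export function buildManifest(files: Record<string, string>): Manifest {
  const out: Record<string, string> = {};
  for (const name of Object.keys(files).sort()) out[name] = sha256Hex(files[name]);
  return { algorithm: "sha256", files: out };
}

// The exact bytes that get signed: deterministic JSON of the canonical manifest.
function canonicalBytes(m: Manifest): Uint8Array {
  return new TextEncoder().encode(JSON.stringify(m));
}

// Ed25519 takes no separate digest algorithm, hence the `null` first argument.
export function signManifest(m: Manifest, privateKey: KeyObject): Uint8Array {
  return sign(null, canonicalBytes(m), privateKey);
}

// Offline verification: signature, then every listed file, then extra files.
export function verifyRun(
  files: Record<string, string>,
  manifest: Manifest,
  signature: Uint8Array,
  publicKey: KeyObject,
): { ok: boolean; problems: string[] } {
  const problems: string[] = [];
  if (!verify(null, canonicalBytes(manifest), publicKey, signature)) {
    problems.push("manifest signature invalid");
  }
  for (const [name, expected] of Object.entries(manifest.files)) {
    if (!(name in files)) { problems.push(`missing file: ${name}`); continue; }
    if (sha256Hex(files[name]) !== expected) problems.push(`hash mismatch: ${name}`);
  }
  for (const name of Object.keys(files)) {
    if (!(name in manifest.files)) problems.push(`unlisted file: ${name}`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed run: a clean verification, then the same run after a finding was
// edited and an extra file dropped into the output directory.
export function demo(): { cleanOk: boolean; tamperedProblems: string[] } {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const out: Record<string, string> = {
    "KSI-IAM-01.json": JSON.stringify({ ksi: "KSI-IAM-01", status: "fail" }),
    "pva-run-summary.json": JSON.stringify({ impact_level: "moderate" }),
  };
  const manifest = buildManifest(out);
  const sig = signManifest(manifest, privateKey);
  const cleanOk = verifyRun(out, manifest, sig, publicKey).ok;

  const tampered: Record<string, string> = {
    ...out,
    "KSI-IAM-01.json": JSON.stringify({ ksi: "KSI-IAM-01", status: "pass" }),
    "extra.json": "{}",
  };
  const tamperedProblems = verifyRun(tampered, manifest, sig, publicKey).problems;
  return { cleanOk, tamperedProblems };
}
```

Two details matter for an auditor's offline check. The signature covers the manifest, not the files, so flipping a finding from fail to pass shows up as a hash mismatch while the signature itself still verifies; and the verifier must also walk the output directory for files the manifest does not list, otherwise an added file would pass unnoticed.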

If you discover a security issue, please open a private report rather than a public issue.

License

Licensed under the Apache License 2.0. © 2026 Kenith Philip.

About

Read-only, evidence-grade automation for FedRAMP 20x & Rev5: a TypeScript collector that captures AWS/GCP/Kubernetes config evidence for all 63 KSIs (223 requirements), benchmarks against NIST 800-53 at Low/Moderate/High, and signs it (Ed25519 + OSCAL) — plus a local multi-user tracker over the FRMR catalog.
