Releases: kenithphilip/FedPy

v0.2.0 — Full FedRAMP 20x coverage + NIST 800-53 benchmark

28 May 11:00
@kenithphilip kenithphilip
v0.2.0
This tag was signed with the committer’s verified signature.
kenithphilip Kenith B. Philip
SSH Key Fingerprint: mcOD8iJh5V22mDawv5YVSGcimIhtWdBXlER+4vGY/W8
Verified
4f84e4e
This commit was signed with the committer’s verified signature.


First feature release on top of the 0.1.0 scaffold. The collector now accounts for the entire 223-requirement FedRAMP 20x set (all 63 KSIs), lets you pick an impact tier, and benchmarks your cloud against NIST 800-53.

Highlights

  • Full Low / Moderate / High coverage: the impact-level selector scopes all 223 requirements; High applicability is derived from NIST 800-53 Rev5 and labeled as such. 44 KSIs run live cloud collectors; the rest emit signed process-artifact evidence or are tracked awareness-only.
  • NIST 800-53 control benchmark (control-benchmark.json) — roll findings up to controls and score each one, in two framings: --framework 20x (controls the KSIs reference) or --framework rev5 (full SP 800-53B baseline: Low 149 / Moderate 287 / High 370).
  • Tamper-evident evidence — Ed25519-signed manifests + optional RFC 3161 timestamps; offline verify CLI. OSCAL 1.1 Assessment Results + NIST→SOC2/ISO27001/HIPAA crosswalk.
  • Production hardening — retry/backoff, adaptive concurrency under throttle, append-only run ledger, run lock.
  • Runtimes — collector runs on Node (tsx), Bun (recommended), and Deno 2.8+.
  • Tracker security suite — TOTP 2FA, granular RBAC, audit-log search, backup/restore, evidence uploads, collector-runs view with the benchmark headline.
  • Quality gates — 495 tests (cloud-evidence 396 + tracker 99) and a push/PR CI workflow (Node 22 + 24).

See CHANGELOG.md for the full list.

Install

```bash
git clone git@github.com:kenithphilip/FedPy.git "FedRAMP 20x" && cd "FedRAMP 20x"
cd cloud-evidence && npm install && npm run collect -- --dry-run
```

Licensed under Apache-2.0.
