Skip to content

latentarchon/compliance

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

131 Commits
.github/workflows
.github/workflows
 
 
cjis
cjis
 
 
cmd
cmd
 
 
contingency-test
contingency-test
 
 
evidence
evidence
 
 
oscal
oscal
 
 
policies
policies
 
 
sales
sales
 
 
scripts
scripts
 
 
sop
sop
 
 
templates
templates
 
 
training-tracker
training-tracker
 
 
.gitignore
.gitignore
 
 
CODEOWNERS
CODEOWNERS
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
cloudbuild-access-review.yaml
cloudbuild-access-review.yaml
 
 
cloudbuild-audit-review.yaml
cloudbuild-audit-review.yaml
 
 
cloudbuild-evidence.yaml
cloudbuild-evidence.yaml
 
 
cloudbuild-poam-report.yaml
cloudbuild-poam-report.yaml
 
 
cloudbuild-policy-review.yaml
cloudbuild-policy-review.yaml
 
 
cloudbuild.yaml
cloudbuild.yaml
 
 
configuration-management-plan.md
configuration-management-plan.md
 
 
contingency-plan.md
contingency-plan.md
 
 
continuous-monitoring-plan.md
continuous-monitoring-plan.md
 
 
customer-secure-configuration-guide.md
customer-secure-configuration-guide.md
 
 
cybersecurity-education-tracker.md
cybersecurity-education-tracker.md
 
 
fedramp-20x-ksi-summaries.md
fedramp-20x-ksi-summaries.md
 
 
fedramp-ssp-appendix-a-controls.md
fedramp-ssp-appendix-a-controls.md
 
 
fedramp-ssp.md
fedramp-ssp.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
isso-appointment-letter.md
isso-appointment-letter.md
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
personnel.json
personnel.json
 
 
personnel.schema.json
personnel.schema.json
 
 
privacy-impact-assessment.md
privacy-impact-assessment.md
 
 
red-team-deployment-guide.md
red-team-deployment-guide.md
 
 
red-team-mitre-coverage.md
red-team-mitre-coverage.md
 
 
rules-of-behavior.md
rules-of-behavior.md
 
 
security-whitepaper.md
security-whitepaper.md
 
 
separation-of-duties-matrix.md
separation-of-duties-matrix.md
 
 
supply-chain-risk-management-plan.md
supply-chain-risk-management-plan.md
 
 

Repository files navigation

Latent Archon — Compliance

OSCAL Validation Publish Compliance PDFs Quarterly ConMon Report

Security policies, compliance documentation, OSCAL SSP generation, automated compliance tooling, and sales collateral for the Latent Archon Document Intelligence Platform.

Metric Value
NIST 800-53 Baseline High — 355/355 controls implemented
DoD IL5 Overlay 42 additional controls (397 total)
FedRAMP Target High — full SSP complete, 3PAO engagement Q3 2026
CJIS All 13 policy areas mapped
Red Team 99 automated attacks across 6 MITRE ATT&CK-mapped suites
OSCAL SSP Machine-readable SSP — generated from IaC via automated scanners

OSCAL System Security Plan

The oscal/ssp.json file is a machine-readable NIST OSCAL SSP covering the full FedRAMP High baseline plus DoD IL5 overlay controls. It is generated automatically from infrastructure-as-code using Go-based scanners that inspect Terraform configs, GCP org policies, Cloudflare configurations, and CI/CD pipelines.

npm run generate:oscal    # Regenerate from current IaC state
npm run validate:oscal    # Validate against OSCAL schema
npm run check:drift       # Detect SSP-to-IaC drift

Structure

policies/                          # 13 governance policies (NIST 800-53 aligned)
  information-security.md          # POL-IS-001 — Overarching security program
  access-control.md                # POL-AC-001 — AuthN, AuthZ, data isolation
  change-management.md             # POL-CM-001 — Change control, CI/CD security
  incident-response.md             # POL-IR-001 — IR framework, MITRE mapped
  vendor-risk.md                   # POL-VR-001 — Third-party risk management
  encryption.md                    # POL-EN-001 — Cryptographic standards, KMS
  data-classification.md           # POL-DC-001 — Classification, retention, disposal
  business-continuity.md           # POL-BC-001 — BC/DR, backup, recovery
  risk-management.md               # POL-RM-001 — Risk assessment, register, appetite
  acceptable-use.md                # POL-AU-001 — Acceptable/prohibited use
  security-awareness-training.md   # POL-AT-001 — Training requirements
  physical-security.md             # POL-PE-001 — Physical security (CSP inherited)
  vulnerability-scanning.md        # DOC-VS-001 — Scanning strategy, SLA timelines
cloud/                             # Cloud-specific supplements
  gcp.md                           # GCP service mapping and FedRAMP authorization
sales/                             # Sales and procurement collateral
  capability-statement.md
  pipeline-targets.md
security-whitepaper.md             # Customer-facing security architecture whitepaper
fedramp-ssp.md                     # FedRAMP System Security Plan
fedramp-20x-ksi-summaries.md       # FedRAMP 20x Key Security Indicator summaries
fedramp-ssp-appendix-a-controls.md  # Appendix A: High baseline (IL5) + Appendix A-2: High enhancement controls
ssp-lite-nist-800-53.md            # SSP-Lite NIST 800-53 High control mapping
configuration-management-plan.md   # Configuration management plan
continuous-monitoring-plan.md      # Continuous monitoring plan
contingency-plan.md                # Contingency / disaster recovery plan
privacy-impact-assessment.md       # Privacy impact assessment
supply-chain-risk-management-plan.md # Supply chain risk management plan
vulnerability-scanning-strategy.md # Vulnerability scanning strategy (DOC-VS-001)
red-team-mitre-coverage.md         # Red team MITRE ATT&CK coverage matrix (public)
cjis/                              # CJIS Security Policy v5.9.5 compliance
  compliance-mapping.md            # 13 policy area mapping
  management-control-agreement.md  # MCA template for state CSA engagement
  readiness-checklist.md           # Pre-audit checklist
oscal/                             # Machine-readable OSCAL artifacts
  ssp.json                         # NIST OSCAL SSP (High + IL5)

Policy Inventory

ID Policy NIST Controls Domain
POL-IS-001 Information Security PL-1, PL-2, PM-1, PM-9 Program governance
POL-AC-001 Access Control AC-1 through AC-22 Authentication, authorization, isolation
POL-CM-001 Change Management CM-1 through CM-8 Change control, CI/CD, configuration
POL-IR-001 Incident Response IR-1 through IR-9 Detection, response, recovery
POL-VR-001 Vendor Risk Management SA-1 through SA-11 Third-party, supply chain
POL-EN-001 Encryption SC-8, SC-12, SC-13, SC-28 Cryptographic protection
POL-DC-001 Data Classification & Retention RA-2, MP-1, SI-12, AU-11 Classification, handling, disposal
POL-BC-001 Business Continuity & DR CP-1 through CP-10 Backup, recovery, continuity
POL-RM-001 Risk Management RA-1, RA-2, RA-3, PM-9 Risk assessment, treatment
POL-AU-001 Acceptable Use PL-4, AC-8, AT-2 System use, prohibited activities
POL-AT-001 Security Awareness & Training AT-1 through AT-4 Training, awareness program
POL-PE-001 Physical Security PE-1 through PE-6, MA-1 Physical controls (CSP inherited)

Audience

Document Audience Purpose
policies/* Internal / ATO package Written governance policies for NIST compliance
cloud/* Internal / ATO package Cloud-specific implementation details (GCP)
security-whitepaper.md Customers / procurement Technical security architecture overview
fedramp-ssp.md ATO / compliance officers FedRAMP System Security Plan
fedramp-ssp-appendix-a-controls.md ATO / compliance officers / 3PAO NIST 800-53 control implementations (High baseline, IL5 + enhancement controls in Appendix A-2)
ssp-lite-nist-800-53.md ATO / compliance officers Control-by-control NIST 800-53 mapping
sales/capability-statement.md Contracting officers Company capability one-pager

PDF Generation

PDFs are generated from markdown sources and hosted on the marketing site for download.

npm install
npm run build:pdfs

CI/CD Pipeline

On push to main, the publish-pdfs workflow:

  1. Builds PDFs from all markdown sources
  2. Uploads them as a GitHub Actions artifact (90-day retention)

The marketing site (latentarchon/marketing) checks out this repo at build time, builds PDFs, and copies them to public/docs/ before deploying to Firebase Hosting. No PDFs are committed to either repo.

Technical Maturity Evidence

This repository serves as feasibility evidence for government R&D programs (SBIR/STTR D2P2, OTAs). All work is self-funded — no prior government funding.

Evidence Description
OSCAL SSP Machine-readable SSP with 397 controls, generated from IaC
FedRAMP SSP Full narrative SSP at High baseline with IL5 overlay
Appendix A Controls 2,600-line control-by-control implementation details
Go Compliance Tooling SSP generator, OSCAL scanner, access/audit review, POA&M reporting, drift checker
Automated ConMon Monthly Cloud Build pipeline: scanning, evidence collection, KSI updates
13 Security Policies NIST-aligned governance policies with annual review cycle

| CJIS Mapping | All 13 CJIS policy areas with MCA template | | Red Team Program | 99 automated attacks across 6 MITRE ATT&CK-mapped suites |

Compliance Automation Pipeline

IaC (Terraform/Terragrunt)
  → Go OSCAL Scanner (VPC-SC, CMEK, CI/CD, DLP, RLS, IDP, WAF adapters)
    → oscal/ssp.json (machine-readable)
    → fedramp-ssp.md (human-readable)
    → evidence/ (verified controls, tier summaries)
      → GCS evidence bucket (Cloud Build archive)
      → 3PAO assessment portal
      → Cloud Build monthly ConMon

Review Cycle

All policies are reviewed annually. Next review: March 2027.

About

FedRAMP High + IL5 compliance-as-code: OSCAL SSP, 397 NIST controls, 13 policies, automated ConMon, Drata integration

Topics

fedramp govtech compliance-as-code oscal fedramp-high nist-800-53 cjis fedramp-20x il5

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

v2.0.0 — 100% FedRAMP High + IL5 Overlay Latest
Apr 19, 2026

Packages

 
 
 

Contributors

Languages