Interactive demonstrations of Forseti capabilities. Explore each feature below — all demos run with live sample data, no setup required.
🌐 Crosswalk Compliance Engine NEW
Assess your NIST 800-53 controls once, and Forseti automatically derives your compliance posture across 5 additional frameworks — ISO 27001, SOC 2, HIPAA, PCI DSS, and CIS Controls v8. 292 requirements crosswalk-mapped to the authoritative 800-53 baseline.
Frameworks covered by the crosswalk (every card starts at 0 met, 0 partial, all gaps until controls are assessed):
🌐 ISO 27001:2022 (ISO/IEC): 93 Annex A requirements
🛡️ SOC 2 Type II (AICPA): 64 Trust Services Criteria
🏥 HIPAA Security Rule (HHS/OCR): 42 safeguards (45 CFR 164)
💳 PCI DSS v4.0 (PCI SSC): 37 requirements
📊 CIS Controls v8 (CIS): 56 safeguards across 18 groups
How it works: The Crosswalk Engine maps each framework requirement to one or more NIST 800-53 controls. When you assess a control (e.g., set AC-2 to "Satisfied"), the engine cascades that status to every framework requirement that depends on AC-2 — ISO A.5.15, A.5.18, SOC 2 CC6.1, CC6.2, CC6.5, HIPAA §164.308(a)(4), PCI DSS 7.1, 8.2, CIS 5.1, 5.3, 6.1, 6.2. One assessment action, 13 requirements resolved across 5 frameworks.
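The cascade described above, as an added Python example that is not Forseti's code: the crosswalk table follows the AC-2 example in the text, plus one constructed SOC 2 CC6.3 row that depends on two controls so a partially satisfied dependency can be shown. The derivation rule (all mapped controls satisfied means met, any progress means partial, otherwise gap) and the CC6.3 row are assumptions.

```python
from collections import defaultdict

# Constructed crosswalk: (framework, requirement) -> NIST 800-53 controls it depends on.
# The AC-2 rows follow the example in the text above; the CC6.3 row is a hypothetical
# multi-control dependency added only to show how a partial result is derived.
CROSSWALK = {
    ("ISO 27001", "A.5.15"): {"AC-2"},
    ("ISO 27001", "A.5.18"): {"AC-2"},
    ("SOC 2", "CC6.1"): {"AC-2"},
    ("SOC 2", "CC6.2"): {"AC-2"},
    ("SOC 2", "CC6.5"): {"AC-2"},
    ("SOC 2", "CC6.3"): {"AC-2", "AC-6"},   # hypothetical: needs both controls
    ("HIPAA", "164.308(a)(4)"): {"AC-2"},
    ("PCI DSS", "7.1"): {"AC-2"},
    ("PCI DSS", "8.2"): {"AC-2"},
    ("CIS v8", "5.1"): {"AC-2"},
    ("CIS v8", "5.3"): {"AC-2"},
    ("CIS v8", "6.1"): {"AC-2"},
    ("CIS v8", "6.2"): {"AC-2"},
}

SATISFIED = "Satisfied"
PARTIAL = "Partially Satisfied"
GAP = "Gap"

def derive_requirement_status(control_status, controls):
    """Met only when every mapped control is satisfied; partial if any
    mapped control shows progress; otherwise the requirement is a gap."""
    statuses = [control_status.get(c, "Pending") for c in controls]
    if all(s == SATISFIED for s in statuses):
        return SATISFIED
    if any(s in (SATISFIED, PARTIAL) for s in statuses):
        return PARTIAL
    return GAP

def cascade(control_status, crosswalk=CROSSWALK):
    """Recompute every framework requirement from the current 800-53 statuses."""
    return {req: derive_requirement_status(control_status, ctrls)
            for req, ctrls in crosswalk.items()}

def framework_summary(req_status):
    """Per-framework met / partial / gaps counts, as shown on the framework cards."""
    summary = defaultdict(lambda: {"met": 0, "partial": 0, "gaps": 0})
    for (framework, _), status in req_status.items():
        key = {SATISFIED: "met", PARTIAL: "partial"}.get(status, "gaps")
        summary[framework][key] += 1
    return dict(summary)

def impacted_requirements(control_id, crosswalk=CROSSWALK):
    """Requirements whose derived status can change when control_id is reassessed."""
    return sorted(req for req, ctrls in crosswalk.items() if control_id in ctrls)
```

Calling `framework_summary(cascade({"AC-2": SATISFIED}))` shows the single assessment resolving every AC-2-only requirement while CC6.3 stays partial until AC-6 is also assessed.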
🎯 Platform Demos
Interactive demos of core Forseti capabilities — click any tab to explore.
Dashboard counters: Satisfied · Inherited · Partial · OTS · Pending · Score (%)
Wingman scans a host, evaluates rules, and feeds Satisfied/OTS results directly into dashboard controls. Click Run Scan to see controls update in real-time.
Target: 10.0.1.42 — Platform: Linux — 6 sample rules
POA&Ms flow through a four-stage approval chain: Open → CSP submits → Assessor Verifies → AO Approves. Click a status to advance. Each POA&M row tracks ID, Control, Finding, Severity, Status, and Due date.
AI-powered FedRAMP SSP and 18 P&P document generation. Click Generate SSP to see the pipeline.
Pipeline counters: Controls · With Evidence · AI Generated · P&P Docs
Available Export Formats
📊 OSCAL SSP JSON: NIST OSCAL 1.1.0, machine-readable
🔑 FedRAMP 20x KSI: Key Security Indicators, automated validation
📝 SSP (DOCX): FedRAMP SSP v5.0 with AI narratives
📄 FedRAMP SAR: Assessment Report Template v4.0
📚 18 P&P Docs: all families, DOCX + ZIP bundle
📦 Full Bundle ZIP: all formats, complete package
Create isolated projects for each assessment phase. Control states and POA&Ms carry forward automatically.
Project phases: 🚀 Initial → 🔄 ConMon → 📅 Annual
CSP → 3PAO → AO tri-party authorization chain. Click Run Workflow to see the full ATO process.
FedRAMP Seven-State Disposition Model
✓ Satisfied: control fully met with evidence
◐ Partially Satisfied: partial implementation, POA&M required
✗ Other Than Satisfied: not met, finding generated
↓ Inherited: fully inherited from CSP/IaaS
⇊ Partially Inherited: shared responsibility model
— Not Applicable: control scoped out with justification
⏳ Pending: not yet assessed
Annual Assessment Scope Builder
FedRAMP annual assessments require re-testing at least 1/3 of controls. Forseti auto-generates the scope based on risk-weighted selection.
149 Year 1 Controls: all critical + high-risk
149 Year 2 Controls: medium risk + POA&M closures
149 Year 3 Controls: remaining + newly scoped
📋 Auto-Scope Logic: Controls with POA&M items → always in scope. Controls modified since last annual → in scope. Remaining controls distributed evenly across the 3-year cycle. Inherited controls excluded from direct testing.
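The auto-scope rules above, as an added Python example that is not Forseti's code: POA&M and recently modified controls are always in scope, inherited controls are excluded from direct testing, and the remaining controls are spread over the 3-year cycle. The even-distribution tie-breaker (sorted position modulo 3), the `Control` fields, and the sample inventory are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Control:
    id: str
    has_poam: bool = False
    modified_since_annual: bool = False
    inherited: bool = False

def cycle_year_of(control_ids):
    """Spread the 'remaining' controls evenly over the 3-year cycle.
    Deterministic tie-breaker: sorted position mod 3 (assumed, not Forseti's rule)."""
    return {cid: (i % 3) + 1 for i, cid in enumerate(sorted(control_ids))}

def build_scope(controls, year):
    """Apply the auto-scope rules for one annual assessment year (1, 2 or 3)."""
    testable = [c for c in controls if not c.inherited]   # inherited: no direct testing
    always = {c.id for c in testable if c.has_poam or c.modified_since_annual}
    remaining = [c.id for c in testable if c.id not in always]
    rotation = cycle_year_of(remaining)
    in_scope = always | {cid for cid, y in rotation.items() if y == year}
    return sorted(in_scope)

def meets_minimum(scope, controls):
    """FedRAMP annual assessments re-test at least one third of the controls."""
    testable = sum(1 for c in controls if not c.inherited)
    return testable == 0 or len(scope) * 3 >= testable

# Constructed sample inventory (not Forseti data).
SAMPLE = [
    Control("AC-2", has_poam=True),
    Control("AC-6"),
    Control("AU-2", modified_since_annual=True),
    Control("CM-6"),
    Control("IA-5"),
    Control("PE-3", inherited=True),
    Control("SC-7"),
    Control("SI-2", has_poam=True),
]
```

Over the three years the union of `build_scope(SAMPLE, y)` covers every non-inherited control exactly once beyond the always-in-scope set, and PE-3 never appears.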
Customer Responsibility Matrix
Maps shared responsibility between CSP and customer for each control family. Auto-generated from inheritance designations.
Family | Description | CSP Resp. | Customer | Type
AC | Access Control | Platform | Application | Shared
AU | Audit & Accountability | Full | Config | Shared
PE | Physical & Environmental | Full | N/A | Inherited
SC | System & Communications | Network | App-layer | Shared
Deviation Request Management
Track false positives, operational requirements, and risk-accepted deviations through the CSP → 3PAO → AO approval chain.
DR ID | Control | Justification | Type | Status
DR-2026-001 | SC-28 | EBS volumes use AWS-managed encryption (SSE-S3) — LUKS not applicable for cloud-native storage | False Positive | AO Approved
DR-2026-002 | AC-8 | Login banner implemented via SSO IdP splash page — /etc/issue not applicable for headless instances | Oper. Req. | 3PAO Review
DR-2026-003 | SI-2 | 3 pending patches deferred to next maintenance window (30 days) — compensating monitoring in place | Risk Accept | CSP Submitted
Assessment Test Procedures (ATP)
Per-control NIST 800-53A assessment procedures with Examine, Interview, and Test steps. Auto-generated for all 588+ controls.
AC-2 Account Management: 7/9 ATP steps complete
▸ 📄 Examine (4 steps): 4/4
📄 AC-2-E1: Access Control policy and procedures addressing account management
Reviewed Access Control Policy v4.2, dated 2026-01-15. Covers all AC requirements including account types, provisioning, and lifecycle management.
📄 AC-2-E2: System security plan section for AC-2 — Account Management
📄 AC-2-E3: Access authorization records and account inventory
Okta admin console export showing 142 active users, 8 service accounts, 3 shared accounts. Last quarterly review: 2026-04-01.
📄 AC-2-E4: Account management compliance review records
Q1 2026 access review ticket #ITSM-4821 — all managers confirmed or revoked access within 5 business days.
▸ 🎤 Interview (2 steps): 2/2
🎤 AC-2-I1: System administrator responsible for account provisioning and lifecycle
ISSO J. Martinez confirmed automated provisioning via Okta SCIM. De-provisioning triggers from HR termination workflow in ServiceNow.
📎 TRANSCRIPT EXCERPT
Q: How are new user accounts provisioned?
A: "All provisioning is automated through Okta SCIM. When HR creates a new employee in Workday, it triggers an Okta workflow that provisions accounts across all integrated applications within 15 minutes. We don't do any manual account creation."
Q: What happens when someone leaves the organization?
A: "HR submits a termination in ServiceNow which triggers immediate Okta deactivation. The account is suspended within 1 hour and fully deprovisioned after 30 days."
🎤 AC-2-I2: ISSO on account review frequency and deprovisioning workflow
ISSO confirmed quarterly access reviews per FedRAMP requirement. 35-day inactivity disable configured in Okta lifecycle policies.
▸ 🔧 Test (3 steps): 1/3
🔧 AC-2-T1: Verify automated account disable after 35 days inactivity (🤖 Auto)
🔧 AC-2-T2: Verify quarterly access review process and evidence
⏳ Pending — awaiting Q2 review evidence
🔧 AC-2-T3: Verify shared/group account authenticator change process
⏳ Pending — 3 shared accounts identified, need rotation evidence
Finding Statement
AC-2 is implemented as described in the SSP. Automated provisioning and deprovisioning via Okta SCIM is confirmed. Quarterly access reviews are conducted with evidence in ServiceNow (ITSM-4821). Two test steps remain pending for Q2 review completion and shared account rotation evidence.
Sarah Chen, Lead Assessor
2026-05-20
ATP export options:
📊 SRTM CSV Export: FedRAMP Excel-compatible
📋 OSCAL Assessment Results: per-step observations with methods
🤖 Auto-Generated: 588+ controls from metadata
FedRAMP Boundary Diagram Builder
Wizard-driven authorization boundary diagrams with drag-and-drop components, protocol/encryption labels, and SVG/PNG export.