
SSP & Policy Generator

AI-powered FedRAMP System Security Plan and Policy & Procedure document generation. Upload your IaC evidence, fill out the intake form, and Forseti generates a complete authorization package — OSCAL-first with DOCX exports.

⚠ BEDROCK OFFLINE
AWS GovCloud (IL4) Required for Full AI Generation

The SSP Generator uses AWS Bedrock (Claude 3.5 Sonnet) to generate implementation statements and policy narratives from your IaC evidence. This feature requires the AWS GovCloud (us-gov-west-1) environment with a deployed Lambda proxy. Until that proxy is deployed, the system operates in stub mode: the full pipeline works end-to-end, but AI-generated text shows placeholder content.

Capabilities
📋 Project Intake (LIVE)

System metadata, boundary description, data types, CSP leveraged authorizations, ISSO/AO contacts, and FIPS 199 categorization.

🔍 IaC Evidence Mapper (LIVE)

Upload Terraform, CloudFormation, or CDK files. Auto-extracts config values and maps them to NIST 800-53 controls with structured evidence summaries.

🤖 AI Narrative Generation (NEEDS IL4)

Claude 3.5 Sonnet generates implementation statements per control from IaC evidence. Outputs in third-person SSP format with specific resource names and config values.

📊 OSCAL SSP Export (LIVE)

NIST OSCAL 1.1.0 System Security Plan — primary FedRAMP 20x machine-readable format. Includes all implemented requirements and system characteristics.

📝 SSP DOCX Export (LIVE)

FedRAMP SSP v5.0 Word document — cover page, all 13 sections, control implementation table, and appendices. Human-review flagging for sections needing input.

📚 18 P&P Documents (PARTIAL)

All 18 NIST 800-53 control family Policy & Procedure documents as individual DOCX files. Templates work now; AI-enhanced content needs Bedrock.

Generation Pipeline

• 📋 Intake Form: system metadata
• 📁 IaC Upload: Terraform / CFn
• 🔍 Evidence Map: auto control match
• 🤖 AI Generate: Bedrock (IL4)
• 📄 Review: per-control edit
• 📦 Export: OSCAL + DOCX

Export Formats

• 📊 OSCAL SSP JSON: NIST 1.1.0 · FedRAMP 20x
• 📋 OSCAL Assessment Results: findings + observations
• 🔑 FedRAMP 20x KSI: Key Security Indicators
• 📝 SSP DOCX: FedRAMP v5.0 template
• 📚 18 P&P Documents: per-family DOCX
• 📦 Full Bundle ZIP: complete auth package

Deployment Configuration
// ssp-bedrock.js — Configuration for AWS GovCloud
const FORSETI_BEDROCK_ENABLED = false;  // Set true when Lambda proxy is deployed
const BEDROCK_ENDPOINT     = '/api/bedrock';  // Lambda proxy URL
const BEDROCK_MODEL        = 'anthropic.claude-3-5-sonnet-20241022-v2:0';
// GovCloud endpoint: https://bedrock-runtime.us-gov-west-1.amazonaws.com

The SSP Generator is fully functional in stub mode. You can test the complete pipeline — intake, IaC mapping, generation (stubs), review, and export — right now.


Evidence Analysis Tools Active

Upload artifacts and policy documents to automatically evaluate compliance evidence and update control statuses across all framework cards.

Tool Capabilities

Artifact Evidence Scanner

Analyzes configuration files, IaC templates, scripts, and logs for compliance evidence. Pattern-matches against 43 NIST controls and auto-sets Pass on high-confidence matches.

Policy Document Scanner

Scans policy and procedure documents for required sections across 19 NIST control families. Verifies purpose, scope, roles, procedures, and review frequency per FedRAMP requirements.

Dashboard Auto-Apply

Strong evidence automatically sets Pass/Fail on matched GRC controls. Linked family controls cascade: a passing AC-1 policy also passes AC-2 through AC-22. A Fail status is never overridden.

Evidence Mapping

Each finding shows matched keywords, evidence snippets, and confidence scores. Assessors retain full override capability with manual Pass/Fail buttons on every control.
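The Artifact Evidence Scanner and Evidence Mapping cards above describe a keyword/pattern pass over uploaded IaC that yields per-control findings with the matched keyword, an evidence snippet and a confidence score, auto-applying only high-confidence matches. The following is an added illustration of that idea, not the project's own scanner: the rule set (`EVIDENCE_RULES`), the auto-apply threshold, the control assignments and the Terraform sample are all constructed for this example.

```javascript
// Added example: keyword/pattern evidence scanner over an IaC artifact.
// Not Forseti's own code. The rule-to-control mapping, the 0.8 auto-apply
// threshold and SAMPLE_TF are constructed for illustration.

// Hypothetical rule set: one regex per evidence pattern, each tied to a
// NIST 800-53 control, a Pass/Fail result and a confidence score.
const EVIDENCE_RULES = [
  { control: 'SC-28', keyword: 'sse_algorithm aws:kms',
    re: /sse_algorithm\s*=\s*"aws:kms"/, result: 'Pass', confidence: 0.9 },
  { control: 'SC-12', keyword: 'enable_key_rotation',
    re: /enable_key_rotation\s*=\s*true/, result: 'Pass', confidence: 0.9 },
  { control: 'AU-9', keyword: 'enable_log_file_validation',
    re: /enable_log_file_validation\s*=\s*true/, result: 'Pass', confidence: 0.85 },
  // Resource type alone is weaker evidence: below threshold, assessor reviews it.
  { control: 'AU-2', keyword: 'aws_cloudtrail',
    re: /resource\s+"aws_cloudtrail"/, result: 'Pass', confidence: 0.6 },
  // Open ingress is a negative finding; Fail is recorded with high confidence.
  { control: 'SC-7', keyword: 'cidr_blocks 0.0.0.0/0',
    re: /cidr_blocks\s*=\s*\[\s*"0\.0\.0\.0\/0"\s*\]/, result: 'Fail', confidence: 0.95 },
];

// Only findings at or above this confidence are auto-applied to the dashboard.
const AUTO_APPLY_THRESHOLD = 0.8;

// Scan an artifact line by line. Each finding records the control, result,
// confidence, matched keyword, the evidence snippet and its line number.
function scanArtifact(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const rule of EVIDENCE_RULES) {
      if (!rule.re.test(line)) continue;
      findings.push({
        control: rule.control,
        result: rule.result,
        confidence: rule.confidence,
        keyword: rule.keyword,
        snippet: line.trim(),
        line: i + 1,
        autoApply: rule.confidence >= AUTO_APPLY_THRESHOLD,
      });
    }
  });
  return findings;
}

// Constructed Terraform sample: three positive controls, one weak match,
// one open security group.
const SAMPLE_TF = `
resource "aws_kms_key" "logs" {
  enable_key_rotation = true
}
resource "aws_cloudtrail" "main" {
  enable_log_file_validation = true
}
resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}
resource "aws_security_group" "web" {
  ingress {
    cidr_blocks = ["0.0.0.0/0"]
  }
}
`;

function demoScan() {
  return scanArtifact(SAMPLE_TF);
}

for (const f of demoScan()) {
  console.log(`${f.control} ${f.result} (${f.confidence}) line ${f.line}: ${f.snippet}` +
              (f.autoApply ? '' : '  [needs assessor review]'));
}
```

The point of the threshold is that the AU-2 match (a CloudTrail resource exists, but nothing about what it logs) stays a suggestion for the assessor rather than silently setting Pass, while the explicit configuration values are strong enough to auto-apply.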

Coverage

43 artifact controls · 19 policy families · 200+ linked controls · 15+ file formats
📖 How to Use

📎 Upload Artifacts

Drop configuration files, IaC templates, scripts, or logs here

Analyzes for compliance evidence and auto-maps to NIST 800-53 controls

Accepted formats: PDF, TXT, JSON, YAML, CSV, .tf, .py, .ps1, .sh, .conf, .xml, .yml
Test button: injects a synthetic Terraform + audit config to test the engine

📄 Upload Policy Documents

Drop policy documents here

Scans for required sections: purpose, scope, roles, procedures, review frequency

Accepted formats: PDF, TXT, DOCX, MD, RTF
Test button: injects a synthetic AC + IA + AU policy to test doc scanning

Phase 1: Keyword/pattern matching. Phase 2 (GovCloud): Semantic analysis via AWS Bedrock for narrative completeness and gap detection.

Wingman Compliance Scanner Offline — Environment Not Configured

AI-powered compliance scanner with Bedrock integration — scans targets, evaluates controls, and feeds Pass/Fail results directly into the GRC assessment dashboard

AWS Environment Required
Wingman requires AWS Bedrock access (Claude Sonnet) and target system connectivity. Configure AWS credentials and deploy the scanning infrastructure to enable.

Scanner Capabilities

Automated Technical Checks

Executes 135 commands across 14 control families with 652 individual compliance checks. Covers Linux, Windows, AWS, Azure, GCP, and Kubernetes platforms.

Bedrock AI Analysis

Uses AWS Bedrock (Claude Sonnet) to analyze findings, generate SAR-ready narratives, provide remediation guidance, and answer assessor questions in real-time.

OSCAL Output

Produces OSCAL Assessment Results JSON files compliant with the FedRAMP machine-readable schema. Maps every finding to NIST 800-53 Rev 5 controls.

Multi-Transport

Supports SSH (Linux), SSM Run Command (GovCloud), and local execution for testing. No SSH keys needed in production — uses IAM-based SSM.

Dashboard Integration

Import scan results to automatically set Pass/Fail on matched GRC controls. 105 rules mapped to NIST control IDs — updates propagate across all framework cards simultaneously.

Rule Coverage

135 rules · 652 checks · 14 families · 6 platforms · 59 rule files

CLI Usage

# Scan a Linux host with Bedrock AI analysis
$ wingman scan --host 10.0.0.5 --user auditor --key ~/.ssh/id_rsa
# Scan specific control families
$ wingman scan --host 10.0.0.5 --families AC,IA,AU
# Local test scan (no SSH needed)
$ wingman scan --local --platform linux --no-ai
# Generate SAR narrative from results
$ wingman report --input results.json --output narrative.md
# Interactive assessor Q&A
$ wingman ask --input results.json

Scan Outputs

📊 Console Report

Color-coded terminal output with pass/fail tables, family breakdown, and finding severity

📄 OSCAL JSON

FedRAMP-compliant Assessment Results with findings, observations, and control mappings

📝 AI Narrative

Bedrock-generated SAR narrative with findings, risk analysis, and remediation recommendations

GovCloud Target Architecture

Scan Engine
• Lambda functions (Scanner, Parser, Reporter)
• SSM Run Command for host execution
• DynamoDB for results history
• S3 for OSCAL exports + evidence
AI Layer
• Bedrock Agent orchestration
• Claude Sonnet for narrative generation
• Knowledge Base for control references
• Guardrails for CUI/PII filtering
Security
• FIPS 140-2 endpoints (PrivateLink)
• KMS CMK encryption (at rest + transit)
• VPC with private subnets only
• CloudTrail for all API activity
Targets Supported
• Linux (RHEL, Ubuntu, Amazon Linux)
• Windows Server (2019, 2022)
• AWS, Azure, GCP cloud services
• Kubernetes clusters
📖 Assessor Run Guide

Import Scan Results

Drop Wingman scan results here
Accepts OSCAL Assessment Results JSON from wingman scan --output results.json
Accepted formats: OSCAL JSON, raw JSON
How it works: Wingman maps each finding to NIST 800-53 controls. Importing results automatically sets the Pass/Fail status on all matched controls across every framework card. Fail results override Pass (conservative assessment).
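The import rule above (Fail overrides Pass) and the Dashboard Auto-Apply cascade described earlier (a passing AC-1 policy passes AC-2 through AC-22, but a Fail is never overridden) are the same conservative merge. The following is an added example of that merge, not Wingman's or Forseti's code: the dashboard shape (`makeDashboard`), the cascade rule for `-1` policy controls and the sample Assessment Results document are constructed here. The OSCAL finding fields it reads (`target.target-id` and `target.status.state`) are the standard OSCAL 1.1 finding target, but the sample is a deliberately minimal document, not a real Wingman export.

```javascript
// Added example: conservative Pass/Fail merge with family cascade.
// Not Wingman/Forseti code. The dashboard model and SAMPLE_AR are
// constructed for illustration; the OSCAL field names follow OSCAL 1.1.

// Hypothetical dashboard: control id -> "Pass" | "Fail" | "Not Assessed".
function makeDashboard(controlIds) {
  const dash = {};
  for (const id of controlIds) dash[id] = 'Not Assessed';
  return dash;
}

// Conservative merge: Fail always wins; Pass never overrides a Fail.
function mergeStatus(current, incoming) {
  if (current === 'Fail' || incoming === 'Fail') return 'Fail';
  if (current === 'Pass' || incoming === 'Pass') return 'Pass';
  return current;
}

// "AC-2" -> "AC"
function familyOf(controlId) {
  return controlId.split('-')[0];
}

// Pull findings out of an OSCAL Assessment Results document. Each finding's
// target carries the control/objective id and a status state of
// "satisfied" or "not-satisfied".
function findingsFromOscal(ar) {
  const out = [];
  const root = ar['assessment-results'] || {};
  for (const result of root.results || []) {
    for (const finding of result.findings || []) {
      const target = finding.target || {};
      const state = target.status && target.status.state;
      if (!target['target-id'] || !state) continue;
      out.push({
        control: target['target-id'].toUpperCase(),
        status: state === 'satisfied' ? 'Pass' : 'Fail',
      });
    }
  }
  return out;
}

// Apply findings to a dashboard copy. Direct results merge first; then any
// passing "-1" policy control cascades Pass to the rest of its family.
// Because the cascade also goes through mergeStatus, a Fail set directly on
// a family member (or from an earlier import) is never overridden.
function applyFindings(dashboard, findings) {
  const updated = { ...dashboard };
  for (const f of findings) {
    if (!(f.control in updated)) continue;  // control not tracked on this dashboard
    updated[f.control] = mergeStatus(updated[f.control], f.status);
  }
  for (const id of Object.keys(updated)) {
    if (!/^[A-Z]+-1$/.test(id) || updated[id] !== 'Pass') continue;
    const fam = familyOf(id);
    for (const other of Object.keys(updated)) {
      if (other !== id && familyOf(other) === fam) {
        updated[other] = mergeStatus(updated[other], 'Pass');
      }
    }
  }
  return updated;
}

// Constructed, minimal OSCAL Assessment Results: AC-1 passes, AC-2 fails, AU-2 passes.
const SAMPLE_AR = {
  'assessment-results': {
    results: [{
      findings: [
        { title: 'Access control policy present',
          target: { type: 'objective-id', 'target-id': 'ac-1', status: { state: 'satisfied' } } },
        { title: 'Inactive accounts not disabled',
          target: { type: 'objective-id', 'target-id': 'ac-2', status: { state: 'not-satisfied' } } },
        { title: 'Audit events generated',
          target: { type: 'objective-id', 'target-id': 'au-2', status: { state: 'satisfied' } } },
      ],
    }],
  },
};

function demoImport() {
  const dash = makeDashboard(['AC-1', 'AC-2', 'AC-3', 'AU-1', 'AU-2']);
  return applyFindings(dash, findingsFromOscal(SAMPLE_AR));
}

console.log(demoImport());
```

With this input AC-1 and AU-2 pass directly, AC-3 passes only through the AC-1 cascade, AC-2 stays Fail despite that cascade, and AU-1 remains Not Assessed because no policy finding for the AU family was imported.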

Wingman v0.1.0 — Built for AWS GovCloud (us-gov-west-1). Local scanning available in offline mode via wingman scan --local --no-ai