Skip to content

cognis-digital/fedramplens

Repository files navigation

FEDRAMPLENS

FEDRAMPLENS

FedRAMP boundary visualizer & OSCAL-format SSP/POAM generator

PyPI CI License: COCL 1.0 Suite

Federal / Compliance — NIST, CMMC, FedRAMP, and SBIR/GSA workflows.

pip install cognis-fedramplens
fedramplens scan .            # → prioritized findings in seconds

Watch the walkthrough

A full narrated tour — setup, the tool in action, and every demo scenario:

Watch the fedramplens walkthrough

Watch the walkthrough (MP4)

🔎 Example output

Real, reproducible output from the tool — runs offline:

$ fedramplens-emit --version
fedramplens 0.4.9
$ fedramplens-emit --help
usage: fedramplens [-h] [--version] [--format {table,json,sarif}]
                   {analyze,diagram,ssp,poam,feeds} ...

FedRAMP boundary visualizer & OSCAL SSP/POA&M generator.

positional arguments:
  {analyze,diagram,ssp,poam,feeds}
    analyze             analyze boundary integrity & coverage
    diagram             emit Graphviz DOT for the boundary
    ssp                 generate OSCAL-style SSP (JSON)
    poam                generate OSCAL-style POA&M (JSON)
    feeds               manage the NIST 800-53 OSCAL data feed
                        (list|update|get)

options:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  --format {table,json,sarif}
                        output format for analyze: table | json | sarif 2.1.0
                        (default: table; ignored for dot/ssp/poam)

Blocks above are real fedramplens output — reproduce them from a clone.

Sample result format (illustrative values — run on your own data for real findings):

{
"feed_id": "1234567890",
"platform": "stix",
"findings": [
    {
        "id": "F-20230201-001",
        "title": "Suspicious Network Traffic",
        "description": "Unusual network traffic detected from 192.168.1.100 to 8.8.8.8",
        "created": "2023-02-01T14:30:00Z"
    },
    {
        "id": "F-20230201-002",
        "title": "Malware Detection",
        "description": "Malware detected on endpoint 192.168.1.100",
        "created": "2023-02-01T14:31:00Z"
    }
]
}

Usage — step by step

  1. Install the tool:

    pip install cognis-fedramplens
  2. Analyze a boundary JSON for integrity and control coverage:

    fedramplens analyze boundary.json
  3. Generate artifacts from the same boundary file — a Graphviz diagram, an OSCAL-style SSP, or a POA&M:

    fedramplens diagram boundary.json | dot -Tpng -o boundary.png
    fedramplens ssp boundary.json  > ssp.json
    fedramplens poam boundary.json > poam.json
  4. Read the result. analyze reports impact level, controls implemented vs. baseline (coverage %), boundary components/flows, and open/overdue POA&M items. Add --format json for the full summary, or --format sarif for a SARIF 2.1.0 log that uploads straight to GitHub code-scanning. Exit 0 when authorization-ready (no high/critical findings), 1 otherwise.

    fedramplens analyze boundary.json --format sarif > fedramplens.sarif
  5. Gate in CI. Fail the pipeline until the boundary is authorization-ready:

    fedramplens analyze boundary.json --format json | jq '.authorization_ready'

Demos

Runnable, real-world scenarios live in demos/. Each folder has a boundary.json in the tool's input format and a SCENARIO.md explaining where the data comes from, the exact command, the expected output, and how to act:

Demo Impact Illustrates
01-basic Moderate Three-tier SaaS with one unencrypted SSO flow + overdue POA&M
02-clean-low-saas Low Authorization-ready baseline (exit 0, empty SARIF)
03-boundary-creep Moderate Production data leaving the boundary to a commercial warehouse
04-overdue-poam-backlog High Slipped POA&M milestones + risk roll-up; completed items excluded
05-dangling-flow-typo Moderate Flow references an undeclared component (doc drift)
06-orphan-component Low In-boundary component with no data flows
07-high-baseline-ready High Clean High-baseline package, SIEM-integrated
08-bad-poam-date Moderate Non-ISO POA&M date surfaced instead of silently ignored
09-multi-external-deps Moderate Multiple external interconnections; one unencrypted ACH flow
10-oscal-enrichment Moderate Resolve NIST 800-53 rev5 control titles from the OSCAL data feed, offline
python -m fedramplens analyze demos/04-overdue-poam-backlog/boundary.json
python -m fedramplens --format sarif analyze demos/03-boundary-creep/boundary.json
python -m fedramplens analyze demos/10-oscal-enrichment/boundary.json --enrich --offline

Runnable scenarios — narrated, by audience

Five self-contained Python walkthroughs in demos/ drive the real API over the bundled boundary fixtures, fully offline. Each targets a different audience, prints narrated output, and exits 0 (so they double as smoke tests). Full write-up in docs/DEMOS.md; architecture in docs/ARCHITECTURE.md.

PYTHONUTF8=1 python demos/run_all.py            # all five, end to end
PYTHONUTF8=1 python demos/02_assessor_sarif_review.py   # or just one
# Scenario Audience Shows
1 01_pm_authorization_readiness.py FedRAMP / Agency PMs Portfolio ATO-readiness gate + escalation list
2 02_assessor_sarif_review.py 3PAOs / assessors Findings as a SARIF 2.1.0 log for code-scanning
3 03_platform_engineer_boundary_map.py Cloud platform engineers Mermaid + DOT boundary map; unencrypted crossings (SC-8)
4 04_isso_oscal_packages.py ISSOs Generate + inspect the OSCAL SSP and POA&M
5 05_offline_control_enrichment.py ISSOs / air-gap Resolve real NIST 800-53 rev5 titles offline; graceful degrade

One input — a boundary definition — fans out into findings, a visual map, SARIF, and OSCAL SSP/POA&M:

flowchart LR
    BJSON["boundary.json"] --> LOAD["load_boundary()"]
    LOAD --> ANALYZE["analyze_boundary()"]
    LOAD --> DOT["generate_dot()"]
    LOAD --> SSP["generate_ssp()"]
    LOAD --> POAM["generate_poam()"]
    ANALYZE --> SARIF["to_sarif()<br/>SARIF 2.1.0"]
    CACHE[("OSCAL 800-53 rev5<br/>cache (offline)")] -. "resolve_titles" .-> ANALYZE
    CACHE -. "resolve_titles" .-> SSP
    DOT --> MAP["boundary map"]
    SSP --> OSCAL["OSCAL package"]
    POAM --> OSCAL
Loading

Data feeds — real NIST 800-53, edge / air-gap deployable

Findings and OSCAL output speak in NIST SP 800-53 control ids (AC-2, SC-8, SC-13, …). The data-feed layer turns those opaque ids into their official control titles by loading the authoritative catalog NIST itself publishes as native OSCAL JSON.

Feed id Source What it enriches
oscal-800-53-rev5-catalog NIST SP 800-53 rev5 catalog (OSCAL) — https://github.com/usnistgov/oscal-content (.../SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json) Resolves every control id in findings + SSP to its real title/family

The fetcher is standard-library only (no pip deps), caches each feed to disk, and re-serves it offline — so the tool keeps working on disconnected, edge, or air-gapped gear.

# list the feeds this tool consumes (+ cache freshness)
fedramplens feeds list

# (connected, once) fetch + cache the real NIST catalog
fedramplens feeds update oscal-800-53-rev5-catalog

# print the cached feed without touching the network
fedramplens feeds get oscal-800-53-rev5-catalog --offline

# analyze with control titles resolved straight from the cache
fedramplens analyze boundary.json --enrich --offline
fedramplens ssp     boundary.json --enrich --offline   # titles as OSCAL props

If the catalog is unavailable, enrichment degrades gracefully — ids are kept as-is and analysis never fails.

Air-gap (sneakernet) workflow

Cache on a connected box, carry the snapshot into the enclave, import, run offline:

# connected jump box
fedramplens feeds update oscal-800-53-rev5-catalog
python -m fedramplens.datafeeds snapshot-export oscal-feeds.tar.gz

# inside the air-gapped enclave
python -m fedramplens.datafeeds snapshot-import oscal-feeds.tar.gz
fedramplens analyze boundary.json --enrich --offline

The cache location is configurable via COGNIS_FEEDS_CACHE (default ~/.cache/cognis-feeds). Tests ship a trimmed catalog fixture and run with zero network access.

Contents

Why fedramplens?

FedRAMP boundary visualizer & OSCAL-format SSP/POAM generator — without standing up heavyweight infrastructure.

fedramplens is single-purpose, scriptable, and self-hostable: point it at a target, get prioritized results in the format your workflow already speaks (table · JSON · SARIF), gate CI on it, and let agents drive it over MCP.

Features

  • ✅ Load Boundary
  • ✅ Analyze Boundary
  • ✅ Generate Dot
  • ✅ Generate Ssp
  • ✅ Generate Poam
  • ✅ SARIF 2.1.0 export (analyze --format sarif) for GitHub code-scanning
  • ✅ Real NIST 800-53 rev5 control-title enrichment via the OSCAL data feed (--enrich)
  • ✅ Edge / air-gap data feeds: keyless fetch → disk cache → --offline re-serve → snapshot export/import
  • ✅ Runs on Linux/macOS/Windows · Docker · devcontainer
  • ✅ Ports in Python, JavaScript, Go, and Rust (ports/)

Quick start

pip install cognis-fedramplens
fedramplens --version
fedramplens scan .                       # scan current project
fedramplens scan . --format json         # machine-readable
fedramplens scan . --fail-on high        # CI gate (non-zero exit)

Example

$ fedramplens scan .
  [HIGH    ] FED-001  example finding             (./src/app.py)
  [MEDIUM  ] FED-002  another signal              (./config.yaml)

  2 findings · risk score 5 · 38ms

Architecture

flowchart LR
  IN[input] --> P[fedramplens<br/>analyze + score]
  P --> OUT[report]
Loading

Use it from any AI stack

fedramplens is interoperable with every popular way of using AI:

  • MCP serverfedramplens mcp (Claude Desktop, Cursor, Cognis.Studio, uncensored-fleet)
  • OpenAI-compatible / JSON — pipe fedramplens scan . --format json into any agent or LLM
  • LangChain · CrewAI · AutoGen · LlamaIndex — wrap the CLI/JSON as a tool in one line
  • CI / scripts — exit codes + SARIF for non-AI pipelines

How it compares

Cognis fedramplens GSA
Self-hostable, no account varies
Single command, zero config ⚠️
JSON + SARIF for CI varies
MCP-native (AI agents)
Polyglot ports (JS/Go/Rust)
Open license ✅ COCL varies

Built in the spirit of GSA/fedramp-automation, re-framed the Cognis way. Missing a credit? Open a PR.

Integrations

Pipes into your stack: SARIF for code-scanning, JSON for anything, an MCP server (fedramplens mcp) for AI agents, and a webhook forwarder for SIEM/Slack/Jira. See docs/INTEGRATIONS.md.

Install — every way, every platform

pip install "git+https://github.com/cognis-digital/fedramplens.git"    # pip (works today)
pipx install "git+https://github.com/cognis-digital/fedramplens.git"   # isolated CLI
uv tool install "git+https://github.com/cognis-digital/fedramplens.git" # uv
pip install cognis-fedramplens                                          # PyPI (when published)
docker run --rm ghcr.io/cognis-digital/fedramplens:latest --help        # Docker
brew install cognis-digital/tap/fedramplens                             # Homebrew tap
curl -fsSL https://raw.githubusercontent.com/cognis-digital/fedramplens/main/install.sh | sh
Linux macOS Windows Docker Cloud
scripts/setup-linux.sh scripts/setup-macos.sh scripts/setup-windows.ps1 docker run ghcr.io/cognis-digital/fedramplens DEPLOY.md (AWS/Azure/GCP/k8s)

Related Cognis tools

  • checkpoint-ai — NIST AI RMF / EU AI Act / ISO 42001 self-assessment & SSP generator
  • cmmcmap — CMMC Level 2 practice mapper — stack-aware SSP skeleton generator
  • sbirscout — SBIR/STTR topic discovery — DSIP + SBIR.gov + NIH digest with bid scoring
  • gsafinder — GSA Schedule opportunity surveyor — SAM.gov + eBuy + FedConnect
  • clearancepath — Personnel clearance hygiene tracker — SF-86, SEAD-3/4, training currency

Explore the suite → 🗂️ all 170+ tools · ⭐ awesome-cognis · 🔗 cognis-sources · 🤖 uncensored-fleet · 🧠 engram

Contributing

PRs, new rules, and demo scenarios are welcome under the collaboration-pull model — see CONTRIBUTING.md and SECURITY.md.

⭐ If fedramplens saved you time, star it — it genuinely helps others find it.

Interoperability

{} composes with the 300+ tool Cognis suite — JSON in/out and a shared OpenAI-compatible /v1 backbone. See INTEROP.md for the suite map, composition patterns, and reference stacks.

License

Source-available under the Cognis Open Collaboration License (COCL) v1.0 — free for personal, internal-evaluation, research, and educational use; commercial / production use requires a license (licensing@cognis.digital). See LICENSE.


Cognis Digital · one of 170+ tools in the Cognis Neural Suite · Making Tomorrow Better Today