## Overview
A full-stack, multi-tenant SaaS that helps FedRAMP-authorized cloud service providers run their ongoing continuous monitoring obligations: vulnerability and POA&M management, deviation and significant-change requests, incident reporting, system inventory, control implementation tracking, and generation of FedRAMP and OSCAL deliverables.
Built end to end with Next.js 15, Supabase (Postgres with row-level security), and a CI/CD pipeline that runs SAST, DAST, dependency auditing, type checking, linting, and tests on every change.
## The problem it solves
FedRAMP authorization is not a one-time event. Authorized providers must continuously monitor their systems and deliver monthly evidence to the FedRAMP PMO and their agency Authorizing Official: an updated POA&M, vulnerability scan results, deviation requests, inventory, significant changes, and incident summaries, with strict remediation timelines and increasingly with machine-readable OSCAL artifacts.
Most teams run this in spreadsheets and email. This platform turns it into a structured, auditable, automation-friendly workflow.
## Key capabilities
| Area | What it does | Control family |
|---|---|---|
| Vulnerability ingestion | Parses Nessus, Qualys, OWASP ZAP, Burp, and database scan exports; deduplicates findings; auto-creates POA&M items | RA-5, SI-2 |
| POA&M lifecycle | Severity, SLA tracking (30 / 90 / 180-day windows), milestones, aging, deviation linkage, FedRAMP template export | CA-5 |
| KEV / BOD 22-01 | Syncs the CISA Known Exploited Vulnerabilities catalog and applies the 14-day remediation deadline | RA-5, BOD 22-01 |
| Deviation requests | Risk Adjustment, False Positive, and Operational Requirement workflows with reviewer and AO concurrence | CA-5 |
| Significant change | SCR lifecycle with 3PAO consultation and post-implementation testing | CM-3, CA-6 |
| Incidents | US-CERT / CISA reporting on the 1-hour timeline with the current NCISS impact taxonomy | IR-6 |
| Inventory and boundary | CM-8 hardware and software inventory with authorization boundary and ISA tracking | CM-8, CA-3 |
| Control implementations | Per-control status, inheritance origin, parameters, and evidence | CA-7 |
| OSCAL output | Generates OSCAL 1.1.2 POA&M, SSP, SAP, and SAR; imports OSCAL POA&Ms for round-tripping | FedRAMP automation |
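The POA&M timelines in the table above (30 / 90 / 180-day windows by severity, the 14-day KEV deadline, and de-duplication of findings across scan exports) are easy to get subtly wrong, so here is an added example, written for this page and not taken from the project's code, of how that SLA math and merge logic can be expressed. The CVSS v3 qualitative bands are the standard ones; putting Critical on the 30-day timeline, the `Finding` shape, and the function names (`computeSla`, `dedupeFindings`) are assumptions for illustration.

```typescript
// Added example (not the project's code): POA&M severity mapping, SLA due dates
// and scan-finding de-duplication as described on the page. Windows (30/90/180
// days by severity, 14 days for KEV) are from the page; the CVSS v3 bands are the
// standard qualitative scale; Critical on the 30-day timeline is an assumption.

export type Severity = "critical" | "high" | "moderate" | "low";

export const SLA_DAYS: Record<Severity, number> = {
  critical: 30, // assumption: Critical is handled on the High (30-day) timeline
  high: 30,
  moderate: 90,
  low: 180,
};

export const KEV_SLA_DAYS = 14; // BOD 22-01 deadline applied when the CVE is in the KEV catalog

export function severityFromCvss(score: number): Severity {
  if (!Number.isFinite(score) || score < 0 || score > 10) {
    throw new RangeError(`invalid CVSS score: ${score}`);
  }
  if (score >= 9.0) return "critical";
  if (score >= 7.0) return "high";
  if (score >= 4.0) return "moderate";
  return "low";
}

export interface Finding {
  asset: string;      // hostname / IP / container id as reported by the scanner
  cve: string;        // CVE id, or a scanner plugin id when no CVE is assigned
  cvss: number;
  detectedAt: string; // ISO-8601 UTC date of first detection
  inKev: boolean;
}

export interface SlaResult {
  severity: Severity;
  windowDays: number;
  dueAt: string;      // YYYY-MM-DD (UTC)
  daysRemaining: number;
  overdue: boolean;
}

// Date arithmetic in UTC so a DST transition never shifts a due date by an hour.
function addDaysUtc(iso: string, days: number): Date {
  const d = new Date(iso);
  return new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth(), d.getUTCDate() + days));
}

export function computeSla(f: Finding, asOf: string): SlaResult {
  const severity = severityFromCvss(f.cvss);
  // The KEV deadline only ever shortens the window; it never extends it.
  const windowDays = f.inKev ? Math.min(SLA_DAYS[severity], KEV_SLA_DAYS) : SLA_DAYS[severity];
  const due = addDaysUtc(f.detectedAt, windowDays);
  const now = new Date(asOf);
  const daysRemaining = Math.floor((due.getTime() - now.getTime()) / 86_400_000);
  return {
    severity,
    windowDays,
    dueAt: due.toISOString().slice(0, 10),
    daysRemaining,
    overdue: now.getTime() > due.getTime(),
  };
}

// Two scanners (or two runs) reporting the same CVE on the same asset are one
// POA&M item: keep the earliest detection so the remediation clock is not reset,
// the highest CVSS reported, and the KEV flag if any source set it.
export function dedupeFindings(findings: Finding[]): Finding[] {
  const merged = new Map<string, Finding>();
  for (const f of findings) {
    const key = `${f.asset.toLowerCase()}|${f.cve.toUpperCase()}`;
    const existing = merged.get(key);
    if (!existing) {
      merged.set(key, { ...f });
      continue;
    }
    merged.set(key, {
      ...existing,
      cvss: Math.max(existing.cvss, f.cvss),
      detectedAt: existing.detectedAt <= f.detectedAt ? existing.detectedAt : f.detectedAt,
      inKev: existing.inKev || f.inKev,
    });
  }
  return [...merged.values()];
}
```

The design point worth noting is that the KEV deadline is applied with `Math.min`, so a Low finding that lands in the catalog moves to 14 days while a High finding never gets relaxed; and de-duplication keeps the earliest `detectedAt`, because a re-scan that re-reports an old finding must not restart its SLA.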
## Architecture
- Next.js 15 App Router (React 19, Server Components, Server Actions) on Vercel
- Supabase (Postgres, Auth, Storage, pg_cron) with row-level security on every tenant table
- NIST SP 800-53 Rev 5 baselines generated from authoritative NIST OSCAL content
- react-pdf and ExcelJS for document generation; fast-xml-parser for OSCAL
- Resend for transactional email, Stripe for billing
- Vitest for tests, GitHub Actions for CI/CD
## Security engineering
- Multi-tenant isolation enforced by Postgres RLS, scoped to the tenant organization on every read
- Enforced MFA (TOTP) with WebAuthn passkey support
- Tamper-evident audit log: per-organization SHA-256 hash chain covering each change payload, with database triggers that reject update, delete, and truncate for all roles
- Application-layer envelope encryption (AES-256-GCM, per-tenant key derivation) as the seam for future customer-managed keys
- Server-side evidence integrity hashing and authorization checks on every privileged write
- Documentation set: System Security Plan, NIST SP 800-218 SSDF attestation mapped to the CI pipeline, BCP / DR and retention policies, trust center
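To make the audit-log and encryption bullets above concrete, here is an added example, written for this page rather than taken from the project, of a tamper-evident audit log that stores each change payload encrypted with AES-256-GCM under a per-tenant key and chains SHA-256 hashes per organization. The master key, the HKDF info string, binding the tenant id and sequence number into the GCM additional authenticated data, and the names `AuditLog`, `deriveTenantKey` and `verifyChain` are all assumptions for illustration; the page's database triggers that reject update, delete and truncate are the complementary control this code does not replace.

```typescript
// Added example (not the project's code): per-organization SHA-256 hash chain
// over AES-256-GCM encrypted change payloads, with per-tenant keys derived from
// a single master key via HKDF. Assumption: the master key is held by the app
// (e.g. KMS-backed) and HKDF is the seam where a customer-managed key could plug in.
import { createCipheriv, createDecipheriv, createHash, hkdfSync, randomBytes } from "node:crypto";

export interface AuditEntry {
  org: string;
  seq: number;        // 1-based position within this organization's chain
  prevHash: string;   // hex SHA-256 of the previous entry for this org, or GENESIS
  iv: string;         // hex, 96-bit GCM nonce
  ciphertext: string; // hex, AES-256-GCM of the JSON change payload
  tag: string;        // hex, 128-bit GCM authentication tag
  hash: string;       // hex SHA-256 over all fields above
}

export const GENESIS = "0".repeat(64);

// Per-tenant data key: HKDF-SHA256 of the master key with the org id in the info field.
export function deriveTenantKey(masterKey: Buffer, org: string): Buffer {
  return Buffer.from(hkdfSync("sha256", masterKey, Buffer.alloc(0), `audit-payload:${org}`, 32));
}

export function entryHash(e: Omit<AuditEntry, "hash">): string {
  return createHash("sha256")
    .update([e.org, String(e.seq), e.prevHash, e.iv, e.ciphertext, e.tag].join("\n"))
    .digest("hex");
}

export class AuditLog {
  private readonly chains = new Map<string, AuditEntry[]>();
  constructor(private readonly masterKey: Buffer) {}

  append(org: string, payload: unknown): AuditEntry {
    const chain = this.chains.get(org) ?? [];
    const prev: AuditEntry | undefined = chain[chain.length - 1];
    const seq = (prev?.seq ?? 0) + 1;
    const iv = randomBytes(12);
    const cipher = createCipheriv("aes-256-gcm", deriveTenantKey(this.masterKey, org), iv);
    // Bind the ciphertext to its tenant and chain position via AAD, so a record
    // cannot be replayed under another org or at another sequence number.
    cipher.setAAD(Buffer.from(`${org}:${seq}`));
    const ct = Buffer.concat([cipher.update(JSON.stringify(payload), "utf8"), cipher.final()]);
    const partial: Omit<AuditEntry, "hash"> = {
      org,
      seq,
      prevHash: prev?.hash ?? GENESIS,
      iv: iv.toString("hex"),
      ciphertext: ct.toString("hex"),
      tag: cipher.getAuthTag().toString("hex"),
    };
    const entry: AuditEntry = { ...partial, hash: entryHash(partial) };
    chain.push(entry);
    this.chains.set(org, chain);
    return entry;
  }

  rows(org: string): AuditEntry[] {
    return [...(this.chains.get(org) ?? [])];
  }

  decrypt(e: AuditEntry): unknown {
    const d = createDecipheriv("aes-256-gcm", deriveTenantKey(this.masterKey, e.org), Buffer.from(e.iv, "hex"));
    d.setAAD(Buffer.from(`${e.org}:${e.seq}`));
    d.setAuthTag(Buffer.from(e.tag, "hex"));
    // final() throws if the ciphertext, tag, or AAD was altered.
    const pt = Buffer.concat([d.update(Buffer.from(e.ciphertext, "hex")), d.final()]);
    return JSON.parse(pt.toString("utf8"));
  }
}

// Walks one organization's rows and reports the first sequence number at which
// the chain breaks: a modified field, a missing row, or a reordered row.
export function verifyChain(rows: AuditEntry[]): { ok: boolean; brokenAt?: number } {
  let prevHash = GENESIS;
  for (let i = 0; i < rows.length; i++) {
    const { hash, ...rest } = rows[i];
    if (rest.seq !== i + 1 || rest.prevHash !== prevHash || entryHash(rest) !== hash) {
      return { ok: false, brokenAt: rest.seq };
    }
    prevHash = hash;
  }
  return { ok: true };
}
```

One caveat a verifier should keep in mind: a chain walk detects edits, deletions and reordering in the middle of the log, but truncation of the most recent rows is only detectable if the latest hash is also anchored somewhere the database writer cannot reach (a monthly deliverable, an external log, or a signed checkpoint).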
## Quality
- Unit test suite (Vitest) covering severity mapping, SLA math, POA&M numbering, scan parsers, and OSCAL conformance
- CI gates on every PR: dependency audit (zero production vulnerabilities), TypeScript, ESLint, build, tests, CodeQL static analysis, ZAP dynamic scan against the preview deployment
## Honest status
This is a working platform and a portfolio project. It is not yet hosted in a FedRAMP-authorized boundary and is not itself FedRAMP authorized. The cryptography uses FIPS-approved algorithms; FIPS module validation and a move to FedRAMP-authorized infrastructure are the next phase.