Pragma FedRAMP — OSCAL-native authoring for commercial CSPs
OSCAL-native, AI-drafted FedRAMP authoring
Generate a NIST 800-53 Rev5 Moderate System Security Plan with grounded, evidence-cited control narratives — human-approved, WORM-audited, and emitted as schema-valid OSCAL 1.1.2.
The SSP-generator wedge
1 · Implementation + evidence
A CSP author writes the implementation statement for a control and attaches evidence artifacts — scanner pulls, SBOMs, or manual uploads — each tagged to the control(s) it supports.
2 · Grounded AI draft
Claude drafts the control-implementation narrative grounded ONLY in the statement + evidence, with inline [ev:id] citations. It lands as pending_human_approval — never auto-approved.
3 · Human approval
The author reviews and approves. Only approved narratives can be emitted. Every draft and approval is written to a per-tenant SHA-256 WORM audit chain.
4 · Specshift pre-flight
Before submitting, run the Specshift submission-readiness pre-flight: it scores the package for OSCAL conformance (does it validate?), completeness (every required control/KSI authored + evidenced?), and readiness — a graded A–F report with the specific gaps to fix.
5 · OSCAL 1.1.2 SSP
Approved narratives are emitted as a schema-valid OSCAL 1.1.2 System Security Plan fragment — the machine-readable format RFC-0024 mandates for all Rev5 providers.
800-53 Rev5 Moderate baseline
323 controls seeded — the full FedRAMP Rev5 Moderate baseline (181 base + 142 enhancements) across all 18 families, resolved from the vendored OSCAL profile + catalog.
- AC43
- AT6
- AU16
- CA14
- CM27
- CP23
- IA27
- IR17
- MA10
- MP7
- PE19
- PL7
- PS10
- RA11
- SA21
- SC29
- SI24
- SR12