Pragma FedRAMP — OSCAL-native authoring for commercial CSPs

OSCAL-native, AI-drafted FedRAMP authoring

Generate a NIST 800-53 Rev5 Moderate System Security Plan with grounded, evidence-cited control narratives — human-approved, WORM-audited, and emitted as schema-valid OSCAL 1.1.2.

The SSP-generator wedge

  1. 1 · Implementation + evidence

    A CSP author writes the implementation statement for a control and attaches evidence artifacts — scanner pulls, SBOMs, or manual uploads — each tagged to the control(s) it supports.

  2. 2 · Grounded AI draft

    Claude drafts the control-implementation narrative grounded ONLY in the statement + evidence, with inline [ev:id] citations. It lands as pending_human_approval — never auto-approved.

  3. 3 · Human approval

    The author reviews and approves. Only approved narratives can be emitted. Every draft and approval is written to a per-tenant SHA-256 WORM audit chain.

  4. 4 · Specshift pre-flight

    Before submitting, run the Specshift submission-readiness pre-flight: it scores the package for OSCAL conformance (does it validate?), completeness (every required control/KSI authored + evidenced?), and readiness — a graded A–F report with the specific gaps to fix.

  5. 5 · OSCAL 1.1.2 SSP

    Approved narratives are emitted as a schema-valid OSCAL 1.1.2 System Security Plan fragment — the machine-readable format RFC-0024 mandates for all Rev5 providers.

800-53 Rev5 Moderate baseline

323 controls seeded — the full FedRAMP Rev5 Moderate baseline (181 base + 142 enhancements) across all 18 families, resolved from the vendored OSCAL profile + catalog.