Compliance Documents

FedRAMP SSP/POA&M/SAR Generation, SOC 2 Evidence Export, CMMC Assessment, and Cloud Evidence Collection

Complete

FedRAMP SSP/POA&M/SAR

Auto-generated FedRAMP authorization documents in JSON and HTML

Complete

SOC 2 Evidence Export

Audit evidence package in JSON and CSV for auditors

Complete

CMMC Assessment

Level 2 self-assessment with domain readiness scores

Complete

Cloud Evidence

Real-time Azure/AWS evidence collection via cloud APIs

Overview

The Compliance Documents module generates audit-ready compliance documents from the Compliance Engine's live state. It bridges the gap between automated compliance monitoring and the formal documents required for government authorization (FedRAMP ATO), SOC 2 audits, and CMMC certification.

Compliance officers need to produce SSPs, POA&Ms, SARs, audit evidence packages, and self-assessment questionnaires. Producing these manually from compliance dashboards is time-consuming and error-prone. This module automates the entire document generation pipeline, pulling live data from the compliance engine and formatting it into framework-specific documents.

What Was Proposed

Automated FedRAMP SSP, POA&M, and SAR document generation
SOC 2 Type II audit evidence export (JSON and CSV formats)
CMMC Level 2 self-assessment with domain readiness scoring
Real cloud evidence collection from Azure and AWS APIs
Compliance officer dashboard aggregating all data

What's Built Complete

Document Generators

File: platform/api/app/services/compliance/document_generator.py (~1200 lines)

FedRAMPDocumentGenerator: Generates SSP (JSON + HTML), POA&M with remediation milestones, and SAR with executive summary, findings per control family, and risk rating
SOC2AuditExporter: Exports full evidence package (JSON) and auditor-friendly CSV with control-level evidence rows
CMMCAssessmentGenerator: Generates CMMC Level 2 assessment with domain readiness scores, self-assessment questionnaire with automated responses, and practice-to-control mapping
All documents include SHA-256 integrity hashes, document IDs, generation timestamps, and version metadata

Cloud Evidence Collectors

File: platform/api/app/services/compliance/cloud_evidence.py (~800 lines)

AzureEvidenceCollector: Connects to Azure Resource Graph (policy compliance), Microsoft Graph API (MFA enrollment), Azure Network Management (NSG rules), Key Vault (access policies), Storage accounts (encryption status), and SQL databases (TDE)
AWSEvidenceCollector: Stub with simulated evidence for Config, IAM, Security Groups, and encryption (S3/RDS/EBS)
BaseEvidenceCollector: Abstract base class ensuring all collectors implement collect_policy_compliance, collect_identity_mfa_status, collect_network_rules, and collect_encryption_status
All collectors return EvidenceRecord objects with confidence scores (0.98 for real API data, 0.70 for simulated)
Graceful fallback: when Azure SDK or credentials are unavailable, collectors generate simulated evidence

Compliance Officer Dashboard

The /officer/dashboard endpoint aggregates:

Per-framework compliance scores and control breakdowns
Active drift alerts (critical, high counts)
Evidence health metrics (total records, high-confidence records)
Cloud provider status (configured vs simulated)
Document generation readiness flags per document type
30-day trend data

Frontend UI

File: platform/frontend/src/app/compliance-docs/page.tsx (~530 lines)

Framework compliance score cards with trend arrows and progress bars
Control status heatmap table with coverage percentages
Evidence collection panel with live progress, pass/fail indicators, and source tagging
Document generation cards (SSP, POA&M, SOC 2) with generate/download workflow
CMMC assessment section with per-domain horizontal bar charts and overall readiness score

Architecture

Frontend (Next.js)                     API (FastAPI)
+----------------------------+   +--------------------------------------+
| /compliance-docs           |   | /api/v1/compliance/*                 |
| - Framework Score Cards    |-->|                                      |
| - Control Heatmap          |   | FedRAMPDocumentGenerator             |
| - Evidence Collection UI   |   |   generate_ssp() / generate_poam()   |
| - Document Gen Cards       |   |   generate_sar()                     |
| - CMMC Domain Bars         |   | SOC2AuditExporter                    |
+----------------------------+   |   export_evidence_package() / csv()  |
                                 | CMMCAssessmentGenerator              |
                                 |   generate_assessment()              |
                                 | AzureEvidenceCollector               |
                                 |   Resource Graph, Graph API, ARM     |
                                 | AWSEvidenceCollector (stub)          |
                                 +--------------------------------------+
                                         |
                                 ComplianceAutomationEngine (shared state)

Routing

Type	Path	Description
Frontend	`/compliance-docs`	Document generation and evidence collection UI
API Prefix	`/api/v1/compliance`	All compliance document endpoints

API Endpoints

Method	Endpoint	Description
`POST`	`/generate/ssp`	Generate FedRAMP SSP (format=json\|html)
`POST`	`/generate/poam`	Generate FedRAMP POA&M
`POST`	`/generate/sar`	Generate FedRAMP SAR summary
`GET`	`/export/soc2`	Export SOC 2 evidence (format=json\|csv)
`GET`	`/export/cmmc`	Export CMMC Level 2 self-assessment
`GET`	`/evidence/collect`	Trigger real-time cloud evidence collection
`GET`	`/officer/dashboard`	Compliance officer dashboard data

Prerequisites

Compliance Engine must be running (provides shared state via compliance_engine singleton)
For real Azure evidence: azure_tenant_id, azure_client_id, azure_client_secret in settings
Optional: azure-identity and aiohttp Python packages for live Azure API calls
AWS evidence collection is stubbed -- returns simulated data pending future integration

Data Model

Document Output Structures

Document	Key Fields
FedRAMP SSP	`document_id`, `system_info`, `security_controls` (per family), `authorization_boundary`, `data_flow`, SHA-256 hash
FedRAMP POA&M	`document_id`, `poam_items[]` (control_id, weakness, remediation_plan, milestones, scheduled_completion), `summary`
FedRAMP SAR	`document_id`, `executive_summary` (overall_risk_rating), `findings_by_family[]`, `assessment_methodology`
SOC 2 Evidence	`document_id`, `trust_service_criteria[]`, `evidence_records[]`, `control_mapping`, CSV export with tabular rows
CMMC Assessment	`document_id`, `executive_summary` (overall_readiness_score), `domain_scores[]`, `questionnaire[]`, `practice_mapping[]`

Evidence Record

Field	Type	Description
`control_id`	string	Mapped control family (AC, SC, etc.)
`evidence_type`	EvidenceType	Category of evidence collected
`data`	dict	Source-specific evidence data (policy counts, MFA status, etc.)
`collector_name`	string	Name of the collector that gathered this evidence
`confidence_score`	float	0.0-1.0 confidence (0.98 for real API, 0.70 for simulated)

UI Description

The Compliance Documents page uses the ThreatOps white-and-orange design system and is organized into five sections:

Framework Compliance Scores: Four cards (FedRAMP, SOC 2, NIST 800-53, CMMC L2) showing percentage scores with colored progress bars and trend arrows
Control Status Heatmap: Table with categories (Access Control, Audit, Security Assessment, etc.) showing implemented/partial/not-implemented counts and coverage percentage bars
Evidence Collection: Panel with "Collect Evidence" button that triggers cloud API calls and shows progressive results with pass/fail/collecting status icons, source labels, and timestamps
Document Generation: Three cards (SSP, POA&M, SOC 2) each with idle/generating/complete/error states and generate/download buttons
CMMC Assessment: Domain-level horizontal bar chart showing 10 CMMC domains with readiness percentage bars (green ≥ 85, orange ≥ 70, red below) and an overall readiness score