Compliance Engine

Continuous Compliance Automation for FedRAMP High, SOC 2 Type II, NIST 800-53, and CMMC Level 2

Complete

Automated Scanning

Hourly control monitoring with zero manual intervention

Complete

4 Frameworks

FedRAMP High, SOC 2 Type II, NIST 800-53, CMMC L2

Complete

Drift Detection

Real-time drift alerts with auto-remediation

Complete

Evidence Collection

16+ evidence types with confidence scoring

Overview

The Compliance Engine is ThreatOps's automated compliance posture management system. It provides continuous monitoring of security controls across four major compliance frameworks, automatically collecting evidence, scoring controls, detecting compliance drift, and generating framework-specific reports -- all without manual intervention.

SOCaaS platforms must demonstrate compliance to win government and enterprise contracts. Manual compliance tracking is error-prone, slow, and fails audits. The Compliance Engine automates this entire lifecycle: from evidence collection through scoring, drift detection, and report generation.

What Was Proposed

Continuous automated compliance monitoring for FedRAMP, SOC 2, NIST 800-53, and CMMC
Automated evidence collection from cloud infrastructure (Azure, AWS)
Per-framework scoring with control-level granularity
Compliance drift detection and alerting
Trend analysis and daily score snapshots
Framework-specific compliance report generation

What's Built Complete

Backend Service: ComplianceAutomationEngine

The core engine (compliance_engine.py, ~1600 lines) is a production-grade background service with the following capabilities:

4 Frameworks with full control definitions: FedRAMP High (18 families, 325+ controls), SOC 2 Type II (5 Trust Service Criteria), NIST 800-53 Rev 5 (20 families), CMMC Level 2 (14 domains)
16+ Evidence Types: access_list, role_assignment, mfa_status, login_audit, audit_log_stats, log_retention, log_completeness, encryption_status, network_policy, firewall_rules, incident_metrics, playbook_stats, deploy_config, image_scan, and more
Automated Evidence Collectors: Multiple collector classes that gather evidence from platform telemetry, compute confidence scores, and map evidence to controls
Control Scoring: Weighted scoring per control with status states: compliant, non-compliant, partial, not-assessed
Drift Detection: Automatic detection when a control status regresses, with severity classification (critical/high/medium/low) and optional auto-remediation
Daily Snapshots: Score trend data stored for 30-day trend visualization
Background Scheduler: Hourly scans with manual scan trigger support

API Router: 10 Endpoints

File: platform/api/app/routers/compliance_engine.py

Frontend: Full Dashboard UI

File: platform/frontend/src/app/compliance-engine/page.tsx (~780 lines)

Circular gauge for overall compliance posture score
4 framework cards with score bars, trend mini-charts, and export buttons
30-day compliance score trend chart
Collapsible drift alerts panel with severity badges, acknowledgment actions, and auto-remediation indicators
Filterable control status table (search, status filter, framework filter) with inline score bars
Evidence collection timeline with confidence percentages
Quick export buttons per framework
Auto-refresh every 60 seconds

Architecture

Frontend (Next.js)                          API (FastAPI)
+----------------------------+     +----------------------------------+
| /compliance-engine         | --> | /api/v1/compliance-engine/*      |
| - CircularGauge            |     |                                  |
| - FrameworkCards            |     |  ComplianceAutomationEngine      |
| - TrendChart               |     |  +----------------------------+  |
| - DriftAlerts              |     |  | Evidence Collectors (16+)  |  |
| - ControlTable (filterable)|     |  | Control Scorer             |  |
| - EvidenceTimeline         |     |  | Drift Detector             |  |
+----------------------------+     |  | Daily Snapshot Store       |  |
                                   |  | Framework Definitions      |  |
                                   |  +----------------------------+  |
                                   +----------------------------------+

Routing

Type	Path	Description
Frontend	`/compliance-engine`	Full compliance engine dashboard
API Prefix	`/api/v1/compliance-engine`	All compliance engine endpoints

API Endpoints

Method	Endpoint	Description
`GET`	`/dashboard`	Overall compliance posture: scores per framework, trend data, control counts
`GET`	`/frameworks`	List all frameworks with scores and control counts
`GET`	`/frameworks/{id}/controls`	Controls for a specific framework with evidence status
`GET`	`/controls/{id}/evidence`	Evidence history for a specific control
`POST`	`/scan`	Trigger a manual compliance scan
`GET`	`/evidence-log`	Recent evidence collection log (limit param, max 200)
`GET`	`/drift-alerts`	Current compliance drift alerts (include_acknowledged param)
`POST`	`/drift-alerts/{id}/acknowledge`	Acknowledge a drift alert
`GET`	`/report/{framework_id}`	Generate compliance report for a framework (JSON)
`GET`	`/metrics`	Compliance metrics: scores over time, evidence stats, drift frequency

Prerequisites

FastAPI backend running with the compliance engine router registered
No external database required -- the engine maintains in-memory state with periodic snapshots
Optional: Azure/AWS credentials for real cloud evidence collection (falls back to simulated evidence)

Data Model

Enums

Enum	Values
`ControlStatus`	`compliant`, `non-compliant`, `partial`, `not-assessed`
`EvidenceType`	16 types: `access_list`, `role_assignment`, `mfa_status`, `login_audit`, `audit_log_stats`, `log_retention`, `log_completeness`, `encryption_status`, `network_policy`, `firewall_rules`, `incident_metrics`, `playbook_stats`, `deploy_config`, `image_scan`, etc.
`Framework`	`fedramp_high`, `soc2_type2`, `nist_800_53`, `cmmc_l2`

Key Structures

Structure	Fields
ControlState	`control_id`, `name`, `family`, `framework`, `framework_name`, `weight`, `status`, `score`, `last_evidence`, `evidence_count`, `last_assessed`
DriftAlert	`id`, `control_id`, `framework`, `severity`, `description`, `previous_status`, `current_status`, `detected_at`, `acknowledged`, `remediation_attempted`, `remediation_result`
TrendPoint	`date`, `overall_score`, `framework_scores` (per-framework)
Dashboard	`overall_score`, `framework_scores`, `control_summary`, `active_drift_alerts`, `last_scan`, `scan_count`, `trend_data`, `frameworks`

UI Description

The Compliance Engine dashboard follows the ThreatOps design system: white card backgrounds, slate-200 borders, orange accent buttons, and responsive grid layout. It presents:

Header bar with shield icon, title, last scan timestamp, scan count, and an orange "Run Scan" button
5-column grid: circular gauge on the left showing overall posture (0-100), four framework cards on the right with score bars, trend indicators (up/down/flat), control counts, mini bar charts, and per-framework export buttons
Trend chart showing 30-day compliance score history as a bar chart with color-coded bars (green ≥ 80, yellow ≥ 60, red below 60)
Drift alerts panel (collapsible) showing active alerts with severity badges (critical/high/medium/low), descriptions, detection timestamps, auto-remediation status, and acknowledge buttons
Control status table (collapsible) with full-text search, status filter dropdown, framework filter dropdown, and a scrollable table showing control ID, name, framework, family, status badge, inline score bar, and last evidence timestamp
Evidence timeline showing the 30 most recent evidence collection events with collector name, evidence type, control family, and confidence percentage
Quick actions footer with continuous-operation indicator and per-framework export buttons