🏛️ archetype: gov-public

Ship to federal / state agencies without a 2-year ATO.

Building with login.gov, USWDS, gov.uk Design System, or targeting FedRAMP / StateRAMP? GreatCTO auto-detects the gov-public archetype and ships FedRAMP boundary scoping, NIST 800-53 Rev 5 control mapping, FISMA compliance, Section 508 accessibility, and PIA generation from day one.

What you avoid

The 5 gov-tech bugs that kill ATO.

Without GreatCTO

  • FedRAMP scope too broad — every component in boundary, $2M ATO
  • Audit logs not immutable — AU-9 fails, ATO denied
  • IA-2 MFA via SMS — not phishing-resistant, FIPS 140 fails
  • Section 508 manual VPAT first time — agency procurement stops
  • PIA missing — E-Government Act 208 violated
  • ATO denied · $2M+ wasted · contract evaporates.

With GreatCTO

  • gov-reviewer scopes FedRAMP boundary — push compliance-light OUT
  • NIST 800-53 controls auto-mapped to architecture decisions
  • AU-9 immutability via WORM storage / cryptographic chain
  • IA-2(11) phishing-resistant MFA: FIDO2 / PIV / CAC required
  • WCAG 2.2 AA in CI + structured VPAT input ready
  • ATO in 6 months instead of 18-24, $500k saved.

Auto-applied gates

Detected: login-gov-sdk + uswds or README mentions fedramp / government → gov-public archetype.

Compliance auto-suggested: fedramp · nist-800-53 · fisma · section-508 · pia · ato · cjis · stateramp. Specialist agents activated:

01 · gov-reviewer

FedRAMP + NIST + PIA + 508

FedRAMP authorization-boundary scoping · NIST 800-53 Rev 5 control mapping (Moderate / High / Tailored) · FISMA · Section 508 / WCAG 2.2 AA · PIA draft · CJIS for law-enforcement integrations · StateRAMP for state-level deployments.

02 · security-officer

Continuous compliance

POA&M tracking · ConMon (continuous monitoring) automation · monthly vuln scans · annual assessment prep · NIST 800-53 control evidence collection.

03 · db-migration-reviewer

Audit-safe migrations

PII change tracking · access logs · retention enforcement · rollback path mandatory · change ticket linked to ATO POA&M.

04 · senior-dev

FIPS 140 cryptography

Validated crypto modules everywhere · MFA flows reviewed · audit log integrity proven · no plaintext fallback paths.

Domain pack overlays

Likely to overlay on gov-public.

Packs auto-attach when CLI detects pack-specific signals (e.g. twilio in deps → voice-pack). Each pack adds its own reviewer agents + human gates on top of the base archetype pipeline.

+ Climate MRV
GHG Protocol, Verra, SBTi, CSRD, CBAM + biosecurity (DURC, IGSC HSP v2)

Real-world examples

Companies operating as gov-public.

7 startups in this space.

  • Palantir · Defense + commercial data platform · public · US
  • Tyler Technologies · Government software platform · public · US
  • Anduril · Defense AI + autonomous systems · growth · US
  • OpenGov · Cloud ERP for state + local gov · growth · US
  • Shield AI · AI pilot for defense aircraft · series-f · US
  • Granicus · Government digital experience · private · US

Listed companies operate in this space. Inclusion is based on publicly available product descriptions and does not imply endorsement of or by GreatCTO.

30 seconds

Drop into any federal / state / municipal tech repo.

$ npx great-cto init
no signup · runs locally · pay your own API