🏛️ archetype: gov-public

Ship to federal / state agencies without a 2-year ATO.

Building with login.gov, USWDS, gov.uk Design System, or targeting FedRAMP / StateRAMP? GreatCTO auto-detects the gov-public archetype and ships FedRAMP boundary scoping, NIST 800-53 Rev 5 control mapping, FISMA compliance, Section 508 accessibility, and PIA generation from day one.

What you avoid

The 5 gov-tech bugs that kill ATO.

Without GreatCTO

  • FedRAMP scope too broad — every component in boundary, $2M ATO
  • Audit logs not immutable — AU-9 fails, ATO denied
  • IA-2 MFA via SMS — not phishing-resistant, FIPS 140 fails
  • Section 508 manual VPAT first time — agency procurement stops
  • PIA missing — E-Government Act 208 violated
  • ATO denied · $2M+ wasted · contract evaporates.

With GreatCTO

  • gov-reviewer scopes FedRAMP boundary — push compliance-light OUT
  • NIST 800-53 controls auto-mapped to architecture decisions
  • AU-9 immutability via WORM storage / cryptographic chain
  • IA-2(11) phishing-resistant MFA: FIDO2 / PIV / CAC required
  • WCAG 2.2 AA in CI + structured VPAT input ready
  • ATO in 6 months instead of 18-24, $500k saved.

Auto-applied gates

Detected: login-gov-sdk + uswds in dependencies, or README mentions fedramp / government → gov-public archetype.

Compliance auto-suggested: fedramp · nist-800-53 · fisma · section-508 · pia · ato · cjis · stateramp. Specialist agents activated:

01 · gov-reviewer

FedRAMP + NIST + PIA + 508

FedRAMP authorization-boundary scoping · NIST 800-53 Rev 5 control mapping (Moderate / High / Tailored) · FISMA · Section 508 / WCAG 2.2 AA · PIA draft · CJIS for law-enforcement integrations · StateRAMP for state-level.

02 · security-officer

Continuous compliance

POA&M tracking · ConMon (continuous monitoring) automation · monthly vuln scans · annual assessment prep · NIST 800-53 control evidence collection.

03 · db-migration-reviewer

Audit-safe migrations

PII change tracking · access logs · retention enforcement · rollback path mandatory · change ticket linked to ATO POA&M.

04 · senior-dev

FIPS 140 cryptography

Validated crypto modules everywhere · MFA flows reviewed · audit log integrity proven · no plaintext fallback paths.

Domain pack overlays

Likely to overlay on gov-public.

Packs auto-attach when CLI detects pack-specific signals (e.g. twilio in deps → voice-pack). Each pack adds its own reviewer agents + human gates on top of the base archetype pipeline.

+ Climate MRV
GHG Protocol, Verra, SBTi, CSRD, CBAM + biosecurity (DURC, IGSC HSP v2)

Real-world examples

Companies operating as gov-public.

2 startups in this space.

  • Anduril · Defense AI + autonomous systems · growth stage · US
  • Shield AI · AI pilot for defense aircraft · Series F · US

Listed companies operate in this space. Inclusion is based on publicly available product descriptions and does not imply endorsement of or by GreatCTO.

30 seconds

Drop into any federal / state / municipal tech repo.

$ npx great-cto init
no signup · runs locally · pay your own API