🏛️ pack: gov-pack

Earn an ATO without the 18-month FedRAMP nightmare.

Q: What human gates does gov-pack introduce?

gate:fedramp-boundary (ISSO + 3PAO), gate:pia (agency CPO), gate:508-conformance (a11y coordinator), gate:cjis-audit (CSO of agency). These layer on top of the standard plan/ship gates.

Q: What if my project doesn't match these signals exactly?

You can manually add the pack name to PROJECT.md or run /migrate to re-run detection with updated rules.

Serving federal / state / local government? Integrating with CJIS / IRS / DHS? GreatCTO auto-attaches gov-pack with FedRAMP authorization-boundary scoping, NIST 800-53 Rev 5 control mapping (325 Moderate controls), Privacy Impact Assessment, Section 508 VPAT 2.5, plus FIPS 140-3 crypto enforcement and CJIS multi-factor auth.

$ npx great-cto init All packs ↗

Auto-attach signals

Detected by CLI when:

.gov · fedramp · nist-800-53 · cjis · fisma · 508 · piv · cac · aws-us-gov · govcloud · ATO

The pack rides on top of your base archetype (web-service, ai-system, fintech, …) — it doesn't replace it. Auto-injects reviewer agents into the pipeline + opens human gates listed below.

Reviewer agents activated

1 specialist added to the pipeline.

01 · gov-reviewer

FedRAMP boundary scoping (Low / Moderate / High) · NIST 800-53 Rev 5 control mapping · PIA per E-Gov Act § 208 · CJIS § 5.6 (advanced auth) · 508 VPAT · FIPS 140-3 enforcement · StateRAMP for state

Human gates introduced

4 new gate types on top of `gate:plan` + `gate:ship`.

Gate	Owner	Trigger
`gate:fedramp-boundary`	ISSO + 3PAO	before SSP submission
`gate:pia`	agency CPO	before any PII collection
`gate:508-conformance`	a11y coordinator	before public release
`gate:cjis-audit`	CSO of agency	if law-enforcement data is touched

Required artefacts before senior-dev claims tasks

8 concrete deliverables.

✓ FedRAMP authorization-boundary diagram + System Security Plan (SSP) sections
✓ NIST 800-53 Rev 5 control mapping matrix (Moderate baseline: 325 controls)
✓ Privacy Impact Assessment (PIA) per E-Government Act 2002 § 208
✓ Section 508 VPAT 2.5 (Voluntary Product Accessibility Template)
✓ CJIS Security Policy compliance evidence (if applicable)
✓ FIPS 140-3 validated crypto module manifest (no rolled-your-own crypto)
✓ Annual 3PAO penetration test report (FedRAMP Moderate+)
✓ StateRAMP authorization package (state deployments)

EVAL suite required

5 golden-set scenarios shipped as templates.

Each EVAL has ≥5 test cases, pass threshold, regression interpretation, cross-refs to TM + gates. Run via your existing test framework.

EVAL-gov-508-conformance.md
EVAL-gov-fips-140-3-enforcement.md
EVAL-gov-cjis-mfa.md
EVAL-gov-pia-completeness.md
EVAL-gov-il4-data-handling.md

Regulatory surface covered

10 standards / regulations addressed.

FedRAMP Rev 5 NIST SP 800-53 Rev 5 NIST 800-171 (CUI) CJIS Security Policy v5.9 Section 508 ICT Refresh (2018) TIC 3.0 OMB Circular A-130 E-Government Act 2002 § 208 FISMA FIPS 140-3

FAQ

Common questions about gov-pack.

When does gov-pack auto-attach?

When the CLI detects these signals in your repo: .gov · fedramp · nist-800-53 · cjis · fisma · 508 · piv · cac · aws-us-gov · govcloud · ATO. Override anytime by editing packs: in PROJECT.md.

What human gates does gov-pack introduce?

gate:fedramp-boundary (ISSO + 3PAO), gate:pia (agency CPO), gate:508-conformance (a11y coordinator), gate:cjis-audit (CSO of agency). These layer on top of the standard plan/ship gates.

What if my project doesn't match these signals exactly?

You can manually add the pack name to PROJECT.md or run /migrate to re-run detection with updated rules.

30 seconds

Drop GreatCTO into any repo — gov-pack attaches automatically.

$ npx great-cto init

no signup·runs locally·pay your own API