FedRAMP AI Studio

Automated SSP Narrative Generation

AI Agent Playground

This page is a browser-based test harness for the new AI-agent capabilities. Each section includes what it does, which requirement it satisfies, and a form that calls the matching /ai/... API.

Tip: Outputs stay hidden until you run an action (no more empty black boxes). Buttons show a loading state while requests are in-flight.

1) Documentation Evidence (RAG)

Requirement #1: “Where does the policy say we enforce MFA?” Upload policy/SSP PDFs and retrieve exact supporting paragraphs (with page ranges) for a given control.

RAG — Ingest Security Document

Uploads a PDF/DOCX/MD/TXT, extracts text, chunks it, generates embeddings, and stores it for semantic search. Calls: POST /ai/docs/ingest
Upload a policy or SSP PDF, then use the Search/Control Evidence tools to retrieve auditor-ready citations.

RAG — Search

Semantic search across uploaded documents. Calls: POST /ai/docs/search
Try: “MFA enforcement”, “password policy”, “encryption at rest”, “incident reporting timeline”.

Uses the retrieved passages as context and asks GPT-5 to answer your question with citations. Calls: POST /ai/docs/answer

Docs → Control Evidence

Uses the selected NIST control definition from your DB to search uploaded documentation for supporting paragraphs. Calls: POST /ai/docs/control-evidence

Pick IA-2 to find MFA language, or AC-8 to find warning banner references (if present).
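The three RAG tools above (ingest, search, control evidence) share one pipeline: chunk page-tagged text, vectorize each chunk, store it, and rank chunks against a query. The following is an added example illustrating that pipeline end to end; it is not code from the harness. A term-frequency vector stands in for the embedding model so it runs offline, and the sample pages and the two control definitions are constructed here rather than taken from any real SSP or the harness's control DB.

```python
"""Chunk page-tagged document text, vectorize it, and retrieve passages with page ranges."""
import math
import re
from collections import Counter

# Constructed sample: (page_number, text) pairs as a PDF text extractor would emit them.
SAMPLE_PAGES = [
    (3, "Access Control Policy. All users must authenticate before accessing systems. "
        "Privileged users must use multi-factor authentication (MFA) for all remote access."),
    (4, "Password Policy. Passwords must be at least 14 characters and rotated every 90 days. "
        "Shared accounts are prohibited."),
    (7, "Data Protection. All data at rest is encrypted using AES-256. "
        "Encryption keys are managed in a FIPS 140-2 validated module."),
]

# Hypothetical control definitions standing in for the NIST control rows in the harness's DB.
CONTROLS = {
    "IA-2": "Identification and authentication: enforce multi-factor authentication for users.",
    "AC-8": "System use notification: display a warning banner before granting access.",
}


def chunk_pages(pages, max_words=25, overlap=5):
    """Split page-tagged text into overlapping word windows, recording each chunk's page range."""
    words = [(page, w) for page, text in pages for w in text.split()]
    chunks, start = [], 0
    while start < len(words):
        window = words[start:start + max_words]
        chunks.append({"text": " ".join(w for _, w in window),
                       "page_start": window[0][0], "page_end": window[-1][0]})
        if start + max_words >= len(words):
            break
        start += max_words - overlap
    return chunks


def embed(text):
    """Term-frequency vector; a stand-in for the embedding model so the example runs offline."""
    return Counter(re.findall(r"[a-z0-9\-]+", text.lower()))


def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a if t in b)
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def ingest(pages):
    """Chunk + vectorize + store: the in-memory analogue of POST /ai/docs/ingest."""
    index = chunk_pages(pages)
    for chunk in index:
        chunk["vec"] = embed(chunk["text"])
    return index


def search(index, query, top_k=3, min_score=0.05):
    """Rank stored chunks by similarity and return citation-ready hits (score, page range, text)."""
    q = embed(query)
    scored = sorted(((cosine(q, c["vec"]), c) for c in index), key=lambda sc: sc[0], reverse=True)
    return [{"score": round(s, 3), "pages": (c["page_start"], c["page_end"]), "text": c["text"]}
            for s, c in scored[:top_k] if s >= min_score]


def control_evidence(index, control_id):
    """Use the control's own definition as the query (the idea behind POST /ai/docs/control-evidence)."""
    return search(index, CONTROLS[control_id])


if __name__ == "__main__":
    idx = ingest(SAMPLE_PAGES)
    for hit in control_evidence(idx, "IA-2"):
        print(hit["pages"], hit["score"], hit["text"][:70])
```

The page range on each hit is what makes a citation auditor-ready: a chunk that straddles a page break reports both pages. Note the caveat the AC-8 tool mentions ("if present"): a lexical stand-in like this will still surface a generically similar access-control paragraph for the warning-banner query, so the `min_score` floor and a human read of the cited text remain part of the workflow.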

2) Sensitive Data Locations

Requirement #2: Identify where Federal data could live by analyzing ingested AWS evidence (S3/RDS metadata, tags, and posture flags like encryption/public exposure).

Sensitive Data — Locations (AWS Evidence)

Calls: POST /ai/data/sensitive-locations
This flags “risk hotspots” using deterministic signals (tags/names/posture). It does not inspect object contents. (Macie integration can be added next.)
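What "deterministic signals" means in practice is a set of fixed rules over resource names, tags, and posture flags, with no content inspection. The following is an added example of such a classifier; it is not the harness's implementation. The evidence records, the name hints, and the tag values are constructed and assumed, as is the simplified record shape (real S3/RDS metadata exports carry many more fields).

```python
"""Flag likely Federal-data locations from S3/RDS evidence using deterministic signals only."""

# Constructed evidence records in an assumed, simplified shape (type, name, tags, posture flags).
SAMPLE_EVIDENCE = [
    {"type": "s3", "name": "agency-pii-exports", "tags": {"DataClass": "CUI"},
     "encrypted": False, "public": True},
    {"type": "s3", "name": "static-website-assets", "tags": {"Purpose": "web"},
     "encrypted": True, "public": True},
    {"type": "rds", "name": "citizen-records-prod", "tags": {"Environment": "prod"},
     "encrypted": True, "public": False},
    {"type": "rds", "name": "dev-scratch", "tags": {}, "encrypted": False, "public": False},
]

# Assumed hint lists; in a real deployment these come from the agency's data-classification scheme.
SENSITIVE_NAME_HINTS = ("pii", "phi", "ssn", "citizen", "records", "cui", "export")
SENSITIVE_TAG_VALUES = {"cui", "pii", "phi", "fti", "sensitive", "restricted"}


def classify_resource(r):
    """Return a hotspot dict with reasons, or None. Looks only at names, tags, and posture flags."""
    reasons = []
    name = r["name"].lower()
    if any(hint in name for hint in SENSITIVE_NAME_HINTS):
        reasons.append(f"name suggests sensitive data: {r['name']}")
    for key, value in r.get("tags", {}).items():
        if str(value).lower() in SENSITIVE_TAG_VALUES:
            reasons.append(f"tag {key}={value}")
    if not reasons:
        return None  # nothing suggests Federal data lives here; posture alone does not make a hotspot
    # Posture signals escalate severity only once the resource looks like it holds sensitive data.
    posture = []
    if not r.get("encrypted", False):
        posture.append("not encrypted at rest")
    if r.get("public", False):
        posture.append("publicly accessible")
    severity = "critical" if len(posture) == 2 else "high" if posture else "medium"
    return {"resource": f"{r['type']}:{r['name']}", "severity": severity, "reasons": reasons + posture}


def find_hotspots(evidence):
    """In-memory analogue of the deterministic part of POST /ai/data/sensitive-locations."""
    order = {"critical": 0, "high": 1, "medium": 2}
    hits = [h for h in (classify_resource(r) for r in evidence) if h]
    return sorted(hits, key=lambda h: order[h["severity"]])


if __name__ == "__main__":
    for hotspot in find_hotspots(SAMPLE_EVIDENCE):
        print(hotspot["severity"].upper(), hotspot["resource"], "|", "; ".join(hotspot["reasons"]))
```

The ordering matters: a public, unencrypted bucket with no sensitivity signal is a posture finding for the scanner section, not a data-location hotspot, which keeps this tool's output focused on where Federal data could live. Content-level confirmation is exactly what the Macie tool below adds.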

Macie — Sensitive Data Findings (S3)

Calls: POST /ai/data/macie/findings
Macie must be enabled in the target account/region, and the assumed role must allow macie2:ListFindings and macie2:GetFindings.

3) Vendors → Categories

Requirement #3: Build the SSP “Security and Management Technologies” table by extracting tools/vendors from AWS evidence (+ optional doc snippets) and returning strict JSON + HTML table.

Vendors / Tech Map

Calls: POST /ai/vendors/map
Output includes vendor_map (strict JSON) and html_table for direct SSP rendering.

Rendered Vendor Table (SSP-ready)

This renders html_table as an actual table (safe text-only rebuild in-browser).
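The vendor map comes back as strict JSON and is then turned into an HTML table. Because the vendor and product strings originate in evidence (tags, document snippets) and pass through a model, they must be treated as untrusted before they reach the SSP. The following is an added example, not the harness's code, of the two checks that matter: rejecting anything that is not the expected JSON shape, and escaping every cell when the table is built (the server-side counterpart of the text-only rebuild the browser does). The column names and the sample model output are assumptions.

```python
"""Validate a vendor_map returned as strict JSON and render it as an escaped HTML table."""
import html
import json

# Assumed column set; the real vendor_map schema may differ.
REQUIRED_KEYS = {"vendor", "product", "category", "source"}

# Constructed sample of a model response; the third row shows why escaping is not optional.
SAMPLE_MODEL_OUTPUT = json.dumps([
    {"vendor": "Amazon Web Services", "product": "GuardDuty",
     "category": "Threat Detection", "source": "aws:guardduty"},
    {"vendor": "Tenable", "product": "Nessus",
     "category": "Vulnerability Scanning", "source": "doc:scan-policy.pdf p.4"},
    {"vendor": "<img src=x onerror=alert(1)>", "product": "Unknown",
     "category": "Other", "source": "tag:Owner"},
])


def parse_vendor_map(raw):
    """Accept only a JSON array of objects with exactly the required, non-empty string keys."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"vendor_map is not strict JSON: {exc}") from None
    if not isinstance(data, list):
        raise ValueError("vendor_map must be a JSON array")
    for i, row in enumerate(data):
        if not isinstance(row, dict) or set(row) != REQUIRED_KEYS:
            raise ValueError(f"row {i}: expected exactly the keys {sorted(REQUIRED_KEYS)}")
        if not all(isinstance(v, str) and v.strip() for v in row.values()):
            raise ValueError(f"row {i}: all values must be non-empty strings")
    return data


def render_html_table(vendor_map):
    """Build the SSP table; every cell is escaped so evidence-derived text cannot inject markup."""
    cols = ["vendor", "product", "category", "source"]
    head = "".join(f"<th>{html.escape(c.title())}</th>" for c in cols)
    body = "".join(
        "<tr>" + "".join(f"<td>{html.escape(row[c])}</td>" for c in cols) + "</tr>"
        for row in vendor_map)
    return f"<table><thead><tr>{head}</tr></thead><tbody>{body}</tbody></table>"


def build_response(raw):
    """Shape of the /ai/vendors/map result this example assumes: vendor_map plus html_table."""
    vendor_map = parse_vendor_map(raw)
    return {"vendor_map": vendor_map, "html_table": render_html_table(vendor_map)}


if __name__ == "__main__":
    print(build_response(SAMPLE_MODEL_OUTPUT)["html_table"])
```

Rejecting rather than repairing malformed output is deliberate: a model that wraps JSON in prose or drops a column should surface as an error in the playground, not as a silently shortened SSP table.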

4) Scan Results → Controls

Requirement #4: Ingest scanner findings (Nessus CSV / SecurityHub JSON) and map failures to relevant NIST controls (deterministic rules first; optional LLM fallback).

Scans — Ingest + Map

Ingest: POST /ai/scans/ingest  |  Map: POST /ai/scans/map-controls
Rule-based mapping covers common items (e.g., warning banner → AC-8). LLM fallback can be used to reduce manual work.
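"Deterministic rules first, LLM fallback second" is the core of this tool. The following is an added example of that split, not the harness's mapper: a few title-pattern rules over parsed Nessus CSV rows and Security Hub findings, with everything unmatched queued for the optional fallback. The CSV columns, the Security Hub field subset, the sample findings, and the rule-to-control assignments are all constructed and assumed; the warning banner to AC-8 rule is the one the page itself names.

```python
"""Map scanner findings (Nessus CSV rows, Security Hub JSON) to NIST controls with deterministic rules."""
import csv
import io
import json
import re

# Constructed Nessus-style export (assumed column subset).
NESSUS_CSV = """Plugin ID,Name,Severity,Host,Port
10881,SSH Server Type and Version Information,Info,10.0.1.5,22
11219,SSH Banner Missing,Low,10.0.1.5,22
57608,SMB Signing not required,Medium,10.0.1.9,445
20007,SSL Version 2 and 3 Protocol Detection,High,10.0.1.9,443
"""

# Constructed Security Hub payload (assumed field subset; account id is a placeholder).
SECURITYHUB_JSON = json.dumps({"Findings": [
    {"Id": "f-1", "Title": "IAM root user does not have MFA enabled",
     "Severity": {"Label": "CRITICAL"}, "Resources": [{"Id": "arn:aws:iam::000000000000:root"}]},
    {"Id": "f-2", "Title": "S3 bucket server-side encryption not enabled",
     "Severity": {"Label": "HIGH"}, "Resources": [{"Id": "arn:aws:s3:::example-bucket"}]},
    {"Id": "f-3", "Title": "Unusual console login from new ASN",
     "Severity": {"Label": "MEDIUM"}, "Resources": [{"Id": "arn:aws:iam::000000000000:user/someone"}]},
]})

# Ordered rules over the finding title: first match wins. Control choices are assumed for illustration.
RULES = [
    (re.compile(r"banner", re.I), "AC-8", "system use notification / warning banner"),
    (re.compile(r"\bmfa\b|multi-?factor", re.I), "IA-2", "multi-factor authentication"),
    (re.compile(r"encryption not enabled|unencrypted|not encrypted", re.I), "SC-28", "protection at rest"),
    (re.compile(r"\bssl\b|\btls\b|signing not required", re.I), "SC-8", "transmission confidentiality/integrity"),
]


def parse_nessus(text):
    """Normalize Nessus rows; informational plugins are dropped since they are not failures."""
    return [{"id": f"nessus:{r['Plugin ID']}", "title": r["Name"], "severity": r["Severity"],
             "resource": f"{r['Host']}:{r['Port']}"}
            for r in csv.DictReader(io.StringIO(text)) if r["Severity"].lower() != "info"]


def parse_securityhub(text):
    """Normalize Security Hub findings to the same shape as the Nessus rows."""
    return [{"id": f"sh:{f['Id']}", "title": f["Title"], "severity": f["Severity"]["Label"],
             "resource": f["Resources"][0]["Id"]}
            for f in json.loads(text)["Findings"]]


def map_controls(findings):
    """Apply the first matching rule; anything unmatched is queued for the optional LLM fallback."""
    mapped, fallback = [], []
    for finding in findings:
        for pattern, control, why in RULES:
            if pattern.search(finding["title"]):
                mapped.append({**finding, "control": control, "rationale": why, "method": "rule"})
                break
        else:
            fallback.append(finding)
    return mapped, fallback


if __name__ == "__main__":
    mapped, fallback = map_controls(parse_nessus(NESSUS_CSV) + parse_securityhub(SECURITYHUB_JSON))
    for m in mapped:
        print(m["control"], m["id"], m["title"])
    print("needs fallback:", [f["id"] for f in fallback])
```

Keeping `method` on each mapped row is what lets a reviewer later tell rule-derived mappings (repeatable, auditable) from fallback mappings (worth a second look) when the table is pasted into the SSP.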

5) Generate Missing Policies

Requirement #5: Generate baseline policies/procedures and write them into the repo using discovered vendor/tooling context.

Policy Generator

Calls: POST /ai/policies/generate (writes to @docs/generated_policies/)
This writes a Markdown policy file into the repo. Next iteration can add auto-commit to GitHub/GitLab.
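Writing a generated file into the repo means a caller-supplied policy name becomes part of a file path, which is the one place in this tool where input handling matters. The following is an added example, not the harness's writer, of deriving the file name safely: the name is reduced to a slug and the resolved path is checked to stay under the generated-policies directory. The directory name is assumed from the page's @docs/generated_policies/ notation.

```python
"""Write a generated policy into the repo's generated_policies directory without path escape."""
import re
from pathlib import Path

# Assumed repo-relative target, taken from the page's @docs/generated_policies/ notation.
GENERATED_DIR = Path("docs/generated_policies")


def safe_policy_path(base_dir, policy_name):
    """Derive a file path from a caller-supplied policy name; reject anything leaving base_dir."""
    slug = re.sub(r"[^a-z0-9]+", "-", policy_name.lower()).strip("-")
    if not slug:
        raise ValueError("policy name yields an empty file name")
    base = Path(base_dir).resolve()
    target = (base / f"{slug}.md").resolve()
    # The slug already removes separators; this check is defense in depth should the naming rule change.
    if base not in target.parents:
        raise ValueError(f"refusing to write outside {base}")
    return target


def write_policy(base_dir, policy_name, markdown):
    """Create the directory if needed and write the Markdown policy; returns the path written."""
    target = safe_policy_path(base_dir, policy_name)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(markdown, encoding="utf-8")
    return target


if __name__ == "__main__":
    print(safe_policy_path(GENERATED_DIR, "Incident Response Policy"))
```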

6) Exceptions / POA&M Validation

Requirement #6: Ingest a POA&M/deviation list and validate whether vendor fixes exist using external intelligence (NVD CVE API).

POA&M — Ingest + Validate

Ingest: POST /ai/poam/ingest  |  Validate: POST /ai/poam/validate
Validation returns the raw NVD payload (for engineering triage). You can later add “status changed” flags + reminders.
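Since the validate call returns the raw NVD payload, the triage logic lives with the engineer. The following is an added example, not the harness's code, of reducing an NVD CVE API 2.0 response to the fields a POA&M reviewer needs (status, CVSS, whether any reference is tagged as a patch or vendor advisory) and of the "status changed" flag the page says can come later, computed against a stored previous result. The payload is constructed in the NVD 2.0 shape with a placeholder CVE id; it is not a real record, and the fix-indicating tag set is an assumption.

```python
"""Triage a raw NVD CVE API 2.0 payload for a POA&M item: fix available? status changed?"""
import json

# Constructed payload in the NVD 2.0 response shape; the CVE id is a placeholder, not a real record.
SAMPLE_NVD_PAYLOAD = json.dumps({
    "totalResults": 1,
    "vulnerabilities": [{"cve": {
        "id": "CVE-0000-0001",
        "vulnStatus": "Analyzed",
        "lastModified": "2024-01-15T10:00:00.000",
        "descriptions": [{"lang": "en", "value": "Placeholder description."}],
        "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
        "references": [
            {"url": "https://vendor.example/advisory/0001", "source": "vendor",
             "tags": ["Vendor Advisory", "Patch"]},
            {"url": "https://tracker.example/issue/1", "source": "tracker", "tags": ["Issue Tracking"]},
        ],
    }}],
})
EMPTY_NVD_PAYLOAD = json.dumps({"totalResults": 0, "vulnerabilities": []})

# Reference tags treated as evidence that a vendor fix or mitigation exists (assumed policy).
FIX_TAGS = {"Patch", "Vendor Advisory", "Mitigation"}


def summarize_cve(payload_text):
    """Reduce the raw payload to the fields a reviewer needs; None when NVD has no record."""
    payload = json.loads(payload_text)
    if payload.get("totalResults", 0) == 0 or not payload.get("vulnerabilities"):
        return None
    cve = payload["vulnerabilities"][0]["cve"]
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    score = metrics[0]["cvssData"]["baseScore"] if metrics else None
    fix_refs = [r["url"] for r in cve.get("references", []) if FIX_TAGS & set(r.get("tags", []))]
    return {"id": cve["id"], "status": cve.get("vulnStatus"), "last_modified": cve.get("lastModified"),
            "cvss": score, "fix_available": bool(fix_refs), "fix_references": fix_refs}


def validate_poam_item(item, payload_text, previous=None):
    """Decide whether the item can move toward closure and flag changes since the last check."""
    summary = summarize_cve(payload_text)
    if summary is None:
        return {**item, "result": "not_in_nvd", "status_changed": False}
    changed = previous is not None and (
        previous.get("status") != summary["status"]
        or previous.get("last_modified") != summary["last_modified"]
        or previous.get("fix_available") != summary["fix_available"])
    result = "fix_available" if summary["fix_available"] else "awaiting_vendor_fix"
    return {**item, "nvd": summary, "result": result, "status_changed": changed}


if __name__ == "__main__":
    poam_item = {"poam_id": "P-1", "cve": "CVE-0000-0001"}  # constructed
    print(validate_poam_item(poam_item, SAMPLE_NVD_PAYLOAD))
```

"Fix available" here means NVD lists a patch or advisory reference, which is a prompt to verify the fix applies to the deployed version, not a reason to close the POA&M line on its own. Persisting the `nvd` summary from each run is what makes the `status_changed` flag and any reminder logic possible on the next one.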