Controls by family
RAISE 2.0 Security Gates (this run)
What this is
This dashboard is published by the DevSecOps pipeline on every run. It rolls up the
pipeline's security gates (SAST, SCA, SBOM, secrets, IaC, container scan + sign + SLSA provenance, DAST,
STIG/SCAP, license, supply-chain) into a NIST SP 800-53 control posture, a POA&M (eMASS layout), a
continuous-monitoring trend, and an eMASS submission package. The automated control test results are a
first pass — the Security Control Assessor makes the final determination and signs the SAR; the Authorizing
Official (and, for cATO, the DoD CISO; for RAISE, the RPOC ISSM/AO) renders the authorization decision.
See docs/ao-quickstart.md and compliance/crosswalks/ in the repo.
⚠️ This is a reference/template implementation. Confirm every mapping against the controlling
documents — several authoritative sources (RMF Knowledge Service, eMASS User Guide & POA&M template,
RAISE RIG annexes, DoD overlays) are CAC-restricted and may be newer than the public versions this is built from
(compliance/references.md).
| Sev | Gate | Tool | Title | Component / location | CVE / CWE | Fix |
|---|---|---|---|---|---|---|
eMASS-layout POA&M. Scheduled completion dates are computed from the remediation SLA
(policy/thresholds.yaml; default CAT I = 21 calendar days, per the RAISE 2.0 RIG). Confirm the
eMASS POA&M import template columns before importing — see compliance/crosswalks/emass-crosswalk.md.
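The scheduled-completion and overdue logic described above, as an added Python example (not the pipeline's own code): the CAT I SLA of 21 calendar days is the page's stated default; the CAT II and CAT III values, the finding records, and the run date are constructed placeholders, and a real run would read the SLA table from policy/thresholds.yaml.

```python
from datetime import date, timedelta

# Remediation SLA per severity category, in calendar days.
# CAT I = 21 is the default stated on the dashboard (RAISE 2.0 RIG).
# CAT II / CAT III are PLACEHOLDER values for this example only; the
# authoritative numbers live in policy/thresholds.yaml.
SLA_DAYS = {"CAT I": 21, "CAT II": 90, "CAT III": 180}

# Constructed sample findings (not output of any real scan).
FINDINGS = [
    {"id": "F-1", "cat": "CAT I",   "opened": date(2024, 5, 1),  "closed": None},
    {"id": "F-2", "cat": "CAT I",   "opened": date(2024, 5, 20), "closed": None},
    {"id": "F-3", "cat": "CAT II",  "opened": date(2024, 3, 1),  "closed": None},
    {"id": "F-4", "cat": "CAT III", "opened": date(2024, 1, 1),  "closed": date(2024, 4, 1)},
]


def scheduled_completion(opened, cat, sla_days=SLA_DAYS):
    """POA&M scheduled completion date: opened date plus the category SLA."""
    return opened + timedelta(days=sla_days[cat])


def poam_snapshot(findings, run_date, sla_days=SLA_DAYS):
    """Summarise open and overdue POA&M items as of run_date.

    An item is overdue when it is still open and its scheduled completion
    date is strictly before the run date.
    """
    open_items = [f for f in findings if f["closed"] is None]
    overdue = [
        f for f in open_items
        if scheduled_completion(f["opened"], f["cat"], sla_days) < run_date
    ]
    by_cat = {cat: sum(1 for f in open_items if f["cat"] == cat) for cat in sla_days}
    return {
        "open": len(open_items),
        "overdue": len(overdue),
        "overdue_ids": sorted(f["id"] for f in overdue),
        "by_cat": by_cat,
    }


def trend_cells(snapshot):
    """Render the two POA&M columns of the continuous-monitoring trend row."""
    open_cell = f"{snapshot['open']} ({snapshot['overdue']})"
    cat_cell = "/".join(str(snapshot["by_cat"][c]) for c in ("CAT I", "CAT II", "CAT III"))
    return open_cell, cat_cell


if __name__ == "__main__":
    snap = poam_snapshot(FINDINGS, date(2024, 6, 1))
    print(snap)
    print(trend_cells(snap))
```

With the constructed data and a run date of 2024-06-01, F-1 (CAT I, due 2024-05-22) and F-3 (CAT II, due 2024-05-30) are overdue, F-2 is still within its 21-day window, and the closed F-4 is excluded, so the trend row would show `3 (2)` and `2/1/0`.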
Continuous monitoring trend
CA-7 / cATO Pillar 1 / RAISE ConMon. Each pipeline run appends a dated snapshot.
| Date | Findings C/H/M/L | Controls Compliant/NC | Auto-assess % | POA&M open (overdue) | POA&M CAT I/II/III | SBOM components | Run |
|---|---|---|---|---|---|---|---|
DevSecOps pipeline gates → controls → RAISE Security Gates
Each gate is a job in .github/workflows/devsecops-pipeline.yml (or a standalone
workflow). Fail-the-build policy: policy/thresholds.yaml. Details: docs/pipeline-gates.md.
| Gate | Phase | Tools | RAISE Gate | Controls evidenced | Ran? | Findings | Fail policy |
|---|---|---|---|---|---|---|---|
eMASS submission package
The pipeline assembles an eMASS-ready Body of Evidence on every run (workflow artifact body-of-evidence
/ emass-package) and attaches emass-package.zip to every version-tag GitHub Release.
Contents
- MANIFEST.json — machine index: every file → control(s)/CCI(s) → eMASS artifact category/type
- ato-package-summary.md — human index + posture snapshot + submission steps
- system-security-plan.md — the SSP (PL-2)
- controls.json / controls.csv — per-control implementation status, responsibility, CCIs, narrative
- test-results.csv — control test results + rationale + assessing run
- poam.csv — POA&M in the eMASS column layout
- hardware-software-list.csv — software baseline from the SBOM (HW = template)
- ppsm.csv — Ports/Protocols/Services template
- artifacts/<gate>/… — the raw scan reports, SBOMs, attestations, and the normalized findings
Runbook: docs/emass-submission-runbook.md.
Crosswalks & supporting documents
All of the compliance documents — the RMF/cATO/RAISE 2.0/SSDF/eMASS crosswalks, the SSP, the ConMon strategy, the references bibliography, the runbooks — are readable right here in the Docs tab (and on GitHub).