[FEATURE][COMPLIANCE]: Compliance report generator - FedRAMP/HIPAA/SOC2 automation #2224
Status: Open
Labels: COULD (P3: Nice-to-have features with minimal impact if left out; included if time permits), enhancement (New feature or request), python (Python / backend development (FastAPI)), security (Improves security), sweng-group-5 (Group 5 - Policy-as-Code Security & Compliance Automation), tcd (SwEng Projects)
Description
📊 Feature: Compliance Report Generator - FedRAMP/HIPAA/SOC2 Automation
Goal
Implement an automated Compliance Report Generator that produces audit-ready reports for FedRAMP, HIPAA, SOC2, and other compliance frameworks by collecting evidence from policy decisions, access logs, and configuration state.
Why Now?
- Audit Preparation Overhead: Compliance audits require weeks of manual evidence collection
- Control Mapping Gap: No automated mapping between gateway features and compliance controls
- Evidence Staleness: Manual evidence collection quickly becomes outdated
- Continuous Compliance: Organizations need ongoing compliance monitoring, not point-in-time snapshots
- Multi-Framework: Many enterprises need to comply with multiple frameworks simultaneously
📖 User Stories
US-1: Compliance Officer - Generate FedRAMP Report
As a Compliance Officer
I want to generate a FedRAMP compliance report
So that I can provide evidence for our ATO (Authorization to Operate)
Acceptance Criteria:
Given I need FedRAMP Moderate compliance evidence:
When I generate a report:
```
POST /compliance/reports
{
  "framework": "fedramp-moderate",
  "period_start": "2024-01-01",
  "period_end": "2024-03-31"
}
```
Then the report includes evidence for:
- AC-2: Account Management
- AC-3: Access Enforcement
- AC-6: Least Privilege
- AU-2: Audit Events
- AU-3: Content of Audit Records
- AU-6: Audit Review
And each control has:
- Implementation status (Implemented/Partial/Not Implemented)
- Evidence artifacts
- Findings and recommendations
US-2: Auditor - Export Evidence Artifacts
As an External Auditor
I want to export evidence artifacts in standard formats
So that I can verify compliance independently
Acceptance Criteria:
Given a compliance report has been generated:
When I export evidence:
```
GET /compliance/reports/{id}/export?format=pdf
```
Then I receive:
- Executive summary
- Control-by-control evidence
- Access decision logs (sampled)
- Policy configurations
- User/role inventory
And the report is digitally signed
And timestamps are verifiable
🏗 Architecture
Control Mapping Example
| Control | Framework | Evidence Source |
|---|---|---|
| AC-2 | FedRAMP | User inventory, role assignments, team memberships |
| AC-3 | FedRAMP | Policy decisions, RBAC rules, MAC clearances |
| AC-6 | FedRAMP | Role permissions, JIT access grants |
| AU-2 | FedRAMP | Audit configuration, logged events |
| AU-3 | FedRAMP | Sample audit records with required fields |
| 164.312(a)(1) | HIPAA | Access controls, authentication |
| CC6.1 | SOC2 | Logical access controls |
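To make US-1, US-2 and the control mapping table concrete, here is an added example written for this page (not the project's own implementation). It collects constructed evidence for AC-2, AC-3 and AU-2 through the control-to-evidence mapping, derives each control's status and findings, and signs the export so an auditor can detect any later modification. The evidence records, the 90-day dormancy threshold, the required audit-record fields and the use of HMAC-SHA256 in place of a proper asymmetric signature are all assumptions of this example.

```python
"""Added example (not project code): build a control-by-control compliance
report from evidence, derive each control's status, then sign the export so
an auditor can detect tampering. Evidence data and thresholds are constructed."""
import hashlib
import hmac
import json
from datetime import date, datetime, timedelta, timezone

# Constructed sample evidence standing in for the gateway's real inventories/logs.
USERS = [
    {"id": "alice", "roles": ["admin"], "mfa": True, "last_login": "2024-03-20"},
    {"id": "bob", "roles": ["viewer"], "mfa": True, "last_login": "2023-11-02"},
    {"id": "svc-ci", "roles": ["deployer"], "mfa": False, "last_login": "2024-03-30"},
]
DECISIONS = [  # sampled policy decisions
    {"subject": "bob", "action": "write", "resource": "prompts", "allowed": False},
    {"subject": "alice", "action": "write", "resource": "prompts", "allowed": True},
]
AUDIT_CONFIG = {"enabled": True, "fields": ["timestamp", "subject", "action", "resource", "outcome"]}

# Control-to-evidence mapping, following the issue's table; collectors are stubs over the data above.
CONTROL_SOURCES = {"AC-2": ["users"], "AC-3": ["decisions"], "AU-2": ["audit_config"]}
COLLECTORS = {"users": lambda: USERS, "decisions": lambda: DECISIONS, "audit_config": lambda: AUDIT_CONFIG}
INACTIVITY_DAYS = 90  # assumed threshold for flagging dormant accounts under AC-2
REQUIRED_AUDIT_FIELDS = {"timestamp", "subject", "action", "resource", "outcome"}  # assumed


def assess(control, evidence, period_end):
    """Return the control's status and findings; the evidence stays attached as artifacts."""
    findings = []
    if control == "AC-2":
        cutoff = (date.fromisoformat(period_end) - timedelta(days=INACTIVITY_DAYS)).isoformat()
        findings += [f"dormant account: {u['id']}" for u in evidence["users"] if u["last_login"] < cutoff]
        findings += [f"MFA not enforced: {u['id']}" for u in evidence["users"] if not u["mfa"]]
    elif control == "AC-3":
        if not any(not d["allowed"] for d in evidence["decisions"]):
            findings.append("no deny decisions in sample; enforcement not demonstrated")
    elif control == "AU-2":
        if not evidence["audit_config"]["enabled"]:
            findings.append("audit logging disabled")
        missing = REQUIRED_AUDIT_FIELDS - set(evidence["audit_config"]["fields"])
        if missing:
            findings.append(f"audit records lack fields: {sorted(missing)}")
    else:  # no assessment rule: never report a control as implemented by default
        return {"status": "Not Implemented", "evidence": evidence, "findings": ["no assessment rule"]}
    return {"status": "Implemented" if not findings else "Partial", "evidence": evidence, "findings": findings}


def generate_report(framework, period_start, period_end):
    controls = {}
    for control, sources in CONTROL_SOURCES.items():
        # KeyError on an unmapped source aborts generation: fail closed rather than omit evidence.
        evidence = {s: COLLECTORS[s]() for s in sources}
        controls[control] = assess(control, evidence, period_end)
    return {
        "framework": framework,
        "period_start": period_start,
        "period_end": period_end,
        "generated_at": datetime.now(timezone.utc).isoformat(),  # inside the signed payload
        "controls": controls,
    }


def canonical(report):
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def sign_export(report, key):
    # HMAC-SHA256 stands in for the asymmetric signature a real deployment would use.
    body = canonical(report)
    return {"report": report, "sha256": hashlib.sha256(body).hexdigest(),
            "signature": hmac.new(key, body, "sha256").hexdigest()}


def verify_export(export, key):
    expected = hmac.new(key, canonical(export["report"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, export["signature"])


if __name__ == "__main__":
    key = b"constructed-demo-key"
    rpt = generate_report("fedramp-moderate", "2024-01-01", "2024-03-31")
    exp = sign_export(rpt, key)
    print({c: v["status"] for c, v in rpt["controls"].items()}, verify_export(exp, key))
```

The generation timestamp sits inside the signed payload, which is what makes it verifiable: altering it, or any control status, invalidates the signature. A production exporter would sign with an asymmetric key so auditors can verify without holding the secret, and would bind the report to a trusted time source rather than the generator's own clock.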
📋 Implementation Tasks
- Define compliance framework schemas (FedRAMP, HIPAA, SOC2)
- Create control-to-evidence mapping configuration
- Implement evidence collectors:
- User/role inventory collector
- Policy decision sample collector
- Configuration snapshot collector
- Audit log summary collector
- Create report template engine
- Implement PDF report generator
- Implement CSV/JSON export
- Add report scheduling
- Create Admin UI for report generation
- Write unit tests
- Create documentation
- Pass `make verify` checks
⚙️ Configuration Example
```yaml
compliance:
  frameworks:
    fedramp-moderate:
      enabled: true
      controls:
        - id: AC-2
          evidence_sources: [users, roles, teams]
        - id: AC-3
          evidence_sources: [policies, decisions]
        - id: AU-2
          evidence_sources: [audit_config]
    hipaa:
      enabled: true
      controls:
        - id: "164.312(a)(1)"
          evidence_sources: [access_controls, auth_logs]
  reporting:
    auto_generate: true
    schedule: "0 0 1 * *"  # Monthly
    retention_days: 2555   # 7 years
    export:
      formats: [pdf, csv, json]
      sign_reports: true
```
✅ Success Criteria
- FedRAMP Moderate report generation working
- HIPAA report generation working
- SOC2 Type II report generation working
- Evidence automatically collected from system
- Reports exportable in PDF, CSV, JSON
- Report scheduling functional
- Admin UI for report management
- 80%+ test coverage
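The configuration example above maps each control to its evidence sources. The following added example (written for this page, not project code) mirrors that YAML as a Python dict and validates it before any report is generated, so a control pointing at a collector that does not exist, a malformed schedule, or unsigned exports fail closed instead of silently producing a report with gaps. The collector registry, the supported format list and the individual checks are assumptions; PyYAML is not used so the block runs stand-alone.

```python
"""Added example (not project code): validate the compliance configuration
before report generation so misconfiguration fails closed."""
import copy
import re

# Collectors the generator knows how to run. The names come from the issue's
# config; the registry itself is an assumption of this example.
KNOWN_SOURCES = {"users", "roles", "teams", "policies", "decisions", "audit_config",
                 "access_controls", "auth_logs"}
KNOWN_FORMATS = {"pdf", "csv", "json"}

# The issue's YAML example, mirrored as a dict so no YAML library is needed.
CONFIG = {
    "compliance": {
        "frameworks": {
            "fedramp-moderate": {"enabled": True, "controls": [
                {"id": "AC-2", "evidence_sources": ["users", "roles", "teams"]},
                {"id": "AC-3", "evidence_sources": ["policies", "decisions"]},
                {"id": "AU-2", "evidence_sources": ["audit_config"]},
            ]},
            "hipaa": {"enabled": True, "controls": [
                {"id": "164.312(a)(1)", "evidence_sources": ["access_controls", "auth_logs"]},
            ]},
        },
        "reporting": {
            "auto_generate": True,
            "schedule": "0 0 1 * *",
            "retention_days": 2555,
            "export": {"formats": ["pdf", "csv", "json"], "sign_reports": True},
        },
    }
}

# Constructed misconfiguration: a typo'd evidence source, a 4-field cron, unsigned exports.
BAD_CONFIG = copy.deepcopy(CONFIG)
BAD_CONFIG["compliance"]["frameworks"]["fedramp-moderate"]["controls"][2]["evidence_sources"] = ["audit_cfg"]
BAD_CONFIG["compliance"]["reporting"]["schedule"] = "0 0 1 *"
BAD_CONFIG["compliance"]["reporting"]["export"]["sign_reports"] = False


def valid_cron(expr):
    """Loose structural check: five whitespace-separated fields of cron characters."""
    fields = expr.split()
    return len(fields) == 5 and all(re.fullmatch(r"[\d*/,-]+", f) for f in fields)


def validate(config):
    """Return a list of problems; an empty list means the config is usable."""
    problems = []
    comp = config.get("compliance", {})
    for name, fw in comp.get("frameworks", {}).items():
        if not fw.get("enabled"):
            continue
        if not fw.get("controls"):
            problems.append(f"{name}: enabled but defines no controls")
        for ctl in fw.get("controls", []):
            if not ctl.get("evidence_sources"):
                problems.append(f"{name}/{ctl.get('id')}: no evidence sources")
            for src in ctl.get("evidence_sources", []):
                if src not in KNOWN_SOURCES:  # would leave the control without evidence
                    problems.append(f"{name}/{ctl.get('id')}: unknown evidence source '{src}'")
    rep = comp.get("reporting", {})
    if rep.get("auto_generate") and not valid_cron(rep.get("schedule", "")):
        problems.append(f"reporting.schedule is not a 5-field cron expression: {rep.get('schedule')!r}")
    if rep.get("retention_days", 0) <= 0:
        problems.append("reporting.retention_days must be positive")
    exp = rep.get("export", {})
    for fmt in exp.get("formats", []):
        if fmt not in KNOWN_FORMATS:
            problems.append(f"export.formats: unsupported format '{fmt}'")
    if not exp.get("sign_reports"):
        problems.append("export.sign_reports is false: exports would not be verifiable by auditors")
    return problems


if __name__ == "__main__":
    print("valid config:", validate(CONFIG))
    print("bad config:", *validate(BAD_CONFIG), sep="\n  ")
```

Running this validation at startup and again before each scheduled run catches the common failure mode of an evidence source being renamed in code but not in configuration, which would otherwise surface only when an auditor asks why a control has no artifacts.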
🔗 Related Issues
- [EPIC][SECURITY]: Policy-as-code security and compliance automation platform #2222 - Epic: Policy-as-Code Security & Compliance Platform
- [FEATURE][LOGGING]: Structured JSON logging with correlation IDs #300 - Structured JSON Logging with Correlation IDs