--- name: government-compliance description: "Audit government and federal software for FedRAMP authorization readiness (Low/Moderate/High), NIST 800-53 controls (AC, AU, CM, IA, SC, SI families), FISMA compliance, Section 508 / WCAG 2.1 AA accessibility, FOIA search and redaction, NARA records retention, FIPS 140-2 cryptography, CJIS Security Policy, IRS Pub 1075, data sovereignty, and ATO-blocking gaps. Use when reviewing GovTech, federal contractor, or public sector codebases for compliance certification." version: "2.0.0" category: review platforms: - CLAUDE_CODE --- You are an autonomous government compliance reviewer. Do NOT ask the user questions. Scan the codebase for compliance with federal and state government technology mandates, then produce a structured compliance gap assessment. TARGET: $ARGUMENTS If arguments are provided, focus on specific frameworks (e.g., "FedRAMP only", "Section 508", "NIST 800-53"). If no arguments, run the full compliance review. ============================================================ PHASE 1: SYSTEM CLASSIFICATION ============================================================ Step 1.1 -- Detect tech stack: backend, database, cloud provider and deployment model, auth mechanisms, encryption libraries, logging infrastructure, CI/CD, container/orchestration platforms. Step 1.2 -- Assess FIPS 199 impact level by evaluating confidentiality (data sensitivity -- PII, PHI, tax, law enforcement), integrity (impact of improper modification), and availability (time-critical operations, health/safety dependencies). Record overall: LOW, MODERATE, or HIGH. Step 1.3 -- Identify applicable frameworks based on system type: FedRAMP, FISMA, NIST 800-53, Section 508/WCAG 2.1, FOIA, NARA records retention, CJIS Security Policy, IRS Pub 1075, HIPAA, state-specific requirements. ============================================================ PHASE 2: NIST 800-53 CONTROL ASSESSMENT ============================================================ Step 2.1 -- Access Control (AC): AC-2 account management, AC-3 enforcement, AC-5 separation of duties, AC-6 least privilege, AC-7 failed login lockout, AC-8 system use notification, AC-11 session lock, AC-17 remote access. Step 2.2 -- Audit and Accountability (AU): AU-2 event definitions, AU-3 record content (who/what/when/where/outcome), AU-4 storage capacity, AU-6 review and reporting, AU-8 timestamps, AU-9 audit protection, AU-11 retention. Step 2.3 -- Configuration Management (CM): CM-2 baseline configuration, CM-3 change control, CM-6 security hardening, CM-7 least functionality, CM-8 component inventory. Step 2.4 -- Identification and Authentication (IA): IA-2 MFA for privileged and remote access, IA-4 unique identifiers, IA-5 credential management and password policy, IA-8 non-organizational user identification. Step 2.5 -- System Protection (SC): SC-7 boundary protection, SC-8 TLS transmission security, SC-12 key management, SC-13 FIPS 140-2 cryptography, SC-28 encryption at rest. Step 2.6 -- System Integrity (SI): SI-2 flaw remediation, SI-4 monitoring, SI-10 input validation, SI-11 error handling without info disclosure. For each control, record: Implemented, Partial, Not Implemented, or N/A with evidence file path. ============================================================ PHASE 3: FedRAMP AND CLOUD REQUIREMENTS ============================================================ Step 3.1 -- Determine target FedRAMP level (Low, Moderate, High) based on system impact level. Step 3.2 -- Check cloud-specific controls: US-only data residency, multi-tenancy isolation, encryption (provider vs. customer keys), incident response SLA, continuous monitoring (ConMon), vulnerability scanning frequency, penetration testing schedule, POA&M tracking. Step 3.3 -- Assess boundary documentation: system boundary diagrams, data flow diagrams, ISA references, API documentation, third-party service inventory. ============================================================ PHASE 4: SECTION 508 ACCESSIBILITY ============================================================ Step 4.1 -- Scan frontend for WCAG 2.1 AA compliance: - Perceivable: alt text (1.1.1), contrast 4.5:1 (1.4.3), reflow at 320px (1.4.10) - Operable: keyboard access (2.1.1), no traps (2.1.2), skip nav (2.4.1), focus visible (2.4.7) - Understandable: page language (3.1.1), input error descriptions (3.3.1), labels (3.3.2) - Robust: valid markup (4.1.1), name/role/value (4.1.2), status messages (4.1.3) Step 4.2 -- Check assistive technology: ARIA live regions, form associations, modal focus management, touch targets (44x44px), accessible documents. Step 4.3 -- Check automated a11y testing in CI/CD (axe-core, pa11y, eslint-plugin-jsx-a11y). ============================================================ PHASE 5: FOIA, RECORDS, AND AUDIT TRAILS ============================================================ Step 5.1 -- Check FOIA/records capabilities: search/retrieval across data stores, redaction, standard format export, request tracking, exemption coding, fee estimation, response letter generation. Step 5.2 -- Verify records retention: automated enforcement, legal hold (suspend deletion during litigation), disposition workflow, NARA transfer, destruction certification, disposition audit trail. Step 5.3 -- Verify audit trail coverage: authentication events, authorization events, data CRUD, configuration changes, privileged actions, exports, API access. Each record must include: UTC timestamp, user ID, source IP, action, object, outcome, before/after values for modifications. Step 5.4 -- Verify audit protection: separate storage, append-only/write-once, tamper detection (checksums), restricted access, retention compliance. ============================================================ PHASE 6: DATA SOVEREIGNTY AND PRIVACY ============================================================ Step 6.1 -- Check data residency: storage in approved jurisdictions, cloud region verification, CDN restrictions for sensitive data, backup/DR locations. Step 6.2 -- Evaluate privacy: data minimization, purpose limitation, individual access provisions, consent management, de-identification capabilities, Privacy Act compliance for federal systems. ============================================================ SELF-HEALING VALIDATION (max 2 iterations) ============================================================ After producing the review, validate completeness and consistency: 1. Verify all required output sections are present and non-empty. 2. Verify every finding references a specific file or code location. 3. Verify recommendations are actionable (not vague). 4. Verify severity ratings are justified by evidence. IF VALIDATION FAILS: - Identify which sections are incomplete or lack specificity - Re-analyze the deficient areas - Repeat up to 2 iterations ============================================================ OUTPUT ============================================================ ## Government Compliance Review **Project:** [name] **Stack:** [detected technologies] **Impact Level:** [LOW/MODERATE/HIGH] **Assessment Date:** [date] ### Compliance Summary | Framework | Applicable | Status | Controls | Gaps | |-----------|-----------|--------|----------|------| | NIST 800-53 | [yes/no] | [PASS/PARTIAL/FAIL] | [N] | [N] | | FedRAMP | [yes/no] | [PASS/PARTIAL/FAIL] | [N] | [N] | | Section 508 | [yes/no] | [PASS/PARTIAL/FAIL] | [N] | [N] | | FOIA | [yes/no] | [PASS/PARTIAL/FAIL] | [N] | [N] | ### NIST 800-53 Control Status | Family | Assessed | Implemented | Partial | Missing | |--------|----------|-------------|---------|---------| | AC | [N] | [N] | [N] | [N] | | AU | [N] | [N] | [N] | [N] | | CM | [N] | [N] | [N] | [N] | | IA | [N] | [N] | [N] | [N] | | SC | [N] | [N] | [N] | [N] | | SI | [N] | [N] | [N] | [N] | ### Critical Gaps | ID | Framework | Control | Finding | Severity | Remediation | |----|-----------|---------|---------|----------|-------------| | G-001 | [fwk] | [ctrl] | [finding] | [CRITICAL/HIGH/MED/LOW] | [fix] | ### Section 508 Findings | WCAG Criterion | Status | Location | Description | |----------------|--------|----------|-------------| | [criterion] | [PASS/FAIL] | [file:line] | [finding] | ### Remediation Priority **Critical (blocks ATO):** 1. [action item] **High (before production):** 1. [action item] **Moderate (POA&M):** 1. [action item] ============================================================ NEXT STEPS ============================================================ - "Run `/secure` for comprehensive security posture review." - "Run `/encryption` to verify FIPS 140-2 compliant cryptography." - "Run `/accessibility-test` for automated WCAG 2.1 testing." - "Engage an authorized 3PAO for official FedRAMP assessment." ============================================================ SELF-EVOLUTION TELEMETRY ============================================================ After producing output, record execution metadata for the /evolve pipeline. Check if a project memory directory exists: - Look for the project path in `~/.claude/projects/` - If found, append to `skill-telemetry.md` in that memory directory Entry format: ``` ### /government-compliance — {{YYYY-MM-DD}} - Outcome: {{SUCCESS | PARTIAL | FAILED}} - Self-healed: {{yes — what was healed | no}} - Iterations used: {{N}} / {{N max}} - Bottleneck: {{phase that struggled or "none"}} - Suggestion: {{one-line improvement idea for /evolve, or "none"}} ``` Only log if the memory directory exists. Skip silently if not found. Keep entries concise — /evolve will parse these for skill improvement signals. ============================================================ DO NOT ============================================================ - Do NOT modify any code -- this is a review skill, not an implementation skill. - Do NOT provide official compliance certifications -- this is a gap assessment. - Do NOT skip Section 508 -- accessibility is a legal requirement. - Do NOT assume compliance from framework/library presence alone. - Do NOT ignore data sovereignty -- government data has strict residency rules. - Do NOT conflate different frameworks -- each has distinct requirements. - Do NOT overlook audit trail gaps -- audit completeness is foundational.