Key Concepts

Program

A system or application being managed for compliance. Maps to one authorization boundary. A program can span multiple repositories but represents a single system under evaluation — for example, a single FedRAMP application, a single CMMC-scoped information system, or a single DoD RMF authorization package.

Evaluation

A full run of all 9 RAMPART gates against a repository at a specific commit SHA. An evaluation produces a set of gate results, findings, and evidence artifacts. Every push to a connected repository triggers an evaluation automatically.

Gate

A compliance check run by RAMPART as part of an evaluation. Each gate returns one of four decisions:

Decision   Meaning
PASS       The gate check succeeded with no issues
WARN       The gate could not fully run (missing evidence is itself a signal)
FAIL       The gate found a compliance violation
BLOCK      The gate found a critical violation that blocks deployment

Finding

A specific compliance violation detected by a RAMPART gate, scanner, or integration. Every finding has:

  • Severity (CRITICAL / HIGH / MEDIUM / LOW / INFO)
  • NIST SP 800-53 control mapping
  • Remediation status (open / remediated / accepted risk / deferred)
  • Scanner origin

Control Implementation

A NIST 800-53 or 800-171 control, its implementation status, and the narrative describing how it is satisfied. Status values:

  • IMPLEMENTED — fully implemented and evidenced
  • PARTIALLY_IMPLEMENTED — partially implemented, remainder documented in POA&M
  • NOT_IMPLEMENTED — not yet implemented; in POA&M

POA&M

Plan of Action and Milestones. Documents known weaknesses, the plan to mitigate them, and scheduled remediation dates. Required for FedRAMP and DoD RMF programs.

Source: NIST SP 800-53 Rev 5, CA-5

ATO

Authority to Operate. The official decision by an Authorizing Official (AO) that a system may operate at an acceptable risk level. The AO grants the ATO based on the security authorization package, which includes the SSP, SAR, and POA&M.

Source: DoD RMF

cATO

Continuous ATO. An ongoing authorization model where real-time monitoring data replaces periodic assessment. Under cATO, the AO's authorization decision remains valid as long as the system stays within defined risk parameters and monitoring is continuous and evidenced.

SPRS Score

Supplier Performance Risk System score. A numeric score ranging from -203 to +110 that represents a contractor's cybersecurity posture under NIST SP 800-171.

The score is derived from the DoD Assessment Methodology:

  • Each of the 110 practices has a weighted point value
  • The maximum achievable score is +110
  • Practices not yet implemented reduce the score
  • The minimum score (-203) reflects complete non-implementation

Contractors must enter their self-assessment score into SPRS within 30 days of conducting an assessment.

Source: SPRS
Methodology: DoD NIST SP 800-171 Assessment Methodology v1.2.1

CUI

Controlled Unclassified Information. Information the Government creates or possesses, or that an entity creates or possesses on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

Source: CUI Registry — National Archives

OSCAL

Open Security Controls Assessment Language. A NIST-developed set of formats (XML, JSON, YAML) for representing security control catalogs, baselines, system security plans, assessment plans, assessment results, and POA&Ms. FedRAMP 20x requires OSCAL-formatted authorization packages.

SSP

System Security Plan. The primary document that describes how a system implements security controls. REAEGIS generates the SSP from real evidence — control narratives are drafted from actual scanner output, not manually entered descriptions.

CCB

Change Control Board. The body that reviews and approves changes to a system under configuration management control. REAEGIS generates Change Requests (CRs) from the ARE remediation pipeline and routes them through the CCB workflow before creating pull requests.

Source: NIST SP 800-53 Rev 5, CM-3

FCI

Federal Contract Information. Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.

SBOM

Software Bill of Materials. A formal, machine-readable inventory of software components and their dependencies. REAEGIS generates CycloneDX SBOMs for every evaluated system and uses them for supply chain risk analysis.
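The kind of supply chain analysis an SBOM enables, as an added example that is not REAEGIS code: it parses a CycloneDX JSON document, inverts its dependency graph, matches components against an advisory list, and emits findings shaped like the ones described above (severity, open status). The SBOM, the advisory entries and their ADV-EXAMPLE identifiers are all constructed sample data, and the version comparison is a simplified dotted-integer compare rather than a full PEP 440 implementation.

```python
"""Added example: vulnerable-component analysis over a CycloneDX SBOM.
Not REAEGIS code; all data below is constructed for illustration."""
import json
from typing import Dict, List

# Severity ranking matching the Finding definition (most severe first).
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"]

# Constructed CycloneDX 1.5 SBOM: three components and their dependency graph.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.19.0", "type": "library",
         "name": "requests", "version": "2.19.0", "purl": "pkg:pypi/requests@2.19.0"},
        {"bom-ref": "pkg:pypi/urllib3@1.23", "type": "library",
         "name": "urllib3", "version": "1.23", "purl": "pkg:pypi/urllib3@1.23"},
        {"bom-ref": "pkg:pypi/certifi@2024.2.2", "type": "library",
         "name": "certifi", "version": "2024.2.2", "purl": "pkg:pypi/certifi@2024.2.2"},
    ],
    "dependencies": [
        {"ref": "pkg:pypi/requests@2.19.0",
         "dependsOn": ["pkg:pypi/urllib3@1.23", "pkg:pypi/certifi@2024.2.2"]},
        {"ref": "pkg:pypi/urllib3@1.23", "dependsOn": []},
        {"ref": "pkg:pypi/certifi@2024.2.2", "dependsOn": []},
    ],
})

# Constructed advisory feed. The ADV-EXAMPLE ids are placeholders, not real CVEs.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "urllib3", "vulnerable_below": "1.24.2", "severity": "HIGH"},
    {"id": "ADV-EXAMPLE-0002", "name": "requests", "vulnerable_below": "2.20.0", "severity": "MEDIUM"},
]


def load_sbom(text: str) -> dict:
    """Parse a CycloneDX JSON document and check the fields the analysis relies on."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if not isinstance(bom.get("components"), list):
        raise ValueError("SBOM has no components list")
    return bom


def parse_version(version: str) -> tuple:
    """Simplified compare: dotted integers only, non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def dependents(bom: dict) -> Dict[str, List[str]]:
    """Invert the CycloneDX dependency graph: component ref -> refs that depend on it."""
    parents: Dict[str, List[str]] = {}
    for entry in bom.get("dependencies", []):
        for child in entry.get("dependsOn", []):
            parents.setdefault(child, []).append(entry["ref"])
    return parents


def find_vulnerable(bom: dict, advisories: List[dict]) -> List[dict]:
    """Return one open finding per (component, advisory) match, most severe first.
    'depended_on_by' tells the remediator which parent pulls the component in."""
    parents = dependents(bom)
    by_name: Dict[str, List[dict]] = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)
    findings = []
    for comp in bom["components"]:
        for adv in by_name.get(comp.get("name"), []):
            if parse_version(comp["version"]) < parse_version(adv["vulnerable_below"]):
                ref = comp.get("bom-ref") or comp.get("purl")
                findings.append({
                    "component": comp["purl"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "depended_on_by": sorted(parents.get(ref, [])),
                    "status": "open",
                })
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    return findings


def analyze(sbom_text: str = SAMPLE_SBOM, advisories: List[dict] = SAMPLE_ADVISORIES) -> List[dict]:
    """Run the full pipeline on the constructed sample data."""
    return find_vulnerable(load_sbom(sbom_text), advisories)


if __name__ == "__main__":
    for finding in analyze():
        print(f"{finding['severity']:8} {finding['component']} ({finding['advisory']}) "
              f"pulled in by: {finding['depended_on_by'] or 'direct'}")
```

On the sample data this reports urllib3 1.23 as a HIGH finding reached through requests, and requests 2.19.0 as a MEDIUM direct finding; certifi matches no advisory and produces nothing. The inverted graph is the part worth keeping: upgrading the parent that pins a vulnerable transitive dependency is usually the actual remediation, and the SBOM is what makes that parent visible.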