
Efterlev

Compliance automation for SaaS companies pursuing their first FedRAMP 20x Class C (Moderate) authorization.

Scans your Terraform for KSI-level evidence. Drafts FRMR-compatible validation data for your 3PAO. Proposes code-level remediations you can apply today. Runs locally — no SaaS, no telemetry, no procurement cycle.

Get started · The ISV journey · Read the concepts · View on GitHub

New to FedRAMP 20x? The ISV journey maps the seven stages from "should we do this?" to continuous monitoring, and says plainly where Efterlev helps and where it doesn't.

pipx install efterlev
cd path/to/your-repo
efterlev init --baseline fedramp-20x-moderate
efterlev report run                          # init → scan → gap → document → poam → oscal, one command

Just want to see it? efterlev studio opens a local browser app on sample data — no key, no setup. See Efterlev Studio.

Pronounced "EF-ter-lev." From Swedish efterlevnad (compliance).


What it does

  • Scans Terraform, AWS CloudFormation, and Python CDK source for evidence of FedRAMP 20x Key Security Indicators (KSIs), backed by NIST 800-53 Rev 5 controls.
  • Ingests runtime-tool findings — AWS Security Hub, AWS Config, and Prowler — into the same provenance store as the IaC scanner (file-based; no AWS API calls).
  • Drafts FRMR-compatible attestation JSON grounded in that evidence, with every assertion citing its source line.
  • Proposes code-level remediation diffs for detected gaps.
  • Emits machine-readable validation data — FRMR attestations plus OSCAL 1.0.4 POA&M and Component-Definition — ready for 3PAO review and the FedRAMP 20x automated validation pipeline.
  • Visualizes the whole run in Efterlev Studio, a local browser app.
  • Traces every generated claim back to the source line that produced it.

Everything runs locally. The only outbound network call is to your configured LLM endpoint (Anthropic direct or AWS Bedrock for GovCloud) for reasoning tasks. Scanner output is deterministic and offline.

What it doesn't do

  • It does not produce an Authorization to Operate. Humans and 3PAOs do that.
  • It does not certify compliance. It produces drafts that accelerate the human review cycle.
  • It does not guarantee generated narratives are correct. Every LLM-generated artifact is marked DRAFT — requires human review.
  • It does not cover SOC 2, ISO 27001, HIPAA, or GDPR. Other tools serve those well.
  • It does not scan live cloud infrastructure yet. Planned for v1.5+.

Full accounting in LIMITATIONS.md


Why Efterlev

A 100-person SaaS company just got told by its biggest prospect: "we'll buy, but only if you're FedRAMP Class C (Moderate) by next year."

The team looks at each other. Nobody's done this before. They google it and find:

  • Consulting engagements starting at $250K
  • SaaS compliance platforms that cover SOC 2 beautifully but treat FedRAMP as a footnote
  • Enterprise GRC tooling priced for the wrong scale
  • Spreadsheets, Word templates, and a NIST document family that runs to thousands of pages

What they actually need is something that reads their infrastructure-as-code — whatever flavor they use — and tells them, in their own language, what's wrong and how to fix it. Something a single engineer can install on a Tuesday and show results at Wednesday's standup. Something whose output is concrete enough that their 3PAO can use it — and whose claims are honest enough that the 3PAO won't throw it out.

Efterlev is that tool.

Read the full ICP


How it's built

Three layers, each with a clear job.

  • Detectors — small deterministic Python rules that read Terraform / CloudFormation / CDK source (and .github/workflows/) and emit evidence. 66 ship today, covering 37 of 60 KSIs across 10 themes; the long-term plan is hundreds, contributed by the community.
  • Primitives — typed functions that wrap the things agents need to do: load a catalog, validate output, render a report. Stable interface layer.
  • Agents — reasoning loops that compose primitives. Three: Gap (classify each KSI), Documentation (draft FRMR attestations), Remediation (propose code-level fixes).
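As an illustration of the detector layer (added here; not Efterlev's own code or API), a deterministic Python rule that reads Terraform source, checks each aws_s3_bucket for a matching server-side-encryption configuration resource, and emits evidence records that cite the source line each claim traces back to. The Evidence dataclass, the KSI label and the sample Terraform are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed Terraform sample (not from a real repo): one encrypted bucket, one not.
SAMPLE_TF = """\
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
  bucket = aws_s3_bucket.logs.id
  rule {
    apply_server_side_encryption_by_default { sse_algorithm = "aws:kms" }
  }
}
resource "aws_s3_bucket" "scratch" {
  bucket = "example-scratch"
}
"""

@dataclass(frozen=True)
class Evidence:
    ksi: str       # hypothetical label; not a real FRMR KSI id
    resource: str  # Terraform resource address the claim is about
    status: str    # "satisfied" or "gap"
    file: str
    line: int      # 1-based source line the claim traces back to

RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
BUCKET_REF_RE = re.compile(r'^\s*bucket\s*=\s*aws_s3_bucket\.(\w+)\.id\b')
SSE_TYPE = "aws_s3_bucket_server_side_encryption_configuration"

def detect_s3_encryption(source: str, path: str = "main.tf") -> list[Evidence]:
    """Deterministic, offline rule: each aws_s3_bucket needs a matching SSE
    configuration resource. One Evidence record per bucket, citing the line
    of the SSE block (satisfied) or of the bare bucket (gap)."""
    buckets: dict[str, int] = {}    # bucket name -> declaring line
    sse_for: dict[str, int] = {}    # bucket name -> line of its SSE resource
    current = None                  # (type, name, line) of the enclosing resource
    for lineno, line in enumerate(source.splitlines(), start=1):
        if m := RESOURCE_RE.match(line):
            current = (m.group(1), m.group(2), lineno)
            if m.group(1) == "aws_s3_bucket":
                buckets[m.group(2)] = lineno
        elif (ref := BUCKET_REF_RE.match(line)) and current and current[0] == SSE_TYPE:
            sse_for[ref.group(1)] = current[2]
    return [
        Evidence("KSI-EXAMPLE-ENCRYPT", f"aws_s3_bucket.{name}",
                 "satisfied" if name in sse_for else "gap",
                 path, sse_for.get(name, bline))
        for name, bline in buckets.items()]
```

A real detector would parse HCL rather than match lines, but the shape is the same: a pure function from source text to evidence records, each carrying the file and line a reviewer can open to verify the claim.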

Read the architecture overview


Status

  • v0.1.214 current (2026-05-30): 200+ patch releases since v0.1.0 (2026-04-29), each shipped under a per-fix regression-test discipline and the full CI gate (mypy strict, ruff, doc-drift check, real-API E2E smoke). Highlights: a scanner for Terraform, CloudFormation (default-on since v0.1.99), and Python CDK source (v0.1.131); FRMR attestation output plus OSCAL 1.0.4 POA&M and Component-Definition (default-on in report run, triple-validated against the NIST schema, a FedRAMP rule layer, and NIST oscal-cli); runtime-tool ingestion of AWS Security Hub / Config / Prowler findings into the same provenance store (v0.1.124); Efterlev Studio, the local browser visualization; and the AWS GovCloud Bedrock backend, with Bedrock Claude Haiku 4.5 maintainer-validated as quality-neutral. Distribution is PyPI + container + GitHub Action, every release cosign-signed with SLSA provenance. Full per-release detail in the CHANGELOG.
  • Open source: Apache 2.0. Pure OSS — no commercial tier, no paid layer, no managed SaaS at this time. Why.
  • Governance: BDFL today, technical steering committee at 10 sustained contributors. Details.

External context — what AWS recommends

For AWS-native CSPs, AWS published two FedRAMP 20x guidance pieces:

Efterlev's positioning relative to the AWS-native pattern is complementary: AWS Config / Security Hub evaluate runtime state on a 3-day cadence; Efterlev evaluates pre-deploy IaC during the dev loop. Customers pursuing FedRAMP need both. The AWS posts also frame the FRMR catalog as 63 KSIs (counting 3 cross-cutting CSX KSIs); Efterlev counts the same catalog as 60 thematic KSIs. See csx-mapping.md for how Efterlev's existing artifacts already satisfy the CSX KSIs.


Efterlev is built for the VP Eng or DevSecOps lead whose CEO just said "we need FedRAMP" and who needs to know, by Monday, where they actually stand.