ATO AS CODE (ATAC)
automated compliance controls
ATO AS CODE Checklist
Per-control automated checks · click any card to drill into evidence and remediation
Click Run Scan to check this AWS account against your compliance controls.
Analytics · Visual Summary
Posture, trends, and coverage at a glance · refreshes after every scan
Catalog Coverage
of controls in scope
Open POA&M Items
tracked for remediation
Top 10 Priorities
Weighted by control criticality × severity · click a row to jump to its card
Findings by Control Family
Active checks grouped by control family
Expiring Attestations
Next 90 days · click a row to upload a renewal
OSCAL Implementation Status
Catalog controls · implemented / partial / planned
POA&M by Risk Level
Open action items · high / moderate / low
Frameworks · Multi-Standard Posture
Open findings per compliance framework and the shared-responsibility split · from Security Hub
Frameworks
Shared-Responsibility Split
Framework Catalog · toggle on/off
Audit Manager · Evidence & Assessments
Frameworks beyond Security Hub standards · continuous evidence collection
ATO Review Summary
Overall state of the review · trends · regression detection
Regression Since Last Scan
Newly failing vs newly passing
Need at least 2 scans to compute regression
Plan of Action & Milestones
Auto-generated from latest scan · sorted by ETA · click any row to expand
Total open
Past ETA
Auto-generated
| Control | Title | Risk | Status | ETA | Days |
|---|---|---|---|---|---|
ATO Package — OSCAL 1.1.2 Evidence
Machine-readable compliance artifacts for your annual ATO recertification
Catalog Coverage
Recommended
Complete ATO Bundle
All three OSCAL artifacts (SSP + SAR + POA&M) plus coverage metadata in one JSON file. This is what you hand to your assessor.
SSP
System Security Plan — how each control is implemented. Edit parties/roles metadata post-generation.
SAR
Security Assessment Results — latest scan outcomes as OSCAL findings & observations. Annual assessment evidence.
POA&M
Plan of Action & Milestones — open findings with risk level and estimated remediation dates.
Validate Before Submission
Runs an inline structural validator over SSP/SAR/POA&M: UUIDs, enum values, cross-references. Catches most schema issues before your assessor sees them.
SSP as Document (HTML)
Human-readable SSP formatted as a standard ATO document. Opens in Word (saves as .docx), prints cleanly to PDF, viewable in any browser.
POA&M as Document (HTML)
Human-readable POA&M with risk-prioritized open items, summary statistics, and remediation schedule rationale.
Before submitting: the OSCAL output contains placeholder values for the System Owner, ISSO, Authorizing Official, and Organization metadata. Edit those fields in the downloaded JSON before handing it to your assessor. Also complete the manual-evidence controls (AC-8, CA-8, CM-7(2), CP-2, RA-5(11), SR-8, SR-11(1), SR-12) with policy and procedure documentation attached separately.