EXP-002

Soteria

RMF Compliance Engine.

// CORE QUESTION

"What if federal cybersecurity compliance was automated, continuous, and machine-verifiable, from developer commit through production deployment?"

Soteria is a compliance intelligence engine designed to automate, validate, and continuously monitor the full lifecycle of federal cybersecurity evidence. It sits at the intersection of RMF, DevSecOps, and automated assurance, turning what is normally a document-driven burden into a data-driven, machine-verifiable workflow.

Soteria provides traceable, automated, evidence-driven assurance from developer commit through production deployment and continuous monitoring enabling faster, safer, and more defensible Authorization to Operate (ATO) decisions.

Soteria
// 01

Three Things. At the Core.

// 01

Automates Evidence Acquisition

Soteria ingests and normalizes compliance artifacts from any source, converting them into structured, queryable evidence objects with provenance, timestamps, and cryptographic integrity markers.

STIG Viewer outputs
SCAP/OVAL results
Cloud configuration baselines
CI/CD pipeline scans
Manual artifacts (PDF, XLSX, DOCX)
API-level telemetry from deployed systems
// 02

Maintains Continuous Authorization State

Soteria acts as the guardian of the system's authorization posture tracking drift, detecting evidence expiration, monitoring configuration changes, and generating real-time POA&M updates.

Drift detection from approved baselines
Evidence expiration tracking
Configuration change monitoring
Real-time POA&M generation
Continuous monitoring dashboards
Automated ATO renewal workflows
// 03

Performs Machine-Reasoned Control Evaluation

Instead of human-driven checklist review, Soteria applies automated scoring, correlation, and risk-weighted prioritization aligned with NIST 800-53 Rev 5, FedRAMP, and DoD CC SRG.

Control-to-evidence mapping
Automated pass/fail scoring
Gap detection
Control inheritance resolution
Cross-artifact correlation
Risk-weighted prioritization
// 02

Evidence as Structured Data, Not Documents

Soteria ingests and normalizes compliance artifacts from any source, converting them into structured, queryable evidence objects with provenance, timestamps, and cryptographic integrity markers.

Soteria
"Evidence becomes a living dataset."
// SOURCES INGESTED

STIG Viewer Outputs

Automated ingestion and normalization of STIG compliance data.

SCAP / OVAL Results

Machine-readable security configuration results parsed directly.

Cloud Configuration Baselines

AWS, Azure, GCP configuration compliance baselines.

CI/CD Pipeline Scans

Integration with build pipelines for continuous evidence capture.

Manual Artifacts

PDF, XLSX, DOCX artifacts normalized into structured evidence objects.

API-Level Telemetry

Real-time telemetry from deployed systems via API integration.

// EVIDENCE OBJECT STRUCTURE
Provenance (source, ingestion path)
Timestamps (creation, ingestion, expiration)
Cryptographic integrity markers
Control mapping (NIST 800-53 ID)
Pass/fail state
Drift delta from baseline
Audit trail (all changes persisted)
// 03

ATO as a State, Not an Event

Soteria acts as the guardian of the system's authorization posture. ATO is not a certificate issued once, it is a state that must be maintained continuously. Soteria makes that state visible, trackable, and defensible at all times.

Soteria
"ATO becomes a state, not an event."

Drift Detection

Real-time detection of deviation from approved configuration baselines. Drift is surfaced immediately, not at the next audit cycle.

Evidence Expiration Tracking

Every evidence object has an expiration lifecycle. Soteria tracks expiration proactively and alerts before evidence becomes stale.

Configuration Change Monitoring

Every configuration change is captured, timestamped, and assessed for control impact. Changes that affect authorization posture are flagged immediately.

Real-Time POA&M Generation

Plan of Action & Milestones entries are generated automatically when controls enter a gap or violation state, not manually assembled before audits.

Continuous Monitoring Dashboards

Live authorization posture visible at all times to ISSOs, AOs, and program managers. No waiting for the next assessment to know current state.

Automated ATO Renewal Workflows

ATO renewal is a continuous process, not a periodic sprint. Soteria maintains the evidence record needed for renewal as an ongoing operation.

// 04

Objective, Repeatable, Audit-Ready

Instead of human-driven checklist review, Soteria applies automated scoring, correlation, and risk-weighted prioritization. Control evaluation is objective, repeatable, and produces consistent results regardless of who runs it.

"Objective, repeatable, audit-ready outcomes."
Soteria

Control-to-Evidence Mapping

Every control in the NIST 800-53, FedRAMP, or DoD CC SRG catalog is mapped to the evidence objects that satisfy it. The mapping is explicit, traceable, and machine-verifiable.

Automated Pass/Fail Scoring

Controls are scored automatically based on the evidence in the system. Pass/fail decisions are deterministic. The same evidence produces the same result every time.

Gap Detection

Controls without sufficient evidence are identified automatically. Gaps are surfaced before audits, not discovered during them.

Risk-Weighted Prioritization

Controls are prioritized by risk weight, control family criticality, and mission relevance. The most important gaps get addressed first.

// CROSS-ARTIFACT CORRELATION

Soteria correlates evidence across multiple artifacts to satisfy controls that require evidence from more than one source. A control satisfied by a combination of a STIG result, a CI/CD scan, and a configuration baseline is handled natively, no manual cross-referencing.

// CONTROL INHERITANCE RESOLUTION

Controls inherited from platform or agency overlays are resolved automatically. Programs do not re-prove what has already been proven at a higher level.

// 05

What Changes When Compliance Is Data-Driven

Soteria replaces manual, document-centric RMF workflows with automated, data-driven, machine-verifiable authorization pipelines.

Evidence Handling

LEGACY

Treat evidence as static documents · Manual upload, tagging, review · No provenance or cryptographic integrity · Evidence becomes stale without human refresh

SOTERIA

Treats evidence as structured data objects · Automatically ingests STIGs, SCAP/OVAL, cloud baselines, CI/CD scans · Normalizes into a queryable evidence graph · Tracks provenance, timestamps, expiration, and drift

// Evidence becomes a living dataset.

Control Evaluation

LEGACY

Checklist-driven and subjective · Human interpretation required for every control · No automated scoring or correlation · Inconsistent results across assessors

SOTERIA

Machine-reasoned control evaluation · Automated pass/fail scoring · Cross-artifact correlation · Risk-weighted prioritization and inheritance resolution

// Objective, repeatable, audit-ready outcomes.

Continuous Monitoring

LEGACY

Periodic manual review · No evidence expiration tracking · No real-time drift detection · POA&M updates require human intervention

SOTERIA

Real-time drift detection · Evidence expiration alerts + automated refresh · Continuous POA&M generation · Live dashboards showing authorization posture

// ATO becomes a state, not an event.

Integration & Automation

LEGACY

Limited or no API integration · Not designed for DevSecOps pipelines · Manual data entry dominates workflows · No automated RMF lifecycle execution

SOTERIA

Full API-driven ingestion and dispatch · Integrates with CI/CD, cloud APIs, telemetry feeds · Automated RMF lifecycle (Categorize → Monitor) · Outbox-pattern dispatch for reliability

// Compliance becomes part of the software factory.

Auditability & Transparency

LEGACY

Opaque evidence trails · No tracking of failures or retries · Auditors rely on screenshots and narratives

SOTERIA

Full audit trail for every evidence object · Dispatches, retries, failures persisted · Machine-verifiable integrity and provenance

// Machine-verifiable assurance.

Mission Fit

LEGACY

Built for document management · Not designed for cloud or telemetry-rich systems · Reactive, slow, labor-intensive

SOTERIA

Data-driven, automated, continuous authorization · Designed for cloud, pipelines, telemetry ecosystems · Enables high-tempo missions and rapid fielding

// Aligns with modern federal mission tempo.
// 06

When Compliance Becomes Automated

When compliance becomes automated, continuous, and evidence-driven, the operational, financial, and strategic gains are transformative.

Soteria
// TIME
ATO TIMELINE 9–18 months → 3–6 months
REDUCTION 50–70% faster
CONTROL REVIEW 700–2,100 hours → <10 hours
REDUCTION 95%+ hours saved
CONTINUOUS MONITORING 40–120 hours/cycle → zero manual refresh
// COST
LABOR $500k–$1.2M → $150k–$350k (50–75% saved)
REWORK AVOIDED $100k–$300k saved annually
DEPLOYMENT DELAYS AVOIDED $250k–$500k per release
// STRATEGIC
Mission advantage from faster fielding
50–70% less AO/ISSO review time
Reusable pipelines and mappings across programs
// THE BOTTOM LINE

Soteria does not reduce compliance rigor. It eliminates compliance waste, the human hours spent re-proving what the system already knows, re-assembling evidence that was already generated, and re-reviewing controls that have not changed. The rigor stays. The ceremony goes.

// 07

Open Questions

The questions Soteria cannot yet answer. The reason the experiment is still running.

"What signals indicate that Soteria should escalate from automation to human review, and how are those thresholds learned or tuned?"

// Active area of development.

"How does Soteria quantify uncertainty in its assessments, and how should that uncertainty be communicated?"

// Partially addressed, not yet well-characterized.

"How does Soteria evolve as federal frameworks evolve? Does it adapt automatically, or does it require human updates?"

// Emerging priority, with each new NIST update.

"What is the long-term role of Soteria in federal cybersecurity: assistant, auditor, or autonomous compliance officer?"

// Complete autonomy? Not likely, but what if?