Efterlev

Compliance automation for SaaS companies pursuing their first FedRAMP Moderate authorization via the FedRAMP 20x pilot.

Scans your Terraform for KSI-level evidence. Drafts FRMR-compatible validation data for your 3PAO. Proposes code-level remediations you can apply today. Runs locally — no SaaS, no telemetry, no procurement cycle.

pipx install efterlev
cd path/to/your-repo
efterlev init --baseline fedramp-20x-moderate
efterlev report run                          # init → scan → gap → document → poam, one command

Pronounced "EF-ter-lev." From Swedish efterlevnad (compliance).


What it does

  • Scans Terraform source for evidence of FedRAMP 20x Key Security Indicators (KSIs), backed by NIST 800-53 Rev 5 controls.
  • Drafts FRMR-compatible attestation JSON grounded in that evidence, with every assertion citing its source line.
  • Proposes code-level remediation diffs for detected gaps.
  • Emits machine-readable validation data ready for 3PAO review and the FedRAMP 20x automated validation pipeline.
  • Traces every generated claim back to the source line that produced it.

Everything runs locally. The only outbound network call is to your configured LLM endpoint (Anthropic direct or AWS Bedrock for GovCloud) for reasoning tasks. Scanner output is deterministic and offline.

What it doesn't do

  • It does not produce an Authorization to Operate. Humans and 3PAOs do that.
  • It does not certify compliance. It produces drafts that accelerate the human review cycle.
  • It does not guarantee generated narratives are correct. Every LLM-generated artifact is marked DRAFT — requires human review.
  • It does not cover SOC 2, ISO 27001, HIPAA, or GDPR. Other tools serve those well; see comparisons.
  • It does not scan live cloud infrastructure yet. v1.5+.

Full accounting in LIMITATIONS.md


Why Efterlev

A 100-person SaaS company just got told by its biggest prospect: "we'll buy, but only if you're FedRAMP Moderate by next year."

The team looks at each other. Nobody's done this before. They google it and find:

  • Consulting engagements starting at $250K
  • SaaS compliance platforms that cover SOC 2 beautifully but treat FedRAMP as a footnote
  • Enterprise GRC tooling priced for the wrong scale
  • Spreadsheets, Word templates, and a NIST document family that runs to thousands of pages

What they actually need is something that reads their infrastructure-as-code — whatever flavor they use — and tells them, in their own language, what's wrong and how to fix it. Something a single engineer can install on a Tuesday and show results at Wednesday's standup. Something whose output is concrete enough that their 3PAO can use it — and whose claims are honest enough that the 3PAO won't throw it out.

Efterlev is that tool.

Read the full ICP


How it's built

Three layers, each with a clear job.

  • Detectors — small deterministic Python rules that read Terraform (or .github/workflows/) and emit evidence. 51 ship today (v0.1.35) covering 36 of 60 KSIs across 9 themes; the long-term plan is hundreds, contributed by the community.
  • Primitives — typed functions that wrap the things agents need to do: load a catalog, validate output, render a report. Stable interface layer.
  • Agents — reasoning loops that compose primitives. Three: Gap (classify each KSI), Documentation (draft FRMR attestations), Remediation (propose code-level fixes).
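The detector layer is the easiest to picture with code. What follows is an added illustration, not Efterlev's own detector code or API: a small deterministic rule that reads Terraform source, decides whether each `aws_s3_bucket` has a matching `aws_s3_bucket_server_side_encryption_configuration`, and emits evidence records that cite the source line they are grounded in, in the spirit of the "every assertion citing its source line" promise above. The KSI id `KSI-EXAMPLE-01` is a placeholder, not an FRMR catalog entry; the block splitter is a brace-depth scan rather than a real HCL parser; and the Terraform sample is constructed for this example.

```python
"""Toy deterministic detector: reads Terraform source and emits evidence
records that cite their source line.

Added illustration, not Efterlev's own code. "KSI-EXAMPLE-01" is a placeholder
KSI id, and the Terraform sample below is constructed for this example.
"""
import json
import re
from dataclasses import dataclass, asdict

RESOURCE_RE = re.compile(r'^\s*resource\s+"([\w-]+)"\s+"([\w-]+)"\s*\{')
# Reference from an SSE configuration back to the bucket it protects.
BUCKET_REF_RE = re.compile(r'\bbucket\s*=\s*aws_s3_bucket\.([\w-]+)\.(?:id|bucket)\b')


@dataclass(frozen=True)
class Resource:
    type: str
    name: str
    line: int      # 1-based line of the `resource` header
    body: str


@dataclass(frozen=True)
class Evidence:
    ksi: str
    status: str    # "pass" or "gap"
    resource: str  # "<type>.<name>"
    file: str
    line: int      # source line the claim is grounded in
    detail: str


def parse_resources(src: str) -> list[Resource]:
    """Line-oriented block splitter: tracks brace depth from each `resource`
    header until it returns to zero. Naive about braces inside strings, which
    is acceptable here; a production detector would use an HCL parser."""
    resources, current, depth, body = [], None, 0, []
    for lineno, text in enumerate(src.splitlines(), start=1):
        if current is None:
            m = RESOURCE_RE.match(text)
            if not m:
                continue
            current = (m.group(1), m.group(2), lineno)
            depth, body = 0, []
        body.append(text)
        depth += text.count("{") - text.count("}")
        if depth == 0:
            resources.append(Resource(*current, "\n".join(body)))
            current = None
    return resources


def detect_unencrypted_buckets(src: str, path: str = "main.tf") -> list[Evidence]:
    """One evidence record per aws_s3_bucket: "pass" if some
    server_side_encryption_configuration references it, otherwise "gap"."""
    resources = parse_resources(src)
    encrypted = set()
    for r in resources:
        if r.type == "aws_s3_bucket_server_side_encryption_configuration":
            m = BUCKET_REF_RE.search(r.body)
            if m:
                encrypted.add(m.group(1))
    findings = []
    for r in resources:
        if r.type != "aws_s3_bucket":
            continue
        ok = r.name in encrypted
        findings.append(Evidence(
            ksi="KSI-EXAMPLE-01",  # placeholder id, not a real FRMR entry
            status="pass" if ok else "gap",
            resource=f"{r.type}.{r.name}",
            file=path,
            line=r.line,
            detail=("server-side encryption configured" if ok else
                    "no aws_s3_bucket_server_side_encryption_configuration references this bucket"),
        ))
    # Sort by source position so output is identical from run to run.
    return sorted(findings, key=lambda e: (e.file, e.line))


def evidence_json(findings: list[Evidence]) -> str:
    """Machine-readable form a downstream drafting step could consume."""
    return json.dumps([asdict(e) for e in findings], indent=2, sort_keys=True)


# Constructed sample input (not taken from any real repository).
SAMPLE_TF = """\
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
  bucket = aws_s3_bucket.logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

resource "aws_s3_bucket" "uploads" {
  bucket = "example-uploads"
}
"""

if __name__ == "__main__":
    print(evidence_json(detect_unencrypted_buckets(SAMPLE_TF)))
```

Run against the sample, the rule reports `aws_s3_bucket.logs` as a pass grounded at line 1 and `aws_s3_bucket.uploads` as a gap grounded at line 14. The evidence is sorted by file and line and serialized with sorted keys, so two runs over the same input produce byte-identical output, which is the property that lets a 3PAO re-run the scanner and get the same artifact without any network call.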

Read the architecture overview


Status

  • v0.1.80 current (2026-05-13): eighty-two patch releases since v0.1.0 (2026-04-29), each addressing real-world first-run issues caught by deep-dive shakedowns or — at v0.1.11 — by an external 3PAO blinded review. Full E2E pipeline smoke runs on every PR. Shipped so far (see the CHANGELOG):
      • PyPI + container + GitHub Action + AWS GovCloud Bedrock backend
      • 66 detectors + full provenance graph + token-usage telemetry
      • ConMon Lite v0/v1 PR-delta sticky comments
      • efterlev detectors new <id> contributor scaffolder
      • efterlev boundary set --interactive helper
      • efterlev detectors show <id>
      • efterlev manifests validate <path>
      • efterlev scan hard-errors on subdir-below-workflows-ancestor (closes a documented funnel-killer; --allow-subdir-target opts back in for the monorepo case)
      • github.branch_protection detector
      • wheel/sdist CycloneDX SBOMs on every GitHub Release
      • ALL third-party Actions SHA-pinned (no exceptions)
      • pip-audit + bandit lockfile-pinned in [dev] extra
      • eval-harness Phase 2 lite operational on Terraform inputs (3 vendored real-shape fixtures from terraform-aws-modules/{vpc, s3-bucket, lambda} with 67 maintainer-validated labels at 100% precision + 100% recall)
      • CFN/CDK synth-mode arc shipped through v0.1.78 (DECISIONS 2026-05-12: PR alpha=design v0.1.70, PR beta=parser+adapter+scan v0.1.72, PR gamma=property-mapping table v0.1.73 with the architecture-validation slice, PR gamma.2 batches 1-4 expanding to 18 CFN types across 13 AWS namespaces v0.1.74-v0.1.77, CFN eval-harness Phase 2 lite scaffolding with first labeled CFN fixture csp-starter-cfn v0.1.78; the maintainer-validation LLM-call run for CFN remains the deferred bet-pays-off measurement)
  • Open source: Apache 2.0. Pure OSS — no commercial tier, no paid layer, no managed SaaS at this time. Why.
  • Governance: BDFL today, technical steering committee at 10 sustained contributors. Details.

External context — what AWS recommends

For AWS-native CSPs, AWS published two FedRAMP 20x guidance pieces:

Efterlev's positioning relative to the AWS-native pattern is complementary: AWS Config / Security Hub evaluate runtime state on a 3-day cadence; Efterlev evaluates pre-deploy IaC during the dev loop. Customers pursuing FedRAMP need both. The AWS posts also frame the FRMR catalog as 63 KSIs (counting 3 cross-cutting CSX KSIs); Efterlev counts the same catalog as 60 thematic KSIs. See csx-mapping.md for how Efterlev's existing artifacts already satisfy the CSX KSIs.


Efterlev is built for the VP Eng or DevSecOps lead whose CEO just said "we need FedRAMP" and who needs to know, by Monday, where they actually stand.