
Using AI to Write Your FedRAMP SSP (Without Sharing CUI)

Alex Smolen

One of the challenges of operating a FedRAMP environment is maintaining solid documentation in your System Security Plan, which is how auditors, agencies, and stakeholders validate your compliance. If you’re like me, you’ve been using AI to support your documentation writing. It’s a helpful way to handle document analysis and updates, especially for large, complicated documents like SSPs. However, popular AI tools from OpenAI and Anthropic are not currently FedRAMPed, so using these (or any other non-authorized tools) to collaborate on sensitive documentation like the SSP could get you in trouble. I built an example of how you can use Bedrock, which is currently FedRAMP authorized, to create a RAG-based knowledge base containing your SSP and ground-truth NIST 800-53 documentation to supercharge your FedRAMP compliance tasks. This could be extended to include AWS configuration information, architecture diagrams, and any other data that an AWS knowledge base can consume.

Think of RAG like having a really smart research assistant who can instantly read through all your documentation and use that knowledge to help write new content. Instead of just making educated guesses, it’s working directly from your actual SSP, configurations, and NIST guidance. AWS has a great technical explanation of how this works, but what matters for FedRAMP documentation is that your AI assistant is always working from your real, approved content rather than making things up.

For FedRAMP documentation, this difference is crucial. Instead of getting generic responses about how a control “might” be implemented, RAG pulls from your actual SSP content, existing control implementations, and specific NIST guidance. When you ask “How do we handle access revocation in AC-2?”, the system retrieves your actual AC-2 implementation details, related controls, and specific procedures before generating a response. This ensures accuracy and consistency with your existing documentation while helping identify areas that need updating or clarification.

AI and the FedRAMP Authorization Boundary Challenge

According to FedRAMP’s Authorization Boundary Guidance:

Federal metadata with an indirect potential impact on mission, organizations or individuals should there be a loss of confidentiality, integrity, or availability. This includes data revealing system infrastructure, facilities, and design; applications name, version, and release; application, system, and network configuration information; interconnections and access methods; systems inventories; architecture models, diagrams, and details; system security plans

So, if an SSP is federal metadata, you can only send it to FedRAMPed CSPs, which excludes most of the AI tooling people are using today.

So, when you are developing an SSP (for instance, if you recently updated from NIST 800-53 rev. 4 to rev. 5), you may need to update text across multiple control implementations. You may want to find references to outdated information or use precise language to describe how you implement key controls. Having an LLM support this process can be helpful, as the proliferation of LLM assistants in Google Docs, Confluence, and every other product chasing the AI hype cycle suggests. While the devil is in the details, these tools are useful, and not having them for SSP development is particularly painful.

AWS Bedrock: A FedRAMP-Authorized Solution

When I first saw Bedrock I sort of assumed it was a way to call different backend AIs, but I actually found it hosts the models themselves within AWS’s infrastructure. This is how they enable their FedRAMP use case, as detailed in their blog post.

Building a RAG Knowledge Base for Your SSP

I’ve created a Terraform configuration that sets up everything you need to build a RAG-enabled knowledge base for your SSP. The approach is inspired by AWS’s AI chat accelerator, but focused specifically on SSP management.

The infrastructure includes:

  • Aurora Serverless v2 for vector storage (scales to zero when not in use)
  • AWS Bedrock for AI processing
  • S3 for document storage
  • IAM roles and policies for secure access

You can find the complete code here: https://github.com/fedramplabs/ssp-rag-kb
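As an added illustration of the "IAM roles and policies for secure access" piece (this is not code from the ssp-rag-kb repository), the Terraform below defines the S3 bucket that holds SSP documents and a service role that a Bedrock knowledge base can assume, scoped to this account and to only the bucket and embedding model it needs. The bucket name, region, and embedding model id are assumptions.

```terraform
# Added example, not the ssp-rag-kb repository's own code.
data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "ssp_docs" {
  bucket = "ssp-rag-kb-docs-${data.aws_caller_identity.current.account_id}" # assumed name
}

# Federal metadata never needs to be public: block every public ACL and policy.
resource "aws_s3_bucket_public_access_block" "ssp_docs" {
  bucket                  = aws_s3_bucket.ssp_docs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "ssp_docs" {
  bucket = aws_s3_bucket.ssp_docs.id
  rule {
    apply_server_side_encryption_by_default { sse_algorithm = "aws:kms" }
  }
}

# Trust policy limited to this account, so a knowledge base in another
# account cannot assume the role (confused-deputy protection).
resource "aws_iam_role" "kb" {
  name = "ssp-rag-kb-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "bedrock.amazonaws.com" }
      Condition = { StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id } }
    }]
  })
}

# Permissions: read only the SSP bucket and invoke only the embedding model
# (region and model id below are assumptions; adjust to your deployment).
resource "aws_iam_role_policy" "kb" {
  role = aws_iam_role.kb.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Action = ["s3:GetObject", "s3:ListBucket"],
        Resource = [aws_s3_bucket.ssp_docs.arn, "${aws_s3_bucket.ssp_docs.arn}/*"] },
      { Effect = "Allow", Action = "bedrock:InvokeModel",
        Resource = "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-embed-text-v2:0" }
    ]
  })
}
```

Pair the role with a bucket policy that denies access from outside the account if other principals share the bucket; the role itself never gets write access, so the knowledge base cannot alter the SSP source documents.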

Next Steps

This is just the beginning of exploring how we can use AI within FedRAMP boundaries. As more providers obtain FedRAMP authorization, we’ll see more options for integrating AI into compliance workflows. For now, AWS Bedrock provides a path to start using these capabilities while maintaining compliance.

If you need help implementing FedRAMP-compliant AI solutions or modernizing your FedRAMP processes, reach out to us at FedRAMP Labs.