SHE BASH · ezRMF
Automated Authority to Operate

ezRMF

From weeks of manual compliance to push-button ATO packages.

AI agents run the RMF lifecycle end-to-end. Connect your cloud, import your docs, ship the package. CSRMC-aligned. IL-5 ready.

IL-5 ready · FIPS 140-2 validated · 0 known CVEs · STIG ASD V6R4 286/286 · WOSB certified

  • 80% faster inventory
  • 17 AI agent skills
  • 3 eMASS exports
  • <20 min deploy time
  • 395+ STIG benchmarks

Stop doing compliance by hand.

Every hour your team spends copy-pasting into spreadsheets is an hour not spent on mission. ezRMF automates the tedious parts so your people can focus on decisions that matter.

Manual RMF | With ezRMF | Time saved
Weeks typing control narratives into spreadsheets | Agents extract controls from your existing docs in minutes | ~70%
Manual Excel inventory, tracking every asset by hand | AWS discovery pulls 9 resource types on schedule | ~80%
Copy-paste security findings into POA&M line items | Security Hub findings land in the POA&M automatically | ~90%
Hunt through folders and emails for evidence artifacts | Semantic search surfaces evidence by meaning, not filename | qualitative
Build eMASS import packages by hand | One click ships test results, POA&M, and inventory to eMASS | ~99%

Four automation pillars.

Connect your environment, import your artifacts, let AI agents handle the grind, and export eMASS-ready packages. Each step replaces days of manual work.

01
Connect Your Cloud
Discover EC2, RDS, S3, Lambda, EKS, ALB, VPC, Security Groups, and EBS volumes on a schedule. Security Hub findings auto-create POA&M items with NIST 800-53 control mapping.
Scheduled discovery · 9 resource types · Security Hub integration
Replaces weeks of manual inventory
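As an added illustration of the Security Hub to POA&M step (example code written for this page, not ezRMF's own), the TypeScript below takes a finding in the AWS Security Finding Format (ASFF), keeps only active, open, FAILED findings, pulls the NIST SP 800-53 rev5 control IDs out of Compliance.RelatedRequirements, and emits a POA&M line item. The ASFF field names are real Security Hub fields; the PoamItem shape, the severity-based remediation windows and the sample findings are assumptions constructed for the example.

```typescript
// Added example (not ezRMF code): map an AWS Security Hub finding (ASFF)
// to a POA&M line item with its NIST SP 800-53 rev5 controls.
// ASFF field names are real; PoamItem, DUE_DAYS and the samples are assumed.

type SeverityLabel = "INFORMATIONAL" | "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";

interface AsffFinding {
  Id: string;
  Title: string;
  Severity: { Label: SeverityLabel };
  Resources: { Type: string; Id: string }[];
  Compliance?: {
    Status: "PASSED" | "WARNING" | "FAILED" | "NOT_AVAILABLE";
    RelatedRequirements?: string[];
  };
  Workflow: { Status: "NEW" | "NOTIFIED" | "RESOLVED" | "SUPPRESSED" };
  RecordState: "ACTIVE" | "ARCHIVED";
  UpdatedAt: string; // ISO 8601
}

// Assumed POA&M row shape; the real eMASS template carries more columns.
interface PoamItem {
  findingId: string;
  weakness: string;
  controls: string[];          // e.g. ["AC-4", "SC-7(21)"]; empty = map by hand
  assets: string[];
  severity: SeverityLabel;
  scheduledCompletion: string; // YYYY-MM-DD
}

// Assumed remediation windows (days) keyed by Security Hub severity label.
const DUE_DAYS: Record<SeverityLabel, number> = {
  CRITICAL: 15, HIGH: 30, MEDIUM: 90, LOW: 180, INFORMATIONAL: 365,
};

// Security Hub writes 800-53 requirements as "NIST.800-53.r5 AC-4" or
// "NIST.800-53.r5 SC-7(21)". PCI DSS / CIS entries share the array and are skipped.
const NIST_RE = /^NIST\.800-53\.r5\s+([A-Z]{2}-\d+(?:\(\d+\))?)$/;

function extractNistControls(reqs: string[] | undefined): string[] {
  const found = new Set<string>();
  for (const r of reqs ?? []) {
    const m = NIST_RE.exec(r.trim());
    if (m) found.add(m[1]);
  }
  return [...found].sort();
}

function toPoamItem(f: AsffFinding): PoamItem | null {
  // Only active, open, FAILED findings become POA&M items; archived,
  // resolved or suppressed ones would create phantom weaknesses.
  if (f.RecordState !== "ACTIVE") return null;
  if (f.Workflow.Status === "RESOLVED" || f.Workflow.Status === "SUPPRESSED") return null;
  if (f.Compliance?.Status !== "FAILED") return null;

  const due = new Date(f.UpdatedAt);
  due.setUTCDate(due.getUTCDate() + DUE_DAYS[f.Severity.Label]);
  return {
    findingId: f.Id,
    weakness: f.Title,
    controls: extractNistControls(f.Compliance?.RelatedRequirements),
    assets: f.Resources.map((r) => r.Id),
    severity: f.Severity.Label,
    scheduledCompletion: due.toISOString().slice(0, 10),
  };
}

function buildPoam(findings: AsffFinding[]): PoamItem[] {
  return findings.map(toPoamItem).filter((p): p is PoamItem => p !== null);
}

// Constructed sample findings (not real Security Hub output).
const SAMPLE_FINDINGS: AsffFinding[] = [
  {
    Id: "arn:aws:securityhub:us-gov-west-1:111122223333:security-control/EC2.19/finding/example-1",
    Title: "Security groups should not allow unrestricted access to high-risk ports",
    Severity: { Label: "HIGH" },
    Resources: [{ Type: "AwsEc2SecurityGroup", Id: "sg-0123456789abcdef0" }],
    Compliance: {
      Status: "FAILED",
      RelatedRequirements: ["NIST.800-53.r5 SC-7(21)", "NIST.800-53.r5 AC-4", "PCI DSS v3.2.1/1.2.1"],
    },
    Workflow: { Status: "NEW" },
    RecordState: "ACTIVE",
    UpdatedAt: "2026-05-19T10:00:00.000Z",
  },
  {
    Id: "arn:aws:securityhub:us-gov-west-1:111122223333:security-control/S3.1/finding/example-2",
    Title: "S3 buckets should have block public access settings enabled",
    Severity: { Label: "MEDIUM" },
    Resources: [{ Type: "AwsS3Bucket", Id: "arn:aws-us-gov:s3:::example-bucket" }],
    Compliance: { Status: "FAILED", RelatedRequirements: ["PCI DSS v3.2.1/1.3"] }, // no 800-53 mapping
    Workflow: { Status: "NOTIFIED" },
    RecordState: "ACTIVE",
    UpdatedAt: "2026-05-19T10:00:00.000Z",
  },
  {
    Id: "arn:aws:securityhub:us-gov-west-1:111122223333:security-control/RDS.3/finding/example-3",
    Title: "RDS DB instances should have encryption at rest enabled",
    Severity: { Label: "CRITICAL" },
    Resources: [{ Type: "AwsRdsDbInstance", Id: "example-db" }],
    Compliance: { Status: "FAILED", RelatedRequirements: ["NIST.800-53.r5 SC-28"] },
    Workflow: { Status: "SUPPRESSED" }, // risk-accepted: must not land in the POA&M
    RecordState: "ACTIVE",
    UpdatedAt: "2026-05-19T10:00:00.000Z",
  },
];
```

Two design points matter for an ISSO reviewing the output: the filter on Workflow.Status and RecordState keeps suppressed or resolved findings from becoming phantom POA&M weaknesses, and a finding whose RelatedRequirements carry no NIST.800-53.r5 entry (the S3 sample above) is emitted with an empty controls list rather than guessed, so it surfaces for manual mapping instead of being silently mis-mapped.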
02
Import Everything
Import SSPs, SARs, STIGs, and spreadsheets. Agents extract controls, map CCIs, and populate implementation narratives in bulk.
PDF, DOCX, XLSX, CKL · Bulk CCI mapping · Narrative generation
50-70% faster baseline capture
03
Assess With Agents
Run 17 sandboxed agent skills that assess controls, organize evidence, generate documents, and link findings to CCIs. Vector search retrieves evidence by meaning, not filename.
Sandboxed execution · Full audit trail · Vector search
Your team decides, not spreadsheets
04
Export to eMASS
Export the Test Result Import Template, POA&M, and Hardware/Software Inventory in one click. eMASS-compliant formatting, CUI banners, ready to submit.
3 export types · CUI-compliant · eMASS-validated format
100% automated package assembly

See the workbenches.

ezRMF is built around the work an ISSO actually does. Each surface is purpose-built for the task it serves — not a generic forms layer with compliance bolted on.

Assess workbench mockup
Assess Workbench
AP-level status across every control, CSP inheritance resolved inline, and the agent flagging the exact evidence each non-compliant CCI still needs.
Controls workbench mockup
Controls Workbench
Live Implementation Statement editor next to source 800-53 text, with per-CCI evidence chips and ODP / responsible-role assignment in the same view.
Evidence pipeline mockup
Evidence Pipeline
Artifacts chunked, embedded, and indexed automatically. Hover any CCI to see ranked evidence with section-level citations and a confidence score.
eMASS export mockup
eMASS Export
One-click .xlsx for the Test Result Import Template, POA&M, and Hardware/Software Inventory — CUI banner, prepared metadata, eMASS-validated layout.

Built for the 5-phase lifecycle.

Purpose-built for the DoD CSRMC framework. Full coverage from Design through Operations with continuous monitoring and cATO support.

01
Design
System categorization, control selection, policy creation
02
Build
Implementation tracking, evidence collection, CCI mapping
03
Test
AI-powered STIG scanning, automated assessment, CKL export
04
Onboard
Dashboard integration, continuous telemetry, DevSecOps pipeline
05
Operate
Continuous monitoring, cATO, real-time compliance status

Shipping every week.

Release notes live in GitHub Releases. Last three highlights:

v4.2.2
Dependency vulnerabilities patched
14 advisories closed (12 moderate, 2 high) across @anthropic-ai/sdk, @xmldom, hono, mermaid, postcss, uuid, ws and more. Release pipeline back to green.
2026-05-19
v4.2.0
Fast projects, polished collapsed nav
Per-user project index makes the projects page open in ms. Collapsed sidebar gets a project icon with hover flyout. What's New popup centered.
2026-05-19
v4.1.0
Tighter Assess workbench
Collapsible queue with status dots, restructured AP table, CCI badges with evidence count + chevron affordance, scrollable matrix, SCA/SCAR/AO chat history fix.
2026-05-19

Where ezRMF is going next.

A look at what's live today, what's in design, and what we're researching. Detailed release notes ship continuously on GitHub Releases.

Shipping Now
v4.2 · Now
  • Collapsible workbench navigation with hover flyouts
  • Polished Assess workbench — AP table, CCI affordances, scrollable matrix
  • Evidence chips with confidence ranking on every CCI
  • Per-user project index for instant project switching
In Design
v4.3 · Next
  • Documents: structured editable docs replace blob storage
  • Control text + AP coaching directly in the implementation editor
  • CCI test-type classifier (Examine / Interview / Test)
  • Inline reviewer comments and change-tracking on narratives
Research
v5.x · Later
  • cATO dashboards with streaming posture across systems
  • Multi-tenant project workspaces for program offices
  • Federated MCP across agency boundaries
  • Bidirectional sync with eMASS over its native API

Specific next-version items are tracked publicly at github.com/shebashio/agenticrmf/releases. Dates and scope shift as we learn from each authorization.

Whitepapers & reference architecture.

In-depth reading for ISSMs, AOs, and platform teams evaluating ezRMF. PDFs are unclassified and freely redistributable.

Overview 6 pp · 2026-05
Automated ATO with AI Agents
How ezRMF compresses the DoD RMF lifecycle from months to weeks using sandboxed agents, retrieval over evidence, and one-click eMASS exports.
Compliance 5 pp · 2026-05
CSRMC 5-Phase Alignment Reference
Phase-by-phase mapping of ezRMF capabilities to the DoD Cybersecurity Risk Management Construct (CSRMC), with a per-activity coverage matrix.
Architecture 4 pp · 2026-05
FIPS + Chainguard: Securing IL-5 Cloud Deployments
Reference architecture for running ezRMF in AWS GovCloud with FIPS-validated cryptography, zero-CVE Chainguard images, and STIG-hardened workloads.

Built different.

Zero Trust by Design
OIDC authentication, role-based access control, and FIPS-compliant Chainguard containers with zero known vulnerabilities. Secure by default, not bolted on.
Edge Deployable
Two-container architecture with minimal resource footprint. Supports disconnected, forward-deployed, and IL-6+ classified environments.
Platform + Expertise
Infrastructure-as-code provisioning. From terraform apply to fully operational in under 20 minutes. Optional embedded engineer and ISSM support to accelerate your ATO timeline.

Pick the tier that fits the mission.

Three ways to engage, from a 30-day pilot to a fully embedded ISSM. Every tier ships ezRMF the same way — only the support and deployment model change.

Pilot
Scoped evaluation, deployed in your boundary.
  • Stood up inside your authorization boundary
  • Guided onboarding from our team
  • One project, one authorization boundary
  • Email support during business hours
  • Full export to eMASS at any point
Production
Multi-project, deployed in your boundary.
  • Deployed in your AWS account (GovCloud, IL-5, or on-prem)
  • IL-5 ready architecture with FIPS modules
  • Unlimited projects and authorization boundaries
  • Named engineering contact, SLA-backed support
  • Quarterly STIG and CVE refresh built in
Embedded ISSM
Pilot or Production, plus humans on call.
  • Everything in Pilot or Production
  • On-call ezRMF engineer for platform work
  • ISSM-as-a-service for control narratives and reviewer cycles
  • Direct support inside your authorization timeline
  • Joint after-action review on every ATO milestone

Every engagement is deployed inside your authorization boundary — ezRMF is not offered as a SaaS. Pricing and scope align to your funding vehicle (BPA, contract vehicle, MIPR, etc.). Contact [email protected].

How ezRMF stacks up.

An honest look at the tools an ISSM might be choosing between. We win on automation and time-to-ATO; eMASS is still the system of record, and we feed it.

Comparison based on publicly documented capabilities as of mid-2026. Your mileage will vary by program.

Capability
Manual binder
eMASS portal
Telos Xacta
ezRMF
AI-assisted control narratives
partial
Auto AWS inventory discovery
partial
Security Hub → POA&M
Semantic evidence search
One-click eMASS .xlsx export
✓ (native)
partial
Deployable in IL-5 / GovCloud
Continuous monitoring / cATO
partial
partial
FIPS-validated containers
n/a
n/a
partial
Time to first ATO (typical): manual binder 12–18 mo · eMASS portal 9–12 mo · Telos Xacta 6–9 mo · ezRMF 8–14 wk
Cost model: manual binder labor-heavy · eMASS portal per-package fees · Telos Xacta enterprise license · ezRMF funding-vehicle aligned
Stack: Vue 3 · Express.js · TypeScript · PostgreSQL 16 · MinIO · Claude Agent SDK · AWS Bedrock · OIDC Auth · AWS SSM · Chainguard FIPS · Terraform

Ready to accelerate?

Schedule a demo or request access to the platform.