- ATLAS - Automated Terraform Leveraging AI for Security
- ATO - Authority To Operate
- Accelerator - 🚀
This project proposes using AI coding assistants to generate NIST-compliant Terraform infrastructure code from the outset, shifting security compliance left in the development process to reduce ATO timelines and improve security posture.
The approach is to create specialized guidance documents that AI assistants read before generating infrastructure code. These documents encode NIST 800-53 control implementation patterns, secure baseline configurations, and ATO documentation requirements, so that the generated infrastructure is both functional and ATO-ready from the start.
The proposal outlines three options:
- AGENTS.md Files - Repository-specific markdown files that AI assistants automatically read
- Claude Skill Architecture - Formal skills with comprehensive NIST-Terraform guidance
- Hybrid Multi-Layered System - Combines organization-level skills with project-specific guidance
The approach has four components:
- Knowledge Encoding - Translating NIST requirements into Terraform patterns
- AI-Assisted Generation - Producing compliant infrastructure code through IDE assistants
- Validation & Documentation - Policy-as-code validation plus automated SSP generation
- Continuous Compliance - Maintaining consistency as infrastructure evolves
Anticipated benefits:
- 30-50% reduction in ATO preparation time
- Infrastructure code that is compliant-by-default
- Standardized security implementations across teams
- ATO documentation generated alongside infrastructure code
- Reduced friction between development and security teams
See it in action! The /demo directory contains a complete hands-on walkthrough that demonstrates the core ATLAS concept.
What it does:
- Uses AI coding assistants to generate NIST 800-53 compliant Terraform infrastructure
- Deploys a containerized CRUD API to local Kubernetes (Kind) with simulated AWS services (LocalStack)
- Automatically generates compliance documentation from infrastructure code
- Shows how security controls are embedded from the start, not added later
What you'll learn:
- How AGENTS.md guidance files work with AI assistants
- Patterns for NIST-compliant S3 buckets, PostgreSQL databases, and Kubernetes deployments
- Automated compliance artifact generation (control matrices, implementation summaries)
- Production-ready code that works in real cloud environments
Time required: ~1 hour for the complete walkthrough
👉 Get started with the demo →
A 10-week phased approach:
- Foundation (Weeks 1-2) - 5 high-impact NIST controls, 3 common resources
- Documentation Integration (Weeks 3-4) - SSP generation from Terraform
- Validation Loop (Weeks 5-6) - Policy-as-code implementation
- User Testing (Weeks 7-8) - Real-world validation with developers
- Expansion Planning (Weeks 9-10) - Roadmap for full implementation
See PROPOSAL.md for complete details on problem statement, technical approach, resource requirements, and risk assessment.
Copyright © 2025 Mark Headd
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
See the LICENSE file for the full license text.