Analyze Azure Bicep IaC code for NIST 800-53 Rev 5 compliance coverage. Returns controls addressed, gaps, security findings, and overall FedRAMP/IL4 readiness score.

Auto-remediate Azure Bicep code to meet FedRAMP or DoD IL compliance targets. Returns hardened Bicep with a change log mapping each modification to the NIST 800-53 control it addresses.

Look up any NIST 800-53 Rev 5 control and get the full requirement text, Azure implementation guidance, FedRAMP inheritance model, and a copy-ready eMASS narrative starter.

Generate eMASS-ready control implementation narratives for any NIST 800-53 Rev 5 control given your system description. Output is AO-review quality prose.

Generate Plan of Action & Milestones (POA&M) entries from compliance gaps. Output is formatted for eMASS import with weakness descriptions, scheduled completion dates, and milestones.

Score a system description against FedRAMP/DoD ATO requirements. Returns readiness score, critical gaps, estimated timeline, and prioritized next actions.

Generate valid OSCAL SSP fragment (JSON or XML) for Azure resource configurations. Machine-readable output compatible with eMASS OSCAL import.

Design a complete Azure Landing Zone architecture for government workloads. Returns hub-spoke topology, subscription structure, network layout, security services, and Bicep scaffold.

Generate Azure Landing Zone architecture grounded in the official Microsoft Enterprise Scale reference implementation (github.com/Azure/Enterprise-Scale). Returns Management Group hierarchy, policy assignments, hub-spoke topology, and Bicep scaffold aligned with CAF and ALZ accelerator.

Select the right Azure service for a government workload requirement with compliance rationale, GCC High availability confirmation, and alternatives analysis.

Get Azure GCC High specific configuration requirements, limitations, and gotchas for any Azure service or scenario. Includes what works differently in GCC High vs Azure Government vs Commercial.

Generate the complete private endpoint architecture required for a list of Azure services at a given FedRAMP/IL compliance level. Returns Bicep for every required private endpoint and DNS configuration.

Validate a Platform One Big Bang values.yaml against DoD IL compliance requirements. Returns compliance score, specific violations, and hardened values.

Generate a fully hardened Big Bang values.yaml targeting DoD IL4 or IL5 from scratch or from an existing values file. Includes Chainguard/Iron Bank digest-pinned images.

Look up Iron Bank hardened container images for any application. Returns the correct registry1.dso.mil registry path, latest approved version, Cosign verification commands, and pull secret configuration.

Generate production-ready Big Bang addon configuration values for any Platform One addon. Returns hardened values with Iron Bank images, resource limits, and IL-appropriate security settings.

Audit a CI/CD pipeline configuration (GitLab CI, GitHub Actions, Tekton, Jenkins) for DoD DevSecOps compliance. Returns a scored audit with violations and hardened pipeline YAML.

Generate complete artifact signing and verification configuration using Sigstore/Cosign, Notary v2, or DoD PKI. Returns pipeline integration code, Kubernetes admission webhook config, and verification commands.

Generate a DoD DevSecOps maturity scorecard for a software factory or program. Scores against the DoD DevSecOps Reference Design and CNCF security best practices. Returns a scored assessment with a prioritized improvement roadmap.

Generate a complete System Security Plan (SSP) section in eMASS-ready format. Covers system description, boundary, user types, interconnections, laws and regulations, or any NIST 800-18 section.

Generate a NIST 800-34 compliant Contingency Plan (CP) for an Azure government system. Covers BCP/DR procedures, RTO/RPO targets, activation criteria, recovery procedures, and test schedule.

Confirm the GovCloud MCP server is running correctly and get the top example prompts for every tool category — the ideal first call after installation.