
Conversation

ethanolivertroy

Context

This PR adds support for the FedRAMP 20x Key Security Indicators (KSIs) compliance framework to Prowler. FedRAMP 20x is a modernization initiative aimed at automating the FedRAMP authorization process, focusing on continuous monitoring and cloud-native security principles. The 10 KSIs represent the core security areas that cloud service providers must address as part of the FedRAMP 20x Phase One pilot program.

This framework enables organizations pursuing FedRAMP authorization to assess their cloud environments against the FedRAMP 20x requirements using Prowler's existing security checks.

Description

This PR introduces FedRAMP 20x KSI compliance frameworks for AWS, Azure, and GCP providers. The implementation maps Prowler's existing security checks to the 10 Key Security Indicators defined by FedRAMP:

Changes included:

  • Added 3 new compliance framework JSON files:

    • prowler/compliance/aws/fedramp_20x_ksi_aws.json - Maps 96 AWS checks to KSIs
    • prowler/compliance/azure/fedramp_20x_ksi_azure.json - Maps 73 Azure checks to KSIs
    • prowler/compliance/gcp/fedramp_20x_ksi_gcp.json - Maps 94 GCP checks to KSIs
  • Added dashboard visualization modules:

    • dashboard/compliance/fedramp_20x_ksi_aws.py
    • dashboard/compliance/fedramp_20x_ksi_azure.py
    • dashboard/compliance/fedramp_20x_ksi_gcp.py
  • Updated documentation:

    • Updated framework counts in docs/tutorials/compliance.md

The 10 KSIs covered:

  1. KSI-CED: Cybersecurity Education
  2. KSI-CMT: Change Management
  3. KSI-CNA: Cloud Native Architecture
  4. KSI-IAM: Identity and Access Management
  5. KSI-INR: Incident Reporting
  6. KSI-MLA: Monitoring, Logging, and Auditing
  7. KSI-PIY: Policy and Inventory
  8. KSI-RPL: Recovery Planning
  9. KSI-SVC: Service Configuration
  10. KSI-TPR: Third-Party Information Resources

Each KSI is mapped to relevant NIST 800-53 controls and existing Prowler checks, following the official FedRAMP 20x documentation structure.

Checklist

  • Are there new checks included in this PR? No - This PR only adds compliance frameworks that map to existing checks
    • If so, do we need to update permissions for the provider? N/A
  • Review if the code is being covered by tests. (Compliance frameworks follow existing patterns)
  • Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
  • Review if backport is needed.
  • Review if it is needed to change the Readme.md
  • Ensure new entries are added to CHANGELOG.md, if applicable.

API

  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, Poetry, etc.).
  • Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.


Additional Notes for Reviewers:

  • Framework structure follows existing Prowler compliance framework patterns
  • Check mappings are based on official FedRAMP 20x KSI documentation: https://github.com/FedRAMP/docs
  • Tested locally with GCP provider, achieving expected compliance results
  • Dashboard modules handle long KSI descriptions appropriately to prevent UI overlap issues

ethanolivertroy and others added 7 commits March 12, 2025 18:43
…hecks

- Added RESOURCE_CONTROL_POLICY to the list of available organization policy types
- Added initial check to verify if RCPs are enabled and attached
- Added check for S3 security enforcement via RCPs
- Added NIST-aligned checks for encryption, IAM controls, logging/monitoring, and network security
- Created docs/requirements.txt with required MkDocs dependencies
- Updated .readthedocs.yaml to use pip for dependency installation
- This should fix the ReadTheDocs build failure
…works

- Add FedRAMP 20x KSI compliance framework for AWS
- Add FedRAMP 20x KSI compliance framework for Azure
- Add FedRAMP 20x KSI compliance framework for GCP
- Implement all 10 official FedRAMP KSIs based on FedRAMP documentation
- Update compliance documentation to include new frameworks
- Add comprehensive README for FedRAMP 20x KSI usage

The frameworks support FedRAMP 20x Phase One pilot requirements and focus on:
- Automation (80%+ automated validation target)
- Continuous monitoring
- Cloud-native security principles
- Zero trust architecture

Based on official FedRAMP KSI version 25.05C from:
https://github.com/FedRAMP/docs/blob/main/FRMR.KSI.key-security-indicators.json
- Add dashboard modules for AWS, Azure, and GCP FedRAMP 20x KSI display
- Fix text overlap issue by shortening long KSI descriptions in dashboard
- Enable proper visualization of FedRAMP 20x KSI compliance results
@Copilot Copilot AI review requested due to automatic review settings August 12, 2025 13:18
@ethanolivertroy ethanolivertroy requested review from a team as code owners August 12, 2025 13:18
@github-actions github-actions bot added documentation provider/aws Issues/PRs related with the AWS provider compliance Issues/PRs related with the Compliance Frameworks labels Aug 12, 2025

@ethanolivertroy
Author

ethanolivertroy commented Aug 12, 2025

[image: Screenshot 2025-08-12 at 09 19 41]

@MrCloudSec
Member

Thank you for the PR @ethanolivertroy , we will review it soon and get back to you.

@MrCloudSec MrCloudSec changed the title Feature/fedramp 20x ksi compliance feat(compliance): add FedRAMP 20x KSI compliance framework Aug 13, 2025
@MrCloudSec MrCloudSec self-assigned this Aug 13, 2025
@MrCloudSec
Member

@ethanolivertroy can you add the tests for the new checks? You can find the guide here.

…meworks

- Add dashboard module tests for AWS, Azure, and GCP KSI visualizations
- Add compliance framework JSON validation tests
- Fix empty dataframe handling in dashboard modules
- Validate all 10 KSI requirements presence and structure
- Test NIST control mappings and version consistency
- Total: 29 unit tests covering all new functionality

Tests cover:
- Dashboard visualization functions (get_table)
- KSI description shortening logic
- Empty data edge cases
- Framework JSON structure validation
- Requirements completeness checks
- Cross-provider consistency

Addresses PR prowler-cloud#8512 test requirements
@ethanolivertroy
Author

Tests added @MrCloudSec 👍

@MrCloudSec
Member

MrCloudSec commented Aug 14, 2025

> Tests added @MrCloudSec 👍

Thanks, please add the corresponding tests for the checks too. Also, add the changelog and run our pre-commit.

ethanolivertroy and others added 2 commits August 14, 2025 08:09
- Added FedRAMP 20x Key Security Indicators compliance frameworks for AWS, Azure, and GCP
- Included comprehensive unit tests for all frameworks
- Updated CHANGELOG.md with new feature entry
- Fixed missing newlines at end of files per pre-commit hooks
- Removed RCP (Resource Control Policy) features that belong in separate branch
@ethanolivertroy
Author

> Tests added @MrCloudSec 👍

> Thanks, please add the corresponding tests for the checks too. Also, add the changelog and run our pre-commit.

All done. Removed the RCP stuff because that is from another branch.

This functionality will really help out orgs working toward https://www.fedramp.gov/20x/goals/

@MrCloudSec MrCloudSec requested a review from Copilot August 15, 2025 13:25

@Copilot Copilot AI left a comment


Pull Request Overview

This PR adds support for FedRAMP 20x Key Security Indicators (KSI) compliance framework to Prowler, enabling organizations pursuing FedRAMP authorization to assess their cloud environments against FedRAMP 20x requirements using existing security checks.

  • Introduces 3 new compliance framework JSON files mapping existing Prowler checks to 10 KSI requirements across AWS, Azure, and GCP
  • Adds dashboard visualization modules for each provider to handle long KSI descriptions
  • Updates documentation with new framework counts and changelog entry

Reviewed Changes

Copilot reviewed 12 out of 14 changed files in this pull request and generated 7 comments.

Summary per file:

  • prowler/compliance/aws/fedramp_20x_ksi_aws.json - Maps 96 AWS checks to FedRAMP 20x KSI requirements
  • prowler/compliance/azure/fedramp_20x_ksi_azure.json - Maps 73 Azure checks to FedRAMP 20x KSI requirements
  • prowler/compliance/gcp/fedramp_20x_ksi_gcp.json - Maps 94 GCP checks to FedRAMP 20x KSI requirements
  • dashboard/compliance/fedramp_20x_ksi_*.py - Dashboard modules that shorten long KSI descriptions for UI display
  • tests/lib/compliance/test_fedramp_20x_ksi_frameworks.py - Framework validation tests
  • tests/dashboard/compliance/test_fedramp_20x_ksi_*.py - Dashboard module tests
  • docs/tutorials/compliance.md - Updated framework counts
  • prowler/CHANGELOG.md - Added changelog entry


codecov bot commented Aug 15, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.19%. Comparing base (dfdd45e) to head (c8d2e2d).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #8512      +/-   ##
==========================================
- Coverage   75.81%   75.19%   -0.63%     
==========================================
  Files          98       72      -26     
  Lines        5616     4725     -891     
==========================================
- Hits         4258     3553     -705     
+ Misses       1358     1172     -186     
Flag: prowler - Coverage 75.19% <ø> (-0.63%) ⬇️

Components: prowler - Coverage 75.19% <ø> (-0.63%) ⬇️; api - ∅ <ø> (∅)

Fixed incorrect KSI identifier codes in dashboard test files to align with
official FedRAMP 20x KSI schema and our compliance framework files:
- Changed ksi-mon to ksi-mla (Monitoring, Logging, and Auditing)
- Changed ksi-pol to ksi-piy (Policy and Inventory)
- Changed ksi-rec to ksi-rpl (Recovery Planning)

This resolves the issues identified by GitHub Copilot in PR prowler-cloud#8512.
- Fixed ksi-inc to ksi-inr in Azure test file
- Removed hardcoded string slice in dashboard modules for accurate matching
- Aligns with official FedRAMP 20x KSI schema

Addresses all issues from GitHub Copilot review in PR prowler-cloud#8512
@ethanolivertroy
Author

Made some changes in the tests and checks to address the correct KSI control names in https://github.com/FedRAMP/docs/blob/main/FRMR.KSI.key-security-indicators.json

Member

@pedrooot pedrooot left a comment


Thanks for this, please review my comments and remember to add the needed changes in __main__.py in order to generate the output for the new compliance frameworks that you're adding. See how it's done here: https://github.com/prowler-cloud/prowler/blob/bb07cf9147cde9b911273dc1b5518d28f677a992/prowler/__main__.py#L436C13-L448C47

    {
      "ItemId": "ksi-ced",
      "Section": "Cybersecurity Education",
      "NistControls": "at-2, at-2.2, at-2.3, at-4",

Where does this attribute come from? NistControls

If you need to add this attribute for this new compliance framework, you have to add a new model and class inside: https://github.com/prowler-cloud/prowler/blob/master/prowler/lib/outputs/

Maybe you can add the needed changes to match the generic one: https://github.com/prowler-cloud/prowler/blob/master/prowler/lib/outputs/compliance/generic/generic.py
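The review asks for a model that knows about the new NistControls attribute, and the PR's tests claim to validate that all 10 KSIs are present and that NIST control mappings are well formed. The following is an added example, not Prowler's own model or test code: it loads a framework document in the shape the quoted snippet shows (ItemId, Section, NistControls per requirement), parses the comma-separated NIST SP 800-53 control ids, and checks that exactly the 10 KSIs from the PR description are mapped, each to at least one check. The top-level layout (Requirements, Attributes, Checks), the function names and the constructed sample document are assumptions made here for illustration.

```python
"""Validate a FedRAMP 20x KSI compliance framework JSON (added example, not Prowler code)."""
import json
import re
from dataclasses import dataclass, field

# The 10 KSI identifiers listed in the PR description, lower-cased as in the quoted JSON.
KSI_IDS = ["ksi-ced", "ksi-cmt", "ksi-cna", "ksi-iam", "ksi-inr",
           "ksi-mla", "ksi-piy", "ksi-rpl", "ksi-svc", "ksi-tpr"]

# NIST SP 800-53 control ids as written in the quoted snippet: "at-2", "at-2.2", ...
NIST_CONTROL_RE = re.compile(r"^[a-z]{2}-\d+(\.\d+)?$")


@dataclass
class KsiRequirement:
    """Hypothetical model for one KSI entry; field names follow the quoted JSON."""
    item_id: str
    section: str
    nist_controls: list[str] = field(default_factory=list)
    checks: list[str] = field(default_factory=list)


def parse_nist_controls(raw: str) -> list[str]:
    """Split the comma-separated NistControls string and reject malformed ids."""
    controls = [c.strip().lower() for c in raw.split(",") if c.strip()]
    bad = [c for c in controls if not NIST_CONTROL_RE.match(c)]
    if bad:
        raise ValueError(f"malformed NIST control id(s): {bad}")
    return controls


def load_framework(text: str) -> list[KsiRequirement]:
    """Parse a framework document; the Requirements/Attributes/Checks layout is assumed."""
    doc = json.loads(text)
    reqs = []
    for item in doc["Requirements"]:
        attrs = item["Attributes"][0]
        reqs.append(KsiRequirement(
            item_id=attrs["ItemId"].lower(),
            section=attrs["Section"],
            nist_controls=parse_nist_controls(attrs.get("NistControls", "")),
            checks=list(item.get("Checks", [])),
        ))
    return reqs


def validate_framework(reqs: list[KsiRequirement]) -> list[str]:
    """Return a list of problems; an empty list means the framework is structurally sound.

    KSI ids are matched exactly (set membership), not by a string prefix slice, so a
    mistyped id such as "ksi-mon" is reported instead of silently matching "ksi-mla".
    """
    problems = []
    seen = {r.item_id for r in reqs}
    for ksi in KSI_IDS:
        if ksi not in seen:
            problems.append(f"missing KSI {ksi}")
    for extra in sorted(seen - set(KSI_IDS)):
        problems.append(f"unknown KSI id {extra}")
    for r in reqs:
        if not r.checks:
            problems.append(f"{r.item_id} maps to no checks")
        if not r.nist_controls:
            problems.append(f"{r.item_id} has no NIST controls")
    return problems


def make_sample(ksi_ids: list[str]) -> str:
    """Constructed minimal framework document covering the given KSI ids (sample data)."""
    return json.dumps({
        "Framework": "FedRAMP-20x-KSI",
        "Version": "25.05C",
        "Provider": "AWS",
        "Requirements": [
            {"Id": k.upper(), "Description": f"{k} requirement",
             "Attributes": [{"ItemId": k, "Section": k.upper(),
                             "NistControls": "at-2, at-2.2, at-2.3, at-4"}],
             "Checks": ["example_check"]}
            for k in ksi_ids
        ],
    })


if __name__ == "__main__":
    # A complete document passes; one with a mistyped id is flagged.
    print(validate_framework(load_framework(make_sample(KSI_IDS))))
    print(validate_framework(load_framework(make_sample(KSI_IDS[:-1] + ["ksi-mon"]))))
```

Running the module prints an empty list for the complete sample and, for the second document, both the missing ksi-tpr and the unknown ksi-mon, which is the class of identifier mismatch the later commits in this PR corrected in the test files.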
