
Stop the Pre-Release Compliance Scramble.

Continuous compliance evidence, as a byproduct of development.

Lunar enforces CMMC, NIST SSDF, and STIG at every pull request, producing the evidence continuously.

From the Blog

The Compliance Tax: What It Actually Costs to Ship Software to the U.S. Government

Where defense engineering organizations break down under FedRAMP, CMMC, STIG, and EO 14028, and what a credible solution looks like.

The Compliance Tax, Mapped Along Every Delivery

DRA-001 · Delivery Readiness Program: Release Train Status
Trajectory: Behind · Compounding

Feature Complete: code ready to ship.

Hold (+10 hrs / release): Manual Checklist Scramble. Compliance items developers skipped during normal work, surfaced when the release train assembles. Platform engineering scrambles, every release.

Assemble (+ weeks / delivery): Evidence Packaging. ATO prep assembled by hand: STIG verifications, SBOMs, scan reports, CI logs. Scattered across tools, reconstituted retroactively, easy to game.

Investigate (+ 3 months / artifact): One Flagged Artifact. One unexpected SBOM entry triggers investigation, legal review, and program-level fallout at $200K+ and counting. No hotfix-and-move-on in defense.

Delivery: Late. Every time.

Structural pressure · always on: 1 : 50+ platform engineers to developers.

Five engineers cannot verify every merge from fifty developers. At scale the ratio hits 1:300, and standards quietly slide from required to optional.

The Audit Trail Writes Itself


Evidence by Default

Every PR, build, and release produces an evidence record. Your audit trail assembles itself while engineers do their normal work. No evidence packages, no last-minute archaeology.


Mapped to Your Frameworks

Each guardrail maps to the CMMC, NIST 800-171, NIST SSDF, and STIG controls it supports. Show your assessor the control-to-evidence link, not a zip file of logs.


Deterministic, Not Sampled

Every merge, every build, every release runs through the same guardrails. No sampling, no "we mostly do this." Your assessor sees 100% coverage, or you see the gap first.


One Place to Instrument, Every Pipeline

Works across GitHub Actions, Jenkins, CircleCI, GitLab, and Buildkite. Add a guardrail once, enforce it across every repo and every program.


Gradual Rollout, Not a Mandate

Start in visibility mode, move to warn, then to block. Bring development teams along instead of staging an all-hands fight on launch day.


Self-Hosted and Air-Gap Ready

Deploy on-premise, in your IL4 to IL5 environment, or fully air-gapped. Your source, SBOMs, and compliance data never leave your boundary.

Controls Your Auditors Expect, Enforced Continuously

SBOM Generation in CI/CD

CycloneDX or SPDX for every build artifact, tied to the exact commit that produced it. Required by EO 14028 §4 and flagged in every CMMC assessment.

Approved Base Images Only

Require STIG-hardened or Chainguard base images with pinned digests. Block rebuilds that silently pull new upstream content (NIST SSDF PW.4, CMMC CM.L2-3.4.2).

License & Origin Scanning

Flag non-approved licenses and foreign-controlled components at PR time. ITAR exposure is much cheaper to prevent than to remediate after the fact.

PR-to-Jira Traceability

Every merged PR links to an authorized change request, a ticket, and a reviewer. SOC 2 CC8.1 and CMMC AU.L2-3.3.1 without asking engineers to fill a form.

SAST/SCA Coverage on Every Repo

Detect the repos that aren't being scanned. Track remediation SLAs on the repos that are. Fail closed (NIST 800-53 RA-5, CMMC RA.L2-3.11.2).

Pinned Dependencies & Actions

Disallow floating dependency ranges and unpinned GitHub Actions. Stop supply-chain drift that bypasses your change-control process (NIST SSDF PW.4).

Explore 100+ Built-in Guardrails

Plus artifact signing, vulnerability SLA enforcement, branch protection, CODEOWNERS enforcement, container hardening, and more.
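To make the "pinned digests" and "unpinned GitHub Actions" guardrails above concrete, here is an added example (written for this page, not Lunar's own code) that scans a Dockerfile for FROM references without a sha256 digest and a workflow file for `uses:` references not pinned to a full commit SHA or image digest, then applies the visibility / warn / block rollout modes described on the page. The Dockerfile, workflow, digest and commit SHA values are constructed placeholders, and the function names are this example's own.

```python
"""Guardrail check: unpinned base images and GitHub Actions.

Added example, not Lunar's code. Scans constructed sample files and applies
the visibility -> warn -> block rollout described on the page.
"""
import re
from dataclasses import dataclass

# A pinned OCI reference ends in a full sha256 digest; a pinned Action ends in
# a 40-hex commit SHA. Tags such as :1.22 or @v4 can be moved upstream.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
COMMIT_SHA_RE = re.compile(r"@[0-9a-f]{40}$")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
USES_RE = re.compile(r"^\s*-?\s*uses:\s*[\"']?([^\s\"'#]+)")

PINNED_DIGEST = "sha256:" + "a" * 64   # constructed placeholder digest
PINNED_SHA = "b" * 40                  # constructed placeholder commit SHA

# Constructed sample inputs: each mixes pinned and unpinned references.
SAMPLE_DOCKERFILE = f"""\
FROM golang:1.22 AS builder
RUN go build -o /app ./...
FROM cgr.dev/chainguard/static@{PINNED_DIGEST}
COPY --from=builder /app /app
FROM builder AS test
"""

SAMPLE_WORKFLOW = f"""\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@{PINNED_SHA} # v5.0.0
      - uses: ./.github/actions/sbom
      - uses: docker://ghcr.io/example/scanner:latest
"""


@dataclass(frozen=True)
class Finding:
    kind: str     # "base-image" or "action"
    line: int     # 1-based line number in the scanned file
    ref: str      # the offending reference
    reason: str


def check_dockerfile(text: str) -> list[Finding]:
    """Flag FROM lines whose image is not pinned to a sha256 digest."""
    findings, stages = [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(raw)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if alias:
            stages.add(alias.lower())
        # Earlier build stages and scratch pull no upstream content.
        if ref.lower() in stages or ref.lower() == "scratch":
            continue
        if not DIGEST_RE.search(ref):
            findings.append(Finding("base-image", n, ref,
                                    "no sha256 digest; a rebuild may pull new upstream content"))
    return findings


def check_workflow(text: str) -> list[Finding]:
    """Flag `uses:` references not pinned to a commit SHA (or digest for docker://)."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = USES_RE.match(raw)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):   # local action, versioned with the repo itself
            continue
        pinned = (DIGEST_RE if ref.startswith("docker://") else COMMIT_SHA_RE).search(ref)
        if not pinned:
            findings.append(Finding("action", n, ref, "not pinned to a full commit SHA or digest"))
    return findings


MODES = ("visibility", "warn", "block")


def evaluate(findings: list[Finding], mode: str) -> tuple[bool, list[str]]:
    """Return (merge_blocked, messages). Only 'block' mode fails the check."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}; expected one of {MODES}")
    messages = [f"[{mode}] {f.kind} line {f.line}: {f.ref} ({f.reason})" for f in findings]
    return (mode == "block" and bool(findings)), messages


if __name__ == "__main__":
    all_findings = check_dockerfile(SAMPLE_DOCKERFILE) + check_workflow(SAMPLE_WORKFLOW)
    blocked, msgs = evaluate(all_findings, "warn")
    print("\n".join(msgs))
    print("merge blocked:", blocked)
```

Running the block in warn mode reports the unpinned `golang:1.22` base image, the `actions/checkout@v4` tag and the `:latest` docker action without failing the check; switching the mode to `block` is the step that turns the same findings into a failed merge, which is the rollout path the page describes.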

Mapped to the Frameworks You Report Against

Each guardrail maps to the controls it supports, so the evidence your assessor asks for is the data Lunar already collects.

Control Area             | Guardrail                                | Maps To
-------------------------|------------------------------------------|-----------------------------------------------
Supply chain integrity   | SBOM generation in CI                    | EO 14028 §4, NIST SSDF PW.4, CMMC SI.L2-3.14.1
Artifact provenance      | Signed container images                  | NIST SSDF PS.1, CMMC SI.L2-3.14.2
Container hardening      | STIG-approved base images                | STIG, CMMC CM.L2-3.4.1
Dependency integrity     | Pinned dependencies and Actions          | NIST SSDF PW.4, CMMC CM.L2-3.4.2
Export compliance        | License and origin scanning              | ITAR, CMMC AM.L2-3.4.1
Audit trail              | PR-to-Jira traceability                  | SOC 2 CC8.1, CMMC AU.L2-3.3.1
Access control           | Branch protection and required reviewers | CMMC AC.L2-3.1.5, NIST 800-171 3.1.5
Vulnerability management | SAST/SCA coverage with remediation SLAs  | NIST 800-53 RA-5, CMMC RA.L2-3.11.2

Lunar ships with 100+ guardrails tied to CMMC, NIST SSDF, NIST 800-171, NIST 800-53, STIG, ITAR, FedRAMP, and SOC 2 controls.

Trusted by Teams Shipping Under Defense-Grade Scrutiny

"The only holistic, expandable solution we've looked at. Every other tool does one piece. Lunar is the layer that enforces the outcomes we actually care about."
— Security Engineering Lead, Defense Cybersecurity Company

"Previous compliance standardization attempts created real trauma. Starting in visibility mode, measuring impact, then turning on blocking gave us a rollout path engineering leadership could actually approve."
— Platform Engineering Director, Federal System Integrator

0 hrs of evidence assembly per delivery

5 min from framework control to enforced guardrail

100+ built-in guardrails mapped to CMMC, NIST, and STIG

Ready to Automate Your Standards?

See how Lunar turns your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails, backed by 100+ built-in guardrails.

Works with any process:

AI agent rules & prompt files
Post-mortem action items
Security & compliance policies
Testing & quality requirements

Paste your AGENTS.md or manual process doc and get guardrails in minutes.