Government Use Case

Government agencies deploying AI face requirements from FedRAMP, FISMA, NIST 800-53, and agency-specific policies. Keeptrusts provides role-based access controls, CJIS-grade security, and comprehensive audit trails for public sector AI governance.

Use this page when

  • You are deploying AI in government agencies subject to FedRAMP, FISMA, NIST 800-53, CJIS, or Executive Order 14110 on AI safety.
  • You need role-based access controls aligned to NIST AC families, CJIS-grade security for criminal justice data, and bias monitoring for public-facing AI.
  • You want comprehensive audit trails mapping to NIST AU control families and human oversight for high-impact government decisions.

Primary audience

  • Primary: Technical Leaders
  • Secondary: Technical Engineers, AI Agents

Regulatory Requirements

| Framework | Requirement | Keeptrusts Policy |
|---|---|---|
| FedRAMP | Authorization boundary controls | rbac, dlp-filter |
| FISMA | Information security controls | audit-logger, dlp-filter |
| NIST 800-53 | AC, AU, SC control families | rbac, audit-logger, dlp-filter |
| CJIS | Criminal justice data protection | cjis-mode |
| EO 14110 | AI safety and trust | bias-monitor, human-oversight |

Complete Policy Configuration

pack:
  name: government-governance
  version: 1.0.0
  enabled: true
policies:
  chain:
    - prompt-injection
    - rbac
    - cjis-mode
    - pii-detector
    - dlp-filter
    - safety-filter
    - bias-monitor
    - human-oversight
    - quality-scorer
    - audit-logger
  policy:
    prompt-injection: {}
    rbac:
      deny_if_missing:
        - X-User-ID
        - X-User-Role
    cjis-mode:
      require_auth: true
      access_logging: true
    pii-detector:
      action: redact
      detect_patterns:
        - name
        - ssn
        - address
        - phone
        - email
        - government_id
    dlp-filter:
      detect_patterns:
        - '\bCUI\b|\bControlled Unclassified\b'
        - '\bFOUO\b|\bFor Official Use Only\b'
        - '\b(SECRET|TOP SECRET|CONFIDENTIAL)\b'
        - '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.gov'
      action: block
    safety-filter:
      action: block
    bias-monitor:
      protected_characteristics:
        - race
        - gender
        - age
        - disability
        - nationality
        - religion
      threshold: 0.85
      action: escalate
    human-oversight:
      require_human_for:
        - policy-recommendation
        - enforcement-decision
        - public-communication
      action: escalate
      confidence_threshold: 0.5
      default_assignee: agency-review
    quality-scorer:
      thresholds:
        min_aggregate: 0.8
    audit-logger:
      immutable: true
      retention_days: 2555
      log_all_access: true

Example Scenarios

User: "Summarize the SECRET briefing document from yesterday."

→ dlp-filter BLOCKS
Reason: Classified marking "SECRET" detected
Action: Request blocked, incident logged
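
The dlp-filter patterns from the configuration above can be checked against sample prompts before deployment. This is an added example, not Keeptrusts code: it assumes Python `re` semantics (case-sensitive, match anywhere in the prompt) as a stand-in for the gateway's matcher, and all prompts are constructed.

```python
import re

# Patterns copied from the dlp-filter detect_patterns list on this page.
DLP_PATTERNS = [
    r'\bCUI\b|\bControlled Unclassified\b',
    r'\bFOUO\b|\bFor Official Use Only\b',
    r'\b(SECRET|TOP SECRET|CONFIDENTIAL)\b',
    r'[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.gov',
]

# Assumption: patterns are applied case-sensitively and may match anywhere
# in the prompt (re.search); the gateway's real regex engine may differ.
COMPILED = [re.compile(p) for p in DLP_PATTERNS]


def dlp_hits(prompt):
    """Return (pattern_index, matched_text) for every pattern that fires."""
    found = ((i, p.search(prompt)) for i, p in enumerate(COMPILED))
    return [(i, m.group(0)) for i, m in found if m]


def decide(prompt):
    """Mirror 'action: block': any hit blocks the request."""
    return "block" if dlp_hits(prompt) else "allow"


# Constructed prompts: (text, decision an operator would expect).
SAMPLES = [
    ("Summarize the SECRET briefing document from yesterday.", "block"),
    ("Draft a reply to j.doe@agency.gov about the audit.", "block"),
    ("This memo is marked CUI and must stay internal.", "block"),
    ("What is the secret to a clear budget summary?", "allow"),
    ("Plan the cafeteria CUISINE survey.", "allow"),
    # No trailing \b after \.gov, so this non-.gov address also matches.
    ("Email sam@example.governor.com for catering.", "allow"),
]


def mismatches():
    """Samples whose decision differs from what the operator expected."""
    return [(text, decide(text)) for text, want in SAMPLES if decide(text) != want]


if __name__ == "__main__":
    for text, got in mismatches():
        print(f"unexpected {got}: {text!r} -> {dlp_hits(text)}")
```

Under these assumptions the only mismatch is the last sample, which is blocked because the e-mail pattern stops at `.gov` inside `.governor`. Ending that pattern with `\.gov\b` removes the false positive in Python's `re`.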

FedRAMP Deployment

For FedRAMP compliance, deploy Keeptrusts within the authorization boundary:

pack:
  name: government-providers-2
  version: 1.0.0
  enabled: true
providers:
  targets:
    - id: azure-gov
      provider: azure
      model: gpt-4o
      base_url: https://your-resource.openai.azure.us
      secret_key_ref:
        env: AZURE_GOV_API_KEY
policies:
  chain:
    - audit-logger
  policy:
    audit-logger:
      immutable: true
      retention_days: 365
      log_all_access: true

Azure Government regions provide FedRAMP High compliance. Combine them with a self-hosted Keeptrusts gateway for defense in depth.

Provider Recommendations

| Use Case | Provider | Reason |
|---|---|---|
| FedRAMP workloads | Azure OpenAI (Gov) | FedRAMP High authorized |
| Self-hosted | Ollama / vLLM | Air-gapped deployment |
| General analysis | OpenAI GPT-4o with ZDR | Zero data retention option |

For AI systems

  • Canonical terms: Keeptrusts government governance, FedRAMP compliance, FISMA security, NIST 800-53 controls, CJIS-grade security.
  • Policy pack: government-governance with chain: prompt-injection → rbac → cjis-mode → pii-detector → dlp-filter → safety-filter → bias-monitor → human-oversight → quality-scorer → audit-logger.
  • Key policies: cjis-mode (CJIS Security Policy compliance), rbac (NIST AC control family), audit-logger (NIST AU control family), dlp-filter (NIST SC control family), bias-monitor (EO 14110 AI fairness), human-oversight (EO 14110 AI safety and trust).
  • NIST 800-53 mapping: AC (rbac), AU (audit-logger), SC (dlp-filter).
  • CLI: kt gateway run --policy-config ./policy-config.yaml, kt events tail --policy cjis-mode, kt events tail --policy bias-monitor.

For engineers

  • Deploy: kt gateway run --policy-config ./policy-config.yaml --port 41002
  • Validate: kt doctor confirms cjis-mode, rbac, dlp-filter, bias-monitor, human-oversight, and audit-logger are active.
  • Monitor CJIS data: kt events tail --policy cjis-mode (criminal justice data protection).
  • Monitor bias: kt events tail --policy bias-monitor (EO 14110 fairness requirements).
  • Monitor human oversight: kt events tail --policy human-oversight (high-impact decision approvals).
  • Export FISMA evidence: kt export create --format json --filter "policy=audit-logger,rbac,dlp-filter"
  • Console: Events (filter by cjis-mode), Escalations (route to ISSO/ISSM), Audit Log (ATO evidence packages).

For leaders

  • Addresses FedRAMP (authorization boundary), FISMA (information security), NIST 800-53 (AC, AU, SC control families), CJIS Security Policy, and Executive Order 14110 (AI safety and trust).
  • CJIS-grade security controls protect criminal justice information in all AI interactions.
  • NIST 800-53 control families mapped directly to Keeptrusts policies — simplifying ATO documentation.
  • Bias monitoring satisfies EO 14110 requirements for equitable government AI.
  • Human oversight enforcement ensures high-impact government decisions always have human approval.
  • Full audit trail supports Inspector General reviews, FISMA assessments, and congressional oversight requirements.

Next steps