Architecture
Achieving government compliance is a confusing process with many caveats. Archon SDK for Government is designed to abstract away as many of these processes as possible while exposing a sensible and familiar API.
However, you may wonder what heavy lifting goes on behind the scenes to make Archon easier to use than traditional methods. This document gives a technical overview of our process, as well as key considerations we've made.
Key terms
Archon is composed of several key components that you should be familiar with to better understand this document
| Term | Definition |
|---|---|
| SDK for Government | The library that you integrate into your software. Connects to other Archon systems to achieve your compliance goals. Free and open. |
| Archon Engine | The core software platform that the SDK communicates with. Handles the backend tasks for compliance features. Typically a container (or set of containers) |
| Development Engine | The engine that runs on your computer when developing locally, enabling you to test your integrations and prepare to sell to government. Free and open. |
| Government Engine | The engine that runs when you use Archon to deploy your software to a production, government environment. Significantly more complicated, paid product. See What's in the Government Engine |
| Archon Environment | Any collection of your application, an engine, and supporting components. Typically includes the engine, boundary protection, cybersecurity tools, etc. |
| Archon Boundary | Controls and authenticates connections from outside your application. Traffic from the boundary to your application is always authenticated. |
| Component | Any distinct functionality. Your application, the engine, databases, the boundary, and other specific groupings of functionality are all components. |
| Archon Policy Tools | A service that helps you achieve regulatory compliance by composing sophisticated documentation required for the regulatory process. Paid product. |
Compliant Systems
NIST SP 800-53 dictates all requirements, called controls, that federal software must comply with. These controls are split into two distinct categories: software and organizational. The Archon SDK for Government focuses on achieving the software requirements with a few key guiding principles.
-
Simplicity: SDK for Government is designed to be familiar to developers while abstracting away arcane requirements. It should be quick and easy to integrate.
-
Flexibility: SDK for Government should work in as many different development scenarios as possible, providing a "batteries-included" approach only where it's necessary to achieve regulatory goals. Other parts should be open to the software developer.
-
Openness: Archon strives to bring better software to government. Making the regulatory process more open and accessible, especially to startups, is our strongest guiding principle.
For compliance with organizational requirements, you should check out Archon Policy Tools. This is our suite of advanced document-writing templates, subject matter expert advice, and AI-powered drafting to achieve organizational compliance.
An example workflow
While we've discussed what a business workflow looks like for integrators (see Overview), this should cover questions about technical aspects, both transparent and opaque.
1. You connect your software to our SDK
First, you use archon.yaml to provide instructions for what the base infrastructure and objects should look like when you deploy to an Archon Environment. See 3. archon.yaml and You
Then, you integrate our SDK into relevant systems like authentication, access control, logging, etc.
2. You start the Archon Environment (Development mode)
When you run archon dev start, we create a mock compliant environment on your machine using the Archon Development Engine. This allows you to test your application before committing to the compliance path.
Archon Engine will read your archon.yaml and configure the components you request (like databases, etc.). When fully built, it will look something like this
SDK for Government will establish a connection with the Development Engine, which mocks all the components and features required for compliance. The engine will read the archon.yaml file to generate and facilitate connections to other components like databases. Credentials and instructions to connect to these databases will be supplied via secret config values (see Components)
Engine will also begin routing all traffic destined for your application through the Boundary. The Boundary will authenticate traffic in a compliant manner before it ever reaches your application, reducing your development burden.
At this stage, your application is disconnected from the internet. You cannot use public APIs here. If you need access to an API, it would need to become a component that could spin up via the Engine.
This is because outbound API traffic must be scanned for leaking federal information, and therefore must be controlled carefully. If you need access to an external API, contact your representative. We can likely get you access within a day.
3. You've completed your integration and you're ready to achieve full compliance
Once you're satisfied with your application with the Development Engine, you can deploy to a real production environment with an instance of the Government Engine. This step is not free, and requires an agreement to be in place with Archon. Contact your representative for more information.
This separation exists because it is not feasible to implement all compliance components directly on a developer's computer. See What's in the Government Engine for more info
When you deploy to a production Archon environment, the Development Engine is hot-swapped for the Government Engine opaquely to your application. We guarantee that the API will perform exactly the same between the Development and Government engines.
4. You're running in production, and you can start composing your documentation
Once you're running in Archon's production environment, you can start writing the required documentation for your compliance audit and eventual government use.
You can either compose these documents in-house, or leverage Archon Policy Tools to help you. Archon Policy Tools will read through your environment automatically, identifying points of integration with the SDK and documenting them automatically. It will also provide templates and expert guidance for the variety of other policy requirements.
Once you're running in production, you will need 90 days of "operational evidence" to prove you are capable of administrating a compliant environment. See More details on FedRAMP for clarifications
Conclusion
Archon provides a structured and efficient way to meet the technical compliance requirements outlined in NIST SP 800-53. By leveraging components such as the Development and Government Engines, along with a robust boundary system, developers can focus on their applications while ensuring compliance is handled in a consistent and reliable manner.
With a commitment to simplicity, flexibility, and openness, Archon makes compliance accessible, enabling developers and businesses to innovate without being bogged down by bureaucratic hurdles. Whether you’re a startup or an established enterprise, Archon provides the tools you need to confidently navigate the regulatory landscape and deliver better software to government agencies.