If you sell SaaS to government agencies, law enforcement, defense contractors, or election technology customers, your compliance posture determines whether you stay on the vendor list or get pulled.
This is not abstract. CJIS access revocation is unilateral and immediate. FedRAMP ATO suspension happens without warning. ITAR violations carry criminal penalties. And StateRAMP authorization is now mandatory in 23+ states just to get on a procurement shortlist.
n8n gives you five import-ready workflows to automate the compliance work across all seven GovTech customer tiers. Here they are.
The 7 GovTech Customer Tiers
| Tier | Key Compliance | Fastest Clock |
|---|---|---|
| FEDERAL_AGENCY_SAAS | FedRAMP Moderate ATO, FISMA, FOIA | FISMA_MODERATE_IMPACT — IMMEDIATE US-CERT |
| STATE_GOVT_SAAS | StateRAMP, FOIA state equivalents, CJIS adjacent | STATERAMP_AUDIT_FINDING — 72h POA&M |
| LOCAL_GOVT_SAAS | StateRAMP preferred, public records laws | GENERAL_GOVT_SECURITY |
| CRIMINAL_JUSTICE_SAAS | CJIS Security Policy 5.9, FedRAMP High | CJIS_SECURITY_INCIDENT — IMMEDIATE FBI |
| DEFENSE_CONTRACTOR_SAAS | ITAR 22 CFR §§120–130, EAR, DFARS | ITAR_UNAUTHORIZED_DISCLOSURE — IMMEDIATE |
| ELECTION_TECH_SAAS | CISA Election Security, EAC VVSG 2.0, HAVA | ELECTION_SYSTEM_INTEGRITY — 4h CISA |
| GOVTECH_STARTUP | StateRAMP, SOC2 | Standard 72h |
Workflow 1: Tier-Segmented Customer Onboarding Drip
Classifies incoming trials into one of seven tiers, assigns compliance flags, and triggers a tier-specific onboarding sequence with Day 0/3/7 emails.
The Day 0 email for CRIMINAL_JUSTICE_SAAS customers explains the CJIS cloud routing problem. For DEFENSE_CONTRACTOR_SAAS customers, it covers ITAR deemed export risk. For FEDERAL_AGENCY_SAAS, FedRAMP boundary expansion.
{
"name": "GovTech SaaS \u2014 Tier-Segmented Customer Onboarding Drip",
"nodes": [
{
"id": "1",
"name": "Webhook \u2014 trial_started",
"type": "n8n-nodes-base.webhook",
"parameters": {
"path": "govtech-trial-started",
"responseMode": "onReceived"
},
"position": [
0,
0
]
},
{
"id": "2",
"name": "Code \u2014 Tier + Flag Classifier",
"type": "n8n-nodes-base.code",
"parameters": {
"jsCode": "\nconst d = $input.first().json;\nconst agency = (d.agency_type || '').toLowerCase();\nconst userCount = d.user_count || 0;\nconst product = (d.product_type || '').toLowerCase();\nconst stateCustomers = d.state_customers || false;\nconst defenseCustomers = d.defense_customers || false;\n\n// Tier classification\nlet tier = 'GOVTECH_STARTUP';\nif (agency.includes('federal') || product.includes('fedramp') || product.includes('fisma')) tier = 'FEDERAL_AGENCY_SAAS';\nelse if (agency.includes('state') || stateCustomers || product.includes('stateramp')) tier = 'STATE_GOVT_SAAS';\nelse if (agency.includes('local') || agency.includes('county') || agency.includes('city') || agency.includes('municipal')) tier = 'LOCAL_GOVT_SAAS';\nelse if (product.includes('criminal') || product.includes('justice') || product.includes('law_enforcement') || product.includes('cjis') || product.includes('records_mgmt')) tier = 'CRIMINAL_JUSTICE_SAAS';\nelse if (defenseCustomers || product.includes('defense') || product.includes('dod') || product.includes('itar') || product.includes('controlled_tech')) tier = 'DEFENSE_CONTRACTOR_SAAS';\nelse if (product.includes('election') || product.includes('voter') || product.includes('poll') || product.includes('ballot')) tier = 'ELECTION_TECH_SAAS';\nelse if (userCount >= 500) tier = 'STATE_GOVT_SAAS';\n\n// Compliance flags\nconst flags = [];\nif (tier === 'FEDERAL_AGENCY_SAAS') { flags.push('FEDRAMP_MODERATE_REQUIRED'); flags.push('FISMA_MODERATE_IMPACT'); flags.push('FOIA_SUBJECT'); }\nif (tier === 'STATE_GOVT_SAAS') { flags.push('STATERAMP_REQUIRED'); flags.push('CJIS_ADJACENT'); flags.push('FOIA_STATE_EQUIVALENT'); }\nif (tier === 'LOCAL_GOVT_SAAS') { flags.push('STATERAMP_PREFERRED'); flags.push('FOIA_STATE_EQUIVALENT'); }\nif (tier === 'CRIMINAL_JUSTICE_SAAS') { flags.push('CJIS_SECURITY_POLICY_59'); flags.push('FEDRAMP_HIGH_REQUIRED'); flags.push('FBI_CJIS_AGREEMENT_REQUIRED'); }\nif (tier === 'DEFENSE_CONTRACTOR_SAAS') { flags.push('ITAR_22_CFR_PARTS_120_130'); flags.push('EAR_15_CFR_PARTS_730_774'); flags.push('DFARS_7012_COVERED'); }\nif (tier === 'ELECTION_TECH_SAAS') { flags.push('CISA_ELECTION_SECURITY'); flags.push('EAC_VVSG_2_0'); flags.push('HAVA_TITLE_II_REQUIREMENTS'); }\nif (tier === 'GOVTECH_STARTUP') { flags.push('STATERAMP_PREFERRED'); }\nif (userCount >= 200) flags.push('SOC2_REQUIRED');\n\n// Tier-specific Day 0 note\nconst day0Notes = {\n FEDERAL_AGENCY_SAAS: 'FedRAMP Moderate ATO is a procurement gate for federal systems \u2014 not optional, not waivable. Cloud iPaaS processing federal agency data expands your FedRAMP authorization boundary: every iPaaS node in the workflow that touches federal data must be listed on your FedRAMP SSP or your ATO is out of compliance (NIST SP 800-53 SA-9). FISMA moderate-impact system: unauthorized processing by a non-FedRAMP tool is an immediate reportable incident. Self-hosted n8n inside your FedRAMP boundary eliminates the boundary expansion.',\n STATE_GOVT_SAAS: 'StateRAMP is now required by 23+ states for cloud vendors selling to state agencies \u2014 not advisory, mandatory in procurement rules. Cloud iPaaS used in your product = undisclosed subprocessor = StateRAMP audit finding. StateRAMP authorized list: cloud.google.com is on it, generic iPaaS platforms often are not. Self-hosted n8n means zero subprocessor disclosure obligation. FOIA state equivalents: most state public records laws (e.g., California PRA, Florida Sunshine Law) apply to vendors holding public agency data.',\n LOCAL_GOVT_SAAS: 'StateRAMP preferred status is the minimum bar many county/city procurement offices require for cloud software. Cloud iPaaS routing municipal records = public records held in a non-compliant third-party system. Local government data breaches trigger state notification laws (all 50 states have breach notification) + public records exposure. Self-hosted n8n inside your local government customer boundary keeps automation data out of cloud subprocessor risk.',\n CRIMINAL_JUSTICE_SAAS: 'CJIS Security Policy 5.9 \u00a75.9.1 is your fastest clock: any security incident involving Criminal Justice Information triggers immediate notification to the FBI CJIS Division \u2014 no grace period. Cloud iPaaS routing CJI = unauthorized system outside the CJIS-compliant boundary = CJIS policy violation. The CJIS policy is explicit: cloud services must be CJIS-certified or the data must not traverse them. Loss of CJIS access = loss of all law enforcement customers. FBI CJIS audits are unannounced.',\n DEFENSE_CONTRACTOR_SAAS: 'ITAR 22 CFR \u00a7127.1: exporting or transferring defense-related technical data to foreign nationals \u2014 including cloud transmission \u2014 without a license is a federal crime (up to $1M fine + 20 years). Cloud iPaaS routing ITAR-controlled technical data = potential deemed export. EAR 15 CFR Part 774 Commerce Control List: dual-use technology in cloud services requires export classification review. DFARS 252.204-7012: cloud services processing CUI must meet NIST SP 800-171 \u2014 cloud iPaaS is a TPSP requiring explicit authorization.',\n ELECTION_TECH_SAAS: 'CISA Election Security Advisories: election systems are critical infrastructure (Sector 16). Cloud iPaaS in election workflows = undisclosed third-party system in critical infrastructure = CISA advisory target. EAC VVSG 2.0 \u00a713.1: voting system software must be auditable with unbroken chain of custody \u2014 cloud workflow execution logs stored in a third-party iPaaS break the audit chain. HAVA Title II: election systems must be certified before deployment. StateRAMP authorization is the minimum bar for state election agency procurement.',\n GOVTECH_STARTUP: 'StateRAMP is the fastest path to government procurement without full FedRAMP. StateRAMP Ready status can be achieved in 60-90 days and opens 23+ state procurement channels. Cloud iPaaS in your product = subprocessor disclosure in your StateRAMP package = additional audit scope. Start with self-hosted n8n to keep your subprocessor count low and your StateRAMP assessment scope clean.'\n};\n\nreturn [{json: {\n ...d,\n tier,\n flags,\n day0_compliance_note: day0Notes[tier] || day0Notes.GOVTECH_STARTUP\n}}];\n"
},
"position": [
250,
0
]
},
{
"id": "3",
"name": "Sheets \u2014 Log Trial",
"type": "n8n-nodes-base.googleSheets",
"parameters": {
"operation": "appendOrUpdate",
"documentId": "YOUR_SHEET_ID",
"sheetName": "trials",
"dataMode": "autoMapInputData"
},
"position": [
500,
0
]
},
{
"id": "4",
"name": "Gmail \u2014 Day 0 Welcome",
"type": "n8n-nodes-base.gmail",
"parameters": {
"operation": "send",
"toEmail": "={{ $json.email }}",
"subject": "Welcome to {{ $json.product_name }} \u2014 your government compliance automation setup",
"emailType": "html",
"message": "={{ '<p>Hi ' + $json.first_name + ',</p><p>You are now on the ' + $json.plan + ' trial.</p><p><strong>Compliance Note:</strong> ' + $json.day0_compliance_note + '</p><p>Your onboarding checklist is ready. Reply to this email with any questions.</p>' }}"
},
"position": [
750,
0
]
},
{
"id": "5",
"name": "Wait \u2014 3 days",
"type": "n8n-nodes-base.wait",
"parameters": {
"amount": 3,
"unit": "days"
},
"position": [
1000,
0
]
},
{
"id": "6",
"name": "Gmail \u2014 Day 3 CJIS Deep Dive",
"type": "n8n-nodes-base.gmail",
"parameters": {
"operation": "send",
"toEmail": "={{ $json.email }}",
"subject": "The CJIS cloud routing question your law enforcement customers will ask",
"emailType": "html",
"message": "<p>CJIS auditors will ask: where does Criminal Justice Information travel in your product's data flow? If the answer includes a cloud iPaaS vendor not on the CJIS-approved list, your customers have a CJIS boundary violation. The FBI CJIS Division can revoke access immediately \u2014 no warnings, no grace period. n8n self-hosted inside your CJIS-compliant boundary means every workflow step stays in the boundary. No unauthorized subprocessor, no boundary violation.</p>"
},
"position": [
1250,
0
]
},
{
"id": "7",
"name": "Wait \u2014 4 days",
"type": "n8n-nodes-base.wait",
"parameters": {
"amount": 4,
"unit": "days"
},
"position": [
1500,
0
]
},
{
"id": "8",
"name": "Gmail \u2014 Day 7 StateRAMP Pitch",
"type": "n8n-nodes-base.gmail",
"parameters": {
"operation": "send",
"toEmail": "={{ $json.email }}",
"subject": "StateRAMP + FedRAMP architecture checklist before your trial ends",
"emailType": "html",
"message": "<p>Before your trial ends: export your workflow JSON and review the StateRAMP subprocessor checklist. 23+ states require StateRAMP authorization for cloud vendors \u2014 each undisclosed subprocessor adds audit scope. Download the GovTech compliance architecture guide and schedule a 15-min deployment review.</p>"
},
"position": [
1750,
0
]
}
],
"connections": {
"Webhook \u2014 trial_started": {
"main": [
[
{
"node": "Code \u2014 Tier + Flag Classifier",
"type": "main",
"index": 0
}
]
]
},
"Code \u2014 Tier + Flag Classifier": {
"main": [
[
{
"node": "Sheets \u2014 Log Trial",
"type": "main",
"index": 0
}
]
]
},
"Sheets \u2014 Log Trial": {
"main": [
[
{
"node": "Gmail \u2014 Day 0 Welcome",
"type": "main",
"index": 0
}
]
]
},
"Gmail \u2014 Day 0 Welcome": {
"main": [
[
{
"node": "Wait \u2014 3 days",
"type": "main",
"index": 0
}
]
]
},
"Wait \u2014 3 days": {
"main": [
[
{
"node": "Gmail \u2014 Day 3 CJIS Deep Dive",
"type": "main",
"index": 0
}
]
]
},
"Gmail \u2014 Day 3 CJIS Deep Dive": {
"main": [
[
{
"node": "Wait \u2014 4 days",
"type": "main",
"index": 0
}
]
]
},
"Wait \u2014 4 days": {
"main": [
[
{
"node": "Gmail \u2014 Day 8 StateRAMP Pitch",
"type": "main",
"index": 0
}
]
]
}
}
}
Workflow 2: CJIS/FedRAMP/ITAR/StateRAMP Compliance Deadline Tracker
Reads a Google Sheet of compliance deadlines, classifies urgency by type, and fires alerts with specific action instructions.
12 deadline types tracked:
| Deadline | Clock | Consequence |
|---|---|---|
| CJIS_SECURITY_INCIDENT | IMMEDIATE | FBI CJIS access revocation, no warning |
| FISMA_MODERATE_IMPACT_INCIDENT | 1h | US-CERT notification, ATO suspension risk |
| ITAR_UNAUTHORIZED_EXPORT | IMMEDIATE | Criminal prosecution, $1M fine, 20yr |
| FEDRAMP_CONMON_DEVIATION | 30d | ATO suspension |
| STATERAMP_ANNUAL_AUDIT | 60d warning | Loss of 23+ state procurement access |
| CJIS_BIENNIAL_AUDIT | 60d warning | CJIS access review |
| ITAR_LICENSE_EXPIRY | 90d warning | Export activity must cease |
| EAR_BIS_CLASSIFICATION_REVIEW | 60d warning | Export compliance gap |
| FEDRAMP_MODERATE_ATO_RENEWAL | 90d warning | Federal procurement gate closes |
| ELECTION_SYSTEM_CERTIFICATION | 120d warning | State election procurement blocked |
| FOIA_RESPONSE_20_DAY | 5d warning | Constructive denial + litigation |
| HAVA_GRANT_COMPLIANCE_ANNUAL | 60d warning | EAC reporting failure |
{
"name": "GovTech SaaS \u2014 CJIS/FedRAMP/ITAR/StateRAMP Compliance Deadline Tracker",
"nodes": [
{
"id": "1",
"name": "Schedule \u2014 Daily 8AM",
"type": "n8n-nodes-base.scheduleTrigger",
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "0 8 * * *"
}
]
}
},
"position": [
0,
0
]
},
{
"id": "2",
"name": "Sheets \u2014 Read Deadlines",
"type": "n8n-nodes-base.googleSheets",
"parameters": {
"operation": "read",
"documentId": "YOUR_SHEET_ID",
"sheetName": "compliance_deadlines"
},
"position": [
250,
0
]
},
{
"id": "3",
"name": "Code \u2014 Urgency Classifier",
"type": "n8n-nodes-base.code",
"parameters": {
"jsCode": "\nconst today = new Date();\nconst urgent = [];\nfor (const row of $input.all()) {\n const d = row.json;\n const due = new Date(d.due_date);\n const days = Math.ceil((due - today) / 86400000);\n let level = 'OK';\n let action = '';\n\n // Deadline type routing with urgency\n if (d.deadline_type === 'CJIS_SECURITY_INCIDENT') {\n level = 'IMMEDIATE'; action = 'Notify FBI CJIS Division immediately per \u00a75.9.1 \u2014 no grace period. Suspend affected system access. Preserve audit logs. CJIS policy violation = immediate access revocation risk.';\n } else if (d.deadline_type === 'FISMA_MODERATE_IMPACT_INCIDENT') {\n level = 'IMMEDIATE'; action = 'US-CERT/CISA notification required within 1 hour per FISMA \u00a73554(b)(7). FedRAMP Moderate ATO suspension risk. Notify AO (Authorizing Official) immediately.';\n } else if (d.deadline_type === 'ITAR_UNAUTHORIZED_EXPORT') {\n level = 'IMMEDIATE'; action = 'Notify DDTC State Department within 60 days per 22 CFR \u00a7127.12. Suspend export activity. Preserve export records. Voluntary disclosure reduces penalty risk.';\n } else if (d.deadline_type === 'FEDRAMP_CONMON_DEVIATION' && days <= 30) {\n level = 'URGENT'; action = `FedRAMP ConMon deviation \u2014 ${days}d to ATO suspension. Remediate or document Plan of Action & Milestones (POA&M). Notify AO.`;\n } else if (d.deadline_type === 'STATERAMP_ANNUAL_AUDIT' && days <= 60) {\n level = days <= 30 ? 'URGENT' : 'WARNING'; action = `StateRAMP annual audit in ${days}d. Confirm subprocessor list, evidence package, penetration test results. 23+ state procurement channels depend on this.`;\n } else if (d.deadline_type === 'CJIS_BIENNIAL_AUDIT' && days <= 60) {\n level = days <= 30 ? 'URGENT' : 'WARNING'; action = `FBI CJIS biennial security audit in ${days}d. Verify CJIS-compliant cloud inventory, personnel screening, access controls, audit log integrity.`;\n } else if (d.deadline_type === 'ITAR_LICENSE_EXPIRY' && days <= 90) {\n level = days <= 30 ? 'URGENT' : 'WARNING'; action = `ITAR export license expiry in ${days}d. Initiate DSP-5/TAA/MLA renewal with DDTC State Department. Export activity must cease at expiry.`;\n } else if (d.deadline_type === 'EAR_BIS_CLASSIFICATION_REVIEW' && days <= 60) {\n level = days <= 30 ? 'URGENT' : 'WARNING'; action = `EAR BIS export classification review in ${days}d. Verify Commerce Control List (CCL) ECCN classification for all product releases. Cloud deployment changes may affect classification.`;\n } else if (d.deadline_type === 'FEDRAMP_MODERATE_ATO_RENEWAL' && days <= 90) {\n level = days <= 30 ? 'URGENT' : 'WARNING'; action = `FedRAMP Moderate ATO renewal in ${days}d. Submit updated SSP, evidence package, penetration test. Federal procurement gates close at ATO expiry.`;\n } else if (d.deadline_type === 'ELECTION_SYSTEM_CERTIFICATION' && days <= 120) {\n level = days <= 60 ? 'URGENT' : 'WARNING'; action = `EAC VVSG 2.0 certification renewal in ${days}d. Testing laboratory scheduling required 90d in advance. State election agency procurement requires current certification.`;\n } else if (d.deadline_type === 'FOIA_RESPONSE_20_DAY' && days <= 5) {\n level = 'URGENT'; action = `FOIA response deadline in ${days}d. 5 USC \u00a7552 requires initial determination within 20 business days. Missing deadline = constructive denial + litigation risk.`;\n } else if (d.deadline_type === 'HAVA_GRANT_COMPLIANCE_ANNUAL' && days <= 60) {\n level = days <= 30 ? 'URGENT' : 'WARNING'; action = `HAVA Title II grant compliance report in ${days}d. EAC reporting requires certified system inventory, security measures documentation, and audit log summary.`;\n } else {\n continue;\n }\n if (level !== 'OK') urgent.push({...d, urgency: level, action, days_remaining: days});\n}\nreturn urgent.map(u => ({json: u}));\n"
},
"position": [
500,
0
]
},
{
"id": "4",
"name": "Gmail \u2014 Deadline Alert",
"type": "n8n-nodes-base.gmail",
"parameters": {
"operation": "send",
"toEmail": "={{ $json.owner_email }}",
"subject": "={{ '[' + $json.urgency + '] ' + $json.deadline_type + ' \u2014 ' + $json.days_remaining + ' days' }}",
"emailType": "html",
"message": "={{ '<p><strong>Customer:</strong> ' + $json.customer_name + '</p><p><strong>Deadline:</strong> ' + $json.due_date + ' (' + $json.days_remaining + ' days)</p><p><strong>Action:</strong> ' + $json.action + '</p>' }}"
},
"position": [
750,
0
]
}
],
"connections": {
"Schedule \u2014 Daily 8AM": {
"main": [
[
{
"node": "Sheets \u2014 Read Deadlines",
"type": "main",
"index": 0
}
]
]
},
"Sheets \u2014 Read Deadlines": {
"main": [
[
{
"node": "Code \u2014 Urgency Classifier",
"type": "main",
"index": 0
}
]
]
},
"Code \u2014 Urgency Classifier": {
"main": [
[
{
"node": "Gmail \u2014 Deadline Alert",
"type": "main",
"index": 0
}
]
]
}
}
}
Workflow 3: Government Compliance API Health Monitor
Pings five government compliance APIs every 30 minutes. Deduplicates alerts with $getWorkflowStaticData. Fires only when an endpoint has been down for more than an hour.
5 endpoints monitored:
| Endpoint | Compliance Implication |
|---|---|
| FedRAMP Marketplace | ATO boundary tracking |
| CISA KEV Catalog | BOD 22-01 30-day patch window |
| StateRAMP Authorized List | Subprocessor disclosure tracking |
| NIST NVD CVE API | Vulnerability scoring for patch prioritization |
| EAC VVSG Portal | Election system certification tracking |
{
"name": "GovTech SaaS \u2014 Government Compliance API Health Monitor",
"nodes": [
{
"id": "1",
"name": "Schedule \u2014 Every 30min",
"type": "n8n-nodes-base.scheduleTrigger",
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "*/30 * * * *"
}
]
}
},
"position": [
0,
0
]
},
{
"id": "2",
"name": "HTTP \u2014 FedRAMP Marketplace",
"type": "n8n-nodes-base.httpRequest",
"parameters": {
"url": "https://marketplace.fedramp.gov/api/products",
"method": "GET",
"timeout": 10000
},
"position": [
0,
200
]
},
{
"id": "3",
"name": "HTTP \u2014 CISA KEV Catalog",
"type": "n8n-nodes-base.httpRequest",
"parameters": {
"url": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
"method": "GET",
"timeout": 10000
},
"position": [
0,
400
]
},
{
"id": "4",
"name": "HTTP \u2014 StateRAMP Authorized List",
"type": "n8n-nodes-base.httpRequest",
"parameters": {
"url": "https://stateramp.org/wp-json/wp/v2/posts?categories=authorized&per_page=1",
"method": "GET",
"timeout": 10000
},
"position": [
0,
600
]
},
{
"id": "5",
"name": "HTTP \u2014 NIST NVD CVE API",
"type": "n8n-nodes-base.httpRequest",
"parameters": {
"url": "https://services.nvd.nist.gov/rest/json/cves/2.0?resultsPerPage=1",
"method": "GET",
"timeout": 10000
},
"position": [
0,
800
]
},
{
"id": "6",
"name": "HTTP \u2014 EAC VVSG Portal",
"type": "n8n-nodes-base.httpRequest",
"parameters": {
"url": "https://www.eac.gov/voting-equipment/currently-certified-voting-systems",
"method": "GET",
"timeout": 10000
},
"position": [
0,
1000
]
},
{
"id": "7",
"name": "Code \u2014 Status Aggregator",
"type": "n8n-nodes-base.code",
"parameters": {
"jsCode": "\nconst seen = $getWorkflowStaticData('global');\nif (!seen.last_alert_ts) seen.last_alert_ts = {};\nconst results = [];\nconst endpoints = [\n { name: 'fedramp_marketplace', label: 'FedRAMP Marketplace \u2014 ATO boundary expansion risk', data: $('HTTP \u2014 FedRAMP Marketplace').first().json },\n { name: 'cisa_kev', label: 'CISA KEV Catalog \u2014 30d patch window per BOD 22-01', data: $('HTTP \u2014 CISA KEV Catalog').first().json },\n { name: 'stateramp_list', label: 'StateRAMP Authorized List \u2014 subprocessor disclosure', data: $('HTTP \u2014 StateRAMP Authorized List').first().json },\n { name: 'nist_nvd', label: 'NIST NVD CVE API \u2014 vulnerability scoring', data: $('HTTP \u2014 NIST NVD CVE API').first().json },\n { name: 'eac_vvsg', label: 'EAC VVSG Portal \u2014 election system certification', data: $('HTTP \u2014 EAC VVSG Portal').first().json }\n];\nconst now = Date.now();\nfor (const ep of endpoints) {\n const isDown = !ep.data || ep.data.error;\n if (isDown) {\n const lastAlert = seen.last_alert_ts[ep.name] || 0;\n if (now - lastAlert > 3600000) {\n seen.last_alert_ts[ep.name] = now;\n results.push({json: {endpoint: ep.name, label: ep.label, status: 'DOWN', ts: new Date().toISOString()}});\n }\n } else {\n seen.last_alert_ts[ep.name] = 0;\n }\n}\nreturn results.length ? results : [{json: {status: 'ALL_OK', ts: new Date().toISOString()}}];\n"
},
"position": [
250,
600
]
},
{
"id": "8",
"name": "IF \u2014 Any Down?",
"type": "n8n-nodes-base.if",
"parameters": {
"conditions": {
"string": [
{
"value1": "={{ $json.status }}",
"operation": "notEqual",
"value2": "ALL_OK"
}
]
}
},
"position": [
500,
600
]
},
{
"id": "9",
"name": "Gmail \u2014 API Alert",
"type": "n8n-nodes-base.gmail",
"parameters": {
"operation": "send",
"toEmail": "ciso@yourdomain.com",
"subject": "={{ '[GovTech API DOWN] ' + $json.endpoint }}",
"emailType": "html",
"message": "={{ '<p><strong>' + $json.label + '</strong> is DOWN as of ' + $json.ts + '.</p><p>Government compliance workflows depending on this API may be impaired.</p>' }}"
},
"position": [
750,
500
]
}
],
"connections": {
"Schedule \u2014 Every 30min": {
"main": [
[
{
"node": "HTTP \u2014 FedRAMP Marketplace",
"type": "main",
"index": 0
},
{
"node": "HTTP \u2014 CISA KEV Catalog",
"type": "main",
"index": 0
},
{
"node": "HTTP \u2014 StateRAMP Authorized List",
"type": "main",
"index": 0
},
{
"node": "HTTP \u2014 NIST NVD CVE API",
"type": "main",
"index": 0
},
{
"node": "HTTP \u2014 EAC VVSG Portal",
"type": "main",
"index": 0
}
]
]
},
"HTTP \u2014 FedRAMP Marketplace": {
"main": [
[
{
"node": "Code \u2014 Status Aggregator",
"type": "main",
"index": 0
}
]
]
},
"HTTP \u2014 CISA KEV Catalog": {
"main": [
[
{
"node": "Code \u2014 Status Aggregator",
"type": "main",
"index": 0
}
]
]
},
"HTTP \u2014 StateRAMP Authorized List": {
"main": [
[
{
"node": "Code \u2014 Status Aggregator",
"type": "main",
"index": 0
}
]
]
},
"HTTP \u2014 NIST NVD CVE API": {
"main": [
[
{
"node": "Code \u2014 Status Aggregator",
"type": "main",
"index": 0
}
]
]
},
"HTTP \u2014 EAC VVSG Portal": {
"main": [
[
{
"node": "Code \u2014 Status Aggregator",
"type": "main",
"index": 0
}
]
]
},
"Code \u2014 Status Aggregator": {
"main": [
[
{
"node": "IF \u2014 Any Down?",
"type": "main",
"index": 0
}
]
]
},
"IF \u2014 Any Down?": {
"main": [
[
{
"node": "Gmail \u2014 API Alert",
"type": "main",
"index": 0
}
]
]
}
}
}
Workflow 4: Government Compliance Incident Pipeline
POST to /govtech-incident with incident_type and get routed, prioritized, logged, and alerted within seconds.
8 incident types — fastest clocks first:
| Incident Type | Priority | SLA | Required Action |
|---|---|---|---|
| CJIS_SECURITY_INCIDENT | P0 | IMMEDIATE | FBI CJIS Division notification, suspend CJI access |
| FISMA_MODERATE_IMPACT | P0 | 1h | US-CERT/CISA notification, notify AO |
| ITAR_UNAUTHORIZED_DISCLOSURE | P0 | IMMEDIATE | DDTC voluntary disclosure, suspend exports |
| FEDRAMP_ATO_BOUNDARY_BREACH | P1 | 24h | Notify AO, update SSP, emergency Change Request |
| STATERAMP_AUDIT_FINDING | P1 | 72h | POA&M to StateRAMP PMO |
| ELECTION_SYSTEM_INTEGRITY | P1 | 4h | Notify CISA Election Security, state officials |
| FOIA_UNAUTHORIZED_DISCLOSURE | P1 | 48h | Notify agency FOIA officer, document scope |
| GENERAL_GOVT_SECURITY | P2 | 72h | NIST SP 800-61 response, check notification triggers |
{
"name": "GovTech SaaS \u2014 Government Compliance Incident Pipeline",
"nodes": [
{
"id": "1",
"name": "Webhook \u2014 incident_reported",
"type": "n8n-nodes-base.webhook",
"parameters": {
"path": "govtech-incident",
"responseMode": "onReceived"
},
"position": [
0,
0
]
},
{
"id": "2",
"name": "Code \u2014 Incident Classifier",
"type": "n8n-nodes-base.code",
"parameters": {
"jsCode": "\nconst d = $input.first().json;\nconst type = (d.incident_type || '').toUpperCase();\n\nconst routing = {\n CJIS_SECURITY_INCIDENT: { priority: 'P0', sla_hours: 0, label: 'CJIS_SECURITY_INCIDENT \u2014 IMMEDIATE', action: 'FBI CJIS Division notification immediate per \u00a75.9.1. Suspend all CJI access to affected system. Preserve and protect audit logs (chain of custody). Notify state CJIS Systems Agency. No grace period \u2014 CJIS access revocation is unilateral and immediate.' },\n FISMA_MODERATE_IMPACT: { priority: 'P0', sla_hours: 1, label: 'FISMA_MODERATE_IMPACT \u2014 1h US-CERT', action: 'US-CERT/CISA notification within 1 hour per FISMA \u00a73554(b)(7). Notify Authorizing Official (AO) immediately. FedRAMP ConMon deviation report due within 24 hours. ATO suspension risk if not remediated within 30 days.' },\n ITAR_UNAUTHORIZED_DISCLOSURE: { priority: 'P0', sla_hours: 0, label: 'ITAR_UNAUTHORIZED_DISCLOSURE \u2014 IMMEDIATE', action: 'Voluntary disclosure to DDTC State Department per 22 CFR \u00a7127.12 \u2014 reduces penalty from criminal prosecution to civil settlement. Suspend all export activity. Preserve export logs. Notify legal counsel immediately. ITAR violations: up to $1M fine + 20 years per violation.' },\n FEDRAMP_ATO_BOUNDARY_BREACH: { priority: 'P1', sla_hours: 24, label: 'FEDRAMP_ATO_BOUNDARY_BREACH \u2014 24h', action: 'FedRAMP boundary breach: notify AO within 24h per FedRAMP ConMon guidance. Submit updated SSP showing unauthorized component. Initiate emergency Change Request. ATO suspension if not remediated in 30 days.' },\n STATERAMP_AUDIT_FINDING: { priority: 'P1', sla_hours: 72, label: 'STATERAMP_AUDIT_FINDING \u2014 72h POA&M', action: 'StateRAMP audit finding: submit Plan of Action & Milestones (POA&M) within 72h to StateRAMP PMO. High findings require remediation within 30 days. Failure = loss of StateRAMP authorized status = loss of 23+ state procurement channels.' },\n ELECTION_SYSTEM_INTEGRITY: { priority: 'P1', sla_hours: 4, label: 'ELECTION_SYSTEM_INTEGRITY \u2014 4h CISA', action: 'Notify CISA Election Security team within 4 hours. Election systems are critical infrastructure \u2014 incident disclosure is mandatory under sector-specific guidance. Notify state election officials. EAC must be notified if certified system is affected.' },\n FOIA_UNAUTHORIZED_DISCLOSURE: { priority: 'P1', sla_hours: 48, label: 'FOIA_UNAUTHORIZED_DISCLOSURE \u2014 48h', action: 'Notify agency FOIA officer within 48h. 5 USC \u00a7552(f): improper disclosure of exempted records may constitute Privacy Act violation. Document disclosure scope, affected records, and remediation steps.' },\n GENERAL_GOVT_SECURITY: { priority: 'P2', sla_hours: 72, label: 'GENERAL_GOVT_SECURITY \u2014 72h', action: 'Standard government security incident response: document, triage, remediate per NIST SP 800-61 Rev 2. Check if incident triggers any CJIS/FedRAMP/ITAR/StateRAMP-specific notification obligations.' }\n};\n\nconst r = routing[type] || routing.GENERAL_GOVT_SECURITY;\nconst slaDue = new Date(Date.now() + r.sla_hours * 3600000).toISOString();\n\nreturn [{json: {\n ...d,\n priority: r.priority,\n sla_hours: r.sla_hours,\n sla_due: slaDue,\n incident_label: r.label,\n action_required: r.action,\n incident_id: 'GOVT-' + Date.now()\n}}];\n"
},
"position": [
250,
0
]
},
{
"id": "3",
"name": "Sheets \u2014 Log Incident",
"type": "n8n-nodes-base.googleSheets",
"parameters": {
"operation": "appendOrUpdate",
"documentId": "YOUR_SHEET_ID",
"sheetName": "incidents",
"dataMode": "autoMapInputData"
},
"position": [
500,
0
]
},
{
"id": "4",
"name": "Gmail \u2014 Incident Alert",
"type": "n8n-nodes-base.gmail",
"parameters": {
"operation": "send",
"toEmail": "ciso@yourdomain.com",
"subject": "={{ '[' + $json.priority + '] ' + $json.incident_label }}",
"emailType": "html",
"message": "={{ '<p><strong>Incident ID:</strong> ' + $json.incident_id + '</p><p><strong>SLA Due:</strong> ' + $json.sla_due + ' (' + $json.sla_hours + 'h)</p><p><strong>Action:</strong> ' + $json.action_required + '</p><p><strong>Customer:</strong> ' + ($json.customer_name || 'N/A') + '</p>' }}"
},
"position": [
750,
0
]
}
],
"connections": {
"Webhook \u2014 incident_reported": {
"main": [
[
{
"node": "Code \u2014 Incident Classifier",
"type": "main",
"index": 0
}
]
]
},
"Code \u2014 Incident Classifier": {
"main": [
[
{
"node": "Sheets \u2014 Log Incident",
"type": "main",
"index": 0
}
]
]
},
"Sheets \u2014 Log Incident": {
"main": [
[
{
"node": "Gmail \u2014 Incident Alert",
"type": "main",
"index": 0
}
]
]
}
}
}
Workflow 5: Weekly GovTech KPI Dashboard
Every Monday at 8AM: pulls metrics from Google Sheets, computes MRR WoW%, segments by customer tier, surfaces open CJIS/FedRAMP/ITAR incidents and upcoming audit deadlines. Email to CEO + CISO, BCC CCO.
{
"name": "GovTech SaaS \u2014 Weekly KPI Dashboard",
"nodes": [
{
"id": "1",
"name": "Schedule \u2014 Monday 8AM",
"type": "n8n-nodes-base.scheduleTrigger",
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "0 8 * * 1"
}
]
}
},
"position": [
0,
0
]
},
{
"id": "2",
"name": "Sheets \u2014 Read Metrics",
"type": "n8n-nodes-base.googleSheets",
"parameters": {
"operation": "read",
"documentId": "YOUR_SHEET_ID",
"sheetName": "kpi_weekly"
},
"position": [
250,
0
]
},
{
"id": "3",
"name": "Code \u2014 KPI Builder",
"type": "n8n-nodes-base.code",
"parameters": {
"jsCode": "\nconst rows = $input.all().map(r => r.json);\nconst latest = rows[rows.length - 1] || {};\nconst prev = rows[rows.length - 2] || {};\n\nconst pct = (a, b) => b ? (((a - b) / b) * 100).toFixed(1) + '%' : 'N/A';\n\nconst mrr = latest.mrr_usd || 0;\nconst mrrPrev = prev.mrr_usd || 0;\n\nreturn [{json: {\n week: latest.week_ending || new Date().toISOString().slice(0,10),\n mrr: '$' + mrr.toLocaleString(),\n mrr_wow: pct(mrr, mrrPrev),\n federal_agency_customers: latest.federal_agency_customers || 0,\n state_govt_customers: latest.state_govt_customers || 0,\n local_govt_customers: latest.local_govt_customers || 0,\n criminal_justice_customers: latest.criminal_justice_customers || 0,\n defense_contractor_customers: latest.defense_contractor_customers || 0,\n election_tech_customers: latest.election_tech_customers || 0,\n fedramp_authorized_customers: latest.fedramp_authorized || 0,\n stateramp_customers: latest.stateramp_customers || 0,\n cjis_compliant_customers: latest.cjis_compliant || 0,\n itar_licensed_customers: latest.itar_licensed || 0,\n open_cjis_incidents: latest.open_cjis_incidents || 0,\n open_fedramp_deviations: latest.open_fedramp_deviations || 0,\n open_itar_findings: latest.open_itar_findings || 0,\n stateramp_audit_due_30d: latest.stateramp_audit_due_30d || 0,\n cjis_audit_due_90d: latest.cjis_audit_due_90d || 0,\n itar_license_expiry_90d: latest.itar_license_expiry_90d || 0\n}}];\n"
},
"position": [
500,
0
]
},
{
"id": "4",
"name": "Gmail \u2014 Weekly KPI",
"type": "n8n-nodes-base.gmail",
"parameters": {
"operation": "send",
"toEmail": "ceo@yourdomain.com",
"cc": "ciso@yourdomain.com",
"bcc": "cco@yourdomain.com",
"subject": "={{ 'GovTech Weekly KPI \u2014 ' + $json.week + ' | MRR ' + $json.mrr + ' (' + $json.mrr_wow + ')' }}",
"emailType": "html",
"message": "={{ '<h2>GovTech SaaS Weekly KPI \u2014 ' + $json.week + '</h2><table border=1 cellpadding=6><tr><td>MRR</td><td>' + $json.mrr + ' (' + $json.mrr_wow + ' WoW)</td></tr><tr><td>Federal Agency Customers</td><td>' + $json.federal_agency_customers + '</td></tr><tr><td>State Govt Customers</td><td>' + $json.state_govt_customers + '</td></tr><tr><td>Local Govt Customers</td><td>' + $json.local_govt_customers + '</td></tr><tr><td>Criminal Justice Customers</td><td>' + $json.criminal_justice_customers + '</td></tr><tr><td>Defense Contractor Customers</td><td>' + $json.defense_contractor_customers + '</td></tr><tr><td>Election Tech Customers</td><td>' + $json.election_tech_customers + '</td></tr><tr><td>FedRAMP Authorized</td><td>' + $json.fedramp_authorized_customers + '</td></tr><tr><td>StateRAMP Customers</td><td>' + $json.stateramp_customers + '</td></tr><tr><td>CJIS Compliant</td><td>' + $json.cjis_compliant_customers + '</td></tr><tr><td>ITAR Licensed</td><td>' + $json.itar_licensed_customers + '</td></tr><tr><td colspan=2><strong>Open Issues</strong></td></tr><tr><td>CJIS Incidents Open</td><td>' + $json.open_cjis_incidents + '</td></tr><tr><td>FedRAMP Deviations Open</td><td>' + $json.open_fedramp_deviations + '</td></tr><tr><td>ITAR Findings Open</td><td>' + $json.open_itar_findings + '</td></tr><tr><td>StateRAMP Audit Due 30d</td><td>' + $json.stateramp_audit_due_30d + '</td></tr><tr><td>CJIS Audit Due 90d</td><td>' + $json.cjis_audit_due_90d + '</td></tr><tr><td>ITAR License Expiry 90d</td><td>' + $json.itar_license_expiry_90d + '</td></tr></table>' }}"
},
"position": [
750,
0
]
}
],
"connections": {
"Schedule \u2014 Monday 8AM": {
"main": [
[
{
"node": "Sheets \u2014 Read Metrics",
"type": "main",
"index": 0
}
]
]
},
"Sheets \u2014 Read Metrics": {
"main": [
[
{
"node": "Code \u2014 KPI Builder",
"type": "main",
"index": 0
}
]
]
},
"Code \u2014 KPI Builder": {
"main": [
[
{
"node": "Gmail \u2014 Weekly KPI",
"type": "main",
"index": 0
}
]
]
}
}
}
Why Self-Hosting Wins for GovTech
| Framework | Cloud iPaaS Problem | Self-Hosted n8n Solution |
|---|---|---|
| CJIS Security Policy 5.9 | Cloud iPaaS routing CJI = unauthorized system outside CJIS boundary = immediate access revocation | Workflow execution stays inside CJIS-compliant boundary — no boundary gap |
| FedRAMP Moderate ATO | Cloud iPaaS in workflow = FedRAMP boundary expansion = SSP violation | n8n inside FedRAMP boundary = no expansion, no SSP change |
| StateRAMP | Cloud iPaaS = undisclosed subprocessor = audit finding across 23+ state programs | Self-hosted = zero subprocessor disclosure obligation |
| ITAR 22 CFR §120–130 | Cloud transmission of ITAR data = deemed export risk, potential $1M fine + 20yr | Self-hosted inside ITAR boundary = no export event |
| FOIA / State Public Records | Cloud iPaaS holds government records = third-party records custodian = legal exposure | Self-hosted keeps government data in-boundary |
Get These Workflows
All five workflows are available at the FlowKit n8n automation template store. Import, configure credentials, and deploy — no coding required.
FlowKit builds automation templates for SaaS vendors with compliance obligations.
Top comments (0)