Alex Kane

n8n for GovTech SaaS Vendors: 5 Automations for FedRAMP, FISMA, CJIS, Section 508, and StateRAMP Compliance (Free Workflow JSON)

If you sell software to government agencies — federal, state, county, tribal, or defense — your compliance obligations are more complex and more scrutinized than almost any other vertical.

FedRAMP, FISMA, CJIS, Section 508, StateRAMP. Each one has its own reporting cadence, incident response timeline, and audit trail requirement. And unlike enterprise SaaS, a missed deadline doesn't just generate a fine — it can suspend your Authorization to Operate (ATO) and take your product offline.

Here are 5 n8n workflows GovTech SaaS vendors use to stay compliant — with full JSON you can import today.


Why Government Compliance Is Different

GovTech SaaS has three unique properties that make automation essential:

  1. Hard deadlines with system consequences: A FedRAMP ConMon report missed by a day is a POA&M finding. An ATO that lapses means your system goes offline — your agency customer loses access, your contract is at risk.
  2. Multi-body notification requirements: A CJIS policy violation requires notifying the Criminal Justice Agency CSA and the FBI CJIS Division and your own CISO. Manual coordination at 2AM fails. Automated workflows do not.
  3. Continuous monitoring is contractual: FedRAMP isn't a checkbox — it's a continuous obligation. OMB Circular A-130 requires ongoing monitoring. Cloud service providers who treat security as a quarterly activity lose their P-ATO.

Workflow 1: GovTech Customer Onboarding Drip with Compliance Flag Detection

Every new government customer has a different compliance profile. A federal agency needs FedRAMP and FISMA. A county sheriff's office needs CJIS. A state DMV portal needs Section 508. A defense contractor needs CMMC + IL5.

This workflow detects the customer's compliance flags from their signup data and routes them through a tailored onboarding drip — so your team sends the right documentation to the right customer from Day 0.

Customer tiers: FEDERAL_AGENCY / STATE_AGENCY / COUNTY_MUNICIPAL / TRIBAL_GOVERNMENT / DEFENSE_CONTRACTOR

Compliance flags detected: FEDRAMP_REQUIRED / FISMA_MODERATE / CJIS_POLICY / SECTION508_REQUIRED / STATERAMP_REQUIRED / HIPAA_IF_HEALTH_RECORDS / CMMC_LEVEL2

Day 0: Compliance-specific checklist. CJIS customers get the Security Addendum signature requirement. FedRAMP customers get the shared responsibility matrix link. Section 508 customers get the VPAT/ACR download link.

Day 3: Integration guides matched to their flags — CJIS audit log configuration, FedRAMP boundary network diagram, StateRAMP evidence package location.

Day 7: Invite to a compliance dashboard walkthrough covering authorization boundary confirmation, ConMon tour, and incident response workflow test.

{
  "name": "GovTech Customer Onboarding Drip with Compliance Flag Detection",
  "nodes": [
    {
      "id": "1",
      "name": "Webhook",
      "type": "n8n-nodes-base.webhook",
      "parameters": {
        "path": "govtech-onboard",
        "responseMode": "onReceived"
      },
      "position": [
        0,
        0
      ]
    },
    {
      "id": "2",
      "name": "Set Customer Profile",
      "type": "n8n-nodes-base.code",
      "parameters": {
        "jsCode": "const d = $input.first().json;\nconst tier = d.customer_type || 'STATE_AGENCY';\n// FEDERAL_AGENCY: FedRAMP/FISMA required\n// STATE_AGENCY: StateRAMP or FedRAMP equivalent\n// COUNTY_MUNICIPAL: StateRAMP or CJIS\n// TRIBAL_GOVERNMENT: BIA/FHWA federal grants\n// DEFENSE_CONTRACTOR: CMMC + ITAR + IL4/IL5\nconst flags = [];\nif (['FEDERAL_AGENCY','DEFENSE_CONTRACTOR'].includes(tier)) flags.push('FEDRAMP_REQUIRED');\nif (['FEDERAL_AGENCY','DEFENSE_CONTRACTOR'].includes(tier)) flags.push('FISMA_MODERATE');\nif (d.criminal_justice_data) flags.push('CJIS_POLICY');\nif (d.government_website || d.public_portal) flags.push('SECTION508_REQUIRED');\nif (['STATE_AGENCY','COUNTY_MUNICIPAL'].includes(tier)) flags.push('STATERAMP_REQUIRED');\nif (d.health_records) flags.push('HIPAA_IF_HEALTH_RECORDS');\nif (tier === 'DEFENSE_CONTRACTOR') flags.push('CMMC_LEVEL2');\nreturn [{json: {...d, customer_tier: tier, compliance_flags: flags}}];"
      },
      "position": [
        200,
        0
      ]
    },
    {
      "id": "3",
      "name": "Send Day 0 Welcome",
      "type": "n8n-nodes-base.gmail",
      "parameters": {
        "operation": "send",
        "to": "={{ $json.email }}",
        "subject": "Welcome to [Your GovTech Platform] \u2014 Government Compliance Setup Checklist",
        "message": "={{ 'Hi ' + $json.contact_name + ',\\n\\nWelcome. Based on your profile as a ' + $json.customer_tier + ' customer, here is your Day 0 compliance checklist:\\n\\n' + ($json.compliance_flags.includes('FEDRAMP_REQUIRED') ? '\u2713 FedRAMP Boundary: Confirm our shared responsibility matrix (Annex A) \u2014 boundary diagram available in your portal.\\n' : '') + ($json.compliance_flags.includes('FISMA_MODERATE') ? '\u2713 FISMA Moderate: Schedule your SSP review call \u2014 NIST SP 800-53 Rev 5 control baseline mapping available.\\n' : '') + ($json.compliance_flags.includes('CJIS_POLICY') ? '\u2713 CJIS Policy v5.9: CJIS Security Addendum signature required before CJI data access. Routing to your account team.\\n' : '') + ($json.compliance_flags.includes('SECTION508_REQUIRED') ? '\u2713 Section 508: VPAT (Voluntary Product Accessibility Template) available at [portal]/accessibility. Contact us for ACR.\\n' : '') + ($json.compliance_flags.includes('STATERAMP_REQUIRED') ? '\u2713 StateRAMP: Our StateRAMP Authorized status and P-ATO documentation available on request.\\n' : '') + ($json.compliance_flags.includes('CMMC_LEVEL2') ? '\u2713 CMMC Level 2: Our CMMC assessment scope letter and CUI handling addendum available. Contact contracts team.\\n' : '') + '\\nYour dedicated compliance liaison will reach out within 1 business day.\\n\\nBest,\\nFlowKit GovTech Team' }}"
      },
      "position": [
        400,
        0
      ]
    },
    {
      "id": "4",
      "name": "Wait 3 Days",
      "type": "n8n-nodes-base.wait",
      "parameters": {
        "amount": 3,
        "unit": "days"
      },
      "position": [
        600,
        0
      ]
    },
    {
      "id": "5",
      "name": "Send Day 3 Integration Guide",
      "type": "n8n-nodes-base.gmail",
      "parameters": {
        "operation": "send",
        "to": "={{ $json.email }}",
        "subject": "Day 3: Connecting [Your Platform] to Your Government IT Environment",
        "message": "={{ 'Hi ' + $json.contact_name + ',\\n\\nHere are your Day 3 integration guides, tailored for ' + $json.customer_tier + ':\\n\\n' + ($json.compliance_flags.includes('FEDRAMP_REQUIRED') ? '\u2022 FedRAMP Boundary Setup: All API calls must remain within your FedRAMP authorization boundary. See [docs]/fedramp-network-diagram for approved egress paths.\\n\u2022 ConMon Integration: Connect our continuous monitoring feed to your SIEM. POA&M items auto-sync daily.\\n' : '') + ($json.compliance_flags.includes('CJIS_POLICY') ? '\u2022 CJIS Audit Logging: Enable CJIS-compliant audit logs under Settings > Security > CJIS Logging. Logs retained 7 years per CJIS Policy \u00a75.4.\\n\u2022 Personnel Security: All admin users must complete CJIS Security Awareness Training Level 4 annually (CJIS \u00a75.12.1.1).\\n' : '') + ($json.compliance_flags.includes('SECTION508_REQUIRED') ? '\u2022 Section 508 Configuration: Enable high-contrast mode and screen reader compatibility under Settings > Accessibility. Our VPAT covers WCAG 2.1 AA.\\n' : '') + ($json.compliance_flags.includes('STATERAMP_REQUIRED') ? '\u2022 StateRAMP Evidence Package: Shared responsibility matrix and inherited controls list for your state ISA are in the compliance portal.\\n' : '') + '\\nQuestions? Reply to this email or book a technical review at [calendly link].\\n\\nFlowKit GovTech Team' }}"
      },
      "position": [
        800,
        0
      ]
    },
    {
      "id": "6",
      "name": "Wait 4 Days",
      "type": "n8n-nodes-base.wait",
      "parameters": {
        "amount": 4,
        "unit": "days"
      },
      "position": [
        1000,
        0
      ]
    },
    {
      "id": "7",
      "name": "Send Day 7 Walkthrough Invite",
      "type": "n8n-nodes-base.gmail",
      "parameters": {
        "operation": "send",
        "to": "={{ $json.email }}",
        "subject": "Day 7: Schedule Your Government Compliance Walkthrough",
        "message": "={{ 'Hi ' + $json.contact_name + ',\\n\\nYou are 7 days in. Let us walk through your compliance dashboard and verify your ' + $json.customer_tier + ' setup is complete.\\n\\nWe will cover:\\n\u2022 Authorization boundary confirmation\\n\u2022 ConMon dashboard tour (FedRAMP customers)\\n\u2022 Incident response workflow test (FISMA/CJIS)\\n\u2022 Section 508 ACR review (if applicable)\\n\u2022 StateRAMP evidence package status\\n\\nBook your 45-min walkthrough: [calendly link]\\n\\nFlowKit GovTech Team' }}"
      },
      "position": [
        1200,
        0
      ]
    }
  ],
  "connections": {
    "Webhook": {
      "main": [
        [
          {
            "node": "Set Customer Profile",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Set Customer Profile": {
      "main": [
        [
          {
            "node": "Send Day 0 Welcome",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Send Day 0 Welcome": {
      "main": [
        [
          {
            "node": "Wait 3 Days",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Wait 3 Days": {
      "main": [
        [
          {
            "node": "Send Day 3 Integration Guide",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Send Day 3 Integration Guide": {
      "main": [
        [
          {
            "node": "Wait 4 Days",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Wait 4 Days": {
      "main": [
        [
          {
            "node": "Send Day 7 Walkthrough Invite",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}

Workflow 2: GovTech Compliance API Health Monitor

For government customers, your platform's uptime is a compliance event.

If your FedRAMP authorization portal goes down, your continuous monitoring feed breaks — that's a NIST SP 800-53 Rev 5 CA-7 control failure. If your CJIS audit log API goes down, you're violating CJIS Policy §5.4.1.1, and you may owe the FBI CJIS Division notification.

This workflow polls 5 critical compliance endpoints every 5 minutes, uses $getWorkflowStaticData to track UP→DOWN state transitions (no alert storms), and notifies your CISO and Compliance Officer immediately on first detection.

Endpoints monitored:

| Endpoint | Regulatory Risk |
|---|---|
| fedramp_authorization_portal | OMB Circular A-130 continuous monitoring gap |
| fisma_boundary_scanner | NIST SP 800-53 Rev 5 CA-7 control failure |
| cjis_audit_log_api | CJIS Policy §5.4.1.1 — FBI CJIS Division notification required |
| section508_accessibility_checker | DOJ Section 508 complaint exposure |
| ato_status_api | NIST SP 800-37 Rev 2 §2.5 — operating without authorization |

{
  "name": "GovTech Compliance API Health Monitor",
  "nodes": [
    {
      "id": "1",
      "name": "Every 5 Minutes",
      "type": "n8n-nodes-base.scheduleTrigger",
      "parameters": {
        "rule": {
          "interval": [
            {
              "field": "minutes",
              "minutesInterval": 5
            }
          ]
        }
      },
      "position": [
        0,
        0
      ]
    },
    {
      "id": "2",
      "name": "Check FedRAMP Auth Portal",
      "type": "n8n-nodes-base.httpRequest",
      "parameters": {
        "url": "https://your-platform.gov/api/fedramp/authorization/health",
        "method": "GET",
        "timeout": 10000
      },
      "position": [
        200,
        -200
      ]
    },
    {
      "id": "3",
      "name": "Check FISMA Boundary Scanner",
      "type": "n8n-nodes-base.httpRequest",
      "parameters": {
        "url": "https://your-platform.gov/api/fisma/boundary/scan",
        "method": "GET",
        "timeout": 10000
      },
      "position": [
        200,
        0
      ]
    },
    {
      "id": "4",
      "name": "Check CJIS Audit Log API",
      "type": "n8n-nodes-base.httpRequest",
      "parameters": {
        "url": "https://your-platform.gov/api/cjis/audit-log/health",
        "method": "GET",
        "timeout": 10000
      },
      "position": [
        200,
        200
      ]
    },
    {
      "id": "5",
      "name": "Check Section 508 Checker",
      "type": "n8n-nodes-base.httpRequest",
      "parameters": {
        "url": "https://your-platform.gov/api/accessibility/508/health",
        "method": "GET",
        "timeout": 10000
      },
      "position": [
        200,
        400
      ]
    },
    {
      "id": "6",
      "name": "Check ATO Status API",
      "type": "n8n-nodes-base.httpRequest",
      "parameters": {
        "url": "https://your-platform.gov/api/ato/status/health",
        "method": "GET",
        "timeout": 10000
      },
      "position": [
        200,
        600
      ]
    },
    {
      "id": "7",
      "name": "Evaluate Health & State Transitions",
      "type": "n8n-nodes-base.code",
      "parameters": {
        "jsCode": "const prev = $getWorkflowStaticData('global');\nconst checks = [\n  {name: 'fedramp_authorization_portal', status: $('Check FedRAMP Auth Portal').first().json.status, risk: 'FedRAMP \u00a71003.15 ConMon \u2014 authorization portal DOWN = continuous monitoring gap. OMB Circular A-130 reporting risk.'},\n  {name: 'fisma_boundary_scanner', status: $('Check FISMA Boundary Scanner').first().json.status, risk: 'FISMA NIST SP 800-53 Rev 5 CA-7 \u2014 boundary scan DOWN = continuous monitoring control failure. FISMA annual assessment finding risk.'},\n  {name: 'cjis_audit_log_api', status: $('Check CJIS Audit Log API').first().json.status, risk: 'CJIS Policy \u00a75.4.1.1 \u2014 audit log DOWN = CJIS compliance violation. Criminal justice agency SLA breach. FBI CJIS Division notification required.'},\n  {name: 'section508_accessibility_checker', status: $('Check Section 508 Checker').first().json.status, risk: 'Section 508 29 USC \u00a7794d \u2014 accessibility checker DOWN = cannot verify WCAG 2.1 AA compliance. DOJ complaint exposure.'},\n  {name: 'ato_status_api', status: $('Check ATO Status API').first().json.status, risk: 'ATO expiry undetected = operating without authorization (NIST SP 800-37 Rev 2 \u00a72.5). Immediate agency notification required.'}\n];\nconst alerts = [];\nfor (const c of checks) {\n  const wasDown = prev[c.name + '_down'] || false;\n  const isDown = c.status !== 'healthy';\n  if (isDown && !wasDown) {\n    alerts.push({...c, transition: 'UP\u2192DOWN'});\n    prev[c.name + '_down'] = true;\n  } else if (!isDown && wasDown) {\n    prev[c.name + '_down'] = false;\n  }\n}\n// No explicit save call: n8n persists the mutated static-data object when the run ends.\nreturn alerts.map(a => ({json: a}));"
      },
      "position": [
        400,
        200
      ]
    },
    {
      "id": "8",
      "name": "If Any Down",
      "type": "n8n-nodes-base.if",
      "parameters": {
        "conditions": {
          "string": [
            {
              "value1": "={{ $json.name }}",
              "operation": "isNotEmpty"
            }
          ]
        }
      },
      "position": [
        600,
        200
      ]
    },
    {
      "id": "9",
      "name": "Alert CISO via Slack",
      "type": "n8n-nodes-base.slack",
      "parameters": {
        "channel": "#govtech-compliance-ops",
        "text": "={{ '\ud83d\udea8 GovTech COMPLIANCE API DOWN\\n*Service:* ' + $json.name + '\\n*Status:* ' + $json.status + '\\n*Risk:* ' + $json.risk }}",
        "attachments": []
      },
      "position": [
        800,
        100
      ]
    },
    {
      "id": "10",
      "name": "Email CISO + Compliance Officer",
      "type": "n8n-nodes-base.gmail",
      "parameters": {
        "operation": "send",
        "to": "ciso@yourcompany.com",
        "cc": "compliance@yourcompany.com",
        "subject": "={{ '\ud83d\udea8 GovTech Compliance API DOWN: ' + $json.name }}",
        "message": "={{ 'Compliance API failure detected at ' + new Date().toISOString() + '\\n\\nService: ' + $json.name + '\\nStatus: ' + $json.status + '\\n\\nRegulatory Risk:\\n' + $json.risk + '\\n\\nImmediate action required. Check [monitoring dashboard] for details.' }}"
      },
      "position": [
        800,
        300
      ]
    }
  ],
  "connections": {
    "Every 5 Minutes": {
      "main": [
        [
          {
            "node": "Check FedRAMP Auth Portal",
            "type": "main",
            "index": 0
          },
          {
            "node": "Check FISMA Boundary Scanner",
            "type": "main",
            "index": 0
          },
          {
            "node": "Check CJIS Audit Log API",
            "type": "main",
            "index": 0
          },
          {
            "node": "Check Section 508 Checker",
            "type": "main",
            "index": 0
          },
          {
            "node": "Check ATO Status API",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Check ATO Status API": {
      "main": [
        [
          {
            "node": "Evaluate Health & State Transitions",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Evaluate Health & State Transitions": {
      "main": [
        [
          {
            "node": "If Any Down",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "If Any Down": {
      "main": [
        [
          {
            "node": "Alert CISO via Slack",
            "type": "main",
            "index": 0
          }
        ],
        []
      ]
    },
    "Alert CISO via Slack": {
      "main": [
        [
          {
            "node": "Email CISO + Compliance Officer",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}
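
The UP→DOWN transition tracking described for this workflow can be exercised outside n8n as a pure function. This is an added example, not the article's code: `state` stands in for the object returned by `$getWorkflowStaticData('global')`, the poll sequence is constructed, and the recovery events go beyond what the article's node emits.

```javascript
// Added example, not the article's code. `state` stands in for the object
// returned by $getWorkflowStaticData('global'), which n8n persists between runs.
function evaluateTransitions(state, checks) {
  const alerts = [];
  const recoveries = [];
  for (const c of checks) {
    const key = c.name + '_down';
    const wasDown = state[key] === true;
    // A timed-out or refused request produces no status field, so anything
    // other than the literal string 'healthy' is treated as DOWN.
    const isDown = c.status !== 'healthy';
    if (isDown && !wasDown) {
      state[key] = true;
      alerts.push({ name: c.name, status: c.status ?? 'no_response', transition: 'UP->DOWN' });
    } else if (!isDown && wasDown) {
      state[key] = false;
      // Assumption: the article's node stays silent on recovery; this is an addition.
      recoveries.push({ name: c.name, status: c.status, transition: 'DOWN->UP' });
    }
  }
  return { alerts, recoveries };
}

// Constructed status readings for one endpoint over six 5-minute polls.
// `undefined` models a poll where the HTTP request itself failed.
const CONSTRUCTED_POLLS = ['healthy', 'degraded', undefined, 'degraded', 'healthy', 'healthy'];

// Replays the polls against one persistent state object, as the schedule would.
function simulate(polls, endpoint = 'cjis_audit_log_api') {
  const state = {};
  const timeline = [];
  for (const status of polls) {
    const { alerts, recoveries } = evaluateTransitions(state, [{ name: endpoint, status }]);
    timeline.push(alerts.length ? 'ALERT' : recoveries.length ? 'RECOVERED' : 'quiet');
  }
  return timeline;
}

// What an alert-on-every-failure monitor would have sent for the same polls.
function naiveAlertCount(polls) {
  return polls.filter((s) => s !== 'healthy').length;
}

console.log(simulate(CONSTRUCTED_POLLS).join(' '));
console.log('naive alerts:', naiveAlertCount(CONSTRUCTED_POLLS));
```

n8n saves workflow static data only for executions of an active workflow started by its trigger, so manual test runs in the editor will not show the deduplication.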

Workflow 3: GovTech Compliance Deadline Tracker

Government compliance has more deadline types than almost any other vertical — and they're spread across months and years.

FedRAMP annual assessments. Monthly ConMon reports. CJIS triennial policy reviews. Section 508 VPAT renewals. StateRAMP annual assessments. NIST SP 800-171 self-assessments for DFARS customers. ITAR Technical Assistance Agreement renewals.

This workflow runs weekday mornings, queries your deadline database, and sends tiered alerts to the right people — with deduplication so the same owner doesn't get spammed.

12 deadline types tracked:

  • FEDRAMP_ANNUAL_ASSESSMENT — NIST SP 800-53 Rev 5 CA-2
  • FEDRAMP_CONMON_MONTHLY — OMB Memo M-24-03 monthly ConMon reporting
  • FISMA_ANNUAL_ASSESSMENT — 44 USC §3554
  • CJIS_SECURITY_POLICY_TRIENNIAL — CJIS Policy §5.2
  • SECTION508_VPAT_RENEWAL — 29 USC §794d
  • STATERAMP_ANNUAL_ASSESSMENT — StateRAMP Authorization Program
  • NIST800171_ANNUAL_REVIEW — DFARS 252.204-7012
  • ITAR_TAA_RENEWAL — 22 CFR Part 124
  • FTA_AUDIT_ANNUAL — FTA Circular 4220.1F
  • IL5_REAUTHORIZATION_ANNUAL — DoD IL5 annual
  • SOC2_TYPE2_RENEWAL
  • ANNUAL_PENETRATION_TEST — FedRAMP SC-28
{
  "name": "GovTech Compliance Deadline Tracker",
  "nodes": [
    {
      "id": "1",
      "name": "Weekdays 8AM",
      "type": "n8n-nodes-base.scheduleTrigger",
      "parameters": {
        "rule": {
          "interval": [
            {
              "field": "cronExpression",
              "expression": "0 8 * * 1-5"
            }
          ]
        }
      },
      "position": [
        0,
        0
      ]
    },
    {
      "id": "2",
      "name": "Get Compliance Deadlines",
      "type": "n8n-nodes-base.postgres",
      "parameters": {
        "operation": "executeQuery",
        "query": "SELECT id, deadline_type, customer_name, deadline_date, owner_email, alert_sent_date FROM govtech_compliance_deadlines WHERE deadline_date <= NOW() + INTERVAL '90 days' AND active = true ORDER BY deadline_date ASC;"
      },
      "position": [
        200,
        0
      ]
    },
    {
      "id": "3",
      "name": "Classify Severity & Deduplicate",
      "type": "n8n-nodes-base.code",
      "parameters": {
        "jsCode": "const items = $input.all();\nconst today = new Date();\nconst alerts = [];\nconst DEADLINE_LABELS = {\n  'FEDRAMP_ANNUAL_ASSESSMENT': 'FedRAMP Annual Assessment (NIST SP 800-53 Rev 5 CA-2)',\n  'FEDRAMP_CONMON_MONTHLY': 'FedRAMP ConMon Monthly Report (OMB Memo M-24-03)',\n  'FISMA_ANNUAL_ASSESSMENT': 'FISMA Annual Assessment (44 USC \u00a73554)',\n  'CJIS_SECURITY_POLICY_TRIENNIAL': 'CJIS Security Policy Triennial Review (CJIS Policy \u00a75.2)',\n  'SECTION508_VPAT_RENEWAL': 'Section 508 VPAT Renewal (29 USC \u00a7794d)',\n  'STATERAMP_ANNUAL_ASSESSMENT': 'StateRAMP Annual Assessment (StateRAMP Authorization Program)',\n  'NIST800171_ANNUAL_REVIEW': 'NIST SP 800-171 Rev 3 Annual Self-Assessment (DFARS 252.204-7012)',\n  'ITAR_TAA_RENEWAL': 'ITAR Technical Assistance Agreement Renewal (22 CFR Part 124)',\n  'FTA_AUDIT_ANNUAL': 'FTA Circular 4220.1F Annual Procurement Audit',\n  'IL5_REAUTHORIZATION_ANNUAL': 'DoD IL5 Annual Reauthorization Review',\n  'SOC2_TYPE2_RENEWAL': 'SOC 2 Type II Renewal',\n  'ANNUAL_PENETRATION_TEST': 'Annual Penetration Test (FedRAMP SC-28)'\n};\nfor (const item of items) {\n  const d = item.json;\n  const daysUntil = Math.ceil((new Date(d.deadline_date) - today) / 86400000);\n  let severity;\n  if (daysUntil < 0) severity = 'OVERDUE';\n  else if (daysUntil <= 14) severity = 'CRITICAL';\n  else if (daysUntil <= 30) severity = 'URGENT';\n  else if (daysUntil <= 60) severity = 'WARNING';\n  else severity = 'NOTICE';\n  const lastSent = d.alert_sent_date ? new Date(d.alert_sent_date) : null;\n  const hoursSinceLast = lastSent ? (today - lastSent) / 3600000 : 9999;\n  const minGap = {'OVERDUE': 24, 'CRITICAL': 48, 'URGENT': 72, 'WARNING': 168, 'NOTICE': 336}[severity];\n  if (hoursSinceLast >= minGap) {\n    alerts.push({json: {...d, severity, days_until: daysUntil, label: DEADLINE_LABELS[d.deadline_type] || d.deadline_type}});\n  }\n}\nreturn alerts;"
      },
      "position": [
        400,
        0
      ]
    },
    {
      "id": "4",
      "name": "If Alerts",
      "type": "n8n-nodes-base.if",
      "parameters": {
        "conditions": {
          "string": [
            {
              "value1": "={{ $json.severity }}",
              "operation": "isNotEmpty"
            }
          ]
        }
      },
      "position": [
        600,
        0
      ]
    },
    {
      "id": "5",
      "name": "Slack Compliance Team",
      "type": "n8n-nodes-base.slack",
      "parameters": {
        "channel": "#govtech-compliance-deadlines",
        "text": "={{ $json.severity + ': ' + $json.label + ' \u2014 ' + $json.customer_name + ' \u2014 Due: ' + $json.deadline_date.substring(0,10) + ' (' + $json.days_until + ' days)' }}",
        "attachments": []
      },
      "position": [
        800,
        -100
      ]
    },
    {
      "id": "6",
      "name": "Email Owner + Compliance",
      "type": "n8n-nodes-base.gmail",
      "parameters": {
        "operation": "send",
        "to": "={{ $json.owner_email }}",
        "cc": "compliance@yourcompany.com",
        "subject": "={{ '[' + $json.severity + '] GovTech Compliance Deadline: ' + $json.label + ' \u2014 ' + $json.customer_name }}",
        "message": "={{ 'Deadline: ' + $json.label + '\\nCustomer: ' + $json.customer_name + '\\nDue: ' + $json.deadline_date.substring(0,10) + ' (' + $json.days_until + ' days)\\nSeverity: ' + $json.severity + '\\n\\nAction required. Update the compliance tracker once complete.' }}"
      },
      "position": [
        800,
        100
      ]
    },
    {
      "id": "7",
      "name": "Mark Alert Sent",
      "type": "n8n-nodes-base.postgres",
      "parameters": {
        "operation": "executeQuery",
        "query": "=UPDATE govtech_compliance_deadlines SET alert_sent_date = NOW() WHERE id = {{ $('Classify Severity & Deduplicate').item.json.id }};"
      },
      "position": [
        1000,
        0
      ]
    }
  ],
  "connections": {
    "Weekdays 8AM": {
      "main": [
        [
          {
            "node": "Get Compliance Deadlines",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Get Compliance Deadlines": {
      "main": [
        [
          {
            "node": "Classify Severity & Deduplicate",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Classify Severity & Deduplicate": {
      "main": [
        [
          {
            "node": "If Alerts",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "If Alerts": {
      "main": [
        [
          {
            "node": "Slack Compliance Team",
            "type": "main",
            "index": 0
          }
        ],
        []
      ]
    },
    "Slack Compliance Team": {
      "main": [
        [
          {
            "node": "Email Owner + Compliance",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Email Owner + Compliance": {
      "main": [
        [
          {
            "node": "Mark Alert Sent",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}
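
The schedule fires at exactly 08:00 while `alert_sent_date` is stamped a little later, after the Slack and Gmail nodes have run, so a strict elapsed-hours test can fall just short of the 24- or 48-hour gap. This added example (not the article's code) replays one constructed week to show the effect and compares a calendar-day check; the 40-second delay and the `dueByCalendarDays` helper are assumptions.

```javascript
// Added example, not the article's code. Tiers and gaps are copied from the
// "Classify Severity & Deduplicate" node; all dates below are constructed.
const HOUR = 3600000;
const DAY = 24 * HOUR;
const MIN_GAP_HOURS = { OVERDUE: 24, CRITICAL: 48, URGENT: 72, WARNING: 168, NOTICE: 336 };

function classify(deadlineMs, nowMs) {
  const daysUntil = Math.ceil((deadlineMs - nowMs) / DAY);
  if (daysUntil < 0) return 'OVERDUE';
  if (daysUntil <= 14) return 'CRITICAL';
  if (daysUntil <= 30) return 'URGENT';
  if (daysUntil <= 60) return 'WARNING';
  return 'NOTICE';
}

// The workflow's rule: elapsed hours since the last alert must reach the gap.
function dueByElapsedHours(severity, lastSentMs, nowMs) {
  if (lastSentMs === null) return true;
  return (nowMs - lastSentMs) / HOUR >= MIN_GAP_HOURS[severity];
}

// Alternative (assumption): count whole UTC calendar days between the last
// alert and this run, so a few seconds of execution time cannot skip a day.
function dueByCalendarDays(severity, lastSentMs, nowMs) {
  if (lastSentMs === null) return true;
  const days = Math.floor(nowMs / DAY) - Math.floor(lastSentMs / DAY);
  return days * 24 >= MIN_GAP_HOURS[severity];
}

const MONDAY_0800 = Date.UTC(2025, 0, 6, 8, 0, 0); // constructed: Mon 2025-01-06 08:00 UTC
const WEEKDAYS = ['Mon', 'Tue', 'Wed', 'Thu', 'Fri'];

// Replays the "0 8 * * 1-5" schedule for one week and returns the days on
// which an alert goes out. updateDelayMs models the time between the trigger
// and the "Mark Alert Sent" UPDATE (assumed 40 s).
function simulateWeek(deadlineMs, isDue, updateDelayMs = 40000) {
  let lastSent = null;
  const alertedDays = [];
  for (let i = 0; i < WEEKDAYS.length; i++) {
    const now = MONDAY_0800 + i * DAY;
    const severity = classify(deadlineMs, now);
    if (isDue(severity, lastSent, now)) {
      alertedDays.push(WEEKDAYS[i]);
      lastSent = now + updateDelayMs;
    }
  }
  return alertedDays;
}

const OVERDUE_DEADLINE = Date.UTC(2025, 0, 3);   // constructed: already past
const CRITICAL_DEADLINE = Date.UTC(2025, 0, 15); // constructed: within 14 days all week

console.log('OVERDUE  elapsed :', simulateWeek(OVERDUE_DEADLINE, dueByElapsedHours).join(' '));
console.log('OVERDUE  calendar:', simulateWeek(OVERDUE_DEADLINE, dueByCalendarDays).join(' '));
console.log('CRITICAL elapsed :', simulateWeek(CRITICAL_DEADLINE, dueByElapsedHours).join(' '));
console.log('CRITICAL calendar:', simulateWeek(CRITICAL_DEADLINE, dueByCalendarDays).join(' '));
```

With the elapsed-hours rule the overdue item is alerted on three of the five weekdays instead of daily, which is the case to check before relying on the 24-hour tier.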

Workflow 4: GovTech Security Incident Response Pipeline

Government incident response has the shortest clocks and the most external notification requirements of any vertical.

A FedRAMP security incident requires notifying the agency Authorizing Official within 1 hour of detection, plus US-CERT reporting via CISA. A CJIS policy violation requires notifying the FBI CJIS Division within 24 hours. A CUI exfiltration requires DoD CISO notification within 72 hours under DFARS 252.204-7012.

This webhook-based pipeline classifies the incident, calculates the response deadline, logs it to Postgres, notifies the right people (CISO, AO, Legal, FBI CJIS Division, DoD CISO — depending on type), and responds with a 200 ACK containing the incident ID and response deadline for audit trail purposes.

8 incident types with response clocks:

| Incident | Clock | Key Obligation |
|---|---|---|
| FEDRAMP_SECURITY_INCIDENT | 1h | Agency AO notification + US-CERT reporting |
| FISMA_BOUNDARY_BREACH | 4h | OIG notification + POA&M |
| CJIS_POLICY_VIOLATION | 24h | FBI CJIS Division + Criminal Justice Agency CSA |
| SECTION508_COMPLAINT | 72h | DOJ complaint response + remediation plan |
| ATO_SUSPENSION | 2h | System offline + Agency AO notification |
| STATERAMP_SECURITY_EVENT | 24h | StateRAMP PMO + state agency ISO |
| CUI_EXFILTRATION | 1h | DoD CISO within 72h (DFARS 252.204-7012) |
| INSIDER_THREAT_GOV | 4h | Security Officer + EO 13587 Insider Threat POC |

{
  "name": "GovTech Security Incident Pipeline",
  "nodes": [
    {
      "id": "1",
      "name": "Incident Webhook",
      "type": "n8n-nodes-base.webhook",
      "parameters": {
        "path": "govtech-incident",
        "responseMode": "responseNode"
      },
      "position": [
        0,
        0
      ]
    },
    {
      "id": "2",
      "name": "Classify Incident",
      "type": "n8n-nodes-base.code",
      "parameters": {
        "jsCode": "const d = $input.first().json;\nconst INCIDENT_TYPES = {\n  'FEDRAMP_SECURITY_INCIDENT': {\n    response_hours: 1,\n    severity: 'CRITICAL',\n    // FedRAMP IR Playbook: 1-hour detection-to-report, US-CERT reporting via https://www.cisa.gov/report\n    regulation: 'FedRAMP IR Playbook + NIST SP 800-61 Rev 2 + US-CERT reporting (CISA). Cloud Service Provider must notify agency AO within 1 hour of detection. OMB M-22-09 zero trust overlay.',\n    notify: ['CISO','AO','ISSO','US-CERT']\n  },\n  'FISMA_BOUNDARY_BREACH': {\n    response_hours: 4,\n    severity: 'CRITICAL',\n    regulation: 'FISMA 44 USC \u00a73554(b)(7) + NIST SP 800-61 Rev 2 + OIG notification. Boundary breach = potential POA&M finding. Agency Inspector General may require written notification within 24h.',\n    notify: ['CISO','OIG_LIAISON','ISSO']\n  },\n  'CJIS_POLICY_VIOLATION': {\n    response_hours: 24,\n    severity: 'HIGH',\n    // CJIS Policy \u00a75.9.3: violations reported to FBI CJIS Division + criminal justice agency CSA\n    regulation: 'CJIS Security Policy \u00a75.9.3 \u2014 notify the Criminal Justice Agency CSA and FBI CJIS Division within 24 hours. Vendor agreement may be suspended pending investigation.',\n    notify: ['CISO','CJA_CSA','FBI_CJIS_DIVISION']\n  },\n  'SECTION508_COMPLAINT': {\n    response_hours: 72,\n    regulation: 'Section 508 29 USC \u00a7794d + DOJ Section 508 complaint process (ADA.gov). Agency Section 508 Coordinator must be notified. Remediation plan required within 90 days per DOJ settlement patterns.',\n    notify: ['COMPLIANCE','SECTION508_COORDINATOR','LEGAL']\n  },\n  'ATO_SUSPENSION': {\n    response_hours: 2,\n    severity: 'CRITICAL',\n    // NIST SP 800-37 Rev 2 \u00a72.5: operating without ATO = immediate risk\n    regulation: 'NIST SP 800-37 Rev 2 \u00a72.5 \u2014 ATO suspension means immediate loss of authorization to operate. System must be taken offline until reauthorization. Agency authorizing official must be notified within 2 hours.',\n    notify: ['CISO','AO','CEO']\n  },\n  'STATERAMP_SECURITY_EVENT': {\n    response_hours: 24,\n    regulation: 'StateRAMP Security Incident Reporting \u2014 notify StateRAMP PMO within 24h. Affected state agency ISO must be notified. StateRAMP authorization may be suspended.',\n    notify: ['CISO','STATERAMP_PMO','STATE_AGENCY_ISO']\n  },\n  'CUI_EXFILTRATION': {\n    response_hours: 1,\n    severity: 'CRITICAL',\n    // NIST SP 800-171 \u00a73.6.2 + DFARS 252.204-7012 72h DoD CISO reporting\n    regulation: 'NIST SP 800-171 Rev 3 \u00a73.6.2 + DFARS 252.204-7012 \u2014 CUI exfiltration requires DoD CISO notification within 72 hours. Immediate isolation of affected system. Evidence preservation for IG investigation.',\n    notify: ['CISO','DOD_CISO','LEGAL','ISSO']\n  },\n  'INSIDER_THREAT_GOV': {\n    response_hours: 4,\n    regulation: 'EO 13587 National Insider Threat Policy + SEAD 3 \u2014 notify agency Security Officer and Insider Threat Program POC. Preserve access logs immediately. Personnel security team engagement required.',\n    notify: ['CISO','SECURITY_OFFICER','INSIDER_THREAT_POC']\n  }\n};\nconst config = INCIDENT_TYPES[d.incident_type] || {response_hours: 24, severity: 'HIGH', regulation: 'Unknown incident type \u2014 escalate to CISO', notify: ['CISO']};\nconst deadline = new Date(Date.now() + config.response_hours * 3600000);\nreturn [{json: {...d, ...config, response_deadline: deadline.toISOString(), detected_at: new Date().toISOString()}}];"
      },
      "position": [
        200,
        0
      ]
    },
    {
      "id": "3",
      "name": "Log to Postgres",
      "type": "n8n-nodes-base.postgres",
      "parameters": {
        "operation": "insert",
        "table": "govtech_incidents",
        "columns": "incident_type,severity,customer_name,detected_at,response_deadline,regulation,raw_payload",
        "values": "={{ [$json.incident_type, $json.severity, $json.customer_name, $json.detected_at, $json.response_deadline, $json.regulation, JSON.stringify($json)] }}"
      },
      "position": [
        400,
        0
      ]
    },
    {
      "id": "4",
      "name": "Slack CISO Immediate",
      "type": "n8n-nodes-base.slack",
      "parameters": {
        "channel": "#govtech-incidents-critical",
        "text": "={{ '\ud83d\udea8 GOVTECH INCIDENT: ' + $json.incident_type + '\\nCustomer: ' + $json.customer_name + '\\nSeverity: ' + ($json.severity || 'HIGH') + '\\nResponse Deadline: ' + $json.response_deadline + '\\nRegulation: ' + $json.regulation }}",
        "attachments": []
      },
      "position": [
        600,
        -100
      ]
    },
    {
      "id": "5",
      "name": "Email CISO + Legal",
      "type": "n8n-nodes-base.gmail",
      "parameters": {
        "operation": "send",
        "to": "ciso@yourcompany.com",
        "cc": "legal@yourcompany.com",
        "subject": "={{ '\ud83d\udea8 GOVTECH INCIDENT: ' + $('Classify Incident').first().json.incident_type + ' \u2014 ' + $('Classify Incident').first().json.customer_name }}",
        "message": "={{ 'Government Compliance Incident Detected\\n\\nType: ' + $('Classify Incident').first().json.incident_type + '\\nCustomer: ' + $('Classify Incident').first().json.customer_name + '\\nDetected: ' + $('Classify Incident').first().json.detected_at + '\\nResponse Required By: ' + $('Classify Incident').first().json.response_deadline + '\\n\\nRegulatory Obligation:\\n' + $('Classify Incident').first().json.regulation + '\\n\\nNotify: ' + $('Classify Incident').first().json.notify.join(', ') + '\\n\\nThis is a time-sensitive government compliance incident. Immediate action required.' }}"
      },
      "position": [
        600,
        100
      ]
    },
    {
      "id": "6",
      "name": "Respond 200 ACK",
      "type": "n8n-nodes-base.respondToWebhook",
      "parameters": {
        "respondWith": "json",
        "responseBody": "={{ JSON.stringify({status: 'received', incident_id: $('Log to Postgres').first().json.id, response_deadline: $('Classify Incident').first().json.response_deadline, regulation: $('Classify Incident').first().json.regulation}) }}"
      },
      "position": [
        800,
        0
      ]
    }
  ],
  "connections": {
    "Incident Webhook": {
      "main": [
        [
          {
            "node": "Classify Incident",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Classify Incident": {
      "main": [
        [
          {
            "node": "Log to Postgres",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Log to Postgres": {
      "main": [
        [
          {
            "node": "Slack CISO Immediate",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Slack CISO Immediate": {
      "main": [
        [
          {
            "node": "Email CISO + Legal",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Email CISO + Legal": {
      "main": [
        [
          {
            "node": "Respond 200 ACK",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}
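
The Classify Incident node's lookup, `INCIDENT_TYPES[d.incident_type] || {...}`, also matches inherited keys such as `constructor`, so the fallback is skipped and `toISOString()` throws before anything is logged or alerted. The added example below (not part of the original workflow) shows that lookup beside a hardened variant; the function names, the `UNKNOWN` label and the `reported_type` field are assumptions, and the table is a subset of the page's.

```javascript
// Added example (not the page's code). Subset of the page's INCIDENT_TYPES table;
// hours, severity and notify lists are copied from the page, regulation text omitted.
const INCIDENT_TYPES = Object.freeze({
  STATERAMP_SECURITY_EVENT: { response_hours: 24, notify: ['CISO', 'STATERAMP_PMO', 'STATE_AGENCY_ISO'] },
  CUI_EXFILTRATION: { response_hours: 1, severity: 'CRITICAL', notify: ['CISO', 'DOD_CISO', 'LEGAL', 'ISSO'] },
  INSIDER_THREAT_GOV: { response_hours: 4, notify: ['CISO', 'SECURITY_OFFICER', 'INSIDER_THREAT_POC'] },
});
const FALLBACK = Object.freeze({ response_hours: 24, severity: 'HIGH', notify: ['CISO'] });

// The page's lookup, reproduced for comparison. Inherited keys such as 'constructor'
// are truthy, so the || fallback is skipped and response_hours is undefined.
function pageLookupDeadline(payload, now = Date.now()) {
  const config = INCIDENT_TYPES[payload.incident_type] || FALLBACK;
  return new Date(now + config.response_hours * 3600000).toISOString(); // RangeError on NaN
}

// Hardened variant (hypothetical name): own-property lookup, server-set fields last.
function classifyIncident(payload, now = Date.now()) {
  const reported = typeof payload.incident_type === 'string' ? payload.incident_type : '';
  const known = Object.prototype.hasOwnProperty.call(INCIDENT_TYPES, reported);
  const config = known ? INCIDENT_TYPES[reported] : FALLBACK;
  return {
    ...payload,
    // Everything below overrides caller-supplied values of the same name.
    incident_type: known ? reported : 'UNKNOWN',
    reported_type: reported, // keep what the sender claimed, for the audit log
    severity: config.severity || 'HIGH',
    response_hours: config.response_hours,
    notify: [...config.notify],
    detected_at: new Date(now).toISOString(),
    response_deadline: new Date(now + config.response_hours * 3600000).toISOString(),
  };
}

// Constructed sample payloads, evaluated at a fixed clock so the output is reproducible.
const T0 = Date.UTC(2025, 0, 6, 2, 0, 0);
const samples = [
  { incident_type: 'CUI_EXFILTRATION', customer_name: 'Example County' },
  { incident_type: 'constructor', customer_name: 'Example County', response_deadline: '2099-01-01T00:00:00.000Z' },
];
for (const s of samples) {
  const r = classifyIncident(s, T0);
  console.log(r.incident_type, r.severity, r.response_deadline, r.notify.join(','));
}
```

In the workflow, the same own-property check belongs in the Classify Incident Code node, so an unrecognized type still reaches the CISO fallback path and gets a valid deadline.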

Workflow 5: Weekly GovTech Vendor KPI Dashboard

A weekly snapshot of your government compliance posture — sent to CEO and CPO every Monday morning, with CISO on BCC.

Subject line flags critical items so leadership sees the urgency before opening: [ATO SUSPENSION THIS WEEK], [CJIS VIOLATION THIS WEEK], [FEDRAMP OVERDUE], [CONMON REPORT OVERDUE].

7 metrics tracked:

  • FedRAMP/Gov deadlines overdue
  • FedRAMP critical deadlines (14 days)
  • CJIS incidents (7 days)
  • FedRAMP incidents (7 days)
  • ATO suspensions (7 days)
  • Section 508 complaints (30 days)
  • ConMon reports overdue
{
  "name": "Weekly GovTech Vendor KPI Dashboard",
  "nodes": [
    {
      "id": "1",
      "name": "Monday 8AM",
      "type": "n8n-nodes-base.scheduleTrigger",
      "parameters": {
        "rule": {
          "interval": [
            {
              "field": "cronExpression",
              "expression": "0 8 * * 1"
            }
          ]
        }
      },
      "position": [
        0,
        0
      ]
    },
    {
      "id": "2",
      "name": "Query GovTech KPIs",
      "type": "n8n-nodes-base.postgres",
      "parameters": {
        "operation": "executeQuery",
        "query": "SELECT\n  (SELECT COUNT(*) FROM govtech_compliance_deadlines WHERE deadline_date < NOW() AND active = true) AS fedramp_deadlines_overdue,\n  (SELECT COUNT(*) FROM govtech_compliance_deadlines WHERE deadline_date BETWEEN NOW() AND NOW() + INTERVAL '14 days' AND deadline_type LIKE 'FEDRAMP%' AND active = true) AS fedramp_critical_14d,\n  (SELECT COUNT(*) FROM govtech_incidents WHERE incident_type = 'CJIS_POLICY_VIOLATION' AND created_at >= NOW() - INTERVAL '7 days') AS cjis_incidents_7d,\n  (SELECT COUNT(*) FROM govtech_incidents WHERE incident_type = 'FEDRAMP_SECURITY_INCIDENT' AND created_at >= NOW() - INTERVAL '7 days') AS fedramp_incidents_7d,\n  (SELECT COUNT(*) FROM govtech_incidents WHERE incident_type = 'ATO_SUSPENSION' AND created_at >= NOW() - INTERVAL '7 days') AS ato_suspensions_7d,\n  (SELECT COUNT(*) FROM govtech_incidents WHERE incident_type = 'SECTION508_COMPLAINT' AND created_at >= NOW() - INTERVAL '30 days') AS section508_complaints_30d,\n  (SELECT COUNT(*) FROM govtech_compliance_deadlines WHERE deadline_type = 'FEDRAMP_CONMON_MONTHLY' AND deadline_date <= NOW() AND alert_sent_date IS NULL) AS conmon_reports_overdue;"
      },
      "position": [
        200,
        0
      ]
    },
    {
      "id": "3",
      "name": "Build KPI Report",
      "type": "n8n-nodes-base.code",
      "parameters": {
        "jsCode": "const d = $input.first().json;\nconst flags = [];\nif (d.ato_suspensions_7d > 0) flags.push('[ATO SUSPENSION THIS WEEK]');\nif (d.cjis_incidents_7d > 0) flags.push('[CJIS VIOLATION THIS WEEK]');\nif (d.fedramp_deadlines_overdue > 0) flags.push('[FEDRAMP OVERDUE]');\nif (d.conmon_reports_overdue > 0) flags.push('[CONMON REPORT OVERDUE]');\nconst subject = flags.length > 0 ? 'GovTech KPI ' + flags.join(' ') : 'GovTech KPI \u2014 Weekly Dashboard';\nconst html = `<h2>GovTech Vendor Weekly KPI \u2014 ${new Date().toISOString().substring(0,10)}</h2>\n<table border='1' cellpadding='6'>\n<tr><th>Metric</th><th>Value</th><th>Status</th></tr>\n<tr><td>FedRAMP/Gov Deadlines Overdue</td><td>${d.fedramp_deadlines_overdue}</td><td>${d.fedramp_deadlines_overdue > 0 ? '\ud83d\udd34 ACTION' : '\ud83d\udfe2 OK'}</td></tr>\n<tr><td>FedRAMP Deadlines Critical (14d)</td><td>${d.fedramp_critical_14d}</td><td>${d.fedramp_critical_14d > 2 ? '\ud83d\udfe1 REVIEW' : '\ud83d\udfe2 OK'}</td></tr>\n<tr><td>CJIS Incidents (7d)</td><td>${d.cjis_incidents_7d}</td><td>${d.cjis_incidents_7d > 0 ? '\ud83d\udd34 FBI CJIS NOTIFY' : '\ud83d\udfe2 CLEAR'}</td></tr>\n<tr><td>FedRAMP Incidents (7d)</td><td>${d.fedramp_incidents_7d}</td><td>${d.fedramp_incidents_7d > 0 ? '\ud83d\udd34 US-CERT REPORT' : '\ud83d\udfe2 CLEAR'}</td></tr>\n<tr><td>ATO Suspensions (7d)</td><td>${d.ato_suspensions_7d}</td><td>${d.ato_suspensions_7d > 0 ? '\ud83d\udd34 SYSTEM OFFLINE' : '\ud83d\udfe2 AUTHORIZED'}</td></tr>\n<tr><td>Section 508 Complaints (30d)</td><td>${d.section508_complaints_30d}</td><td>${d.section508_complaints_30d > 0 ? '\ud83d\udfe1 DOJ REVIEW' : '\ud83d\udfe2 OK'}</td></tr>\n<tr><td>ConMon Reports Overdue</td><td>${d.conmon_reports_overdue}</td><td>${d.conmon_reports_overdue > 0 ? '\ud83d\udd34 FEDRAMP BREACH' : '\ud83d\udfe2 CURRENT'}</td></tr>\n</table>\n<p style='font-size:11px;color:#666'>FedRAMP ConMon: OMB M-24-03 | CJIS: Policy v5.9.3 | Section 508: 29 USC \u00a7794d | ATO: NIST SP 800-37 Rev 2</p>`;\nreturn [{json: {subject, html, ...d}}];"
      },
      "position": [
        400,
        0
      ]
    },
    {
      "id": "4",
      "name": "Email CEO + CPO, BCC CISO",
      "type": "n8n-nodes-base.gmail",
      "parameters": {
        "operation": "send",
        "to": "ceo@yourcompany.com",
        "cc": "cpo@yourcompany.com",
        "bcc": "ciso@yourcompany.com",
        "subject": "={{ $json.subject }}",
        "message": "={{ $json.html }}",
        "options": {
          "bodyContentType": "html"
        }
      },
      "position": [
        600,
        0
      ]
    }
  ],
  "connections": {
    "Monday 8AM": {
      "main": [
        [
          {
            "node": "Query GovTech KPIs",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Query GovTech KPIs": {
      "main": [
        [
          {
            "node": "Build KPI Report",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Build KPI Report": {
      "main": [
        [
          {
            "node": "Email CEO + CPO, BCC CISO",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}

Why GovTech SaaS Vendors Self-Host n8n

| Reason | Detail |
| --- | --- |
| FedRAMP boundary | Cloud iPaaS = expansion of your authorization boundary. If Zapier or Make processes data from your FedRAMP-authorized system, that's a boundary breach. Self-hosted n8n stays inside your authorized boundary. |
| CJIS §5.9.1.2 | Criminal Justice Information cannot traverse systems not meeting CJIS Security Policy baseline. Cloud automation platforms are not CJIS-certified. Self-hosted n8n on your CJIS-compliant infrastructure resolves this. |
| CUI handling (DFARS 252.204-7012) | Controlled Unclassified Information cannot be processed on non-FedRAMP-authorized systems. Self-hosted n8n keeps CUI in your NIST 800-171-compliant environment. |
| Section 508 audit trail | GSA and DOJ audit Section 508 compliance. Self-hosted automation keeps the accessibility testing audit trail in your own governance boundary, not a vendor's. |
| StateRAMP cost | StateRAMP authorization is faster and cheaper than FedRAMP but still requires a security boundary. Self-hosted n8n is within scope, cloud iPaaS adds a subprocessor disclosure. |

Get the Complete GovTech Automation Bundle

These 5 workflows are part of the FlowKit GovTech SaaS Bundle — 15 production-ready n8n workflows for compliance automation across FedRAMP, FISMA, CJIS, Section 508, StateRAMP, CMMC, and more.

👉 Get the bundle at stripeai.gumroad.com

Individual templates start at $12. The full bundle is $97.

Drop a comment if you want me to cover a specific government compliance use case — CMMC Level 2, IL5, FedRAMP High, ITAR, or state-specific requirements.
