Skip to main content

Colophon

by Accelera Solutions with SigilArk

colophon (n.): the closing imprint that names a manuscript's author, reviewers, and authority.

Build fast. Ship authorized.

Three humans direct a bench of ~100 trained AI specialists. Accelera Solutions and its SigilArk affiliate deliver federal systems with their RMF evidence. Humans decide, the bench ships, authorization accumulates from day one.

Engage Accelera Solutions
Colophon owl mark

I · The problem and the inversion

From day last to day one

Federal programs need dozens of specialties to ship under ATO. Compliance evidence is reconstructed at the end. Timelines slip, attrition restarts the clock.

Colophon inverts that order. Three humans direct ~100 trained AI specialists; the Stationarius chain-of-custody protocol emits the RMF artifact set as structural byproduct of each shipped increment.

Compliance effort shape: traditional vs. Colophon

A qualitative line chart comparing the shape of compliance effort across a delivery timeline. Horizontal axis runs through five phases: Day 1, Delivery, Release, ATO submission, AO signs. The traditional curve stays near-zero through delivery and spikes sharply at ATO submission, representing reconstructive compliance work performed by dedicated FTEs at the end. The Colophon curve sits at a moderate plateau through delivery and does not spike at ATO submission, because the authorization evidence package has already accumulated. Both curves return to near-zero after the Authorizing Official signs. The point is the shape difference, not the magnitude.

Traditional · reconstructive compliance Colophon · chain-stamped continuously
Colophon chain-of-custody protocol flow

A horizontal pipeline showing how work moves through the Colophon chain of custody. Stages from left to right: requirements, trace review, architecture decisions (optional branch shown above the main path), decomposition into work units, implementation with attached test evidence, the review gauntlet with four parallel review lenses (code, adversarial, test quality, security), and release. Each transition between stages is a structural gate enforced by the chain, not convention. The implementer can refuse to start work whose upstream is not ready, and the refusal is the protection. Below the pipeline, a separate row shows cross-cutting specialists (Documentation, Data architect, Build-deployer, and RCA engineer) that apply across multiple stages rather than occupying a fixed handoff position.

each gate is enforced structurally the protocol refuses incomplete handoffs

II · The bench

The bench

Specialist agents fill specialist roles. Every artifact an IL4/5/6 program needs, emitted as structural byproduct. Humans direct the work; the bench ships it with its evidence.

What you receive: everything an IL4/5/6 program needs, without the FTEs

REQ Requirements + trace
ADR Architecture decision
PECIA Work unit · test evidence
REVIEW 5-lens verdict
SAST Source scan · CVE find
DAST Runtime scan · CVE find
SBOM Supply chain · attestation
STIG Container hardening
POAM Vulnerability lifecycle
CCB Triad decision
RELEASE Gate-passed record
RCA Incident analysis
Enterprise artifact coverage IL4/5/6 + continuous operations + program/contract office

Requirements + program management

What an IL4/5/6 program needs What Colophon emits
Requirements + traceability matrix (RTM) REQ-NNN + /trace review
Architecture decision history ADR-NNN (typed, immutable)
Work breakdown + story tracking PECIA-NNN + Decretum chain
Contract Data Requirements List (CDRL) DoD-STD-formatted deliverables
Earned Value Management (EVM) reporting Cost-schedule performance reports

Code + test artifacts

What an IL4/5/6 program needs What Colophon emits
Source code with inline documentation Bench-produced code + OpenAPI 3.1
Unit + integration + E2E test evidence PECIA test_evidence + TESTRUN-NNN
Quality assurance verdicts 5-lens chain · 6th lens on UI

Security artifacts

What an IL4/5/6 program needs What Colophon emits
Static application security testing (SAST) Semgrep + Trivy + gitleaks per release
Dynamic application security testing (DAST) OWASP ZAP + Burp at integration boundary
Container hardening DISA Container STIG + image scanning
CVE / vulnerability lifecycle Discovery → triage → remediation + POAM
Threat models STRIDE / PASTA + coverage matrix
Supply chain attestations SLSA L3 + Cosign + CycloneDX SBOM
CUI handling discipline CuiValue<T> typed wrappers + redaction

Compliance + ATO

What an IL4/5/6 program needs What Colophon emits
System Security Plan (SSP) NIST 800-53 control implementations
Plan of Action & Milestones (POAM) CVE / exception tracking with milestones
eMASS authorization packages eMASS-uploadable artifact bundles
STIG compliance evidence DISA STIG checklists + ACAS scan output
Continuous monitoring plan Observability + scan cadence + drift
NIST 800-53 control mapping Digesta cross-referenced corpus
Privacy Impact Assessment (PIA) Zone-based data-flow + PIA artifact
Accessibility (VPAT 2.5 Rev 508) axe-core + 508 / WCAG AA evidence

Operational + audit

What an IL4/5/6 program needs What Colophon emits
Operational runbooks (deploy · incident · DR) Documentation + release / rollback pattern
Standard Operating Procedures (SOPs) Adopter-specific SOP set
Configuration management plan IaC + config baselines
Incident response plan + RCAs RCA-NNN with corrective actions
Change control board records CCB-NNN · role-dependent veto
Release records + gate evidence RELEASE-NNN + reviewer sign-offs
Audit trail (DoD 5015.02-compatible) Decretum append-only decision precedent store
Documentation set (user · API · operator) Documentation Mandate output
Telemetry + structured logs Continuous monitoring evidence
per-commit cadence. Every PECIA emits its slice of this artifact set
Colophon protocol artifacts mapped to RMF artifact classes

Two-column diagram. Left column lists six typed artifacts the Colophon chain-of-custody protocol emits: requirement traces, architecture decisions, pecia with attached test evidence, review-lens sign-offs, release records, and incident root-cause analyses. Right column lists five Risk Management Framework (NIST 800-37 Rev 2) artifact classes: System Security Plan, Security Assessment Report, Plan of Action and Milestones, Authorization Package, and Continuous Monitoring. Connecting lines show which protocol artifacts primarily feed which RMF artifacts. The mapping is many-to-many in practice; the diagram shows primary relationships only.

primary mapping shown · many-to-many in practice · framework reference: NIST 800-37 Rev 2

Change Control Board and role mapping

Change Control Board humans decide · 3-seat CCB · one authority

Technical

Decides architecture and engineering direction: target-platform tradeoffs, system boundaries, tooling selection, build-vs-buy calls.

Program

Decides scope and delivery: cadence, stakeholder coordination, what ships next, what defers, where the bench focuses.

ATO / Cyber

Decides authorization posture: compliance path, AO-facing evidence, security gate enforcement, risk acceptance.

Traditional hire → Colophon bench buyer-role mapping · representative coverage · grows as project domains require
What you'd traditionally hire What the bench covers it with
Engineer · Software Developer Planner · Implementer
Software Architect Architect (ADR author)
iOS · Android · Web Developer Implementer (per-target binding)
Information Scientist · Knowledge Architect IA Mandate (controlled vocab · authority files · faceted classification)
Library Specialist · Metadata Architect IA Mandate (Dublin Core metadata · information radiators)
Data Modeler · Knowledge Graph Engineer IA Mandate (graph data model · event sourcing · cache invalidation)
Database Admin · Data Architect Data architect (relational · document · wide-column · key-value · graph)
Cyber · Red Team · Threat Modeler Threat modeler · Adversarial reviewer · SAST reviewer
DAST Lead · Information Security Engineer DAST reviewer
Container Security · STIG Specialist Container hardening
Vulnerability Manager · POAM Lead Vulnerability management
ATO Evidence Specialist · ISSE ATO evidence + Digesta corpus
Technical Writer · DoD-STD Compliance Documentation + contract deliverables (SDD · ICD · IRS · STP · STR · SVD)
Program Manager · EVM Analyst Program management + handler role (human side)
Data Scientist · ML Engineer Data science (statistical analysis · ML BOM · drift · bias eval)
Accessibility Specialist · 508 / VPAT Lead Accessibility + accessibility reviewer
Site Reliability Engineer · Observability Architect Observability
CUI Discipline Lead CUI value typed wrappers
representative mapping · 60+ specialist Mandates + 7 Workstream B Mandates in flight
Stack coverage top 7 DoD languages · multi-cloud · 5 database paradigms

Languages

  • Java
  • C# / .NET
  • Python
  • C++
  • TypeScript
  • Go
  • Rust

Clouds

  • AWS commercial
  • AWS GovCloud
  • Azure commercial
  • Azure Government

Databases

  • Relational (Postgres)
  • Document (Mongo · Couch)
  • Wide-column (Cassandra)
  • Key-value (DynamoDB)
  • Graph (Neo4j · Neptune)
full-stack delivery per combination · per-target binding at /implement dispatch Go + Rust on platform-roadmap · colophon-platform issues #203 · #204
Three-tier escalation orchestrated by Stationarius: bounded autonomous peer collaboration with lazy escalation

A three-tier diagram. Bottom tier: six peer specialist agents (Planner, Architect, Implementer, Reviewer, Adversarial, SAST) with bidirectional arcs showing peer-to-peer conflict resolution. Middle tier: three arbiter agents, activated by three trigger conditions (flag raised, audit sample, or peers exhausted). Top tier: the Change Control Board, a single node labeled "Change Control Board" with subtitle "handlers convene," where human handlers (Technical, Program, ATO/Cyber) convene when arbiters cannot resolve. The CCB is human-side; it does not contain agents of its own. Visual asymmetry: peer tier is wide and prominent, arbiter tier is narrower, CCB tier is a single node with a focal ripple animation.

Peer specialist agents · most work resolves here Arbiter agents · activate on specific conditions Change Control Board · Technical · Program · ATO/Cyber handlers convene when arbiters escalate

Stationarius: the coordination protocol

Stationarius routes work between agents and humans over Colloquy (typed wire protocol, five message classes) and writes every exchange to Decretum, the audit-trailed decision precedent store the AO reads at authorization.

Tier 1

Peer-to-peer

Specialist agents resolve most work themselves. Every implementation passes a five-lens review chain (code review, adversarial review, test quality, security, and CI parity) with signed concerns. A sixth lens (accessibility) gates user-facing changes. Async + multi-threaded autonomy.

Tier 2

Arbiter agents

When revisions on a single work unit exceed a configured threshold, an arbiter agent auto-activates, diagnoses the impasse, and writes a structured verdict prescribing the next step. Verdicts are advisory by default; high-stakes work flips them binding by frontmatter declaration.

Tier 3

Change Control Board

The CCB convenes only when arbiters can't resolve, or when a change is production-impacting, cross-cutting, or compliance-domain by class. Role-dependent veto applies; each seat decides binding within its named domain.

Stationarius coordination protocol architecture

Three-column architecture diagram. Left column: five specialist agents (Planner, Implementer, Reviewer, Adversarial, SAST) dispatching work into the central engine. Center column: Stationarius shown as a stacked panel of four named sub-components (Routing Rules, Agent Registry, Decretum decision-precedent store, and Colloquy typed wire protocol) which together orchestrate the three-tier escalation flow. Right column: the handler triad (Technical, Program, ATO/Cyber) receiving escalations from Stationarius. Three communication channels are labeled at the bottom: Channel A is the pull-driven MCP tool surface that agents call into, Channel B is the MCP subscription surface that returns verdicts back to originating sessions, Channel C is the outbound push surface that wakes handlers via Slack, APNs, FCM, or email.

Async + multi-threaded by design. Three to five agents work in parallel under one human's direction, instructing each other inside the protocol. Humans serve as the CCB for actions and decisions, not as prompt-by-prompt operators.

One bench. Four providers. Sovereign by design. Routes per task across Anthropic, OpenAI, Gemini, and Llama 4 via cloud providers or local / air-gapped hardware (Ollama, vLLM). Selection driven by sovereignty, cost, and classification.

Stationarius parallel-subagent dispatch: Gantt-style strip

A timeline diagram split into two waves of work. Wave 1 shows three subagents working concurrently: an Implementer, an Adversarial Reviewer, and a Test-Quality Reviewer. Each is drawn as a horizontal stripe along the time axis, with offset start times and overlapping durations to communicate parallelism. Between Wave 1 and Wave 2 sits a Stationarius consolidation row showing the engine collecting subagent outputs and dispatching the next wave. Wave 2 shows an Implementer revision pass responding to the consolidated verdicts. A footer annotation cites a real example: colophon-platform PR #182 (Quaestor workflow canonicalization) used three parallel subagents in one wave to produce 914 lines across 19 files.

III · Proof

Proof

SigilArk delivers federal healthcare systems to the Defense Health Agency under RMF authority. Compliance gates are declared once at initiation, stamped into the chain of custody, enforced through delivery.

Authorization track record SigilArk organizational posture · 2026-Q2

ATOs achieved

1

AWS GovCloud · current

ATOs in flight

1

authorization timeline on plan

Provider inheritance

2 clouds

AWS GovCloud · Azure Government (IL2 through IL6)

Dogfood · bench output federal engagements · in-house products

DHA · Application I

Full-stack delivery · iOS, Android, Web, API

First of the DHA cohort delivered on the bench. Four-week stack cycle against an eight-month scheduled baseline; zero CVEs, full STIG parity, eMASS re-drafted per commit.

DHA · Application II

Full-stack delivery · iOS, Android, Web, API

Second app in the DHA cohort, same protocol, same tempo. Repeatability confirmed; the four-week cadence and near-zero findings posture hold across adjacent missions.

Vallark

web · iOS · Android · API

Every layer of Vallark (vallark.build, the iOS / Android / web clients, the Hono.js API, the cloud infrastructure, and the compliance-floor scaffolds Vallark itself distributes) shipped end to end on the bench. Same protocol as a federal engagement, applied to an in-house product.

Glyphon

web · CLI · API · Agents

Every layer of Glyphon (the web dashboard, the CLI, the API, the deployment infrastructure, and the 53+ specialist agents inside the product itself) authored, tested, and authorized on Colophon's bench. Bench agents producing bench-grade agents.

Target segments authorization-gated delivery · regulated industries

Federal systems

RMF · NIST 800-37 · FedRAMP

DoD programs

Impact Level 2 through 6 · DoD CC SRG

Defense Industrial Base

CMMC 2.0 · NIST 800-171

Healthcare

HIPAA · HITECH · 42 CFR Part 2

Finance

SOX · PCI-DSS · FFIEC · GLBA

Critical infrastructure

NERC CIP · TSA · sector-specific

IV · Engage the platform

Built by Accelera Solutions and SigilArk

Accelera Solutions with SigilArk

Colophon is the internal development platform Accelera Solutions and its SigilArk affiliate use to deliver federal systems with their RMF evidence. It is bundled into every engagement, not procured separately.

For prime delivery, engage Accelera Solutions. For WOSB-set-aside procurements, engage SigilArk. Both routes deliver on the same Colophon bench. For full company details (contract vehicles, leadership, procurement essentials), visit accelerasolutions.com or sigilark.com.

Engage Accelera Solutions

Accelera Solutions is the point of contact on all contracts, including WOSB-set-aside procurements delivered via the SigilArk affiliate.

Engagements scoped program by program, aligned to your authorization path.