The NSA Simplifies Regulatory Compliance in Public + Private Organizations with the Puppet-Based SIMP

The National Security Agency (NSA) is an intelligence agency of the United States Department of Defense. The NSA built one of their most critical tools on Puppet code — a tool now used by other government organizations to maintain their cybersecurity posture.

Benefits of Using Puppet:

Created a management platform for standardizing cybersecurity and compliance efforts.

Reduced manual effort to meet common compliance expectations.

Shared a powerful open source tool with public and private organizations.

Challenge: Strict Compliance Requirements + Duplication of Work

The NSA plays a significant role in establishing cybersecurity standards, best practices, and tools that help other government organizations improve their cybersecurity and compliance posture. The Systems Integrity Management Platform (SIMP) is one such tool: an open source security and compliance framework that government organizations use to keep systems compliant.

The NSA’s official press release says that “By releasing SIMP, the agency seeks to reduce duplication of effort and promote greater collaboration within the community: The wheel would not have to be reinvented for every organization.”


“The goal of SIMP is to make sure that you have a good foundation for compliance over time,” said Trevor Vaughan, Vice President of Engineering and Co-Founder at Onyx Point, co-creator of SIMP.

This framework was purpose-built to target foundational policies for federal security regulations, helping technology in government comply with major security standards — with a goal to be compatible with “really any security policy out there,” said Vaughan. Now, SIMP works to meet HIPAA, SOX, GLBA, and more for both public and private organizations.

Results: Puppet is the Automation Engine for Security + Compliance

“[SIMP] is going to let [organizations] basically ignore a lot of the foundational groundwork for these systems and get on with what they’re supposed to do for their business and for their mission.”

Trevor Vaughan, Vice President of Engineering and Co-Founder at Onyx Point

“[SIMP] uses Puppet language at its core,” said Vaughan. “The SIMP [primary server] is the Puppet [primary server]. It works like Puppet and it uses Puppet completely underneath ... It is a Puppet [primary server] running SIMP modules.”


To accelerate innovation between the public and private sectors, the NSA made SIMP publicly available on GitHub. Organizations are encouraged to adopt the tool and use it to strengthen their systems and networks against cyber threats — and, of course, spend less time catching up on compliance.

“They can stop worrying about the stuff that everyone has to do,” said Vaughan. “This way, you can concentrate on your business goals and stop worrying about compliance goals that should be trivial.”
