Federal backends that hold under audit.

The federal backend problem

Commercial backend engineering optimizes for velocity: ship a feature, fix it in production, iterate. Federal backend engineering optimizes for a different function entirely — traceability, control inheritance, and audit survivability. An endpoint that works is only half the job; an endpoint that works and generates a compliant audit log, validates input against a schema, authenticates against a PIV certificate, encrypts in transit with FIPS-validated ciphers, and emits structured telemetry that a SOC analyst can read at 2am is the actual bar.

We build to that bar. Every backend service we ship carries a control inheritance matrix, a threat model, an OpenAPI 3.1 contract, and a deployment manifest that a federal SCA can review without asking follow-up questions. That discipline doesn't slow delivery — it prevents the six-month ATO rework that eats most federal software budgets.

Language and framework stack

Language choice is driven by three factors: operator skill on the receiving team, agency IT standards, and the maturity of the security tooling ecosystem. We do not introduce a language a federal sustainment team cannot operate.

• Python 3.12+ — FastAPI for modern async APIs, Django for admin-heavy line-of-business systems, Flask for lightweight internal services. SQLAlchemy 2.x with Alembic migrations, Pydantic v2 for request/response validation, Celery for background jobs. Ruff for linting, mypy strict mode for type safety, pytest with 85%+ coverage as the standard gate.
• Node.js 20 LTS / TypeScript 5.x — Fastify for high-throughput APIs (10x faster than Express at the p99), NestJS for structured enterprise codebases, Express when the customer already runs it. Zod for runtime validation, Prisma or Drizzle for database access, BullMQ for queues backed by Redis.
• Go 1.22+ — chi or echo for HTTP APIs, gRPC for internal service-to-service, sqlc for type-safe database queries. Go is our default when the service needs single-binary deployment, tight memory footprint, or must run inside a hardened container with minimal dependencies (DISA STIG containers prefer Go's static binaries).
• Rust — actix-web or axum for performance-critical services (cryptographic processing, high-throughput ingestion, packet parsing). Memory safety without a garbage collector matters for long-running DoD systems where GC pauses break SLOs.
• Java 17/21 — Spring Boot for legacy modernization where the agency already runs Java and the sustainment team has deep Spring experience. We migrate Java 8/11 codebases to Java 21 (virtual threads, pattern matching) as part of modernization engagements.

API design: what federal consumers actually need

Most federal API contracts arrive half-specified. We fix that upfront. Every API we ship comes with a complete OpenAPI 3.1 specification, versioned in git, published to an internal developer portal, and validated in CI against the running service. When the contracting officer asks for "the API documentation," we hand them a Swagger UI URL and a Postman collection — not a Word document nobody maintains.

Conventions we hold to: RFC 7807 problem+json for error responses, RFC 7232 ETag/If-Match for optimistic concurrency, RFC 9110 cache-control for safe responses, cursor-based pagination over offset-based (stable under concurrent writes), idempotency keys on all POST mutations that could be retried by a federal client on a flaky network.

For GraphQL (used sparingly in federal contexts), we enforce depth limits, cost analysis, and persisted queries — never raw operations from untrusted clients. For gRPC internal services, protobuf schemas live in a central repo with buf.build linting and breaking-change detection gated on pull requests.

Authentication: PIV, CAC, Login.gov, and beyond

Federal authentication is not a single protocol; it is a stack. Our standard pattern for internal agency applications terminates PIV/CAC mutual TLS at a hardened reverse proxy (nginx compiled with OpenSSL FIPS provider, or Envoy with BoringSSL). The proxy validates the client certificate against the Federal Common Policy CA bundle, performs OCSP stapling for revocation checking, and extracts the FASC-N (for PIV) or EDIPI (for CAC) from the Subject Alternative Name.

That identity is forwarded to the backend as a signed header (X-Forwarded-Client-Cert) or a short-lived JWT minted by the edge. The application never touches the raw certificate. Session management uses secure, HttpOnly, SameSite=Strict cookies bound to the TLS session ticket, with a 15-minute absolute timeout and 5-minute idle timeout per NIST SP 800-63B AAL3 guidance.

For citizen-facing services, we integrate Login.gov (OIDC) or ID.me (SAML 2.0 / OIDC). For agency-to-agency federation, SAML 2.0 with signed assertions and mandatory encryption of the NameID. For service-to-service, mTLS with SPIFFE identities or short-lived JWTs from a centralized token service. We never issue long-lived bearer tokens — 15 minutes is the ceiling, with silent refresh against a rotating refresh token family that detects replay.

Session, authorization, and RBAC/ABAC

Authorization is the control that federal auditors scrutinize most and that commercial teams implement most sloppily. We separate authentication ("who are you") from authorization ("what can you do") cleanly: the authentication layer produces an identity envelope, the authorization layer is a pure function from (identity, resource, action) to allow/deny/reason.

For simple federal apps, we ship role-based access control (RBAC) with roles stored in the database and a middleware guard on every route. For data-heavy apps (a case worker who can see their caseload but not another office's), we escalate to attribute-based access control (ABAC) using OPA (Open Policy Agent) or Cedar. Policies live in git, get unit-tested, and are versioned alongside code.

Row-level security in PostgreSQL (RLS policies) provides defense in depth. Even if a query in the application layer forgets a WHERE clause, the database refuses to return rows the connected role isn't entitled to see. We enable RLS on every tenant-scoped or classification-scoped table by default.

Data layer: PostgreSQL, Redis, Kafka

PostgreSQL 16 is our default relational store. Configured with TLS 1.3 to clients, FIPS-validated OpenSSL at the OS level, pg_hba.conf restricted to application subnets, and transparent data encryption via LUKS or cloud-native KMS-backed volume encryption. We use logical replication for read replicas, pgBackRest or WAL-G for point-in-time recovery to S3/Blob, and pgAudit for session-level audit logging that satisfies AU-2/AU-3.

Redis 7 (or Valkey, the open-source fork after Redis Labs' license change) for caching, rate limiting, session storage, and BullMQ-style queues. We deploy with TLS and ACL-based authentication, not the legacy AUTH command. For federal workloads that require FIPS validation, we run Redis on FIPS-enabled Linux distributions with the underlying crypto library validated — Redis itself uses the system OpenSSL.

Kafka (or Amazon MSK, Confluent Platform) for event-driven systems. Producers and consumers authenticate via SASL/SCRAM-SHA-512 over TLS, authorized via ACLs per topic and consumer group. Schema Registry enforces Avro or Protobuf contracts so producers can't ship a breaking change without coordination. For cross-agency integration, we've implemented Kafka MirrorMaker 2 between on-premise and GovCloud clusters with end-to-end encryption.

Observability and audit logging

Every request flowing through a federal backend we build emits a structured JSON log record with a correlation ID, timestamp in RFC 3339 with microseconds, user identity (or "anonymous" with the client IP), action verb, resource URI, outcome, and a hash of any sensitive payload (never the payload itself). That log is shipped to the agency SIEM — CloudWatch, Splunk, Elastic, Sentinel — via Fluent Bit or a direct log driver.

Metrics via OpenTelemetry to Prometheus (federal on-prem) or CloudWatch/Azure Monitor. Traces via OTLP to Tempo, Jaeger, or X-Ray. The trace ID is propagated through Kafka headers and gRPC metadata so a single user action traces across a dozen services. We instrument the four golden signals (latency, traffic, errors, saturation) on every service by default and alert on SLO burn rate, not raw thresholds.

NIST 800-53 control mapping for backends

Every backend we ship includes a control inheritance matrix. A condensed sample:

• AC-2 (Account Management) — inherited from agency IdP; application enforces role assignment.
• AC-3 (Access Enforcement) — OPA policy evaluation on every request; tested with negative cases.
• AU-2/AU-3 (Audit Events) — structured JSON log for every request; includes all required fields from 800-53r5.
• IA-2 (Identification and Authentication) — PIV/CAC at edge; no local passwords; MFA enforced.
• SC-8 (Transmission Confidentiality) — TLS 1.3 with FIPS-approved ciphers only; older TLS disabled.
• SC-13 (Cryptographic Protection) — FIPS 140-3 validated modules (OpenSSL FIPS provider, BoringSSL FIPS).
• SI-10 (Information Input Validation) — Pydantic/Zod schema validation at every endpoint boundary.
• SI-11 (Error Handling) — RFC 7807 problem+json; no stack traces in responses; full detail in server logs only.

Deployment targets

We deploy to AWS GovCloud, Azure Government, and GCP Assured Workloads. Containerized via Docker, orchestrated via Kubernetes (EKS, AKS, GKE, or on-prem with DISA STIG-hardened nodes). Infrastructure as code via Terraform. CI/CD via GitLab, GitHub Actions, or Jenkins depending on agency standards.