FedRAMP 20x KSI Dashboard
The FedRAMP 20x KSI Dashboard automatically validates Key Security Indicators (KSIs) and packages results as Cosign-signed OSCAL assessment artifacts. This satisfies the machine-readable evidence requirement of RFC-0024.
What are KSIs?
Key Security Indicators are specific, measurable security properties defined by the FedRAMP Program Management Office under the FedRAMP 20x initiative. Unlike traditional narrative controls, KSIs are designed to be validated automatically through technical evidence rather than human-written descriptions.
FedRAMP 20x Phase 2 requires KSIs to be validated continuously, not just at initial assessment.
Source: FedRAMP 20x
RFC-0024 Compliance
RFC-0024 requires all FedRAMP providers to produce machine-readable authorization packages by September 30, 2026. The REAEGIS KSI Dashboard generates:
- OSCAL Assessment Results documents containing KSI validation outcomes
- Cosign-signed evidence packages with Rekor transparency log anchoring
- Continuous monitoring data suitable for ongoing authorization
Deadline: September 30, 2026. FedRAMP providers that cannot produce OSCAL authorization packages by this date will not meet the RFC-0024 mandate. The REAEGIS KSI Dashboard generates these packages automatically from live system evidence.
KSI Categories
REAEGIS validates 61 KSIs across these categories:
| Category | Examples |
|---|---|
| Vulnerability management | CVSS thresholds enforced, patch cadence within SLA, critical CVEs remediated within 30 days |
| Access control | MFA enforced for all privileged accounts, least-privilege access to production |
| Encryption | TLS 1.2+ enforced in transit, data encrypted at rest with approved algorithms |
| Logging and monitoring | Audit logs collected for all privileged actions, log retention ≥ 90 days |
| Incident response | IR plan documented, contact information current, incident classification defined |
| Configuration management | IaC-managed infrastructure, no manual production changes without CRs |
| Supply chain | SBOM present, container images pinned to digest, provenance attestations present |
Validation Mechanism
Each KSI is validated against evidence already present in REAEGIS:
| Evidence source | KSIs validated |
|---|---|
| RAMPART gate results | Image digest, vulnerability scan, SBOM attestation, secrets scan, IaC compliance, SLSA provenance |
| PHAROS continuous monitoring | Patch cadence, drift detection, posture score trends |
| Scanner output | CVE counts by severity, fix availability, age of open findings |
| Control implementations | Access control narratives, encryption configurations, IR plan existence |
| CHRONICLE audit log | Evidence of logging, audit coverage, log retention |
OSCAL Output
The KSI Dashboard generates OSCAL Assessment Results (AR) documents:
```json
{
  "@type": "assessment-results",
  "uuid": "...",
  "metadata": {
    "title": "FedRAMP 20x KSI Validation",
    "last-modified": "2026-06-14T00:00:00Z"
  },
  "results": [
    {
      "title": "KSI-VM-01 Critical CVEs remediated within 30 days",
      "description": "...",
      "start": "2026-06-14T00:00:00Z",
      "findings": [...]
    }
  ]
}
```
Documents are signed with Cosign and the signature is anchored to Rekor. Verifiers can check the signature with cosign verify-attestation.
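The validation mechanism and the OSCAL output described above, as one added example that is not REAEGIS code and not from this page: it evaluates two KSIs against constructed evidence (scanner findings and an audit-log configuration), returns the Pass / Fail / Partial / Not assessed status the dashboard shows, packages the outcomes in the assessment-results skeleton above, and produces the canonical bytes that would be handed to Cosign. Everything beyond the page's skeleton is an assumption: the KSI-LOG-01 identifier, the SLA and retention thresholds, the evidence records, the per-finding layout and the helper names.

```python
"""Added example (not REAEGIS code): validate two KSIs against constructed
evidence and package the outcomes as an OSCAL-style assessment-results document
in the shape shown on this page. KSI-LOG-01, the thresholds, the evidence records
and the per-finding layout are assumptions made for the example."""
from __future__ import annotations

import json
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fixed assessment time so the results are reproducible (assumption for the example).
NOW = datetime(2026, 6, 14, tzinfo=timezone.utc)

# Constructed scanner output: one record per vulnerability finding (dates are ISO days).
SCANNER_FINDINGS = [
    {"cve": "CVE-0000-0001", "severity": "critical", "first_seen": "2026-05-01", "fixed": "2026-05-20"},
    {"cve": "CVE-0000-0002", "severity": "critical", "first_seen": "2026-04-01", "fixed": None},
    {"cve": "CVE-0000-0003", "severity": "high",     "first_seen": "2026-06-01", "fixed": None},
    {"cve": "CVE-0000-0004", "severity": "critical", "first_seen": "2026-06-10", "fixed": None},
]
# Constructed audit-log configuration, standing in for the CHRONICLE evidence source.
AUDIT_LOG_CONFIG = {"retention_days": 90, "privileged_actions_logged": True}

TITLE_VM_01 = "Critical CVEs remediated within 30 days"


@dataclass
class KsiResult:
    ksi_id: str
    title: str
    status: str                                  # Pass / Fail / Partial / Not assessed
    evidence: list[str] = field(default_factory=list)


def _day(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def validate_ksi_vm_01(findings, now=NOW, sla_days=30) -> KsiResult:
    """KSI-VM-01: Fail if any critical CVE exceeded the SLA (fixed late or still
    open past it); Partial if none breached but some are still open inside the
    window; Not assessed if there are no critical findings; otherwise Pass."""
    crit = [f for f in findings if f["severity"] == "critical"]
    if not crit:
        return KsiResult("KSI-VM-01", TITLE_VM_01, "Not assessed", ["no critical findings in scanner output"])
    breaches, pending = [], []
    for f in crit:
        end = _day(f["fixed"]) if f["fixed"] else now
        age = (end - _day(f["first_seen"])).days
        if age > sla_days:
            breaches.append(f"{f['cve']} open {age}d (SLA {sla_days}d)")
        elif f["fixed"] is None:
            pending.append(f"{f['cve']} open {age}d, within SLA")
    if breaches:
        return KsiResult("KSI-VM-01", TITLE_VM_01, "Fail", breaches + pending)
    if pending:
        return KsiResult("KSI-VM-01", TITLE_VM_01, "Partial", pending)
    return KsiResult("KSI-VM-01", TITLE_VM_01, "Pass", [f"{len(crit)} critical CVEs fixed within {sla_days}d"])


def validate_ksi_log_01(cfg, min_retention_days=90) -> KsiResult:
    """KSI-LOG-01 (hypothetical id): privileged actions are logged and logs are
    retained at least 90 days. Both checks give Pass, one gives Partial, none Fail."""
    retention = cfg.get("retention_days", 0)
    checks = {
        f"retention {retention}d >= {min_retention_days}d": retention >= min_retention_days,
        "privileged actions logged": bool(cfg.get("privileged_actions_logged")),
    }
    passed = sum(checks.values())
    status = "Pass" if passed == len(checks) else "Partial" if passed else "Fail"
    return KsiResult("KSI-LOG-01", "Audit logging and retention", status,
                     [f"{'ok' if ok else 'MISSING'}: {name}" for name, ok in checks.items()])


def _ts(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_assessment_results(results: list[KsiResult], now=NOW) -> dict:
    """Package KSI outcomes in the skeleton shown on this page. The per-finding
    layout (status plus evidence strings) is an assumption, not the full OSCAL schema."""
    return {
        "@type": "assessment-results",
        "uuid": str(uuid.uuid4()),
        "metadata": {"title": "FedRAMP 20x KSI Validation", "last-modified": _ts(now)},
        "results": [
            {
                "title": f"{r.ksi_id} {r.title}",
                "description": f"Automated validation of {r.ksi_id}; status {r.status}",
                "start": _ts(now),
                "findings": [{"title": r.ksi_id, "status": r.status, "evidence": r.evidence}],
            }
            for r in results
        ],
    }


def signable_bytes(doc: dict) -> bytes:
    """Canonical serialization: the exact bytes handed to Cosign for signing, which a
    verifier must reproduce byte-for-byte (or keep verbatim) before checking the signature."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


if __name__ == "__main__":
    doc = build_assessment_results([validate_ksi_vm_01(SCANNER_FINDINGS), validate_ksi_log_01(AUDIT_LOG_CONFIG)])
    print(json.dumps(doc, indent=2))
```

Run stand-alone it prints the document; with the constructed evidence KSI-VM-01 comes out Fail because one critical CVE has been open 74 days, and the evidence strings name that CVE so a reviewer clicking into the KSI sees why. The design point worth keeping is `signable_bytes`: a signature anchored in Rekor covers one byte string, so the package must be serialized canonically before signing and the verifier must check those same bytes, not a pretty-printed copy.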
Using the KSI Dashboard
- Navigate to your FedRAMP program in REAEGIS
- Click Compliance Intelligence → FedRAMP 20x KSI
- Review the KSI table — each KSI shows current status (Pass / Fail / Partial / Not assessed)
- Click any KSI to see the evidence used for validation
- Click Generate OSCAL Package to produce a signed assessment results document
The KSI status updates automatically as PHAROS processes new evidence. Manual refresh is not required.