FedRAMP
Accuracy commitment
Every regulatory reference on this page links to the official source document. If you find an error, email [email protected].
What is FedRAMP?
FedRAMP (Federal Risk and Authorization Management Program) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies.
Cloud Service Providers (CSPs) must achieve a FedRAMP authorization before federal agencies can procure and use their services.
Impact Levels
FedRAMP organizes security requirements by the impact level of the data the cloud system will process.
| Impact Level | Control Baseline | Typical use case |
|---|---|---|
| Low | 125+ controls | Publicly available information, no PII |
| Moderate | 325+ controls | Most federal systems; non-national security data |
| High | 420+ controls | Law enforcement, emergency services, financial systems |
All baselines are derived from NIST SP 800-53 Rev 5.
Source: FedRAMP Security Controls Baselines
FedRAMP 20x
FedRAMP 20x is a modernization initiative by GSA that replaces narrative documentation with automated, machine-readable evidence. Under FedRAMP 20x:
- Security assessments are based on Key Security Indicators (KSIs) validated automatically
- Evidence must be packaged as OSCAL-formatted assessment results
- Continuous monitoring replaces the traditional periodic assessment cycle
- Phase 2 requires KSIs to be validated continuously, not just at assessment time
RFC-0024 — Machine-Readable Package Mandate
RFC-0024, proposed by the FedRAMP Program Management Office, requires all FedRAMP providers — not just FedRAMP 20x participants — to produce machine-readable authorization packages by September 30, 2026.
The mandate requires:
- OSCAL-formatted System Security Plans (SSPs)
- Machine-readable KSI evidence
- Cosign-signed evidence packages for tamper verification
Deadline: September 30, 2026. FedRAMP providers that cannot produce OSCAL authorization packages by this date risk non-compliance with the RFC-0024 mandate. REAEGIS generates Cosign-signed OSCAL packages from live system state on demand.
Key Security Indicators (KSIs)
KSIs are specific, measurable security properties that can be evaluated automatically. FedRAMP 20x Phase 2 requires continuous KSI validation. REAEGIS validates 61 KSIs automatically against each program's evidence base.
KSI categories include:
- Vulnerability management (patching cadence, CVSS thresholds)
- Access control implementation
- Encryption in transit and at rest
- Logging and monitoring coverage
- Incident response capability
The FedRAMP authorization lifecycle
FedRAMP authorization follows a defined process. REAEGIS supports every phase:
1. Preparation
The CSP defines the system boundary, identifies data flows involving federal data, and selects the appropriate impact level (Low, Moderate, or High). REAEGIS generates a network topology diagram from infrastructure data and populates the system boundary in the SSP template.
REAEGIS output: System boundary diagram (SVG, Mermaid), SSP shell pre-populated with system description, data flows, and interconnections.
2. Security Control Implementation
The CSP implements the controls required by the selected baseline. NIST 800-53 Rev 5 baselines:
- Low: ~125 controls
- Moderate: ~325 controls
- High: ~420 controls
REAEGIS tracks implementation status for all 800-53 controls with evidence per control, AI-drafted control narratives from actual scanner and configuration data, and SSP narrative generation.
3. Security Assessment
A FedRAMP-authorized Third Party Assessment Organization (3PAO) assesses the system against the baseline. Under FedRAMP 20x, KSIs are validated automatically; under the traditional process, the 3PAO produces a Security Assessment Report (SAR) and POA&M.
REAEGIS output: OSCAL-formatted assessment results, POA&M with all open findings, Cosign-signed evidence vault with 3PAO-accessible evidence links.
4. Authorization
The Agency Authorizing Official (AO) reviews the authorization package and issues an Authority to Operate (ATO). Under FedRAMP 20x, this is based on KSI validation results and automated assessment evidence.
5. Continuous Monitoring (ConMon)
After authorization, the CSP must provide ongoing evidence that controls remain effective. FedRAMP requires:
- Monthly vulnerability scan reports
- Significant change notifications
- Annual security assessments
- Incident reporting within 1 hour of detection
REAEGIS output: PHAROS generates monthly ConMon packages automatically; CHRONICLE provides a signed event trail for incident evidence; RAMPART evaluates every push for new findings.
Authorization Package Components
A complete FedRAMP authorization package includes:
| Document | REAEGIS automation |
|---|---|
| System Security Plan (SSP) | Generated from real control data with AI-drafted narratives |
| Security Assessment Report (SAR) | Template with evidence links |
| Plan of Action & Milestones (POA&M) | Live from finding database, OSCAL-formatted |
| Continuous Monitoring Plan (ConMon) | Monthly auto-generation via PHAROS |
| Network Diagram | Auto-derived from infrastructure data; versioned and signed |
| Control Implementation Summary (CIS) | Per-control status with evidence references |
NIST 800-53 Rev 5 control families
FedRAMP Moderate requires controls from all 20 NIST 800-53 Rev 5 control families. The highest-burden families for cloud systems:
| Family | Controls in Moderate | Most complex requirements |
|---|---|---|
| AC | 25 | Privileged account management, least privilege, remote access |
| AU | 12 | Audit log content, retention, protection, review |
| CM | 12 | Baseline configuration, change control, software usage |
| IA | 12 | Multi-factor authentication, identifier management |
| IR | 10 | Incident response testing, reporting, handling |
| SC | 28 | Boundary protection, encryption, network segmentation |
| SI | 16 | Flaw remediation, malicious code protection, monitoring |
Continuous ATO (cATO)
FedRAMP 20x Phase 2 introduces continuous authorization — an ATO model where real-time monitoring data replaces periodic assessments. Under cATO:
- KSIs must be validated continuously, not just at assessment time
- Evidence must be machine-readable and tamper-evident (Cosign-signed)
- The AO's authorization remains valid only while KSIs stay within defined risk parameters
- Any KSI falling outside parameters triggers a conditional ATO review
REAEGIS supports cATO through the PHAROS continuous monitoring engine and the 10-factor ATO readiness ring, which computes readiness across all cATO criteria in real time.
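The KSI model described in the Key Security Indicators section (specific, measurable properties evaluated automatically against an evidence base) and in the cATO list above (continuous re-validation, with any KSI outside its parameters triggering a review) can be shown concretely with a small validator. The code below is an added illustration, not REAEGIS code and not an official FedRAMP 20x KSI definition: the KSI identifiers (KSI-VULN-1, KSI-VULN-2, KSI-ENC-1), the remediation SLA thresholds, and the scanner and endpoint records are all constructed for the example, and the JSON it emits is only loosely shaped after OSCAL observations rather than validated against the OSCAL schema.

```python
"""Toy KSI validator over machine-readable evidence (added example, not REAEGIS code).

Each KSI is a predicate over structured evidence that yields a measured value,
a threshold, a pass/fail status and the evidence records behind the verdict,
so it can be re-run on every change (continuous validation) instead of once
per assessment cycle. KSI ids, thresholds and evidence are constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# --- Constructed evidence base (what a scanner / config export might provide) ---
EVIDENCE = {
    "findings": [  # constructed vulnerability findings, ISO dates
        {"id": "F-1", "cvss": 9.8, "detected": "2026-01-25", "remediated": None},
        {"id": "F-2", "cvss": 7.5, "detected": "2026-01-05", "remediated": None},
        {"id": "F-3", "cvss": 5.3, "detected": "2025-11-01", "remediated": None},
        {"id": "F-4", "cvss": 3.1, "detected": "2025-12-20", "remediated": "2026-01-15"},
    ],
    "endpoints": [  # constructed public endpoints and their minimum TLS version
        {"host": "api.example.gov", "min_tls": "1.3"},
        {"host": "admin.example.gov", "min_tls": "1.2"},
    ],
}

# Remediation deadline in days by CVSS band (assumed thresholds, not FedRAMP's).
SLA_DAYS = [(9.0, 15), (7.0, 30), (4.0, 90), (0.0, 180)]


def sla_for(cvss: float) -> int:
    """Return the remediation SLA (days) for a CVSS score."""
    for floor, days in SLA_DAYS:
        if cvss >= floor:
            return days
    return SLA_DAYS[-1][1]


@dataclass
class KsiResult:
    ksi_id: str
    status: str           # "pass" or "fail"
    measured: object      # the value actually observed
    threshold: object     # the parameter the KSI must stay within
    evidence: list[str]   # ids of the evidence records behind the verdict


def ksi_patching_cadence(evidence: dict, as_of: date) -> KsiResult:
    """KSI-VULN-1 (constructed): no finding is open past its SLA."""
    overdue = []
    for f in evidence["findings"]:
        detected = date.fromisoformat(f["detected"])
        end = date.fromisoformat(f["remediated"]) if f["remediated"] else as_of
        if (end - detected).days > sla_for(f["cvss"]):
            overdue.append(f["id"])
    return KsiResult("KSI-VULN-1", "pass" if not overdue else "fail",
                     len(overdue), 0, overdue)


def ksi_open_criticals(evidence: dict, as_of: date) -> KsiResult:
    """KSI-VULN-2 (constructed): no open finding at or above CVSS 9.0."""
    crit = [f["id"] for f in evidence["findings"]
            if f["remediated"] is None and f["cvss"] >= 9.0]
    return KsiResult("KSI-VULN-2", "pass" if not crit else "fail",
                     len(crit), 0, crit)


def ksi_tls_minimum(evidence: dict, as_of: date) -> KsiResult:
    """KSI-ENC-1 (constructed): every endpoint enforces TLS 1.2 or newer."""
    def ver(v: str) -> tuple[int, ...]:
        return tuple(int(x) for x in v.split("."))
    weak = [e["host"] for e in evidence["endpoints"] if ver(e["min_tls"]) < (1, 2)]
    return KsiResult("KSI-ENC-1", "pass" if not weak else "fail",
                     len(weak), 0, weak)


KSIS = [ksi_patching_cadence, ksi_open_criticals, ksi_tls_minimum]


def validate_ksis(evidence: dict, as_of: date) -> list[KsiResult]:
    """Evaluate every registered KSI against the evidence base as of a date."""
    return [ksi(evidence, as_of) for ksi in KSIS]


def out_of_parameters(results: list[KsiResult]) -> list[str]:
    """KSIs outside their parameters; under cATO these trigger a review."""
    return [r.ksi_id for r in results if r.status != "pass"]


def to_machine_readable(results: list[KsiResult], as_of: date) -> str:
    """Emit one observation per KSI as JSON. Loosely shaped after OSCAL
    observations; NOT schema-validated, so a real package must still be
    produced and checked against the official OSCAL assessment-results schema."""
    doc = {
        "evaluated": as_of.isoformat(),
        "observations": [
            {"ksi": r.ksi_id, "status": r.status, "measured": r.measured,
             "threshold": r.threshold, "relevant-evidence": r.evidence}
            for r in results
        ],
    }
    return json.dumps(doc, indent=2, sort_keys=True)


if __name__ == "__main__":
    run_date = date(2026, 2, 1)
    results = validate_ksis(EVIDENCE, run_date)
    print(to_machine_readable(results, run_date))
    print("review required for:", out_of_parameters(results))
```

Because each evaluation is a pure function of the evidence base and the evaluation date, the same run can be scheduled on every push or configuration change, and the emitted record carries the specific evidence ids an assessor would need to trace the verdict; signing that record (the page's Cosign-signed packages) is what makes the result tamper-evident rather than merely machine-readable.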
How REAEGIS Supports FedRAMP
| Capability | Description |
|---|---|
| 9-gate RAMPART pipeline | Evaluates every push against FedRAMP-relevant controls with NIST 800-53 mappings |
| 61 KSI Dashboard | Real-time KSI validation with OSCAL output for 3PAO and AO review |
| OSCAL-native SSP | System Security Plan generated from current system state with AI-drafted narratives |
| 40 document templates | SSP, SAR, POA&M, ConMon, network diagram, CIS, and more |
| Cosign-signed evidence vault | Tamper-evident evidence packages for RFC-0024 compliance |
| ConMon automation | PHAROS generates monthly ConMon packages automatically |
| cATO readiness ring | 10-factor continuous authorization readiness score |
| Network topology | Auto-derived system boundary diagram for SSP Section 9 |
| OSCAL POA&M | Machine-readable POA&M for RFC-0024 and FedRAMP 20x |
| 3PAO evidence portal | Evidence vault accessible to assessors with signed audit trail |
RFC-0024 compliance checklist
The following items are required by September 30, 2026:
- OSCAL-formatted SSP (JSON or XML)
- OSCAL-formatted POA&M with all open findings
- OSCAL-formatted assessment results
- Cosign-signed evidence packages per control
- Machine-readable KSI evidence
REAEGIS generates all five items from live system state.
Related guides
- RAMPART Engine — Gate-by-gate NIST 800-53 control mappings
- ARE Engine — Autonomous remediation for open FedRAMP findings
- NIST SP 800-53 Rev 5 — Full control catalog reference