← Back to reference

Fedramp Roadmap

Timeline

PhaseMonthsGoal
Phase 23–9Control implementation; SSP authoring
Phase 39–15Readiness assessment; remediation
Phase 415–183PAO audit; Agency ATO
Phase 518+P-ATO via JAB, continuous monitoring

Operating Boundaries

  • GovCloud (US-East, US-West). Tenants in FedRAMP-equivalent workloads are by default routed to GovCloud with no cross-region replication outside the boundary.
  • Customer VPC. Air-gapped appliance tier is FedRAMP authorized for the customer's boundary (the customer is the system owner; Denpex operates under their ATO).

Required Controls

Technical (Selected)

  • AC-2 Account Management
  • AC-3 Access Enforcement
  • AU-2 Auditable Events
  • AU-3 Content of Audit Records
  • AU-4 Audit Log Storage Capacity
  • AU-6 Audit Review, Analysis, and Reporting
  • AU-9 Protection of Audit Information
  • CM-2 Baseline Configuration
  • CM-6 Configuration Settings
  • CP-9 System Backup
  • IA-2 Identification and Authentication
  • IA-5 Authenticator Management
  • SC-7 Boundary Protection
  • SC-8 Transmission Confidentiality and Integrity
  • SC-13 Cryptographic Protection
  • SI-2 Flaw Remediation
  • SI-4 Information System Monitoring

Key Implementation Decisions

  1. FIPS-only cryptography — see docs/encryption-guide.md.
  2. US-person-only key holders — for any KMS key handles we maintain.
  3. Background-checked operators — for all FedRAMP customers.
  4. Continuous monitoring — Prometheus + audit log forward to ConMon dashboard.

Continuous Monitoring (ConMon)

  • Monthly vulnerability scans.
  • Annual penetration tests.
  • Monthly control self-assessments.
  • Annual 3PAO audit for ongoing compliance.

Customer VPC Variant

A FedRAMP-authorized deployment in the customer's VPC requires:

  • A copy of our system security plan (SSP) template.
  • Boundary diagram and network architecture.
  • The customer-issued ATO covering Denpex as a child system.

We provide pre-built Terraform for the boundary + a hardened Helm chart.