Fedramp Roadmap
Timeline
| Phase | Months | Goal |
|---|---|---|
| Phase 2 | 3–9 | Control implementation; SSP authoring |
| Phase 3 | 9–15 | Readiness assessment; remediation |
| Phase 4 | 15–18 | 3PAO audit; Agency ATO |
| Phase 5 | 18+ | P-ATO via JAB, continuous monitoring |
Operating Boundaries
- GovCloud (US-East, US-West). Tenants in FedRAMP-equivalent workloads are by default routed to GovCloud with no cross-region replication outside the boundary.
- Customer VPC. Air-gapped appliance tier is FedRAMP authorized for the customer's boundary (the customer is the system owner; Denpex operates under their ATO).
Required Controls
Technical (Selected)
- AC-2 Account Management
- AC-3 Access Enforcement
- AU-2 Auditable Events
- AU-3 Content of Audit Records
- AU-4 Audit Log Storage Capacity
- AU-6 Audit Review, Analysis, and Reporting
- AU-9 Protection of Audit Information
- CM-2 Baseline Configuration
- CM-6 Configuration Settings
- CP-9 System Backup
- IA-2 Identification and Authentication
- IA-5 Authenticator Management
- SC-7 Boundary Protection
- SC-8 Transmission Confidentiality and Integrity
- SC-13 Cryptographic Protection
- SI-2 Flaw Remediation
- SI-4 Information System Monitoring
Key Implementation Decisions
- FIPS-only cryptography — see
docs/encryption-guide.md. - US-person-only key holders — for any KMS key handles we maintain.
- Background-checked operators — for all FedRAMP customers.
- Continuous monitoring — Prometheus + audit log forward to ConMon dashboard.
Continuous Monitoring (ConMon)
- Monthly vulnerability scans.
- Annual penetration tests.
- Monthly control self-assessments.
- Annual 3PAO audit for ongoing compliance.
Customer VPC Variant
A FedRAMP-authorized deployment in the customer's VPC requires:
- A copy of our system security plan (SSP) template.
- Boundary diagram and network architecture.
- The customer-issued ATO covering Denpex as a child system.
We provide pre-built Terraform for the boundary + a hardened Helm chart.