FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services used by federal agencies. Any commercial cloud provider seeking to sell to the federal government must achieve FedRAMP authorization.

Infracast ships 89 automated rules mapped to FedRAMP High controls, with full support for continuous monitoring (ConMon) automation, POA&M management, evidence packaging, and GRC integrations (eMASS, CSAM).


FedRAMP Baselines

FedRAMP defines three impact baselines derived from NIST 800-53 Rev 5:

| Baseline | Controls | Typical Use Case |
|---|---|---|
| Low | ~125 controls | Public-facing systems with no PII or sensitive data |
| Moderate | ~325 controls | Systems with CUI, PII, or business-sensitive data (most common) |
| High | ~421 controls | Systems with national security data, law enforcement, healthcare |

Infracast's 89 automated rules focus on the High baseline delta controls — the additional technical controls required above Moderate — plus the most critical Moderate controls that can be evaluated automatically.

Info: FedRAMP Moderate/High automation requires the ConMon feature. Contact sales for Enterprise licensing.


Infracast FedRAMP Capabilities

Continuous Monitoring Automation (ConMon)

FedRAMP requires Agencies and Cloud Service Providers (CSPs) to perform monthly continuous monitoring. Infracast automates the bulk of this work:

┌─────────────────────────────────────────────────────────┐
│ Monthly ConMon Cycle │
├─────────────────────────────────────────────────────────┤
│ Week 1: Automated scans + evidence collection │
│ Week 2: Significant change detection + review │
│ Week 3: POA&M updates + risk acceptance │
│ Week 4: Package assembly + delivery │
└─────────────────────────────────────────────────────────┘

Trigger a ConMon scan:

curl -X POST https://api.infracast.io/api/v1/tenants/$TENANT/conmon/monthly \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"month": "2024-03", "baseline": "high"}'

Get ConMon summary:

GET /api/v1/tenants/{tenantID}/conmon/summary
{
"month": "2024-03",
"baseline": "high",
"score": 91,
"new_findings": 3,
"resolved_findings": 7,
"significant_changes": 1,
"poam_open": 12,
"poam_overdue": 2,
"bundle_ready": true
}
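The request and summary shown above map onto the four-week cycle in the diagram. The following is an added example, not Infracast's own client code: it validates the request body before calling the monthly endpoint, and turns a conmon/summary response into the list of things that still need attention in weeks 2 and 3 before the package can be delivered. The MIN_SCORE threshold and the action rules are this example's own policy, not something the API enforces; the sample summary is the one from the documentation above.

```python
"""Added example (not Infracast's code): drive the monthly ConMon cycle and
decide from the summary what still needs action before delivery."""
import json
import re
import urllib.request

MIN_SCORE = 90                      # assumed local delivery threshold, not an Infracast setting
VALID_BASELINES = {"low", "moderate", "high"}
MONTH_RE = re.compile(r"^\d{4}-(0[1-9]|1[0-2])$")


def validate_request(month: str, baseline: str) -> dict:
    """Build the JSON body for POST .../conmon/monthly, rejecting bad input first."""
    if not MONTH_RE.match(month):
        raise ValueError(f"month must be YYYY-MM, got {month!r}")
    if baseline not in VALID_BASELINES:
        raise ValueError(f"baseline must be one of {sorted(VALID_BASELINES)}")
    return {"month": month, "baseline": baseline}


def is_valid_request(month: str, baseline: str) -> bool:
    """Boolean wrapper around validate_request for callers that do not want exceptions."""
    try:
        validate_request(month, baseline)
        return True
    except ValueError:
        return False


def trigger_monthly_scan(base_url: str, tenant: str, token: str, month: str, baseline: str) -> dict:
    """Live call to POST /api/v1/tenants/{tenant}/conmon/monthly (needs network access)."""
    body = json.dumps(validate_request(month, baseline)).encode()
    req = urllib.request.Request(
        f"{base_url}/api/v1/tenants/{tenant}/conmon/monthly",
        data=body,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def assess_summary(summary: dict) -> dict:
    """Turn a conmon/summary response into action items; empty list means deliverable."""
    actions = []
    if summary.get("significant_changes", 0) > 0:
        actions.append(f"review {summary['significant_changes']} significant change(s) and submit notifications")
    if summary.get("poam_overdue", 0) > 0:
        actions.append(f"update or risk-accept {summary['poam_overdue']} overdue POA&M item(s)")
    if summary.get("new_findings", 0) > 0:
        actions.append(f"open POA&M items for {summary['new_findings']} new finding(s)")
    if summary.get("score", 0) < MIN_SCORE:
        actions.append(f"score {summary.get('score')} is below local threshold {MIN_SCORE}")
    if not summary.get("bundle_ready", False):
        actions.append("bundle not ready: wait for evidence collection to finish")
    return {
        "month": summary.get("month"),
        "ready_to_deliver": not actions,
        "actions": actions,
    }


# Constructed sample: the summary response shown in the documentation above.
SAMPLE_SUMMARY = {
    "month": "2024-03", "baseline": "high", "score": 91,
    "new_findings": 3, "resolved_findings": 7, "significant_changes": 1,
    "poam_open": 12, "poam_overdue": 2, "bundle_ready": True,
}

if __name__ == "__main__":
    print(json.dumps(assess_summary(SAMPLE_SUMMARY), indent=2))
```

Run as-is, the script reports three action items for the sample month (one significant change to review, two overdue POA&M items, three new findings to track) and marks it not yet deliverable, even though the bundle itself is ready.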

Monthly Deliverable Packages

Infracast generates FedRAMP-compliant monthly deliverable packages automatically:

POST /api/v1/tenants/{tenantID}/conmon/bundle
{
"month": "2024-03",
"include": ["scan_results", "poam", "significant_changes", "inventory"]
}

Package contents:

  • Vulnerability scan results (OS, application, database findings)
  • Updated POA&M in FedRAMP Excel format
  • Significant change notification (if applicable)
  • Inventory workbook (updated from discovery)
  • Control implementation evidence ZIP

Evidence Engine (Build 34)

Infracast's Evidence Engine continuously collects and timestamps compliance artifacts:

# Generate control evidence package
POST /api/v1/tenants/{tenantID}/evidence/generate
{
"framework": "fedramp-high",
"controls": ["AC-2", "AU-2", "CM-6", "IA-2", "SC-7", "SC-28"],
"format": "zip",
"signed": true
}

Each evidence artifact includes:

  • Discovery timestamp (cryptographically signed)
  • Resource inventory snapshot
  • Configuration values checked
  • Pass/fail determination with rationale

POA&M Management

Track and manage Plans of Action and Milestones directly in Infracast:

# List open POA&M items
GET /api/v1/tenants/{tenantID}/poam?status=open

# Create POA&M from finding
POST /api/v1/tenants/{tenantID}/poam
{
"finding_id": "NIST-SC-7-WAF-aws:us-east-1:aws.elbv2.load_balancer:prod-alb",
"weakness_description": "ALB missing WAF protection",
"scheduled_completion": "2024-06-30",
"milestone": "Q2 2024 — Enable WAF on all production ALBs",
"responsible_party": "platform-team@agency.gov",
"resources_required": "2 engineer-weeks"
}

# Export POA&M in FedRAMP Excel format
GET /api/v1/tenants/{tenantID}/poam/export?format=xlsx
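To show how the POA&M payload above can be produced consistently from a finding rather than typed by hand, here is an added example (not Infracast's own code). It parses the finding ID into its control and resource parts, fills the POST .../poam body, and flags items whose scheduled completion has passed. Two assumptions are labelled in the code: the finding-ID layout is inferred from the single documented example, and the completion dates are derived from FedRAMP's continuous-monitoring remediation windows (30/90/180 days for High/Moderate/Low severity) instead of being chosen explicitly as in the page's example.

```python
"""Added example (not Infracast's code): build POA&M items from finding IDs and
report overdue ones."""
from datetime import date, timedelta

# FedRAMP ConMon remediation timeframes by severity, applied here as a local rule.
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}


def parse_finding_id(finding_id: str) -> dict:
    """Split an ID of the assumed form
    NIST-<family>-<number>-<check>-<provider>:<region>:<resource_type>:<resource_name>."""
    rule, region, resource_type, resource_name = finding_id.split(":", 3)
    parts = rule.split("-")
    if len(parts) < 5 or parts[0] != "NIST":
        raise ValueError(f"unrecognised finding id: {finding_id!r}")
    return {
        "control": f"{parts[1]}-{parts[2]}",
        "family": parts[1],
        "check": "-".join(parts[3:-1]),   # check names may themselves contain hyphens
        "provider": parts[-1],
        "region": region,
        "resource_type": resource_type,
        "resource_name": resource_name,
    }


def remediation_deadline(discovered: date, severity: str) -> date:
    """Scheduled completion under the assumed severity windows."""
    return discovered + timedelta(days=REMEDIATION_DAYS[severity.lower()])


def build_poam(finding_id: str, description: str, severity: str, discovered: date,
               responsible_party: str, resources_required: str) -> dict:
    """Return the JSON body for POST /api/v1/tenants/{tenantID}/poam."""
    f = parse_finding_id(finding_id)
    deadline = remediation_deadline(discovered, severity)
    return {
        "finding_id": finding_id,
        "weakness_description": description,
        "scheduled_completion": deadline.isoformat(),
        "milestone": f"{f['control']} {f['check']}: remediate {f['resource_name']} ({f['region']})",
        "responsible_party": responsible_party,
        "resources_required": resources_required,
    }


def overdue_items(poam_items: list, today: date) -> list:
    """Finding IDs whose scheduled completion is earlier than today."""
    return [p["finding_id"] for p in poam_items
            if date.fromisoformat(p["scheduled_completion"]) < today]


# Constructed sample using the finding ID from the documentation above.
SAMPLE_FINDING = "NIST-SC-7-WAF-aws:us-east-1:aws.elbv2.load_balancer:prod-alb"

if __name__ == "__main__":
    item = build_poam(SAMPLE_FINDING, "ALB missing WAF protection", "high",
                      date(2024, 3, 1), "platform-team@agency.gov", "2 engineer-weeks")
    print(item)
    print("overdue:", overdue_items([item], date(2024, 4, 15)))
```

With a High-severity finding discovered on 2024-03-01, the computed scheduled completion is 2024-03-31, so by mid-April the item already shows up as overdue and would be counted in the summary's poam_overdue figure.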

3PAO Evidence Bundles

When preparing for a FedRAMP assessment, Third-Party Assessment Organizations (3PAOs) require structured evidence packages. Infracast generates these on demand:

POST /api/v1/tenants/{tenantID}/evidence/generate
{
"framework": "fedramp-high",
"type": "3pao-bundle",
"assessment_date": "2024-04-15",
"include_historical_days": 90
}

The 3PAO bundle includes:

  • 90-day findings history per control
  • Attestation records with reviewer approval chains
  • Tool output artifacts (scanner results, config extracts)
  • Inventory comparison (previous vs. current)
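The Evidence Engine section above says each artifact carries a cryptographically signed discovery timestamp, and the 3PAO bundle selects a 90-day history. The following added example (not Infracast's code; the artifact layout and signing scheme are assumptions for illustration) shows the checks a consumer of such artifacts would run before accepting them into a bundle: signature verification over the artifact's canonical JSON, and a test that the signed timestamp falls inside the assessment window. It uses HMAC-SHA256 with a key shared with the evidence store; a real engine may use an asymmetric signature, but the verification flow is the same.

```python
"""Added example (not Infracast's code): verify signed evidence artifacts and
keep only those inside the assessment window. Artifact fields mirror the four
documented ones plus a "signature"; the layout itself is an assumption."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone


def canonical(artifact: dict) -> bytes:
    """Deterministic bytes over every field except the signature itself."""
    body = {k: v for k, v in artifact.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_artifact(artifact: dict, key: bytes) -> dict:
    signed = dict(artifact)
    signed["signature"] = hmac.new(key, canonical(artifact), hashlib.sha256).hexdigest()
    return signed


def verify_signature(artifact: dict, key: bytes) -> bool:
    expected = hmac.new(key, canonical(artifact), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, artifact.get("signature", ""))


def in_window(artifact: dict, assessment_date: datetime, days: int) -> bool:
    """True if the signed discovery timestamp lies within `days` before the assessment."""
    ts = datetime.fromisoformat(artifact["discovery_timestamp"].replace("Z", "+00:00"))
    return assessment_date - timedelta(days=days) <= ts <= assessment_date


def select_for_bundle(artifacts: list, key: bytes, assessment_date: datetime, days: int = 90):
    """Partition artifacts into accepted ones and (control, reason) rejections."""
    accepted, rejected = [], []
    for a in artifacts:
        if not verify_signature(a, key):
            rejected.append((a["control"], "bad signature"))
        elif not in_window(a, assessment_date, days):
            rejected.append((a["control"], "outside window"))
        else:
            accepted.append(a)
    return accepted, rejected


# Constructed sample data: a shared key and three artifacts, one of them tampered.
KEY = b"example-shared-evidence-key"          # constructed, not a real secret
ASSESSMENT_DATE = datetime(2024, 4, 15, tzinfo=timezone.utc)


def _artifact(control: str, ts: str, passed: bool) -> dict:
    return {
        "control": control,
        "discovery_timestamp": ts,
        "inventory_snapshot": ["aws.elbv2.load_balancer:prod-alb"],
        "configuration_checked": {"waf_attached": passed},
        "result": "pass" if passed else "fail",
        "rationale": "WAF web ACL present" if passed else "no WAF web ACL attached",
    }


_good = sign_artifact(_artifact("SC-7", "2024-03-20T10:00:00Z", True), KEY)
_old = sign_artifact(_artifact("AU-2", "2024-01-01T00:00:00Z", True), KEY)
_tampered = sign_artifact(_artifact("AC-2", "2024-04-01T08:30:00Z", False), KEY)
_tampered["result"] = "pass"                  # edited after signing: signature no longer matches
SAMPLE_ARTIFACTS = [_good, _old, _tampered]

if __name__ == "__main__":
    acc, rej = select_for_bundle(SAMPLE_ARTIFACTS, KEY, ASSESSMENT_DATE)
    print("accepted:", [a["control"] for a in acc])
    print("rejected:", rej)
```

Against the constructed inputs, only the SC-7 artifact is accepted: the AU-2 artifact is signed correctly but predates the 90-day window (which opens on 2024-01-16 for a 2024-04-15 assessment), and the AC-2 artifact fails verification because its pass/fail result was changed after signing.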

Tip: Schedule automatic monthly evidence collection so you always have a 90-day window ready for assessment:

POST /api/v1/tenants/{tenantID}/reports/schedule
{
"type": "evidence-package",
"framework": "fedramp-high",
"frequency": "monthly",
"day": 1,
"recipients": ["isso@agency.gov", "3pao-lead@assessor.com"]
}

SSP Generation with Architecture Diagrams (Build 46)

Generate a complete FedRAMP System Security Plan pre-populated from your infrastructure graph:

POST /api/v1/tenants/{tenantID}/documents/generate
{
"type": "ssp",
"framework": "fedramp-high",
"format": "docx",
"options": {
"include_architecture_diagram": true,
"diagram_type": "network-boundary",
"impact_level": "high",
"csp_name": "Acme Cloud Services"
}
}

The generated SSP includes:

  • Section 9: System Description (auto-populated from graph)
  • Section 10: System Environment (VPCs, subnets, boundary nodes)
  • Section 13: Control Implementation (per-control statements)
  • Architecture diagrams: Network boundary diagrams generated from discovered topology
  • Attachment 13: Control Summary Table with automated/attested status

GRC Integrations (eMASS, CSAM)

Infracast integrates with federal GRC platforms to synchronize findings, POA&M items, and evidence directly:

eMASS (Enterprise Mission Assurance Support Service)

# Configure eMASS integration
PUT /api/v1/tenants/{tenantID}/grc-integrations/emass
{
"api_url": "https://emass.mil/api",
"api_key": "your-emass-api-key",
"system_id": 12345,
"package_id": 67890
}

# Sync findings to eMASS
POST /api/v1/tenants/{tenantID}/grc-integrations/emass/sync
{
"sync_types": ["findings", "poam", "controls"]
}

CSAM (Cyber Security Assessment and Management)

PUT /api/v1/tenants/{tenantID}/grc-integrations/csam
{
"host": "csam.agency.gov",
"username": "infracast-svc",
"password": "...",
"system_id": "MY-SYSTEM-001"
}

Supported GRC Platforms

| Platform | Sync Types | Bi-directional |
|---|---|---|
| eMASS | Controls, POA&M, findings | ✅ Yes |
| CSAM | Inventory, controls, findings | ✅ Yes |
| ServiceNow | Findings → tickets | ➡️ One-way |
| Archer | Risks, controls | ✅ Yes |

Significant Change Detection

FedRAMP requires notification of significant changes (system boundary, architecture, new services). Infracast tracks infrastructure changes and flags those that qualify:

# List significant changes
GET /api/v1/tenants/{tenantID}/conmon/changes?type=significant

# Acknowledge and document
POST /api/v1/tenants/{tenantID}/conmon/changes/{id}/acknowledge
{
"determination": "significant",
"notification_submitted": "2024-03-20",
"ato_impact": "none",
"notes": "New S3 bucket added within existing boundary"
}

FedRAMP Coverage by Control Family

| Family | Rules | Key Checks |
|---|---|---|
| AC | 18 | Root MFA, IAM least privilege, account lifecycle |
| AU | 12 | CloudTrail enabled, log validation, log retention |
| CM | 11 | AMI hardening, baseline deviations, change control |
| IA | 10 | MFA for all users, password policy, key rotation |
| SC | 19 | TLS enforcement, WAF, Shield, encryption at rest |
| SI | 10 | Vulnerability scanning, patch status, GuardDuty |
| IR | 5 | Alert configurations, GuardDuty, incident detection |
| RA | 7 | Inspector findings, CVE tracking, risk scoring |
| CA | 7 | Continuous monitoring, plan of action |

FedRAMP Document Suite

Infracast auto-generates the full suite of FedRAMP authorization and continuous monitoring documents directly from live infrastructure data and compliance findings.

| Document | DocType | Auto-Fill % | Questionnaire Fields |
|---|---|---|---|
| System Security Plan (SSP) | ssp | 85% | 15% — policy statements, system owner |
| Security Assessment Plan (SAP) | sap | 75% | 25% — dates, team, RoE |
| Security Assessment Report (SAR) | sar | 80% | 20% — assessor info, scope |
| Continuous Monitoring Report | conmon_report | 100% | None — fully automated |
| FIPS 199 Categorization | fips199 | 70% | 30% — info types, CIA impacts |
| Continuous ATO Bundle | ato_bundle | 100% | None — packages all above |

All documents are generated via Documents → Generate in the Infracast UI, or via API:

POST /api/v1/tenants/{id}/documents/generate
{ "type": "sar" }

ConMon Auto-Scheduling

Monthly ConMon reports can be auto-delivered via email:

POST /api/v1/tenants/{id}/documents/schedule
{ "type": "conmon_report", "schedule": "monthly", "recipients": ["ciso@example.com"] }

Next Steps