FedRAMP Compliance

Note: FedRAMP policy framework requires Enterprise Edition.

The Federal Risk and Authorization Management Program (FedRAMP) policy framework helps cloud service providers (CSPs) protect federal data and achieve FedRAMP authorization.

Overview

FedRAMP provides a standardized approach to security assessment for cloud products and services used by federal agencies. Aquilon DLP’s FedRAMP policy implements NIST SP 800-53 control families:

  • AC - Access Control: System access and authorization
  • AU - Audit and Accountability: Audit logging and review
  • IA - Identification and Authentication: User/device identification
  • MP - Media Protection: Digital and physical media safeguards
  • SC - System and Communications Protection: Communication security
  • SI - System and Information Integrity: Integrity protection

FedRAMP Baselines

| Baseline | Impact Level    | Controls | Use Cases                                     |
|----------|-----------------|----------|-----------------------------------------------|
| Low      | Low impact      | ~125     | Public-facing sites, low-sensitivity data     |
| Moderate | Moderate impact | ~325     | Most federal applications, PII                |
| High     | High impact     | ~421     | Law enforcement, emergency services, financial |

Detection Methods

Cloud-Specific Scanners

| Scanner             | Detects                     | Severity |
|---------------------|-----------------------------|----------|
| cui_marking         | CUI in cloud storage        | Critical |
| api_key             | Cloud service credentials   | Critical |
| database_connection | Database connection strings | Critical |
| crypto              | Encryption keys             | Critical |

Federal Data in Cloud Context

| Scanner        | Cloud Context Required         | Severity |
|----------------|--------------------------------|----------|
| ssn            | Multi-tenant cloud environment | Critical |
| email          | .gov domain or federal agency  | Medium   |
| ip_address     | Federal network ranges         | High     |
| gov_identifier | DoD EDI-PI in cloud systems    | High     |

Configuration

Basic Configuration (Moderate Baseline)

[policies]
enabled_policies = ["fedramp"]

Baseline-Specific Configuration

[policies.policy_configs.fedramp]
settings = { baseline = "moderate", confidence_threshold = "0.7" }

Configuration Options

| Option               | Description                               | Default  |
|----------------------|-------------------------------------------|----------|
| baseline             | FedRAMP baseline (low, moderate, high)    | moderate |
| detect_cui           | Detect CUI in cloud storage               | true     |
| detect_credentials   | Detect API keys, connection strings       | true     |
| detect_pii           | Detect PII in multi-tenant environments   | true     |
| confidence_threshold | Minimum scanner confidence (0.0-1.0)      | 0.7      |

Context Detection

Cloud Context Keywords

  • Cloud terms: cloud, SaaS, IaaS, PaaS, tenant, multi-tenant, serverless
  • Provider terms: AWS, Azure, GCP, FedRAMP authorized, GovCloud, Azure Government
  • Service terms: API, endpoint, webhook, microservice, Lambda, Functions
  • Storage: S3, Blob, object storage, bucket, container registry

Federal Agency Context

  • Agency terms: federal, agency, government, GSA, FedRAMP PMO
  • Authorization terms: ATO, authorization, JAB, P-ATO, agency ATO
  • Compliance terms: continuous monitoring, ConMon, POA&M, 3PAO, SSP

Cloud Infrastructure Context

Multi-tenant and infrastructure indicators:

  • Tenant isolation: tenant ID, account ID, subscription, organization
  • Network: VPC, VNET, security group, NSG, firewall rules
  • Identity: IAM, RBAC, service principal, managed identity
  • Secrets: Key Vault, Secrets Manager, Parameter Store

Authorization Boundary Context

FedRAMP authorization boundaries require clear data classification:

  • Boundary terms: authorization boundary, system boundary, enclave
  • Data flow: ingress, egress, data flow diagram, DFD
  • Interconnection: ISA, MOU, interconnection security agreement
  • External: external system, third-party, SaaS integration

Example Context Flow

Finding: API key "AKIA..." in configuration file
Context: "AWS GovCloud deployment for agency.gov"
Result: Critical violation (cloud credentials in federal context)

Finding: SSN in database export
Context: "Multi-tenant SaaS platform, FedRAMP Moderate ATO"
Result: Critical violation (PII in shared cloud environment)

Violation Metadata

Each FedRAMP violation includes:

{
  "policy": "FedRAMP",
  "severity": "critical",
  "baseline": "moderate",
  "nist_control": "SC-28",
  "control_family": "System and Communications Protection"
}
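As an added illustration (not Aquilon DLP's own code), the following Python models the context-detection and severity rules from the scanner tables and the Context Detection section above, emitting the violation metadata shape shown here. The keyword subset, the scanner-to-control mapping (the page itself shows only SC-28) and the function names are assumptions for this example.

```python
import re

# Keyword groups from the "Context Detection" section (constructed subset; the full lists are not on the page).
CLOUD_TERMS = {"cloud", "saas", "iaas", "paas", "tenant", "multi-tenant", "serverless",
               "aws", "azure", "gcp", "govcloud", "s3", "bucket", "lambda", "vpc", "iam"}
FEDERAL_TERMS = {"federal", "agency", "government", "gsa", "fedramp", "ato", "jab",
                 "p-ato", "conmon", "poa&m", "3pao", "ssp"}

# "Cloud-Specific Scanners" table: Critical whenever the scanner fires.
ALWAYS_CRITICAL = {"cui_marking", "api_key", "database_connection", "crypto"}
# "Federal Data in Cloud Context" table: (context required, severity).
CONTEXTUAL = {"ssn": ("cloud", "critical"), "email": ("federal", "medium"),
              "ip_address": ("federal", "high"), "gov_identifier": ("cloud", "high")}

# Assumed scanner -> NIST SP 800-53 control mapping (the page itself shows only SC-28).
NIST_CONTROL = {"api_key": "IA-5", "database_connection": "IA-5", "crypto": "SC-12",
                "cui_marking": "MP-4", "ssn": "SC-28", "email": "SC-28",
                "ip_address": "SC-7", "gov_identifier": "SC-28"}
FAMILIES = {"AC": "Access Control", "AU": "Audit and Accountability",
            "IA": "Identification and Authentication", "MP": "Media Protection",
            "SC": "System and Communications Protection", "SI": "System and Information Integrity"}


def tokens(text):
    """Lower-case word tokens, keeping '-', '&' and '.' so P-ATO, POA&M and multi-tenant survive."""
    return {t.strip(".-") for t in re.findall(r"[a-z0-9][a-z0-9&.-]*", text.lower())}


def context_kinds(text):
    """Return the set of context kinds ('cloud', 'federal') present in the surrounding text."""
    found, words = set(), tokens(text)
    if words & CLOUD_TERMS:
        found.add("cloud")
    # A .gov domain counts as federal context even without an agency keyword.
    if words & FEDERAL_TERMS or re.search(r"\.gov\b", text.lower()):
        found.add("federal")
    return found


def classify(scanner, confidence, context, baseline="moderate", confidence_threshold=0.7):
    """Apply the FedRAMP policy to one finding; returns violation metadata or None."""
    if confidence < confidence_threshold:
        return None  # below the configured confidence_threshold
    if scanner in ALWAYS_CRITICAL:
        severity = "critical"
    elif scanner in CONTEXTUAL and CONTEXTUAL[scanner][0] in context_kinds(context):
        severity = CONTEXTUAL[scanner][1]
    else:
        return None  # scanner not in the policy, or PII without the required context
    control = NIST_CONTROL[scanner]
    return {"policy": "FedRAMP", "severity": severity, "baseline": baseline,
            "nist_control": control, "control_family": FAMILIES[control.split("-")[0]]}
```

Note that an ip_address hit inside a VPC description alone yields no violation: the table requires federal, not merely cloud, context for that scanner.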

Compliance Reporting

Authorization Boundary Monitoring

-- All FedRAMP findings
SELECT severity, scanner, COUNT(*) as count
FROM aquilon_dlp_alerts
WHERE policy = 'FedRAMP'
GROUP BY severity, scanner
ORDER BY count DESC;

Continuous Monitoring Support

FedRAMP requires continuous monitoring (ConMon). Query for recent issues:

-- Last 30 days of FedRAMP findings
SELECT path, scanner, severity, timestamp
FROM aquilon_dlp_alerts
WHERE policy = 'FedRAMP'
  AND timestamp > datetime('now', '-30 days')
ORDER BY timestamp DESC;

Best Practices

By Baseline

Low Baseline:

  • Monitor for basic data exposure
  • Focus on API key and credential leaks
  • Annual assessment with ConMon

Moderate Baseline:

  • Enable full PII detection
  • Monitor CUI in cloud storage
  • Integrate with SIEM for ConMon
  • Monthly vulnerability scanning integration

High Baseline:

  • Strict alerting on any detection
  • Real-time incident response integration
  • Enhanced audit logging
  • Weekly vulnerability correlation

Baseline-Specific Remediation

Low Baseline Remediation:

  1. Remove exposed credentials from repositories
  2. Rotate any detected API keys
  3. Document in POA&M if not immediately remediable

Moderate Baseline Remediation:

  1. Encrypt PII at rest and in transit
  2. Implement tenant isolation for sensitive data
  3. Remove CUI from unauthorized storage locations
  4. Enable audit logging for all access
  5. Update SSP with control implementations

High Baseline Remediation:

  1. Zero tolerance - immediate remediation required
  2. Incident response activation for any critical finding
  3. Document in 24-hour significant change report
  4. Review authorization boundary for spillage

ConMon Integration Patterns

Integrate DLP findings into your Continuous Monitoring program:

Daily Operations:

  • Query critical findings for immediate response
  • Correlate with vulnerability scan results
  • Update incident tracking system

Monthly Reporting:

  • Generate finding trends for ConMon report
  • Map findings to NIST SP 800-53 controls
  • Update POA&M with remediation progress

Annual Assessment:

  • Export historical findings for 3PAO review
  • Demonstrate control effectiveness
  • Support reauthorization evidence
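To show the daily and monthly ConMon queries above running end to end, here is an added Python example (not part of Aquilon DLP) that builds an in-memory SQLite copy of the aquilon_dlp_alerts table with constructed rows and runs a daily critical-findings query plus a per-control rollup for the monthly report. The nist_control column, the sample rows and the function names are assumptions; the page's own queries only use policy, path, scanner, severity and timestamp.

```python
import sqlite3

# Constructed sample rows for the aquilon_dlp_alerts table the page queries. Its queries
# use the policy, path, scanner, severity and timestamp columns; nist_control is assumed.
SAMPLE_ALERTS = [
    # policy, scanner, severity, nist_control, path, age relative to now
    ("FedRAMP", "api_key", "critical", "IA-5", "infra/terraform.tfvars", "-6 hours"),
    ("FedRAMP", "database_connection", "critical", "IA-5", "app/settings.py", "-3 days"),
    ("FedRAMP", "ssn", "critical", "SC-28", "exports/tenant-42.csv", "-10 days"),
    ("FedRAMP", "email", "medium", "SC-28", "docs/contacts.md", "-20 days"),
    ("FedRAMP", "crypto", "critical", "SC-12", "old/backup.key", "-45 days"),  # outside 30-day window
    ("OtherPolicy", "ssn", "critical", "SC-28", "exports/customers.csv", "-2 days"),  # not FedRAMP
]


def open_sample_db():
    """In-memory SQLite table shaped like the one the page's ConMon queries run against."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE aquilon_dlp_alerts (policy TEXT, scanner TEXT, severity TEXT,"
                " nist_control TEXT, path TEXT, timestamp TEXT)")
    con.executemany("INSERT INTO aquilon_dlp_alerts VALUES (?, ?, ?, ?, ?, datetime('now', ?))",
                    SAMPLE_ALERTS)
    return con


def daily_critical(con, hours=24):
    """Daily operations: critical FedRAMP findings raised in the last `hours` hours."""
    return con.execute(
        "SELECT path, scanner FROM aquilon_dlp_alerts"
        " WHERE policy = 'FedRAMP' AND severity = 'critical'"
        " AND timestamp > datetime('now', ?) ORDER BY timestamp DESC",
        (f"-{hours} hours",)).fetchall()


def monthly_rollup(con, days=30):
    """Monthly reporting: FedRAMP findings per NIST control and severity for the ConMon report."""
    return con.execute(
        "SELECT nist_control, severity, COUNT(*) AS count FROM aquilon_dlp_alerts"
        " WHERE policy = 'FedRAMP' AND timestamp > datetime('now', ?)"
        " GROUP BY nist_control, severity ORDER BY count DESC, nist_control, severity",
        (f"-{days} days",)).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    print("daily critical:", daily_critical(db))
    print("30-day rollup:", monthly_rollup(db))
```

The 45-day-old crypto finding and the non-FedRAMP row drop out of both results, which is the filtering the POA&M and 3PAO exports depend on.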

Authorization Maintenance

  1. Discover: Use Aquilon to identify sensitive data in cloud boundaries
  2. Classify: Map findings to NIST SP 800-53 controls
  3. Scope: Validate authorization boundary accuracy
  4. Remediate: Address findings before assessment
  5. Report: Include DLP findings in ConMon reports
  6. Evidence: Generate assessment-ready reports
  7. Maintain: Continuous monitoring for authorization renewal