FedRAMP Moderate
Status: not pursued · out of scope for 2026–2027 · last updated 27 May 2026
Glassbreak is not FedRAMP authorised and is not at this time pursuing FedRAMP authorisation. This page exists so that US federal buyers and federal-adjacent enterprises can quickly understand where we sit and what their options are.
Our position, plainly
FedRAMP (the Federal Risk and Authorization Management Program) is the US government's standardised security assessment for cloud services. A FedRAMP Moderate authorisation is the prerequisite for most federal civilian use cases involving Controlled Unclassified Information. It is the right answer if your strategic plan is "sell to the federal government." It is the wrong answer for almost everyone else.
For an organisation of our size, FedRAMP Moderate is a $2M–$5M, 18–24 month commitment covering 3PAO assessment, FedRAMP PMO review, continuous monitoring, FedRAMP-aligned cloud infrastructure (often GovCloud), US-citizens-only access restrictions, and a dedicated GRC team. Beyond the initial cost, it imposes a permanent overhead of tens of percent of engineering capacity. We have not committed to it and will not commit to it speculatively.
When we would start
We will pursue FedRAMP Moderate only if all of the following are true:
- A federal agency sponsor has agreed to be our Authorising Official in writing, with a defined initial use case and projected ATO timeline.
- Either a contracted minimum of $5M annual federal ARR or strategic financing earmarked for compliance is in place.
- Our SOC 2 Type II report has been issued and is current (most of the FedRAMP control evidence overlaps).
- We have the headcount to staff a dedicated GRC function (≥1 FTE permanent).
FedRAMP baselines
| Baseline | Scope | Status | Our position / gap |
|---|---|---|---|
| Low | ~125 NIST SP 800-53 Rev 5 controls — limited adverse-effect systems | Gap | Not pursued. Insufficient for a credential-management platform. |
| Moderate | ~325 controls — serious adverse-effect systems (most federal SaaS) | Gap | Not pursued. The realistic target if a federal agency sponsor materialises. |
| High | ~410 controls — severe or catastrophic-effect systems | Gap | Not pursued. Required only for law-enforcement, emergency-services, or critical-infrastructure deployments. |
| Tailored / Li-SaaS | Lightweight track for low-impact SaaS with no PII beyond login credentials | N/A | Not applicable — Glassbreak handles authentication credentials and audit data, which exceed the Li-SaaS scope. |
Authorisation paths
- Agency Authorisation (Sponsorship path) — A federal agency acts as our sponsor and Authorising Official. After 3PAO assessment, the agency issues an Authority to Operate (ATO) and the package is then published to the FedRAMP Marketplace as "FedRAMP Authorised". Typical timeline: 12–18 months from sponsor commitment.
- JAB Provisional Authorisation (P-ATO) — The Joint Authorisation Board issues a provisional ATO that other agencies can leverage. The JAB takes 12 vendors per year selected by FedRAMP Connect. Higher prestige, longer queue.
Control families — current coverage
The NIST SP 800-53 Rev 5 Moderate baseline spans 20 control families. This is our self-assessment of how much of each family we already implement under SOC 2 / DPA work. This is not a formal SSP.
| Family | Name | Status | How we meet it / gap |
|---|---|---|---|
| AC | Access Control | Partial | RBAC, MFA, session control implemented; FedRAMP-specific requirements (session lock, system use notification at logon, account-management automation) need formal implementation. |
| AT | Awareness and Training | Partial | Annual security awareness training and role-based training operating per /policies/onboarding §§4.3, 5, 8. FedRAMP-specific insider-threat training module still required. |
| AU | Audit and Accountability | Partial | Application audit log + observability in place; tamper-evident chain and audit-record retention policy are not. |
| CA | Assessment, Authorisation, and Monitoring | Gap | SSP, SAR, POA&M, continuous monitoring plan are FedRAMP artefacts that do not exist today. |
| CM | Configuration Management | Met | OpenTofu under version control; CM baselines and change-control records exercised in PRs. |
| CP | Contingency Planning | Met | BCP/DR plan at /policies/business-continuity with RTO/RPO, scenario-specific recovery procedures, and 22 nightly DR test scenarios (dr-tests/). |
| IA | Identification and Authentication | Partial | Argon2id, TOTP/WebAuthn, refresh-token rotation; FedRAMP requires PIV/CAC authentication for federal users and acceptance of third-party identity assurance levels (NIST SP 800-63B). |
| IR | Incident Response | Partial | Procedure documented at /policies/incident-response with SEV-1/2/3/4 classification, response phases, and post-mortem template. FedRAMP-specific US-CERT reporting integration still required. |
| MA | Maintenance | N/A | Not directly applicable to a serverless deployment; documentation stating that maintenance is performed by cloud sub-processors still needs to be written. |
| MP | Media Protection | Met | Cloud sub-processors handle production media. Staff endpoint media protection documented at /policies/offboarding §§5, 7 (device wipe, secure erase, re-imaging). |
| PE | Physical and Environmental Protection | Partial | Inherited from FedRAMP-authorised cloud (AWS GovCloud would be the target; current Scaleway French region does not satisfy US physical-location requirements). |
| PL | Planning | Partial | InfoSec Policy + ISMS Scope + SoA + RTP + SDLC published at /policies; SSP outline at /policies/fedramp-ssp-summary; full FedRAMP-template SSP still required. |
| PM | Program Management | Gap | Risk-management strategy, POA&M, critical-infrastructure plan are FedRAMP artefacts to draft. |
| PS | Personnel Security | Partial | Background-check procedure for production-access roles at /policies/onboarding §3.2; FedRAMP-Moderate-specific public-trust investigation level may exceed our current programme. |
| PT | PII Processing and Transparency | Met | Met largely by GDPR programme (DPA, sub-processor list, data-subject rights routes). |
| RA | Risk Assessment | Partial | Risk Treatment Plan at /policies/risk-treatment-plan defines methodology + register; FedRAMP-specific FIPS-199 categorisation and annual RA still required. |
| SA | System and Services Acquisition | Partial | Supplier-assessment procedure at /policies/procedures/supplier-assessment + SCRM plan at /policies/supply-chain-risk; FedRAMP-specific external impact assessment still required. |
| SC | System and Communications Protection | Met | TLS 1.2+, HSTS, multi-cloud isolation, encryption at rest, hybrid post-quantum encryption (the latter is well above the FedRAMP Moderate baseline). |
| SI | System and Information Integrity | Partial | Dependabot, smoke tests, monitoring; FedRAMP requires malicious-code protection (less relevant in serverless), spam protection, error handling, and output-filtering procedures. |
| SR | Supply Chain Risk Management | Partial | Commercial SCRM plan at /policies/supply-chain-risk; FedRAMP-specific SCRM extensions (deeper SBOM cadence, federal-impact supplier review) still required. |
FedRAMP-specific infrastructure requirements
A FedRAMP Moderate environment is not the same infrastructure as our commercial product. We would need:
- A dedicated environment hosted in a FedRAMP-authorised cloud region (AWS GovCloud, Azure Government, Google Assured Workloads for Government).
- US-citizen-only personnel with access to production data.
- FIPS 140-3 validated cryptographic modules (our current Noble libraries are not FIPS-validated; substitution required).
- A separate FedRAMP-tailored CI/CD pipeline with no commercial-side code reuse.
- Continuous monitoring (ConMon): monthly vulnerability scans, quarterly POA&M updates, annual assessor visit.
Alternatives for federal-adjacent buyers
| Programme | What it covers | Status | Our position / gap |
|---|---|---|---|
| StateRAMP | State and local government equivalent of FedRAMP | Gap | Not held. Much lower cost than FedRAMP and may be sufficient for non-federal public sector — would consider ahead of FedRAMP given lower investment. |
| DoD IL2 | Department of Defense Impact Level 2 — non-controlled information | Gap | Often satisfied by FedRAMP Moderate; not held standalone. |
| CMMC L1 | Cybersecurity Maturity Model Certification Level 1 — basic safeguarding | Gap | Achievable without full FedRAMP; would consider for DoD-supply-chain customers. |
| CMMC L2 | CMMC Level 2 — protecting CUI | Gap | Not pursued; significant overlap with FedRAMP Moderate. |
If a customer must use a FedRAMP service today, there are credential vaults already authorised; we will provide an honest competitive comparison on request.
Honest disclosure
A vendor that says "we're FedRAMP ready" or "FedRAMP equivalent" without an active In Process listing on the FedRAMP Marketplace is overselling. We will not use either phrase. If we begin formal FedRAMP work we will publish the In Process listing URL on this page.
If federal use is a material part of your buying decision, please write to compliance@glassbreak.io. We would rather give you a clean "not today" than a hedged maybe.