Blog Archives - stackArmor

Hey MSPs: Why FedRAMP Moderate Equivalency Beats Bare-Minimum CMMC

Implementing CMMC? Think FedRAMP Moderate Equivalent Instead. Hey MSPs…You Should Aim Higher Than Bare-Minimum CMMC. Go Full FedRAMP Moderate Equivalent. Be Brave! The Pentagon finally dropped the other shoe. With the Defense Federal Acquisition Regulation Supplement (DFARS) amendment now posted for public inspection, CMMC requirements officially land in DoD contracts on November 10, 2025. Simply put, the grace period is over! Procurement just turned into a cybersecurity filter. If you don’t meet the level specified in the RFP, go home and slap yo’ SSP – simple as that. This is all great news for national security, but not-so-great if your business plan assumed you’d get to CMMC later or figured it didn’t apply to you. If you’re a Managed Service Provider (MSP) in the Defense Industrial Base (DIB), it definitely applies to you. The good news is that there’s a smarter move than sprinting to the nearest C3PAO for a

Armory20x: Accelerating FedRAMP AI Prioritization for ISVs

Armory20x: The Shortcut AI ISVs Need for FedRAMP AI Prioritization Independent Software Vendors (ISVs) building with AI are in a mad dash to reach the top. Every week brings a new foundation model, a new vector database, a new “copilot for X.” Investors want it FedRAMP authorized yesterday so you can sell to agencies tomorrow. The problem? FedRAMP AI Prioritization isn’t a fast pass for AI systems. It’s a prove you’re serious filter. NIST controls still apply (at least the Key Security Indicators (KSIs)), FIPS encryption still applies, and continuous monitoring still applies. The government isn’t lowering the bar; it’s asking you to clear it faster. So, the question for AI ISVs becomes: Do you want to spend your hard-earned venture capital hiring an army of compliance engineers and writing 700-page System Security Plans… or do you want to keep shipping actual AI features that customers care about? That’s where

Reimagining RMF ATOs: stackArmor’s Compliance-as-Code 20x

We at stackArmor have taken to heart the recent calls to “Blow up the Risk Management Framework (RMF)” and take the compliance drama head-on. ATOs are in the news almost daily, often associated with high costs and long approval cycles with questionable outcomes. As we’re all about to light the RMF on fire and re-imagine it from first principles, we realize the real problem isn’t the RMF itself, it’s the fossilized way we’ve been playing the compliance game: binders packed with off-topic prose, screenshots that are outdated the moment they’re captured, and evidence packages that are obsolete the instant they are zipped. Traditional Federal information system assessments have been an endless cycle of: Write 700 pages of implementation statements that are marginally on topic, and only sometimes accurate. Have your highly skilled/paid engineers copy/paste screenshots into Word docs like a freshly minted, unskilled intern. Ship the whole mess to auditors

Accelerating FedRAMP High ATOs to Address Fast Growing Federal Demand

Federal and Defense agencies are increasingly encouraged to buy the best of breed commercial solutions. Commercial Software-as-a-Service (SaaS) Cloud Service Providers (CSPs) or Independent Software Vendors (ISVs) looking to meet this growing demand must meet the Federal Risk and Authorization Management Program (FedRAMP®) cybersecurity requirements. FedRAMP provides a standardized, reusable approach to security assessment and authorization for commercial cloud service offerings. The FedRAMP Marketplace lists cloud service offerings (CSOs) based on their Impact Levels (amongst other filters). The primary levels are Low, Moderate, and High. A quick analysis of the FedRAMP Marketplace data shows the growing demand for FedRAMP High cloud service offerings. As the graphic below demonstrates, FedRAMP High authorizations are growing faster than those for the Moderate baseline. Understanding FedRAMP High Requirements The FedRAMP cybersecurity requirements are rooted in Federal standards, such as the Federal Information Processing Standard (FIPS) 199, that outlines the security categorization of federal information

Enabling FedRAMP 20X with the stackArmor Cyber Maturity Score (TM)

Written by Johann Dettweiler, Chief Information Security Officer, stackArmor Utilizing a “Risk Score” to Inform Risk-based Authorization of FedRAMP Systems That was a mouthful…a lot of words to discuss what is a really interesting topic, and in my opinion, a bit of a “white rabbit” in the compliance and IT security world. With all of the shakeups happening in the Federal world right now, it seems that FedRAMP is very interested in streamlining and re-designing their authorization process. In January of 2025 they released a blog describing a renewed focus on “delivery”, and prior to that released a number of blogs that focused on “streamlining” and making the overall FedRAMP authorization process more “agile”. And more recently, the launch of FedRAMP 20X explicitly talks about generating ideas on how we move away from a point in time paper-based compliance to continuous compliance. An idea being tossed around is the use of

FedRAMP: Adapting to a Dynamic Landscape While Balancing Security with Efficiency

The FedRAMP program has successfully enabled commercial cloud computing adoption by Federal and DOD agencies for over 14 years, establishing itself as a cornerstone of secure cloud adoption within the government. Despite recent uncertainties and speculation within the community, it’s important to remember that the program’s fundamental principles remain strong. FedRAMP agency authorizations continue at a healthy pace, and the authorization backlog is demonstrably shrinking. Ready In-Process Authorized Total Change from Prior Period 3/14/2025 40 111 380 531 6 3/1/2025 36 119 370 525 15 2/1/2025 26 121 363 510 11 1/1/2025 23 120 356 499 3 12/1/2024 23 119 354 496 -1 11/1/2024 26 119 352 497 1 10/1/2024 28 120 348 496 Source: FedRAMP.gov and historical data pulled from Wayback Machine Government-wide mandates for efficiency and prioritization are driving changes across all agencies, including FedRAMP. As a program established in law to provide a standardized, reusable approach to

Making FedRAMP ATOs Great with OSCAL and Components

OMB Memo M-24-15 published on July 24, 2024 directed GSA and the FedRAMP PMO to streamline the FedRAMP ATO process using NIST OSCAL. By late 2025 or early 2026 (18 months after the issuance of the memo), GSA must ensure the ability to receive FedRAMP authorization and continuous monitoring artifacts through automated, machine-readable means. Additionally, by the Summer of 2026 (twenty four months after the issuance of the memo), agencies must ensure that agency GRC and system-inventory tools can ingest and produce machine-readable authorization and continuous monitoring artifacts using OSCAL, or any succeeding protocol as identified by FedRAMP. As agencies, and cloud service providers race to meet the mandated timelines, it is important to understand and adopt NIST OSCAL in the right way! The experienced team of FedRAMP experts at stackArmor with over a decade plus of experience in helping cloud service providers meet the requirements of the FedRAMP program

A New Way to SSP: The Component Definition Approach to Defining Controls

A New Way to SSP: The Component Definition Approach to Defining Controls Guest Post by Johann Dettweiler, CISO, stackArmor Imagine a world where the “say nothing” narrative implementation statements, rampant across the landscape of System Security Plans (SSPs), get replaced by a definitive, understanding of system state to determine the implementation status of controls. For those of us that have languished with the “old way” of writing SSPs, we dare not imagine that promised land. However, with the introduction of the Open Security Controls Assessment Language (OSCAL), there is promise of a light in the darkness, a sip to a desert wanderer, a cool breeze in hell – I present to you – Component Definitions (CDEFs)! “Cue “Thus Spake Zarathustra” – BUM… bum… BUMMMMM… BUM, bum, BUMMMMM!” Alright, admittedly that may have been a little bit over dramatic, but if you’ve ever experienced reading or writing an SSP, suffice to

California’s AI RAMP or FedRAMP for AI?

California’s AI RAMP or FedRAMP for AI?: Urgent need for an actionable and enforceable US safety and security framework for AI California State Bill 1047 was passed today by the Assembly where it heads to the Senate and the Governor’s desk for consideration. SB 1047 is remarkable for the specificity of the governance requirements and penalties for developers of AI models. The proposed Act clearly spells out covered models and establishes the governance model which includes designating a “Government Operating Agency”, mandating a third-party audit and explicit guidance on change management & reporting. The proposed law provides for flexibility by allowing the developer to choose the appropriate framework “(i) In fulfilling its obligations under this chapter, a developer shall consider industry best practices and applicable guidance from the U.S. Artificial Intelligence Safety Institute, National Institute of Standards and Technology, the Government Operations Agency, and other reputable standard-setting organizations.” The act clearly

Embracing MLSecOps for Secure and Safe AI Systems

Written by Matt Venne, Managing Director, stackArmor The advent of artificial intelligence (AI) is transforming practically every corner of our world. Concurrently, the need for MLSecOps platforms has become fundamental in ensuring the security of AI systems. Traditional security models often fall short in addressing the unique vulnerabilities inherent in AI systems. The integration of AI into the software development lifecycle (SDLC) is pivotal in fortifying the security frameworks of organizations leveraging AI technologies. Additionally, the introduction of AI Security Posture Management and scanning for AI-specific vulnerabilities play crucial roles. Implementing an LLM Firewall further enhances these security measures. These measures are essential for ensuring the robust protection of systems that utilize AI. Uncharted Waters: Unique Attack Vectors in AI Systems AI systems introduce a set of unique attack vectors that traditional security models are not equipped to handle. Unlike conventional software, AI systems can be susceptible to data poisoning,

Conducting a CMMC 2.0 Readiness Assessment

The Cybersecurity Maturity Model Certification program gives the Defense Department a mechanism to verify the readiness of defense contractors both large and small to handle controlled unclassified information and federal contract information in accordance with federal regulations. The CMMC 2.0 program is currently in the final rulemaking phase with implementation expected in 2025. Large defense contractors with multi-location or region business operations should conduct a CMMC readiness assessment to get ahead of the eventual implementation deadline and better understand how to best implement a compliance solution. stackArmor’s security and compliance experts have over two decades of experience implementing strong security and compliance guardrails based on NIST and DOD controls. They have developed an efficient Cybersecurity Maturity Model Certification (CMMC) Readiness Assessment solution. Defense contractors should accelerate their readiness efforts by: Determining the CMMC scope and boundary definition Performing a discovery of CUI data that may include but not limited to Word

Accelerating CMMC 2.0 Compliance for Defense Contractors with Microsoft Azure

Microsoft Azure provides a suite of highly integrated security services that provide a cost-effective solution for Defense contractors looking to meet the CMMC 2.0 requirements. The Cybersecurity Maturity Model Certification (CMMC) is a framework designed to enhance the security posture of companies that work with the Department of Defense (DoD) by implementing a set of cybersecurity best practices. In this blog post, we will delve into the impact of CMMC and how organizations can effectively monitor their compliance with this crucial framework. The ThreatAlert(R) CMMC Accelerator on Microsoft Azure provides a secure and dedicated CUI boundary with all the tools, documentation and services necessary to meet CMMC 2.0 requirements. A critical part of the ThreatAlert(R) CMMC Accelerator is the ThreatAlert(R) Security Workbench (TSW) for Azure, which provides unmatched level of visibility into potential vulnerabilities and compliance gaps, enabling contractors to comply with CMMC 2.0 monitoring and reporting requirements. Define