Blog

Crushing the 10 Tenets of DoD CSRMC — The Future is ThreatAlert®

If the Risk Management Framework (RMF) was the long-running compliance opera: grandiose sets, endless rehearsals, dead-eyed troupe members who just want it to end; the Cybersecurity Risk Management Construct (CSRMC) is the punk-rock reboot with a break-stuff attitude, a razor-sharp set list, and the Hell’s Angels doing crowd control.

The Department of Defense (or should I say, Department of War? No, seriously, I’m asking…) formally unveiled the CSRMC in late September 2025, positioning it as the successor to the legacy RMF and centering it on a five-phase lifecycle (Design → Build → Test → Onboard → Operate).

CSRMC | Cybersecurity Risk Management Construct

Why the switch? A decade of RMF inside DoD taught everyone the same lesson: static artifacts age like dead beef in a hot car during a Phoenix summer. CSRMC replaces the long-since zombified RMF with something


Modernizing the ATO Process: Cutting Red Tape, Securing the Mission

Cutting Red Tape, Securing the Mission: Why Faster ATOs Matter

Featured in PSC Contractor Magazine – Fall 2025
By Gaurav “GP” Pal, CEO and Founder, stackArmor, a Tyto Athene Company

Federal agencies and contractors dedicate millions of hours each year navigating the Risk Management Framework (RMF) and Authority to Operate (ATO) process—essential for security, but often a source of costly delay. In the latest issue of PSC Contractor Magazine, stackArmor CEO and Founder Gaurav “GP” Pal outlines a bold yet practical path forward: modernizing and accelerating the ATO process without sacrificing rigor or compliance.

Key Highlights

The Cost of Complexity: Each year, government and industry spend an estimated 26 million hours and $3.6 billion on RMF and ATO activities across more than 13,000 systems. Simplifying and automating these processes could save over $1.4 billion annually and free cyber talent to focus on true mission risk.

The Problem Today: RMF evidence lives in static


How to do FedRAMP the Wrong Way

A lovingly sarcastic field guide to burning time, money, and morale

Let’s start with the myth that refuses to die: FedRAMP ATOs take 18–24 months and cost $3–5M. If you follow the classic FedRAMP advisory playbook, sure. You’ll spend months on a gap assessment, commission a reference architecture that looks gorgeous in PowerPoint, and then sink quarters into R&D trying to interpret every control like it’s Renaissance poetry. Damn it, what the hell is a Prince of Cats!?

Cue the consultant parade and the endless gap analyses. Cue roadmaps to hell. Cue the realization that you’ve made poor career choices. And the absolute worst—cue the invoices!!

If your organization is the beneficiary of billions in angel investment capital because you’ve created the thing everyone cannot live without, by all means proceed. For everyone else, there’s a better way.

The Wrong Way | A


DoD SRG Update: IL5 Reclassified as NSS — What CSPs Need to Know

DoD SRG’s Silent Earthquake: IL5 Moved to NSS-Land. Most of You Are Actually IL4 (and that’s okay).

The Defense Information Systems Agency (DISA) has been pushing out a number of Cloud Security Requirements Guide (SRG) updates in recent months. Since July 2025, we’ve seen:

SRG V1R3 – dated July 02, 2025
SRG V1R4 – dated August 13, 2025
SRG V1R5 – dated September 03, 2025

Hey DISA, friendly request here—maybe gather everyone together to think about a roadmap of quarterly releases or even an industry town hall?

While there have been many updates, in my opinion V1R3 had the largest impact by far. The version number whispers “minor,” but the blast radius is atomic. Every CSP needs to understand the following: Impact Level (IL) 5 is now explicitly a National Security System (NSS) neighborhood, and that’s not a place most CSPs want to find themselves in. The part hardly anyone


Hey MSPs: Why FedRAMP Moderate Equivalency Beats Bare-Minimum CMMC

Implementing CMMC? Think FedRAMP Moderate Equivalent Instead.

Hey MSPs – You Should Aim Higher Than Bare-Minimum CMMC. Go Full FedRAMP Moderate Equivalent. Be Brave!

The Pentagon finally dropped the other shoe. With the Defense Federal Acquisition Regulation Supplement (DFARS) amendment now posted for public inspection, CMMC requirements officially land in DoD contracts on November 10, 2025. Simply put, the grace period is over! Procurement just turned into a cybersecurity filter. If you don’t meet the level specified in the RFP, go home and slap yo’ SSP – simple as that.

This is all great news for national security, but not-so-great if your business plan assumed you’d get to CMMC later or figured it didn’t apply to you. If you’re a Managed Service Provider (MSP) in the Defense Industrial Base (DIB), it definitely applies to you. The good news is that there’s a smarter move than sprinting to the nearest


Armory20x: Accelerating FedRAMP AI Prioritization for ISVs

Armory20x: The Shortcut AI ISVs Need for FedRAMP AI Prioritization

Independent Software Vendors (ISVs) building with AI are in a mad dash to reach the top. Every week brings a new foundation model, a new vector database, a new “copilot for X.” Investors want it FedRAMP authorized yesterday so you can sell to agencies tomorrow.

The problem? FedRAMP AI Prioritization isn’t a fast pass for AI systems. It’s a “prove you’re serious” filter. NIST controls still apply (at least the Key Security Indicators (KSIs)), FIPS-validated encryption still applies, and continuous monitoring still applies. The government isn’t lowering the bar; it’s asking you to clear it faster.

So, the question for AI ISVs becomes: do you want to spend your hard-earned venture capital hiring an army of compliance engineers and writing 700-page System Security Plans, or do you want to keep shipping actual AI features that customers care about? That’s


Reimagining RMF ATOs: stackArmor’s Compliance-as-Code 20x

We at stackArmor have taken to heart the recent calls to “Blow up the Risk Management Framework (RMF)” and take the compliance drama head-on. ATOs are in the news almost daily, often associated with high costs and long approval cycles with questionable outcomes.

As we’re all about to light the RMF on fire and re-imagine it from first principles, we realize the real problem isn’t the RMF itself, it’s the fossilized way we’ve been playing the compliance game: binders packed with off-topic prose, screenshots that are outdated the moment they’re captured, and evidence packages that are obsolete the instant they are zipped.

Traditional Federal information system assessments have been an endless cycle of:

Write 700 pages of implementation statements that are marginally on topic, and only sometimes accurate.
Have your highly skilled/paid engineers copy/paste screenshots into Word docs like a freshly minted, unskilled intern.
Ship the whole mess to auditors


Accelerating FedRAMP High ATOs to Address Fast Growing Federal Demand

Federal and Defense agencies are increasingly encouraged to buy best-of-breed commercial solutions. Commercial Software-as-a-Service (SaaS) Cloud Service Providers (CSPs) or Independent Software Vendors (ISVs) looking to meet this growing demand must meet the Federal Risk and Authorization Management Program (FedRAMP®) cybersecurity requirements. FedRAMP provides a standardized, reusable approach to security assessment and authorization for commercial cloud service offerings.

The FedRAMP Marketplace lists cloud service offerings (CSOs) based on their impact levels (amongst other filters). The primary levels are Low, Moderate, and High. A quick analysis of the FedRAMP Marketplace data shows the growing demand for FedRAMP High cloud service offerings. As the graphic below demonstrates, FedRAMP High authorizations are growing faster than those for the Moderate baseline.

Understanding FedRAMP High Requirements

The FedRAMP cybersecurity requirements are rooted in Federal standards, such as Federal Information Processing Standard (FIPS) 199, which outlines the security categorization of federal


Enabling FedRAMP 20X with the stackArmor Cyber Maturity Score (TM)

Written by Johann Dettweiler, Chief Information Security Officer, stackArmor

Utilizing a “Risk Score” to Inform Risk-based Authorization of FedRAMP Systems

That was a mouthful… a lot of words to discuss what is a really interesting topic, and in my opinion, a bit of a “white rabbit” in the compliance and IT security world.

With all of the shakeups happening in the Federal world right now, it seems that FedRAMP is very interested in streamlining and re-designing their authorization process. In January of 2025 they released a blog describing a renewed focus on “delivery”, and prior to that released a number of blogs that focused on “streamlining” and making the overall FedRAMP authorization process more “agile”. And more recently, the launch of FedRAMP 20X explicitly talks about generating ideas on how we move away from point-in-time, paper-based compliance to continuous compliance. An idea being tossed around is the use of


FedRAMP: Adapting to a Dynamic Landscape While Balancing Security with Efficiency

The FedRAMP program has successfully enabled commercial cloud computing adoption by Federal and DOD agencies for over 14 years, establishing itself as a cornerstone of secure cloud adoption within the government. Despite recent uncertainties and speculation within the community, it’s important to remember that the program’s fundamental principles remain strong. FedRAMP agency authorizations continue at a healthy pace, and the authorization backlog is demonstrably shrinking.

Date        Ready   In-Process   Authorized   Total   Change from Prior Period
3/14/2025      40          111          380     531      6
3/1/2025       36          119          370     525     15
2/1/2025       26          121          363     510     11
1/1/2025       23          120          356     499      3
12/1/2024      23          119          354     496     -1
11/1/2024      26          119          352     497      1
10/1/2024      28          120          348     496

Source: FedRAMP.gov and historical data pulled from the Wayback Machine

Government-wide mandates for efficiency and prioritization are driving changes across all agencies, including FedRAMP. As a program established in law to provide a standardized, reusable approach to


Making FedRAMP ATOs Great with OSCAL and Components

OMB Memo M-24-15, published on July 24, 2024, directed GSA and the FedRAMP PMO to streamline the FedRAMP ATO process using NIST OSCAL. By early 2026 (18 months after the issuance of the memo), GSA must ensure the ability to receive FedRAMP authorization and continuous monitoring artifacts through automated, machine-readable means. Additionally, by the summer of 2026 (24 months after the issuance of the memo), agencies must ensure that agency GRC and system-inventory tools can ingest and produce machine-readable authorization and continuous monitoring artifacts using OSCAL, or any succeeding protocol identified by FedRAMP.

As agencies and cloud service providers race to meet the mandated timelines, it is important to understand and adopt NIST OSCAL in the right way! The experienced team of FedRAMP experts at stackArmor, with more than a decade of experience in helping cloud service providers meet the requirements of the FedRAMP program


A New Way to SSP: The Component Definition Approach to Defining Controls

Guest Post by Johann Dettweiler, CISO, stackArmor

Imagine a world where the “say nothing” narrative implementation statements, rampant across the landscape of System Security Plans (SSPs), get replaced by a definitive understanding of system state to determine the implementation status of controls. For those of us who have languished with the “old way” of writing SSPs, we dare not imagine that promised land. However, with the introduction of the Open Security Controls Assessment Language (OSCAL), there is promise of a light in the darkness, a sip to a desert wanderer, a cool breeze in hell – I present to you – Component Definitions (CDEFs)!

“Cue “Thus Spake Zarathustra” – BUM bum BUMMMMM BUM, bum, BUMMMMM!”

Alright, admittedly that may have been a little bit over dramatic, but if you’ve ever experienced reading or writing an SSP, suffice to
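Both this post and the OSCAL post above (Making FedRAMP ATOs Great with OSCAL and Components) describe the same idea: each component in the boundary declares which controls it implements in an OSCAL component definition, and the SSP's control coverage is derived from those declarations rather than written as prose. The following is an added example, not code from stackArmor or from either post. It embeds a constructed OSCAL 1.x component-definition (placeholder UUIDs, titles and catalog URL are assumptions), aggregates the implemented-requirements across components, and reports which baseline controls are covered, only partially covered, or not claimed by any component at all. The baseline control list is likewise a constructed subset, and reading the status from an `implementation-status` prop on each implemented-requirement is an assumed convention.

```python
"""Aggregate OSCAL component definitions into an SSP-style control coverage view."""
import json
from collections import defaultdict

# Constructed sample (assumption): a minimal OSCAL 1.x component-definition with
# two components. UUIDs, titles and the catalog URL are placeholders.
CATALOG = "https://example.invalid/NIST_SP-800-53_rev5_catalog.json"


def _req(uuid, control_id, description, status):
    # Helper to build one implemented-requirement entry for the sample.
    return {"uuid": uuid, "control-id": control_id, "description": description,
            "props": [{"name": "implementation-status", "value": status}]}


SAMPLE_CDEF_JSON = json.dumps({
    "component-definition": {
        "uuid": "11111111-1111-4111-8111-111111111111",
        "metadata": {"title": "Constructed example components",
                     "last-modified": "2025-01-01T00:00:00Z",
                     "version": "0.1", "oscal-version": "1.1.2"},
        "components": [
            {"uuid": "22222222-2222-4222-8222-222222222222",
             "type": "software", "title": "Identity Provider",
             "description": "SSO with phishing-resistant MFA for console access.",
             "control-implementations": [{
                 "uuid": "33333333-3333-4333-8333-333333333333",
                 "source": CATALOG, "description": "Controls the IdP satisfies.",
                 "implemented-requirements": [
                     _req("44444444-4444-4444-8444-444444444441", "ia-2",
                          "MFA enforced on every interactive login.", "implemented"),
                     _req("44444444-4444-4444-8444-444444444442", "ac-2",
                          "Accounts provisioned and revoked via SCIM.", "implemented"),
                 ]}]},
            {"uuid": "55555555-5555-4555-8555-555555555555",
             "type": "service", "title": "Audit Log Pipeline",
             "description": "Centralized, immutable audit log collection.",
             "control-implementations": [{
                 "uuid": "66666666-6666-4666-8666-666666666666",
                 "source": CATALOG, "description": "Controls the log pipeline satisfies.",
                 "implemented-requirements": [
                     _req("77777777-7777-4777-8777-777777777771", "au-2",
                          "Auditable events collected from all hosts.", "implemented"),
                     _req("77777777-7777-4777-8777-777777777772", "au-6",
                          "Review dashboards exist; alerting not yet tuned.", "partial"),
                     _req("77777777-7777-4777-8777-777777777773", "ac-2",
                          "Account lifecycle events logged for review.", "implemented"),
                 ]}]},
        ],
    }
})

# Constructed subset of a baseline (assumption): controls the SSP must address.
BASELINE = ["ac-2", "au-2", "au-6", "ia-2", "sc-7"]


def implementation_status(requirement):
    """Read the implementation-status prop (assumed convention); default 'implemented'."""
    for prop in requirement.get("props", []):
        if prop.get("name") == "implementation-status":
            return prop.get("value", "implemented")
    return "implemented"


def control_coverage(cdef_json):
    """Map control-id -> [(component title, status)] across all components."""
    root = json.loads(cdef_json)["component-definition"]
    coverage = defaultdict(list)
    for component in root.get("components", []):
        for impl in component.get("control-implementations", []):
            for req in impl.get("implemented-requirements", []):
                control_id = req["control-id"].lower()
                coverage[control_id].append((component["title"], implementation_status(req)))
    return dict(coverage)


def coverage_report(cdef_json, baseline):
    """Classify each baseline control as covered, partial (no full implementer), or a gap."""
    coverage = control_coverage(cdef_json)
    report = {"covered": {}, "partial": {}, "gaps": []}
    for control_id in baseline:
        entries = coverage.get(control_id.lower(), [])
        titles = sorted(title for title, _ in entries)
        if not entries:
            report["gaps"].append(control_id)
        elif any(status == "implemented" for _, status in entries):
            report["covered"][control_id] = titles
        else:
            report["partial"][control_id] = titles
    return report


if __name__ == "__main__":
    print(json.dumps(coverage_report(SAMPLE_CDEF_JSON, BASELINE), indent=2))
```

The useful output is the `gaps` and `partial` lists: a control that no component claims (sc-7 in the constructed sample) is exactly the kind of hole a narrative SSP hides, and a control that only has partial implementers is the one an assessor will ask about first. In a real pipeline the component definitions would be the ones shipped with each product or platform service, and the baseline would come from the FedRAMP profile rather than a hand-written list.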
