Blog Archives - Stack Armor

CVSS In Transition: CISA BOD 26-04, FedRAMP VDR, and the Rise of Risk-Based Vulnerability Management

Introduction CISA’s Binding Operational Directive 26-04, “Prioritizing Security Updates Based on Risk,” is a game changer leading the transition to risk-based vulnerability management. For years, vulnerability management has been trapped in a compliance ritual: scan the environment, export a giant list of Common Vulnerabilities and Exposures (CVEs), sort by Common Vulnerability Scoring System (CVSS) score, prioritize everything labeled “Critical,” and then spend precious cybersecurity talent hours arguing about why half the findings are either unreachable, mitigated, irrelevant, duplicative, or sitting on a system nobody has touched for a long time. That was a lot of Excel cosplay, meetings and wasted effort leading to a false sense of precision. The CVSS based Vulnerability Management model has given us a common language for severity. That matters. But CVSS was never a complete risk model. A CVSS 9.8 vulnerability on an isolated, non-production host with compensating controls is not automatically more urgent than

Accelerating and Modernizing ATOs with OpenAI’s Trusted Access for Cyber

Introduction On February 5, 2026, OpenAI introduced Trusted Access for Cyber (TAC), an identity- and trust-based access framework designed to give verified defenders more useful access to advanced cyber capabilities while preserving safeguards against misuse.[1] TAC launched alongside GPT-5.3-Codex, which OpenAI described as its most cyber-capable frontier reasoning model at the time.[2] Since then, the program has moved quickly. OpenAI introduced Codex Security in research preview on March 6, 2026; expanded TAC on April 14 with additional access tiers and GPT-5.4-Cyber; and, most recently, announced GPT-5.5 with TAC and a limited preview of GPT-5.5-Cyber on May 7, 2026.[3][4][5] This is not just another AI coding assistant or vulnerability scanner. TAC is a framework for controlled access to powerful dual-use cyber capabilities. Codex Security is one of the first major applications built on that foundation: an agentic application security system that uses deep repository context, threat modeling, validation, and patch generation

stackArmor CISO Johann Dettweiler Featured on FORUM Power Podcast

stackArmor CISO Johann Dettweiler Featured on FORUM Power Podcast Johann Dettweiler, Chief Information Security Officer at stackArmor, a Tyto Athene company, was recently featured on the Forum Power Podcast episode titled “Risk, FedRAMP & the Future of Federal Cybersecurity: A CISO’s Perspective with Johann Dettweiler.” In this episode, Johann dives into: How AI is reshaping federal cybersecurity risk models, and what agencies need to rethink now What FedRAMP modernization and 20x really mean for cloud service providers and agencies How CISOs can balance speed, compliance, and mission delivery without compromising security The episode also explores Johann’s nearly two-decade career in cybersecurity and the unconventional path that shaped his leadership philosophy. From early work in audio production to leading risk-based decision-making for cloud-native, FedRAMP-authorized systems, Johann shares how discipline, deadlines, and accountability remain foundational to effective cybersecurity programs in the public sector. Johann offers candid insights into some of the most

Compliance Theater: Rethinking Cybersecurity Compliance with Automation

Compliance Theater: Why Cybersecurity’s Favorite Tragedy Needs a Rewrite In a recent article published by Security Magazine, Johann Dettweiler, CISO at stackArmor, a Tyto Athene company, delivers a candid critique of how the cybersecurity industry approaches compliance, and why it’s no longer working. Johann argues that compliance has become performance art: slow, manual, and focused on appearances rather than outcomes. Binders of screenshots and narrative “implementation statements” may satisfy audit checklists, but they do little to reflect the real security posture of modern, fast-changing cloud environments. The Problem Isn’t the Frameworks Calls to scrap compliance frameworks altogether miss the point. According to Johann, the real issue isn’t FedRAMP or similar standards, it’s how they’re executed. Point-in-time assessments consume weeks of effort, divert skilled engineers into evidence collection, and deliver artifacts that are outdated almost as soon as they’re submitted. Passing an audit once a year doesn’t equate to being secure year-round. FedRAMP 20x Signals a Shift The article highlights the U.S. General Services Administration’s FedRAMP 20x pilot as

Crushing the 10 Tenets of DoD CSRMC — The Future is ThreatAlert®

Crushing the 10 Tenets of DoD CSRMC — The Future is ThreatAlert® If the Risk Management Framework (RMF) was the long-running compliance opera: grandiose sets, endless rehearsals, dead-eyed troop members that just want it to end; the Cybersecurity Risk Management Construct (CSRMC) is the punk-rock reboot with a break-stuff attitude, razor-sharp set list, and the Hell’s Angels doing crowd control. The Department of Defense (or should I say, Department of War? No, seriously, I’m asking…) formally unveiled the CSRMC in late September 2025, positioning it as the successor to the legacy RMF and centering it on a five-phase lifecycle (Design → Build → Test → Onboard → Operate). CSRMC | Cybersecurity Risk Management Construct Why the switch? A decade of RMF inside DoD taught everyone the same lesson: static artifacts age like dead beef in a hot car during a Phoenix summer. CSRMC replaces the long-since zombified RMF with something

Modernizing the ATO Process: Cut Red Tape and Secure the Mission

Cutting Red Tape, Securing the Mission: Why Faster ATOs Matter Featured in PSC Contractor Magazine – Fall 2025By Gaurav “GP” Pal, CEO and Founder, stackArmor, a Tyto Athene Company Federal agencies and contractors dedicate millions of hours each year navigating the Risk Management Framework (RMF) and Authority to Operate (ATO) process—essential for security, but often a source of costly delay. In the latest issue of PSC Contractor Magazine, stackArmor CEO and Founder Gaurav “GP” Pal outlines a bold yet practical path forward: modernizing and accelerating the ATO process without sacrificing rigor or compliance. Key Highlights The Cost of Complexity:Each year, government and industry spend an estimated 26 million hours and $3.6 billion on RMF and ATO activities across more than 13,000 systems. Simplifying and automating these processes could save over $1.4 billion annually and free cyber talent to focus on true mission risk. The Problem Today:RMF evidence lives in static

How to do FedRAMP the Wrong Way

How to do FedRAMP the Wrong Way A lovingly sarcastic field guide to burning time, money, and morale Let’s start with the myth that refuses to die: FedRAMP ATOs take 18–24 months and cost $3–5M. If you follow the classic FedRAMP advisory playbook, sure. You’ll spend months on a gap assessment, commission a reference architecture that looks gorgeous in PowerPoint, and then sink quarters into R&D trying to interpret every control like it’s Renaissance poetry. Damn it, what the hell is a Prince of Cats!? Cue the consultant parade and the endless gap analyses. Cue roadmaps to hell. Cue the realization that you’ve made poor career choices. And the absolute worst—cue the invoices!! If your organization is the beneficiary of billions in angel investment capital because you’ve created the thing everyone cannot live without, by all means proceed. For everyone else, there’s a better way. The Wrong Way | A

DoD SRG Update: IL5 Reclassified as NSS — What CSPs Need to Know

DoD SRG’s Silent Earthquake: IL5 Moved to NSS-Land. Most of You Are Actually IL4 (and that’s okay). The Defense Information Systems Agency (DISA) has been pushing out a number of Cloud Security Requirements Guide (SRG) updates in recent months. Since July 2025, we’ve seen: SRG V1R3 – dated July 02, 2025 SRG V1R4 – dated August 13, 2025 SRG V1R5 – dated September 03, 2025 Hey DISA, friendly request here—maybe gather everyone together to think about a roadmap of quarterly releases or even an industry town hall? While there’s been many updates, in my opinion V1R3 had the largest impact by far. The version number whispers “minor,” but the blast radius is atomic. Every CSP needs to understand the following: Impact Level (IL) 5 is now explicitly a National Security System (NSS) neighborhood, and that’s not a place most CSPs want to find themselves in. The part hardly anyone

Hey MSPs: Why FedRAMP Moderate Equivalency Beats Bare-Minimum CMMC

Implementing CMMC? Think FedRAMP Moderate Equivalent Instead. Hey MSPs – You Should Aim Higher Than Bare-Minimum CMMC. Go Full FedRAMP Moderate Equivalent. Be Brave! The Pentagon finally dropped the other shoe. With the Defense Federal Acquisition Regulation Supplement (DFARS) amendment now posted for public inspection, CMMC requirements officially land in DoD contracts on November 10, 2025. Simply put, the grace period is over! Procurement just turned into a cybersecurity filter. If you don’t meet the level specified in the RFP, go home and slap yo’ SSP – simple as that. This is all great news for national security, but not-so-great if your business plan assumed you’d get to CMMC later or figured it didn’t apply to you. If you’re a Managed Service Provider (MSP) in the Defense Industrial Base (DIB), it definitely applies to you. The good news is that there’s a smarter move than sprinting to the nearest

Armory20x: Accelerating FedRAMP AI Prioritization for ISVs

Armory20x: The Shortcut AI ISVs Need for FedRAMP AI Prioritization Independent Software Vendors (ISVs) building with AI are in a mad dash to reach the top. Every week brings a new foundation model, a new vector database, a new “copilot for X.” Investors want it FedRAMP authorized yesterday so you can sell to agencies tomorrow. The problem? FedRAMP AI Prioritization isn’t a fast pass for AI systems. It’s a prove you’re serious filter. NIST controls still apply (at least the Key Security Indicators (KSIs)), FIPS encryption still applies, and continuous monitoring still applies. The government isn’t lowering the bar; it’s asking you to clear it faster. So, the question for AI ISVs becomes: Do you want to spend your hard-earned venture capital hiring an army of compliance engineers and writing 700-page System Security Plans or do you want to keep shipping actual AI features that customers care about? That’s

Reimagining RMF ATOs: stackArmor’s Compliance-as-Code 20x

We at stackArmor have taken to heart the recent calls to “Blow up the Risk Management Framework (RMF)” and take the compliance drama head-on. ATOs are in the news almost daily, often associated with high costs and long approval cycles with questionable outcomes. As we’re all about to light the RMF on fire and re-imagine it from first principles, we realize the real problem isn’t the RMF itself, it’s the fossilized way we’ve been playing the compliance game: binders packed with off-topic prose, screenshots that are outdated the moment they’re captured, and evidence packages that are obsolete the instant they are zipped. Traditional Federal information system assessments have been an endless cycle of: Write 700 pages of implementation statements that are marginally on topic, and only sometimes accurate. Have your highly skilled/paid engineers copy/paste screenshots into Word docs like a freshly minted, unskilled intern. Ship the whole mess to auditors

Accelerating FedRAMP High ATOs to Address Fast Growing Federal Demand

Federal and Defense agencies are increasingly encouraged to buy the best of breed commercial solutions. Commercial Software-as-a-Service (SaaS) Cloud Service Providers (CSPs) or Independent Software Vendors (ISVs) looking to meet this growing demand must meet the Federal Risk and Authorization Management Program (FedRAMPÂ®) cybersecurity requirements. FedRAMP provides a standardized, reusable approach to security assessment and authorization for commercial cloud service offerings. The FedRAMP Marketplace lists cloud service offerings (CSOs) based on their Impact Levels (amongst other filters). The primary levels are Low, Moderate, and High. A quick analysis of the FedRAMP Marketplace data shows the growing demand for FedRAMP High cloud service offerings. As the graphic below demonstrates, FedRAMP High authorizations are growing faster than those for the Moderate baseline. Understanding FedRAMP High Requirements The FedRAMP cybersecurity requirements are rooted in Federal standards, such as the Federal Information Processing Standard (FIPS) 199, that outlines the security categorization of federal

Enabling FedRAMP 20X with the stackArmor Cyber Maturity Score (TM)

Written by Johann Dettweiler, Chief Information Security Officer, stackArmor Utilizing a “Risk Score” to Inform Risk-based Authorization of FedRAMP Systems That was a mouthful…a lot of words to discuss what is a really interesting topic, and in my opinion, a bit of a “white rabbit” in the compliance and IT security world. With all of the shakeups happening in the Federal world right now, it seems that FedRAMP is very interested in streamlining and re-designing their authorization process. In January of 2025 they released a blog describing a renewed focus on “delivery”, and prior to that released a number of blogs that focused on “streamlining” and making the overall FedRAMP authorization process more “agile”. And more recently, the launch of FedRAMP 20X explicitly talks about generating ideas on how we move away from a point in time paper-based compliance to continuous compliance. An idea being tossed around is the use of

FedRAMP: Adapting to a Dynamic Landscape While Balancing Security with Efficiency

The FedRAMP program has successfully enabled commercial cloud computing adoption by Federal and DOD agencies for over 14 years, establishing itself as a cornerstone of secure cloud adoption within the government. Despite recent uncertainties and speculation within the community, it’s important to remember that the program’s fundamental principles remain strong. FedRAMP agency authorizations continue at a healthy pace, and the authorization backlog is demonstrably shrinking. Ready In-Process Authorized Total Change from Prior Period 3/14/2025 40 111 380 531 6 3/1/2025 36 119 370 525 15 2/1/2025 26 121 363 510 11 1/1/2025 23 120 356 499 3 12/1/2024 23 119 354 496 -1 11/1/2024 26 119 352 497 1 10/1/2024 28 120 348 496 Source: FedRAMP.gov and historical data pulled from Wayback Machine Government-wide mandates for efficiency and prioritization are driving changes across all agencies, including FedRAMP. As a program established in law to provide a standardized, reusable approach to

Making FedRAMP ATOs Great with OSCAL and Components

OMB Memo M-24-15 published on July 24, 2024 directed GSA and the FedRAMP PMO to streamline the FedRAMP ATO process using NIST OSCAL. By late 2025 or early 2026 (18 months after the issuance of the memo), GSA must ensure the ability to receive FedRAMP authorization and continuous monitoring artifacts through automated, machine-readable means. Additionally, by the Summer of 2026 (twenty four months after the issuance of the memo), agencies must ensure that agency GRC and system-inventory tools can ingest and produce machine-readable authorization and continuous monitoring artifacts using OSCAL, or any succeeding protocol as identified by FedRAMP. As agencies, and cloud service providers race to meet the mandated timelines, it is important to understand and adopt NIST OSCAL in the right way! The experienced team of FedRAMP experts at stackArmor with over a decade plus of experience in helping cloud service providers meet the requirements of the FedRAMP program

A New Way to SSP: The Component Definition Approach to Defining Controls

A New Way to SSP: The Component Definition Approach to Defining Controls Guest Post by Johann Dettweiler, CISO, stackArmor Imagine a world where the “say nothing” narrative implementation statements, rampant across the landscape of System Security Plans (SSPs), get replaced by a definitive, understanding of system state to determine the implementation status of controls. For those of us that have languished with the “old way” of writing SSPs, we dare not imagine that promised land. However, with the introduction of the Open Security Controls Assessment Language (OSCAL), there is promise of a light in the darkness, a sip to a desert wanderer, a cool breeze in hell – I present to you – Component Definitions (CDEFs)! “Cue “Thus Spake Zarathustra” – BUM bum BUMMMMM BUM, bum, BUMMMMM!” Alright, admittedly that may have been a little bit over dramatic, but if you’ve ever experienced reading or writing an SSP, suffice to

California’s AI RAMP or FedRAMP for AI?

California’s AI RAMP or FedRAMP for AI?: Urgent need for an actionable and enforceable US safety and security framework for AI California State Bill 1047 was passed today by the Assembly where it heads to the Senate and the Governor’s desk for consideration. SB 1047 is remarkable for the specificity of the governance requirements and penalties for developers of AI models. The proposed Act clearly spells out covered models and establishes the governance model which includes designating a “Government Operating Agency”, mandating a third-party audit and explicit guidance on change management & reporting. The proposed law provides for flexibility by allowing the developer to choose the appropriate framework “(i) In fulfilling its obligations under this chapter, a developer shall consider industry best practices and applicable guidance from the U.S. Artificial Intelligence Safety Institute, National Institute of Standards and Technology, the Government Operations Agency, and other reputable standard-setting organizations.” The act clearly

Embracing MLSecOps for Secure and Safe AI Systems

Written by Matt Venne, Managing Director, stackArmor The advent of artificial intelligence (AI) is transforming practically every corner of our world. Concurrently, the need for MLSecOps platforms has become fundamental in ensuring the security of AI systems. Traditional security models often fall short in addressing the unique vulnerabilities inherent in AI systems. The integration of AI into the software development lifecycle (SDLC) is pivotal in fortifying the security frameworks of organizations leveraging AI technologies. Additionally, the introduction of AI Security Posture Management and scanning for AI-specific vulnerabilities play crucial roles. Implementing an LLM Firewall further enhances these security measures. These measures are essential for ensuring the robust protection of systems that utilize AI. Uncharted Waters: Unique Attack Vectors in AI Systems AI systems introduce a set of unique attack vectors that traditional security models are not equipped to handle. Unlike conventional software, AI systems can be susceptible to data poisoning,

Conducting a CMMC 2.0 Readiness Assessment

The Cybersecurity Maturity Model Certification program gives the Defense Department a mechanism to verify the readiness of defense contractors both large and small to handle controlled unclassified information and federal contract information in accordance with federal regulations. The CMMC 2.0 program is currently in the final rulemaking phase with implementation expected in 2025. Large defense contractors with multi-location or region business operations should conduct a CMMC readiness assessment to get ahead of the eventual implementation deadline and better understand how to best implement a compliance solution. stackArmor’s security and compliance experts have over two decades of experience implementing strong security and compliance guardrails based on NIST and DOD controls. They have developed an efficient Cybersecurity Maturity Model Certification (CMMC) Readiness Assessment solution. Defense contractors should accelerate their readiness efforts by: Determining the CMMC scope and boundary definition Performing a discovery of CUI data that may include but not limited to Word

Accelerating CMMC 2.0 Compliance for Defense Contractors with Microsoft Azure

Microsoft Azure provides a suite of highly integrated security services that provide a cost-effective solution for Defense contractors looking to meet the CMMC 2.0 requirements. The Cybersecurity Maturity Model Certification (CMMC) is a framework designed to enhance the security posture of companies that work with the Department of Defense (DoD) by implementing a set of cybersecurity best practices. In this blog post, we will delve into the impact of CMMC and how organizations can effectively monitor their compliance with this crucial framework. The ThreatAlert(R) CMMC Accelerator on Microsoft Azure provides a secure and dedicated CUI boundary with all the tools, documentation and services necessary to meet CMMC 2.0 requirements. A critical part of the ThreatAlert(R) CMMC Accelerator is the ThreatAlert(R) Security Workbench (TSW) for Azure, which provides unmatched level of visibility into potential vulnerabilities and compliance gaps, enabling contractors to comply with CMMC 2.0 monitoring and reporting requirements. Define

ThreatAlert® on Google Cloud Platform: A Proven Solution for Comprehensive Security

Alec Meyer, Sr. Cloud Solutions Specialist As cloud adoption continues its meteoric rise, so too does the complexity of securing diverse environments. At stackArmor, our ThreatAlert® Security Platform has been a cornerstone for achieving and maintaining compliance within Amazon Web Services (AWS) and Microsoft Azure. Moreover, ThreatAlert® is also fully compatible with Google Cloud Platform (GCP), broadening its reach to empower organizations across multiple cloud providers. Secure, Compliant, and AI-Powered: The Google Cloud Platform Advantage Google Cloud is taking compliance seriously by recently achieving ATOs on 100+ new services authorized at a FedRAMP high level. This significant achievement underscores GCP’s commitment to providing secure and compliant cloud solutions. Consequently, Google Cloud Platform is gaining popularity due to its advanced data processing, machine learning and AI capabilities. GCP’s BigQuery, Vertex AI suite and security tools are attracting commercial software companies to build mission-focused SaaS solutions. ThreatAlert’s GCP integration makes it easy

Adding GenAI to a FedRAMP Authorized Boundary

The FedRAMP PMO announced the Emerging Technology Prioritization Framework (ETPF) to fast-track AI solutions in code generation, image generation, and chatbots. Cloud service providers (CSP) with existing FedRAMP authorizations can now add OpenAI services to their current Cloud service offerings (CSO). This can be done by following FedRAMP’s prescribed change management process that is often referred to by its acronym – the SCR process. In this blog we will walk you through how you can prepare for such a journey and add Gen AI capabilities to your existing FedRAMP accreditation boundary. stackArmor engineers have informed this blog with their work for existing customers and clients. Select the right FedRAMP Accredited Cloud Service for GenAI First, the journey begins with selecting the right FedRAMP accredited AI cloud service to add to your boundary based on the use case. Google, with Vertex AI, and Microsoft, with Azure OpenAI, both hold FedRAMP High

How Much Does FedRAMP Compliance Cost?

FedRAMP compliance costs can be broken up into two parts: 1) initial ATO costs and 2) ongoing authorization or continuous monitoring costs. The initial FedRAMP compliance professional services costs for the most part vary between $250,000 to $750,000 depending on the support required, accreditation level and size of the environment. Generally, speaking FedRAMP compliance costs are accrued to support deployment engineering, documentation and 3PAO assessment as well as ongoing continuous monitoring costs. FedRAMP compliance is becoming the gold standard in security given its rigorous and comprehensive coverage of management, operational and technical controls. As organizations look to provide cloud services to the federal government, understanding the costs associated with Federal Risk and Authorization Management Program (FedRAMP) compliance becomes crucial. In this blog post, we’ll break down the various costs associated with FedRAMP to help you plan and budget effectively. What is FedRAMP? FedRAMP, the Federal Risk and Authorization Management Program,

An Analysis of AI usage in Federal Agencies

Federal Agencies are rapidly deploying and utilization AI/ML technologies to further the mission. This blog attempts to understand the types of AI/ML systems being used by agencies and how best to develop relevant guardrails. OMB’s M-14-10 memo outlines specific requirements that must be met for ensuring Responsible AI deployments. Responsible AI Directives from OMB As part of its guidance to agencies to ensure Responsible AI use as recommended by the NIST AI RMF to maintain AI system and use case inventories, OMBâ€™s guidance M-24-10 is prescriptive, and direct. Its states, in Sections 3-a-iv and 3-a-v: AI Use Case Inventories. Each agency (except for the Department of Defense and the Intelligence Community) must individually inventory each of its AI use cases at least annually, submit the inventory to OMB, and post a public version on the agencyâ€™s website. OMB will issue detailed instructions for the inventory and its scope through its