FedRAMP 20x · Continuous Authorization

Authorization at 20x cadence.

FedRAMP 20x replaces annual paperwork with continuous, machine-validated security indicators emitted from inside your boundary. We build the tooling to do it — KSI emission, machine-readable authorization packages, and the system of record that holds them together.

Products

A focused portfolio.

A new wedge for FedRAMP 20x continuous authorization, supported by a system of record and the host-state and AI-operations evidence sources that feed it.

beacon / ksi-stream · 20x-moderate · CONTINUOUS
61/61 KSIs PASSING · 17m SINCE EMIT · 3d CADENCE FLOOR
KSI-IAM-01 · phishing-resistant MFA ✓ pass
KSI-CNA-RNT · network segmentation ✓ pass
KSI-CMT-RMV · immutable infra ✓ pass
signed at source · ed25519 · package ready

Beacon

Beta · Design Partners

FedRAMP 20x Key Security Indicator emitter. Reads infrastructure state continuously and emits signed, machine-readable KSI evidence — at the three-day cadence 20x asks for and in the format the Consolidated Rules 2026 mandate. Plugs into the Engine or stands alone.

engine / CloudOps-SaaS-v2 · ATO IN PROGRESS
287/325 CONTROLS · 12 POA&Ms · 47 DAYS TO ATO
IMPLEMENTED 88.3%
CM-8 · component inventory ✓ 247 hosts
SA-11 · dev testing ✓ 3 refs
SI-2 · flaw remediation ● 1 open

System of record for authorization, in both directions. Holds Beacon's 20x KSI emissions as the authoritative package, and generates Rev 5 OSCAL artifacts and POA&M lifecycle for organizations on the traditional path through the Consolidated Rules transition window.


The platform

Four products. One authorization boundary. One audit surface.

Run independently, each product stands on its own. Run together, they compose into a single evidence pipeline — from the edge request that authorizes access, through the AI-assisted change that ships the code, to the KSI emission that lands in the 20x authorization package and the OSCAL artifact your 3PAO reads.

engine / evidence-ledger · live
Time | Source | Event | Control | Artifact
09:14:08 | Beacon | KSI-IAM-01 · phishing-resistant MFA · pass | IA-2(1), IA-2(11) | 20x-pkg §iam-01
09:14:22 | Citadel | pack cm8-inventory · 247 hosts · rows 101,924 | CM-8, CM-8(1) | ssp.json §cm-8
09:14:48 | NAICOM | session naic-f804 · role=code · NCC-441 | SA-11, SI-7 | ssp.json §sa-11
09:16:03 | NAICOM | commit 3b9d017 · prompt NCC-441-patch.md | CM-3, CM-5 | ssp.json §cm-3
09:16:21 | Engine | control refresh · AC-2 · drift=0 | AC-2 | ssp.json §ac-2
09:17:05 | Engine | POA&M PM-2026-0147 · verified closed | SI-2 | poam.json §147
6 events · 4 sources · signed · 20x-package + OSCAL-linked · forwarded to splunk-prod

One evidence pipeline

Every event inside the boundary — access, AI work, control change — lands in the same OSCAL record. Auditors see one surface, not three.

Control coverage by design

AC, SC, AU, CM, SA, SI, and AI-RMF families are covered natively by the stack. No manual attestation pass.

Signed, tamper-evident

Every event is signed at its source. The evidence ledger is verifiable end-to-end without trusting Novaprospect.

Deploys in your boundary

The entire stack runs inside your authorization boundary. Customer data, policy, sessions, and audit records never leave your environment.

Compliance

Built for regulated environments.

Every architectural decision is made with government authorization in mind — not bolted on after the fact.

FedRAMP 20x

Native KSI emission against the Phase 2 Moderate baseline. Designed for the Q3-Q4 2026 wide-adoption window when 20x becomes the default authorization pathway.

Consolidated Rules 2026

Generates the machine-readable authorization package mandated by RFC-0024, effective September 30, 2026. No template files.

NIST 800-53 Rev 5

Full control-family coverage tracked against the Rev 5 baseline for organizations on the traditional path. POA&M and OSCAL artifacts built in.

DoD IL2 / IL4 / IL5

Architecture aligned to the DoD Cloud Computing SRG. IL2 authorization is the near-term target with IL4 / IL5 defined on the roadmap.

About

About Novaprospect

Novaprospect, LLC is a New Mexico limited liability company. The company builds authorization, governance, and access-control software for organizations operating in regulated environments.

The product stack is purpose-built for compliance workloads. Every component is designed for reliability, auditability, and a clear path to FedRAMP and DoD IL authorization.

Contact

Get in touch about early access, partnerships, or general inquiries.