Beacon
BETA · DESIGN PARTNERS
Key Security Indicators, emitted continuously.
FedRAMP 20x replaces annual ConMon paperwork with a continuous stream of Key Security Indicators, machine-validated against the infrastructure that actually runs your service. Beacon emits that stream from inside your boundary, signed, in the machine-readable format the program is moving to.
The shift
ConMon becomes a signal, not a deliverable.
Traditional FedRAMP ConMon centers on a monthly artifact: vulnerability scans rolled up, POA&Ms summarized, an SSP reconciled against whatever has drifted. The cadence is paperwork, the rhythm is quarterly, and the work is reconciliation.
FedRAMP 20x changes the shape of the obligation. Authorization is structured around Key Security Indicators: measurable, automatable outcomes that replace the 325+ Rev 5 controls with about 60 indicators per impact level. The program asks for those indicators continuously, not on a quarterly cycle. For 20x Moderate, the floor is one validation pass every three days.
Beacon is the piece that produces those indicators. It reads your cloud, Kubernetes, identity, and configuration state directly, evaluates each KSI against current infrastructure, and emits a signed evidence package the FedRAMP Management Engine (or any RFC-0024 consumer) can hold as the authoritative record.
How it works
Four pillars of continuous KSI emission.
Each pillar produces a concrete artifact Beacon emits, retains, and keeps current against live infrastructure state, under your signing key, inside your boundary.
Reads infrastructure, emits indicators
Beacon reads cloud, Kubernetes, IAM, and identity state directly, then emits Key Security Indicators against the FedRAMP 20x baselines. 56 KSIs for Low, 61 for Moderate, mapped to the categories the program publishes: CNA, IAM, SVC, CMT, monitoring, recovery.
Three-day persistent validation
For 20x Moderate, KSI validation must run at least every three days. Beacon runs continuously by default; the three-day window is a fallback, not a target. Each emission is a signed, machine-readable record of what was true when it ran.
Machine-readable, RFC-0024 ready
Beacon writes the FedRAMP machine-readable package format that becomes mandatory September 30, 2026 under RFC-0024. JSON-first; OSCAL when your authorization is on the Rev 5 path. The output is the artifact the assessor reads, with no template intermediary.
Signed at the source
Every KSI emission is signed with ed25519 inside your boundary before it lands in any evidence ledger. The 3PAO verifies the signature, not Novaprospect. Tamper-evident across the chain from infra read to authorization package.
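A consumer-side check for the two properties described above, the ed25519 signature and the three-day validation window, as an added example (not Beacon's code and not the RFC-0024 format). Assumptions: the signature covers every field except "sig" as re-serialized by Go's encoding/json, the "ed25519:" prefix is followed by hex, and the key is a constructed all-zero seed; field names follow the KSI-IAM-01 sample record on this page.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Sign is the emitter side, used here only to build the constructed sample.
// ASSUMPTION: the signature covers every field except "sig", serialized by
// encoding/json (object keys sorted, no whitespace), and is hex-encoded.
func Sign(priv ed25519.PrivateKey, em map[string]interface{}) ([]byte, error) {
	delete(em, "sig")
	body, _ := json.Marshal(em)
	em["sig"] = "ed25519:" + hex.EncodeToString(ed25519.Sign(priv, body))
	return json.Marshal(em)
}

// Verify rejects an emission that is unsigned, altered, or older than 72h.
func Verify(pub ed25519.PublicKey, raw []byte, now time.Time) error {
	var em map[string]interface{}
	if err := json.Unmarshal(raw, &em); err != nil {
		return err
	}
	s, _ := em["sig"].(string)
	sig, err := hex.DecodeString(strings.TrimPrefix(s, "ed25519:"))
	delete(em, "sig")
	body, _ := json.Marshal(em)
	if err != nil || !strings.HasPrefix(s, "ed25519:") || !ed25519.Verify(pub, body, sig) {
		return errors.New("signature missing or invalid")
	}
	at, _ := em["evaluated-at"].(string)
	if t, err := time.Parse(time.RFC3339, at); err != nil || now.Sub(t) > 72*time.Hour {
		return errors.New("emission stale or undated: " + at)
	}
	return nil
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, 32)) // constructed key, sample only
	raw, _ := Sign(priv, map[string]interface{}{"ksi-id": "KSI-IAM-01",
		"result": "pass", "evaluated-at": "2026-05-15T11:42:08Z"})
	pub := priv.Public().(ed25519.PublicKey)
	fmt.Println(Verify(pub, raw, time.Date(2026, 5, 16, 0, 0, 0, 0, time.UTC)))
}
```

A real verifier would obtain the public key out of band and follow whatever serialization the package format defines, rather than the one assumed here.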
Coverage
Every KSI category, emitted live.
Beacon implements the seven KSI categories published by FedRAMP for the 20x Phase 2 Moderate baseline. Coverage numbers below reflect what's shipping in the design-partner beta.
A single KSI, end to end
Phishing-resistant MFA, every three days.
KSI-IAM-01 asks for phishing-resistant MFA on privileged access. Beacon reads your identity provider's policy, evaluates the rule, and emits a signed result, not a narrative attestation.

    "ksi-emission": {
      "ksi-id": "KSI-IAM-01",
      "baseline": "20x-moderate",
      "description": "Phishing-resistant MFA on privileged access",
      "result": "pass",
      "evaluated-at": "2026-05-15T11:42:08Z",
      "evidence": {
        "source": "okta-policy-api",
        "policy-id": "00p1k4z3a2cN9rT",
        "factors": ["webauthn", "fido2"],
        "disallowed": ["sms", "totp", "email", "push"],
        "scope": "privileged-users (n=14)"
      },
      "rev5-mapping": ["IA-2(1)", "IA-2(2)", "IA-2(11)"],
      "sig": "ed25519:8c3a91…"
    }
Compliance alignment
Built for the rules as they're being written.
Beacon tracks the consolidated rules and RFC outcomes as they land. What ships today is what works with the Phase 2 Moderate spec; what ships next quarter follows the rules into Phase 3.
FedRAMP 20x · Phase 2 / Phase 3
Emits against the 56-KSI Low and 61-KSI Moderate baselines published in RFC-0006 and the Phase 2 Moderate spec. Tracks the consolidated rules as they finalize through June 2026.
RFC-0024 machine-readable packages
Generates the FedRAMP machine-readable package format mandated for all CSPs (Rev 5 and 20x) by September 30, 2026.
NIST 800-53 Rev 5 mapping
Each KSI carries its Rev 5 control mapping so organizations on the traditional path can use the same infrastructure scans for OSCAL evidence.
Architecture
Inside your boundary. Under your signing key.
Beacon is delivered as a single container with Helm and Terraform modules. It runs inside your authorization boundary (on-prem, customer cloud, or GovCloud tenant) and reads infrastructure through short-lived credentials scoped to inventory and configuration APIs.
Every emission is signed with a key generated and held inside your boundary. The signature is what makes the evidence assessor-verifiable; Novaprospect is never on the trust path.
Beacon writes emissions to a customer-owned data store. The FedRAMP Management Engine consumes them natively, but the format is RFC-0024-compliant, so any conforming consumer works.
Design partner program
A small cohort, through Phase 3.
We're working with a small number of CSPs through the FedRAMP 20x Phase 2 and early Phase 3 window. The design partner program is for organizations already in or planning to apply for the program this calendar year.
Partners get the running Beacon build, direct input on the KSI emitter implementations, and the rev-by-rev coverage updates as the consolidated rules finalize. The intent is two-way: we want the implementation feedback as much as you want the tooling.
Elsewhere in the platform
FedRAMP Management Engine
Holds Beacon's KSI emissions as the authorization package record. Generates Rev 5 OSCAL alongside the 20x machine-readable package.
Citadel
Signed osquery results feed Beacon as the host-side input for KSI-CNA and KSI-CMT categories.
NAICOM
Session receipts feed Beacon as evidence for KSI-MLA (monitoring/logging) categories.
Build against 20x while the rules are still being written.
The Consolidated Rules 2026 finalize at the end of June. The machine-readable package requirement is mandatory September 30. Beacon is for teams who want to be ready for both before they land.
Become a design partner