
FedRAMP Management Engine

Authorization automation, derived from your real infrastructure.

The Engine automates FedRAMP authorization and continuous monitoring by reading live infrastructure state and generating OSCAL-native artifacts. It deploys inside your authorized boundary, so customer data never leaves your environment.

The problem

Compliance is measured in man-years, not man-hours.

Initial FedRAMP authorization routinely consumes two to four full-time engineers for 12 to 24 months. Continuous monitoring then consumes them indefinitely: monthly ConMon deliverables, quarterly scans, annual reassessments, POA&M tracking, SSP drift reviews.

Most of that work is reconciliation between what the SSP says the system does and what the system actually does. The artifacts are static; the infrastructure is not.

The Engine inverts the model: the infrastructure is the source of truth, and the artifacts are generated from it.

How it works

Four pillars of automated authorization.

Each pillar produces a concrete artifact the platform generates, retains, and keeps current against live infrastructure state.

01

Infrastructure-derived control state

Control implementation status is read from live infrastructure (Terraform state, cloud APIs, Kubernetes, IAM policy), not from spreadsheets. If the infrastructure drifts, the SSP reflects it on the next reconciliation pass.

02

OSCAL-native artifacts

SSP, SAP, SAR, and POA&M documents are generated in NIST OSCAL format. Hand off to your 3PAO as machine-readable JSON, not 400-page Word documents.

03

Continuous evidence collection

Per-control evidence is captured on a schedule and timestamped. Vulnerability scans, configuration baselines, access reviews, and change records become queryable evidence — not screenshots in SharePoint.

04

POA&M lifecycle management

Findings flow from scanner → POA&M entry → remediation commit → verification. Every state change is logged and linked to the change that caused it.

At a glance

Every control family, live.

Implementation status is computed against live infrastructure on every reconciliation pass. No spreadsheet. No quarterly rollup.

engine / control-coverage · baseline=Moderate
AC Access Control · 94%
AT Awareness & Training · 100%
AU Audit & Accountability · 88%
CA Assessment & Authorization · 75%
CM Configuration Management · 91%
CP Contingency Planning · 83%
IA Identification & Auth · 96%
IR Incident Response · 100%
MA Maintenance · 92%
MP Media Protection · 100%
PE Physical & Environmental · 100%
PL Planning · 87%
PS Personnel Security · 100%
RA Risk Assessment · 80%
SA System & Services Acq · 72%
SC System & Comm Protection · 89%
SI System & Information Integ. · 58%
SR Supply Chain Risk Mgmt · 71%
Implemented 287 · In Progress 24 · Inherited 43 · Not Started 14

Integrations

Reads the systems you already run.

The Engine ingests the infrastructure and security tooling that's already in your environment. No parallel inventory. No duplicate data entry.

Infrastructure & cloud

Controls are mapped to the IaC modules and cloud resources that implement them. When Terraform state changes, the SSP reflects it on the next reconciliation run.

  • Terraform, CloudFormation, Pulumi, and Helm state ingestion.
  • AWS GovCloud, Azure Government, Google Cloud Assured Workloads.
  • Kubernetes admission policy and service-mesh configuration.
  • Cloud IAM, KMS, logging, and backup service inventories.
control / AC-2
AC-2 Account Management IMPLEMENTED
Impact: Moderate · Family: Access Control
Implemented by
terraform/modules/iam/sso.tf
terraform/modules/iam/roles.tf
k8s/overlays/prod/rbac.yaml
Evidence (last 30 days)
Access review · Q2 ✓ 2026-04-15
SCIM provisioning log ✓ live
Inactive account sweep ✓ 2026-04-18
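The reconciliation step behind pillar 01 and the Terraform ingestion above, as an added example that is not the Engine's code: it parses a `terraform show -json` document (real Terraform field names, including nested `child_modules`), evaluates each control against the resources that implement it, lists the implementing addresses the way the AC-2 card does, and diffs the result against the previous pass to surface drift as POA&M candidates. The control-to-resource rules for CM-8, SC-28 and AU-12 and the sample state are assumptions constructed for this example; the Engine's own mapping is not published on the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Minimal view of a `terraform show -json` document (field names are Terraform's).
type Resource struct {
	Address string                 `json:"address"`
	Type    string                 `json:"type"`
	Values  map[string]interface{} `json:"values"`
}

type tfModule struct {
	Resources    []Resource `json:"resources"`
	ChildModules []tfModule `json:"child_modules"`
}

type tfState struct {
	Values struct {
		RootModule tfModule `json:"root_module"`
	} `json:"values"`
}

// flatten walks the root module and every nested module so module-scoped
// resources (module.db.aws_db_instance.main) are inventoried too.
func flatten(m tfModule, out *[]Resource) {
	*out = append(*out, m.Resources...)
	for _, c := range m.ChildModules {
		flatten(c, out)
	}
}

// Check ties one control to the resources that implement it: Applies selects
// the in-scope resources, Passes says whether a given one satisfies the control.
type Check struct {
	ControlID string
	Applies   func(Resource) bool
	Passes    func(Resource) bool
}

type ControlStatus struct {
	ControlID     string
	Status        string   // "implemented", "in-progress", "not-started"
	ImplementedBy []string // addresses that satisfy the control (the SSP's "Implemented by")
	Failing       []string // in-scope addresses that do not
}

func boolAttr(r Resource, key string) bool { v, _ := r.Values[key].(bool); return v }

// Hypothetical control-to-resource rules; the Engine's real mapping is not published.
var checks = []Check{
	// CM-8: every managed resource is inventory.
	{"cm-8", func(Resource) bool { return true }, func(Resource) bool { return true }},
	// SC-28: block and database storage must be encrypted at rest.
	{"sc-28",
		func(r Resource) bool { return r.Type == "aws_ebs_volume" || r.Type == "aws_db_instance" },
		func(r Resource) bool { return boolAttr(r, "encrypted") || boolAttr(r, "storage_encrypted") }},
	// AU-12: the org trail must cover all regions with log-file validation on.
	{"au-12",
		func(r Resource) bool { return r.Type == "aws_cloudtrail" },
		func(r Resource) bool { return boolAttr(r, "is_multi_region_trail") && boolAttr(r, "enable_log_file_validation") }},
}

// Reconcile computes every control's status from one state snapshot.
func Reconcile(stateJSON []byte) (map[string]ControlStatus, error) {
	var st tfState
	if err := json.Unmarshal(stateJSON, &st); err != nil {
		return nil, err
	}
	var rs []Resource
	flatten(st.Values.RootModule, &rs)
	out := map[string]ControlStatus{}
	for _, c := range checks {
		cs := ControlStatus{ControlID: c.ControlID, Status: "not-started"}
		for _, r := range rs {
			switch {
			case !c.Applies(r):
			case c.Passes(r):
				cs.ImplementedBy = append(cs.ImplementedBy, r.Address)
			default:
				cs.Failing = append(cs.Failing, r.Address)
			}
		}
		sort.Strings(cs.ImplementedBy)
		sort.Strings(cs.Failing)
		switch {
		case len(cs.ImplementedBy) > 0 && len(cs.Failing) == 0:
			cs.Status = "implemented"
		case len(cs.ImplementedBy) > 0:
			cs.Status = "in-progress"
		}
		out[c.ControlID] = cs
	}
	return out, nil
}

// Drift lists controls whose status changed since the previous pass; each
// line is a POA&M candidate.
func Drift(prev, cur map[string]ControlStatus) []string {
	var d []string
	for id, c := range cur {
		if p, ok := prev[id]; ok && p.Status != c.Status {
			d = append(d, fmt.Sprintf("%s: %s -> %s", id, p.Status, c.Status))
		}
	}
	sort.Strings(d)
	return d
}

// Constructed sample in the shape of `terraform show -json`; contents are invented.
const sampleState = `{"format_version":"1.0","values":{"root_module":{
 "resources":[
  {"address":"aws_cloudtrail.org","type":"aws_cloudtrail",
   "values":{"is_multi_region_trail":true,"enable_log_file_validation":true}},
  {"address":"aws_ebs_volume.app","type":"aws_ebs_volume","values":{"encrypted":true}}],
 "child_modules":[{"address":"module.db","resources":[
  {"address":"module.db.aws_db_instance.main","type":"aws_db_instance",
   "values":{"storage_encrypted":false}}]}]}}}`

func main() {
	cur, err := Reconcile([]byte(sampleState))
	if err != nil {
		panic(err)
	}
	for _, id := range []string{"cm-8", "sc-28", "au-12"} {
		c := cur[id]
		fmt.Printf("%-6s %-12s by=%v failing=%v\n", id, c.Status, c.ImplementedBy, c.Failing)
	}
	// The previous pass saw the database encrypted; this pass does not.
	prev := map[string]ControlStatus{"sc-28": {ControlID: "sc-28", Status: "implemented"}}
	fmt.Println("drift:", Drift(prev, cur))
}
```

Run it against the output of `terraform show -json` from a real workspace and the unencrypted RDS instance surfaces as SC-28 moving from implemented to in-progress; that transition, not a quarterly spreadsheet review, is what opens the POA&M candidate.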

Security tooling & ticketing

Findings from scanners and CSPM tools flow into the POA&M automatically. Remediation commits close the loop — each closure is linked to the change that verified it.

  • Vulnerability scanners — Tenable, Qualys, Wiz, Prisma Cloud.
  • SIEM & logging — Splunk, Elastic, Chronicle, Sentinel.
  • Ticketing — Jira, ServiceNow, Linear, GitHub Issues.
  • Identity — Okta, Entra ID, Authentik (for AC-family evidence).
poa&m / PM-2026-0147
CVE-2026-1143 · openssl
Control: SI-2 · Severity: High
CLOSED
2026-04-12 opened by Tenable scan 8f3a
2026-04-14 linked to NCC-441
2026-04-18 remediation · commit 3b9d017
2026-04-19 verified · clean rescan
7-day remediation · within SLA · evidence retained

POA&M queue

Every open POA&M has an owner, a control reference, a severity, and an SLA clock. The queue view is the day-to-day operational surface for your SecOps, DevOps, and GRC teams.

engine / poam-queue · 12 open
ID | Finding | Control | Severity | Owner | SLA
PM-2026-0151 | rpm drift · app-03.prod · new openssl build | CM-8, SI-7 | moderate | DevOps | 7 days
PM-2026-0150 | SAST finding · container image cve-2026-1143 | SI-2, SA-11 | high | SecOps | 2 days
PM-2026-0149 | ConMon evidence gap · AC-2 quarterly review | AC-2, CA-7 | moderate | GRC Team | 14 days
PM-2026-0148 | NAICOM receipt missing signature on 2 commits | SA-11, AU-2 | moderate | Eng Lead | 21 days
PM-2026-0147 | openssl CVE-2026-1143 · 3 services | SI-2 | closed | DevOps | verified
filters: status=open · baseline=moderate · 5 of 12 shown
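The POA&M lifecycle of pillar 04 (scanner → entry → remediation commit → verification), the PM-2026-0147 timeline card, and the SLA clock in the queue, as an added example that is not the Engine's code: a small state machine in which every transition must carry the reference that caused it, shortcuts such as open → closed are refused, a dirty rescan reopens the entry, and the SLA clock is derived from severity. The remediation windows are assumed to be the FedRAMP ConMon ones (High 30 days, Moderate 90, Low 180 from discovery); the page does not publish the Engine's SLA table, and the scan, ticket, commit and rescan references are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

type State string

const (
	Open       State = "open"       // finding ingested from a scanner
	Linked     State = "linked"     // tied to a ticket or change record
	Remediated State = "remediated" // fix committed, awaiting verification
	Closed     State = "closed"     // clean rescan confirmed the fix
)

// Legal transitions. Anything else is rejected, so an entry cannot reach
// "closed" without a remediation reference and a verification reference behind it.
var allowed = map[State][]State{
	Open:       {Linked, Remediated},
	Linked:     {Remediated},
	Remediated: {Closed, Open}, // a dirty rescan reopens the finding
}

// Remediation windows by severity. Assumed to follow the FedRAMP ConMon
// requirement (High 30 days, Moderate 90, Low 180 from discovery); the page
// does not publish the Engine's SLA table.
var sla = map[string]time.Duration{
	"high":     30 * 24 * time.Hour,
	"moderate": 90 * 24 * time.Hour,
	"low":      180 * 24 * time.Hour,
}

// Event is one logged state change linked to the change that caused it.
type Event struct {
	At  time.Time
	To  State
	Ref string // scan id, ticket, commit hash, rescan id
}

type Entry struct {
	ID, Control, Severity, Owner string
	Opened                       time.Time
	State                        State
	History                      []Event
}

func NewEntry(id, control, severity, owner string, opened time.Time, scanRef string) *Entry {
	return &Entry{ID: id, Control: control, Severity: severity, Owner: owner, Opened: opened,
		State: Open, History: []Event{{At: opened, To: Open, Ref: scanRef}}}
}

// Transition applies one state change, refusing illegal moves and unreferenced ones.
func (e *Entry) Transition(at time.Time, to State, ref string) error {
	if ref == "" {
		return errors.New(e.ID + ": every transition must reference the change that caused it")
	}
	for _, s := range allowed[e.State] {
		if s == to {
			e.State = to
			e.History = append(e.History, Event{At: at, To: to, Ref: ref})
			return nil
		}
	}
	return fmt.Errorf("%s: illegal transition %s -> %s", e.ID, e.State, to)
}

func (e *Entry) Deadline() time.Time { return e.Opened.Add(sla[e.Severity]) }

// DaysRemaining is the SLA clock shown in the queue; negative means overdue.
func (e *Entry) DaysRemaining(now time.Time) int {
	return int(e.Deadline().Sub(now).Hours() / 24)
}

// WithinSLA reports whether a closed entry was verified before its deadline.
func (e *Entry) WithinSLA() bool {
	if e.State != Closed {
		return false
	}
	return !e.History[len(e.History)-1].At.After(e.Deadline())
}

func day(s string) time.Time { t, _ := time.Parse("2006-01-02", s); return t }

func main() {
	// Replay PM-2026-0147 from the page's timeline (references constructed).
	e := NewEntry("PM-2026-0147", "SI-2", "high", "DevOps", day("2026-04-12"), "tenable:8f3a")
	steps := []struct {
		at  string
		to  State
		ref string
	}{
		{"2026-04-14", Linked, "NCC-441"},
		{"2026-04-18", Remediated, "commit:3b9d017"},
		{"2026-04-19", Closed, "rescan:clean"},
	}
	for _, s := range steps {
		if err := e.Transition(day(s.at), s.to, s.ref); err != nil {
			panic(err)
		}
	}
	fmt.Printf("%s %s within-sla=%v\n", e.ID, e.State, e.WithinSLA())
	for _, h := range e.History {
		fmt.Printf("  %s %-10s %s\n", h.At.Format("2006-01-02"), h.To, h.Ref)
	}
	// Shortcut attempt: closing straight from "open" is refused.
	bad := NewEntry("PM-2026-0150", "SI-2", "high", "SecOps", day("2026-04-20"), "sast:img-1143")
	fmt.Println(bad.Transition(day("2026-04-21"), Closed, "rescan:clean"))
}
```

The refusal path is the point: a POA&M that can be closed by editing a status field is a spreadsheet with extra steps, whereas one that only closes through a remediated state with a rescan reference is evidence an assessor can follow back to the change.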

Paired with the platform

Three evidence sources. One OSCAL record.

The Engine is designed to ingest evidence from Citadel and NAICOM natively. Access events, AI session receipts, and infrastructure state all land in the same OSCAL SSP — with per-control origin references your assessor can verify.

Citadel host state
Signed osquery results → CM, SI, AU families
NAICOM AI operations
Session receipts → SA-11, SI-7, CM-3/5, AU-2
Engine infrastructure
Live infra scan → CM, SI, SC families

OSCAL SSP

One control-implementation stanza per control

Every origin reference in the SSP points back to a signed event from Citadel, a session receipt from NAICOM, or a live infra-scan artifact. Nothing is hand-keyed. Note that origin-refs is an Engine extension rather than a field of the OSCAL implemented-requirement object; OSCAL tooling that validates strictly against the schema may reject it unless the same data is also carried as props or links.

ssp.json → control-implementation § cm-8
"implemented-requirement": {
  "control-id": "cm-8",
  "description": "System Component Inventory",
  "origin-refs": [
    {
      "source": "citadel",
      "kind":   "osquery-result",
      "pack":   "cm8-inventory",
      "hosts":  247,
      "sig":    "ed25519:4b01…"
    },
    {
      "source": "naicom",
      "kind":   "session-receipt",
      "ref":    "naic-f804",
      "sig":    "ed25519:8c3a…"
    },
    {
      "source": "engine",
      "kind":   "infra-scan",
      "ref":    "tf-state-2026-04-21",
      "sig":    "ed25519:e019…"
    }
  ],
  "last-verified": "2026-04-21T09:16:21Z"
}
3 origin refs · all signatures verified · drift=0

Evidence, not attestation

Every origin reference in the SSP points to a signed event, verifiable without trusting Novaprospect.
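What "verifiable without trusting Novaprospect" means in practice for the cm-8 stanza above, as an added example that is not the Engine's or an assessor's code: the assessor holds a registry of the Citadel, NAICOM and Engine signing public keys and checks every origin-ref's ed25519 signature with them, so a ref that was tampered with after signing, or that names a source with no trusted key, fails closed. The page does not say what bytes the signature covers; this example assumes it is the canonical JSON of the ref with the sig field removed, and the keys and ref values are generated and constructed for the run.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// OriginRef holds one origin-ref as it appears in the page's stanza. The page
// does not state what is signed; assumed here: canonical JSON of the ref minus "sig".
type OriginRef map[string]interface{}

func canonical(ref OriginRef) ([]byte, error) {
	c := OriginRef{}
	for k, v := range ref {
		if k != "sig" {
			c[k] = v
		}
	}
	return json.Marshal(c) // encoding/json emits map keys sorted: deterministic bytes
}

// Registry maps an evidence source to the public key the assessor trusts for it.
// Holding these keys independently of the vendor is what removes the vendor from the trust path.
type Registry map[string]ed25519.PublicKey

// Sign attaches an "ed25519:<hex>" signature in the page's format.
func Sign(ref OriginRef, priv ed25519.PrivateKey) error {
	msg, err := canonical(ref)
	if err != nil {
		return err
	}
	ref["sig"] = "ed25519:" + hex.EncodeToString(ed25519.Sign(priv, msg))
	return nil
}

// Verify checks one ref; unknown sources and malformed or mismatched signatures all fail.
func Verify(ref OriginRef, reg Registry) error {
	src, _ := ref["source"].(string)
	pub, ok := reg[src]
	if !ok {
		return fmt.Errorf("no trusted key for source %q", src)
	}
	sigStr, _ := ref["sig"].(string)
	sig, err := hex.DecodeString(strings.TrimPrefix(sigStr, "ed25519:"))
	if !strings.HasPrefix(sigStr, "ed25519:") || err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("missing, non-ed25519, or malformed signature")
	}
	msg, err := canonical(ref)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return fmt.Errorf("signature mismatch on %s ref", src)
	}
	return nil
}

// VerifyStanza checks every origin-ref of one implemented-requirement and returns
// how many verified. A stanza with no refs is narrative, not evidence.
func VerifyStanza(stanza map[string]interface{}, reg Registry) (int, error) {
	refs, _ := stanza["origin-refs"].([]interface{})
	if len(refs) == 0 {
		return 0, errors.New("no origin-refs: narrative without evidence")
	}
	for i, r := range refs {
		m, ok := r.(map[string]interface{})
		if !ok {
			return i, fmt.Errorf("origin-ref %d is not an object", i)
		}
		if err := Verify(OriginRef(m), reg); err != nil {
			return i, err
		}
	}
	return len(refs), nil
}

// BuildSample generates throwaway keys for the three sources and signs refs
// modelled on the page's cm-8 stanza. Values are constructed, not real evidence.
func BuildSample() (map[string]interface{}, Registry, error) {
	reg := Registry{}
	refs := []OriginRef{
		{"source": "citadel", "kind": "osquery-result", "pack": "cm8-inventory", "hosts": 247},
		{"source": "naicom", "kind": "session-receipt", "ref": "naic-f804"},
		{"source": "engine", "kind": "infra-scan", "ref": "tf-state-2026-04-21"},
	}
	var signed []interface{}
	for _, r := range refs {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		reg[r["source"].(string)] = pub
		if err := Sign(r, priv); err != nil {
			return nil, nil, err
		}
		signed = append(signed, map[string]interface{}(r))
	}
	return map[string]interface{}{"control-id": "cm-8", "origin-refs": signed}, reg, nil
}

func main() {
	stanza, reg, err := BuildSample()
	if err != nil {
		panic(err)
	}
	n, err := VerifyStanza(stanza, reg)
	fmt.Println("verified:", n, "err:", err)
	// Tamper with the host count after signing: the citadel ref must now fail.
	stanza["origin-refs"].([]interface{})[0].(map[string]interface{})["hosts"] = 246
	_, err = VerifyStanza(stanza, reg)
	fmt.Println("after tamper:", err)
}
```

Two things to pin down with the vendor before relying on this in an assessment: the exact canonicalisation of the signed bytes (a JSON round-trip that reorders keys or changes number formatting must not invalidate a signature), and how the per-source public keys are distributed and rotated, since a registry fetched from the same party that generates the SSP puts the vendor back in the trust path.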

Control families covered

AC, SC, AU, CM, SA, SI, and AI-RMF Map/Measure covered natively across the stack.

One audit surface

Assessors review one OSCAL artifact per control — not three siloed systems that have to be reconciled.

Stays current automatically

Drift between SSP narrative and live state is detected on every reconciliation cycle and surfaced as a POA&M candidate.

Compliance alignment

Machine-readable from day one.

The Engine speaks the formats FedRAMP, the PMO, and your 3PAO already use.

NIST 800-53 Rev 5

Full control-family coverage against the Rev 5 baseline. Low, Moderate, and High impact profiles are supported.

FedRAMP Moderate · High · LI-SaaS

Native baseline templates for each FedRAMP authorization path, including the newer LI-SaaS profile.

OSCAL 1.x

Read and write OSCAL SSP, component definitions, assessment plans, and POA&M documents. Interoperates with any OSCAL-aware tooling.

Architecture

Inherits your boundary, not ours.

The Engine is delivered as Docker containers with Helm charts and Terraform modules. It runs inside your existing authorization boundary — on-premises, customer cloud, or GovCloud tenant — under your controls.

Read access to your infrastructure is provided through short-lived cloud credentials scoped to inventory and configuration APIs. The Engine never writes to production systems; it writes OSCAL artifacts and evidence to a customer-owned data store.

Because the Engine runs inside your boundary, using it does not depend on Novaprospect holding its own FedRAMP authorization. A managed GovCloud SaaS offering is on the roadmap once the company's own authorization is complete.

Ready to cut your ConMon overhead?

Early-access pilots are open to organizations pursuing or maintaining FedRAMP Moderate, High, or LI-SaaS authorization.

Get in touch