Free tool ยท in-browser
NOTHING LEAVES YOUR BROWSER ๐FedRAMP 20x KSI Quick Check.
Paste an Okta policy or a Terraform plan. Get a pass/fail against a FedRAMP 20x Key Security Indicator, with the evidence Beacon would emit if it were running inside your boundary. All evaluation runs in your browser โ no upload, no telemetry, no auth.
Privileged-access authentication policy must enforce phishing-resistant factors (webauthn, fido2) and disallow SMS, TOTP, email, and push factors.
NIST 800-53 Rev 5 mapping: IA-2(1), IA-2(2), IA-2(11)
Paste a simplified Okta authentication-policy export. Required fields: factors.allowed and factors.disallowed.
Evaluates locally in JavaScript. Same logic as the open-source evaluator.
How it works
Same logic. In your browser.
Each KSI is a single, automatable check. The two implemented here read the configuration you paste, evaluate the rule, and emit a signed-shape result with the evidence behind the verdict โ the same structure Beacon writes to a FedRAMP 20x authorization package.
The evaluators are the same code as the open-source reference implementation, ported to TypeScript so it runs entirely client-side. Your input is parsed and evaluated in your tab; nothing is sent over the network.
Coverage today is two indicators. The full Phase 2 Moderate baseline is 61 KSIs across seven categories โ Beacon implements the full set under a customer-held signing key, on the three-day cadence the program asks for.
Want this for all 61 KSIs, continuously, signed?
That's Beacon. Design partners are open through the FedRAMP 20x Phase 2 and early Phase 3 window.