FedRAMP Authorization While Maintaining Continuous Delivery

by | Compliance

a blue and white logo

FedRAMP Authorization While Maintaining Continuous Delivery

The practical reality of pursuing FedRAMP authorization for a cloud-based security management platform without freezing your release pipeline — how to structure continuous monitoring, automate OSCAL documentation, maintain an Authority to Operate, and still ship updates on a regular cadence.

There's a persistent misconception in our industry that FedRAMP authorization means your release pipeline stops. That the documentation overhead is so heavy, the change control process so rigid, and the assessment cycle so slow that the only way to get through it is to freeze your product, write the paperwork, pass the audit, and then figure out how to start shipping again.

IVO Networks builds network security appliances — hardware that sits in federal data centers processing encrypted traffic. Those appliances carry their own compliance requirements: FIPS 140 validation for cryptographic modules, DISA STIGs for hardening, Common Criteria evaluations. But alongside the hardware, we operate ASAFE — our cloud-based monitoring, reporting, and management platform that provides real-time visibility into VPN infrastructure health, high-availability failover, TPM security chip management, and centralized configuration for deployed appliances. ASAFE is a cloud service offering. When your federal customers need to consume a cloud service, that means FedRAMP.

ASAFE provides real-time monitoring of VPN infrastructure need timely updates — vulnerability patches, new monitoring capabilities, dashboard improvements, integration enhancements. Telling customers "we're pausing updates for eighteen months while we get authorized" was never an option. So we built our authorization process around our delivery pipeline, not the other way around.

This post covers the practical engineering and process decisions that make that work. Not the theoretical framework — the actual implementation.

Understanding What FedRAMP Actually Requires

Before you can build a process that satisfies FedRAMP without freezing your pipeline, you need to understand what FedRAMP actually cares about. It's not "don't change anything." It's "know what you changed, assess the security impact, document it, and prove your security posture hasn't degraded."

FedRAMP is built on NIST SP 800-53 Rev 5 security controls — hundreds of them, organized across families like Access Control, Configuration Management, Incident Response, and System and Information Integrity. For each control, you document how your system implements it in a System Security Plan (SSP). A Third-Party Assessment Organization (3PAO) independently validates your implementation. An agency Authorizing Official (AO) reviews the assessment and issues an Authority to Operate (ATO). Then you enter continuous monitoring — which is where the real work begins.

Continuous monitoring (ConMon) isn't a gate you pass through once. It's an ongoing operational obligation: monthly vulnerability scans and Plan of Action & Milestones (POA&M) submissions, annual assessments by your 3PAO covering core controls plus a rotating subset so all controls are reviewed within a three-year cycle, and remediation timelines that FedRAMP enforces — 30 days for high-severity findings, 90 days for moderate, 180 days for low. Miss those timelines, and your AO has a defined escalation path that can lead to ATO revocation.

None of this says "don't ship updates." All of it says "when you ship updates, know exactly what changed and what it means for your security posture."

The Change Control Problem

The tension between FedRAMP and continuous delivery lives in change control. FedRAMP requires that all changes to an authorized system go through a security impact analysis. Changes that affect the security posture — the system boundary, data flows, authentication mechanisms, encryption implementations, or anything that touches a documented security control — are classified as significant changes. Significant changes require notification, documentation, and in some cases re-assessment by your 3PAO before or shortly after implementation.

If every platform release is a significant change that requires pre-approval and re-assessment, you can't ship on a regular cadence. The assessment timelines alone would throttle your pipeline to a crawl.

The solution isn't to avoid significant changes. It's to architect your system and your release process so that routine updates — the updates you ship most often — don't trigger significant change classification. And when a release genuinely does constitute a significant change, your documentation and assessment processes are fast enough that the release isn't blocked for weeks.

Separating the Security Boundary from the Release Boundary

The most important architectural decision we made was to clearly separate the components that define the FedRAMP security boundary from the components that change in a typical platform release.

The security boundary is defined in the SSP. It describes the system architecture, data flows, network boundaries, authentication mechanisms, encryption standards, and access control model. Changes to these elements are genuinely significant — they affect the documented security posture and require the full significant change process.

But most platform releases don't change any of those things. A typical release might improve dashboard rendering performance, fix a bug in the alerting engine, add a new monitoring metric, refine the failover detection algorithm, or enhance the TPM management workflow. These changes operate within the established security boundary. They don't alter data flows, change encryption mechanisms, or modify access control models. They're functional improvements to components that operate inside the documented architecture.

By designing the architecture with the security boundary explicitly in mind — and documenting it precisely enough that the distinction between "inside the boundary" and "changes the boundary" is unambiguous — we can classify most releases as routine changes that follow a streamlined change control process. Routine changes still get documented, still go through security impact analysis, and still appear in our configuration management records. But they don't require 3PAO re-assessment or AO pre-approval.

The key is that this classification has to be honest and defensible. You can't call everything "routine" to avoid the significant change process. Your 3PAO and your AO will see right through it, and you'll lose credibility — which is the one thing you can't afford to lose in a FedRAMP relationship.

Automating the SSP with OSCAL

The System Security Plan is the single largest documentation artifact in a FedRAMP authorization package. For a Moderate baseline, you're documenting implementation details for hundreds of controls. Traditionally, this has been a Word document — sometimes hundreds of pages — maintained manually, reviewed manually, and submitted as a static file.

That model is incompatible with continuous delivery. If every release requires updating a 400-page Word document by hand, reviewing it for consistency, and resubmitting it, your documentation process becomes the bottleneck that throttles your pipeline.

This is where OSCAL changes everything. The Open Security Controls Assessment Language, developed by NIST, is a set of standardized machine-readable formats (JSON, XML, YAML) for expressing security control information. Instead of a narrative Word document, your SSP becomes structured data — and structured data can be generated, validated, versioned, and updated programmatically.

FedRAMP has made this transition mandatory. RFC-0024, published in January 2026, requires all FedRAMP-authorized providers to submit machine-readable authorization packages. New authorizations must be submitted in an approved machine-readable format by September 30, 2026. Existing authorizations must transition by their next annual assessment after that date. Non-compliance by September 30, 2027 results in loss of FedRAMP certification.

Our SSP is maintained as structured data in version control — the same version control system that manages our source code. When a platform release changes a component that's referenced in a control implementation, the SSP data is updated in the same commit. The control implementation description, the component references, and the system metadata all stay synchronized with the codebase. We generate human-readable output (Word, PDF) from the OSCAL source for stakeholders who need it, but the authoritative SSP is the structured data.

The OSCAL SSP is validated automatically as part of our CI pipeline. Before a release is tagged, the pipeline runs the OSCAL data through schema validation and completeness checks: Are all required controls addressed? Are component references valid? Are Organization-Defined Parameters (ODPs) consistently applied? Do the control implementations reference the correct system components? These checks catch documentation drift before it reaches the 3PAO — not months later during an annual assessment.

Security Impact Analysis in the Pipeline

Every release goes through a security impact analysis. The question is whether that analysis is a manual gate that blocks the pipeline for days, or an integrated process that runs alongside development.

We built our security impact analysis as a structured checklist that maps directly to the SSP's control families. When an engineer opens a release candidate, the analysis template is pre-populated with the components affected by the release (derived from the commit history and the component-to-control mapping in the OSCAL data). The engineer and the security team assess each affected area: Does this change affect the system boundary? Does it modify data flows? Does it change authentication or access control? Does it alter encryption implementations? Does it introduce a new external dependency?

If the answer to all of those is "no," the change is classified as routine, documented in the configuration management log, and the release proceeds. If the answer to any of them is "yes," the change is classified as significant, and the significant change notification process initiates — which includes documenting the change for the AO, determining whether 3PAO assessment is required, and planning the assessment if it is.

The critical insight is that this analysis doesn't have to be slow. When the security boundary is well-defined and the component-to-control mapping is maintained in structured data, the impact analysis is straightforward. Most of the time, the engineer already knows the answer before the analysis starts — the checklist just formalizes and documents it.

Vulnerability Management at Release Cadence

FedRAMP's remediation timelines are non-negotiable: 30 days for high, 90 days for moderate, 180 days for low. If your release pipeline can only ship quarterly, you can't meet a 30-day remediation window for a high-severity finding that arrives the day after a release.

This is actually one of the strongest arguments for maintaining continuous delivery under FedRAMP, rather than abandoning it. A fast release pipeline is a security asset. When a vulnerability is disclosed in a component your platform depends on, the speed at which you can produce, test, and deploy a patched release directly determines whether you meet your remediation timeline.

Our vulnerability management process is tightly integrated with the release pipeline. Vulnerability scanners run against every build. New CVEs are automatically correlated against our software bill of materials (SBOM). When a CVE matches a component in our SBOM, it generates a finding that enters the POA&M workflow with the appropriate severity and remediation deadline. The engineering team sees the finding, the remediation timeline, and the affected component in the same tracking system they use for all development work.

The monthly POA&M submission to our AO is generated automatically from this tracking data. Open findings, remediation status, target completion dates, and risk mitigations are all maintained as structured data and exported in the required format. The monthly submission isn't a documentation exercise — it's a report generated from operational data that already exists.

Annual Assessments Without Stopping

The annual 3PAO assessment is the largest recurring compliance event in the FedRAMP lifecycle. The 3PAO tests a set of core controls plus a rotating subset of the full baseline, examines documentation, interviews personnel, and produces a Security Assessment Report (SAR). This process typically takes weeks, and it has to happen every year.

The mistake organizations make is treating the annual assessment as a special event that requires a code freeze. If your documentation is current, your evidence is continuously collected, and your controls are continuously monitored, the annual assessment is just a third-party verification of what you already know about your security posture. It doesn't require the system to stop changing.

We handle this by maintaining continuous assessment readiness. The OSCAL SSP is always current (because it's updated with every release). Vulnerability scan data is always available (because scans run with every build and on a regular schedule in production). POA&M data is always current (because it's maintained in real time). Configuration management records are always complete (because they're generated from the same pipeline that produces the platform releases).

When the 3PAO arrives for the annual assessment, they're examining a system that has current documentation, current evidence, and a clear audit trail of every change since the last assessment. They can assess controls against the current state of the system, review the change history, and verify that the security posture has been maintained through the year's releases. The assessment doesn't need a frozen snapshot because the system's documentation and evidence are always in an assessable state.

The POA&M as a Living Document

The Plan of Action and Milestones is where FedRAMP tracks known deficiencies, planned remediation, and risk acceptances. In a traditional compliance model, the POA&M is updated periodically — often as a manual exercise before monthly submissions. This leads to a familiar pattern: scramble to update the document before the deadline, discover findings that were resolved but never closed, argue about whether a remediation is actually complete, and submit something that's approximately accurate.

In our model, the POA&M is a continuously updated dataset. When a vulnerability scanner produces a finding, it enters the POA&M data automatically. When an engineer commits a fix, the POA&M item is updated with the remediation reference. When the fix ships in a platform release, the item's status updates to reflect the release version that includes the fix. When the next vulnerability scan confirms the finding is resolved, the item closes.

The monthly submission is a snapshot of this living dataset at a point in time. No scramble. No reconciliation. No surprises. The AO receives a document that reflects the actual state of the system's known deficiencies and remediation progress, because the data source is the same system that tracks the engineering work.

What FedRAMP 20x Means for This Approach

FedRAMP is in the middle of its most significant structural change in over a decade. The FedRAMP 20x program, which began piloting in 2025, moves authorization away from narrative documentation and toward automated, machine-readable evidence. Key Security Indicators (KSIs) replace the traditional approach of describing control implementation in prose — instead, you demonstrate security outcomes through deterministic, automatable evidence.

For organizations that have already built their compliance process around automation, OSCAL, and pipeline-integrated evidence collection, FedRAMP 20x isn't a disruption — it's a validation. The direction FedRAMP is moving is exactly the direction we moved years ago: treat compliance as data, automate evidence collection, make documentation a byproduct of engineering processes rather than a separate workstream.

The RFC-0024 mandate for machine-readable packages by September 2026 is accelerating adoption across the industry. Organizations that are still maintaining FedRAMP compliance through manual Word documents and Excel spreadsheets are facing a forced migration to structured data. Organizations that already live in OSCAL are focused on optimizing, not migrating.

The Hard Parts

This approach isn't free. There are real costs and real challenges.

The initial investment in tooling is substantial. Building the OSCAL pipeline, the component-to-control mapping, the automated security impact analysis, and the integrated POA&M workflow requires engineering time that could otherwise go toward product development. The return on that investment comes over years, not months.

Maintaining the component-to-control mapping as the system evolves is ongoing work. When you add a new subsystem to the platform, someone has to map it to the relevant controls, write the implementation descriptions, and ensure the OSCAL data reflects the change. This is inherently a human judgment task — automation can flag that a new component needs mapping, but a person has to determine which controls are affected and how.

The relationship with your 3PAO matters enormously. A 3PAO that understands your pipeline, trusts your automation, and can work with OSCAL-native documentation will assess you faster and more accurately than one that expects traditional artifacts. Finding that 3PAO — and building the working relationship — takes time.

And the cultural shift is real. Engineers have to care about compliance implications of their changes, not just functional correctness. Security and compliance staff have to understand the release pipeline well enough to assess changes quickly. Both teams have to share a vocabulary, share tools, and share the conviction that shipping fast and staying authorized are not opposing goals.

The Result

The SSP updates when the code changes. The security impact analysis runs with every release. The vulnerability management feeds directly into the POA&M. The monthly deliverables are generated from operational data. The annual assessment examines a system that's always ready to be examined.

For federal customers, this means they get an authorized cloud management platform that also gets timely updates — vulnerability patches within remediation timelines, new monitoring capabilities, and platform improvements delivered without compromising the security posture documentation. The ATO isn't a snapshot of a frozen system. It's a living authorization over a platform that continues to evolve under disciplined change control.

And for the hardware appliances those customers have deployed in their racks — the concentrators, the gateways, the encryption appliances — maintain a parallel compliance story: FIPS 140 validation for cryptographic modules, DISA STIG compliance for hardening, and the documentation agencies need to include hardware in their own system authorization boundaries. FedRAMP covers the cloud layer. The hardware has its own rigor. Both move forward without freezing.

FedRAMP doesn't require you to stop shipping. It requires you to know what you're shipping and prove it doesn't break your security promises. If your engineering process can do that continuously, your authorization stays healthy and your customers stay current.

For more information about the ASAFE platform, or to discuss the compliance posture of IVO Networks appliances for your agency's deployment, contact our team or reach out to your IVO Networks account representative.