Federal Agencies · FIPS / NIST 800-53 Aligned

FedRAMP-aligned.
NIST-mapped.
Outbound only.

For federal evaluators who read the controls before they read the marketing.

STRATUS AccessGov is built against the FedRAMP Moderate baseline and NIST 800-53 Rev. 5 controls — not as a retrofit, but as a design constraint from the first commit. Cryptographic operations are designed to use FIPS-enabled AWS KMS endpoints or customer-provided HSMs where required by the deployment boundary. Provider validation certificates and operational modes are documented in the Federal Evaluation Packet. Outbound-only connectivity. Immutable evidence chain. FedRAMP-aligned today; pursuing Authorization with our first federal Founding Partner.

Honest Compliance Posture

What "aligned" actually means.

We say FedRAMP-aligned, not FedRAMP-authorized — because words matter when the contracting officer reads them. Here's the precise distinction and the timeline.

Moderate
FedRAMP baseline aligned
Pursuit
ATO with first Founding Partner
High
On roadmap · post-Moderate ATO

Translation: the architecture is designed against the technical baseline controls. We do not yet hold an Authorization to Operate. If FedRAMP Moderate ATO is a year-one purchase requirement for your agency, that's an honest signal we should look at structuring you as a Founding Partner where the ATO pursuit completes during your deployment.

NIST 800-53 Rev. 5 · Control Mapping Preview

The controls federal evaluators actually score.

Excerpts from the STRATUS control mapping document. Full mapping available under NDA during evaluation.

AC · Access Control Family

"Account management, least privilege, access enforcement."
  • AC-2 Account Management — JML automation with HR system of record
  • AC-2(13) Disable Accounts of Individuals Posing Significant Risk — Kill Switch
  • AC-3 Access Enforcement — deterministic policy engine, no ML probability
  • AC-6 Least Privilege — JIT access with auto-expire and pruning
  • AC-6(7) Review of User Privileges — quarterly certifications with auto-revoke

AU · Audit & Accountability Family

"Audit log integrity, non-repudiation, retention."
  • AU-2 Event Logging — every access decision captured as Evidence Pack
  • AU-9 Protection of Audit Information — SHA-256 hash chain
  • AU-9(3) Cryptographic Protection — S3 Object Lock in Compliance Mode
  • AU-10 Non-Repudiation — chained signatures, KMS-backed
  • AU-11 Audit Record Retention — 7-year default, configurable to 10+

SC · System & Communications Protection

"Boundary protection, cryptography, network."
  • SC-7 Boundary Protection — zero inbound ports, outbound mTLS only
  • SC-8 Transmission Confidentiality — TLS 1.3, mTLS for HCG
  • SC-12 Cryptographic Key Establishment — BYO-KMS, FIPS 140-3 modules
  • SC-13 Cryptographic Protection — AES-256-GCM at rest
  • SC-28 Protection of Information at Rest — encrypted with customer-managed keys

IA · Identification & Authentication

"Identification, authentication, credential management."
  • IA-2 Identification & Authentication — SAML 2.0 / OIDC, MFA passthrough
  • IA-3 Device Identification — mTLS client cert for HCG agents
  • IA-5 Authenticator Management — credentials pass-through, never stored
  • IA-9 Service Identification — non-human identity (NHI) governance for service accounts

For Federal Buyers Specifically

The pieces that matter for your evaluation.

02 · Boundary

Zero inbound. Outbound mTLS.

The Hybrid Connector Gateway dials out from inside the agency's accreditation boundary. No listener exposed to the public internet. Drastically reduces the SC-7 control surface that has to be re-evaluated.

03 · Evidence

Non-repudiable. Cryptographically chained.

Every access decision becomes an Evidence Pack: SHA-256 hash, prev_hash chain link, KMS signature, S3 Object Lock in compliance mode. AU-9(3) and AU-10 alignment is supported by design, not only by policy.
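An added, illustrative implementation of the hash-chained Evidence Pack described above (not STRATUS code). It uses SHA-256 over a canonical body with a prev_hash link and, as an assumption standing in for the KMS signature, an HMAC over each pack's digest; the decisions and signing key are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the KMS signing key (a real deployment calls the
# signing provider rather than holding key material locally).
SIGNING_KEY = b"demo-signing-key-not-for-production"
GENESIS = "0" * 64  # prev_hash of the first pack in a chain

def hash_and_sign(decision: dict, prev_hash: str) -> tuple:
    """SHA-256 over the canonical (sorted-key) JSON body, then sign the digest."""
    body = json.dumps({"decision": decision, "prev_hash": prev_hash},
                      sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(body).hexdigest()
    sig = hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()
    return digest, sig

def build_chain(decisions: list) -> list:
    """Append one Evidence Pack per decision, each linking to the previous hash."""
    chain, prev = [], GENESIS
    for d in decisions:
        digest, sig = hash_and_sign(d, prev)
        chain.append({"decision": d, "prev_hash": prev, "hash": digest, "sig": sig})
        prev = digest
    return chain

def verify_chain(chain: list) -> tuple:
    """Return (True, None) if intact, else (False, index of the first bad pack)."""
    prev = GENESIS
    for i, pack in enumerate(chain):
        digest, sig = hash_and_sign(pack["decision"], pack["prev_hash"])
        if (pack["prev_hash"] != prev or pack["hash"] != digest
                or not hmac.compare_digest(pack["sig"], sig)):
            return False, i
        prev = digest
    return True, None

# Constructed sample access decisions
DECISIONS = [
    {"subject": "alice", "resource": "db-prod", "action": "grant", "ttl_min": 60},
    {"subject": "alice", "resource": "db-prod", "action": "revoke"},
    {"subject": "svc-report", "resource": "s3-finance", "action": "deny"},
]

def tampered_chain() -> list:
    """Same chain with the revoke quietly rewritten to a grant after the fact."""
    chain = json.loads(json.dumps(build_chain(DECISIONS)))
    chain[1]["decision"]["action"] = "grant"
    return chain
```

Deleting a pack from the middle is caught the same way: the next pack's prev_hash no longer matches its predecessor.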

04 · Procurement

GSA path · Founding Partner ATO pursuit.

We are pursuing GSA Schedule placement and FedRAMP Moderate ATO with our first federal Founding Partner — typically a state agency with federal data flows or a small federal civilian shop. If that fits, the pricing and the path both work in your favor.

Want the full control mapping?

NIST 800-53 Control Alignment PDF

Technical alignment only. Not certification. Final control satisfaction depends on customer configuration, operating procedures, and shared responsibility.

The Federal Evaluation Packet is available under NDA and includes: full NIST 800-53 Rev. 5 control mapping, FedRAMP Moderate SSP outline, FIPS 140-3 cryptographic boundary documentation (provider + validation certificate + operational mode), data flow diagram, subprocessor list, accessibility / Section 508 status, and SOC 2 audit timeline.
