
Overview

AegisShield is FedRAMP Ready, implementing core security controls required for Federal Risk and Authorization Management Program compliance. The application implements 15 NIST SP 800-53 Rev. 5 controls that align with FedRAMP baseline requirements.
FedRAMP Status: Ready for Low and Moderate impact systems
Implementation Coverage: 100% of identified applicable controls
Compliance Frameworks: FedRAMP, FISMA

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Standardization

Standardized security assessment approach for federal cloud services

Reusability

Do once, use many times - authorizations are reusable across agencies

Risk Management

Risk-based approach aligned with NIST SP 800-53

Continuous Monitoring

Ongoing security monitoring and incident response

FedRAMP Impact Levels

FedRAMP defines three impact levels based on the sensitivity of data:

FedRAMP Low

Data Classification: Public information
Security Controls: 125 controls from NIST SP 800-53
AegisShield Applicability: ✅ Ready
AegisShield implements core controls required for Low impact systems, including:
  • Access control and authentication (AC-3, IA-2, IA-5)
  • Audit and accountability (AU-3, AU-4, AU-6, AU-8)
  • System monitoring (SI-4, SI-7, SI-11)

AegisShield FedRAMP Control Mapping

AegisShield implements controls across multiple FedRAMP baseline categories:

Access Control Family

AC-3 (Access Enforcement)
Implementation Location: api_key_handler.py:73, 82
FedRAMP Requirement: Enforce approved authorizations for logical access
AegisShield Implementation:
  • API key validation before granting access to external services
  • Access control enforcement through authenticator validation
  • Session state management for credential validation
Evidence:
# NIST AC-3: Access enforcement through credential validation
# NIST AC-3: Enforce access control through authenticator validation
Assessment Status: ✅ Fully Implemented

Identification and Authentication Family

IA-2 (Identification and Authentication)
Implementation Location: api_key_handler.py:8
FedRAMP Requirement: Uniquely identify and authenticate organizational users
AegisShield Implementation:
  • Authentication to external services (OpenAI, NVD, AlienVault OTX)
  • API key management for service authentication
  • Secure credential storage via Streamlit secrets
Evidence:
# IA-2 (Identification and Authentication): 
# Authentication to external services
Assessment Status: ✅ Fully Implemented

IA-5 (Authenticator Management)
Implementation Location: api_key_handler.py:4, 15, 20, 72, 78
FedRAMP Requirement: Manage information system authenticators
AegisShield Implementation:
  • IA-5(1): Password-Based Authentication
  • Secure API key storage using Streamlit secrets
  • Masked input for sensitive authenticator data
  • Session-based credential management
Evidence:
# IA-5 (Authenticator Management): API key management and secure storage
# IA-5(1): Authenticator Management | Password-Based Authentication
# NIST IA-5(1): Secure storage and retrieval of authenticators
# NIST IA-5(1): Masked input for sensitive authenticator data
Assessment Status: ✅ Fully Implemented with Enhancement

System and Communications Protection Family

SC-7 (Boundary Protection)
Implementation Location: nvd_search.py:13, 37, 128 and alientvault_search.py:14, 69
FedRAMP Requirement: Monitor and control communications at external system boundaries
AegisShield Implementation:
  • Secure external API communications with retry mechanisms
  • HTTP error handling and timeout management
  • Exponential backoff for resilient communication
  • Boundary protection for NVD and OTX API endpoints
Evidence:
# SC-7 (Boundary Protection): External API communication security
# SC-7: Boundary Protection - Resilient external API communication
# SC-7: Boundary Protection - Secure NVD API communication
Assessment Status: ✅ Fully Implemented

SC-12 (Cryptographic Key Establishment and Management)
Implementation Location: api_key_handler.py:5, 16
FedRAMP Requirement: Establish and manage cryptographic keys
AegisShield Implementation:
  • SC-12(2): Symmetric Keys implementation
  • API key lifecycle management
  • Secure key storage and retrieval systems
Evidence:
# SC-12 (Cryptographic Key Establishment and Management): Key lifecycle management
# SC-12(2): Cryptographic Key Establishment | Symmetric Keys
Assessment Status: ✅ Fully Implemented with Enhancement

System and Information Integrity Family

SI-4 (Information System Monitoring)
Implementation Location: nvd_search.py:15, 38 and alientvault_search.py:11, 66
FedRAMP Requirement: Monitor the information system to detect attacks and unauthorized activity
AegisShield Implementation:
  • Continuous vulnerability monitoring via NVD
  • External threat intelligence monitoring via AlienVault OTX
  • Connection failure monitoring and logging
Evidence:
# SI-4 (Information System Monitoring): Continuous vulnerability monitoring
# SI-4: Information System Monitoring - Connection failure monitoring
# SI-4: Information System Monitoring - External threat intelligence collection
Assessment Status: ✅ Fully Implemented

SI-7 (Software, Firmware, and Information Integrity)
Implementation Location: nvd_search.py:11, 126
FedRAMP Requirement: Employ integrity verification tools
AegisShield Implementation:
  • Automated vulnerability identification for software components
  • Technology version vulnerability analysis
  • CVE-based integrity assessment via NVD
Evidence:
# SI-7 (Software, Firmware, and Information Integrity): 
# Vulnerability assessment and monitoring
# SI-7: Software Integrity - Technology version vulnerability analysis
Assessment Status: ✅ Fully Implemented

SI-11 (Error Handling)
Implementation Location: error_handler.py:14, 53, 82, 88, 97
FedRAMP Requirement: Generate error messages that provide necessary information without revealing sensitive data
AegisShield Implementation:
  • Centralized exception management
  • User-friendly error messages without sensitive data exposure
  • Comprehensive error capture and logging
  • Sanitized error messages to prevent information leakage
Evidence:
# SI-11 (Error Handling): Systematic error handling and user notification
# SI-11: Error Handling - User-friendly error messages without sensitive details
# NIST SI-11: Display sanitized error message to user (no sensitive data exposure)
Assessment Status: ✅ Fully Implemented

Audit and Accountability Family

AU-3 (Content of Audit Records)
Implementation Location: error_handler.py:10, 32, 50, 61, 98
FedRAMP Requirement: Generate audit records containing sufficient information
AegisShield Implementation:
  • Complete error context and metadata capture
  • API interaction logging (NVD, OTX)
  • Vulnerability scan result logging
  • Threat intelligence query logging
Evidence:
# AU-3 (Content of Audit Records): Comprehensive logging with timestamps and context
# AU-3: Content of Audit Records - Complete error context and metadata
# NIST AU-3: Content of Audit Records - Structured log entry with context
Assessment Status: ✅ Fully Implemented

AU-4 (Audit Storage Capacity)
Implementation Location: error_handler.py:11, 33
FedRAMP Requirement: Allocate audit record storage capacity
AegisShield Implementation:
  • Automated log directory creation
  • Log file management and storage
Evidence:
# AU-4 (Audit Storage Capacity): Log file management and storage
# AU-4: Audit Storage Capacity - Log directory creation and management
Assessment Status: ✅ Fully Implemented

AU-6 (Audit Review, Analysis, and Reporting)
Implementation Location: error_handler.py:12, 52, 66, 83, 99
FedRAMP Requirement: Review and analyze information system audit records
AegisShield Implementation:
  • Structured log format for analysis
  • Console output for immediate audit review
  • User notification as part of error handling
Evidence:
# AU-6 (Audit Review, Analysis, and Reporting): Error analysis and reporting
# NIST AU-6: Write to console for immediate audit review
Assessment Status: ✅ Fully Implemented

AU-8 (Time Stamps)
Implementation Location: error_handler.py:13, 34, 51, 59
FedRAMP Requirement: Use internal system clocks to generate time stamps
AegisShield Implementation:
  • Precise timestamp generation for all logged events
  • Consistent timestamp format for audit records
Evidence:
# AU-8 (Time Stamps): Timestamp generation for all logged events
# NIST AU-8: Time Stamps - Generate precise timestamp for audit record
Assessment Status: ✅ Fully Implemented
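An added illustration (not AegisShield's error_handler.py) of how the SI-11 block above and the AU-3/AU-8 blocks fit together: the full failure detail goes into a timestamped audit record, while the user sees fixed wording plus a reference id. The logger name, the reference id and the sample exception are assumptions.

```python
import logging
import uuid
from datetime import datetime, timezone

# Added illustration, not AegisShield's error_handler.py. The audit record keeps the full
# context (AU-3) with a UTC timestamp (AU-8); the user sees only fixed wording plus a
# reference id that links back to the record (SI-11). The reference id is an assumption.
AUDIT_LOG = logging.getLogger("aegis.audit")


def build_audit_record(exc, context):
    """AU-3/AU-8: structured entry with timestamp, source, operation and full exception detail."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),  # AU-8
        "event_id": str(uuid.uuid4()),
        "source": context.get("source", "unknown"),
        "operation": context.get("operation", "unknown"),
        "exception_type": type(exc).__name__,
        "detail": str(exc),  # AU-3: raw detail lives only in the audit trail
    }


def user_message(record):
    """SI-11: no exception text, URL or credential reaches the UI, only the reference id."""
    return (f"The {record['operation']} request could not be completed. "
            f"Reference: {record['event_id']}")


def handle_error(exc, context):
    """Central entry point: log the audit record, return the sanitized message and the record."""
    record = build_audit_record(exc, context)
    AUDIT_LOG.error("%s", record)
    return user_message(record), record


# Constructed failure whose text carries a credential, as a timed-out request to an
# external service might; the URL and key are placeholders.
SAMPLE_EXC = ConnectionError(
    "GET https://nvd.example/api/cves?apiKey=EXAMPLE-KEY-0000 timed out after 30s")
SAMPLE_CONTEXT = {"source": "nvd_search.py", "operation": "CVE lookup"}
```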

Risk Assessment Family

RA-3 (Risk Assessment)
Implementation Location: alientvault_search.py:12, 67
FedRAMP Requirement: Conduct risk assessments periodically
AegisShield Implementation:
  • Industry-specific threat intelligence collection
  • Threat intelligence integration for risk analysis
  • AlienVault OTX integration for risk-relevant data
Evidence:
# RA-3 (Risk Assessment): Threat intelligence integration for risk analysis
# RA-3: Risk Assessment - Industry-specific threat intelligence for risk analysis
Assessment Status: ✅ Fully Implemented

RA-5 (Vulnerability Scanning)
Implementation Location: nvd_search.py:12, 125
FedRAMP Requirement: Scan for vulnerabilities in the information system
AegisShield Implementation:
  • Automated CVE discovery via NVD API
  • Technology-specific vulnerability scanning
  • CVSS score-based vulnerability prioritization
Evidence:
# RA-5 (Vulnerability Scanning): Automated vulnerability identification via NVD
# RA-5: Vulnerability Scanning - Automated CVE discovery and assessment
Assessment Status: ✅ Fully Implemented

Program Management Family

PM-16 (Threat Awareness Program)
Implementation Location: alientvault_search.py:13, 68
FedRAMP Requirement: Implement a threat awareness program
AegisShield Implementation:
  • External threat intelligence consumption
  • Structured threat intelligence collection
  • AlienVault OTX integration for organizational threat awareness
Evidence:
# PM-16 (Threat Awareness Program): External threat intelligence consumption
# PM-16: Threat Awareness Program - Structured threat intelligence consumption
Assessment Status: ✅ Fully Implemented

FedRAMP Assessment Procedures

Security Assessment Process

1. Package Preparation

Prepare System Security Plan (SSP) documenting all control implementations
  • Document architecture and data flows
  • Map controls to implementation locations
  • Prepare control traceability matrix

2. Assessment Testing

Third-party assessment organization (3PAO) conducts testing
  • Examine: Review documentation and code evidence
  • Interview: Discuss implementation with development team
  • Test: Validate control effectiveness through testing

3. Authorization

Agency or Joint Authorization Board (JAB) reviews assessment
  • Review security assessment report (SAR)
  • Issue authorization to operate (ATO)
  • Define continuous monitoring requirements

4. Continuous Monitoring

Ongoing security monitoring and reporting
  • Monthly vulnerability scanning
  • Incident reporting
  • Annual assessment

Assessment Methods for AegisShield Controls

All AegisShield controls support three assessment methods:

Examine

Review source code, documentation, and control mappings
Evidence: nist-sp-800-53-controls-mapping.json

Interview

Discuss implementation with development team
Evidence: Architecture documentation and design decisions

Test

Validate control effectiveness through functional testing
Evidence: Test cases and execution results

Machine-Readable Control Evidence

AegisShield provides machine-readable control mappings for automated assessment:
# Extract all FedRAMP-applicable controls
jq '.controls[] | select(.compliance_frameworks[] == "FedRAMP")' \
  nist-sp-800-53-controls-mapping.json

# Generate FedRAMP compliance summary
jq '{total_controls: .assessment_summary.total_controls_implemented,
    coverage: .assessment_summary.implementation_coverage,
    frameworks: .assessment_summary.compliance_frameworks_supported}' \
  nist-sp-800-53-controls-mapping.json

# List implementation evidence for specific control
jq '.controls[] | select(.control_id == "AC-3") | 
    {control: .control_id, evidence: .evidence, files: .implementation_locations}' \
  nist-sp-800-53-controls-mapping.json
The complete machine-readable control mapping includes assessment methods, responsible roles, and direct code references for each control.
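The same mapping can back the "Test" assessment method, not just the "Examine" one. The added example below (not part of AegisShield) walks every FedRAMP-tagged control and checks that each referenced line of code still carries that control's marker comment, so a stale line number shows up as a traceability gap. The field names follow the jq queries above; the "file:line" form of each location, the sample mapping and the sample sources are assumptions.

```python
import json
import re

# Constructed sample in the shape the page's jq queries imply: "controls" entries with
# control_id, compliance_frameworks, evidence and implementation_locations. The field
# names come from the jq commands above; the "file:line" form of a location is an assumption.
SAMPLE_MAPPING = json.loads("""{
  "controls": [
    {"control_id": "AC-3", "compliance_frameworks": ["FedRAMP", "FISMA"],
     "evidence": ["# NIST AC-3: Access enforcement through credential validation"],
     "implementation_locations": ["api_key_handler.py:3"]},
    {"control_id": "SI-11", "compliance_frameworks": ["FedRAMP"],
     "evidence": ["# NIST SI-11: Display sanitized error message to user"],
     "implementation_locations": ["error_handler.py:2", "error_handler.py:9"]},
    {"control_id": "PL-2", "compliance_frameworks": ["FISMA"], "evidence": [], "implementation_locations": []}
  ]}""")

# Constructed stand-ins for the referenced source files (read them from disk in practice).
SAMPLE_SOURCES = {
    "api_key_handler.py": "import streamlit as st\n\n"
                          "# NIST AC-3: Access enforcement through credential validation\n"
                          "def validate_key(key): ...\n",
    "error_handler.py": "import logging\n"
                        "# NIST SI-11: Display sanitized error message to user\n",
}

LOCATION_RE = re.compile(r"^(?P<file>[^:]+):(?P<line>\d+)$")

def fedramp_controls(mapping):
    """Same selection as the first jq query: controls tagged with the FedRAMP framework."""
    return [c for c in mapping["controls"] if "FedRAMP" in c["compliance_frameworks"]]

def check_traceability(mapping, sources):
    """Return (control_id, location, ok) for every location of every FedRAMP control. A location
    passes only if the file and line exist and that line carries the control id."""
    results = []
    for ctl in fedramp_controls(mapping):
        for loc in ctl["implementation_locations"]:
            m = LOCATION_RE.match(loc)
            ok = False
            if m and m["file"] in sources:
                lines = sources[m["file"]].splitlines()
                idx = int(m["line"]) - 1
                ok = 0 <= idx < len(lines) and ctl["control_id"] in lines[idx]
            results.append((ctl["control_id"], loc, ok))
    return results

def gaps(mapping, sources):
    """Locations that fail the check; an empty list means full control-to-code traceability."""
    return [r for r in check_traceability(mapping, sources) if not r[2]]
```

Run it as part of the continuous-monitoring pipeline so that any refactor which moves a marker comment is caught before the next 3PAO examine.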

Continuous Monitoring Requirements

FedRAMP requires continuous monitoring of authorized systems:
  • Vulnerability scanning using approved tools
      • AegisShield implements RA-5 (Vulnerability Scanning) via NVD integration
      • Automated CVE discovery and CVSS prioritization
  • Report security incidents within required timeframes
      • AegisShield implements SI-11 (Error Handling) with comprehensive logging
      • AU-3, AU-6, AU-8 provide audit trail capabilities
  • Track and document system changes
      • Control implementations documented in code with NIST references
      • Version control provides change tracking
  • Annual security assessment by 3PAO
      • Machine-readable control mappings facilitate automated assessment
      • Complete traceability from control to code

Path to FedRAMP Authorization

For organizations seeking FedRAMP authorization using AegisShield:

1. Determine Impact Level

FedRAMP Low
Best for: Public information systems
AegisShield Status: ✅ Core controls ready
Next Steps: Document additional infrastructure and operational controls

2. Prepare System Security Plan

  • Use NIST-SP-800-53-CONTROLS.md as implementation guide
  • Reference nist-sp-800-53-controls-mapping.json for automated documentation
  • Document system architecture and data flows
  • Map all controls to implementation evidence

3. Engage Third-Party Assessor

  • Select FedRAMP-approved 3PAO
  • Provide control implementation documentation
  • Support assessment activities (examine, interview, test)
  • Remediate findings and document compensating controls

4. Submit for Authorization

  • Agency ATO: Submit to sponsoring agency
  • JAB P-ATO: Submit to Joint Authorization Board
  • Address any authorization conditions
  • Establish continuous monitoring procedures

Additional Resources

NIST SP 800-53 Controls

Detailed control implementation documentation

GRC Integration

Integrate with ServiceNow, RSA Archer, and other GRC tools

FedRAMP.gov

Official FedRAMP program website

NIST SP 800-53

NIST SP 800-53 Rev. 5 documentation
