@thelinuxkid
Created June 30, 2026 17:43
FedRAMP Program Status — June 30, 2026

FedRAMP Compliance — Program Status

Date: June 30, 2026
Prepared by: Andres Restrepo
Target milestone: Knox boundary cutover complete — July 27, 2026


Overall Progress

53% complete (249 of 469 engineering story points Done). Five of eight sprints are closed. Engineering execution has been on schedule. The remaining work is blocked on one external dependency: the Knox contract has not been signed.


What's Been Completed

All major technical implementation work is done through Sprint 5:

  • Identity & Access: Firebase authentication fully replaced with AWS Cognito (FedRAMP-authorized). Admin dashboard and bastion access hardened with MFA.
  • Infrastructure: Frontend migrated off Vercel to S3+CloudFront inside the compliant boundary. KMS/CMK encryption enforced on all PII stores. mTLS transit encryption enabled. WAF deployed on all public endpoints.
  • PII Handling: Mapbox integration remediated — no PII (addresses, GPS) sent to non-authorized services.
  • Security Controls: Full configuration management baseline (STIGs/CIS Level 2), backup automation, DNSSEC, DKIM/DMARC, input validation, session controls — all complete.
  • Decisions Closed: IdP selected (Cognito), Mapbox architecture decided (redact), Knox scope confirmed, CRM Tab 2 integrated.

Current Status: Sprint 6 (June 30 – July 14)

What's unblocked and in progress

Engineering (Andres):

  • Architecture boundary diagrams + internal connection documentation (feeds SSP)
  • Alternate storage and DR site design (CP-6/CP-7)

Governance / Policy (Hannah's team) — must start this week:

  • SSP scaffolding and drafting
  • Contingency Plan, IR Plan, CP Plan, CM Plan documents
  • PIA, Rules of Behavior, 7 additional policies, AT-2/AT-3 training content

What's blocked — Knox contract (5 tickets, 58 story points)

| Work Item | Blocked On |
|---|---|
| Knox SIEM detection rules | Contract signature |
| App log emission into Knox | Contract signature |
| GitHub deploy pipeline → Knox accounts | Contract signature |
| EDR/Wiz for ECS | Contract signature |
| Knox workload cutover (Sprint 7) | Contract signature |

Knox has confirmed in writing (Christy O'Glee, June 10): no onboarding materials, accounts, or credentials will be delivered until after the contract is signed. The DPA is in legal review on both sides. Knox has no TIM assigned yet.


Is July 27 Still Reachable?

At risk. The window is narrow but not closed.

Two things must happen in parallel for July 27 to hold:

  1. Knox contract must sign by ~July 14 — Knox needs time post-signature to provision managed AWS accounts before cutover work can begin. (Exact provisioning lead time should be confirmed with Casey Jones.)
  2. Hannah's team must complete all drafts by July 13 — the policy/plan documents feed the Sprint 7 sign-off milestones. If drafts aren't done by end of Sprint 6, the sign-offs slip into Sprint 8 and the ATO window moves regardless of what Knox does.

If either condition fails: July 27 is not achievable. ATO slides to late November at earliest.


Timeline — Two Paths

gantt
  title FedRAMP ATO Timeline — Path A vs Path B
  dateFormat YYYY-MM-DD
  axisFormat %b %d

  section Today
  Sprint 6 starts (Jun 30)                    : milestone, 2026-06-30, 0d

  section Hannah — Docs (deadline Jul 13)
  SSP draft (AF-257)                          : active, h1, 2026-06-30, 14d
  CP Plan draft (AF-267)                      : active, h2, 2026-06-30, 14d
  IR Plan draft (AF-270)                      : active, h3, 2026-06-30, 14d
  PIA draft (AF-269)                          : active, h4, 2026-06-30, 14d
  CM Plan draft (AF-281)                      : active, h5, 2026-06-30, 14d
  Rules of Behavior (AF-316)                  : active, h6, 2026-06-30, 14d
  7 Policies + Training (AF-294, AF-292)      : active, h7, 2026-06-30, 14d
  ⚠️ Hannah deadline — all drafts due         : milestone, crit, 2026-07-13, 0d

  section Path A — Contract signs by Jul 14
  Sprint 6 · Engineering diagrams + DR design : active, a0, 2026-06-30, 14d
  Knox contract signed ✅                     : milestone, 2026-07-14, 0d
  Sprint 7 · Knox Cutover + Plan sign-offs    : a2, 2026-07-14, 13d
  SSP sign-off (needs cutover done)           : a3, 2026-07-20, 7d
  Cutover complete ✅                         : milestone, 2026-07-27, 0d
  All plans signed off ✅                     : milestone, 2026-07-27, 0d
  Sprint 8 · Evidence + Pre-assessment        : a4, 2026-07-28, 14d
  Engineering handoff to Knox                 : milestone, 2026-08-11, 0d
  Knox 90-day 3PAO window                     : a5, 2026-08-11, 90d
  ATO 🎯                                      : milestone, 2026-11-09, 0d

  section Path B — Either condition fails
  Sprint 6 · Partial work                     : crit, b1, 2026-06-30, 14d
  Sprint 7 · BLOCKED or incomplete            : crit, b2, 2026-07-14, 14d
  Jul 27 missed ❌                            : milestone, crit, 2026-07-27, 0d
  Slipped cutover + sign-offs                 : crit, b3, 2026-07-28, 14d
  Slipped Sprint 8 · Evidence                 : b4, 2026-08-11, 14d
  Engineering handoff (slipped)               : milestone, 2026-08-25, 0d
  Knox 90-day 3PAO window (slipped)           : b5, 2026-08-25, 90d
  ATO slipped 🔴                              : milestone, crit, 2026-11-23, 0d

What this shows:

  • Hannah's deadline is July 13 — all 8 doc items must be in draft-complete state by end of Sprint 6. Sprint 7 sign-offs cannot happen without them.
  • Path A (contract by Jul 14 + Hannah done by Jul 13): Knox cutover and all plan sign-offs close Sprint 7 → ATO ~November 9
  • Path B (either condition misses): Sprint 7 stalls → ATO ~November 23+
  • Both owners have independent deadlines on the same date. Jonathan: contract. Hannah: drafts. If either slips, the path diverges.

Hannah's Team — What's Due and When

All 8 items must reach draft-complete by July 13 to feed Sprint 7 sign-offs:

| Ticket | Document | Sprint 7 Gate It Feeds | Status |
|---|---|---|---|
| AF-257 | SSP scaffolding + drafting | AF-297 SSP v1 sign-off (also needs Knox cutover) | To Do |
| AF-267 | CP-2 Contingency Plan | AF-300 CP Plan v1 sign-off | To Do |
| AF-269 | PIA draft | AF-298 PIA v1 sign-off | To Do |
| AF-270 | IR Plan v0 | AF-299 IR Plan v1 sign-off | To Do |
| AF-281 | CM Plan draft | AF-301 CM Plan v1 sign-off | To Do |
| AF-316 | Rules of Behavior + Access Agreements | AF-320 signatures collected | To Do |
| AF-294 | 7 additional policies | Sprint 7 governance review | To Do |
| AF-292 | AT-2/AT-3 training content | AF-326 training records filed | To Do (unassigned) |

Sprint 7 sign-offs (July 14–27) — these all close in Sprint 7 once drafts land:

| Ticket | Sign-off | Owner |
|---|---|---|
| AF-298 | PIA v1 | Hannah |
| AF-299 | IR Plan v1 | Hannah + Andres |
| AF-300 | CP Plan v1 | Hannah + Andres |
| AF-301 | CM Plan v1 | Hannah + Andres |
| AF-297 | SSP v1 (needs cutover complete first) | Hannah + Andres |
| AF-320 | RoB signatures collected | Hannah |

Sprint 8 (July 28 – Aug 11):

| Ticket | Work | Owner |
|---|---|---|
| AF-305 | CP Plan tabletop / recovery test | Hannah + Andres |
| AF-306 | IR Plan tabletop exercise | Hannah + Andres |

Scenario Summary

| Scenario | Contract Signed | Hannah Drafts Done | July 27 Cutover | ATO Target |
|---|---|---|---|---|
| Path A — Best case | By ~Jul 14 | By Jul 13 ✅ | ✅ On track | ~November 9, 2026 |
| Path B — Either slips | Jul 28+ or late | Incomplete ❌ | ❌ Misses | ~November 23, 2026+ |

Risk Summary

| Risk | Severity | Owner | Status |
|---|---|---|---|
| Knox contract not signed | Critical | Jonathan | DPA in legal review; no TIM assigned at Knox |
| July 27 cutover window | Critical | Jonathan + Andres | ~2 weeks to save the date |
| Hannah's 8 doc items not started | Critical | Hannah | Sprint 6 just started — deadline July 13 |
| Post-contract engineering backlog | Medium | Andres | Clears within 1–2 weeks once contract signs |

Immediate Actions Required

| Action | Owner | Deadline |
|---|---|---|
| Sign the Knox contract | Jonathan | Immediately |
| Confirm Knox account provisioning lead time with Casey Jones | Jonathan | This week |
| Begin all 8 doc drafts (SSP, CP, IR, PIA, CM, RoB, policies, training) | Hannah | Today — due Jul 13 |
| Assign AF-292 (training content) to Hannah | Andres/Jonathan | Today |
| Begin architecture diagrams (AF-293) | Andres | Today |

Data source: Live Jira (AF2 project) as of June 30, 2026. Story point totals verified against planning CSV. Sprint dates and ATO projections verified by Python date arithmetic.
