Steelhead Technologies

FedRAMP Moderate Equivalency — Program Progress

Updated weekly  ·  Last update: June 26, 2026

Program Start

Q1 2026

Program kickoff

Target Authorization

Q4 2026

Authorization target

Controls Scope

325

NIST 800-53 Moderate

Platform Readiness

40%

Compliance platform coverage

Controls Mapped

~200

of 325 controls mapped so far

Active Phases

1 · 2 · 4 · 5

Policy, SSP, Env., Evidence — parallel

Overall Program Progress (5 of 7 phases active or complete)
54%

Program Phases

Phase 1

Policy & Documentation

Q1 – Q2 2026

Active
Progress
90%
  • Comprehensive information security policy library developed and reviewed
  • All required policies uploaded to compliance platform with control mappings
  • All 5 FedRAMP program roles formally acknowledged (ISSO, System Owner, AO, SAOP, ISSM)
  • Program compliance framework configured with control ownership assigned
  • System architecture and access boundary documented and reviewed
  • Rules of Behavior program established for all boundary personnel
  • Final policy approvals in progress; full library sign-off targeted this quarter
  • Full compliance platform control coverage at 100% of 325 controls

Phase 2

System Security Plan (SSP) Development

Q1 – Q2 2026

Active
Progress
92%
  • System Security Plan structure established
  • Security control documentation complete across all 18 NIST control families
  • Third-party interconnection security agreements documented for all external services
  • Risk assessment and threat modeling complete; risk register established
  • Supply chain risk management plan drafted
  • Full SSP package generated — control narratives, appendices, and policy library compiled
  • SSP quality review underway; Steelhead-specific content being validated
  • Independent advisory document review package being finalized for submission
  • Plan of Action & Milestones (POA&M) initialized

Phase 3

3PAO Selection & Engagement

Q1 – Q2 2026

Complete
Progress
100%
  • Competitive third-party assessor evaluation complete; all proposals received and evaluated
  • Peer benchmarking with industry counterparts complete
  • 3PAO selected for formal assessment; pre-assessment advisor engaged
  • Final vendor meetings held
  • Assessor contract executed — Q3 assessment slot formally locked
  • Assessment scope and statement of work finalized
  • Assessor-led penetration testing engagement scheduled

Phase 4

FedRAMP-Compliant Environment Buildout

Q2 2026

Active
Progress
75%
  • Cloud environment architecture and security controls designed
  • Identity and access management architecture confirmed
  • CI/CD pipeline architecture finalized; build and deployment security controls integrated
  • SIEM and EDR platforms selected
  • FedRAMP-authorized cloud environment provisioned and live with logging and threat detection enabled
  • Centralized security monitoring integrated — log aggregation, threat detection, and vulnerability scanning active
  • Virtual desktop environment configuration and security agent enrollment
  • Architecture validated against documented security baseline

Phase 5

Evidence Collection & Security Testing

Q2 – Q3 2026

Active
Progress
22%
  • Mandatory continuous monitoring period formally opened
  • Continuous monitoring evidence collection across all 325 controls
  • Authenticated vulnerability scanning active across boundary components
  • Assessor-led penetration testing
  • Business continuity and disaster recovery testing
  • Findings remediation and risk acceptance documentation

Phase 6

3PAO Formal Security Assessment

Q3 – Q4 2026

Not Started
Progress
0%
  • Third-party assessor document review
  • Security control testing and validation
  • Staff interviews and process verification
  • Security Assessment Report received and reviewed
  • Assessment findings remediated

Phase 7

ATO Package & Authorization

Q4 2026

Not Started
Progress
0%
  • Final authorization package compiled
  • Internal Authorizing Official review
  • Authorization to Operate signed — target Q4 2026

Risk Posture

Assessment partnership secured · Active
Pre-assessment advisory engagement active · Active
Continuous monitoring program active across the live environment · Active
Full SSP package ready for independent advisory review · Active
Parallel workstreams active · Active
Penetration testing scoped and confirmed — assessor-led · Locked
Internal AO engagement — pending assessment outcomes · Locked

Ongoing Compliance Commitments

Monthly risk reviews

Executive + program cadence

Annual reassessment

Full program refresh cycle

Continuous control monitoring

Automated + manual attestations

Dedicated program ownership

Named control owners

Evidence retention

7-year artifact policy

POA&M management

Tracked remediation SLAs

Continuous monitoring cadence

Monthly CM reporting