Steelhead Technologies
FedRAMP Moderate Equivalency — Program Progress
Updated weekly · Last update: May 1, 2026
- Program Start: Q1 2026 (March 13, 2026)
- Target Authorization: Q4 2026 (December 31, 2026)
- Controls Scope: 325 (NIST 800-53 Moderate)
- Platform Readiness: 40% (compliance platform coverage)
- Controls Mapped: ~130 of 325 controls addressed
- Active Phases: 1 · 2 · 3 (Policy, SSP, 3PAO — parallel)
Program Phases
Phase 1
Policy & Documentation
Active
Q1 – Q2 2026
Progress: 88%
- Comprehensive information security policy library developed and reviewed
- All required policies uploaded to compliance platform with control mappings
- All FedRAMP program roles formally designated, acknowledged, and documented
- Program compliance framework configured with control ownership assigned
- System architecture and access boundary documented and reviewed
- Remaining policy approvals in progress; completion targeted this quarter
- Full compliance platform control coverage at 100% of 325 controls
Phase 2
System Security Plan (SSP) Development
Active
Q1 – Q2 2026
Progress: 20%
- System Security Plan structure established
- System description and architecture narrative in development
- Security control narratives being authored across all 18 NIST control families
- Third-party service interconnection agreements
- Formal risk assessment and threat modeling
- Plan of Action & Milestones (POA&M) initialized
Phase 3
3PAO Selection & Engagement
Active
Q1 – Q2 2026
Progress: 95%
- Competitive third-party assessor evaluation complete
- Assessor engagement formalized — formal assessment window reserved for September 2026
- Pre-assessment advisory firm contracted and engaged
- Assessment scope and work order being finalized
- Assessor kickoff meeting and evidence request list
- Independent penetration testing firm engaged
Phase 4
FedRAMP-Compliant Environment Buildout
Starting Q2
Q2 2026 — Target go-live: June 2026
Progress: 0%
- Cloud environment architecture and security controls designed
- Identity and access management architecture confirmed
- FedRAMP-authorized cloud environment provisioned
- Security monitoring, logging, and audit infrastructure deployed
- Access-controlled virtual desktop environment configured
- Architecture validated against documented security baseline
Phase 5
Evidence Collection & Security Testing
Not Started
Q2 – Q3 2026 (90-day window: Jun – Sep)
Progress: 0%
- Continuous monitoring evidence collection across all 325 controls
- Authenticated vulnerability scanning across all boundary components
- Independent penetration testing
- Business continuity and disaster recovery testing
- Findings remediation and risk acceptance documentation
Phase 6
3PAO Formal Security Assessment
Not Started
Sep 4 – Oct 23, 2026
Progress: 0%
- Third-party assessor document review
- Security control testing and validation
- Staff interviews and process verification
- Security Assessment Report received and reviewed
- Assessment findings remediated
Phase 7
ATO Package & Authorization
Not Started
Q4 2026 (Nov – Dec 31)
Progress: 0%
- Final authorization package compiled
- Internal Authorizing Official review
- Authorization to Operate signed — target December 31, 2026
Key Milestones
| Timeline | Milestone / Deliverable | Status |
| --- | --- | --- |
| Q1 2026 | Program kickoff; assessor outreach begins; policy development sprint starts | ✓ Complete |
| Q1 2026 | Competitive assessor evaluation launched; all proposals received; peer benchmarking complete | ✓ Complete |
| Apr 14–17, 2026 | All five FedRAMP program roles formally acknowledged. Signed records on file. | ✓ Complete |
| Apr 17, 2026 | Third-party assessor selected; pre-assessment advisory firm selected. Final meetings held. | ✓ Complete |
| Apr 17–24, 2026 | System Security Plan initiated; 14 policies uploaded to compliance platform | ✓ Complete |
| Apr 29, 2026 | Assessor engagement formalized — assessment window reserved for September 2026. Advisory firm contracted. | ✓ Complete |
| Apr 30, 2026 | Program roles and responsibilities documentation uploaded to compliance platform as formal evidence | ✓ Complete |
| Early Q2 2026 | Policy library complete — all policies active in compliance platform, full control coverage achieved | In Progress |
| May 22, 2026 | Assessment scope and work order finalized — September 4 slot formally locked | Upcoming |
| Jun 2026 | FedRAMP cloud environment live; 90-day continuous monitoring window begins | Planned |
| Jun 12, 2026 | All 325 SSP security control narratives complete | Planned |
| Sep 4, 2026 | Third-party formal security assessment begins | Planned |
| Dec 31, 2026 | 🏆 Authorization to Operate (ATO) granted — FedRAMP Moderate Equivalency achieved | Planned |
NIST 800-53 Control Family Coverage
- AC: Access Control
- AT: Awareness & Training
- AU: Audit & Accountability
- CA: Security Assessment
- CM: Configuration Mgmt
- CP: Contingency Planning
- IA: Identification & Auth
- IR: Incident Response
- MA: Maintenance
- MP: Media Protection
- PE: Physical & Environ.
- PL: Planning
- PM: Program Management
- PS: Personnel Security
- RA: Risk Assessment
- SA: System & Svc Acq.
- SC: Comms Protection
- SI: System & Info Integrity
Program Risk Management
| Status | Commitment / Approach |
| --- | --- |
| Active | Assessor partnership secured — a FedRAMP-accredited third-party assessor has been formally engaged with a September 2026 assessment window reserved. |
| Active | Pre-assessment advisory engagement underway — an independent advisory firm is conducting gap analysis and readiness support ahead of the formal assessment. |
| Active | Parallel workstreams — security documentation, environment buildout, and evidence collection are advancing simultaneously to meet the compressed timeline. |
| Planned | Mandatory 90-day continuous monitoring window begins upon environment go-live — this is a hard FedRAMP requirement built into the program schedule. |
| Planned | Independent penetration testing is scoped and scheduled within the evidence collection window, coordinated with the assessor. |
| Ongoing | An internal Authorizing Official is engaged throughout the program. Authorization is granted internally — no government agency submission queue is involved. |
Ongoing Compliance Commitment
Monthly Risk Reviews
A formal Plan of Action & Milestones process tracks open risks from day one — not just a pre-authorization checkbox. Items are reviewed monthly and remediated on defined timelines.
Annual Re-Assessment
FedRAMP Moderate Equivalency is maintained, not just achieved. The program includes annual control re-assessment, penetration testing, and evidence refresh.
Continuous Control Monitoring
Once the environment is live, automated evidence collection provides ongoing visibility across all 325 NIST 800-53 Moderate controls.
Dedicated Program Ownership
All five FedRAMP program roles are formally designated — ISSO, System Owner, Authorizing Official, SAOP, and ISSM/vCISO. Signed acknowledgment records are on file.