Session Presentation

Automating FedRAMP CI/CD

Michael Scribellito

Sr. Technical Manager, Coalfire

Nikolas Theiss

Sr. Consultant, Coalfire

June 25, 2025

Reinventing the Wheel

Architecting CI/CD for FedRAMP can feel like reinventing the wheel.

Session Overview

  • Common Mistakes
  • Major Challenges
  • Automation Framework

Common Mistakes & Misconceptions

  • What’s at Stake?
  • Automating FedRAMP CI/CD
  • 4 Challenges to FedRAMP CI/CD Automation
  • FedRAMP CI/CD Framework

Major Challenges

CSP Specific Challenges

  • Parity: Alignment of commercial staff, processes & tools to FedRAMP
  • Speed: Time to market
  • Codebase: Forking of Infrastructure as Code (IaC) and application code to support disparate environments
  • Continuous Deployment vs Continuous Delivery

Challenge 1 – Government Clouds: Assumption vs. Reality

Government Clouds: Reality

  • AWS GovCloud is a physically isolated partition
  • ARNs, VPCs & IAM cannot cross boundaries
  • Plan for code changes and re-architecting efforts
  • Hardcoded configuration
  • Service availability
  • Feature limitations
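The "hardcoded configuration" item is the one that most often surfaces only after the GovCloud fork is attempted: ARNs carry the partition (`arn:aws:` versus `arn:aws-us-gov:`), commercial regions do not exist in the partition, and regionless global endpoints are commercial-only. The following is an added example, not code from the presentation or from Coalfire, of a pipeline lint that flags those assumptions in IaC text before the code is promoted. The Terraform fragments are constructed, and the fix shown relies on the Terraform AWS provider's `aws_partition` and `aws_region` data sources.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int
    kind: str
    text: str


# Regions that belong to the target partition. Only GovCloud is listed here;
# add the commercial or China regions if the same check is reused elsewhere.
PARTITION_REGIONS = {
    "aws-us-gov": {"us-gov-west-1", "us-gov-east-1"},
}

ARN_PARTITION = re.compile(r"arn:([a-z-]+):")
REGION = re.compile(r"\b(?:us|eu|ap|sa|ca|me|af|il)(?:-gov)?-[a-z]+-\d\b")
# A regionless *.amazonaws.com hostname is a commercial global endpoint;
# GovCloud services are reached through regional endpoints only.
GLOBAL_ENDPOINT = re.compile(r"https?://[a-z0-9-]+\.amazonaws\.com\b")


def find_partition_issues(iac_text: str, target_partition: str = "aws-us-gov") -> List[Finding]:
    """Return every line that hardcodes a partition, region or endpoint that
    will not resolve inside the target partition."""
    allowed = PARTITION_REGIONS[target_partition]
    findings: List[Finding] = []
    for n, line in enumerate(iac_text.splitlines(), 1):
        for m in ARN_PARTITION.finditer(line):
            if m.group(1) != target_partition:
                findings.append(Finding(n, "hardcoded_partition", m.group(0)))
        for m in REGION.finditer(line):
            if m.group(0) not in allowed:
                findings.append(Finding(n, "foreign_region", m.group(0)))
        for m in GLOBAL_ENDPOINT.finditer(line):
            findings.append(Finding(n, "global_endpoint", m.group(0)))
    return findings


def build_arn(partition: str, service: str, region: str, account: str, resource: str) -> str:
    """Assemble an ARN from its parts so the partition is never a literal."""
    return f"arn:{partition}:{service}:{region}:{account}:{resource}"


# Constructed Terraform fragment (not from the presentation) with the kind of
# commercial assumptions that break when the code is pointed at GovCloud.
SAMPLE_IAC = """
resource "aws_iam_role_policy" "app" {
  policy = jsonencode({
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject"]
      Resource = "arn:aws:s3:::example-app-artifacts/*"
    }]
  })
}
variable "kms_key" { default = "arn:aws:kms:us-east-1:123456789012:key/abcd" }
locals { sts_endpoint = "https://sts.amazonaws.com" }
"""

# The same fragment rewritten to derive partition and region at plan time via
# the Terraform AWS provider's aws_partition and aws_region data sources.
FIXED_IAC = """
data "aws_partition" "current" {}
data "aws_region" "current" {}
locals {
  artifact_arn = "arn:${data.aws_partition.current.partition}:s3:::example-app-artifacts/*"
  sts_endpoint = "https://sts.${data.aws_region.current.name}.amazonaws.com"
}
"""

if __name__ == "__main__":
    for f in find_partition_issues(SAMPLE_IAC):
        print(f"line {f.line}: {f.kind}: {f.text}")
    print("fixed fragment issues:", find_partition_issues(FIXED_IAC))
```

Run as a pre-commit hook or as the first job of the IaC pipeline so the finding lands with the developer who wrote the literal, while the code is still outside the boundary and cheap to change.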

Challenge 2 – Access Controls

Gray Areas

  • Who can view it? FedRAMP users are subject to guardrails
  • How is it accessed? Systems containing sensitive metadata must reside within the FedRAMP boundary

Sensitive metadata includes:

  • Configuration data (hostnames, IPs, patching level, etc.)
  • Scan data & security documentation
  • Incident response data & tickets with specific system details
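Tickets are the item on this list that most often leak, because they are written by hand and synced to commercial tooling. As an added example (not from the presentation or Coalfire), here is a filter that detects and redacts the metadata classes listed above before a ticket is allowed to leave the boundary. The internal DNS suffixes and the ticket text are constructed; the patterns are a starting point, not an exhaustive definition of sensitive metadata.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical internal DNS suffixes of the FedRAMP environment; the real
# values would come from the boundary's own configuration.
INTERNAL_DOMAINS = ("fed.example.internal", "gov.example.internal")

# One pattern per metadata class from the slide: system identifiers (ARNs),
# hostnames, IPs and patch levels.
PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("arn", re.compile(r"\barn:[a-z-]+:[a-z0-9-]*:[a-z0-9-]*:\d*:[^\s\"']+")),
    ("hostname", re.compile(
        r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:"
        + "|".join(re.escape(d) for d in INTERNAL_DOMAINS) + r")\b",
        re.IGNORECASE)),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("patch_level", re.compile(r"\b(?:kernel|build|patch)\s+\d+(?:[.\-]\w+)+", re.IGNORECASE)),
]


def contains_sensitive(text: str) -> bool:
    """True if the text carries any in-boundary-only metadata."""
    return any(p.search(text) for _, p in PATTERNS)


def redact(text: str) -> Tuple[str, Dict[str, int]]:
    """Replace each class of sensitive metadata with a labelled token and
    report how many substitutions were made per class."""
    counts: Dict[str, int] = {}
    for kind, pattern in PATTERNS:
        text, n = pattern.subn(f"[REDACTED-{kind.upper()}]", text)
        counts[kind] = n
    return text, counts


# Constructed incident ticket text (not a real ticket).
SAMPLE_TICKET = """\
INC-1042: Patch window failed on app-web-02.fed.example.internal (10.12.4.17).
Host still at kernel 5.14.0-427 after reboot; peer 10.12.4.18 patched OK.
KMS key arn:aws-us-gov:kms:us-gov-west-1:123456789012:key/1a2b3c also rotated.
Root cause: expired package mirror credentials. Next step: re-run the playbook."""

if __name__ == "__main__":
    clean, counts = redact(SAMPLE_TICKET)
    print(counts)
    print(clean)
```

The useful deployment is a sync guard: a ticket whose body still returns `contains_sensitive(...) == True` stays inside the boundary, and only the redacted copy is pushed to the commercial tracker. The counts give the SRE team a cheap metric of how much system detail people are putting into tickets.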

Challenge 3 – Change Management

This involves friction in:

  • Developer Experience
  • Release Velocity

Challenge 4 – Limited Tooling

  • FedRAMP Authorized or Self-Hosted
  • FIPS-Validated Cryptographic Modules
  • Functionality: Small Subset of Industry Best-In-Class Tools

Recently Authorized CSOs

  • 03/14/2025 – Atlassian Government Cloud
  • 05/15/2025 – GitLab Dedicated for Government
  • Reduced overhead and management of self-hosted tooling

Automation Framework

Foundational Pillars: Shifting Compliance Left

Compliant IaC

  • Utilize centralized module repository with "building block" reusability in mind
  • Bake security best practices and compliance requirements into modules
  • Integrate vulnerability and compliance scans into pipelines
  • Re-audit usage and feedback cycle

Compliant Applications

  • Utilize feature flags to control FedRAMP app features
  • Integrate vulnerability and compliance scans into pipelines
  • Automate FedRAMP artifact creation

FedRAMP as a Consumer

  • Reduced Access Control: Developers are trained in and think about FedRAMP requirements without direct access to the boundary.
  • Automated Artifacts: FedRAMP-compliant container images and scan artifacts are generated prior to delivery and CCB.
  • In-boundary Initiated Pull: Reduced risk of "grey area" with regard to code, and reduced codebase sprawl
  • Expedited Deployments: Known deployment-ready (vulnerability scanned) images and artifacts.
  • Optimize CCB Timelines: Automated artifacts significantly reduce CCB overhead and approval cycles.
  • Smaller SRE Team: The FedRAMP SRE team drives deployment forward once a change is approved.
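The two halves of this model, the pipeline scan gate from the Compliant IaC and Compliant Applications pillars and the in-boundary initiated pull described here, meet at the artifact. The following is an added example, not code from the presentation or Coalfire, of both sides: the commercial pipeline evaluates scan findings, refuses to offer an image that still carries a 30-day-tier finding, and emits a signed deployment-readiness artifact; the in-boundary side verifies that artifact before pulling. The scanner output shape, the gate policy, the CVE identifiers, the HMAC shared key and the 30-day freshness window are all constructed assumptions; the remediation windows (High 30, Moderate 90, Low 180 days) are the FedRAMP POA&M timelines.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta
from typing import Any, Dict, Tuple

# FedRAMP POA&M remediation windows by severity (High 30, Moderate 90,
# Low 180 days); "critical" and "medium" are mapped onto the same tiers.
REMEDIATION_DAYS = {"critical": 30, "high": 30, "moderate": 90, "medium": 90, "low": 180}
# Example gate policy: anything in the 30-day tier must be fixed outside the
# boundary before an image is offered for pull.
BLOCKING = {"critical", "high"}
# Hypothetical shared key; a real pipeline would use a signing service and a
# key held inside the boundary rather than a literal in code.
SIGNING_KEY = b"example-attestation-key"


def evaluate_scan(scan: Dict[str, Any]) -> Dict[str, Any]:
    """Commercial-side gate: block on 30-day-tier findings, otherwise emit a
    deployment-readiness artifact with a POA&M due date per finding."""
    blocking = [f["id"] for f in scan["findings"] if f["severity"].lower() in BLOCKING]
    if blocking:
        return {"deployable": False, "image": scan["image"], "blocking": blocking}
    scanned = date.fromisoformat(scan["scanned_on"])
    poam = [
        {"id": f["id"], "severity": f["severity"],
         "due": (scanned + timedelta(days=REMEDIATION_DAYS[f["severity"].lower()])).isoformat()}
        for f in scan["findings"]
    ]
    return {"deployable": True, "image": scan["image"],
            "scanned_on": scan["scanned_on"], "poam": poam}


def _canonical(artifact: Dict[str, Any]) -> bytes:
    # Deterministic serialisation so the signature covers exactly the same
    # bytes on both sides of the boundary.
    return json.dumps(artifact, sort_keys=True, separators=(",", ":")).encode()


def sign_artifact(artifact: Dict[str, Any], key: bytes = SIGNING_KEY) -> Dict[str, Any]:
    return {"artifact": artifact,
            "sig": hmac.new(key, _canonical(artifact), hashlib.sha256).hexdigest()}


def verify_for_pull(signed: Dict[str, Any], requested_ref: str, today: str,
                    key: bytes = SIGNING_KEY, max_age_days: int = 30) -> Tuple[bool, str]:
    """In-boundary side: decide whether the SRE team may pull requested_ref.
    The 30-day freshness window is an assumption tied to monthly scanning."""
    artifact = signed["artifact"]
    expected = hmac.new(key, _canonical(artifact), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        return False, "bad signature"
    if not artifact.get("deployable"):
        return False, "artifact marks image as not deployable"
    if "@sha256:" not in requested_ref:
        return False, "pull must be by digest, not tag"
    if requested_ref != artifact["image"]:
        return False, "requested digest is not the scanned image"
    age = (date.fromisoformat(today) - date.fromisoformat(artifact["scanned_on"])).days
    if age > max_age_days:
        return False, f"scan artifact is {age} days old"
    return True, "ok"


# Constructed scanner output in a simplified, scanner-agnostic shape.
SAMPLE_SCAN = {
    "image": "registry.example.com/app@sha256:" + "ab" * 32,
    "scanned_on": "2025-06-01",
    "findings": [
        {"id": "CVE-EXAMPLE-0001", "severity": "medium", "package": "libfoo"},
        {"id": "CVE-EXAMPLE-0002", "severity": "low", "package": "libbar"},
    ],
}

if __name__ == "__main__":
    signed = sign_artifact(evaluate_scan(SAMPLE_SCAN))
    print(verify_for_pull(signed, SAMPLE_SCAN["image"], "2025-06-20"))
    print(verify_for_pull(signed, "registry.example.com/app:latest", "2025-06-20"))
```

Two design choices carry the security value: the pull is allowed only by digest and only when that digest is the one the artifact was produced for, so a floating tag cannot substitute an unscanned build; and the artifact itself is what goes to the CCB, which is where the reduced approval overhead on this slide comes from.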

Conclusion: Automating FedRAMP CI/CD

  • CI/CD is achievable in FedRAMP with minor adjustments to staff, processes & tooling
  • Commercial application code SDLC can remain untouched, allowing for development outside of the boundary
  • Move with similar velocity to commercial while achieving FedRAMP compliance

Breakdown of CI/CD in FedRAMP:

  • Build: Shift compliance left into commercial SDLC. Remediate vulnerabilities outside of boundary.
  • Deploy: Automated deployment allows for a small FedRAMP SRE team. Portable code allows development to occur outside of the boundary.
  • Release: Automate compliance artifact creation. Continue to iterate on friction points.
