UIAO Compliance Mapping and Gap Analysis
Compliance mapping against federal cybersecurity frameworks
Classification: Controlled Boundary GCC-Moderate
Version: 1.0
Date: April 2026
Author: Michael Stratton
Repository: https://github.com/WhalerMike/uiao
Table of Contents
Executive Summary
Framework Overview
NIST SP 800-53 Rev 5
FedRAMP Rev 5 Moderate Baseline
FedRAMP 20x
CISA Binding Operational Directives
OMB M-22-09 — Federal Zero Trust Strategy
Document-by-Document Compliance Mapping
Control Family Coverage Matrix
CISA Directive Alignment Assessment
FedRAMP 20x Alignment Assessment
Gap Analysis Summary and Remediation Roadmap
Compliance Inheritance Model
Conclusion
Appendices
NIST 800-53 Rev 5 Control Family Quick Reference
Federal Directive Quick Reference
Document-to-Control-Family Traceability Matrix
1. Executive Summary
This document provides a systematic compliance review of the 23-document UIAO Governance OS corpus and 11 code artifacts against five federal cybersecurity frameworks. The analysis evaluates the degree to which existing UIAO documentation and tooling address federal compliance requirements, identifies coverage gaps, and recommends a prioritized remediation roadmap to achieve comprehensive alignment.
The five frameworks assessed are:
NIST SP 800-53 Rev 5 (Release 5.2.0, August 2025) — 20 control families, 323 controls at FedRAMP Moderate
FedRAMP Rev 5 Moderate Baseline — 323 controls across 18 assessed families
FedRAMP 20x — Automation-first authorization with machine-readable evidence and Key Security Indicators (KSIs)
CISA Binding Operational Directives — BOD 22-01 (KEV), BOD 23-01 (Asset Visibility), BOD 25-01 (SCuBA/M365 Baselines)
OMB M-22-09 — Federal Zero Trust Strategy (phishing-resistant MFA, EDR, encrypted traffic, identity-centric access)
Key Finding: UIAO documents address 16 of 20 NIST 800-53 control families with varying depth. Four families have no coverage: AT (Awareness and Training), MP (Media Protection), PE (Physical and Environmental Protection), and PS (Personnel Security). Of the 323 FedRAMP Moderate controls, approximately 187 (~58%) are directly addressed or facilitated by UIAO artifacts.
The remaining 136 controls fall into three categories:
Not applicable to SaaS — PE/MP physical controls (~26 controls) inherited from Microsoft's GCC-Moderate infrastructure
Organizational/procedural controls requiring agency-specific policy — AT, PS, PL (~23 controls) requiring dedicated program documentation
Genuine gaps requiring new or amended documents — (~87 controls) addressable through targeted document creation and amendments
UIAO's Git-based governance pipeline positions it strongly for FedRAMP 20x alignment. The governance-as-code approach — where Git hooks enforce classification boundaries, drift detection provides continuous monitoring, and assessment modules generate machine-readable evidence — directly aligns with FedRAMP 20x's vision of continuous validation over point-in-time assessments. Seven new documents and approximately 12 document amendments are recommended to close the identified gaps.
2. Framework Overview
2.1 NIST SP 800-53 Rev 5
NIST Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, is the foundational control catalog for all federal information systems. Release 5.2.0, published on August 27, 2025, introduced new controls SA-15(13) (Development Process, Standards, and Tools — Automated Analysis of Software), SA-24 (System Provenance), and SI-02(07) (Flaw Remediation — Automated Detection and Notification), reflecting the evolving threat landscape around software supply chain integrity and vulnerability management.
The 20 control families and their FedRAMP Moderate control counts are as follows:
| Code | Family Name | Moderate Count |
|---|---|---|
| AC | Access Control | 43 |
| AT | Awareness and Training | 6 |
| AU | Audit and Accountability | 16 |
| CA | Assessment, Authorization, and Monitoring | 14 |
| CM | Configuration Management | 27 |
| CP | Contingency Planning | 23 |
| IA | Identification and Authentication | 27 |
| IR | Incident Response | 17 |
| MA | Maintenance | 10 |
| MP | Media Protection | 7 |
| PE | Physical and Environmental Protection | 19 |
| PL | Planning | 7 |
| PM | Program Management | Not baselined at Moderate (recommended) |
| PS | Personnel Security | 10 |
| PT | PII Processing and Transparency | Not baselined at Moderate |
| RA | Risk Assessment | 11 |
| SA | System and Services Acquisition | 20 |
| SC | System and Communications Protection | 29 |
| SI | System and Information Integrity | 24 |
| SR | Supply Chain Risk Management | 12 |
Total at Moderate: 322–323 controls (varies by counting of enhancements). NIST 800-53 Rev 5 decoupled controls from specific impact baselines, allowing organizations to tailor control selection. FedRAMP maintains its own baselines derived from NIST selections.
2.2 FedRAMP Rev 5 Moderate Baseline
The FedRAMP Rev 5 Moderate Baseline is the compliance standard for cloud service providers (CSPs) handling Controlled Unclassified Information (CUI) at moderate impact level. The baseline encompasses 323 controls drawn from NIST 800-53 Rev 5, representing the security requirements that a CSP must implement, document, and maintain to achieve a FedRAMP Moderate Authority to Operate (ATO).
FedRAMP Rev 5 added no new controls beyond the NIST baselines but aligned more closely with the NIST catalog structure. The most significant addition was the inclusion of the Supply Chain Risk Management (SR) family, reflecting federal emphasis on software supply chain integrity following Executive Order 14028. FedRAMP also standardized parameter values for controls where NIST left organization-defined parameters open, ensuring consistency across CSP implementations.
The Moderate baseline is the most commonly pursued FedRAMP authorization level, applicable to systems where the loss of confidentiality, integrity, or availability would have a serious adverse effect on organizational operations, assets, or individuals. GCC-Moderate environments, such as the one UIAO targets, must demonstrate compliance with this baseline.
2.3 FedRAMP 20x
FedRAMP 20x represents a fundamental transformation of the federal cloud authorization process, shifting from document-heavy, point-in-time assessments to continuous, automation-first validation with machine-readable evidence. The program has progressed through two phases:
Phase 1 (completed September 2025): 12 Low-impact pilot authorizations were completed, validating the core FedRAMP 20x concepts in a controlled environment.
Phase 2 (began November 2025): Expansion to Moderate-impact systems and broader CSP participation, with refined processes based on Phase 1 lessons learned.
Key concepts underpinning FedRAMP 20x include:
Trust Centers: Public-facing portals where CSPs publish their security posture, control implementations, and continuous monitoring data in machine-readable formats. Trust Centers replace static System Security Plans with living, queryable security documentation.
Key Security Indicators (KSIs): Quantifiable, automated metrics that demonstrate ongoing compliance. KSIs replace periodic manual assessments with continuous, machine-readable evidence streams.
Vulnerability Detection and Response (VDR): Automated vulnerability management workflows with defined SLAs for detection, triage, and remediation. VDR replaces point-in-time scan reports with continuous vulnerability monitoring.
Significant Change Notification (SCN): Formalized processes for notifying stakeholders of material changes to the security posture, replacing the traditional Significant Change Request process.
UIAO's Git-based governance pipeline is inherently aligned with the FedRAMP 20x philosophy. The governance-as-code approach, where policy definitions are version-controlled, changes are gated through automated hooks, and drift detection provides continuous monitoring, maps directly to FedRAMP 20x's core requirements.
2.4 CISA Binding Operational Directives
BOD 22-01 — Reducing the Significant Risk of Known Exploited Vulnerabilities
Requires federal agencies to remediate CISA-cataloged Known Exploited Vulnerabilities (KEV) within specified timelines. Applies to all software and hardware products on federal information systems. KEV catalog entries include specific remediation deadlines, and agencies must track and report compliance. As of early 2026, the KEV catalog contains over 1,100 entries spanning commercial software, operating systems, network devices, and application frameworks.
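The BOD 22-01 obligation described above is a data-matching problem: each finding on an agency asset is checked against the KEV catalog and its remediation deadline. The following added example (not part of the UIAO corpus or its PowerShell modules) evaluates constructed findings against a constructed catalog excerpt; the field names cveID, dueDate and requiredAction follow the public KEV JSON feed as assumed here, and the CVE identifiers are placeholders.

```python
"""BOD 22-01 remediation status: cross-reference findings against a KEV catalog excerpt."""
from dataclasses import dataclass, asdict
from datetime import date
from typing import Optional
import json

# Constructed KEV catalog excerpt, shaped like the public feed's "vulnerabilities" list.
# CVE identifiers are placeholders, not real catalog entries.
KEV_EXCERPT = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleApp",
         "dateAdded": "2026-01-05", "dueDate": "2026-01-26",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleGateway",
         "dateAdded": "2026-01-20", "dueDate": "2026-02-10",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ]
}

# Constructed findings, as an assessment module might emit them (asset, CVE, remediation state).
FINDINGS = [
    {"asset": "SRV-GIT-01", "cve": "CVE-0000-0001", "remediated": False},
    {"asset": "SRV-GIT-02", "cve": "CVE-0000-0001", "remediated": True},
    {"asset": "FW-EDGE-01", "cve": "CVE-0000-0002", "remediated": False},
    {"asset": "SRV-DNS-01", "cve": "CVE-0000-0099", "remediated": False},
]


@dataclass
class KevStatus:
    asset: str
    cve: str
    status: str                      # compliant | open | overdue | not-in-kev
    due_date: Optional[str]
    days_delta: Optional[int]        # positive = days overdue, negative = days remaining
    required_action: Optional[str]


def index_kev(catalog: dict) -> dict:
    """Index the catalog by CVE so each finding is a dictionary lookup."""
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def evaluate(findings: list, catalog: dict, today: date) -> list:
    """Assign a BOD 22-01 status to every finding relative to the catalog due date."""
    kev = index_kev(catalog)
    results = []
    for finding in findings:
        entry = kev.get(finding["cve"])
        if entry is None:
            # Not a KEV entry: tracked under normal vulnerability management, not BOD 22-01.
            results.append(KevStatus(finding["asset"], finding["cve"], "not-in-kev", None, None, None))
            continue
        due = date.fromisoformat(entry["dueDate"])
        delta = (today - due).days
        if finding["remediated"]:
            status = "compliant"
        elif delta > 0:
            status = "overdue"
        else:
            status = "open"
        results.append(KevStatus(finding["asset"], finding["cve"], status,
                                 entry["dueDate"], delta, entry["requiredAction"]))
    return results


def summarize(results: list) -> dict:
    """Count findings per status for the agency's tracking report."""
    counts = {}
    for result in results:
        counts[result.status] = counts.get(result.status, 0) + 1
    return counts


def to_jsonl(results: list) -> str:
    """Machine-readable evidence, one record per line."""
    return "\n".join(json.dumps(asdict(r), sort_keys=True) for r in results)


if __name__ == "__main__":
    report = evaluate(FINDINGS, KEV_EXCERPT, date(2026, 2, 1))
    print(to_jsonl(report))
    print(summarize(report))
```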
BOD 23-01 — Improving Asset Visibility and Vulnerability Detection on Federal Networks
Requires automated asset discovery every 7 days and vulnerability enumeration every 14 days for all network-addressable IP-based assets. Agencies must maintain a current, comprehensive inventory of networked assets and be able to detect and report vulnerabilities on those assets at the required frequencies. The directive applies to all IPv4 and IPv6 addressable assets, including on-premises, cloud-hosted, and remotely managed devices.
BOD 25-01 — Implementing Secure Practices for Cloud Services (SCuBA)
Mandates implementation of SCuBA (Secure Cloud Business Applications) Secure Configuration Baselines for Microsoft 365 environments. Agencies are required to deploy the ScubaGear assessment tool, establish continuous compliance reporting, and remediate deviations from established baselines. The directive covers seven specific M365 product areas:
Microsoft Entra ID (Azure Active Directory)
Exchange Online
SharePoint Online
OneDrive for Business
Microsoft Teams
Power Platform
Microsoft Defender
2.5 OMB M-22-09 — Federal Zero Trust Strategy
OMB Memorandum M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, establishes the federal Zero Trust Architecture (ZTA) strategy organized around five pillars:
| Pillar | Key Requirements |
|---|---|
| Identity | Phishing-resistant MFA for all users, centralized identity management, enterprise-wide identity lifecycle governance |
| Devices | Complete asset inventory, Endpoint Detection and Response (EDR) deployment on all managed endpoints, device compliance verification |
| Networks | All HTTP traffic encrypted (internal and external), DNS traffic encrypted where possible, network microsegmentation |
| Applications | Application-layer access controls, application inventorying, internet-accessible applications tested regularly |
| Data | Data categorization and labeling, automated data discovery, encryption of data at rest and in transit, DLP implementation |
The original implementation deadline was FY2024. Agencies continue implementation under CISA oversight, with significant progress in Identity and Device pillars. The Networks and Data pillars remain the most challenging for most agencies, requiring infrastructure modernization and organizational change.
3. Document-by-Document Compliance Mapping
This section provides a detailed compliance assessment for each of the 23 UIAO Governance OS documents and 7 code artifact groups. Each subsection identifies the applicable NIST 800-53 controls, CISA BOD alignment, OMB M-22-09 pillar alignment, FedRAMP 20x indicators, specific gaps, and recommended amendments.
Foundation Layer Documents
3.1 AD Computer Object Conversion Guide
Description: Provides procedures for converting Active Directory computer objects from on-premises domain-joined to cloud-managed (Entra ID joined or hybrid joined) configurations. Covers object lifecycle from legacy AD to modern management.
NIST 800-53 Controls Addressed:
BOD 23-01 Alignment: Supports asset visibility through AD object enumeration. Computer object inventory directly contributes to the 7-day asset discovery requirement.
OMB M-22-09 Alignment: Devices pillar — supports transition to cloud-managed device identity.
FedRAMP 20x Alignment: Object conversion procedures could generate machine-readable migration evidence.
Gaps: No explicit mapping to CM baseline configurations per CIS benchmarks. No verification procedure confirming successful conversion. No rollback procedure if conversion fails.
Recommended Amendments: Add CIS benchmark cross-reference table for target configurations. Add post-conversion validation checklist.
3.2 Git on Windows Server 2025 with IIS — Step-by-Step Implementation Guide
Description: Comprehensive implementation guide for deploying Git server infrastructure on Windows Server 2025 with IIS as a reverse proxy, including TLS configuration, security headers, and service hardening.
NIST 800-53 Controls Addressed:
BOD Alignment: Limited direct BOD applicability; infrastructure supports BOD 23-01 asset visibility indirectly by hosting governance data.
OMB M-22-09 Alignment: Networks pillar — TLS encryption for HTTP traffic.
FedRAMP 20x Alignment: Infrastructure foundation for governance pipeline; supports Trust Center hosting.
Gaps: No FIPS 140-2/140-3 validated cryptography statement. No certificate lifecycle management procedure. No TLS version pinning (should enforce TLS 1.2+ only). No cipher suite specification.
Recommended Amendments: Add FIPS 140 compliance statement. Add certificate renewal and lifecycle management section. Specify minimum TLS version and approved cipher suites.
3.3 UIAO Git Server — Windows Server 2025 with IIS (UIAO-Specific)
Description: UIAO-specific Git server deployment guide extending the generic implementation with organization-specific configurations, service accounts, authentication policies, and access controls.
NIST 800-53 Controls Addressed:
OMB M-22-09 Alignment: Identity pillar — authentication requirements for Git access.
Gaps: No explicit MFA requirement for Git administrative access documented. No service account review schedule. No privileged access monitoring.
Recommended Amendments: Document MFA enforcement for all administrative Git operations. Add service account review procedures per AC-2(3).
3.4 UIAO Git Infrastructure — Architecture Decision Record
Description: Architecture Decision Record documenting the rationale for Git infrastructure design choices, including active-passive replication topology, technology selection, and availability strategy.
NIST 800-53 Controls Addressed:
FedRAMP 20x Alignment: ADRs provide transparent, version-controlled decision documentation aligned with Trust Center concepts.
Gaps: No formal risk acceptance or Authority to Operate (ATO) language. No threat model reference. No security requirements traceability.
Recommended Amendments: Add formal ATO language and risk acceptance documentation. Reference applicable threat models.
Platform Layer Documents
3.5 UIAO Platform Server Build Guide
Description: Standardized build procedures for Windows Server 2025 platforms hosting UIAO infrastructure, including OS hardening, role installation, and security configuration baselines.
NIST 800-53 Controls Addressed:
OMB M-22-09 Alignment: Devices pillar — server hardening contributes to trusted device posture.
Gaps: No STIG (Security Technical Implementation Guide) or CIS benchmark cross-reference for Windows Server 2025. No SCAP scanning procedure. No hardening verification checklist.
Recommended Amendments: Add STIG/CIS benchmark cross-reference table. Add SCAP scanning procedure for baseline verification. Document hardening validation steps.
3.6 UIAO CLI and Operations Guide
Description: Reference guide for UIAO command-line interface operations, including command syntax, operational procedures, and logging configuration.
NIST 800-53 Controls Addressed:
Gaps: No separation of duties enforcement documented for CLI operations. No command authorization levels defined. No session recording requirement.
Recommended Amendments: Document role-based CLI access levels. Add separation of duties requirements for critical operations.
Assessment Layer Documents
3.7 UIAO Active Directory Interaction Guide
Description: Procedures for UIAO's interaction with Active Directory for assessment, enumeration, and data collection purposes. Covers query methodologies, data schemas, and interaction patterns.
NIST 800-53 Controls Addressed:
BOD 23-01 Alignment: Directly supports asset discovery and vulnerability enumeration requirements through AD object enumeration.
Gaps: No automated scan scheduling per BOD 23-01 14-day cycle. No data classification for collected AD data.
Recommended Amendments: Add automated scheduling guidance for recurring assessments. Document data handling classification for assessment output.
3.8 UIAO Read-Only AD Assessment Guide
Description: Comprehensive guide for conducting Active Directory assessments using only read-only permissions. Documents the 18-point preflight access test and demonstrates that ~87% assessment coverage is achievable with Authenticated Users permissions alone.
NIST 800-53 Controls Addressed:
BOD 23-01 Alignment: Provides automated asset discovery capability meeting the 7-day discovery cycle requirement.
OMB M-22-09 Alignment: Identity pillar — identity infrastructure assessment capability.
Gaps: No formal assessment schedule defined. No integration with CDM (Continuous Diagnostics and Mitigation) infrastructure. No assessment output retention policy.
Recommended Amendments: Define recurring assessment schedule. Document CDM integration pathway. Add data retention requirements for assessment artifacts.
3.9 UIAO vs Microsoft Native Tools Gap Analysis
Description: Comparative analysis positioning UIAO as a complementary orchestration layer above Microsoft native tools (Entra ID, Intune, Defender, Purview). Demonstrates that Microsoft native tools cover approximately 22% of UIAO's governance surface.
NIST 800-53 Controls Addressed:
FedRAMP 20x Alignment: Validates the need for governance orchestration above native tooling; supports Trust Center differentiation.
Gaps: No formal third-party service risk assessment per SA-9. No dependency mapping for Microsoft service outages.
Recommended Amendments: Add formal SA-9 external service risk assessment. Document Microsoft service dependency matrix with contingency procedures.
Modernization Layer Documents
3.10 UIAO Identity Modernization Guide (AD → Entra ID)
Description: Comprehensive migration guide for transitioning identity management from on-premises Active Directory to Microsoft Entra ID, covering authentication modernization, conditional access, and passwordless adoption.
NIST 800-53 Controls Addressed:
OMB M-22-09 Alignment: Identity pillar — Strong alignment. Directly addresses phishing-resistant MFA migration, centralized identity management, and passwordless authentication. This is the single strongest OMB M-22-09 document in the UIAO corpus.
BOD 25-01 Alignment: Entra ID configuration aligns with SCuBA Entra ID baselines.
Gaps: No explicit FIDO2/PIV/CAC mapping to IA-2(6) phishing-resistant requirements. No privileged access workstation (PAW) guidance. No identity proofing procedure per IA-12.
Recommended Amendments: Add FIDO2/PIV/CAC implementation section with IA-2(6) cross-reference. Add PAW deployment guidance for privileged administrators. Document identity proofing standards.
3.11 UIAO DNS Modernization Guide (AD DNS → Azure DNS)
Description: Migration guide for transitioning DNS services from Active Directory-integrated DNS to Azure DNS, including DNSSEC assessment and DNS security evaluation.
NIST 800-53 Controls Addressed:
OMB M-22-09 Alignment: Networks pillar — DNS encryption and integrity.
Gaps: No DNSSEC implementation plan (assessment only — does not address SC-20 implementation). No DNS logging to SIEM integration documented. No DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) guidance.
Recommended Amendments: Add DNSSEC implementation plan. Document DNS query logging and SIEM integration procedures. Address encrypted DNS protocols.
3.12 UIAO PKI Modernization Guide (ADCS → Cloud PKI)
Description: Migration guide for transitioning from on-premises Active Directory Certificate Services (ADCS) to cloud-based PKI, including ESC1-ESC8 vulnerability detection for ADCS environments.
NIST 800-53 Controls Addressed:
BOD 22-01 Alignment: ESC1-ESC8 vulnerability detection directly addresses BOD 22-01 by identifying known exploitable PKI misconfigurations that may appear in the KEV catalog.
Gaps: No FIPS 140-2/140-3 validation requirement stated. No certificate transparency logging. No HSM (Hardware Security Module) guidance for CA key protection. No certificate revocation monitoring.
Recommended Amendments: Add FIPS 140-2/140-3 compliance requirements. Document HSM requirements for root and issuing CA keys. Add certificate transparency and revocation monitoring procedures.
Planning and Policy Layer Documents
3.13 UIAO Master Project Plan
Description: Comprehensive project plan covering 7 phases, 48 milestones, and a 52-week timeline for the complete UIAO governance modernization initiative.
NIST 800-53 Controls Addressed:
FedRAMP 20x Alignment: Phased migration approach supports iterative authorization.
Gaps: No explicit POA&M template. No milestone-to-control-family traceability matrix. No risk register. No resource allocation for compliance activities.
Recommended Amendments: Add POA&M template appendix. Create milestone-to-control-family traceability matrix. Add risk register with risk ratings and mitigation strategies.
3.14 UIAO Conditional Access Policy Library
Description: Library of 30+ Conditional Access policies with explicit NIST 800-53 control mappings, covering user authentication, device compliance, application access, and risk-based access decisions.
NIST 800-53 Controls Addressed:
OMB M-22-09 Alignment: Identity and Devices pillars — Strong alignment. Directly addresses phishing-resistant MFA and device compliance requirements.
BOD 25-01 Alignment: CA policies implement SCuBA Entra ID baselines for conditional access configuration.
FedRAMP 20x Alignment: Machine-readable policy definitions could serve as Key Security Indicators (KSIs). Policy-as-code approach aligns with automation-first philosophy.
Gaps: No Conditional Access policy for compliant/managed device enforcement (OMB M-22-09 Device pillar). No policy versioning or change tracking procedure. No policy effectiveness measurement.
Recommended Amendments: Add device compliance enforcement policy. Document policy change management procedure. Add policy effectiveness metrics and review schedule.
3.15 UIAO Intune Policy Templates
Description: Comprehensive library of Intune management policies including 5 compliance policies, 10 Settings Catalog profiles, 6 Endpoint Security profiles, and 2 App Protection policies with CIS Benchmark mappings.
NIST 800-53 Controls Addressed:
OMB M-22-09 Alignment: Devices pillar — Strong alignment. EDR deployment via Endpoint Security profiles. Device compliance verification.
BOD 25-01 Alignment: Supports M365 configuration baseline enforcement through Intune-managed device compliance.
Gaps: No STIG mapping (CIS only). No automated compliance drift alerting integrated with Intune. No application control policies (allowlisting).
Recommended Amendments: Add STIG cross-reference mappings alongside CIS. Integrate Intune compliance drift alerting with governance dashboard. Add application control (WDAC) policy templates.
3.16 UIAO Azure Arc Policy Library
Description: Azure Arc policy definitions extending cloud governance controls to on-premises and hybrid servers, enabling unified policy enforcement across the estate.
NIST 800-53 Controls Addressed:
OMB M-22-09 Alignment: Devices pillar — extends device management to non-cloud resources.
Gaps: No Arc-to-NIST control family cross-reference table. No Arc policy compliance reporting procedure. No remediation workflow for non-compliant Arc resources.
Recommended Amendments: Add NIST control family cross-reference. Document compliance reporting and remediation procedures.
Reference Layer
3.17 UIAO PowerShell Module Reference
Description: Technical reference documentation for 41 functions across 8 PowerShell modules, providing the automation foundation for UIAO governance operations.
NIST 800-53 Controls Addressed:
FedRAMP 20x Alignment: Documented automation functions could generate KSI evidence.
Gaps: No secure coding standards reference. No code signing procedure. No module integrity verification (hash/signature validation). No dependency documentation.
Recommended Amendments: Add secure coding standards reference section. Document code signing and module integrity verification procedures. Add dependency manifest.
Infrastructure and Operations Layer
3.18 UIAO Active-Passive Git Replication Guide
Description: Implementation guide for active-passive Git replication topology, providing high availability for the governance repository without the split-brain risks of active-active configurations.
NIST 800-53 Controls Addressed:
Gaps: No replication monitoring/alerting procedure. No failover test schedule. No data-in-transit encryption verification for replication. No replication lag SLA.
Recommended Amendments: Add replication health monitoring and alerting. Define failover testing schedule (recommend quarterly). Document encryption verification for replication traffic.
3.19 UIAO Governance Dashboard Design
Description: Design specification for the UIAO governance dashboard, covering 7 dashboard pages with OJS/D3 visualization specifications for governance metrics, compliance posture, and operational status.
NIST 800-53 Controls Addressed:
FedRAMP 20x Alignment: Strong alignment. Dashboard could serve as Trust Center foundation, providing public-facing security posture visibility.
Gaps: No role-based access control for dashboard viewers. No data retention policy for dashboard metrics. No dashboard availability SLA.
Recommended Amendments: Implement role-based dashboard access. Define data retention requirements. Add dashboard as Trust Center candidate for FedRAMP 20x.
3.20 UIAO Quarto Pipeline Integration Guide
Description: Integration guide for the Quarto-based documentation pipeline, covering 124+ QMD files, GitHub Actions CI/CD, and automated governance document generation from canonical sources.
NIST 800-53 Controls Addressed:
FedRAMP 20x Alignment: Strong alignment. CI/CD pipeline generates machine-readable governance artifacts, directly supporting KSI generation and Trust Center content.
Gaps: No pipeline integrity verification (supply chain protection for CI). No artifact signing. No pipeline access control documentation.
Recommended Amendments: Add pipeline integrity verification with checksum validation. Implement artifact signing for generated documents. Document pipeline access controls and approval workflows.
3.21 UIAO Disaster Recovery Playbook
Description: Operational disaster recovery playbook covering 8 failure scenarios, RPO/RTO matrix, and 5 backup scripts for UIAO infrastructure recovery.
NIST 800-53 Controls Addressed:
Gaps: No Business Impact Analysis (BIA) referenced. No alternate site contact information. No annual DR test requirement documented. No communication plan for stakeholders during DR events. No maximum tolerable downtime (MTD) definitions.
Recommended Amendments: Add BIA reference or appendix. Document annual DR test requirement with success criteria. Add stakeholder communication plan and escalation procedures.
3.22 UIAO Operations Runbook
Description: Operational runbook covering 14 scheduled tasks, daily health checks, incident response procedures, and routine maintenance operations for the UIAO platform.
NIST 800-53 Controls Addressed:
Gaps: No formal Change Advisory Board (CAB) process. No maintenance window policy. No incident severity classification matrix. No escalation matrix with contact information.
Recommended Amendments: Add CAB process and change approval workflow. Define maintenance windows and notification procedures. Add incident severity classification matrix with escalation paths.
3.23 UIAO End User Training Guide
Description: End user training material covering passwordless setup, OneDrive Known Folder Move (KFM), Conditional Access user experience, and 15+ frequently asked questions.
NIST 800-53 Controls Addressed:
OMB M-22-09 Alignment: Addresses user adoption of zero trust controls (passwordless, conditional access).
Gaps: Covers end user training only — no security awareness training for IT staff, administrators, or privileged users. No training completion tracking mechanism. No phishing simulation program. No annual refresher requirement. No training effectiveness measurement.
Recommended Amendments: Add IT staff and administrator security training modules. Implement training completion tracking. Add phishing simulation program guidance. Define annual refresher requirements per AT-2.
Code Artifacts Compliance Mapping
3.24 PowerShell Assessment Modules (UIAOADAssessment, UIAODNSAssessment, UIAOPKIAssessment, UIAOReadOnlyAssessment, UIAOIdentityAssessment) Description: Five PowerShell assessment modules providing automated security assessment capabilities across Active Directory, DNS, PKI (ADCS), read-only AD queries, and Entra ID identity configurations. NIST 800-53 Controls Addressed:
BOD 23-01 Alignment: Automated asset discovery and vulnerability enumeration directly support 7-day and 14-day cycle requirements. BOD 22-01 Alignment: ESC1-ESC8 detection identifies known exploitable conditions that may correspond to KEV catalog entries. Gaps: No code signing. No module integrity hash published. No SCAP/OVAL integration. No vulnerability severity scoring (CVSS). Recommended Enhancements: Implement Authenticode code signing. Publish SHA-256 integrity hashes. Add SCAP/OVAL output format support. |
3.25 UIAOImportAdapters Module Description: Data import module providing adapters for Azure Migrate, GPO Analytics, Microsoft Defender, ScubaGear, and Nessus assessment outputs. Normalizes external assessment data into UIAO's governance data model. NIST 800-53 Controls Addressed:
BOD 25-01 Alignment: ScuBA import adapter directly consumes ScubaGear output, supporting SCuBA baseline compliance monitoring. Gaps: No input validation against OSCAL schema. No data sanitization documentation. No adapter health/status monitoring. Recommended Enhancements: Add OSCAL schema validation for imported data. Document data sanitization procedures. Add adapter health monitoring and error reporting. |
3.26 UIAOPlanGenerators Module Description: Automated plan generation module producing migration plans per domain (Computer, GPO, Identity, DNS, PKI) based on assessment outputs. NIST 800-53 Controls Addressed:
Gaps: No POA&M format compliance with FedRAMP template. No plan approval workflow. No plan revision tracking. Recommended Enhancements: Add FedRAMP-compliant POA&M output format. Implement plan approval metadata. Add revision history tracking. |
3.27 UIAODriftDetection Module Description: Core continuous monitoring module providing deep JSON diff with severity scoring, scheduled drift detection, and webhook alert delivery for governance configuration changes. NIST 800-53 Controls Addressed:
FedRAMP 20x Alignment: Core capability for continuous validation and KSI generation. Severity-scored drift reports directly map to FedRAMP 20x's machine-readable evidence requirements. BOD 25-01 Alignment: Could generate SCuBA compliance drift reports for M365 baseline configurations. Gaps: No integration with CISA CDM infrastructure. No OSCAL-formatted output. No drift resolution SLA definitions. Recommended Enhancements: Add OSCAL output format. Document CDM data feed integration. Define drift resolution SLAs by severity tier. |
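The "deep JSON diff with severity scoring" that 3.27 describes is the mechanism that turns a configuration snapshot pair into machine-readable drift evidence. The block below is an added illustration written for this review, not the UIAODriftDetection module: it diffs two constructed Conditional Access style policy snapshots and scores each drift record with assumed severity rules (policy removed = critical, state or grant-control change = high, exclusion-list or new-policy change = medium, anything else = low).

```python
"""Deep JSON diff with severity scoring over governance configuration snapshots."""
import json

# Constructed baseline snapshot: what the approved canon says the tenant should look like.
BASELINE = {
    "policies": {
        "CA001-Require-MFA-All-Users": {
            "state": "enabled",
            "conditions": {"users": {"include": ["All"], "exclude": ["BreakGlass"]}},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        },
        "CA002-Block-Legacy-Auth": {
            "state": "enabled",
            "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
            "grantControls": {"operator": "OR", "builtInControls": ["block"]},
        },
    }
}

# Constructed current snapshot containing four drift events:
# CA001 downgraded to report-only, a new exclusion added, CA002 deleted, CA003 added unreviewed.
CURRENT = {
    "policies": {
        "CA001-Require-MFA-All-Users": {
            "state": "enabledForReportingButNotEnforced",
            "conditions": {"users": {"include": ["All"], "exclude": ["BreakGlass", "Contractors"]}},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        },
        "CA003-Require-Compliant-Device": {
            "state": "enabled",
            "conditions": {"users": {"include": ["All"]}},
            "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
        },
    }
}

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
POLICY_DEPTH = 2  # a path like /policies/<name> identifies a whole policy


def deep_diff(before, after, path=""):
    """Walk both documents and emit added/removed/changed records with JSON-pointer paths.
    Dicts are recursed into; lists and scalars are compared as whole values."""
    records = []
    if isinstance(before, dict) and isinstance(after, dict):
        for key in sorted(set(before) | set(after)):
            sub = f"{path}/{key}"
            if key not in after:
                records.append({"op": "removed", "path": sub, "before": before[key], "after": None})
            elif key not in before:
                records.append({"op": "added", "path": sub, "before": None, "after": after[key]})
            else:
                records.extend(deep_diff(before[key], after[key], sub))
    elif before != after:
        records.append({"op": "changed", "path": path, "before": before, "after": after})
    return records


def score(op, path):
    """Assumed severity rules keyed on where in the policy tree the drift occurred."""
    parts = path.strip("/").split("/")
    if len(parts) == POLICY_DEPTH and parts[0] == "policies":
        return "critical" if op == "removed" else "medium"   # whole policy gone vs. unreviewed addition
    if parts[-1] == "state" or "grantControls" in parts:
        return "high"
    if parts[-1] == "exclude":
        return "medium"
    return "low"


def detect_drift(baseline, current):
    """Severity-scored drift records, highest severity first, then by path."""
    records = deep_diff(baseline, current)
    for record in records:
        record["severity"] = score(record["op"], record["path"])
    records.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], r["path"]))
    return records


def to_jsonl(records):
    """One JSON object per line, ready for the audit log or a webhook body."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    print(to_jsonl(detect_drift(BASELINE, CURRENT)))
```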
3.28 Gitea Configuration (app.ini)
Description: Gitea application configuration file defining authentication methods, access controls, password policies, and repository management settings.
NIST 800-53 Controls Addressed:
Gaps:
No FIPS mode configuration
No session timeout explicitly mapped to AC-12
No account lockout policy after failed attempts
Recommended Amendments:
Add FIPS mode configuration directive
Map session timeout to AC-12
Add account lockout configuration
3.29 IIS web.config
Description: IIS web server configuration implementing HTTPS redirection, HSTS enforcement, security headers, and custom error handling for the Git server frontend.
NIST 800-53 Controls Addressed:
Gaps:
No TLS version pinning (should enforce TLS 1.2+ only)
No cipher suite specification
No request size limits for DoS mitigation
Recommended Amendments:
Add TLS 1.2+ enforcement
Specify approved cipher suites
Add request throttling configuration
3.30 Git Governance Hooks (pre-receive, post-receive, update)
Description: Git server-side hooks enforcing governance rules including branch protection, PR-only merges, JSONL audit logging, classification boundary enforcement (GCC-Moderate), and canon change detection.
NIST 800-53 Controls Addressed:
FedRAMP 20x Alignment: Strong alignment. Git hooks provide automated governance gates — machine-readable enforcement of compliance rules at the point of change.
Gaps:
No hook integrity verification (the hook files themselves could be tampered with)
No alerting on hook bypass attempts
No hook version management
Recommended Amendments:
Add hook integrity verification mechanism (hash validation)
Implement bypass attempt detection and alerting
Add hook version tracking
4. Control Family Coverage Matrix
The following matrix summarizes UIAO's coverage across all 20 NIST 800-53 Rev 5 control families at the FedRAMP Moderate baseline. Coverage levels are assessed as Full (>80%), Strong (60-80%), Partial (30-59%), Minimal (10-29%), or None (0-9%).
| Control Family | Code | Moderate Count | UIAO Documents Addressing | Coverage | Key Gaps |
|---|---|---|---|---|---|
| Access Control | AC | 43 | CA Policy Library, Identity Modernization, Gitea config, Git Hooks | Partial (~65%) | AC-4 (Info Flow), AC-18 (Wireless), AC-19 (Mobile), AC-20 (External Systems), AC-22 (Public Content) |
| Awareness & Training | AT | 6 | End User Training Guide (partial) | Minimal (~33%) | AT-1 (Policy), AT-3 (Role-Based for IT staff), AT-4 (Training Records) |
| Audit & Accountability | AU | 16 | Git Hooks (JSONL), Operations Runbook, Dashboard | Partial (~62%) | AU-4 (Log Storage Capacity), AU-7 (Audit Reduction), AU-10 (Non-repudiation) |
| Assessment, Authorization & Monitoring | CA | 14 | Assessment modules, Drift Detection, Dashboard | Partial (~57%) | CA-3 (System Interconnections), CA-6 (Authorization — no ATO template), CA-8 (Penetration Testing) |
| Configuration Management | CM | 27 | Intune Templates, Git Hooks, Platform Build, Arc Policies | Strong (~74%) | CM-4 (Impact Analysis), CM-11 (User-Installed Software) |
| Contingency Planning | CP | 23 | DR Playbook, Replication Guide | Partial (~52%) | CP-2 (Formal CP), CP-3 (CP Training), CP-4 (CP Testing), CP-8 (Telecom Services) |
| Identification & Authentication | IA | 27 | Identity Modernization, CA Policy Library, Gitea config | Strong (~70%) | IA-6 (Authenticator Feedback), IA-12 (Identity Proofing) |
| Incident Response | IR | 17 | DR Playbook (partial), Operations Runbook (partial) | Partial (~35%) | IR-1 (IR Policy), IR-2 (IR Training), IR-3 (IR Testing), IR-7 (IR Assistance), IR-8 (IR Plan) |
| Maintenance | MA | 10 | Operations Runbook (partial) | Minimal (~20%) | MA-1 (Policy), MA-3 (Maintenance Tools), MA-4 (Nonlocal Maintenance), MA-6 (Timely Maintenance) |
| Media Protection | MP | 7 | None | None (0%) | All controls — primarily physical media; limited SaaS applicability |
| Physical & Environmental | PE | 19 | None | N/A (0%) | Not applicable — inherited from CSP (Microsoft GCC) |
| Planning | PL | 7 | Master Project Plan, ADR | Minimal (~29%) | PL-1 (Policy), PL-2 (SSP), PL-4 (Rules of Behavior) |
| Program Management | PM | N/A | Master Project Plan (partial) | Not Baselined | Recommended but not required at Moderate |
| Personnel Security | PS | 10 | None | None (0%) | All controls — screening, termination, transfer, agreements |
| PII Processing & Transparency | PT | N/A | None | Not Baselined | Recommended for identity data processing |
| Risk Assessment | RA | 11 | Assessment modules, this Gap Analysis | Partial (~45%) | RA-1 (Policy), RA-2 (Security Categorization), RA-7 (Risk Response) |
| System & Services Acquisition | SA | 20 | PowerShell Reference, Quarto Pipeline, Platform Build | Partial (~40%) | SA-4 (Acquisition Process), SA-9 (External Services), SA-11 (Developer Testing) |
| System & Comms Protection | SC | 29 | IIS web.config, DNS Modernization, PKI Modernization, Gitea config | Partial (~52%) | SC-5 (DoS Protection), SC-7 enhancements, SC-10 (Network Disconnect), SC-18 (Mobile Code) |
| System & Information Integrity | SI | 24 | Intune Templates, Drift Detection, Git Hooks, PKI Assessment | Partial (~50%) | SI-2 (Formal Flaw Remediation), SI-5 (Security Alerts), SI-8 (Spam Protection) |
| Supply Chain Risk Management | SR | 12 | Import Adapters (partial) | Minimal (~17%) | SR-1 (Policy), SR-2 (SCRM Plan), SR-3 (Supply Chain Controls), SR-11 (Authenticity) |
Coverage Summary: Approximately 187 of 323 FedRAMP Moderate controls (~58%) are directly addressed or facilitated by UIAO artifacts. Configuration Management (CM) and Identification & Authentication (IA) families show the strongest coverage. Media Protection (MP), Physical & Environmental (PE), Personnel Security (PS), and Awareness & Training (AT) families represent the largest gaps.
5. CISA Directive Alignment Assessment
5.1 BOD 22-01 — Known Exploited Vulnerabilities
UIAO Coverage: The PKI Assessment module's ESC1-ESC8 detection identifies known exploitable ADCS conditions, several of which correspond to or are analogous to KEV catalog entries. Import adapters consume Nessus and Microsoft Defender findings, both of which include KEV-tagged vulnerabilities in their output. The UIAODriftDetection module can detect changes to PKI configurations that might introduce or re-introduce exploitable conditions.
Gaps Identified:
No automated KEV catalog cross-reference — assessment findings are not programmatically mapped to CISA's KEV database
No defined SLA for KEV remediation (CISA requires remediation within specified timelines per vulnerability)
No tracking dashboard for KEV remediation status
No notification mechanism when new KEV entries affect UIAO-managed infrastructure
Recommended Remediation:
Add KEV catalog lookup function to UIAOImportAdapters that cross-references assessment findings against the CISA KEV JSON feed
Add KEV remediation timeline tracking to the governance dashboard with status indicators and SLA countdown
Implement automated KEV catalog monitoring with alerts when new entries match UIAO-relevant products
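The KEV cross-reference recommended above, as an added example that is not part of UIAOImportAdapters. It assumes the public KEV feed layout (a top-level `vulnerabilities` list with `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`) and uses constructed catalog entries, placeholder CVE IDs and constructed findings in the shape a Nessus/Defender import adapter might produce.

```python
"""Cross-reference normalized assessment findings against the CISA KEV JSON feed.

Added example (not UIAO project code). The feed structure below follows the public
KEV JSON schema; the entries, hosts and CVE IDs are constructed placeholders.
"""
import json
import re
from datetime import date

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed KEV feed excerpt with placeholder identifiers (not real catalog entries).
SAMPLE_KEV_FEED = json.dumps({
    "title": "constructed sample feed",
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "ExampleCA",
         "dateAdded": "2026-03-01", "dueDate": "2026-03-22", "requiredAction": "Apply vendor patch."},
        {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "ExampleDNS",
         "dateAdded": "2026-04-10", "dueDate": "2026-05-01", "requiredAction": "Apply vendor patch."},
    ],
})

# Constructed findings, normalized the way an import adapter would hand them on.
# A scanner plugin may carry several CVEs in one string; only catalogued ones matter here.
SAMPLE_FINDINGS = [
    {"host": "pki01.example.local", "plugin": "Example CA RCE", "cves": "CVE-1900-0001", "severity": "Critical"},
    {"host": "dns01.example.local", "plugin": "Example DNS overflow", "cves": "CVE-1900-0002, CVE-1900-0003", "severity": "High"},
    {"host": "web01.example.local", "plugin": "Outdated banner", "cves": "", "severity": "Low"},
]


def load_kev_index(feed_json: str) -> dict:
    """Index KEV entries by upper-case CVE ID so each finding is an O(1) lookup."""
    feed = json.loads(feed_json)
    return {entry["cveID"].upper(): entry for entry in feed["vulnerabilities"]}


def cross_reference(findings: list, kev_index: dict, today_iso: str) -> list:
    """Return one record per (finding, KEV entry) match, most urgent first.

    days_remaining is measured against CISA's dueDate; a negative value means the
    BOD 22-01 deadline has already passed for that host.
    """
    today = date.fromisoformat(today_iso)
    matches = []
    for finding in findings:
        for cve in CVE_RE.findall(finding.get("cves", "")):
            entry = kev_index.get(cve.upper())
            if entry is None:
                continue  # vulnerability is not in the KEV catalog; handled by normal VDR SLAs
            due = date.fromisoformat(entry["dueDate"])
            matches.append({
                "host": finding["host"],
                "cveID": entry["cveID"],
                "product": f"{entry['vendorProject']} {entry['product']}",
                "dueDate": entry["dueDate"],
                "days_remaining": (due - today).days,
                "overdue": due < today,
                "requiredAction": entry["requiredAction"],
            })
    return sorted(matches, key=lambda m: m["days_remaining"])


def kev_summary(findings: list, feed_json: str, today_iso: str) -> dict:
    """Dashboard-style rollup: how many findings are KEV-listed, how many are past due, which hosts."""
    matches = cross_reference(findings, load_kev_index(feed_json), today_iso)
    return {
        "matched": len(matches),
        "overdue": sum(1 for m in matches if m["overdue"]),
        "hosts": sorted({m["host"] for m in matches}),
    }


if __name__ == "__main__":
    for m in cross_reference(SAMPLE_FINDINGS, load_kev_index(SAMPLE_KEV_FEED), "2026-04-15"):
        print(f"{m['host']:22} {m['cveID']:14} due {m['dueDate']} ({m['days_remaining']:+d} days)")
    print(kev_summary(SAMPLE_FINDINGS, SAMPLE_KEV_FEED, "2026-04-15"))
```

In production the feed would be fetched from CISA on a schedule and the sorted output fed to the dashboard's SLA countdown.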
5.2 BOD 23-01 — Asset Visibility and Vulnerability Detection
UIAO Coverage: AD Assessment modules provide comprehensive asset discovery capabilities covering computers, users, groups, service accounts, and trust relationships. The Read-Only Assessment Guide demonstrates that approximately 87% of assessment coverage is achievable with Authenticated Users permissions alone, reducing barriers to deployment. Assessment modules enumerate both on-premises AD objects and, through the Identity Assessment module, Entra ID objects.
Gaps Identified:
No 7-day automated discovery cycle enforced — assessments are manual or ad hoc
No 14-day vulnerability enumeration schedule codified in operational procedures
No integration with CISA CDM (Continuous Diagnostics and Mitigation) infrastructure
No roaming/nomadic device coverage — assessments focus on domain-joined and Entra-registered devices; devices that roam off-network are not enumerated
No IPv6 asset discovery capability documented
Recommended Remediation:
Add scheduled task configurations for 7-day discovery and 14-day vulnerability enumeration cycles to the Operations Runbook
Document CDM data feed procedures and format requirements for agency CDM reporting
Extend assessment coverage to Intune-managed roaming devices using Microsoft Graph API queries
Add IPv6 asset discovery to AD assessment modules
5.3 BOD 25-01 — SCuBA Secure Configuration Baselines
UIAO Coverage: The Import-UIAOScuBAReport adapter consumes ScubaGear output, normalizing SCuBA compliance data into the UIAO governance data model. Conditional Access policies in the CA Policy Library align with SCuBA Entra ID baselines. Intune policy templates align with SCuBA endpoint configuration baselines. The governance dashboard can display SCuBA compliance metrics.
Gaps Identified:
No native ScubaGear execution integration — UIAO imports results but does not invoke ScubaGear assessments
No SCuBA Connect automated reporting to CISA — agencies must manually configure reporting
Incomplete coverage of all 7 M365 product baselines — strong coverage for Entra ID and endpoint configurations but limited coverage for Exchange Online, SharePoint, OneDrive, Teams, Power Platform, and Defender baselines
No SCuBA baseline deviation remediation playbooks
Recommended Remediation:
Create UIAOScuBARunner module providing native ScubaGear execution wrapper with scheduled assessment capability
Document SCuBA Connect or agency-hosted reporting integration procedures
Create baseline coverage matrix for all 7 M365 products with gap identification
Develop SCuBA deviation remediation playbooks per product area
5.4 OMB M-22-09 — Zero Trust Strategy Alignment
| ZTA Pillar | UIAO Coverage | Coverage Level | Key Gaps |
|---|---|---|---|
| Identity | Identity Modernization Guide, CA Policy Library — phishing-resistant MFA, centralized identity, passwordless authentication | Strong | No PIV/CAC integration guide; no passwordless-only enforcement timeline; no identity governance lifecycle documentation |
| Devices | Intune Templates, AD Assessment, Azure Arc — device compliance, EDR profiles, hybrid device management | Moderate | No standalone EDR deployment guide; no device trust scoring mechanism; no BYOD policy |
| Networks | IIS web.config (TLS), DNS Modernization — HTTPS enforcement, HSTS, DNS security assessment | Limited | No microsegmentation guidance; no internal traffic encryption verification; no network access control documentation |
| Applications | Conditional Access (application-layer access control), Gitea config (application authentication) | Partial | No application inventory; no application-level authorization beyond M365; no application security testing program |
| Data | Classification marking (Controlled) in Git hooks — minimal data governance | Minimal | No data categorization scheme; no DLP policy guidance; no information classification taxonomy beyond "Controlled" marking; no data encryption verification |
6. FedRAMP 20x Alignment Assessment
This section evaluates UIAO's alignment with the four core requirements of the FedRAMP 20x program. UIAO's governance-as-code approach provides inherent advantages for FedRAMP 20x compliance, but several formalization gaps must be addressed.
6.1 Trust Center
UIAO Alignment: The Governance Dashboard (7 pages with OJS/D3 specifications) could serve as a Trust Center foundation, providing visual security posture information. The Git repository itself provides transparent, version-controlled security documentation that aligns with Trust Center transparency principles. The Quarto pipeline generates web-publishable governance artifacts from canonical sources.
Gaps:
No public-facing Trust Center page designed or published
No machine-readable security posture publication (e.g., OSCAL SSP)
No Trust Center content management procedure
No Trust Center access control or authentication for sensitive content tiers
Recommendation: Extend the Quarto dashboard to publish a dedicated Trust Center page with automated security status indicators derived from drift detection and assessment outputs. Define Trust Center content tiers (public, authenticated, authorized) with appropriate access controls. Publish OSCAL-formatted SSP components as machine-readable Trust Center data.
6.2 Key Security Indicators (KSIs)
UIAO Alignment: The UIAODriftDetection module generates severity-scored drift reports that function as proto-KSIs. Assessment modules produce quantifiable security metrics including ESC vulnerability counts, stale account counts, GPO compliance scores, DNS configuration findings, and identity posture metrics. These metrics are already structured and machine-readable in JSON format.
Gaps:
No formal KSI definitions with measurement methodology
No KSI thresholds (acceptable, warning, critical)
No KSI reporting frequency established
No KSI historical trending or baseline establishment
Recommendation: Define 10–15 KSIs derived from existing drift detection and assessment outputs. Suggested initial KSI set:
Configuration drift score (aggregate severity from drift detection)
PKI vulnerability count (ESC1-ESC8 findings)
Stale account percentage (accounts exceeding inactivity threshold)
MFA enrollment coverage (percentage of users with phishing-resistant MFA)
Device compliance rate (Intune-managed devices meeting baseline)
Conditional Access policy coverage (percentage of sign-ins evaluated by CA)
Governance pipeline integrity (hook execution success rate)
Assessment currency (days since last complete assessment cycle)
SCuBA baseline compliance score (per-product compliance percentage)
Vulnerability remediation velocity (mean time to remediate by severity)
Publish KSI definitions in the canon/ directory with thresholds and measurement intervals. Implement KSI trending in the governance dashboard.
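The "deep JSON diff with severity scoring" described for UIAODriftDetection in 3.27 and the first KSI above (configuration drift score with acceptable/warning/critical thresholds), as an added example that is not the module's own code. The path-prefix severity weights, the baseline and observed documents, and the threshold values are constructed assumptions.

```python
"""Deep JSON diff with per-change severity scoring, rolled up into a drift-score KSI.

Added example (not the UIAODriftDetection module). Severity weights keyed by JSON path
prefix, the two configuration snapshots and the KSI thresholds are all constructed.
"""
from typing import Any

# Constructed severity weights; the longest matching path prefix wins, "" is the default.
SEVERITY_BY_PREFIX = {
    "conditionalAccess": ("critical", 10),
    "intune/endpointSecurity": ("high", 5),
    "dns": ("medium", 2),
    "": ("low", 1),
}

# Constructed KSI thresholds on the aggregate score: <=5 acceptable, <=20 warning, else critical.
KSI_THRESHOLDS = {"acceptable": 5, "warning": 20}

# Constructed snapshots of governance configuration (approved baseline vs. observed state).
BASELINE = {
    "conditionalAccess": {"policies": [{"name": "Require phishing-resistant MFA", "state": "enabled"}]},
    "intune": {"endpointSecurity": {"bitlocker": True, "firewall": True}},
    "dns": {"dnssec": True, "forwarders": ["10.0.0.1"]},
    "notes": "constructed baseline",
}
OBSERVED = {
    "conditionalAccess": {"policies": [{"name": "Require phishing-resistant MFA", "state": "disabled"}]},
    "intune": {"endpointSecurity": {"bitlocker": True, "firewall": False, "edr": True}},
    "dns": {"dnssec": True, "forwarders": ["10.0.0.1", "10.0.0.2"]},
    "notes": "constructed observed",
}


def _record(path: str, change: str, old: Any, new: Any) -> dict:
    return {"path": path, "change": change, "old": old, "new": new}


def deep_diff(baseline: Any, observed: Any, path: str = "") -> list:
    """Recursively compare two JSON-like values and list every added/removed/changed leaf."""
    changes = []
    if isinstance(baseline, dict) and isinstance(observed, dict):
        for key in sorted(set(baseline) | set(observed)):
            child = f"{path}/{key}" if path else key
            if key not in observed:
                changes.append(_record(child, "removed", baseline[key], None))
            elif key not in baseline:
                changes.append(_record(child, "added", None, observed[key]))
            else:
                changes.extend(deep_diff(baseline[key], observed[key], child))
    elif isinstance(baseline, list) and isinstance(observed, list):
        for i in range(max(len(baseline), len(observed))):
            child = f"{path}[{i}]"
            if i >= len(observed):
                changes.append(_record(child, "removed", baseline[i], None))
            elif i >= len(baseline):
                changes.append(_record(child, "added", None, observed[i]))
            else:
                changes.extend(deep_diff(baseline[i], observed[i], child))
    elif baseline != observed:  # scalars, or a type change (e.g. list replaced by dict)
        changes.append(_record(path, "changed", baseline, observed))
    return changes


def _matches(path: str, prefix: str) -> bool:
    """Prefix match on whole path segments, so "dns" does not match "dnsX"."""
    return prefix == "" or path == prefix or path.startswith(prefix + "/") or path.startswith(prefix + "[")


def score_change(record: dict) -> dict:
    """Attach the severity label and weight of the most specific matching prefix."""
    prefix = max((p for p in SEVERITY_BY_PREFIX if _matches(record["path"], p)), key=len)
    label, weight = SEVERITY_BY_PREFIX[prefix]
    return {**record, "severity": label, "weight": weight}


def drift_report(baseline: Any, observed: Any) -> dict:
    """Scored change list plus the aggregate drift score and its KSI status."""
    scored = [score_change(c) for c in deep_diff(baseline, observed)]
    total = sum(c["weight"] for c in scored)
    if total <= KSI_THRESHOLDS["acceptable"]:
        status = "acceptable"
    elif total <= KSI_THRESHOLDS["warning"]:
        status = "warning"
    else:
        status = "critical"
    return {"changes": scored, "drift_score": total, "ksi_status": status}


if __name__ == "__main__":
    report = drift_report(BASELINE, OBSERVED)
    for c in report["changes"]:
        print(f"[{c['severity']:8}] {c['change']:7} {c['path']}: {c['old']!r} -> {c['new']!r}")
    print("drift score", report["drift_score"], "->", report["ksi_status"])
```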
6.3 Vulnerability Detection and Response (VDR)
UIAO Alignment: PKI ESC1-ESC8 detection, Nessus and Defender import adapters, and AD vulnerability scanning provide vulnerability detection across multiple domains. The assessment pipeline can identify vulnerabilities in Active Directory, DNS, PKI, and identity configurations. Drift detection identifies when configurations change in ways that may introduce vulnerabilities.
Gaps:
No consolidated vulnerability management workflow connecting detection to remediation
No VDR SLA definitions (time-to-detect, time-to-triage, time-to-remediate)
No automated remediation playbooks
No vulnerability risk scoring methodology (CVSS or equivalent)
Recommendation: Create a UIAO Vulnerability Management Procedure document defining VDR SLA tiers:
| Severity | Detection SLA | Triage SLA | Remediation SLA |
|---|---|---|---|
| Critical | 24 hours | 4 hours | 48 hours |
| High | 72 hours | 24 hours | 7 days |
| Medium | 7 days | 72 hours | 30 days |
| Low | 14 days | 7 days | 90 days |
Integrate VDR SLAs with drift detection alerting and governance dashboard tracking.
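SLA evaluation against the tier table above, as an added example that is not UIAO code. The hour values come from the table; the clock convention (each phase's clock starts when the previous phase completes, the detection clock at publication of the vulnerability) and the finding records with timestamps are constructed assumptions. It also computes the "vulnerability remediation velocity" KSI from section 6.2.

```python
"""Evaluate findings against the VDR SLA tiers and derive mean time to remediate.

Added example (not UIAO code). SLA hours are the section 6.3 table; the phase clock
convention and the sample findings are constructed.
"""
from datetime import datetime
from statistics import mean

# Detection / triage / remediation SLAs from the 6.3 table, in hours.
VDR_SLA_HOURS = {
    "Critical": {"detect": 24, "triage": 4, "remediate": 48},
    "High": {"detect": 72, "triage": 24, "remediate": 7 * 24},
    "Medium": {"detect": 7 * 24, "triage": 72, "remediate": 30 * 24},
    "Low": {"detect": 14 * 24, "triage": 7 * 24, "remediate": 90 * 24},
}

# Assumed clock convention: (phase, clock start field, clock stop field).
PHASES = [
    ("detect", "published_at", "detected_at"),
    ("triage", "detected_at", "triaged_at"),
    ("remediate", "triaged_at", "remediated_at"),
]

T = datetime.fromisoformat

# Constructed findings at various lifecycle stages.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "Critical", "published_at": T("2026-04-01T00:00"), "detected_at": T("2026-04-01T10:00"),
     "triaged_at": T("2026-04-01T12:00"), "remediated_at": T("2026-04-02T18:00")},
    {"id": "F-2", "severity": "High", "published_at": T("2026-04-01T00:00"), "detected_at": T("2026-04-05T00:00"),
     "triaged_at": T("2026-04-05T08:00"), "remediated_at": None},
    {"id": "F-3", "severity": "Medium", "published_at": T("2026-04-10T00:00"), "detected_at": None,
     "triaged_at": None, "remediated_at": None},
    {"id": "F-4", "severity": "Critical", "published_at": T("2026-04-03T00:00"), "detected_at": T("2026-04-03T06:00"),
     "triaged_at": T("2026-04-03T07:00"), "remediated_at": T("2026-04-06T07:00")},
]


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def evaluate_finding(finding: dict, now: datetime) -> dict:
    """Per-phase status: met, breached (closed late), open (running, within SLA),
    overdue (running, past SLA) or pending (previous phase not finished)."""
    sla = VDR_SLA_HOURS[finding["severity"]]
    status = {}
    for phase, start_key, end_key in PHASES:
        start, end = finding.get(start_key), finding.get(end_key)
        if start is None:
            status[phase] = "pending"
        elif end is not None:
            status[phase] = "met" if _hours(start, end) <= sla[phase] else "breached"
        else:
            status[phase] = "overdue" if _hours(start, now) > sla[phase] else "open"
    return status


def evaluate_findings(findings: list, now_iso: str) -> dict:
    """Map finding id -> phase statuses, for dashboard tracking and alert routing."""
    now = T(now_iso)
    return {f["id"]: evaluate_finding(f, now) for f in findings}


def mean_time_to_remediate(findings: list) -> dict:
    """KSI: mean hours from detection to remediation by severity (closed findings only)."""
    by_severity = {}
    for f in findings:
        if f.get("detected_at") and f.get("remediated_at"):
            by_severity.setdefault(f["severity"], []).append(_hours(f["detected_at"], f["remediated_at"]))
    return {sev: round(mean(hours), 1) for sev, hours in by_severity.items()}


if __name__ == "__main__":
    for fid, phases in evaluate_findings(SAMPLE_FINDINGS, "2026-04-15T00:00").items():
        print(fid, phases)
    print("MTTR hours by severity:", mean_time_to_remediate(SAMPLE_FINDINGS))
```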
6.4 Significant Change Notification (SCN)
UIAO Alignment: Git hooks detect canon changes and queue stewardship review, providing automated change detection. Post-receive webhook delivery notifies downstream systems of governance-relevant changes. Drift detection alerts on configuration changes that may represent significant deviations from approved baselines.
Gaps:
No formal SCN process mapped to FedRAMP requirements
No SCN template or standardized notification format
No notification recipient registry
No SCN trigger criteria definitions (what constitutes a "significant change")
Recommendation: Formalize the SCN process in the Operations Runbook with the following components:
Trigger criteria: Define what constitutes a significant change (e.g., new control implementation, architecture change, boundary modification, technology substitution)
Notification templates: Standardized SCN format with change description, impact assessment, affected controls, and timeline
Recipient management: Registry of notification recipients including authorizing officials, ISSOs, and FedRAMP PMO contacts
Response tracking: Mechanism to track SCN acknowledgment and any required FedRAMP PMO actions
7. Gap Analysis Summary and Remediation Roadmap
7.1 Priority 1 — Critical Gaps (New Documents Required)
The following new documents are required to achieve comprehensive FedRAMP Moderate compliance coverage. These represent the most significant gaps in the current corpus and should be prioritized for immediate development.
UIAO System Security Plan (SSP) Template
Required for any FedRAMP authorization. Must map all 323 Moderate controls to UIAO implementations, shared responsibility statements, or inheritance declarations. Addresses PL-2. This is the foundational document for FedRAMP authorization and the single most critical gap in the corpus.
UIAO Incident Response Plan
Standalone IR plan covering IR-1 through IR-8. Must include incident classification matrix (severity levels 1–4), escalation procedures with contact information, reporting timelines per US-CERT requirements, evidence preservation procedures (chain of custody), lessons learned process, and coordination with law enforcement and CISA.
UIAO Plan of Action and Milestones (POA&M) Template
FedRAMP-compliant POA&M format for tracking compliance gaps with remediation timelines, responsible parties, risk ratings, and estimated completion dates. Addresses CA-5. Must include automated generation from assessment module outputs.
UIAO Security Awareness and Training Program
Comprehensive program covering AT-1 through AT-4. Must include role-based training requirements for administrators, developers, operators, and end users. Include phishing simulation program requirements, training completion tracking, annual refresher requirements, and new employee onboarding training procedures.
UIAO Supply Chain Risk Management Plan
Addresses SR-1 through SR-12. Must cover third-party component vetting procedures (Gitea, PowerShell modules, Quarto, Node.js dependencies), software bill of materials (SBOM) generation and maintenance, component provenance verification, and supplier risk assessment methodology.
UIAO Continuous Monitoring Strategy
Formal ConMon document per CA-7 covering monitoring scope, frequency, metrics, reporting, and escalation. Must link to FedRAMP 20x KSI framework. Define automated and manual monitoring activities, reporting frequency, and dashboard requirements.
UIAO Privacy Impact Assessment
Address PT family controls and privacy considerations for identity data processed during AD-to-Entra ID modernization. Document data flows, privacy controls, consent mechanisms, and data retention/destruction requirements for personally identifiable information.
7.2 Priority 2 — Document Amendments Required
| Document | Amendment Required | Controls Addressed | Priority |
|---|---|---|---|
| Identity Modernization Guide | Add FIDO2/PIV/CAC mapping section and PAW guidance | IA-2(6), AC-6(7) | High |
| PKI Modernization Guide | Add FIPS 140-2/140-3 validation requirements and HSM guidance for CA key protection | SC-12, SC-13 | High |
| DR Playbook | Add Business Impact Analysis, annual DR test requirement, stakeholder communication plan | CP-2, CP-4 | High |
| Operations Runbook | Add formal Change Advisory Board process, incident severity classification matrix, maintenance window policy | CM-3, IR-4, MA-2 | High |
| Platform Server Build Guide | Add STIG/CIS benchmark cross-reference for Windows Server 2025 and SCAP scanning procedure | CM-6, RA-5 | Medium |
| End User Training Guide | Add IT staff security training modules, training records tracking, phishing simulation program | AT-3, AT-4 | Medium |
| Git Infrastructure ADR | Add formal ATO language and risk acceptance documentation | CA-6 | Medium |
| IIS web.config | Add TLS 1.2+ enforcement and cipher suite specification | SC-8, SC-13 | Medium |
| Gitea app.ini | Add session timeout mapping to AC-12 and FIPS mode configuration | AC-12, SC-13 | Medium |
| Master Project Plan | Add milestone-to-control-family traceability matrix and risk register | PL-2, RA-3 | Medium |
| Quarto Pipeline Guide | Add pipeline integrity verification and artifact signing procedures | SA-10, SI-7 | Standard |
| Git Hooks | Add hook integrity verification mechanism and bypass attempt alerting | SI-7, AU-6 | Standard |
| Conditional Access Policy Library | Add device compliance enforcement policy and policy change tracking procedure | AC-3, CM-3 | Medium |
| Active-Passive Replication Guide | Add replication monitoring, failover test schedule, and encryption verification | CP-7, CP-4, SC-8 | Standard |
| Governance Dashboard Design | Add role-based access control, data retention policy, and Trust Center page specification | AC-3, SI-12 | Standard |
7.3 Priority 3 — Code Artifact Enhancements
| Module | Enhancement | Controls Addressed |
|---|---|---|
| UIAODriftDetection | Add OSCAL-formatted output generation for machine-readable compliance evidence | CA-7, SA-4 |
| UIAOImportAdapters | Add KEV catalog cross-reference function and OSCAL schema validation for imported data | RA-5, SA-4 |
| UIAOPlanGenerators | Add FedRAMP-compliant POA&M format output with required fields and risk ratings | CA-5 |
| All Modules | Implement Authenticode code signing for all PowerShell modules | SI-7, SA-10 |
| All Modules | Publish SHA-256 integrity hashes in a signed manifest file | SI-7 |
| UIAODriftDetection | Add CDM data feed export capability for CISA reporting | CA-7 |
| New: UIAOScuBARunner | Native ScubaGear execution wrapper with scheduled assessment and results import | CM-6 (BOD 25-01) |
| UIAOADAssessment | Add 7-day scheduled discovery cycle enforcement with compliance tracking | CM-8 (BOD 23-01) |
| UIAOImportAdapters | Add input data sanitization and validation documentation | SI-10 |
| UIAOPKIAssessment | Add CVSS severity scoring for ESC1-ESC8 findings | RA-5 |
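The hook integrity verification recommended for the Git governance hooks in 3.30 and the signed SHA-256 manifest listed above, as one added example that is not UIAO project code. It assumes the hooks live in a single directory (such as the repository's hooks directory) and represents the manifest signature with an HMAC over the manifest body using a key held outside the repository; a detached GPG or Authenticode signature would play the same role in production.

```python
"""Verify server-side Git hooks against a keyed SHA-256 manifest.

Added example (not UIAO project code). The hook directory, the HMAC key and the
hook contents used in demo() are constructed; the three hook names are the ones
the gap analysis names.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

HOOK_NAMES = ("pre-receive", "update", "post-receive")


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(hook_dir: Path, key: bytes) -> dict:
    """Hash each governed hook that exists and seal the hash table with HMAC-SHA256."""
    hashes = {name: sha256_file(hook_dir / name) for name in HOOK_NAMES if (hook_dir / name).exists()}
    body = json.dumps(hashes, sort_keys=True).encode()
    return {"hashes": hashes, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_hooks(hook_dir: Path, manifest: dict, key: bytes) -> dict:
    """Per-hook status: ok, modified, missing, unlisted (present but not in manifest) or absent.

    The manifest tag is checked first: a manifest edited to match tampered hooks
    must fail as a whole, so every hook then reports manifest_invalid.
    """
    body = json.dumps(manifest["hashes"], sort_keys=True).encode()
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return {name: "manifest_invalid" for name in HOOK_NAMES}
    result = {}
    for name in HOOK_NAMES:
        path = hook_dir / name
        listed = manifest["hashes"].get(name)
        if listed is None:
            result[name] = "unlisted" if path.exists() else "absent"
        elif not path.exists():
            result[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), listed):
            result[name] = "ok"
        else:
            result[name] = "modified"
    return result


def demo() -> dict:
    """Constructed scenario: seal three hooks, then tamper with one, delete one, and forge the manifest."""
    key = b"constructed-demo-key-held-outside-the-repository"
    with tempfile.TemporaryDirectory() as tmp:
        hook_dir = Path(tmp)
        for name in HOOK_NAMES:
            (hook_dir / name).write_text(f"#!/bin/sh\n# constructed {name} hook\nexit 0\n")
        manifest = build_manifest(hook_dir, key)
        before = verify_hooks(hook_dir, manifest, key)
        (hook_dir / "post-receive").write_text("#!/bin/sh\nexit 0\n")  # simulated tampering
        (hook_dir / "update").unlink()                                   # simulated removal
        after = verify_hooks(hook_dir, manifest, key)
        # An attacker who can edit hooks can edit the manifest too; without the key the tag fails.
        forged = {"hashes": dict(manifest["hashes"]), "tag": manifest["tag"]}
        forged["hashes"]["post-receive"] = sha256_file(hook_dir / "post-receive")
        forged_result = verify_hooks(hook_dir, forged, key)
    return {"before": before, "after": after, "forged_manifest": forged_result}


if __name__ == "__main__":
    for label, statuses in demo().items():
        print(label, statuses)
```

Run from a scheduled task or from the pre-receive hook itself, any status other than ok is the alerting condition that the bypass-attempt gap calls for.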
7.4 Remediation Timeline
| Phase | Timeline | Deliverables | Controls Addressed |
|---|---|---|---|
| Phase 1 | Weeks 1–4 | SSP Template, Incident Response Plan, critical document amendments (Identity Modernization, PKI Modernization, DR Playbook, Operations Runbook) | PL-2, IR-1 through IR-8, IA-2(6), SC-12, SC-13, CP-2, CP-4, CM-3, MA-2 |
| Phase 2 | Weeks 5–8 | POA&M Template, Security Awareness and Training Program, Supply Chain Risk Management Plan | CA-5, AT-1 through AT-4, SR-1 through SR-12 |
| Phase 3 | Weeks 9–12 | Continuous Monitoring Strategy, Privacy Impact Assessment, code artifact enhancements (code signing, OSCAL output, KEV integration) | CA-7, PT family, SI-7, SA-10, RA-5 |
| Phase 4 | Ongoing | FedRAMP 20x KSI definitions and thresholds, Trust Center publication, CDM integration, UIAOScuBARunner module, annual review cycle establishment | CA-7, CM-6 (BOD 25-01), CA-2, CM-8 (BOD 23-01) |
Implementation Note: Phases 1 and 2 address the most critical compliance gaps and should be considered prerequisites for any FedRAMP authorization activity. Phase 3 enhances existing capabilities. Phase 4 establishes continuous improvement processes aligned with FedRAMP 20x's ongoing validation philosophy.
8. Compliance Inheritance Model
As a SaaS-focused governance platform operating in the GCC-Moderate boundary, UIAO inherits certain security controls from underlying Cloud Service Providers (CSPs). Understanding the inheritance model is essential for accurately scoping UIAO's compliance responsibilities and avoiding duplication of effort on controls already addressed by the infrastructure provider.
8.1 Controls Inherited from Microsoft (GCC-Moderate)
The following control families and specific controls are fully inherited from Microsoft's GCC-Moderate infrastructure:
PE family (Physical and Environmental Protection) — Entirely inherited from Microsoft's GCC datacenters. Physical access controls, environmental protections (fire suppression, HVAC, power conditioning), and physical security monitoring are the responsibility of Microsoft's datacenter operations team.
MP family (Media Protection) — Largely inherited from Microsoft's data handling procedures. Digital media sanitization, transport, and disposal are managed by Microsoft per their FedRAMP-authorized procedures.
Portions of SC family — Data center network protections, DDoS mitigation at the infrastructure layer, and physical network boundary controls are inherited.
Portions of CP family — Datacenter redundancy, power systems, cooling infrastructure, and geographic distribution of availability zones are inherited.
8.2 Controls Requiring Shared Responsibility
The following control areas operate under a shared responsibility model where Microsoft provides the platform capability and UIAO is responsible for configuration and policy enforcement:
| Control Area | Microsoft Responsibility | UIAO Responsibility |
|---|---|---|
| AC (Access Control) | Provides Entra ID platform, Conditional Access engine, RBAC framework | Configures access policies, defines roles, manages user assignments, enforces least privilege |
| CM (Configuration Management) | Provides Intune, Azure Policy, Settings Catalog, Endpoint Security profiles | Defines configuration baselines, creates policy templates, monitors compliance drift |
| IA (Identification & Authentication) | Provides Entra ID authentication services, FIDO2/passkey infrastructure, certificate-based auth | Configures authentication policies, defines MFA requirements, manages authenticator lifecycle |
| AU (Audit & Accountability) | Provides Unified Audit Log, Azure Monitor, Microsoft Sentinel infrastructure | Configures audit retention, defines log review procedures, manages alert rules |
8.3 Controls Fully UIAO Responsibility
The following control areas are entirely the responsibility of UIAO and cannot be inherited from any CSP:
All governance pipeline controls — Git hooks, drift detection, governance dashboard, canon management
All assessment module controls — AD discovery, DNS assessment, PKI assessment, Identity assessment, import adapters
All operational controls — DR playbook execution, runbook operations, training delivery
All planning controls — Project plan execution, ADR documentation, policy library management, compliance gap tracking
All development controls — PowerShell module development, Quarto pipeline management, code quality and integrity
Inheritance Statement: Physical and Environmental Protection (PE) and Media Protection (MP) controls are not applicable to the UIAO SaaS governance layer and are inherited from Microsoft's GCC-Moderate infrastructure, which maintains its own FedRAMP Moderate authorization (FedRAMP ID: F1603047952). This inheritance must be formally documented in the System Security Plan (SSP) with specific control-by-control inheritance statements.
9. Conclusion
The UIAO Governance OS corpus demonstrates strong alignment with federal cybersecurity frameworks, addressing approximately 58% of FedRAMP Moderate controls directly and facilitating many more through its governance pipeline architecture. The Git-based, machine-readable approach positions UIAO exceptionally well for FedRAMP 20x's automation-first philosophy, representing a significant advantage over traditional document-heavy compliance approaches.
Seven new documents and approximately 12 document amendments are recommended to achieve comprehensive compliance coverage. The most critical gap is the absence of a formal System Security Plan (SSP) — the foundational document for any FedRAMP authorization. The second most critical gap is a standalone Incident Response Plan covering the complete IR control family.
UIAO's unique strength lies in its governance-as-code approach: Git hooks enforce classification boundaries at the point of change, drift detection provides continuous monitoring with severity-scored alerts, and the assessment pipeline generates machine-readable evidence across five infrastructure domains. These capabilities directly align with FedRAMP 20x's vision of Trust Centers, Key Security Indicators, and Vulnerability Detection and Response — positioning UIAO ahead of the compliance maturity curve.
No document in the corpus contains FOUO markings — all use "Controlled" classification as required. The GCC-Moderate boundary is consistently stated throughout the corpus and enforced programmatically by the pre-receive Git hook, which rejects commits containing unauthorized classification markings.
The remediation roadmap presented in Section 7 provides a phased 12-week plan to address the most critical gaps, followed by an ongoing continuous improvement phase. Completion of Phases 1 and 2 would bring UIAO's coverage from 58% to an estimated 78–82% of FedRAMP Moderate controls, with the remaining controls either inherited from Microsoft's GCC-Moderate authorization or addressed through agency-specific policy decisions.
Appendices
Appendix A: NIST 800-53 Rev 5 Control Family Quick Reference
| Code | Family Name | Moderate Baseline Count | Description |
|---|---|---|---|
| AC | Access Control | 43 | Policies and mechanisms for controlling access to systems and information |
| AT | Awareness and Training | 6 | Security awareness and role-based training requirements |
| AU | Audit and Accountability | 16 | Audit record generation, review, analysis, and reporting |
| CA | Assessment, Authorization, and Monitoring | 14 | Security assessments, authorizations, and continuous monitoring |
| CM | Configuration Management | 27 | Baseline configurations, change control, and least functionality |
| CP | Contingency Planning | 23 | Business continuity, disaster recovery, and backup procedures |
| IA | Identification and Authentication | 27 | Identity verification and authenticator management |
| IR | Incident Response | 17 | Incident detection, handling, reporting, and recovery |
| MA | Maintenance | 10 | System maintenance policies, tools, and personnel |
| MP | Media Protection | 7 | Physical and digital media protection, sanitization, and transport |
| PE | Physical and Environmental Protection | 19 | Physical access, environmental controls, and facility security |
| PL | Planning | 7 | Security plans, rules of behavior, and system architecture |
| PM | Program Management | N/A | Organization-wide security program management (not baselined) |
| PS | Personnel Security | 10 | Personnel screening, termination, transfer, and agreements |
| PT | PII Processing and Transparency | N/A | Privacy controls for PII handling (not baselined) |
| RA | Risk Assessment | 11 | Risk identification, analysis, and vulnerability scanning |
| SA | System and Services Acquisition | 20 | SDLC, development standards, acquisition controls |
| SC | System and Communications Protection | 29 | Encryption, boundary protection, and communications security |
| SI | System and Information Integrity | 24 | Flaw remediation, malware protection, system monitoring |
| SR | Supply Chain Risk Management | 12 | Supply chain controls, SBOM, component authenticity |
Appendix B: Federal Directive Quick Reference
| Directive | Date Issued | Core Requirements | UIAO Relevance |
|---|---|---|---|
| BOD 22-01 | November 2021 | Remediate CISA-cataloged Known Exploited Vulnerabilities within specified timelines | PKI ESC1-ESC8 detection; Nessus/Defender import adapters consume KEV-tagged findings |
| BOD 23-01 | October 2022 | Automated asset discovery every 7 days; vulnerability enumeration every 14 days for all IP assets | AD Assessment modules provide asset discovery; Read-Only Assessment achieves ~87% coverage with standard permissions |
| BOD 25-01 | December 2024 | Implement SCuBA Secure Configuration Baselines for M365; deploy ScubaGear; report to CISA | ScuBA import adapter; CA policies align with Entra ID baselines; Intune templates align with endpoint baselines |
| OMB M-22-09 | January 2022 | Federal Zero Trust Strategy across 5 pillars: Identity, Devices, Networks, Applications, Data | Strong Identity pillar coverage via Identity Modernization and CA policies; moderate Devices coverage via Intune |
| EO 14028 | May 2021 | Improving the Nation's Cybersecurity — SBOM, zero trust, incident reporting, supply chain | Governance-as-code approach aligns with software supply chain transparency; Git-based provenance tracking |
| FedRAMP 20x | 2024–2025 | Automation-first authorization: Trust Centers, KSIs, VDR, SCN | Git-based governance pipeline inherently aligned; dashboard as Trust Center; drift detection as KSI source |
Appendix C: Document-to-Control-Family Traceability Matrix
The following matrix maps each UIAO document to the NIST 800-53 control families it addresses. A checkmark (✓) indicates the document contains content directly addressing controls in that family. A dash (—) indicates no coverage.
| Document | AC | AT | AU | CA | CM | CP | IA | IR | MA | MP | PE | PL | PS | RA | SA | SC | SI | SR |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3.1 AD Computer Object Conversion | — | — | — | — | ✓ | — | — | — | — | — | — | — | — | — | ✓ | — | — | — |
| 3.2 Git on Windows Server 2025 | ✓ | — | ✓ | — | ✓ | — | — | — | — | — | — | — | — | — | — | ✓ | ✓ | — |
| 3.3 UIAO Git Server (UIAO-Specific) | ✓ | — | ✓ | — | ✓ | — | ✓ | — | — | — | — | — | — | — | — | ✓ | — | — |
| 3.4 Git Infrastructure ADR | — | — | — | ✓ | — | ✓ | — | — | — | — | — | ✓ | — | — | ✓ | — | — | — |
| 3.5 Platform Server Build Guide | — | — | — | — | ✓ | — | — | — | — | — | — | — | — | — | ✓ | — | ✓ | — |
| 3.6 CLI and Operations Guide | — | — | ✓ | — | ✓ | — | — | — | — | — | — | — | — | — | ✓ | — | — | — |
| 3.7 AD Interaction Guide | — | — | — | ✓ | ✓ | — | — | — | — | — | — | — | — | ✓ | — | — | — | — |
| 3.8 Read-Only AD Assessment | ✓ | — | — | ✓ | ✓ | — | — | — | — | — | — | — | — | ✓ | — | — | — | — |
| 3.9 UIAO vs Microsoft Native Tools | — | — | — | ✓ | — | — | — | — | — | — | — | ✓ | — | — | ✓ | — | — | — |
| 3.10 Identity Modernization | ✓ | — | — | — | — | — | ✓ | — | — | — | — | — | — | — | — | — | — | — |
| 3.11 DNS Modernization | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | ✓ | — | — |
| 3.12 PKI Modernization | — | — | — | — | — | — | ✓ | — | — | — | — | — | — | — | — | ✓ | — | — |
| 3.13 Master Project Plan | — | — | — | ✓ | — | — | — | — | — | — | — | ✓ | — | — | ✓ | — | — | — |
| 3.14 Conditional Access Policy Library | ✓ | — | — | — | — | — | ✓ | — | — | — | — | — | — | — | — | — | — | — |
| 3.15 Intune Policy Templates | — | — | — | — | ✓ | — | — | — | — | — | — | — | — | — | — | — | ✓ | — |
| 3.16 Azure Arc Policy Library | — | — | — | ✓ | ✓ | — | — | — | — | — | — | — | — | — | — | — | ✓ | — |
| 3.17 PowerShell Module Reference | — | — | — | — | — | — | — | — | — | — | — | — | — | — | ✓ | — | — | — |
| 3.18 Active-Passive Replication | — | — | — | — | — | ✓ | — | — | — | — | — | — | — | — | — | ✓ | — | — |
| 3.19 Governance Dashboard | — | — | ✓ | ✓ | — | — | — | — | — | — | — | — | — | — | — | — | ✓ | — |
| 3.20 Quarto Pipeline | — | — | ✓ | — | ✓ | — | — | — | — | — | — | — | — | — | ✓ | — | — | — |
| 3.21 Disaster Recovery Playbook | — | — | — | — | — | ✓ | — | ✓ | — | — | — | — | — | — | — | — | — | — |
| 3.22 Operations Runbook | — | — | ✓ | — | ✓ | — | — | ✓ | ✓ | — | — | — | — | — | — | — | — | — |
| 3.23 End User Training Guide | — | ✓ | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — |
Note: Code artifacts (3.24–3.30) are mapped in Section 3 but omitted from this table for readability. Primary code artifact control families: RA (Assessment Modules), CA (Import Adapters, Drift Detection), CM (Git Hooks, Gitea config), AU (Git Hooks), SI (Drift Detection, Git Hooks), SC (IIS web.config, Gitea config), SR (Git Hooks provenance).
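The traceability matrix above is only useful if it stays well-formed and consistent with the narrative coverage claims. The following is an added example, not part of the UIAO corpus or its PowerShell modules: it parses a matrix in the markdown layout used here, rejects rows with the wrong number of family cells or unexpected marks, and reports per-family document counts and families with no coverage. The embedded input is a constructed excerpt of four rows copied from the table.

```python
# Added example: validate a document-to-control-family traceability matrix
# and report coverage gaps. Not code from the UIAO project.
FAMILIES = ["AC", "AT", "AU", "CA", "CM", "CP", "IA", "IR", "MA",
            "MP", "PE", "PL", "PS", "RA", "SA", "SC", "SI", "SR"]

# Constructed excerpt: four of the 23 rows of the matrix above.
MATRIX_EXCERPT = """\
| Document | AC | AT | AU | CA | CM | CP | IA | IR | MA | MP | PE | PL | PS | RA | SA | SC | SI | SR |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3.1 AD Computer Object Conversion | — | — | — | — | ✓ | — | — | — | — | — | — | — | — | — | ✓ | — | — | — |
| 3.10 Identity Modernization | ✓ | — | — | — | — | — | ✓ | — | — | — | — | — | — | — | — | — | — | — |
| 3.21 Disaster Recovery Playbook | — | — | — | — | — | ✓ | — | ✓ | — | — | — | — | — | — | — | — | — | — |
| 3.23 End User Training Guide | — | ✓ | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — |
"""


def _cells(line):
    """Split one markdown table row into stripped cell strings."""
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_matrix(text):
    """Return {document: set(families marked ✓)}; raise ValueError if malformed."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = _cells(lines[0])
    if header[1:] != FAMILIES:
        raise ValueError("header does not list the 18 baselined families in order")
    coverage = {}
    for line in lines[2:]:  # skip header row and separator row
        cells = _cells(line)
        if len(cells) != len(FAMILIES) + 1:
            raise ValueError(f"{cells[0]!r}: {len(cells) - 1} family cells, expected {len(FAMILIES)}")
        marks = set()
        for fam, cell in zip(FAMILIES, cells[1:]):
            if cell == "✓":
                marks.add(fam)
            elif cell != "—":
                raise ValueError(f"{cells[0]!r}: unexpected mark {cell!r} in {fam}")
        coverage[cells[0]] = marks
    return coverage


def family_counts(coverage):
    """Number of documents covering each family, in baseline order."""
    return {fam: sum(fam in marks for marks in coverage.values()) for fam in FAMILIES}


def uncovered_families(coverage):
    """Families no document addresses: the gap list to reconcile with the narrative."""
    return [fam for fam, n in family_counts(coverage).items() if n == 0]


if __name__ == "__main__":
    cov = parse_matrix(MATRIX_EXCERPT)
    print(family_counts(cov))
    print("uncovered:", uncovered_families(cov))
```

Running it over the full 23-row matrix instead of the excerpt gives the per-family counts to compare against the family coverage claims elsewhere in this document.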
UIAO Compliance Mapping and Gap Analysis — Version 1.0 — April 2026
Classification: Controlled | Boundary: GCC-Moderate
Prepared by Michael Stratton | https://github.com/WhalerMike/uiao