UIAO FedRAMP 20x Compliance Crosswalk
| Field | Value |
|---|---|
| Version | 1.1 |
| Date | 2026-04-27 |
| Classification | Public |
| Source Plane(s) | Identity, Network, Addressing, Telemetry, Security, Management |
| Document Type | Compliance Crosswalk (02_Appendices) |
2. Purpose
This document provides the authoritative FedRAMP 20x compliance crosswalk for the Unified Identity-Addressing-Overlay (UIAO) architecture. It maps UIAO’s core concepts, control planes, and runtime model to the NIST SP 800-53 Rev 5 controls required for a FedRAMP Moderate (Class C) authorization under the 20x telemetry-based validation framework.
The mappings below are canonical design artifacts, not an authorization claim. UIAO (v0.2.1) is in active development; it holds no FedRAMP authorization today and has not been assessed by a 3PAO. Statements that UIAO “aligns with”, “satisfies”, or “supports” a control describe target capability derived from the canonical design, not operational posture. Operational state is tracked on the Substrate Status page.
3. Scope
Included
- Mapping of UIAO concepts to NIST 800-53 Rev 5 controls
- KSI (Key Security Indicator) alignment
- Evidence sources for telemetry-based validation
- Mandatory 2026 infrastructure requirements
- Audit anchors and continuous monitoring expectations
Excluded
- Implementation-specific configurations
- Vendor deployment guides
- Project plan sequencing (covered in modernization timeline)
4. Control Plane Alignment
This crosswalk spans all six UIAO control planes:
| Plane | Compliance Role |
|---|---|
| Identity | Identity assurance, MFA, lifecycle governance |
| Network | Segmentation, routing, overlay security |
| Addressing | Deterministic IPAM, DNS/DHCP integrity |
| Telemetry & Location | Continuous monitoring, KSI generation |
| Security & Compliance | Zero Trust enforcement, FedRAMP alignment |
| Management | CMDB, drift detection, remediation workflows |
Each plane contributes evidence to FedRAMP 20x telemetry validation.
5. Core Concepts
The crosswalk maps the Eight Core Concepts to NIST controls:
- Single Source of Truth (SSOT) → cross-cutting; not mapped to a single control in §6.2. Every claim has one authoritative origin, and all other representations are pointers, not copies. This preserves provenance, prevents drift, and enables federated truth resolution across boundaries.
- Conversation as the atomic unit → AC-4, SI-4
- Identity as the root namespace → IA-2, AC-2
- Deterministic addressing → CM-8, AC-4
- Certificate-anchored overlay → SC-8, IA-5
- Telemetry as control → CA-7, SI-4
- Embedded governance & automation → CM-2, CM-3
- Public service first → PT-2 (privacy and minimization)
These mappings are frozen and must appear identically across all UIAO compliance documents.
6. Architecture Model
6.1 FedRAMP 20x Overview
FedRAMP 20x replaces narrative-based compliance with telemetry-based validation, requiring:
- Machine-readable OSCAL packages
- Real-time Key Security Indicators (KSIs)
- Automated evidence generation
- Continuous monitoring (CA-7)
- Identity-anchored access control
- Deterministic asset inventory
UIAO is designed to satisfy these requirements at target scale. Coverage of each requirement is partial today; per-component maturity lives on the Substrate Status page.
6.2 Fundamental Concept Mapping
| UIAO Concept | NIST Control | KSI Category | Evidence Source |
|---|---|---|---|
| Conversation as Atomic Unit | AC-4 | KSI-CNA | SD-WAN flow telemetry |
| Identity as Root Namespace | IA-2 / AC-2 | KSI-IAM | Entra ID & CyberArk logs |
| Deterministic Addressing | CM-8 / AC-4 | KSI-PIY | Infoblox BloxOne DDI API |
| Certificate-Anchored Overlay | SC-8 / IA-5 | KSI-SVC | SD-WAN mTLS configuration |
| Telemetry as Control | CA-7 / SI-4 | KSI-MLA | M365 & SD-WAN telemetry |
| Embedded Governance | CM-2 | KSI-CMT | GitHub YAML baseline |
| Public Service First | PT-2 | KSI-CED | Identity & overlay minimization |
These mappings are canonical and must not be altered.
7. Runtime Model
UIAO’s runtime model is designed to support FedRAMP 20x telemetry validation. The behaviors below are target-state; collectors and generators that produce this telemetry are partially scaffolded and not yet in operational use at scale.
7.1 Conversation-Level Telemetry
Every conversation is designed to produce:
- Identity metadata
- Addressing metadata
- Certificate metadata
- Path and QoS telemetry
- Security and assurance signals
7.2 Deterministic Evidence
Given identical inputs, UIAO is designed to produce identical telemetry outputs — enabling reproducible compliance when the full collector/generator stack is operational.
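As an added example (not UIAO project code), the following Python shows what “identical inputs, identical outputs” requires in practice: the evidence record is canonicalized (sorted keys at every level, fixed separators, no whitespace) after the per-run volatile fields are stripped, and only then digested. Two collectors that see the same conversation but emit keys in a different order, at different times, then produce the same SHA-256; a single changed attribute does not. The field names and the two constructed records are assumptions for illustration, not UIAO's schema.

```python
"""Reproducible evidence digests for conversation-level telemetry records.

Added example, not UIAO project code. Two collectors observing the same
conversation should emit byte-identical evidence and therefore the same
digest. That only holds if (a) per-run volatile fields are excluded and
(b) the record is serialized canonically. Field names below are
illustrative, not UIAO's schema.
"""
import hashlib
import json

# Fields that legitimately differ between collection runs. They belong in
# the evidence envelope (signed, timestamped) but must not feed the digest.
VOLATILE_FIELDS = frozenset({"collected_at", "collector_id", "seq"})


def canonicalize(record: dict) -> bytes:
    """Strip volatile fields and serialize deterministically.

    sort_keys fixes key order at every nesting level, separators removes
    whitespace, ensure_ascii makes the bytes independent of source encoding,
    and allow_nan=False rejects NaN/Infinity, which have no canonical form.
    List order is preserved: it is part of the observation, not noise.
    """
    stable = {k: v for k, v in record.items() if k not in VOLATILE_FIELDS}
    return json.dumps(stable, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True, allow_nan=False).encode("utf-8")


def evidence_digest(record: dict) -> str:
    """Hex SHA-256 over the canonical form of the record."""
    return hashlib.sha256(canonicalize(record)).hexdigest()


def same_evidence(a: dict, b: dict) -> bool:
    """True when two records are the same observation under the digest."""
    return evidence_digest(a) == evidence_digest(b)


# Constructed sample: one conversation as seen by two collectors. Key order,
# collection time and sequence numbers differ; the observed facts do not.
COLLECTOR_A = {
    "collected_at": "2026-03-01T10:00:00Z", "collector_id": "col-a", "seq": 17,
    "conversation_id": "c-0001",
    "identity": {"subject": "user@example.gov", "mfa": "fido2"},
    "addressing": {"src": "10.10.1.5", "dst": "10.20.3.9", "dport": 443},
    "certificate": {"spki_sha256": "ab12", "issuer": "uiao-overlay-ca"},
}
COLLECTOR_B = {
    "identity": {"mfa": "fido2", "subject": "user@example.gov"},
    "certificate": {"issuer": "uiao-overlay-ca", "spki_sha256": "ab12"},
    "addressing": {"dport": 443, "dst": "10.20.3.9", "src": "10.10.1.5"},
    "conversation_id": "c-0001",
    "seq": 42, "collector_id": "col-b", "collected_at": "2026-03-01T10:00:02Z",
}

if __name__ == "__main__":
    print("digest:", evidence_digest(COLLECTOR_A))
    print("reproducible across collectors:", same_evidence(COLLECTOR_A, COLLECTOR_B))
    weakened = {**COLLECTOR_B,
                "identity": {"subject": "user@example.gov", "mfa": "password"}}
    print("change detected:", not same_evidence(COLLECTOR_A, weakened))
```

The digest proves content, not time: the stripped collection metadata must travel in a signed envelope alongside it, otherwise a reproducible digest can be replayed as fresh evidence.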
7.3 Continuous Monitoring
The telemetry model is designed to feed:
- CA-7 continuous monitoring
- SI-4 anomaly detection
- AC-4 segmentation enforcement
- SC-8 certificate validation
When operational, this will satisfy FedRAMP’s requirement for machine-generated evidence. Today, these feeds are under construction; coverage is tracked on the Substrate Status page.
8. Compliance Mapping
8.1 Mandatory 2026 Infrastructure Requirements
| ID | Requirement | Status | Deadline |
|---|---|---|---|
| NTC-0003 | Automated Security Inbox | Required | 2026-01-05 |
| RFC-0024 | OSCAL Machine-Readability | Required | 2026-09-30 |
| M-24-15 | Phishing-Resistant MFA | Required | 2026-09-30 |
UIAO is designed to satisfy all three through Entra ID, SD-WAN telemetry, and GitHub-based governance. No operational submission has been produced from this pipeline; readiness is target-state.
8.2 Audit Anchor Summary
UIAO’s canonical design identifies continuous telemetry anchors at:
- Identity Pillar: Entra ID MFA, PIV/FIDO2
- Addressing Pillar: Infoblox deterministic IPAM
- Overlay Pillar: SD-WAN mTLS service chain
- Telemetry Pillar: M365, SD-WAN, DNS, endpoint signals
These anchors form the target evidence base for FedRAMP 20x. Operational collectors for each anchor are at varying stages of maturity; see Substrate Status for per-anchor readiness.
8.3 KSI Definitions
| KSI | UIAO evidence stream |
|---|---|
| KSI-IAM | Identity authentication logs (Entra ID) |
| KSI-PIY | Deterministic asset inventory (Infoblox) |
| KSI-MLA | Network health & path telemetry |
| KSI-SVC | Certificate enforcement (mTLS) |
| KSI-CMT | Baseline drift detection (GitHub YAML) |
| KSI-CNA | Packet-level identity metadata |
| KSI-CED | Data minimization enforcement |
These are the FedRAMP 20x KSI families for which this crosswalk supplies evidence; 20x defines further families (see the eleven-family reference in §12.2) that UIAO telemetry does not cover. The second column names the UIAO telemetry stream offered as evidence for a family, not FedRAMP's definition of the family. KSI-CED in particular is defined by FedRAMP 20x as Cybersecurity Education, so the data-minimization mapping above needs review against the family definition before a 3PAO relies on it.
9. Dependencies & Sequencing
Upstream Dependencies
- Identity modernization (Workstream A)
- SD-WAN HLD/LLD (Workstream B)
- IPAM modernization (Workstream C)
- Telemetry integration (Workstream D)
Downstream Dependencies
- TIC 3.0 Cloud & Branch packages
- FedRAMP annual assessment
- Continuous monitoring dashboards
- Governance workflows
Timeline Alignment
This document aligns with Months 3-6 of the modernization timeline.
10. Governance & Drift Controls
Drift Detection
- GitHub YAML baseline comparison
- ServiceNow CMDB reconciliation
- Intune compliance
- SD-WAN overlay validation
- IPAM reconciliation
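One concrete form of the baseline comparison listed above, as an added example rather than UIAO's own tooling: a recursive diff that walks a declared baseline (the shape a GitHub YAML baseline takes once loaded) against the observed state and emits one path-addressed finding per added, removed or changed leaf, tagged with the top-level plane it belongs to so it can feed a KSI-CMT drift signal. The two documents are constructed for the example and embedded as dicts; a real run would load them with yaml.safe_load. Key names are illustrative.

```python
"""Baseline-vs-observed drift detection over nested configuration trees.

Added example, not UIAO project code. Walks a declared baseline against an
observed state and reports every added, removed or changed leaf as a
finding addressed by dotted path. BASELINE and OBSERVED are constructed
for the example; a real run would yaml.safe_load both from the repo and
the system of record. Key names are illustrative.
"""
from typing import Any, Iterator

# Constructed baseline: what the repository says a branch site looks like.
BASELINE = {
    "site": "branch-017",
    "identity": {"mfa": "fido2", "conditional_access": "block-legacy-auth"},
    "addressing": {"subnet": "10.17.0.0/24", "dns": ["10.0.0.53", "10.0.1.53"]},
    "overlay": {"mtls": True, "min_tls": "1.2", "cert_days_warn": 30},
}
# Constructed observed state: MFA weakened, a resolver swapped for a public
# one, mTLS disabled, and an undeclared key present.
OBSERVED = {
    "site": "branch-017",
    "identity": {"mfa": "sms", "conditional_access": "block-legacy-auth"},
    "addressing": {"subnet": "10.17.0.0/24", "dns": ["10.0.0.53", "8.8.8.8"]},
    "overlay": {"mtls": False, "min_tls": "1.2", "cert_days_warn": 30,
                "debug_logging": True},
}


def diff_tree(baseline: Any, observed: Any, path: str = "") -> Iterator[dict]:
    """Yield one finding per differing leaf, addressed by dotted path."""
    if isinstance(baseline, dict) and isinstance(observed, dict):
        for key in sorted(set(baseline) | set(observed)):
            sub = f"{path}.{key}" if path else key
            if key not in observed:
                yield {"path": sub, "kind": "removed",
                       "expected": baseline[key], "actual": None}
            elif key not in baseline:
                yield {"path": sub, "kind": "added",
                       "expected": None, "actual": observed[key]}
            else:
                yield from diff_tree(baseline[key], observed[key], sub)
    elif isinstance(baseline, list) and isinstance(observed, list):
        # Lists compare positionally: order is part of the declared baseline.
        for i, (b, o) in enumerate(zip(baseline, observed)):
            yield from diff_tree(b, o, f"{path}[{i}]")
        for i in range(len(observed), len(baseline)):
            yield {"path": f"{path}[{i}]", "kind": "removed",
                   "expected": baseline[i], "actual": None}
        for i in range(len(baseline), len(observed)):
            yield {"path": f"{path}[{i}]", "kind": "added",
                   "expected": None, "actual": observed[i]}
    elif baseline != observed:
        # Covers scalar changes and type changes (e.g. dict replaced by list).
        yield {"path": path, "kind": "changed",
               "expected": baseline, "actual": observed}


def detect_drift(baseline: dict, observed: dict) -> list[dict]:
    """Return findings in path order; an empty list means no drift."""
    findings = list(diff_tree(baseline, observed))
    for f in findings:
        # The top-level key names the control plane the finding belongs to.
        f["plane"] = f["path"].split(".", 1)[0].split("[", 1)[0]
    return findings


if __name__ == "__main__":
    for f in detect_drift(BASELINE, OBSERVED):
        print(f"{f['kind']:7} {f['plane']:10} {f['path']}: "
              f"expected={f['expected']!r} actual={f['actual']!r}")
```

Undeclared keys ("added") are reported as drift on purpose: a baseline that only checks the keys it knows about cannot see a debug or bypass setting that was never declared.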
Remediation Workflow
- Automated ServiceNow change
- Conditional Access enforcement
- Certificate renewal
- IPAM correction
Audit Anchors
- Entra ID logs
- Infoblox API records
- SD-WAN telemetry
- Intune compliance reports
- ServiceNow audit trails
11. Appendices
Appendix A: Definitions
See docs/glossary.md
Appendix B: Tables
Fundamental Concept Mapping table is in Section 6.2. KSI Definitions table is in Section 8.3. Mandatory 2026 Requirements table is in Section 8.1.
Appendix C: Diagram References
See docs/images/ for all referenced architecture diagrams.
Appendix D: Evidence Sources
See data/parameters.yml and control-library entries for evidence source catalogs.
Appendix E: KSI Reference Model
KSI definitions are in Section 8.3. Machine-readable KSI mappings are in data/crosswalk-index.yml.
12. MAS-CSO Scope Effect by Signal Class
This section maps the FedRAMP 20x Minimum Assessment Scope rule (MAS-CSO-IIR + MAS-CSO-MDI) against the GCC-Moderate telemetry-gap classes catalogued in gcc-moderate-telemetry-gaps.yaml. Net estimate: roughly 30–40% of the prior gap matrix has a credible descope path under MAS-CSO; the identity / data / behavioral end remains in scope under prong (1).
| Signal class | Net effect under MAS-CSO | Reasoning |
|---|---|---|
| Network path metrics (latency / jitter / packet-loss; INR-style) | Favorable | Measurement-only, machine-generated, no federal customer data. Strong case as descoped metadata under MAS-CSO-MDI. |
| Endpoint performance counters (boot time, AppCrashCount, AvgProcessorUsage) | Favorable, with caveats | Anonymized perf data fits the deterministic-telemetry framing. Per-user-identified perf data approaches the “likely impact” line and may not qualify for descope. |
| Adoption Score behavioral baselines (chat/email ratios, mobility, content collaboration) | Mixed to unfavorable | User-behavior signals tied to identifiable communication. The “likely impact to CIA of federal customer data” prong reads in, keeping them in scope. |
| Entra Identity Protection ML (impossible travel, atypical IP, leaked credentials) | Unfavorable | Sign-in events handle federal customer data by routine — fail prong (1) directly. |
| DLP behavioral analytics, sensitivity-label analytics, Copilot prompt richness | Unfavorable | Content-adjacent and policy-event-bearing — fail prong (1). |
| CAE (Continuous Access Evaluation) real-time revocation paths | Neutral | Not a scope problem but a cross-boundary signaling architecture problem, which 20x does not address. |
12.1 What this changes operationally
For an agency in GCC-Moderate today: very little until Microsoft files a 20x-aligned package or opts into the Rev5 Balance Improvement Releases for the GCC-Moderate offering.
What it changes strategically: the negotiation surface. Agency requests for descoped telemetry now have a named, documented mechanism to point at — MAS-CSO-MDI for measurement-only metadata, and the Rev5 opt-in path as the realistic near-term route for currently-authorized CSPs.
12.2 Cross-references
- Eleven KSI families and the Phase 2 Pilot framing: 04_FedRAMP20x_Phase2_Summary.qmd §12.
- Per-row gap matrix: gcc-moderate-telemetry-gaps.yaml.
- Source memo: inbox/New_FedRAMP_Boundary/FedRAMP_20x_Assessment_and_Implications.docx, §2 (“Effect on the GCC-Moderate telemetry gap inventory”).
- Boundary assessment (the canonical gap matrix anchor): B1-gcc-moderate-boundary-model.qmd.
- ThousandEyes Networks-pillar adoption decision: ADR-047.
13. Revision History
| Version | Date | Author | Summary of Changes |
|---|---|---|---|
| 1.0 | 2026-03 | UIAO Canon Engine | Initial canonical release |
| 1.1 | 2026-04-27 | UIAO Canon Engine | Added §12 — MAS-CSO scope effect by signal class. Source: inbox/New_FedRAMP_Boundary/FedRAMP_20x_Assessment_and_Implications.docx. |