UIAO FedRAMP 20x Phase 2 Compliance Summary
1. Title Page
| Field | Value |
|---|---|
| Version | 1.0 |
| Date | March 2026 |
| Classification | Public |
| Source Planes | Identity, Network, Addressing, Telemetry, Security, Management |
| Document Type | Compliance Summary (02_Appendices) |
2. Purpose
This document provides the authoritative summary of how the Unified Identity-Addressing-Overlay (UIAO) architecture satisfies the requirements of FedRAMP 20x Phase 2. It explains the modernization drivers, architectural alignment, control-plane contributions, and compliance outcomes required for a telemetry-based, identity-anchored, Zero Trust-aligned federal enterprise.
3. Scope
Included
- Phase 2 modernization drivers
- Architectural alignment across all six control planes
- Core concepts supporting FedRAMP 20x
- Frozen state compliance risks
- Compliance outcomes and mission impact
Excluded
- Detailed crosswalk mappings (see 03_FedRAMP20x_Crosswalk.md)
- Project plan sequencing (see 08_ModernizationTimeline.md)
- Vendor-specific deployment instructions
4. Control Plane Alignment
FedRAMP 20x Phase 2 compliance is achieved through coordinated operation of all six UIAO control planes:
| Plane | Phase 2 Compliance Role |
|---|---|
| Identity | MFA, lifecycle governance, identity assurance |
| Network | Cloud-first routing, segmentation, mTLS overlay |
| Addressing | Deterministic IPAM, DNS/DHCP modernization |
| Telemetry and Location | Real-time KSI generation, INR/E911 readiness |
| Security and Compliance | Zero Trust enforcement, FedRAMP alignment |
| Management | Drift detection, CMDB integrity, device compliance |
Each plane contributes mandatory telemetry and evidence for FedRAMP 20x validation.
5. Core Concepts
FedRAMP 20x Phase 2 is supported by the Eight Core Concepts of UIAO:
- Single Source of Truth (SSOT) — UIAO operates on the principle that every claim has one authoritative origin. All other representations are pointers, not copies. This ensures provenance, prevents drift, and enables federated truth resolution across boundaries.
- Conversation as the atomic unit
- Identity as the root namespace
- Deterministic addressing
- Certificate-anchored overlay
- Telemetry as control
- Embedded governance and automation
- Public service first
These concepts ensure that compliance is continuous, automated, and identity-anchored.
6. Architecture Model
6.1 Modernization Drivers
The agency’s legacy environment exhibits structural constraints that prevent compliance with FedRAMP 20x Phase 2:
- TIC 2.0 hairpinning degrades M365 performance
- Identity anchored in on-prem AD with inconsistent governance
- Fragmented IPAM across spreadsheets and disconnected tools
- Siloed telemetry preventing conversation-level correlation
- Manual governance processes incompatible with continuous monitoring
- Perimeter-centric security models unable to enforce Zero Trust
These constraints create direct mission impact:
- Poor cloud performance
- Increased cyber risk
- Compliance gaps (TIC 3.0, FedRAMP 20x, SCuBA)
- Operational inefficiencies
UIAO resolves these constraints through identity-driven, telemetry-informed modernization.
6.2 Architecture Supporting FedRAMP 20x Phase 2
Identity Control Plane
- Entra ID as authoritative identity
- ICAM governance (NIST 800-63, OMB M-19-17)
- Conditional Access enforcing device trust
- PIM for privileged access
- Automated lifecycle (joiner/mover/leaver)
Network Control Plane
- Cisco SD-WAN for cloud-first routing
- Identity-aware segmentation
- Cloud OnRamp for M365
- INR integration for location-aware routing
Addressing Control Plane
- Infoblox IPAM replacing spreadsheets
- Deterministic, identity-derived addressing
- Unified DNS/DHCP across cloud and on-prem
- Accurate telemetry correlation
Telemetry and Location Control Plane
- M365, SD-WAN, DNS, endpoint telemetry
- Conversation-level correlation
- E911 dynamic location mapping
- IPAM-based location inference
Security and Compliance Plane
- TIC 3.0 Cloud + Branch
- Zero Trust enforcement
- FedRAMP 20x telemetry validation
- NIST 800-63 identity governance
Together, these planes produce continuous, machine-generated evidence.
7. Runtime Model
UIAO’s runtime model directly satisfies FedRAMP 20x Phase 2 requirements.
7.1 Conversation-Level Telemetry
Every interaction produces:
- Identity metadata
- Addressing metadata
- Certificate metadata
- Path and QoS telemetry
- Device posture
- Location inference
7.2 Deterministic Behavior
Given identical inputs, UIAO produces identical telemetry outputs — enabling reproducible compliance.
7.3 Continuous Evaluation
Telemetry drives:
- Routing decisions
- Access decisions
- Segmentation decisions
- Compliance posture
This satisfies CA-7 continuous monitoring and SI-4 anomaly detection.
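The runtime model above is easiest to see in code. The following is an added example, not code from the UIAO document: a conversation-level telemetry record (7.1) is canonicalised and hashed into a reproducible evidence id (7.2), then passed through a pure evaluation function that derives access, segmentation, routing and compliance-posture decisions (7.3). The field names, the quarantine/secondary-overlay policies, the 2% loss threshold and the sample values are constructed assumptions for illustration.

```python
"""Added example, not part of the UIAO document: canonical evidence ids and a
deterministic evaluation over a conversation-level telemetry record."""
import hashlib
import json


def canonical_bytes(record: dict) -> bytes:
    # Sorted keys and fixed separators make the byte form independent of
    # insertion order, so identical inputs always hash to the same evidence id.
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def evidence_id(record: dict) -> str:
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def evaluate_conversation(record: dict) -> dict:
    """Pure function of the telemetry record: same inputs, same decisions."""
    identity, device = record["identity"], record["device"]
    path, cert = record["path"], record["certificate"]
    findings = []
    if not identity["mfa"]:
        findings.append("mfa-missing")
    if not device["compliant"]:
        findings.append("device-noncompliant")
    if not cert["valid"]:
        findings.append("certificate-invalid")
    if path["loss_pct"] > 2.0:  # constructed QoS threshold
        findings.append("path-degraded")
    blocking = {"mfa-missing", "device-noncompliant", "certificate-invalid"}
    access = "deny" if blocking & set(findings) else "allow"
    # Segmentation: non-compliant devices are steered to a quarantine segment (constructed policy).
    segment = "quarantine" if "device-noncompliant" in findings else identity["segment"]
    # Routing: a degraded path falls back to the secondary overlay (constructed policy).
    route = "secondary-overlay" if "path-degraded" in findings else "primary-overlay"
    posture = "compliant" if not findings else "noncompliant"
    return {"evidence_id": evidence_id(record), "access": access, "segment": segment,
            "route": route, "posture": posture, "findings": findings}


# Constructed sample record; the two copies deliberately differ only in key order.
SAMPLE_A = {
    "conversation_id": "c-0001",
    "identity": {"upn": "user@agency.example", "mfa": True, "segment": "finance"},
    "device": {"id": "dev-42", "compliant": True},
    "certificate": {"subject": "dev-42.agency.example", "valid": True},
    "path": {"src": "10.20.0.15", "dst": "203.0.113.10", "loss_pct": 0.1},
    "location": {"site": "HQ-3F", "source": "ipam-inference"},
}
SAMPLE_B = {
    "location": {"source": "ipam-inference", "site": "HQ-3F"},
    "path": {"loss_pct": 0.1, "dst": "203.0.113.10", "src": "10.20.0.15"},
    "certificate": {"valid": True, "subject": "dev-42.agency.example"},
    "device": {"compliant": True, "id": "dev-42"},
    "identity": {"segment": "finance", "mfa": True, "upn": "user@agency.example"},
    "conversation_id": "c-0001",
}


def posture_changed(record: dict) -> dict:
    """Same conversation with the device posture flipped; everything else unchanged."""
    changed = json.loads(json.dumps(record))
    changed["device"]["compliant"] = False
    return changed


if __name__ == "__main__":
    print(json.dumps(evaluate_conversation(SAMPLE_A), indent=2))
    print(json.dumps(evaluate_conversation(posture_changed(SAMPLE_A)), indent=2))
```

The point of `canonical_bytes` is that reproducibility is a property of the serialisation, not just of the logic: two collectors emitting the same fields in different order must still produce the same evidence id, or the CA-7 record cannot be re-derived by an assessor.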
8. Compliance Mapping
8.1 Frozen State Compliance Risks
| Domain | Frozen State | Compliance Risk |
|---|---|---|
| Identity | Siloed AD | Inconsistent governance |
| Addressing | Static spreadsheets | No correlation or inventory integrity |
| Network Security | L3/L4 firewalls | No identity-aware segmentation |
| Endpoint | Mixed tooling | No unified posture signal |
| App Delivery | Local auth | No workload identity |
| Telemetry | Siloed logs | No conversation-level visibility |
| Governance | Email/tickets | No automated enforcement |
| Data Protection | Manual classification | No data-aware routing |
UIAO resolves these risks through deterministic, identity-anchored modernization.
8.2 Compliance Outcomes
UIAO delivers measurable improvements:
- Performance: Cloud-first routing improves M365 performance
- Security: Identity-driven segmentation reduces attack surface
- Compliance: Telemetry enables FedRAMP 20x validation
- Governance: Automated workflows replace manual tickets
- Mission Readiness: Faster, more reliable, more secure services
These outcomes satisfy the intent and requirements of FedRAMP 20x Phase 2.
9. Dependencies and Sequencing
Upstream Dependencies
- Identity modernization (Workstream A)
- SD-WAN HLD/LLD (Workstream B)
- IPAM modernization (Workstream C)
- Telemetry integration (Workstream D)
Downstream Dependencies
- TIC 3.0 Cloud Use Case Package
- TIC 3.0 Branch Use Case Package
- CDM/CLAW integration
- Annual FedRAMP assessment
Timeline Alignment
This document aligns with Months 3-6 of the modernization timeline.
10. Governance and Drift Controls
Drift Detection
- ServiceNow CMDB reconciliation
- Intune compliance
- SD-WAN overlay validation
- IPAM reconciliation
Remediation Workflow
- Automated ServiceNow change
- Conditional Access enforcement
- Certificate renewal
- IPAM correction
Audit Anchors
- Entra ID logs
- Infoblox API records
- SD-WAN telemetry
- Intune compliance reports
- ServiceNow audit trails
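The drift-detection and remediation lists above can be expressed as a reconciliation pass. The following is an added example, not code from the UIAO document: constructed IPAM host records are compared against constructed CMDB configuration items, each drift finding is reported, and each finding type is mapped to one of the four remediation steps named in this section. The record shapes, hostnames, addresses, the 30-day certificate window and the choice of IPAM as authoritative for address bindings are constructed assumptions, not Infoblox, ServiceNow or Intune data formats.

```python
"""Added example, not part of the UIAO document: IPAM/CMDB reconciliation with
findings mapped to the remediation workflow steps of this section."""
from datetime import date

CERT_RENEWAL_WINDOW_DAYS = 30   # constructed threshold for "certificate renewal"
TODAY = date(2026, 4, 27)       # fixed so the example is reproducible

# Constructed IPAM view: authoritative for address-to-host binding (assumption).
IPAM = [
    {"ip": "10.20.0.15", "hostname": "dev-42.agency.example", "mac": "00:11:22:33:44:15"},
    {"ip": "10.20.0.16", "hostname": "dev-43.agency.example", "mac": "00:11:22:33:44:16"},
    {"ip": "10.20.0.17", "hostname": "dev-44.agency.example", "mac": "00:11:22:33:44:17"},
]
# Constructed CMDB view: authoritative for device identity and compliance state.
CMDB = [
    {"ip": "10.20.0.15", "hostname": "dev-42.agency.example", "mac": "00:11:22:33:44:15",
     "intune_compliant": True, "cert_expires": "2026-09-01"},
    {"ip": "10.20.0.16", "hostname": "dev-43-old.agency.example", "mac": "00:11:22:33:44:16",
     "intune_compliant": False, "cert_expires": "2026-05-10"},
    {"ip": "10.20.0.18", "hostname": "dev-45.agency.example", "mac": "00:11:22:33:44:18",
     "intune_compliant": True, "cert_expires": "2027-01-01"},
]


def reconcile(ipam, cmdb, today=TODAY):
    """Return drift findings between the two inventories, ordered by address."""
    by_ip_ipam = {r["ip"]: r for r in ipam}
    by_ip_cmdb = {r["ip"]: r for r in cmdb}
    findings = []
    for ip in sorted(set(by_ip_ipam) | set(by_ip_cmdb)):
        a, c = by_ip_ipam.get(ip), by_ip_cmdb.get(ip)
        if c is None:
            findings.append({"ip": ip, "type": "missing-in-cmdb"})
            continue
        if a is None:
            findings.append({"ip": ip, "type": "missing-in-ipam"})
            continue
        # Attribute drift: IPAM is the source of truth for the binding, so the CMDB side is corrected.
        for attr in ("hostname", "mac"):
            if a[attr] != c[attr]:
                findings.append({"ip": ip, "type": f"{attr}-mismatch", "ipam": a[attr], "cmdb": c[attr]})
        if not c["intune_compliant"]:
            findings.append({"ip": ip, "type": "device-noncompliant"})
        days_left = (date.fromisoformat(c["cert_expires"]) - today).days
        if days_left <= CERT_RENEWAL_WINDOW_DAYS:
            findings.append({"ip": ip, "type": "certificate-expiring", "days_left": days_left})
    return findings


# Finding type -> remediation workflow step named in this section.
ACTIONS = {
    "missing-in-cmdb": "servicenow-change",
    "missing-in-ipam": "ipam-correction",
    "hostname-mismatch": "servicenow-change",
    "mac-mismatch": "servicenow-change",
    "device-noncompliant": "conditional-access-enforcement",
    "certificate-expiring": "certificate-renewal",
}


def plan_remediation(findings):
    """Turn findings into a list of actions a workflow engine could execute."""
    return [{"ip": f["ip"], "finding": f["type"], "action": ACTIONS[f["type"]]} for f in findings]


if __name__ == "__main__":
    for step in plan_remediation(reconcile(IPAM, CMDB)):
        print(step)
```

Keying the join on the address rather than on hostname is a deliberate choice for this example: the address is the field the addressing plane controls deterministically, so a hostname disagreement surfaces as drift instead of silently splitting one device into two records.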
11. Appendices
Appendix A: Definitions
See docs/11_GlossaryAndDefinitions.md
Appendix B: Tables
Frozen State Compliance Risks table is in Section 8.1. Control Plane Alignment table is in Section 4.
Appendix C: Diagram References
See docs/images/ for all referenced architecture diagrams.
Appendix D: Evidence Sources
See data/parameters.yml and control-library entries for evidence source catalogs.
Appendix E: KSI Reference Model
See 03_FedRAMP20x_Crosswalk.md Section 8 for KSI definitions and mappings.
12. Minimum Assessment Scope and the Eleven Key Security Indicators
FedRAMP 20x is the modernization track that replaces the assessment method, not the assessment scope. Phase 2 Pilot is active and the requirements published at fedramp.gov/docs/20x/ are authoritative. 20x materially changes the federal framing in which agencies and CSPs operate, and gives the deterministic-telemetry subset of the GCC-Moderate gap matrix a cleaner home as machine-readable evidence — but it does not by itself close the boundary-architecture gaps that remain Microsoft engineering decisions about commercial-cloud features.
12.1 Minimum Assessment Scope (the “what’s in” rule)
MAS replaces the prior FedRAMP authorization-boundary construct with a two-pronged inclusion test. Providers must identify information resources that are “likely to handle federal customer data or likely to impact the confidentiality, integrity, or availability of federal customer data” (MAS-CSO-IIR). Resources that fail both prongs are out of scope. Metadata follows the same rule (MAS-CSO-MDI): metadata is in scope only when the underlying resource is in scope.
| MAS-CSO id | Name | Test |
|---|---|---|
| MAS-CSO-IIR | Information Resources | Two-prong inclusion test |
| MAS-CSO-MDI | Metadata | In scope iff underlying resource is in scope |
| MAS-CSO-FLO | Federation / Federal Boundary Flows | (per spec) |
| MAS-CSO-TPR | Third-Party Resources | (per spec) |
| MAS-CSO-SUP | Supporting Resources | (per spec) |
Why this matters for GCC-Moderate. Telemetry that is measurement-only and does not itself handle federal customer data — synthetic network path metrics, anonymized endpoint performance counters, fleet-wide patch posture rollups — has a credible path to descoping under MAS-CSO-MDI. Telemetry that handles federal customer data routinely (sign-in events, mailbox-access events, sensitivity-label content) does not.
For the per-signal-class projection across the GCC-Moderate gap matrix, see src/uiao/canon/data/fedramp-20x.yml (gap_matrix_scope_effect block) and the matrix itself at src/uiao/canon/data/gcc-moderate-telemetry-gaps.yaml.
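The two-prong test and the metadata rule are mechanical enough to encode. The following is an added example, not code from the UIAO document or from the FedRAMP 20x standard: it applies the MAS-CSO-IIR inclusion test and the MAS-CSO-MDI inheritance rule to a constructed inventory and emits a machine-readable scope decision per item, including the unresolved-reference and cyclic-reference edge cases. The resource ids, the prong flags, and the "in scope pending review" default for unresolved references are constructed assumptions; as section 12.5 notes, the actual decision is a 3PAO interpretation, so this output is an input to that discussion, not a ruling.

```python
"""Added example, not part of the UIAO document: MAS-CSO-IIR / MAS-CSO-MDI
scope evaluation over a constructed inventory."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Resource:
    rid: str
    handles_federal_data: bool = False   # prong 1: likely to handle federal customer data
    impacts_cia: bool = False            # prong 2: likely to impact C/I/A of federal customer data
    metadata_of: Optional[str] = None    # set for metadata streams: id of the underlying resource


def evaluate_scope(resources):
    """Return {rid: {"in_scope", "rule", "reason"}} for every inventory item."""
    index = {r.rid: r for r in resources}
    decisions = {}

    def decide(rid, trail):
        if rid in decisions:
            return decisions[rid]
        trail = trail + (rid,)
        res = index.get(rid)
        if res is None:
            # Unresolved underlying resource: keep it in scope pending review rather than silently descoping.
            d = {"in_scope": True, "rule": "unresolved", "reason": "not in inventory; review required"}
        elif res.metadata_of is not None:
            if res.metadata_of in trail:
                d = {"in_scope": True, "rule": "MAS-CSO-MDI", "reason": "cyclic metadata reference; review required"}
            else:
                # MAS-CSO-MDI: metadata inherits the scope of the resource it describes.
                parent = decide(res.metadata_of, trail)
                state = "in" if parent["in_scope"] else "out"
                d = {"in_scope": parent["in_scope"], "rule": "MAS-CSO-MDI",
                     "reason": f"inherits scope of {res.metadata_of} ({state})"}
        else:
            # MAS-CSO-IIR: in scope if either prong is met; out only when both fail.
            prongs = [name for name, hit in (("handles-federal-data", res.handles_federal_data),
                                             ("impacts-cia", res.impacts_cia)) if hit]
            d = {"in_scope": bool(prongs), "rule": "MAS-CSO-IIR",
                 "reason": ("prong(s): " + ", ".join(prongs)) if prongs else "fails both prongs"}
        decisions[rid] = d
        return d

    for r in resources:
        decide(r.rid, ())
    return decisions


# Constructed inventory mirroring the signal classes discussed above.
INVENTORY = [
    Resource("exo-mailbox-access-events", handles_federal_data=True, impacts_cia=True),
    Resource("entra-signin-events", handles_federal_data=True),
    Resource("exo-mailbox-audit-metadata", metadata_of="exo-mailbox-access-events"),
    Resource("synthetic-probe-fleet"),  # measurement-only probes: no federal data, no C/I/A impact
    Resource("sdwan-synthetic-path-metrics", metadata_of="synthetic-probe-fleet"),
    Resource("patch-posture-aggregator"),
    Resource("fleet-patch-posture-rollup", metadata_of="patch-posture-aggregator"),
    Resource("orphan-counter-stream", metadata_of="decommissioned-collector"),  # underlying id not in inventory
]


def descoping_candidates(decisions):
    """Items decided 'out' and therefore worth a documented 3PAO discussion."""
    return sorted(rid for rid, d in decisions.items() if not d["in_scope"])


if __name__ == "__main__":
    for rid, d in evaluate_scope(INVENTORY).items():
        print(f"{rid:32} in_scope={d['in_scope']!s:5} {d['rule']:12} {d['reason']}")
```

The defensive default matters: an inventory gap must never manufacture a descoping. Anything whose underlying resource cannot be resolved, or whose metadata chain loops, stays in scope until a human closes the gap.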
12.2 The Eleven Key Security Indicators (the “how it’s measured” rule)
| KSI id | Family | Domain |
|---|---|---|
| KSI-AUTH | Authorization by FedRAMP | Authorization lifecycle, package status, agency reuse |
| KSI-CMT | Change Management | Significant Change Notifications, baseline drift, version control |
| KSI-CNA | Cloud-Native Architecture | Service composition, multi-tenant isolation, shared-responsibility model |
| KSI-CED | Cybersecurity Education | Workforce training, awareness, role-based education |
| KSI-IAM | Identity and Access Management | Authentication, authorization, MFA, privileged access |
| KSI-INR | Incident Response | Detection, containment, eradication, recovery, lessons learned |
| KSI-MLA | Monitoring / Logging / Auditing | Continuous monitoring, log aggregation, audit-record fidelity |
| KSI-PIY | Policy and Inventory | Policy artifacts, asset inventory, configuration baselines |
| KSI-RPL | Recovery Planning | Backup, restore, business continuity, disaster recovery |
| KSI-SVC | Service Configuration | Hardening baselines, secure defaults, configuration management |
| KSI-SCN | Supply Chain Risk | Third-party risk, vendor management, software supply-chain integrity |
KSIs sit above NIST 800-53 — they map to control families, but the artifact a CSP produces is a machine-readable, continuously-validated evidence payload rather than an SSP narrative. Compliance shifts from periodic-document-attesting toward continuous-evidence-emitting.
12.3 Three deployment surfaces
| Surface | Status | Note |
|---|---|---|
| Phase 2 Pilot | Required | Authoritative requirements at fedramp.gov/docs/20x/ for participants in the Moderate pilot. |
| Rev5 Balance Improvement Releases | Optional | Minimum Assessment Scope, Significant Change Notifications, Authorization Data Sharing, Vulnerability Detection and Response, and Collaborative Continuous Monitoring are available as opt-in updates to existing Rev5-authorized packages without going through full 20x. Most likely near-term path for currently-authorized CSPs. |
| Phase 1 Pilot | Archived | Reference-only. Phase 1’s “Minimum Assessment Standard” is the predecessor to the current “Minimum Assessment Scope” — same two-prong concept, different name and refined language. |
12.4 Cross-references
- MITRE Chains, gap matrix, and ZTMM ceiling: docs/customer-documents/compliance/boundary-authorization/B1-gcc-moderate-boundary-model.qmd.
- Canon reference (methodology, capabilities, MITRE chains, resolved positions): src/uiao/canon/compliance/reference/gcc-moderate-boundary-assessment/.
- Crosswalk by signal class: see §X of 03_FedRAMP20x_Crosswalk.qmd.
- Source memo: inbox/New_FedRAMP_Boundary/FedRAMP_20x_Assessment_and_Implications.docx.
12.5 Caveats
The standard does not use the word “telemetry” — it uses “information resources” and “metadata.” Whether a given telemetry stream qualifies as descoped metadata is a 3PAO interpretation, not a documented carve-out. The “likely” test is intentionally broad and open to assessor judgment; interpretation drift across 3PAOs is a primary risk. MAS-CSO does not by itself cause Microsoft to ship features into GCC-Moderate; it removes one formal obstacle, not the engineering work.
13. Revision History
| Version | Date | Author | Summary |
|---|---|---|---|
| 1.0 | 2026-03 | UIAO Canon Engine | Initial canonical release |
| 1.1 | 2026-04-27 | UIAO Canon Engine | Added §12 — Minimum Assessment Scope and the eleven KSIs. Source: inbox/New_FedRAMP_Boundary/FedRAMP_20x_Assessment_and_Implications.docx. |