FedRAMP
What it is — The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is based on NIST SP 800-53 security controls and is required for cloud service providers (CSPs) serving federal agencies.
Appsec relevance — FedRAMP requires implementation of NIST 800-53 controls including RA-5 (Vulnerability Scanning), SI-2 (Flaw Remediation), SI-10 (Information Input Validation), CA-8 (Penetration Testing), and SA-11 (Developer Testing) — all of which have direct DAST applicability.
How Detectify Supports FedRAMP
| NIST 800-53 Control | What it requires | Detectify Capability | Coverage |
|---|---|---|---|
| RA-5 | Scan for vulnerabilities in the system and hosted applications; analyse reports and remediate legitimate vulnerabilities | Application Scanning, API Scanning, Internal Scanning, and Surface Monitoring provide continuous web application and API vulnerability scanning across multiple CWEs. FedRAMP also requires OS and infrastructure scanning | Partial |
| RA-5(2) | Update the list of vulnerabilities scanned on a defined frequency or when new vulnerabilities are identified | Alfred AI generates new test modules from public CVE disclosures; Crowdsource network continuously adds new vulnerability modules | Full |
| RA-5(5) | Implement privileged access authorisation for selected vulnerability scanning activities | Authenticated scanning supports testing with credentials; Internal Scanning tests internal applications | Full |
| SI-2 | Identify, report, and correct system flaws; test software and firmware updates for effectiveness | Vulnerability tracking with severity-based prioritization (CVSS), re-testing to verify remediation, historical reports showing remediation timelines | Full |
| SI-10 | Check the validity, accuracy, completeness, and authenticity of information inputs | Injection testing: SQL injection (CWE-89), XSS (CWE-79), command injection (CWE-78), SSRF (CWE-918), XXE (CWE-611) | Full |
| CM-6 | Establish and document mandatory configuration settings for system components using security benchmarks | Security misconfiguration detection (CWE-16), default credentials, exposed administrative interfaces, directory listings | Full |
| SA-11 | Require developers to create a security testing plan, perform testing, and produce evidence of execution | API-triggered scanning integrates into CI/CD pipelines for pre-deployment security testing | Partial |
| SC-7 | Monitor and control communications at the external managed interfaces and key internal boundaries | Surface Monitoring discovers exposed services at system boundaries but does not implement boundary protections | Partial |
| AC-2 through AC-6 | Manage accounts, enforce access policies, separate duties, and apply least privilege | Detects access control vulnerabilities but does not implement access control mechanisms | Partial |
What Detectify Covers
Detectify addresses the web application and API scanning components of FedRAMP’s vulnerability scanning (RA-5), flaw remediation (SI-2), input validation (SI-10), and configuration management (CM-6) controls. These are among the most frequently assessed controls in FedRAMP continuous monitoring.
FedRAMP RA-5 requires both web application and infrastructure vulnerability scanning. Detectify satisfies the web application DAST component. Infrastructure vulnerability scanning (OS, databases, network devices) requires additional tools such as Qualys, Tenable, or Nessus. FedRAMP assessors (3PAOs) would accept Detectify reports as evidence for the web application scanning portions of these controls.
FedRAMP encompasses the full NIST 800-53 control catalog; access control, audit logging, incident response, contingency planning, and many other control families are outside DAST scope.
Complementary Tools You May Need
- Penetration testing services — For CA-8 (annual penetration testing requirement)
- SIEM / audit logging — For AU (Audit and Accountability) control family
- IAM — For AC (Access Control) control family
- Incident response platform — For IR (Incident Response) control family
- Backup and DR — For CP (Contingency Planning) control family
- Network security — For SC-7 (Boundary Protection) implementation
- SAST — For SA-11 (Developer Testing) at the source code level
- FedRAMP authorization platform — For managing the authorization package and POA&M