Book a Call
Home / Services / FedRAMP Cloud Architecture
Service · S/01 Federal Compliance

FedRAMP cloud architecture, built to pass the boundary review.

We architect and ship FedRAMP Moderate and High cloud environments for federal contractors, defense industrial base, and AI/SaaS vendors selling into federal buyers. NIST 800-53 control coverage built into Terraform, identity, network boundary, logging, and key management, not bolted on before assessment.

Book a 30-minute call See engagement options
EngagementFixed-fee build
or readiness audit
Timeline3 weeks (audit)
12+ weeks (build)
AuthorizationFedRAMP Mod / High
Agency ATO · JAB · Tailored
CloudsAWS GovCloud · GCP AW
Azure Government
01 — The Problem

FedRAMP is the moat. Most teams underestimate the engineering.

Selling into federal buyers without an authorization is increasingly off the table. Selling with one takes most teams 18 months and a six-figure engineering bill. Not because the controls are exotic. Because the architecture decisions made in month one are still being unwound in month fourteen.

We have shipped FedRAMP-aligned environments for AI SaaS vendors selling into federal buyers, defense subcontractors moving from commercial cloud into GovCloud, and federal systems integrators rebuilding inherited infrastructure under a tighter authorization boundary. The pattern is the same: the security controls are knowable, the deadline is real, and the engineering bottleneck is architectural decisions that should have been made before anyone wrote Terraform.

Stonebridge does the architectural work first, so the assessment phase becomes evidence collection against a system that was built to satisfy the controls, not a remediation sprint against one that was not.

02 — Control Mapping

NIST 800-53 controls the infrastructure must satisfy by design.

FedRAMP Moderate inherits roughly 325 controls from NIST 800-53 Rev. 5. High inherits more. Most of those controls touch the cloud environment directly. A correctly-built FedRAMP environment satisfies the technical controls through how the infrastructure operates, not through policy documents that describe what it is supposed to do.

The control families the infrastructure most directly touches:

  • AC · Access ControlIdentity federation, role separation, least-privilege IAM, and session management that survives FedRAMP assessment scrutiny.
  • AU · Audit & AccountabilityCentralized, tamper-evident logging across every account, region, and service with retention that meets High baselines.
  • CM · Configuration ManagementInfrastructure as code with signed, reviewed, and versioned changes. Drift detection on the production boundary.
  • IA · Identification & AuthenticationFIPS-validated cryptography, phishing-resistant MFA, and PIV/CAC integration where required.
  • SC · System & Communications ProtectionBoundary defense, encrypted transit, KMS-backed encryption at rest, and zero-trust network architecture inside the boundary.
  • SI · System & Information IntegrityContinuous vulnerability scanning, patch management, and signed-artifact deployment so production state is provably derived from approved code.

None of these are exotic. All are routinely missed in cloud environments designed without FedRAMP boundaries in mind from day one.

03 — The Architecture Pattern

Boundary discipline, not boundary creep.

The architecture pattern that consistently survives 3PAO assessment rests on four principles. The implementation differs across AWS GovCloud, GCP Assured Workloads, and Azure Government, but the architecture is identical.

Principle 1: An explicit, narrow authorization boundary

Most FedRAMP failures begin with a boundary diagram that includes too much. Every service, account, network range, and data store inside the boundary is in scope; every dependency outside must be inherited from another authorized service or excluded entirely. We draw the boundary before writing Terraform, and we hold the line on it.

Principle 2: Identity and network isolation by account, not by tag

Production, staging, logging, and shared services live in separate accounts (AWS), projects (GCP), or subscriptions (Azure) with explicit network peering and zero implicit trust. Identity federates from a central IdP with role-based, time-bounded access. This survives the assessment question that kills most quick-fix architectures: "show me that a developer cannot reach production data."

Principle 3: Logging as the system of record

Every account ships every relevant log to a centralized, write-once, retention-locked logging account. CloudTrail, VPC Flow Logs, EKS audit logs, KMS key usage, IAM Access Analyzer findings: all of it. Logging is not a feature. It is the system of record auditors will use to validate every other control.

Principle 4: Continuous control evidence emission

The pipeline that deploys into the boundary emits evidence on every change: SBOMs, vulnerability scans, signature chains, policy decisions, change tickets. These are stored separately from CI infrastructure with retention locks. When the auditor asks for evidence of a specific control at a specific point in time, the answer is a query, not a project.

04 — What You Get

Six artifacts your 3PAO will ask for.

A FedRAMP Boundary Build engagement produces a defined set of deliverables, each mapped to controls and ready for assessment package inclusion. Nothing is bespoke that does not need to be.

D/01

Boundary architecture

  • Authorization boundary diagram
  • Data flow diagrams (in / out / within)
  • Network topology diagrams
  • Inherited service mapping
D/02

Infrastructure as code

  • Terraform modules for the boundary
  • State backend in the regulated region
  • OPA / Sentinel policy gates
  • Drift detection wired to alerting
D/03

Identity & access

  • IdP federation (Entra / Okta / IAM IC)
  • Role catalog with least-privilege scopes
  • Break-glass procedure (documented)
  • Access review automation
D/04

Logging & monitoring

  • Centralized logging account / project
  • Retention locks (S3 Object Lock / equivalent)
  • SIEM integration (Splunk / Sentinel / Chronicle)
  • Control-mapped dashboards
D/05

Key & secret management

  • KMS / Cloud HSM topology
  • FIPS 140-3 validated configuration
  • Secret rotation runbooks
  • Customer-managed key boundaries
D/06

Control documentation

  • SSP-ready control narratives
  • Continuous monitoring plan
  • Incident response runbooks
  • 3PAO assessment readiness pack
05 — Common Mistakes

Five patterns that fail boundary review.

We see the same mistakes repeatedly when teams pursue FedRAMP without architectural help. None are about not knowing what FedRAMP wants. They are about not knowing how to structure the boundary so it works.

  1. Boundary scope creep

    Pulling shared developer tooling, observability stacks, and corporate identity into the authorization boundary expands scope by 3-5x and adds months of remediation. Inherit from authorized services where possible. Keep the boundary narrow and defensible.

  2. Commercial-region habits inside the boundary

    Using non-FIPS endpoints, non-regulated services, or commercial-region defaults inside GovCloud will fail assessment. The infrastructure-as-code library has to enforce regulated defaults. Engineers cannot be expected to remember.

  3. Logging that an engineer can edit

    If audit logs live in an account where engineers have write access, the entire AU control family is compromised. Logging needs its own account, retention locks, and access boundary distinct from production engineering.

  4. Manual evidence collection at assessment time

    Producing evidence by hand the week before 3PAO assessment burns weeks and often fails to produce point-in-time evidence the auditor asks for. Evidence emission is a property of the pipeline; the assessment phase is querying it.

  5. Treating the SSP as documentation, not architecture

    System Security Plans written after the build always lie. Write the control narratives alongside the Terraform. Every module ships with the controls it implements, and the SSP is generated from that source of truth.

06 — Engagement

Two ways to engage. Fixed scope, fixed price.

Most clients start with the readiness audit. It is faster, cheaper, and produces a written roadmap that often gets approved as a follow-on build engagement. Clients with a known ATO deadline come straight to the build.

07 — Recent Work

A representative engagement.

One of our FedRAMP engagements involved architecting the authorization boundary for an AI SaaS vendor that needed to sell into federal buyers. The internal team had strong engineering practice but no prior federal experience and a real customer deadline.

AI SAAS · FEDERAL

FedRAMP Moderate architecture for an AI SaaS vendor.

The team was running production on commercial AWS with a strong engineering culture but no boundary discipline. A federal customer had committed to procurement contingent on a FedRAMP Moderate path, with an aggressive timeline.

We architected the boundary in AWS GovCloud, federated identity from their existing IdP through IAM Identity Center, established a centralized logging account with retention locks, and codified the entire boundary in Terraform with policy gates that prevented common drift patterns. Control narratives were written alongside the modules, not after.

The team passed first-party 3PAO readiness review on schedule and is now in the assessment phase with an authorization boundary that matches their architecture diagrams and an evidence chain that survives audit queries.

FedRAMPModerate boundary
architected to spec
Passed3PAO readiness review
on first-party assessment
On trackAuthorization timeline
aligned with customer deadline
Read the full case study →
08 — Questions

Frequently asked, directly answered.

Q/01Are you a 3PAO?
No. We are an engineering firm, not an accredited Third Party Assessment Organization. We architect and build the boundary so it passes 3PAO assessment, and we work alongside your chosen 3PAO during the audit. Most clients prefer this separation because it keeps the engineer and the assessor independent.
Q/02Which authorization path do you support: agency ATO, JAB P-ATO, or Tailored?
All three. The technical architecture is largely the same across paths; what differs is the sponsor and the assessment cadence. Agency ATO is the most common starting point for SaaS vendors entering federal. JAB P-ATO is the higher bar and the longer timeline. FedRAMP Tailored (Li-SaaS) applies to a narrower set of services and is a faster path for low-impact tools.
Q/03Do we have to use GovCloud, or will commercial cloud regions work?
For Moderate and High, you generally need GovCloud (AWS), Assured Workloads (GCP), or Azure Government. Commercial regions can satisfy FedRAMP Low and some Tailored authorizations, but Moderate and High require the regulated boundary. We architect on whichever fits your customer requirements and existing footprint.
Q/04How long does FedRAMP authorization actually take?
From a standing start, 12 to 18 months is realistic for Moderate, often longer for High. The engineering portion (boundary architecture, control implementation, evidence collection) runs in parallel with documentation and 3PAO assessment. Most of the time savings come from getting the architecture right early so you do not redesign mid-audit.
Q/05Can you work inside our existing ATO without breaking it?
Yes. For clients with an existing ATO, we operate within the boundary as a Significant Change is documented for any architectural change. We do not push changes that would force a re-authorization without explicit sign-off, and we coordinate with your security officer and 3PAO ahead of any boundary-affecting work.
Q/06What about CMMC, DoD IL4/IL5, or StateRAMP?
The same control families and architectural patterns apply, with framework-specific overlays. We work CMMC 2.0 Level 2 for the defense supply base, DoD Impact Levels 4 and 5 for defense workloads, and StateRAMP for state and local government. The boundary discipline is what carries between them; the control mappings differ.

Sell into federal. Pass the boundary review.

Most discovery calls take 30 minutes. We come back with a written proposal within 48 hours. If we are not the right fit for the engagement, we will tell you in the first call and point you somewhere that is.

Book a 30-minute call
Related Reading

From the field.

CS/01 — CASE STUDY

FedRAMP Moderate architecture for an AI SaaS vendor

How we architected a Moderate boundary on AWS GovCloud against a customer-driven timeline.
FN/04 — FIELD NOTES

The HIPAA CI/CD audit checklist for engineering teams

The control map covers most FedRAMP Moderate technical safeguards under NIST 800-53 too.
FN/03 — FIELD NOTES

HIPAA CI/CD vs SOC 2 CI/CD: where the controls differ

Control-by-control map of how two compliance regimes shape pipeline architecture differently.
Related Services

Other ways we work.

S/01 — INFRASTRUCTURE

HIPAA Cloud Architecture

HIPAA-aligned cloud environments for healthcare engineering teams and clinical SaaS.
S/03 — PLATFORM

Kubernetes Platform Engineering

Production Kubernetes for regulated environments. EKS, GKE, AKS, OKE, including regulated variants.
S/02 — DELIVERY

HIPAA-Compliant CI/CD

The same pipeline architecture that satisfies HIPAA covers most FedRAMP Moderate technical controls.