Compliance crosswalk · FedRAMP
FedRAMP (US federal cloud) - email + domain controls, mapped to Wiredepth
Framework version: Rev. 5 baselines (effective May 2023), aligned to NIST SP 800-53 Rev. 5
Who this is for. Cloud service providers (CSPs) pursuing FedRAMP authorisation: Agency ATO (through a sponsoring federal agency) or P-ATO (through the Joint Authorization Board). Three baselines by impact level: FedRAMP Low (lowest impact), FedRAMP Moderate (the bulk; cloud SaaS handling moderate-impact federal data), and FedRAMP High (highest-sensitivity workloads).
Where email + domain controls fit. FedRAMP is grounded in NIST SP 800-53. The email-relevant control families are AC (Access Control), AU (Audit and Accountability), IA (Identification and Authentication), IR (Incident Response), SC (System and Communications Protection), SI (System and Information Integrity), and SR (Supply Chain Risk Management). Rev. 5 elevated SR (supply chain) from an addendum to a top-level family, with explicit expectations around third-party email senders.
How to use this page. Mappings below cite the NIST 800-53 Rev. 5 control id (e.g. SC-7, SC-8). FedRAMP applies a parameterised baseline on top of those - your specific baseline (Low / Moderate / High) may apply tailored enhancements. Verify the exact enhancement for your authorisation level against the FedRAMP baseline document.
Clause-by-clause mapping
Each row maps a specific FedRAMP requirement to the Wiredepth surface that addresses it. The clause ids are the framework's own naming - verify them against the official text. We use precise language: "addresses" (the tool directly satisfies the control), "supports" (the tool contributes evidence the auditor will need), and "evidence for" (the artifact is part of the attestation package).
| Clause | Area | Requirement | Wiredepth response |
|---|---|---|---|
| AU-2 / AU-12 Audit events + audit record generation | Monitoring | The system should generate audit records for events identified as relevant to security. Audit records must include sufficient detail to support after-the-fact investigation. | Audit-log Merkle chain (see /docs/verify) generates tamper-evident audit records. The free public verifier lets an independent assessor confirm the records were not modified after the fact - a property FedRAMP Moderate and High auditors explicitly look for. |
| IA-2 / IA-5 Identification + authenticator management | Authentication | The system should uniquely identify and authenticate organisational users. For email: domain-level sender authentication via SPF, DKIM, DMARC. | DMARC enforcement checker + DKIM analyser produce the per-domain authentication evidence. The free email-auth scorecard PDF is shareable with assessors. |
| IR-4 Incident handling | Reporting | Implement an incident-handling capability covering preparation, detection + analysis, containment, eradication, and recovery. Coordinated with the FedRAMP incident-response plan. | Hosted DMARC report inbox provides the detection signal for inbound-mail authentication failures. Incident-readiness workpaper documents the response plan in the format an IR-4 assessor expects. |
| IR-6 Incident reporting | Reporting | Report incidents to designated authorities. FedRAMP High: report to US-CERT and the FedRAMP PMO within 1 hour of detection for confirmed incidents. | Webhook + SIEM forwarding routes Wiredepth incident detections directly into the SOC pipeline that triggers US-CERT notification. Action prefix allow-listing covers compliance-segregated channels. |
| SC-7 Boundary protection | Transport | The system should monitor and control communications at external boundaries and key internal boundaries. Email is an external-boundary protocol. | MX + MTA-STS analyser + DNS posture monitoring document the boundary-protection control for the email channel. Spoofability checker is the testing artefact. |
| SC-8 Transmission confidentiality + integrity | Transport | Protect the confidentiality and integrity of transmitted information using cryptographic mechanisms. For email: TLS 1.2+ on submission, relay, and delivery. | TLS analyser scores per-domain transmission encryption + protocol versions. Per-port testing (25 / 587 / 465 / 443) covers the submission + relay surface. |
| SC-12 / SC-13 Cryptographic key establishment + protection | Authentication | Establish cryptographic keys with secure key management. Use FIPS-validated cryptographic modules where required. | DKIM key inventory + rotation reminder cover the email-specific key management surface. NIST + PCI both recommend annual rotation; Wiredepth Pro+ tracks DKIM selector age and reminds before expiry. |
| SI-4 System monitoring | Monitoring | Monitor the system to detect attacks, indicators of potential attacks, and unauthorised local, network, and remote connections. | Continuous TLS + DMARC + DNS + threat-intel monitoring with alerting routes to the SOC pipeline. CT-log monitoring catches certificates issued for the domain that the org did not authorise. |
| SR-2 Supply chain risk management plan (new in Rev. 5) | Inventory | Develop and maintain a supply chain risk management plan. Identify and document supply chain risks across system components, services, and vendors. | Vendor consolidation audit enumerates every authorised email-sending vendor as a supply-chain component. Per-vendor posture grade quantifies the risk for the SCRM plan. |
| SR-3 Supply chain controls + processes | Inventory | Implement controls and processes to mitigate supply chain risks identified in the SCRM plan. Includes vetting of suppliers and ongoing monitoring. | Scheduled vendor rescans + per-vendor alerting cover the ongoing-monitoring side. De-authorisation guides at /docs/deauthorize cover offboarding when a supplier relationship ends. |
| CM-8 System component inventory | Inventory | Develop and document an inventory of system components. Update at a defined frequency. | Subdomain inventory + vendor consolidation audit together cover the email-facing components an assessor would check inventory against. Workpapers/vendor produces a sign-off-ready artefact. |
What auditors actually look at
A FedRAMP 3PAO (third-party assessment organisation) reviewing the email + domain surface would typically request:
- The Rev. 5 SSP (System Security Plan) entries for SC-7, SC-8, SI-4, SR-2, SR-3 with implementation evidence
- Sampled audit-log entries with chain verification + the published anchor head used during the assessment window
- The SCRM-plan supply-chain register of email senders + their last-assessed dates
- The incident-response plan + sampled IR-6 notification records
Note: FedRAMP baselines may parameterise these controls differently (e.g. enhancement (1) on SI-4 for High versus Moderate). Verify against your specific authorisation level's baseline.
Generate a FedRAMP-tagged evidence pack (Wiredepth Prove)
Prove subscribers can generate a ZIP of all five workpapers + a FedRAMP README in one click. Single domain, single click, ready to file in your audit binder. See pricing at /pricing#prove ($499/mo standalone, bundled in Enterprise).
Disclaimer. This crosswalk is provided for informational purposes. It is not legal advice, audit guidance, or a substitute for engagement with a qualified assessor (QSA for PCI, accountant or QSA for SOC 2, lawyer for HIPAA / NIS2 / SEC). Framework clause ids and language may have been updated since publication; verify against the official text. Wiredepth does not guarantee compliance based on the use of any tool or page on this site.