Compliance evidence
FedRAMP — domain & certificate controls
Cloud Service Providers (CSPs) offering services to US federal agencies.
Authority: US General Services Administration (GSA) / FedRAMP PMO
What FedRAMP actually requires
FedRAMP authorizations are based on NIST SP 800-53 control baselines (Low, Moderate, High). The Moderate baseline is the most common tier for SaaS. The cryptographic and boundary-protection controls apply directly to the TLS certificate lifecycle.
Full name: FedRAMP (Federal Risk and Authorization Management Program).
Controls that touch certificates and domains
These are the 4 controls most directly affected by TLS certificate and domain lifecycle. CertRadar produces evidence bundles mapped to each.
| Control | Title | How CertRadar helps |
|---|---|---|
| SC-8 | Transmission Confidentiality and Integrity | Information in transit must be protected — current, trusted TLS certificates are the implementation. |
| SC-12 | Cryptographic Key Establishment and Management | Key lifecycle — which includes certificate renewal — must be managed. |
| SC-13 | Cryptographic Protection | FIPS-validated cryptography must be used; certificate signature algorithms are in scope. |
| SC-7 | Boundary Protection | External interfaces must enforce boundary controls including TLS. |
What the evidence pack contains
CertRadar’s one-click export for FedRAMP includes:
- SSP-mapped inventory of all authorization-boundary certificates
- Continuous-monitoring output (FedRAMP ConMon artifacts)
- POA&M entries for expiring certificates with remediation targets
- FIPS algorithm compliance report per certificate
Ship the FedRAMP evidence your auditor asks for.
CertRadar gives security, IT, and compliance teams a complete inventory of every domain and cert your company owns — plus a one-click evidence pack mapped to FedRAMP controls. Beta in weeks. Early members get a lifetime Pro discount.