Federal compliance without a roadmap is aspirational rather than actionable — developers patch individual findings without understanding which controls feed into ATO (Authority to Operate), which gaps block a FedRAMP assessment, or in what sequence remediation should proceed. NIST 800-53 rev5 PL-2 (System Security Plan) requires a documented security plan with milestones; CA-2 (Control Assessments) requires planned assessment cycles. FedRAMP rev5 PL-2 gates the authorization process on a compliant System Security Plan (SSP). Without a roadmap, audit findings pile up in a backlog with no prioritization framework, and federal procurement windows close before the system reaches assessable maturity.
Severity is info because a missing roadmap does not introduce a technical vulnerability, but its absence means remediation is reactive and uncoordinated — audit findings accumulate without a path to authorization.
Create docs/fedramp-compliance-roadmap.md with at least three phases, specific target months, and references to this audit's findings as input. Phase 1 should address every critical and high finding from this audit before any documentation work.
```markdown
# FedRAMP / FISMA Compliance Roadmap
## Current Assessment
- Audit: gov-fisma-fedramp | Score: [score] | Date: [date]
- Critical gaps: TLS enforcement, hardcoded secrets, MFA
- Documentation gaps: privacy policy, incident response plan, security.txt
## Phase 1 — Technical Foundation (Months 1–2)
- [ ] Enforce HTTPS + HSTS on all auth flows (SC-8, SC-23)
- [ ] Remove hardcoded secrets; rotate any exposed credentials (IA-5)
- [ ] Implement MFA for admin routes (IA-2)
- [ ] Deploy all four required security headers (SC-8, SI-3)
- [ ] Add input validation to all API routes (SI-10)
## Phase 2 — Accountability Controls (Months 3–4)
- [ ] Implement structured audit logging (AU-2, AU-3, AU-12)
- [ ] Configure 30-minute session timeout (AC-12)
- [ ] Deploy RBAC with least-privilege roles (AC-2, AC-6)
- [ ] Tamper-evident log storage in managed log service (AU-9)
## Phase 3 — Documentation & Authorization (Months 5–6)
- [ ] Publish privacy policy, security.txt, incident response plan (PT-1, IR-8)
- [ ] Document backup/recovery procedures with RTO/RPO (CP-9)
- [ ] Third-party security assessment and POA&M submission
```
ID: gov-fisma-fedramp.documentation-readiness.compliance-roadmap
Severity: info
What to look for: Look for a compliance roadmap or project plan that documents steps toward FISMA/FedRAMP authorization. Count the number of phases or milestones defined. Check for timelines, milestones, and known gaps. Verify the roadmap includes at least 3 phases with specific month targets.
Pass criteria: A roadmap is documented outlining at least 3 phases: current compliance status assessment, remediation plan with specific timelines (month targets), and authorization preparation. It references this audit or other security control assessments.
Fail criteria: No roadmap found, or roadmap has fewer than 3 defined phases with timelines.
Skip (N/A) when: The project is not pursuing federal compliance.
Detail on fail: "No FISMA/FedRAMP compliance roadmap found. Project goals and timeline unclear."
Cross-reference: For continuous monitoring requirements that feed into the compliance roadmap, see the continuous-monitoring-plan check in this category.
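The pass/fail criteria above can be applied mechanically to a roadmap file. The following is an added example (not part of this check's tooling) that evaluates a markdown roadmap: it counts `## Phase N` headings, verifies each carries a month target, and confirms a current-status section and a reference to an audit or control assessment exist. The heading layout, the `load_roadmap` helper and both sample documents are assumptions constructed for the example.

```python
"""Added example: evaluate a roadmap markdown file against the pass/fail
criteria of the compliance-roadmap check (phases assumed as '## Phase N' headings)."""
import re
from pathlib import Path
from typing import Optional

PHASE_RE = re.compile(r"^##\s*Phase\s+\d+\b(.*)$", re.MULTILINE)
MONTH_RE = re.compile(r"\bMonths?\s*\d+", re.IGNORECASE)
STATUS_RE = re.compile(r"^##\s*Current\s+(Status|Assessment)", re.M | re.I)
AUDIT_RE = re.compile(r"\b(audit|control assessments?)\b", re.IGNORECASE)
FAIL_DETAIL = "No FISMA/FedRAMP compliance roadmap found. Project goals and timeline unclear."


def load_roadmap(root: Path) -> Optional[str]:
    """Return the roadmap text, or None when docs/fedramp-compliance-roadmap.md is absent."""
    path = root / "docs" / "fedramp-compliance-roadmap.md"
    return path.read_text(encoding="utf-8") if path.is_file() else None


def evaluate_roadmap(text: Optional[str]) -> dict:
    """Return the verdict plus the evidence an assessor would record."""
    if text is None:  # no file at all: report the check's fail detail
        return {"status": "fail", "phases": 0, "timed_phases": 0, "problems": [FAIL_DETAIL]}
    headings = PHASE_RE.findall(text)  # remainder of each '## Phase N' heading
    timed = sum(1 for rest in headings if MONTH_RE.search(rest))
    problems = []
    if len(headings) < 3:
        problems.append(f"only {len(headings)} phase(s) defined (need 3)")
    if timed < len(headings):
        problems.append(f"{len(headings) - timed} phase(s) lack a month target")
    if not STATUS_RE.search(text):
        problems.append("no current status/assessment section")
    if not AUDIT_RE.search(text):
        problems.append("no reference to an audit or control assessment")
    return {"status": "fail" if problems else "pass", "phases": len(headings),
            "timed_phases": timed, "problems": problems}


# Constructed sample modelled on the three-phase template above (abbreviated).
GOOD = """# FedRAMP / FISMA Compliance Roadmap
## Current Assessment
- Audit: gov-fisma-fedramp | Score: [score] | Date: [date]
## Phase 1 - Technical Foundation (Months 1-2)
- [ ] Enforce HTTPS + HSTS on all auth flows (SC-8, SC-23)
## Phase 2 - Accountability Controls (Months 3-4)
- [ ] Implement structured audit logging (AU-2, AU-3, AU-12)
## Phase 3 - Documentation & Authorization (Months 5-6)
- [ ] Third-party security assessment and POA&M submission"""
# Constructed sample that must fail: two phases, one undated, no status or audit reference.
BAD = "# Roadmap\n## Phase 1 (Month 1)\n- [ ] Fix TLS\n## Phase 2\n- [ ] Later\n"
```

Run `evaluate_roadmap(load_roadmap(Path(".")))` from a project root to produce the verdict for a real repository; the `problems` list gives the reason for each failure.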
Remediation: Create a compliance roadmap:
```markdown
# FISMA/FedRAMP Compliance Roadmap
## Current Status
- Audit conducted: [date]
- Key findings: [summary]
- Current compliance score: [score]
## Phase 1: Foundation (Month 1-2)
- [ ] Fix critical authentication issues (HTTPS TLS, no hardcoded secrets)
- [ ] Implement MFA for all users
- [ ] Deploy security headers (CSP, HSTS, etc.)
## Phase 2: Hardening (Month 3-4)
- [ ] Implement RBAC and audit logging
- [ ] Add input validation and sanitization
- [ ] Conduct security scanning in CI/CD
## Phase 3: Documentation (Month 5-6)
- [ ] Complete incident response plan
- [ ] Document backup/recovery procedures
- [ ] Publish privacy policy and security.txt
## Phase 4: Assessment (Month 7)
- [ ] Third-party security assessment
- [ ] POA&M submission
- [ ] Final compliance review
```