Frequently Asked Questions
Everything you need to know about TekRamp, FedRAMP and CMMC compliance, OSCAL, and how we help you get authorized and certified faster.
What FedRAMP baseline does TekRamp support?
TekRamp supports FedRAMP Class C / Moderate, which covers 325 controls from NIST 800-53 Rev 5. Support for additional Certification Classes (A through D) and FedRAMP 20x KSI-based authorization is included. TekRamp supports both Rev 5 and 20x authorization paths from a single platform.
How does control inheritance work?
TekRamp includes pre-built templates for controls inherited from AWS GovCloud and Azure Gov. The platform automatically identifies which controls are fully inherited, shared, or your responsibility.
What is OSCAL and why does it matter?
OSCAL (Open Security Controls Assessment Language) is a machine-readable format for compliance data. FedRAMP 20x requires OSCAL packages. TekRamp is built OSCAL-native from the ground up, so your packages are designed for compliance — with validation being continuously hardened against FedRAMP schemas.
Can I invite my consultant and 3PAO to the platform?
Yes! TekRamp supports multi-party collaboration with role-based access. Consultants can edit documentation, and 3PAOs get read-only access with commenting for efficient assessments.
How does automated evidence collection work?
Connect your AWS account with a read-only IAM role. TekRamp collects evidence from CloudTrail, AWS Config, GuardDuty, and Inspector, automatically linking it to relevant controls.
What does the SSP export include?
The SSP export follows the official FedRAMP template structure with auto-populated control implementation narratives. Export to Word, PDF, or OSCAL JSON format.
What are FedRAMP Certification Classes?
FedRAMP is replacing impact levels (Low, Moderate, High) with Certification Classes A through D under the Consolidated Rules of 2026 (CR26). Class A replaces FedRAMP Ready for low-impact SaaS, Class B maps to Low, Class C to Moderate, and Class D to High. TekRamp supports all Certification Classes with backward-compatible impact level labels during the transition.
Do you support both FedRAMP Rev 5 and 20x?
Yes. TekRamp supports both Rev 5 (NIST 800-53 control-based) and 20x (KSI outcome-based) authorization. Each package declares its path at creation, and the platform loads the appropriate compliance catalog.
What are Key Security Indicators (KSIs)?
KSIs are outcome-based security requirements introduced by FedRAMP 20x, replacing the traditional control-by-control approach of NIST 800-53. Instead of documenting how you implement AC-2, a KSI asks whether your access management is effective. TekRamp includes KSI catalog integration, evidence mapping, and pass/fail validation scoring.
Can I pursue FedRAMP authorization without a sponsor agency?
Yes — CR26 introduces Program Certification, which allows CSPs to pursue FedRAMP certification without an agency sponsor. TekRamp includes a guided workflow with readiness gates for this new sponsorless path.
Does TekRamp support CMMC Level 2?
Yes. TekRamp has full CMMC Level 2 support with NIST 800-171 (110 practices) pre-loaded, CUI scoping tools, supply chain flow-down documentation, SPRS score simulation, and C3PAO assessment readiness workflows. Because CMMC shares NIST control foundations with FedRAMP Moderate, the evidence and inheritance you collect for one framework accelerate the other.
How does the SPRS Score Simulator work?
TekRamp calculates your SPRS score in real time as you mark controls implemented — so you know exactly where you stand before submitting to DoD's Supplier Performance Risk System. The simulator also runs "what-if" analyses: select a pending POA&M item and see the score impact of closing it, so you can prioritize remediation by SPRS lift. Historical tracking gives you the quarterly trend line for reporting.
Can prime contractors track sub-contractor CMMC compliance through TekRamp?
Yes. TekRamp's Supply Chain Flow-Down Portal gives prime contractors a single dashboard view of every sub-contractor's CMMC posture. Flow-down requirements are determined automatically from CUI classification, subs self-attest with evidence upload, and a weighted risk score aggregates supply chain compliance — so primes can demonstrate DFARS 7012 oversight without managing dozens of spreadsheets.
When does CMMC enforcement actually start?
CMMC Phase 1 (self-assessments) began November 2025. The critical deadline is November 10, 2026, when Phase 2 starts — Level 2 contractors handling CUI must pass third-party C3PAO assessments to retain DoD contracts. With only ~80 C3PAOs authorized today and 16,000+ companies needing Level 2 certification, assessment capacity is a major bottleneck. Starting readiness work now is essential.
Does TekRamp help with CUI scoping?
Yes — this is one of our sharpest CMMC differentiators. CUI scoping is where most CMMC projects stall, and consultants charge $50–100K for it alone. TekRamp's AI-Powered CUI Scoping Assistant analyzes your uploaded network diagrams and data-flow descriptions, identifies CUI touchpoints, recommends scope reductions (e.g., "move CUI to an enclave, drop from 110 practices to 17"), and flags common scoping mistakes like forgotten backups and shared infrastructure. A six-step guided wizard handles everything from asset inventory through AI analysis to final scope approval.
Can I check my CMMC readiness before paying for a C3PAO assessment?
Yes. A failed C3PAO assessment costs $50–150K and sets programs back 3–6 months. TekRamp's Mock Assessment mode simulates a C3PAO walkthrough before you commit — highlighting the findings a real assessor is likely to flag based on evidence completeness, practice maturity, and a common-findings library built from assessment patterns. Per-practice red/yellow/green indicators show you exactly where you're weak, and anonymized industry benchmarking compares your readiness against other organizations who've already been through assessment.
Still have questions?
Our team can walk you through how TekRamp handles your specific FedRAMP or CMMC scenario. Request a demo and we'll answer anything.