CybrIQ for government · FedRAMP posture
CybrIQ
Government/FedRAMP posture
Last reviewed: 2026-05-12. FedRAMP Marketplace status is verifiable directly at marketplace.fedramp.gov.
FedRAMP posture · transparent

CybrIQ has no FedRAMP status today. The deployment posture is built so an agency does not need it.

Federal evaluators look for FedRAMP status in the first 30 seconds of a vendor visit. We're not going to bury it. CybrIQ is not FedRAMP Authorized, is not "In Process" on the Marketplace, and does not have a sponsoring-agency arrangement. The customer-installed deployment shape is what we offer to agencies whose authorization route is FISMA, on-premise, or air-gapped — and the controls inheritance an agency's SSP can reference today.

Authorization-route decision tree with three paths from the question 'What is your authorization route?' Route 1: FedRAMP cloud service. Status: Not held today. CybrIQ has no FedRAMP status of any kind — no Marketplace listing, no In Process designation, no sponsoring agency. If FedRAMP is the gate, CybrIQ does not pass. Route 2: FISMA on-prem with customer-installed software on agency-owned hardware. Status: Supported. The agency's SSP describes the deployment it owns; controls inheritance is supplied against NIST SP 800-53 Rev 5 and SP 800-171 at Moderate or High baseline depending on system tier. Route 3: SCIF or air-gapped enclave with disconnected operation. Status: Supported. ESE and main instance installed inside the enclave; reference-library updates ship as signed offline packages for IL5 / IL6 environments and classified enclaves. The honest summary: FedRAMP-gated procurement does not proceed with CybrIQ today. FISMA on-prem, SCIF, and air-gapped do.

Current FedRAMP status

CybrIQ has no FedRAMP status today. No Marketplace listing, no "In Process" designation, no sponsoring-agency arrangement. The FedRAMP path is something we evaluate against demand from federal customers; it is not a current roadmap commitment with a date attached. We will say what is true at every stage, including the stage where the answer is "not yet."

If FedRAMP Authorized status is the gating criterion for your agency's procurement, this is the conversation: the customer-installed deployment shape (below) lets agencies that authorize under FISMA, run on-premise, or operate SCIF / air-gapped environments proceed without FedRAMP. For agencies whose procurement strictly requires a FedRAMP listing, CybrIQ does not meet that requirement today.

The customer-installed path

Agencies that cannot wait for FedRAMP have a different option

FedRAMP authorizes cloud services. CybrIQ is software that the agency installs on agency-owned hardware. For agencies whose authorization route is FISMA rather than FedRAMP, or whose deployment must be on-premise / air-gapped from the start, the customer-installed path does not require the vendor's cloud to be FedRAMP authorized — because no vendor cloud is in the path.

Two real configurations:

  • On-premise FISMA-authorized environment. The agency installs the External Scan Engine (ESE) and the main instance on agency-controlled hardware. The agency's SSP covers the deployment. Reference-library updates ship as signed offline packages.
  • SCIF and air-gapped enclaves. The agency installs both components in the disconnected environment. Reference-library updates move into the enclave through the agency's existing approved-media process. No outbound connectivity is required for operation.

Controls inheritance an agency's SSP can reference today

For agencies authorizing CybrIQ under FISMA Moderate or High, the following NIST SP 800-53 Rev. 5 controls are commonly cited in the SSP:

Controls CybrIQ supports compliance with

  • CM-8, CM-8(1), CM-8(2), CM-8(3) — System Component Inventory and automated discovery.
  • CA-7 — Continuous Monitoring strategy implementation.
  • SI-4, SI-4(2), SI-4(4) — System Monitoring, automated tools, inbound/outbound communications.
  • SR-3, SR-11 — Supply Chain Controls and Component Authenticity.
  • AC-19 — Access Control for Mobile Devices (device-discovery input).
  • IA-3 — Device Identification and Authentication (inventory-side input).
What does exist today

Product-side controls and posture

FedRAMP is the gap. The product-side security posture is not — these are the controls and properties that exist in CybrIQ today, that an agency's authorization team can evaluate directly:

  • Cryptography in the data path. TLS 1.2 in transit. AES-256 at rest.
  • Access controls. SAML 2.0 single sign-on, role-based access control (RBAC), multi-factor authentication.
  • Vulnerability and hardening program. Regular third-party penetration testing. DISA STIG vulnerability remediation against relevant baselines.
  • Tenancy options. Customer-installed on agency-owned hardware (the deployment shape covered above), or single-tenant Azure for the SaaS configuration where an agency prefers that route.
  • Marketplace presence. Microsoft Azure Marketplace listing exists. ServiceNow store certified application exists (Select Partner — Build level). Both are routes for procurement teams that prefer to transact through a Marketplace they already use.
Third-party attestations CybrIQ does hold

Commercial-cloud certifications

These are not FedRAMP, and we do not represent them as a FedRAMP substitute. They are the trust attestations the underlying product holds today, available on request under MNDA.

  • SOC 2 Type II. Certified. CPA-firm Type II report against the AICPA Trust Services Criteria.
  • ISO/IEC 27001. Certified Information Security Management System.
  • ISO 27017. Certified — cloud-services security.
  • ISO 27018. Certified — protection of PII in the cloud.
Where we are clear about the gap

Authorizations and validations CybrIQ does not hold

  • FedRAMP (any tier). See above. No Marketplace listing, no "In Process" designation.
  • NIAP Common Criteria and FIPS 140-3. Not pursued for the current product line; the deployment shape (customer-installed software, no embedded cryptography in the customer-data path beyond TLS) is the rationale.
  • StateRAMP / TX-RAMP / other state authorizations. Not held today.
  • DoD impact levels (IL4 / IL5 / IL6). Not held as product-level authorizations; the customer-installed deployment shape sits inside the program's existing authorization boundary instead.
Compliance framework mapping

Frameworks CybrIQ supports compliance with

CybrIQ does not certify against these — these are the frameworks the product's output is structured to feed evidence into, for an agency's own authorization or assessment:

  • CISA BOD 23-01 (hardware asset visibility for federal civilian)
  • NIST SP 800-53 Rev. 5 (the controls map above)
  • NIST SP 800-171 (CUI environments)
  • NIST Cybersecurity Framework
  • NIST SP 800-207 Zero Trust Architecture; CISA Zero Trust Maturity Model 2.0
  • NDAA Section 889(a)(1)(A) and (B); FAR 52.204-24/25/26
  • CMMC 2.0 Level 2 (CM.L2-3.4.1, CM.L2-3.4.2, and adjacent)
  • CIS Critical Security Controls v8
  • NRC cybersecurity requirements, NEI 08-09, NRC RG 5.71 (nuclear sector)
Other procurement vehicles

Routes to contract

  • GSA Multiple Award Schedule (MAS). Path under evaluation; reach out for current status.
  • SEWP V / VI, CIO-SP3, 2GIT. Channel-partner relationships under discussion; we can route a procurement conversation to a reseller on these vehicles.
  • Microsoft Azure Marketplace. Listing is live; agencies that transact through the Marketplace can procure that way directly.
  • ServiceNow Store. Certified application available for agencies that procure adjacent technology through ServiceNow.

Schedule a FedRAMP / authorization briefing

A 30-minute session: we walk the current FedRAMP track, the customer-installed alternative for your agency, and the SSP language your authorization team will need.

Request briefing