Which FedRAMP Controls Can You Actually Automate? A Realistic Breakdown of All 323

Only 87 of 323 FedRAMP Moderate controls are fully automatable. Learn how to categorize controls by automation potential and build a realistic evidence strategy. 


Most compliance platforms claim they automate "100% of FedRAMP controls." That claim does not survive contact with the NIST SP 800-53 Rev. 5 control catalog. Some controls, like PE-6 (Physical Access Monitoring), require a human to walk a facility and sign an attestation. No API call replaces that.

The FedRAMP Moderate baseline contains 323 controls as of the Rev. 5 update released May 30, 2023. FedRAMP's authorization data shows that Moderate baseline authorizations represent the majority of active ATOs (approximately 80% of the portfolio), making Moderate control automation a high-leverage compliance investment. If you are a SaaS company selling to federal agencies, this is your baseline.

Here is how those 323 controls actually break down by automation potential, what "evidence" means in NIST's definition, and how to build a realistic timeline for control satisfaction.

Three Categories of Control Automation

Not every control responds to the same approach. Mycroft's control categorization framework (based on evidence type and automation potential) sorts controls into three categories according to how much of their evidence a platform can produce without a person. Understanding these categories helps you allocate resources realistically.


| Category | Description | Count | % of Baseline | Example Controls |
| --- | --- | --- | --- | --- |
| A: Fully Automatable | Evidence is technical and log-based. A platform can collect, validate, and export proof without human input. | 87 | 27% | CA-7, SI-4, SI-5, AU-2, AU-12 |
| B: Hybrid (70-80% Automatable) | Evidence combines technical telemetry with a human review step, like an attestation or sign-off. | 118 | 36% | AC-2, SC-7, RA-5, CM-3 |
| C: Human Attestation Required | Evidence is policy-based, governance-based, or physical. A platform can track deadlines and store proof, but a person must produce it. | 118 | 37% | PE-3, PE-6, AT-3, CP-1, PL-1 |

The 27% that are fully automatable represents the honest ceiling for controls requiring only technical log evidence. Any vendor claiming higher automation rates is either redefining "automation" or counting workflow reminders as control satisfaction.

Category A: The 87 Fully Automatable Controls

Category A controls are technical. They require log data, scan results, alert records, or configuration snapshots. A platform with the right integrations can collect this evidence continuously.

Take CA-7 (Continuous Monitoring). NIST requires a system-level continuous monitoring strategy with logged results. To satisfy CA-7, you need scan logs, alert records, and metrics, all fed from SIEM integration and vulnerability management tools. Raw vulnerability scans alone do not satisfy CA-7; the evidence must be contextualized with alert correlation and trend data.

Similarly, SI-4 (System Monitoring) requires security alerts sent to security personnel. That means SIEM integration is not optional. SI-5 (Security Alerts and Advisories) requires documented receipt and response to advisories from sources like CISA.

What a Platform Must Provide for Category A

  • Real-time log ingestion from cloud infrastructure (AWS, Azure, GCP)
  • Alert correlation across vulnerability scanners, endpoint tools, and identity providers
  • Machine-readable evidence export (more on this below)
  • Continuous validation, not point-in-time snapshots

Mycroft's internal analysis shows 58 Category A controls (fully automatable via log-based evidence) in typical implementations, while competing platforms typically target 30-40 controls in this automation tier based on published feature comparisons. The difference comes from deeper integrations: pulling not just scan results, but contextualized evidence packages that tie logs to specific control requirements.

Category B: 118 Controls at 70-80% Automation

Category B is where platforms differentiate. These controls require technical evidence plus a human decision.

Consider AC-2 (Account Management). A platform can pull identity provider logs, verify MFA enforcement via scanning, and flag accounts with excessive privileges. But NIST also requires periodic account review sign-offs. Someone must review the list and attest that every active account is still needed.

How a Good Hybrid Workflow Handles AC-2

  1. Platform scans identity provider and detects 3 accounts with MFA disabled
  2. Ticket is created automatically with account details and remediation steps
  3. Compliance officer reviews, approves remediation, and signs the attestation
  4. Control evidence is logged: scan results + attestation + timestamp

The same pattern applies to SC-7 (Boundary Protection), where firewall rules can be scanned but network architecture decisions need human review, and RA-5 (Vulnerability Scanning), where scan execution is automated but risk acceptance decisions are not.
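The four-step AC-2 workflow above, as an added example in Python (not code from the page or from Mycroft's platform). The identity-provider export shape and the ticket format are assumptions; the point is that the control is only marked satisfied once the human attestation exists alongside the scan results.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of what an identity-provider export might look like (not a real IdP API).
IDP_ACCOUNTS = [
    {"user": "alice", "mfa_enabled": True},
    {"user": "bob", "mfa_enabled": False},
    {"user": "carol", "mfa_enabled": False},
    {"user": "dave", "mfa_enabled": False},
]

@dataclass
class Evidence:
    """One AC-2 evidence record: automated scan results plus, later, the human attestation."""
    control: str
    findings: list
    ticket: Optional[str] = None
    attestation: Optional[dict] = None

def scan_mfa(accounts: list) -> Evidence:
    """Step 1 (automated): flag every account with MFA disabled."""
    findings = sorted(a["user"] for a in accounts if not a["mfa_enabled"])
    return Evidence(control="AC-2", findings=findings)

def open_ticket(ev: Evidence, ticket_id: str = "TICKET-1") -> Evidence:
    """Step 2 (automated): a ticket carrying the account details and the remediation step."""
    ev.ticket = f"{ticket_id}: enable MFA for {', '.join(ev.findings)}"
    return ev

def attest(ev: Evidence, signer: str, approved: bool) -> Evidence:
    """Step 3 (human): the compliance officer reviews and signs; the platform only records it."""
    ev.attestation = {"signer": signer, "approved": approved,
                      "signed_at": datetime.now(timezone.utc).isoformat()}
    return ev

def is_satisfied(ev: Evidence) -> bool:
    """AC-2 counts as satisfied only when the scan, the ticket and an approving attestation all exist."""
    return ev.ticket is not None and ev.attestation is not None and bool(ev.attestation["approved"])

def evidence_package(ev: Evidence) -> dict:
    """Step 4: the record that gets logged, scan results + attestation + timestamp."""
    return {"control": ev.control, "scan_findings": ev.findings, "ticket": ev.ticket,
            "attestation": ev.attestation, "satisfied": is_satisfied(ev)}
```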

Across Category A and Category B combined, Mycroft supports automation capabilities for approximately 145 controls (87 fully automated plus partial automation scenarios for Category B controls), addressing roughly 45% of the 323 baseline with varying automation depths. The platform automates evidence collection, creates review workflows, and logs the human attestation when it happens. What it does not do is fake the human step. If you are evaluating platforms, this is the category to pressure-test. Ask vendors exactly which controls still require your sign-off, and avoid shortcuts that create security debt.

Category C: 118 Controls That Need a Person

Some controls cannot be automated because their evidence is physical, procedural, or judgmental.

PE-3 (Physical Access Control) and PE-6 (Physical Access Monitoring) require site-visit attestations. If your infrastructure runs on AWS or Azure, you may be able to mark these as inherited from your cloud provider, but you still need documentation of the inheritance.

AT-3 (Role-Based Security Training) requires attendance records and completion evidence for security training programs.

CP-1 (Contingency Planning Policy) requires a written, reviewed, and approved policy document.

A platform cannot produce these artifacts. What it can do is automate the attestation workflow (reminders, deadlines, approval chains), store evidence with full audit trails, and track who attested, when, and with what supporting documents. This approach focuses on audit trail automation; every attestation captures the signer, the date, the linked evidence, and the control it satisfies. When your 3PAO (Third-Party Assessment Organization) reviews the package, they see a clean chain of custody instead of a folder of screenshots.

Why Machine-Readable Evidence Changes the Math

FedRAMP's RFC-0024 (published January 2026 per FedRAMP's official RFC repository) signals a hard shift toward machine-readable authorization packages. The deadlines are concrete:

  • April 15, 2026 (planned): FedRAMP is scheduled to publish final requirements for machine-readable evidence materials, pending any RFC-0024 implementation adjustments.
  • September 30, 2026: Machine-readable packages become mandatory for new authorizations
  • September 30, 2027: Non-compliant services lose FedRAMP Certification

OSCAL (Open Security Controls Assessment Language), developed by NIST, is the leading format. It represents control implementations, assessment results, and system security plans in JSON, XML, or YAML. The RFC-0024 documentation notes that as of 2025, FedRAMP had not received any OSCAL-formatted submissions in the standard 2025 authorization cycle, underscoring the industry's transition timeline.

That gap is closing fast. Machine-readable evidence can accelerate 3PAO review processes by reducing document parsing time and enabling automated validation checks. Firms like Schellman have documented efficiency improvements in assessment workflows when evidence arrives in structured formats. Organizations that export OSCAL-formatted evidence now are building a structural advantage before the September 2026 deadline.

According to Mycroft's product team, the platform includes built-in support for RFC-0024 machine-readable evidence export. When a 3PAO can parse your CA-7 evidence programmatically instead of reading a 40-page Word document, reviews compress from weeks to days.
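What a machine-readable CA-7 evidence export can look like, as an added example in Python (not Mycroft's export code). The field names follow NIST's OSCAL assessment-results model as assumed here (validate against the published OSCAL JSON schema before submitting); the evidence hrefs and the assessment-plan link are constructed placeholders. The check function shows the kind of validation a 3PAO can run programmatically instead of reading a document.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed evidence references; a real export would point at stored scan logs and alert records.
SAMPLE_EVIDENCE = [
    ("file:///evidence/ca-7/vuln-scan.json", "Authenticated vulnerability scan results"),
    ("file:///evidence/ca-7/siem-alerts.csv", "SIEM alert records correlated to the scan findings"),
]

def now_iso() -> str:
    return datetime.now(timezone.utc).isoformat()

def build_ca7_results(evidence: list, satisfied: bool) -> dict:
    """Minimal assessment-results document for CA-7 (field names follow OSCAL 1.1 as assumed here)."""
    obs_uuid = str(uuid.uuid4())
    observation = {"uuid": obs_uuid, "methods": ["TEST"], "collected": now_iso(),
                   "description": "Scan results and correlated alerts from continuous monitoring",
                   "relevant-evidence": [{"href": h, "description": d} for h, d in evidence]}
    finding = {"uuid": str(uuid.uuid4()), "title": "CA-7 continuous monitoring",
               "description": "Scan logs, alert records and trend metrics reviewed together",
               "target": {"type": "objective-id", "target-id": "ca-7_obj",
                          "status": {"state": "satisfied" if satisfied else "not-satisfied"}},
               "related-observations": [{"observation-uuid": obs_uuid}]}
    return {"assessment-results": {
        "uuid": str(uuid.uuid4()), "import-ap": {"href": "assessment-plan.json"},  # placeholder AP link
        "metadata": {"title": "CA-7 evidence export", "last-modified": now_iso(),
                     "version": "1.0", "oscal-version": "1.1.2"},
        "results": [{"uuid": str(uuid.uuid4()), "title": "Continuous monitoring cycle",
                     "description": "Automated CA-7 evidence collection", "start": now_iso(),
                     "reviewed-controls": {"control-selections": [
                         {"include-controls": [{"control-id": "ca-7"}]}]},
                     "observations": [observation], "findings": [finding]}]}}

def check_package(doc: dict) -> list:
    """Pre-submission check: every finding must point at an observation that carries evidence."""
    problems = []
    for result in doc["assessment-results"]["results"]:
        observations = {o["uuid"]: o for o in result.get("observations", [])}
        for finding in result.get("findings", []):
            for ref in finding.get("related-observations", []):
                obs = observations.get(ref["observation-uuid"])
                if obs is None:
                    problems.append(f"{finding['title']}: dangling observation reference")
                elif not obs.get("relevant-evidence"):
                    problems.append(f"{finding['title']}: observation has no evidence attached")
    return problems

def to_json(doc: dict) -> str:
    return json.dumps(doc, indent=2)
```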

Control Selection: Not All 323 Apply to You

A typical cloud-native SaaS company does not implement all 323 controls directly. Some controls shift to your cloud provider under the shared responsibility model.

If your system runs entirely on AWS, Azure, or GCP, physical security controls (PE family) are generally inherited from the cloud provider. You document the inheritance and provide the provider's FedRAMP authorization as evidence. A typical SaaS applying the Moderate baseline can mark roughly 10-15 controls as inherited or not applicable, depending on architecture.

The Decision Tree Is Straightforward

  • Cloud-hosted infrastructure? Physical security (PE) controls are likely provider-inherited
  • No on-premise data centers? Facility controls shift to your landlord or cloud provider
  • Using a FedRAMP-authorized IaaS? Inherit their controls and document the boundary

Getting this scoping right early reduces your control surface and focuses effort on the controls you actually own.

Your Automation Maturity Roadmap

Automation does not happen on day one. Here is a realistic timeline based on what we see across customer implementations:


| Phase | Timeline | Expected Automation | Focus |
| --- | --- | --- | --- |
| Foundation | Months 1-4 | 40-50% of controls | Deploy integrations, automate Category A evidence, establish attestation workflows |
| Expansion | Months 5-10 | 65-75% of controls | Mature hybrid workflows, close Category B gaps, begin OSCAL evidence export |
| Optimization | Months 11-18 | 80%+ of controls | Full SIEM correlation, continuous monitoring, machine-readable packages for 3PAO |


A customer scenario illustrates the difference: an organization that started with Category A controls fully integrated from day one reached roughly 45% automation across 145 combined Category A and B controls by month four. This focused approach meant building on a solid technical foundation before layering complex hybrid workflows on top.

The FedRAMP 20x Acceleration

The FedRAMP 20x program is accelerating these timelines. Phase 1 of the pilot delivered Low authorizations in weeks instead of months. Phase 2, running through March 2026, targets Moderate authorizations with roughly 10 pilot participants. Wide-scale adoption of the 20x process is expected in Q3-Q4 2026.

The traditional FedRAMP authorization process averages 12-18 months. FedRAMP reported in July 2025 that it authorized 114 cloud services in six months, more than double the entire fiscal year 2024 count of 49. The bottleneck is shifting from government review speed to how quickly CSPs can produce clean evidence packages.

To prepare your team for audit readiness, start building your evidence pipeline now.

Start With Honest Automation, Not Inflated Claims

The path to FedRAMP authorization gets faster when you stop pretending all 323 controls can be solved by a scanner. Automate what can be automated (Category A). Build workflows for what needs a human touch (Category B). Track and store attestations for everything else (Category C). Export it all in machine-readable format before the September 2026 deadline.

FAQs

Which FedRAMP Controls Are Truly Automatable?

Of the 323 Moderate baseline controls, about 87 (27%) are fully automatable with technical evidence like logs, scans, and configuration data. Another 118 (36%) are partially automatable with hybrid workflows. The remaining 118 (37%) require human attestation or policy documentation.

What Is OSCAL and Why Does It Matter for FedRAMP?

OSCAL (Open Security Controls Assessment Language) is a NIST-developed format for representing security controls in machine-readable JSON, XML, or YAML. FedRAMP's RFC-0024 mandates machine-readable authorization packages by September 30, 2026, making OSCAL adoption a near-term priority for any CSP pursuing authorization.

How Long Does FedRAMP Authorization Take?

The traditional process averages 12-18 months. The FedRAMP 20x program aims to reduce this significantly. Phase 1 pilot authorizations were completed in weeks. Your timeline depends heavily on evidence readiness; organizations with automated evidence collection and machine-readable export consistently move faster through 3PAO assessments.

Can Cloud-Native SaaS Companies Reduce Their FedRAMP Control Count?

Yes. Controls in the PE (Physical and Environmental Protection) family can typically be inherited from a FedRAMP-authorized cloud provider like AWS, Azure, or GCP. A typical cloud-only SaaS can mark roughly 10-15 controls as inherited or not applicable, depending on their system architecture and shared responsibility boundaries.

Build your FedRAMP evidence pipeline with Mycroft

Mycroft automates evidence collection across all 323 Moderate baseline controls, from continuous log ingestion for Category A to structured attestation workflows for Category C. The platform integrates with 250+ tools, cross-maps controls across SOC 2, ISO 27001, HIPAA, and FedRAMP, and exports machine-readable OSCAL packages so your 3PAO review takes days instead of weeks.

Stop stitching together scanners, spreadsheets, and reminder emails. Book a demo to see how Mycroft handles FedRAMP control automation end to end.