Compliance Guide

TAC and FedRAMP

How Total Access Control maps to FedRAMP security controls and supports federal cloud authorization — including deployment guidance for government and contractor environments.

Overview

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide programme that provides a standardised approach to security assessment, authorisation, and continuous monitoring for cloud products and services used by federal agencies.

FedRAMP is based on NIST SP 800-53 security controls and requires independent third-party assessment by an accredited 3PAO (Third Party Assessment Organization). Authorisation levels are Tailored, Low, Moderate, and High — each with progressively more rigorous control requirements.

TAC’s single-tenant, on-premises-capable architecture makes it uniquely suited to federal environments — including classified, controlled, and air-gapped deployments where shared cloud infrastructure is not permitted.

FedRAMP Impact Levels

Tailored / LI-SaaS: Low-impact SaaS with limited controls
Low: Non-sensitive, publicly available data
Moderate: Most federal agency data — CUI, PII
High: Law enforcement, emergency, classified-adjacent

Note: This guide describes how TAC’s technical capabilities support FedRAMP control requirements. FedRAMP authorisation is granted to cloud service providers by a sponsoring federal agency or through the JAB (Joint Authorization Board). PortSys recommends working with an accredited 3PAO and your agency’s ISSO for your specific authorisation path.

Control Mapping

TAC vs. NIST 800-53 / FedRAMP Controls

AC Family — NIST 800-53

Access Control (AC)

FedRAMP Requirement | How TAC Delivers
AC-2 — Account Management | TAC identity federation connects to all agency directory sources (Active Directory, LDAP, SAML, OIDC). User account lifecycle managed centrally with real-time revocation capability.
AC-3 — Access Enforcement | Reverse-proxy architecture enforces access decisions at the application layer. No user reaches a protected resource without passing TAC’s policy evaluation.
AC-4 — Information Flow Enforcement | All traffic flows through a single encrypted channel. TAC controls and logs every information flow between users and protected federal systems.
AC-7 — Unsuccessful Login Attempts | Failed authentication attempts logged with full attribution — identity, device, location, time. Supports configurable lockout policies.
AC-12 — Session Termination | Session timeout policies enforced at the proxy layer. Idle sessions terminated automatically. Policy changes take effect mid-session.
AC-17 — Remote Access | VPN eliminated. All remote access authenticated, device-posture-validated, and policy-governed through a single TLS 1.3 encrypted channel.
AC-20 — Use of External Systems | Continuous device posture validation ensures only compliant, known devices can access federal systems — including from external or contractor networks.

IA Family — NIST 800-53

Identification and Authentication (IA)

FedRAMP Requirement | How TAC Delivers
IA-2 — Identification and Authentication (Org Users) | Every user uniquely identified and authenticated against agency identity sources before any access to federal systems is granted.
IA-2(1) — MFA for Privileged Accounts | MFA mandatory for all privileged access. FIDO2 phishing-resistant authentication available — meeting OMB M-22-09 phishing-resistant MFA requirements.
IA-2(2) — MFA for Non-Privileged Accounts | MFA enforced on all user access regardless of privilege level. 7+ MFA methods included — FIDO2, push, TOTP, OTP, SMS, hardware tokens.
IA-3 — Device Identification | Continuous device posture validation identifies and validates every device on every access request — OS version, patch level, domain join, certificate validity.
IA-5 — Authenticator Management | Multi-directory federation manages authenticators across AD, LDAP, SAML, RADIUS, and OIDC. Credential lifecycle integrated with existing agency identity infrastructure.
IA-8 — Identification and Authentication (Non-Org Users) | Contractor and partner access governed by the same policy engine as agency users. No separate access path — no governance gaps.

AU Family — NIST 800-53

Audit and Accountability (AU)

FedRAMP Requirement | How TAC Delivers
AU-2 — Event Logging | Every access event logged — successful and failed — with full attribution: user identity, device, location, application, policy decision, timestamp.
AU-3 — Content of Audit Records | Forensic-grade audit records include: who, what, when, where, which device, which application, and what policy outcome. Complete attribution chain.
AU-6 — Audit Record Review | Centralised audit logs support SIEM integration for automated review, correlation, and alerting of anomalous access patterns.
AU-9 — Protection of Audit Information | TAC audit logs stored separately from application data. Tamper-evident logging with full identity attribution for all access events.
AU-12 — Audit Record Generation | TAC generates audit records for all access attempts to all protected federal systems — human users and AI agents — without exception.

SC Family — NIST 800-53

System and Communications Protection (SC)

FedRAMP Requirement | How TAC Delivers
SC-5 — Denial of Service Protection | Applications are never directly exposed to the internet. TAC reverse proxy absorbs and filters all inbound traffic before it reaches protected systems.
SC-7 — Boundary Protection | Single encrypted port architecture closes all inbound firewall ports except one TLS 1.3 channel. Network boundary is clearly defined and minimised.
SC-8 — Transmission Confidentiality | All traffic encrypted via TLS 1.3. No unencrypted transmission paths to any protected federal application or resource.
SC-28 — Protection of Information at Rest | Single-tenant SVA architecture ensures federal data is never co-mingled with other organisations’ data. Dedicated infrastructure per agency deployment.

CM Family — NIST 800-53

Configuration Management (CM)

FedRAMP Requirement | How TAC Delivers
CM-6 — Configuration Settings | TAC device posture validation enforces approved configuration baselines on every access request — OS patches, antivirus, disk encryption, firewall status.
CM-7 — Least Functionality | Reverse proxy architecture ensures applications only expose the functionality accessible through TAC’s policy engine. No direct application access possible.
CM-8 — System Component Inventory | TAC governs access to the complete application inventory — every system that requires access control is proxied through TAC’s unified policy engine.

Deployment

TAC Deployment Options for Federal Environments

TAC’s single-tenant architecture supports every federal deployment scenario — from on-premises classified environments to FedRAMP-authorised cloud.

Option 1: On-Premises / Air-Gapped

Deploy TAC SVA within agency data centres on VMware, Hyper-V, or bare metal. No external dependencies. Full air-gap capability for classified or sensitive compartmented environments.

Classified, SCIF, JWICS, SIPRNet environments

Option 2: FedRAMP-Authorised Cloud

Deploy TAC SVA in AWS GovCloud, Azure Government, or other FedRAMP-authorised IaaS as a dedicated VM in the agency’s own cloud tenancy. TAC operates within the agency’s existing authorisation boundary — the agency or sponsor authorises TAC as part of their system, leveraging the underlying IaaS FedRAMP authorisation.

Civilian agencies, moderate/high impact workloads

Option 3: GovCloud Hybrid

TAC Global Array spans on-premises and cloud SVAs — governing access to both on-prem legacy systems and cloud-hosted applications from a single policy engine and admin console.

Hybrid agencies migrating to cloud, DoD Components

Option 4: Contractor / Integrator Deployment

Prime contractors and system integrators can deploy TAC to protect federal systems under their management — supporting CMMC, DFARS, and FedRAMP control requirements simultaneously.

DoD contractors, CMMC Level 2/3 environments

Key Advantages

Why TAC for Federal Environments

1. Single-Tenant by Design

Every TAC deployment is a dedicated, isolated Secure Virtual Appliance. There is no shared infrastructure across agencies or customers. FedRAMP assessors and agency ISSOs can verify data isolation directly — it is architectural, not contractual.

2. Phishing-Resistant MFA

TAC includes FIDO2/WebAuthn authentication — satisfying OMB M-22-09 requirements for phishing-resistant MFA for federal employees and contractors. No additional identity provider purchase required.

3. Legacy Federal System Support

Federal agencies operate some of the oldest application portfolios in existence. TAC injects MFA, device posture, and continuous validation into legacy mainframe systems, thick-client apps, and forms-based logins without any code changes.

Summary

FedRAMP Control Coverage

Control Family | Coverage | Key TAC Capability
AC — Access Control | Comprehensive | Reverse proxy, least privilege, MFA, session control, remote access
IA — Identification & Auth | Comprehensive | FIDO2, multi-directory federation, device identification, IA-2(1)/(2)
AU — Audit & Accountability | Comprehensive | Forensic audit trail, SIEM integration, tamper-evident logging
SC — System & Comms Protection | Comprehensive | TLS 1.3, single encrypted port, boundary protection, data isolation
CM — Configuration Management | Strong | Device posture enforcement, configuration baseline validation
SI — System & Info Integrity | Addressed | Continuous device posture, real-time revocation, anomaly logging
RA — Risk Assessment | Addressed | Attack surface reduction, port closure, stealth infrastructure

Pursuing FedRAMP Authorisation?

Our team has deep experience with federal deployments across civilian agencies, DoD components, and contractors. We can walk through your specific authorisation path and control requirements.
