Federal Compliance Overview
Document ID: PLCY-FED-001
Version: 1.0
Effective Date: December 30, 2025
Last Review: December 30, 2025
Owner: Hop And Haul Team
CONFIDENTIAL
This document is CONFIDENTIAL and for internal use only. Do not distribute outside the organization.
1. Purpose
This document establishes Hop And Haul's approach to achieving FedRAMP Moderate authorization and NIST 800-53 compliance. It provides an overview of the federal compliance program, the gap analysis, and the roadmap for federal readiness.
2. Scope
2.1 Authorization Target
| Attribute | Value |
|---|---|
| Target Authorization | FedRAMP Moderate |
| Baseline Controls | ~325 controls |
| NIST Framework | SP 800-53 Rev 5 |
| FIPS 199 Categorization | Moderate-Moderate-Moderate |
2.2 System Boundary
The Hop And Haul authorization boundary includes:
| Component | Included | Notes |
|---|---|---|
| Hop And Haul API (Swift Vapor) | Yes | Core application |
| RDS PostgreSQL Database | Yes | Primary data store |
| AWS Infrastructure | Inherited | FedRAMP High authorized |
| Cloudflare Zero Trust | Inherited | FedRAMP Moderate authorized |
| Mobile Applications | Yes | iOS/Android clients |
| Admin Portal | Yes | Internal management interface |
2.3 Inherited Controls
Hop And Haul inherits controls from FedRAMP-authorized cloud service providers:
| Provider | Authorization Level | Inherited Control Families |
|---|---|---|
| AWS (GovCloud eligible) | FedRAMP High | PE, PS (partial), CP (partial) |
| Cloudflare | FedRAMP Moderate | SC (partial), AC (partial) |
3. Existing Compliance Foundation
Hop And Haul has established a comprehensive SOC 2 Type II compliance program that provides a strong foundation for FedRAMP authorization.
3.1 SOC 2 Trust Service Criteria Coverage
| TSC Category | Coverage | Primary Documents |
|---|---|---|
| Security (CC1-CC9) | Complete | PLCY-SEC-001, PLCY-ACC-001 |
| Availability (A1) | Complete | PLCY-DRP-001, PLCY-INF-001 |
| Processing Integrity (PI1) | Complete | PLCY-PTV-001, PLCY-AUD-001 |
| Confidentiality (C1) | Complete | PLCY-DAT-001, PLCY-RET-001 |
| Privacy (P1-P8) | Complete | PLCY-CON-001 |
3.2 Regulatory Alignment
| Regulation | Status | Relevance |
|---|---|---|
| 49 CFR 392.80/392.82 | Compliant | DOT texting/phone prohibition |
| 49 CFR 390.6 | Compliant | Coercion prohibition |
| FMCSA HOS | Compliant | Hours of Service |
4. NIST 800-53 Control Family Mapping
4.1 Control Family Coverage Summary
| Family | Name | Controls | Implemented | Planned | Gap |
|---|---|---|---|---|---|
| AC | Access Control | 25 | 18 | 5 | 2 |
| AT | Awareness & Training | 6 | 3 | 3 | 0 |
| AU | Audit & Accountability | 16 | 14 | 2 | 0 |
| CA | Assessment & Authorization | 9 | 4 | 5 | 0 |
| CM | Configuration Management | 11 | 7 | 3 | 1 |
| CP | Contingency Planning | 13 | 10 | 3 | 0 |
| IA | Identification & Authentication | 12 | 9 | 2 | 1 |
| IR | Incident Response | 10 | 8 | 2 | 0 |
| MA | Maintenance | 6 | 3 | 3 | 0 |
| MP | Media Protection | 8 | 5 | 3 | 0 |
| PE | Physical & Environmental | 20 | Inherited | - | - |
| PL | Planning | 9 | 6 | 3 | 0 |
| PM | Program Management | 16 | 10 | 6 | 0 |
| PS | Personnel Security | 9 | Inherited | - | - |
| RA | Risk Assessment | 9 | 7 | 2 | 0 |
| SA | System & Services Acquisition | 22 | 12 | 8 | 2 |
| SC | System & Communications Protection | 41 | 25 | 10 | 6 |
| SI | System & Information Integrity | 23 | 16 | 5 | 2 |
| SR | Supply Chain Risk Management | 12 | 6 | 4 | 2 |
4.2 Overall Readiness
| Metric | Value |
|---|---|
| Total FedRAMP Moderate Controls | ~325 |
| Implemented | ~220 (68%) |
| Planned (Phase 1-3) | ~90 (27%) |
| Gap (Requires New Implementation) | ~15 (5%) |
5. Gap Analysis Summary
5.1 Critical Gaps Requiring Immediate Attention
| Gap ID | Control | Description | Remediation |
|---|---|---|---|
| GAP-01 | SC-13 | FIPS 140-2 validated cryptographic modules | Phase 3: Federal Hardening |
| GAP-02 | IA-2(12) | PIV/CAC authentication support | Phase 3: Federal Hardening |
| GAP-03 | CM-8 | Automated component inventory | Phase 2: Safety Operations |
| GAP-04 | SI-7 | Code signing and integrity verification | Phase 3: Federal Hardening |
| GAP-05 | SA-4 | Formal acquisition security requirements | Phase 2: Safety Operations |
5.2 Enhancements Required
| Enhancement | Current State | Required State | Timeline |
|---|---|---|---|
| Encryption | AES-256-GCM | FIPS 140-2 validated | Phase 3 |
| Authentication | SSO + MFA | SSO + MFA + PIV/CAC | Phase 3 |
| Asset Management | Manual | Automated CMDB | Phase 2 |
| Code Integrity | Code review | Signed builds | Phase 3 |
| Vendor Assessment | Informal | Formal SA-4 process | Phase 2 |
6. Federal Compliance Document Suite
6.1 New Federal Documents
| Document ID | Title | Purpose |
|---|---|---|
| PLCY-FED-001 | Federal Compliance Overview | This document |
| PLCY-FED-002 | SSP-Lite | System Security Plan |
| PLCY-FED-003 | Risk Register (Federal) | High-consequence threat model |
| PLCY-FED-004 | Development Roadmap | Phase 1-3 implementation plan |
| PLCY-FED-005 | Control Mapping Matrix | NIST to SOC 2 crosswalk |
6.2 NIST 800-53 Policy Documents
| Document ID | Title | Control Family |
|---|---|---|
| PLCY-NIST-AC-001 | Access Control Policy | AC |
| PLCY-NIST-AU-001 | Audit & Accountability Policy | AU |
| PLCY-NIST-IR-001 | Incident Response Policy | IR |
| PLCY-NIST-CMSI-001 | Configuration Management & Integrity | CM, SI |
| PLCY-NIST-SA-001 | Vendor Risk Management | SA, SR |
7. Authorization Approach
7.1 Authorization Strategy
Hop And Haul will pursue FedRAMP Moderate authorization through the following approach:
| Phase | Activity | Dependencies |
|---|---|---|
| Preparation | Complete Phase 1-3 development roadmap | Internal |
| Readiness Assessment | 3PAO readiness assessment | 3PAO selection |
| Documentation | Complete SSP and supporting artifacts | Readiness assessment |
| Assessment | 3PAO security assessment | Documentation |
| Authorization | JAB P-ATO or Agency ATO | Assessment completion |
| Continuous Monitoring | Ongoing ConMon program | Authorization |
7.2 Third-Party Assessment Organization (3PAO)
| Requirement | Status |
|---|---|
| 3PAO Selection | Pending |
| Engagement Timeline | After Phase 2 completion |
| Scope Definition | Full system boundary |
8. Continuous Monitoring Strategy
8.1 ConMon Requirements
| Activity | Frequency | Owner |
|---|---|---|
| Vulnerability scanning | Monthly | Security Team |
| POA&M review | Monthly | Security Team |
| Configuration baseline review | Quarterly | Operations |
| Penetration testing | Annual | 3PAO |
| Security control assessment | Annual | 3PAO |
| Significant change assessment | As needed | Security Team |
8.2 Reporting Requirements
| Report | Frequency | Recipient |
|---|---|---|
| Monthly ConMon report | Monthly | FedRAMP PMO |
| Annual security assessment | Annual | FedRAMP PMO |
| Significant change report | As needed | FedRAMP PMO |
| Incident report | As needed | US-CERT, FedRAMP PMO |
9. Related Documents
| Document | Relationship |
|---|---|
| SSP-Lite | System Security Plan |
| Risk Register | Federal risk assessment |
| Control Mapping Matrix | NIST to SOC 2 crosswalk |
| Development Roadmap | Implementation timeline |
| PLCY-SEC-001 | Security controls baseline |
| PLCY-RSK-001 | Risk assessment methodology |
10. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | December 30, 2025 | Hop And Haul Team | Initial release |