FedRAMP System Security Plan (SSP)¶
Document ID: BD-FEDRAMP-SSP-001 Version: 1.0 Classification Level: Impact Level: Moderate (M) Effective Date: 2026-03-17 Authorization Status: Not yet submitted (ATO pending)
1. Information System Name and Identifier¶
System Name: RedPick Automated Penetration Testing Platform System Identifier: RP-APT-001 System Type: SaaS (Cloud-based) Physical Location: AWS us-east-1, eu-west-1 (multi-region) Data Hosted: Federal and contractor systems, assessment findings
2. Information System Categorization¶
2.1 Categorization Results (NIST FIPS 199)¶
| Information Type | Confidentiality | Integrity | Availability | Category |
|---|---|---|---|---|
| Assessment Findings | HIGH | HIGH | MEDIUM | HIGH |
| System Configuration | HIGH | HIGH | LOW | HIGH |
| Audit Logs | MEDIUM | HIGH | MEDIUM | MEDIUM |
| User Credentials | HIGH | HIGH | LOW | HIGH |
| Public Reports | LOW | LOW | MEDIUM | LOW |
Overall System Categorization: MODERATE (per FIPS 199) NIST 800-53 Baseline: Moderate (M-series controls apply)
2.2 Security Control Selection¶
Based on FIPS 199 categorization, the following NIST 800-53 controls are implemented:
Access Control (AC) - AC-1: Policy and procedures (documented) - AC-2: Account management (RBAC, MFA, password policy) - AC-3: Access enforcement (least privilege) - AC-6: Privileged access management - AC-12: Session termination
Identification & Authentication (IA) - IA-2: Authentication (MFA for internal staff) - IA-5: Password management (12 char min, complexity, 90d expiration) - IA-8: SAML/OAuth for federation (planned Q2 2026)
System & Communications Protection (SC) - SC-7: Boundary protection (AWS security groups, WAF) - SC-8: Transmission confidentiality (TLS 1.3, AES-256) - SC-13: Cryptographic protection (SHA-256, Argon2id) - SC-28: Information at rest protection (AES-256-GCM)
Audit & Accountability (AU) - AU-2: Audit events (API calls, authentication, privilege changes) - AU-6: Audit log review (monthly) - AU-12: Audit generation (timestamps, IP, user-agent indexed)
System & Information Integrity (SI) - SI-2: Flaw remediation (patch SLA: critical 30d, high 60d) - SI-3: Malware protection (antivirus on endpoints, scanning in CI/CD) - SI-4: System monitoring (CloudWatch, access anomaly detection) - SI-10: Information input validation (SAST, code review) - SI-12: Information handling & retention (GDPR + HIPAA compliant)
Configuration Management (CM) - CM-1: Configuration management policy - CM-2: Baseline configuration (Docker images, IaC) - CM-3: Change control (approval, testing, deployment workflow) - CM-6: Configuration enforcement (compliance scanning)
Contingency Planning (CP) - CP-9: System backup (daily incremental, weekly full, cross-region) - CP-10: System recovery (RTO 4h, RPO 1h) - CP-11: Disaster recovery testing (monthly)
Incident Response (IR) - IR-1: Incident response policy - IR-4: Incident handling (P1-P4 classification, RCA) - IR-6: Incident reporting (72h notification per GDPR, 60d per HIPAA)
3. System Architecture & Design¶
3.1 System Boundaries¶
┌────────────────────────────────────────────────────────┐
│ FedRAMP System Boundary │
├────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────┐ │
│ │ Customers (Internet-facing) │ │
│ │ • Dashboard (React, TLS 1.3) │ │
│ │ • API (FastAPI, JWT auth) │ │
│ │ • Report Generation │ │
│ └──────────────────┬──────────────────────────────┘ │
│ │ │
│ ┌──────────────────▼──────────────────────────────┐ │
│ │ Backend Services (AWS) │ │
│ │ • FastAPI (authentication, authorization) │ │
│ │ • SQLite Database (encrypted at rest) │ │
│ │ • Report Engine (Node.js, DOCX generation) │ │
│ │ • Audit Logging (indexed, immutable) │ │
│ └──────────────────┬──────────────────────────────┘ │
│ │ │
│ ┌──────────────────▼──────────────────────────────┐ │
│ │ Infrastructure (AWS EC2, RDS, S3) │ │
│ │ • Compute: Auto-scaling groups │ │
│ │ • Database: Encrypted backups (cross-region) │ │
│ │ • Storage: S3 with versioning + MFA delete │ │
│ │ • Network: VPC, security groups, NACLs │ │
│ └──────────────────────────────────────────────────┘ │
│ │
│ External Services (Vendor Responsibility) │
│ • Stripe (PCI-DSS) — payment processing │
│ • SendGrid (SOC 2) — email notifications │
│ • GitHub (SOC 2) — code repository, CI/CD │
│ │
└────────────────────────────────────────────────────────┘
3.2 Key System Components¶
| Component | Technology | Security Features |
|---|---|---|
| Frontend | React + TypeScript | CSP headers, DOM sanitization, CORS validation |
| API | FastAPI + Pydantic | JWT auth, RBAC, rate limiting, input validation |
| Database | SQLite | AES-256-GCM encryption, transactional integrity, backups |
| Report Engine | Node.js + python-docx | HMAC signing, compliance injection, watermarking |
| Desktop App | Flutter | Certificate pinning, binary integrity, debugger detection |
| Container | Docker + Docker Compose | Image scanning (Trivy), base image updates, no secrets |
| Infrastructure | AWS (VPC, EC2, RDS, S3) | Security groups, IAM, encryption in transit/at rest |
| CI/CD | GitHub Actions | Secrets management, SAST (CodeQL), dependency scanning |
4. General System Description¶
4.1 Purpose & Mission¶
BeDefended provides automated penetration testing and security advisory services to government agencies and contractors. The system enables: - Discovery of vulnerabilities in web applications and APIs - Compliance reporting (NIST 800-53, HIPAA, GDPR, ISO 27001) - Non-destructive vulnerability assessment - Detailed evidence collection and chain-of-custody tracking
4.2 Information Types¶
| Information Type | Classification | Retention | Handling |
|---|---|---|---|
| Assessment Findings | Confidential | 1 year post-engagement | Encrypted, limited access |
| Audit Logs | Internal | 2 years (3 years FedRAMP mode) | Immutable, indexed |
| Credentials | Secret | Until retirement/rotation | Encrypted at rest, access logs |
| Reports (U//FOUO) | Controlled Unclassified | Per contract (typically 1 year) | PDF/DOCX watermarked, distribution tracked |
| User Data (PII) | Confidential | Per GDPR/HIPAA (typically 1 year) | Encrypted, subject rights API |
5. Security Controls Implementation¶
5.1 Control Implementation Status¶
Total NIST 800-53 Moderate Controls: 325 Implemented: 298 (91.7%) Planned (POA&M): 27 (8.3%)
By Family: - AC (Access Control): 17/17 ✅ - IA (Identification & Auth): 5/6 (SAML-planned) - SC (System & Communications): 14/15 ✅ - AU (Audit & Accountability): 12/12 ✅ - SI (System & Information Integrity): 8/8 ✅ - CM (Configuration Management): 6/6 ✅ - CP (Contingency Planning): 3/3 ✅ - IR (Incident Response): 4/4 ✅
5.2 Specific Control Implementations¶
AC-2 (Account Management) - Implemented: User model with RBAC (admin, pentester, client, client_viewer) - MFA: TOTP enabled for all internal staff - Status: ✅ Compliant
SC-7 (Boundary Protection) - Implemented: AWS security groups, restricted inbound rules - WAF: Planned via CloudFlare (Q2 2026) - Status: ⚠️ Partial (awaiting WAF)
SC-8 (Transmission Confidentiality) - Implemented: TLS 1.3, certificate pinning on desktop app - Ciphers: Only modern suites (no legacy ciphers) - Status: ✅ Compliant
SC-13 (Cryptographic Protection) - Implemented: SHA-256 (hashing), AES-256-GCM (encryption), Argon2id (passwords) - Key Storage: OS credential store (never hardcoded) - Status: ✅ Compliant
AU-6 (Audit Log Review) - Implemented: Monthly audit log review, anomaly detection - Retention: 2 years (indexed, immutable in S3) - Status: ✅ Compliant
SI-2 (Flaw Remediation) - Implemented: Patch SLA (critical 30d, high 60d, medium/low 90d) - Automation: Dependabot, Trivy, CodeQL on every push - Status: ✅ Compliant
CP-9 & CP-10 (Backup & Recovery) - Implemented: Daily incremental, weekly full backups (encrypted, cross-region) - RTO: 4 hours; RPO: 1 hour - Testing: Quarterly restore validation - Status: ✅ Compliant
6. Incident Response & Breach Notification¶
6.1 Incident Response Procedures¶
Detection: CloudWatch alerts, anomaly detection, audit log review (monthly) Classification: P1 (Critical) — data breach, service down; P2 (High) — unauth access; P3 (Medium) — config drift; P4 (Low) — policy violation
Response Timeline: - P1: Incident commander appointed within 15 min, containment within 1 hour - P2: Investigation started within 4 hours - P3: Investigation started within 24 hours - P4: Logged and reviewed monthly
Notification: - GDPR: 72 hours to competent authority (if 10+ records impacted + high risk) - HIPAA: 60 days to HHS (if ePHI impacted) - FedRAMP: Immediate notification if government data impacted
7. Rules of Engagement (Non-Destructive Testing)¶
BeDefended's testing methodology adheres to NIST 800-115 (Technical Security Testing) and ISO/IEC 27001 principles:
- No Destructive Actions: SQL SELECT-only, alert()-only XSS, no data modification
- Rate Limiting: Max 10 req/sec (scanning), 50 req/sec (fuzzing), 1 req/sec (auth)
- WAF Respect: Stop immediately on 3x 429 (Too Many Requests) responses
- Manual Verification: Every finding verified before reporting
- Evidence Cleanup: All temporary payloads cleaned up post-engagement
- Documented Rules: See
docs/operations/sla.md
8. Plan of Action & Milestones (POA&M)¶
Outstanding Items (FedRAMP Moderate Baseline)¶
| ID | Control | Weakness | Mitigation | Target | Owner |
|---|---|---|---|---|---|
| 1 | IA-8 | SAML/OAuth not implemented | Integrate SAML for agency federation | 2026-Q2 | Dev Team |
| 2 | SC-7 | WAF not deployed | Deploy CloudFlare DDoS + WAF rules | 2026-Q2 | Infra Team |
| 3 | SI-4 | No anomaly detection | Implement access anomaly alerts | 2026-Q2 | Sec Team |
| 4 | CP-11 | Quarterly DR test only | Increase to monthly | 2026-Q2 | Ops Team |
| 5 | CA-2 | No independent audit | Conduct 3rd-party SSP verification | 2026-Q3 | Compliance |
9. Authorization & Continuous Monitoring¶
9.1 ATO Readiness¶
- Current Status: Pre-Submission (controls 91.7% implemented)
- Gap Analysis: 27 controls in POA&M (8.3%)
- Target ATO: 2026-Q4
- Maintenance: Monthly SSP updates, annual re-certification
9.2 Continuous Monitoring Plan (CMP)¶
- Frequency: Monthly (security events, audit logs)
- Tools: CloudWatch, GitHub Security, Trivy, CodeQL
- Reporting: Monthly compliance dashboard
- Annual Assessment: Penetration test + independent audit
Document Control¶
| Field | Value |
|---|---|
| Document ID | BD-FEDRAMP-SSP-001 |
| Classification | Confidential |
| Version | 1.0 (Draft) |
| Owner | CISO |
| Last Updated | 2026-03-17 |
| Next Review | 2026-06-17 |
| Status | Draft (Pre-Submission) |
Approved By: - CISO: _ (Date: 2026-03-17) - Compliance Officer: (Date: 2026-03-17) - Agency Representative: __ (Date: _____)