Recipe: FedRAMP readiness checklist
A step-by-step guide to preparing your Meridian deployment for FedRAMP authorization. Covers boundary definition, control mapping, and evidence collection.
1. Define system boundary
Document every Meridian component: loader, payload, dashboard, CDN, KV store, Discord bot. Identify data flows between each. Mark external dependencies (Vercel, Upstash, KeyAuth, SellAuth) as inherited controls.
2. Map NIST 800-53 controls
Cross-reference your boundary against the FedRAMP Moderate baseline. Focus on AC (access control), AU (audit and accountability), IA (identification and authentication), SC (system and communications protection). Meridian's Ed25519 signing and HMAC offline caches satisfy SC-8 and SC-28.
3. Collect evidence artifacts
- Authenticode signatures on all shipped binaries
- Vercel deployment logs with immutable SHAs
- Upstash KV encryption-at-rest attestation
- KeyAuth audit trail exports
- Self-hash integrity check source code
4. Prepare SSP appendices
Draft the System Security Plan appendix covering Meridian-specific controls. Include your anti-tamper architecture, hardware fingerprinting rationale, and ETW consumer design. Reference Meridian's circuit breaker and offline grace cache as continuity measures.
5. Engage a 3PAO
Select a FedRAMP-accredited Third Party Assessment Organization. Provide them with your boundary diagram, control mapping, and evidence package. Schedule a pre-assessment walkthrough of the Meridian loader's self-verification chain.
This recipe assumes Meridian Enterprise tier with dedicated tenant infrastructure. Contact support for GovCloud deployment options.