CMx Federal

CloudCheckr has launched CMx Federal—designed for any organization that must adhere to federal IT security standards.

CMx Federal is inspired by:

  • the Federal Information Security Management Act (FISMA)—a US law signed into legislation in 2002 that outlines a framework to protect government information, operations, and assets from natural or man-made threats
  • the Federal Risk and Authorization Management Program (FedRAMP)—a US government program that provides standards on security assessment, authorization, and monitoring of cloud-based resources


The table identifies some of the key features in this product:




  • Secured by more than 300 NIST 800-53 controls
  • Artificial Intelligence (AI) threat detection analysis
  • Scanned daily for vulnerabilities
  • Access to Security Assessment Report (SAR) annually

Uptime and Availability

  • Active-Active data center deployment
  • 15-minute Recovery Time Objective (RTO): maximum time to restore functionality in the event of sudden loss of service
  • 99.9% Uptime Service-Level Agreement (SLA)

Managed by Approved Staff

  • Background checks for all CloudCheckr staff

Frequent Software Updates

  • Same software version as commercial SaaS
  • Enabled by CloudCheckr's modern deployment and audit pipeline

Corporate Compliance Friendly

  • Easier customer stakeholder approval via Compliance as a Code

Fast Purchase Approval

  • Provides InfoSec teams with highly detailed and stringent compliance data to expedite the procurement process

NIST 800-53 Controls

NIST 800-53 corresponds to the special publication and database of the same name, which is created and maintained by the National Institute of Standards and Technology (NIST), a division of the US Department of Commerce.

NIST 800-53 Controls represent the security controls and associated assessment procedures defined in NIST SP 800-53 (Revision 4) Recommended Security Controls for Federal Information Systems and Organizations.

Control Families

CMx Federal includes the following control families, which support the development of secure and resilient federal information systems:

  • Access Control (AC)
  • Audit and Accountability (AU)
  • Awareness and Training (AT)
  • Configuration Management (CM)
  • Contingency Planning (CP)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical and Environmental Protection (PE)
  • Planning (PL)
  • Risk Assessment (RA)
  • Security Assessment and Authorization (CA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)
  • System and Services Acquisition (SA)
  • Multi-Factor Authentication (MFA) access requirement
  • High availability and contingency planning
  • Minimum of three data and system backups
  • Encryption validated by the US government computer security standard, Federal Information Processing Standard (FIPS) Publication 140-2
  • Encryption of all data at rest an in transit
  • Regular assessment by a third-party assessment organization to ensure NIST 80053 compliance—including monthly reviews of Threat and Vulnerability Management
  • Domain Name System Security Extensions (DNSSEC) support
  • Infrastructure that meets and adheres to NIST 80-53 controls
  • Additional security monitoring including intrusion detection, file integrity, and AI-based threat detections

How did we do?