Managed FedRAMP Hosting Services

Managed FedRAMP Hosting

Managed FedRAMP Hosting for Third-Party Applications

Oxcyon provides managed FedRAMP hosting services for third-party applications, combining secure federal cloud infrastructure, compliance-focused operations, continuous monitoring, and resilient high availability and disaster recovery support.

Coverage Levels: FedRAMP Moderate-aligned hosting, plus public, private, and hybrid deployment coverage.

Operational Scope: Security operations, monitoring, backup, patching, vulnerability management, and compliance support.

Proposal Readiness: Architecture, usage, support, compliance, migration, and HA/DR details drive accurate estimates.

Levels of Coverage

Compliance Level

FedRAMP Moderate

Suitable for many federal and public-sector workloads that require serious protection around confidentiality, integrity, and availability.

Deployment Models

Public, Private, and Hybrid

Workloads can be designed around public-cloud, private-cloud, or hybrid patterns depending on security, connectivity, and integration needs.

Service Overlay

Managed Security and Compliance Operations

Operational services can wrap the environment with monitoring, backup, patching, logging, vulnerability management, recovery support, and compliance-oriented controls.

Managed Hosting Services

Platform and Infrastructure Management

  • Provisioning of the hosted environment
  • Network and segmentation setup
  • Compute, storage, and core platform administration
  • Capacity planning and resource optimization
  • Environment lifecycle management

Security Operations

  • Centralized logging and audit support
  • Alerting, monitoring, and incident triage
  • Vulnerability scanning and remediation coordination
  • Patch orchestration and maintenance windows
  • Privileged access controls and MFA alignment

Compliance Support

  • Control inheritance mapping support
  • Evidence collection support
  • Operational process alignment for audits
  • Change-management discipline
  • POA&M and risk-tracking support

Application Hosting Support

  • Hosting of third-party application stacks
  • Support for multi-tier application architecture
  • Database and storage hosting patterns
  • Secure connectivity to external systems
  • Support for production and non-production environments

Security and Compliance Facets

Identity and Access

  • MFA and privileged access controls
  • Least privilege and role separation
  • Account lifecycle and periodic review

Logging and Monitoring

  • Centralized log collection
  • Alerting and response workflows
  • Audit trail and operational visibility

System Hardening

  • Secure baselines and controlled configurations
  • Patch management and maintenance discipline
  • Vulnerability management processes

Continuity and Recovery

  • Backups and restore procedures
  • Alternate processing and storage strategies
  • Recovery testing and contingency planning

Application Hosting Scope for Third-Party Solutions

Common In-Scope Elements

  • Web applications and portals
  • API services and integration tiers
  • Databases and data services
  • File transfer and secure document exchange
  • Background services and scheduled jobs

Typical Hosting Responsibilities

  • Secure environment deployment
  • Operational monitoring and incident support
  • Backup and restore support
  • Patching and maintenance coordination
  • Access, logging, and change-control administration

Customer and Vendor Coordination Areas

  • Application ownership and release process
  • Integration dependencies and external endpoints
  • Security testing coordination
  • Data-retention and records expectations
  • Performance and uptime requirements

Boundary Considerations

The hosting provider may manage much of the environment, but the application owner or vendor often still owns key application-layer controls, secure development practices, business rules, and certain audit artifacts.

High Availability and Disaster Recovery

High Availability

  • Redundant infrastructure components
  • Multi-zone or equivalent availability design
  • Load balancing and failover paths
  • Redundant storage and continuity measures
  • Monitoring-driven operational escalation

Disaster Recovery

  • Backup strategy with tested recovery procedures
  • Alternate storage and alternate processing strategy
  • Replication or data copy model appropriate to the workload
  • Documented RTO and RPO targets
  • Runbooks for failover and failback

Security Parity in DR

The recovery environment cannot be a weaker copy of production. It must maintain aligned access controls, logging, encryption, patch processes, and monitoring coverage.

Operational Model and Ongoing Support

Daily and Ongoing

  • Monitoring and alert review
  • Ticket and incident handling
  • Access administration
  • Backup monitoring
  • Routine health checks

Scheduled and Periodic

  • Patching and maintenance windows
  • Vulnerability remediation cycles
  • Access reviews and control checks
  • Capacity reviews
  • Recovery testing exercises

Compliance-Oriented Support

  • Evidence support for reviews
  • Operational records and audit support
  • Change-management documentation
  • Issue tracking and risk follow-up
  • Stakeholder coordination

What Drives the Final Architecture

Technical Drivers

  • Application tiers and component count
  • Database type, size, and performance profile
  • Storage volume and retention duration
  • User concurrency and traffic patterns
  • External integrations and network complexity

Compliance and Support Drivers

  • Required uptime and recovery commitments
  • Security monitoring depth
  • Severity-based support model
  • Audit and evidence expectations
  • Migration and vendor coordination effort

Cost Estimates

Application and Business Context

  • What is the application and what core function does it support?
  • Who owns the application: customer, vendor, or shared ownership?
  • Is this a new deployment, migration, or modernization effort?
  • Which environments are needed: dev, test, staging, production, training, DR?
  • What go-live timeline is being targeted?

Compliance and Security Expectations

  • Is FedRAMP Moderate the target baseline?
  • Are there agency-specific overlays or contract requirements?
  • Will Oxcyon support audit evidence or control mapping?
  • What logging, retention, and monitoring expectations exist?
  • Are there specific MFA or privileged-admin requirements?

Architecture and Infrastructure

  • How many application tiers are there?
  • What operating systems, middleware, databases, or runtimes are required?
  • What are the CPU, memory, storage, and IOPS expectations?
  • Are there autoscaling or burst requirements?
  • Are there special network, firewall, VPN, or peering needs?

Usage and Performance

  • How many internal users, external users, and admins will the system have?
  • What is the expected daily and peak transaction volume?
  • Are there seasonal spikes or event-driven surges?
  • What are the response-time expectations?
  • What is the projected storage growth?

Application Operations

  • Who handles application deployments and release management?
  • Who owns application patching versus infrastructure patching?
  • What maintenance windows are acceptable?
  • Is 24x7 support required?
  • What severity-based response expectations exist?

Backup, HA, and DR

  • What backup retention is required?
  • What RTO and RPO targets are required?
  • Is a warm standby acceptable?
  • How often should failover testing occur?
  • Are there archive-retention obligations affecting storage design?

Integration and Connectivity

  • What external systems, APIs, or identity providers must connect?
  • Are there existing VPNs or secure network paths to preserve?
  • Will data move between regulated and non-regulated zones?
  • Are there batch windows or dependency windows?
  • Are there vendor-managed endpoints or support dependencies?

Migration and Onboarding

  • Is data migration included, and how much data must be moved?
  • Is application refactoring required?
  • Will cutover require phased rollout or big-bang migration?
  • Who is responsible for validation and UAT?
  • Are there fixed deadlines tied to contract or audit milestones?

Commercial and Contractual Inputs

  • What contract term is desired?
  • Is pricing expected as fixed monthly, usage-based, or hybrid?
  • Should onboarding and migration be separated from recurring operations?
  • Are there subcontractor or invoice-structure requirements?
  • Is there a target budget range or ceiling?

Governance and Stakeholders

  • Who are the technical, security, procurement, and operational decision-makers?
  • Who approves changes and emergency actions?
  • Who receives compliance and operational reports?
  • Will there be recurring governance meetings?
  • What is the handoff model between Oxcyon and the application owner?

Schedule a Demo!

Our team will set up a live, High Fidelity Prototype of your project to prove our capabilities (including ingesting some of your sample data) at no cost.