Security & Compliance

Evidence You Can Hand to a 3PAO.

FedRAMP programs fail in the cracks between code, images, and documentation. We build the image layer and ship the evidence artifacts that close findings: signatures, SBOMs, provenance, and crypto module references.

Principles

What We Ship With Every Release

We compete on evidence and operational rigor. Deliverables and timelines are defined per tier in the contract.

Signatures (cosign)

Images are signed and verifiable using Sigstore identity policies.


SBOM (CycloneDX)

SBOMs are generated per release and published alongside the artifact.


Provenance (SLSA)

Provenance attestations support source-to-artifact traceability and auditability.
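
The SBOM and provenance artifacts above are only useful as evidence if they agree with each other and with the image actually deployed. The following is an added example (not FLAMED's tooling) of the kind of consistency check an assessor can reproduce offline; the SBOM, provenance statement, image digest, builder id and repository URL are constructed placeholders.

```python
"""Consistency check over an evidence pack: the CycloneDX SBOM, the SLSA provenance
statement and the deployed image digest must all name the same artifact."""
import json
# Constructed sample evidence: placeholder digest, hypothetical image, repo and builder.
IMAGE_DIGEST = "sha256:" + "ab" * 32
BUILDER_ID = "https://builder.example/ci-pipeline@v1"
SOURCE_REPO = "git+https://git.example/org/app"
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": "registry.example/app",
                               "version": "1.4.2",
                               "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]}},
})
PROVENANCE_JSON = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "registry.example/app", "digest": {"sha256": "ab" * 32}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"resolvedDependencies": [
            {"uri": SOURCE_REPO + "@refs/tags/v1.4.2", "digest": {"gitCommit": "c" * 40}}]},
        "runDetails": {"builder": {"id": BUILDER_ID}},
    },
})

def check_evidence(image_digest, sbom_json, prov_json, allowed_builders, source_repo):
    """Return a list of findings; an empty list means the pack is internally consistent."""
    findings = []
    algo, _, hexdigest = image_digest.partition(":")
    sbom, prov = json.loads(sbom_json), json.loads(prov_json)
    # 1. The SBOM's metadata.component hash must equal the image digest.
    hashes = {h["alg"].replace("-", "").lower(): h["content"].lower()
              for h in sbom.get("metadata", {}).get("component", {}).get("hashes", [])}
    if hashes.get(algo) != hexdigest:
        findings.append("sbom: component hash does not match the image digest")
    # 2. The provenance must be a SLSA v1 statement whose subject is this image.
    if prov.get("predicateType") != "https://slsa.dev/provenance/v1":
        findings.append("provenance: unexpected predicateType")
    if not any(s.get("digest", {}).get(algo) == hexdigest for s in prov.get("subject", [])):
        findings.append("provenance: no subject carries the image digest")
    # 3. Builder identity and pinned source must match the documented build boundary.
    pred = prov.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in allowed_builders:
        findings.append(f"provenance: builder {builder!r} is not in the allowlist")
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri", "").startswith(source_repo) and d.get("digest", {}).get("gitCommit")
               for d in deps):
        findings.append("provenance: no pinned commit from the expected source repo")
    return findings
```

In practice the two JSON documents would be the payloads extracted from the signed attestations after cosign has verified them, and the image digest would come from the registry, not from the evidence pack itself.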


Evidence Pack

We provide assessor-ready documentation and guidance for verification steps.

FIPS

FIPS Is a Boundary, Not a Checkbox.

When we say "FIPS-aligned" we mean: validated modules where required, pinned versions, verifiable build lineage, and documented crypto boundary assumptions.

  • Validated: Where a validated module is required for your use case, we document the crypto module assumptions and provide references and verification steps as evidence. We avoid ambiguous "FIPS mode" claims without proof.
  • No Mystery: We document verification commands (signatures, SBOMs, provenance) so auditors can independently reproduce checks.
  • Operational: Patch SLAs, rebuild cadence, exception handling, and evidence retention are defined by service tier in your agreement.

Disclaimer: FLAMED.US is not a 3PAO and does not grant ATO. We provide engineered artifacts and evidence packages used by customers and assessors.

FedRAMP Evidence Focus

Signed artifacts, attached SBOMs, provenance attestations, and documented verification procedures designed for assessor review.

Contractual SLAs

Severity thresholds, remediation timelines, and escalation paths are contractual per tier. Exceptions are documented.

Designed to Be Minimal

Distroless-style approach: minimal packages, reduced attack surface, and consistent rebuild pipeline.

Competitive

If You're Comparing To Chainguard

Chainguard is a strong baseline for minimal images. FLAMED is built for teams who need FedRAMP-oriented evidence packaging and FIPS-specific boundaries.

Evidence First

We optimize for what closes findings: verifiable artifacts, documented verification commands, and evidence retention.

FedRAMP Workflows

We support SSP language, ConMon procedures, and assessor Q&A with the same engineer who built the images.