In the world of government compliance, 'fast' isn't usually a word thrown around lightly. Historically, taking a product from 'Ready' to 'Authorized' in the FedRAMP process is a marathon that can span multiple years, often forcing innovation to a standstill.
At Wiz, we viewed these historic challenges not as a barrier, but as an opportunity to prove that a modern, risk-based foundation can meet rigorous federal standards without sacrificing speed. We knew from experience working with customers for a range of regulatory challenges that systems can be compliant, secure, and maintain innovative agility.
Reflecting on our journey to FedRAMP High, it is remarkable to see how this agile approach has allowed the Wiz for Gov offering to grow in such a short time, to protect code, through cloud, runtime, and even AI risks as they rise in prevalence.
These innovations aren't just new features; they are the direct result of the same "secure-by-design" philosophy we used to accelerate our own authorization.
We focused on building a foundation that allowed us to navigate the FedRAMP journey while simultaneously reaching major feature parity. By using Wiz to secure Wiz, we proved that focusing on risk doesn’t just satisfy an audit; it clears the path for continuous innovation. In this series, we’re sharing the blueprint we utilize to stay fast under the federal microscope, so you can anchor in risk and accelerate your own journey to authorization.
Lesson One: Anchor in Risk, Not Just Compliance Checklists
While many organizations approach FedRAMP as a massive compliance exercise, we viewed it as a risk-prioritization challenge. At Wiz, our research teams focus on how threats actually manifest in the real world, where toxic combinations of vulnerabilities, overprivileged identities, misconfigurations, and other exposures lead to breaches. We applied this same “real-world” lens to our audit preparation, using automation to identify and mitigate the risks that truly mattered.
This risk-based philosophy isn't just an internal preference. The NIST SP 800-53r5 explicitly states that effective security requires a constant evaluation of how threats and vulnerabilities intersect:
…For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations…
NIST SP 800-53r5, Prologue
For our journey to FedRAMP High, we translated this foundational requirement into an agile three-stage approach to risk management:
Stage 1, Accurate Context- Automating complete visibility of cloud resources, technologies, and identities to identify and remediate risks before they can be exploited (proactive risk management)
Stage 2, Secure by Design- “Shifting security left” by moving risk assessment earlier into the software development lifecycle to identify and block the introduction of new risks at the developer level, before they can reach production (preventative risk management)
Stage 3, Context-Driven Response- Augmenting incident response activities with code and cloud context to filter noise, and ensure if a threat is detected teams are notified with root cause and “blast radius” already mapped out (reactive risk management)
By centralizing around this adaptive risk model, we weren't just checking boxes for families like Access Control (AC) or Incident Response (IR); we built a system that was inherently secure, and, by extension, inherently compliant. This made the uplift from Moderate to High more manageable and significantly reduced the manual burden of our month-to-month reporting.
Lesson Two: Replacing Manual Effort with Automated Context
The reality is no environment will ever be completely without risk. FedRAMP is designed around this truth, requiring organizations to not only identify risks but to have clear mitigation strategies in place. However, legacy approaches often rely on disconnected tools and manual processes, turning risk management into a documentation nightmare rather than a security win.
This is seen most clearly in the traditional Plan of Action and Milestones (POA&M) process. Historically, organizations treat a POA&M as a list of isolated Common Vulnerabilities and Exposures (CVEs), but a CVE by itself tells you very little. Previous vulnerability remediation guidance focused on the rating of the CVE itself, without broader context about the impact to the system. For example, a CVE with a low score within the Common Vulnerability Scoring System (CVSS) on a sensitive system should be a higher priority than a CVE with a high CVSS on a non-public asset w/o sensitive info. Focusing solely on the CVE score might require 30-day remediation on the high CVSS CVE and let the former go 180 days w/o consequences for not meeting that SLA. This can leave the system at a higher overall risk despite seemingly reducing a more critical CVE. This is why having the broader context matters, and can help with POA&M risk adjustments to prioritize vulnerability remediation around what matters most.
To move faster, we used the Wiz CNAPP to consolidate disparate security tools into a single, unified view. This allowed us to shift our focus from "fixing CVEs" to "remediating risk." By understanding which systems were exposed, which identities had access, and where the data lived, we were able to automate the discovery and documentation of our environment, and inject much-needed context into our audit.
Specifically, our use of the Wiz CNAPP helped to automate:
Malicious Code Protection
Inventory & Asset Management
Artifact Collection for Auditors
Continuous Monitoring (ConMon) for Continuous Authorization
By using Wiz to secure Wiz, we didn't just simplify the audit; we ensured that our security team was spending their time on the risks that actually mattered, rather than manually correlating data in a spreadsheet.
Lesson Three: Closing the Innovation Gap
One of the biggest challenges on the road to FedRAMP is time. Historically, the process can take years, creating an "innovation gap" where government cloud offerings fall behind their commercial counterparts. Once authorized, organizations must also maintain ongoing compliance through continuous monitoring (ConMon), which adds recurring monthly effort, and can further increase the timing between feature introduction within commercial and adoption within FedRAMP environments.
Throughout our FedRAMP Moderate assessment, we continued to release new commercial capabilities—including our Runtime Sensor and Data Security Posture Management (DSPM). By maintaining an agile risk management foundation, we were able to accelerate bringing these same capabilities into Wiz for Gov. In the months following our Moderate authorization, we successfully completed four Significant Change Requests (SCRs), bringing our government offering into major feature parity while simultaneously uplifting to FedRAMP High, achieved through an Agency-sponsored authorization.
We defined the path to parity through three milestones:
Establish the Baseline: Achieve FedRAMP Moderate authorization (Completed)
Elevate the Standard: Achieve Major Feature Parity and reach FedRAMP High (Completed)
Synchronize Innovation: Achieve Feature Release Parity, ensuring new features launch in Commercial and Wiz for Gov simultaneously (In Progress)
By documenting and automating our risk management process, we provided the transparency needed for our third-party assessors and Authorizing Officials to test, review, and approve. We transformed what is usually "compliance downtime" into development time, ensuring our U.S. Government customers have access to the same cutting-edge capabilities as the private sector.
The Path Forward: It's always about Risk
Modernizing your FedRAMP journey is about moving from static, manual reporting to a dynamic strategy rooted in automation. By embracing an agile foundation, organizations can discover, correlate, and document risk in a fraction of the time. This doesn't just simplify the path to initial authorization; it transforms the recurring requirements of continuous monitoring into a streamlined process that provides real-time transparency to strengthen your mission-critical security.
In Part 2 of The Agile FedRAMP Playbook, we’ll move from strategy to execution. We’ll dive deeper into Proactive Risk Management, and show you how to achieve high-fidelity continuous monitoring through full-stack visibility and automated context.
