Axonius FedRAMP Moderate authorization is a milestone—not the finish line

A conversation with Axonius Federal Systems’ Federal CTO Brian “Stretch” Meyer and State and Local Government, Education Field CISO Jennifer “JPL” Pittman-Leeper on what achieving FedRAMP Moderate authorization means, compliance credibility, and what’s next for public sector cybersecurity.

What was your first reaction when you got the FedRAMP Moderate authorization?

Stretch: We were in a room full of engineers doing training when the news came through, and we all just kind of looked at each other and said, “Finally.” Then we celebrated. 

This authorization unlocked the last gate for some of our customers in CISA’s Continuous Diagnostics and Mitigation (CDM) program. We’ve supported this critical federal initiative for years, often deploying on-prem or in private cloud environments to support highly sensitive missions for the DoD and intel community. 

But certain agencies within CDM had been waiting for a hosted FedRAMP-certified environment, and this authorization greenlights our Axonius Asset Cloud as an approved SaaS option. 

JPL: “Finally” definitely captures the feeling. I’ve helped a lot of public sector organizations navigate the “RAMPS”—TX-RAMP, AZ-RAMP, GovRAMP—and one thing I always tell them is this: even if you're not using a cloud deployment, you still want your vendors to go through processes like FedRAMP. Why? Because it shows a real commitment to security. 

We didn’t just do this because it was a requirement. We did it because we take that responsibility seriously. We were already operating this way, and now we have the certification to back it up. 

What does FedRAMP Moderate change for Axonius Federal Systems and your customers?

JPL: It gives customers confidence. Even if they’re not using the Axonius Asset Cloud today, they know we’ve passed one of the most rigorous assessments out there. 

It also removes a major barrier for agencies that need FedRAMP-certified tools. They no longer have to go through time-consuming, one-off reviews. 

Finally, it simplifies procurement through pre-cleared acquisition paths. That means faster decisions, less paperwork, and quicker time to mission impact.

Stretch: Right. We’ve deployed on-prem into DoD, intelligence, and civilian agencies for years. FedRAMP doesn’t change our capabilities; it validates them. 

Still, it’s huge for agencies with cloud-first mandates and budgeting restrictions. Many agencies have cloud funding lines that specifically require FedRAMP authorization. Without it, they’re often forced to build workarounds or delay projects. Now, we’re in a position where customers can align security, funding, and procurement without friction, which is exactly what they’ve been asking for.

So is this “mission accomplished”?

JPL: Not at all. The certification is the stamp: we were doing the work long before we had the paper. Security is either in your DNA or it isn’t. For us, it is and always will be, and we’ll keep pushing forward.

Stretch: FedRAMP Moderate is just a milestone. We’re already pursuing FedRAMP High, Impact Level 5, and GovRAMP. That’s what our customers need, and we’re investing in those next steps.

How does the Axonius platform help agencies with compliance and security?

JPL: During my career as a state leader, time was the one thing I couldn’t give my team more of. But Axonius does. It automates asset discovery, correlates data from over 1,200 sources, and delivers audit-ready dashboards. Whether you’re preparing for CDM, FISMA, or Executive Order 14028, it saves time and improves accuracy.

Stretch: We’ve got customers using the platform for continuous ATO, tool rationalization, license optimization—you name it. It’s not just a single pane of glass. It provides intelligent action, whether you’re on-prem, in the cloud, or somewhere in between.

Compliance isn’t just a checklist—it’s a moving target. How does Axonius help agencies maintain their long-term security?

JPL: Mandates change. Frameworks evolve. But what doesn’t change is the pressure on public sector teams to stay ahead, often without more staff or time. 

That’s where Axonius stands out. It’s not just about the toolset; it’s about the mindset. We built the platform to simplify complexity, with compliance baked in from day one. 

Stretch: And the reason we can keep pace is because we’ve lived it. Our team includes people who have managed IL5 environments, enforced STIGs, and stood up secure architectures under deadline. 

We understand what’s coming—things like Cybersecurity Maturity Model Certification (CMMC), Continuous Monitoring and Risk Scoring (CMRS), cATO, and Zero Trust—because we’ve helped agencies prepare for them. That’s why our roadmap reflects what customers actually need, not just what looks good in a demo. 

What’s your advice to public sector teams navigating today’s compliance demands?

JPL: No one should fear an audit. An audit is a good thing that helps you find and fix vulnerability gaps before they hurt you. The only difference between an audit and a hacker is that the hacker doesn’t give you the results. 

So, don’t fear the audit. Welcome it. Be ready. And make sure your vendors are, too. If they haven’t been through the same level of scrutiny, they shouldn’t be in your environment or be trusted with your data. 

Stretch: Exactly. Compliance is about building trust before something goes wrong. Agencies don’t just need tools that pass the test. They need partners who’ve lived the mission, understand what’s at stake, and help them stay ready every day. That’s the bar we hold ourselves to.

Let’s move forward together

While in pursuit of FedRAMP Moderate, Axonius and StackArmor established a strong partnership, dedicated to the highest standards of security. What does that mean for the future?

Our teams have already worked together to proactively implement the relevant FedRAMP High security controls well in advance of an upcoming assessment. 

“The Axonius team's professionalism and commitment to sound security practices in this FedRAMP High effort have been consistently impressive, making them a great partner in securing our nation’s federal networks, ”Johann Dettweiler, StackArmor CISO, shared.

“When we engaged with them, I was impressed to learn that they had already undertaken the process to obtain a STIG for their application configuration, and were already intimately familiar with the DoD control requirements having implemented a number of on prem deployments for DoD agencies and obtaining authorizations for those deployments.”

FedRAMP Moderate was the first milestone. But mission impact is the measure that matters—and we’re just getting started.

Request a demo to learn how Axonius helps federal agencies turn visibility into action.