FedRAMP Authorization

FedRAMP OSCAL export.
Zero manual assembly.

OSCAL becomes mandatory for FedRAMP submissions in September 2026. Zero organizations have submitted machine-readable OSCAL packages to date. MergeWhy generates OSCAL 1.1.2 JSON documents directly from your change evidence — SSP, Assessment Results, and POA&M — validated and ready for 3PAO review.

Cloud Service Providers spend months assembling FedRAMP evidence packages manually. MergeWhy captures it at merge time.

800+ NIST 800-53 controls

3 OSCAL document types

0 OSCAL submissions to date

Sept 2026 mandatory deadline

Capabilities

Everything you need for FedRAMP change management.

OSCAL 1.1.2 Export Engine (Mandatory Sept 2026)

Generate machine-readable OSCAL JSON documents — System Security Plans, Assessment Results, and Plans of Action and Milestones. Built-in structural validator ensures your submissions meet FedRAMP requirements before you upload.

NIST 800-53 Control Mapping

Every code change is automatically evaluated against NIST 800-53 controls. Configuration Management (CM), System and Information Integrity (SI), Access Control (AC), and Audit and Accountability (AU) families mapped out of the box.

SHA-256 Evidence Vault

All evidence is cryptographically sealed at merge time into a tamper-proof vault. When your 3PAO asks for proof of change management controls, you have cryptographic certainty — not screenshots.

Self-Hosted Deployment

Deploy MergeWhy in your own FedRAMP-authorized boundary. Docker or Kubernetes. OIDC authentication with any IdP. No data leaves your environment. Air-gapped collector agent available for classified networks.

Built-In OSCAL Validator

Validate OSCAL documents against structural requirements before submission. Checks required fields, UUID formats, control ID formats, and date consistency. Catch errors before your 3PAO does.

POA&M Tracking

Failed and warning controls automatically populate Plans of Action and Milestones. Track remediation progress per control. Generate updated POA&M documents as evidence gaps are resolved.

How It Works

Three steps to FedRAMP-ready evidence.

01

Install the GitHub App

Connect your repositories in under 2 minutes. MergeWhy begins capturing evidence from your very first PR.

02

Merge as usual

Engineers change nothing about their workflow. Every merge automatically generates a Decision Evidence Record mapped to NIST 800-53 controls.

03

Export OSCAL packages

Generate FedRAMP-ready OSCAL 1.1.2 JSON with one click. SSP, Assessment Results, and POA&M — validated and ready for submission.

Coverage

NIST 800-53 control families mapped.

CM — Configuration Management
SI — System & Information Integrity
AC — Access Control
AU — Audit & Accountability
SA — System & Services Acquisition
CA — Assessment & Authorization
RA — Risk Assessment
SC — System & Communications Protection

OSCAL 1.1.2 Output

Three document types. One click.

SSP

System Security Plan

Describes your system and how each control is implemented. Generated from your change evidence and organizational data.

AR

Assessment Results

Findings and observations from compliance evaluations. Maps each control to pass/fail status with evidence links.

POA&M

Plans of Action and Milestones for failed or warning controls. Tracks remediation progress with target dates.

Get Started

Don't wait for the OSCAL deadline.

Start capturing FedRAMP-ready evidence today. Free for your first repository. Self-hosted deployment for FedRAMP boundaries.