Cert expiry inside a FedRAMP authorization boundary isn't a downtime event — it's an SC-8(1) Transmission Confidentiality POA&M entry.
A critical-severity finding may require Significant Change notification to the JAB or sponsoring agency. Reauthorization risk is real.
Government contractor agencies build tech for federal and state contractors operating under the FedRAMP, FISMA, StateRAMP, and CMMC compliance frameworks. They deal with three exposures: FedRAMP Moderate baseline control SC-8(1) Transmission Confidentiality cert expiry, which triggers POA&M entries and potential 3PAO Significant Change notifications to the JAB or sponsoring agency; CMMC L2 + DFARS 252.204-7012 cert chain failures on CUI submission to SAM.gov / CDM / C3PAO portals, which trigger SPRS score drops that can disqualify the contractor from future DoD awards; and StateRAMP authorization boundary cert expiry, which triggers POA&M cycles at TX DIR, AZ DOA, OH DAS, MI DTMB, GA Tech and other state authorization bodies. Merlonix monitors every authorization-boundary subdomain so the FedRAMP + CMMC + StateRAMP exposure surfaces 30 days before the ConMon review can flag the cert-expired window.
- Check cadence (Agency): 5 min
- SSL pre-expiry alert: 30 days
- Independent DNS resolvers: 3
- Vendors watched: 11
Where government contractor agencies get caught out
Three failure modes where SSL expiry creates FedRAMP SC-8(1) POA&M entries with potential Significant Change notifications, CMMC L2 + DFARS 252.204-7012 CUI submission failures triggering SPRS score drops, and StateRAMP authorization boundary cert expiry triggering multi-state IV&V coordination overhead.
Government contractor agencies building tech for federal and state contractors under FedRAMP, FISMA, StateRAMP, and CMMC compliance frameworks deal with three exposures:
- FedRAMP Moderate baseline control SC-8(1) Transmission Confidentiality cert expiry, triggering POA&M entries reportable to customer agency CIOs (and potentially the JAB) and risking interim authorization suspension under SCR.
- CMMC L2 + DFARS 252.204-7012 cert chain failures on CUI submission to SAM.gov / CDM (CISA) / C3PAO assessment portals, triggering SPRS score drops that affect DoD award eligibility under DFARS 252.204-7019 + 7020.
- StateRAMP authorization boundary cert expiry, triggering multi-state IV&V coordination and potential per-state interim authorization suspensions.
FedRAMP (Federal Risk and Authorization Management Program; OMB memo M-22-09 codified it as the federal standard for cloud security authorizations) operates on the NIST SP 800-53 Rev. 5 control catalog with FedRAMP-specific baselines (Low, Moderate, High). Control SC-8(1) Transmission Confidentiality and Integrity requires implementing cryptographic mechanisms to prevent unauthorized disclosure of information during transmission. Within a FedRAMP authorization boundary, every subdomain handling federal data must comply with SC-8(1). Cert expiry on a boundary endpoint where federal data transmits over an unencrypted connection triggers a POA&M (Plan of Action and Milestones) entry. The 3PAO (Third Party Assessment Organization) evaluates the severity. A critical-severity SC-8(1) finding is reportable to the customer agency's CIO under the FedRAMP Continuous Monitoring (ConMon) program. If the cert-expired window exposed CUI or PII, the 3PAO may require Significant Change notification to the JAB (Joint Authorization Board for FedRAMP P-ATO holders) or to the sponsoring agency (for FedRAMP ATO holders). Significant Change notifications can trigger interim authorization suspension pending re-assessment
A government contractor agency operates a FedRAMP Moderate-authorized SaaS platform (saas.fedrampcontractor.com) used by 8 federal agency customers (DHS, DOI, DOC, USDA, EPA, NASA, USPS, GSA). The platform handles agency-uploaded PII (background check data for federal employee credentialing). The cert on saas.fedrampcontractor.com expires due to a Let's Encrypt renewal failure caused by a CAA tightening introduced during the contractor's annual SOC 2 + FedRAMP joint hardening cycle. The cert expires on a Friday afternoon; the on-call rotation is reduced for the weekend. By Monday morning, 47 agency users have submitted PII through the platform over the expired cert. The contractor's 3PAO (one of FedRAMP's 50+ accredited 3PAOs) is notified Monday afternoon. The ConMon monthly assessment is 2 weeks away.
A government contractor agency operates FederalSaaS, a FedRAMP Moderate-authorized SaaS platform for federal credentialing workflows. The platform is in the FedRAMP Marketplace with a P-ATO (Provisional Authorization to Operate) issued by the JAB in 2023; the platform serves 8 federal agency customers (DHS, DOI, DOC, USDA, EPA, NASA, USPS, GSA) handling PII for federal employee credentialing. The authorization boundary includes saas.federalsaas.com (the primary application endpoint), api.federalsaas.com (the agency API integration endpoint), and admin.federalsaas.com (the contractor admin console — restricted to contractor personnel with appropriate clearance). The cert on saas.federalsaas.com is provisioned via Let's Encrypt with a 90-day cycle. The contractor runs an annual joint SOC 2 + FedRAMP hardening cycle in Q4 2025; one recommendation is CAA tightening to pin to commercial CAs only (DigiCert, Entrust). The contractor's IT team implements the CAA tightening at federalsaas.com. The next 90-day cert renewal for saas.federalsaas.com hits the tightened CAA record; Let's Encrypt is no longer permitted; renewal fails. The contractor's renewal automation logs the failure but doesn't alert (the failure looks like a transient LE outage). The previous cert is valid for another 30 days. 30 days later, the previous cert expires on a Friday afternoon at 4:48 PM ET. The on-call rotation is reduced for the weekend (one engineer covers ConMon + production). By Monday morning at 8 AM, 47 federal-agency users (across the 8 agency customers) have submitted PII through the platform over the expired cert — background check data, federal employee Suitability File extracts, NACI (National Agency Check with Inquiries) results. 
The federal-agency user-agents range from modern Edge/Chrome on agency-issued GFE (Government-Furnished Equipment) which handles the cert error with a click-through, to legacy IE-mode/Edge on older agency devices which auto-allow the click-through, to mobile (federal employees increasingly accessing on agency-issued mobile devices) where iOS Safari may hard-block. Discovery happens Monday at 9 AM when an agency security officer at DHS notices the cert warning during a routine user-acceptance test and emails the contractor's ConMon point of contact. The ConMon POC engages the agency engineer, who renews the cert (after fixing the CAA tightening or obtaining a DigiCert cert) by 11 AM. The contractor's 3PAO is notified Monday afternoon per FedRAMP ConMon requirements. The 3PAO evaluates the severity: critical because PII was potentially exposed; high because of the 60+ hour cert-expired window; medium because of the limited blast radius (the 8 agency customers represent ~120 active users total, of whom 47 transmitted over the expired cert). The 3PAO classifies the finding as Critical-Severity SC-8(1). Per FedRAMP ConMon, Critical-Severity findings must be reported to the JAB within 1 business day (the JAB issued the P-ATO; the JAB-managed package requires CIO-level visibility). The 3PAO files the report on Tuesday. The JAB reviews the finding; if the Critical-Severity finding includes PII exposure plus a 60+ hour cert-expired window, the JAB may require Significant Change notification under FedRAMP's SCR (Significant Change Request) process. SCR triggers interim authorization suspension pending re-assessment; the platform is removed from active FedRAMP Marketplace status during the SCR review (typically 6-12 weeks for a moderate-impact SCR). During the suspension, the 8 federal agency customers cannot use the platform for new procurements (existing usage typically continues under interim agency authorization but new agency onboarding is paused). 
The contractor's revenue impact: 6-12 week paused-procurement window for new agency customers; sponsoring-agency support for the existing 8 customers may require additional agency-side approvals depending on each agency's ATO policy. The contractor's SPRS (Supplier Performance Risk System) score is also impacted via the FedRAMP-to-SPRS data flow; for any DoD contractor in the FedRAMP authorization, the SPRS score drop can affect DoD award eligibility for the 12-month assessment window. The agency's engagement contract with the contractor includes cybersecurity SLAs + FedRAMP-compliance SLAs with indemnity; the indemnity is triggered for SCR-related revenue impact and 3PAO reassessment costs. The agency's E&O policy is triggered.
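The CAA failure in the scenario above can be detected when the DNS change lands, while the old cert is still valid. The following is an added example, not Merlonix's code: it evaluates a CAA record set for a non-wildcard name using the RFC 8659 lookup (climb from the hostname toward the root, first name with CAA records decides) and combines the result with the cert's expiry date. The record lines, dates, status names and function names are constructed for illustration.

```python
import shlex
from datetime import datetime, timezone

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
LE_CAA_ID = "letsencrypt.org"  # issuer domain Let's Encrypt matches in CAA

def parse_caa(zone_line):
    """Parse 'owner ttl IN CAA flags tag "value"' into (owner, flags, tag, value)."""
    parts = shlex.split(zone_line)
    i = parts.index("CAA")
    owner = parts[0].rstrip(".").lower()
    return owner, int(parts[i + 1]), parts[i + 2].lower(), parts[i + 3]

def relevant_rrset(fqdn, records):
    """Climb from the FQDN toward the root; the first name with CAA records wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = [r for r in records if r[0] == name]
        if rrset:
            return name, rrset
    return None, []

def issuer_permitted(fqdn, zone_lines, ca_id):
    """Return (permitted, reason) for a non-wildcard certificate request."""
    owner, rrset = relevant_rrset(fqdn, [parse_caa(l) for l in zone_lines])
    if not rrset:
        return True, "no CAA records found: any CA may issue"
    for _, flags, tag, _ in rrset:
        # A critical (bit 0x80) property the CA does not understand blocks issuance.
        if flags & 0x80 and tag not in KNOWN_TAGS:
            return False, f"critical flag on unrecognized tag '{tag}' at {owner}"
    # The issuer domain is the part of the value before any ';' parameters.
    issuers = {v.split(";", 1)[0].strip().lower()
               for _, _, t, v in rrset if t == "issue"}
    if not issuers:
        return True, f"CAA at {owner} has no issue property"
    if ca_id in issuers:
        return True, f"{ca_id} is authorized at {owner}"
    return False, f"CAA at {owner} authorizes only {sorted(issuers)}"

def renewal_risk(fqdn, zone_lines, ca_id, not_after, now, lead_days=30):
    """Classify a host: a blocked renewal is reported even while the cert is valid."""
    permitted, reason = issuer_permitted(fqdn, zone_lines, ca_id)
    days_left = (not_after - now).days
    if not_after <= now:
        status = "expired"
    elif not permitted:
        status = "renewal-blocked"
    elif days_left <= lead_days:
        status = "expiring"
    else:
        status = "ok"
    return status, days_left, reason

# Constructed sample data: the apex CAA set before and after the tightening.
BEFORE = ['federalsaas.com. 3600 IN CAA 0 issue "letsencrypt.org"']
AFTER = [
    'federalsaas.com. 3600 IN CAA 0 issue "digicert.com"',
    'federalsaas.com. 3600 IN CAA 0 issue "entrust.net"',
]
NOT_AFTER = datetime(2026, 2, 13, 21, 48, tzinfo=timezone.utc)  # constructed
NOW = datetime(2026, 1, 2, 9, 0, tzinfo=timezone.utc)           # constructed

if __name__ == "__main__":
    for label, zone in (("before", BEFORE), ("after", AFTER)):
        print(label, renewal_risk("saas.federalsaas.com", zone,
                                  LE_CAA_ID, NOT_AFTER, NOW))
```

With the tightened record set the host reports `renewal-blocked` with 42 days of validity left, which is the window in which the scenario's renewal automation only logged a failure.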
CMMC (Cybersecurity Maturity Model Certification) L2 + DFARS 252.204-7012 require DoD contractors handling Controlled Unclassified Information (CUI) to implement NIST SP 800-171 controls. Control 3.13.8 specifies cryptographic mechanisms to prevent unauthorized disclosure during transmission. CMMC L2 assessment is performed by a C3PAO (Certified Third-Party Assessment Organization). Cert chain failures on CUI submission to SAM.gov (System for Award Management), CDM (Continuous Diagnostics and Mitigation submission endpoint at CISA), or the C3PAO assessment portal trigger CMMC L2 assessment findings. A SPRS (Supplier Performance Risk System) score drop can disqualify the contractor from future DoD awards under DFARS 252.204-7019 + 7020. The CMMC L2 self-assessment must be re-affirmed annually; a cert chain issue identified during self-assessment that wasn't flagged in the prior assessment can require an unscheduled C3PAO re-engagement
A government contractor agency operates the CUI submission relay (cui.dodcontractor.com) for a DoD contractor with active prime contracts at the Army, Navy, and Air Force levels handling export-controlled CUI. The cert on cui.dodcontractor.com renews from a Let's Encrypt chain. SAM.gov accepts (SAM.gov was updated in 2023 to accept LE chains). The CDM submission endpoint at CISA rejects (CDM's 2019 portal redesign hard-coded a Sectigo + Entrust + DigiCert approved list). The C3PAO assessment portal (the contractor uses Redspin as their C3PAO) rejects (Redspin's assessment platform uses InCommon chain validation). The DoD contractor cannot submit CDM reports for the 60 days before the next quarterly CDM submission deadline. The C3PAO self-assessment affirmation cycle (annual) is approaching; the contractor cannot upload assessment evidence to Redspin's portal.
A government contractor agency operates DoD-CUI-Relay, the CUI submission infrastructure for DoD-Contractor-Inc, a mid-tier DoD contractor with active prime contracts at the Army (PEO STRI for training simulators), Navy (NAVSEA for shipboard electronic-warfare systems), and Air Force (AFLCMC for cyber-resilience for aircraft avionics) levels. All three contract portfolios involve export-controlled CUI under ITAR / EAR. The contractor maintains CMMC L2 certification (effective for DoD contracts since the CMMC 2.0 rule went into final-form effective December 2024) and SPRS scoring. The CUI submission infrastructure includes cui.dodcontractor.com (CUI ingress for incoming CUI from DoD program offices) and cdm.dodcontractor.com (the contractor's outgoing CDM submission relay to CISA's CDM dashboard). The cert on cui.dodcontractor.com is provisioned via Let's Encrypt with a 90-day cycle. The cert renewal in early 2026 issues a new chain through ISRG Root X1. SAM.gov (System for Award Management at the GSA) was updated in 2023 to accept LE chains as part of a federal-acquisition modernization initiative; SAM.gov accepts. The CDM submission endpoint at CISA (cdm.cisa.gov) rejects: CDM's 2019 portal redesign hard-coded a Sectigo + Entrust + DigiCert approved-CA list; LE was never added because CDM's IT team prefers commercial CAs for federal-data submission paths. The C3PAO assessment portal at Redspin (which the contractor uses for CMMC L2 third-party assessment) rejects: Redspin's assessment platform uses InCommon chain validation (InCommon is the higher-ed-focused CA used by federally-funded research labs and many government-adjacent infrastructure providers); LE doesn't chain through InCommon. The contractor's submission code logs each TLS failure. CDM submissions queue for 60 days before the next quarterly CDM submission deadline (CISA's CDM cycle is quarterly; submissions due February 28, May 31, August 31, November 30). 
The Redspin C3PAO self-assessment affirmation cycle (annual) is approaching with a March 31 deadline. The contractor's SPRS score depends on timely CMMC + CDM submissions. Discovery happens during a CDM dashboard review when the CISA CDM POC notices missing submissions from DoD-Contractor-Inc; the POC emails the contractor's ISSO. The ISSO investigates with the agency engineer; identifies the cert chain rejection. Resolution requires obtaining a new cert from Sectigo + DigiCert for the CDM-facing config and an InCommon cert for the Redspin-facing config; SNI-based serving for each downstream. Lead time: Sectigo + DigiCert are immediate; InCommon takes 3-5 business days because it's typically issued to federal-funded research institutions and the contractor must qualify under InCommon's eligibility criteria (the contractor qualifies as a DoD prime contractor with federally-funded R&D efforts but the validation takes time). During the resolution window: CDM submissions queue further; the C3PAO assessment affirmation cycle is at risk. The contractor's SPRS score drops due to the missed CDM submissions; the drop is in the "yellow" range (60-79 on the SPRS 0-100 scale) which under DFARS 252.204-7019 may trigger a Solicitation Provision review for new DoD awards. Two pending DoD award decisions (Army cyber-resilience for $4.5M; Air Force avionics resilience for $12M) are at the source-selection stage; the SPRS drop may affect award outcome. The DoD-Contractor-Inc's engagement contract with the agency includes cybersecurity SLAs + CMMC-compliance SLAs with indemnity; the indemnity is triggered for the SPRS-score-related award-eligibility impact. The agency's E&O policy is triggered.
StateRAMP (modeled on FedRAMP for state government cloud authorizations) operates similar controls. State governments increasingly require StateRAMP Authorized for any vendor handling state-controlled data. TX DIR (Department of Information Resources) requires StateRAMP for state-procured cloud services. AZ DOA, OH DAS, MI DTMB, GA Tech, CO OIT, AR DIS, MS ITS, NC DIT all have similar requirements at varying maturity levels. Cert expiry on a StateRAMP authorization boundary endpoint triggers the same POA&M cycle as FedRAMP — the state IV&V (Independent Verification & Validation) team evaluates severity, may require Significant Change notification to the state authorization body, and may suspend the authorization pending re-assessment. State-level enforcement is increasingly active as states tighten cybersecurity-procurement requirements
A government contractor agency operates a StateRAMP Authorized SaaS platform (statesaas.contractoroperations.com) used by 12 state government customers (TX, AZ, OH, MI, GA, CO, NC, IN, OK, TN, MS, AR). The cert on statesaas.contractoroperations.com expires during a holiday weekend. State-government users in 4 states submit data through the platform during the expired window. The TX DIR Cybersecurity Office is notified via the state-level ConMon-equivalent; an IV&V team is engaged to evaluate severity. The TX-specific finding may require Significant Change notification to TX DIR; the multi-state nature requires coordinating with 11 other state authorization bodies.
A government contractor agency operates State-SaaS, a StateRAMP Authorized SaaS platform for state-government workforce-services workflows (used by state-level HR, training, and credentialing offices). The platform serves 12 state government customers (TX, AZ, OH, MI, GA, CO, NC, IN, OK, TN, MS, AR) handling state-employee PII. The authorization boundary includes statesaas.stateoperations.com (primary application) and api.statesaas.stateoperations.com (state-agency API integration). The cert on statesaas.stateoperations.com is provisioned via Let's Encrypt with a 90-day cycle. The cert expires on a Friday afternoon during a 4-day Memorial Day weekend. The contractor's on-call rotation is reduced for the weekend; the renewal alert (Slack-based) is monitored only during business hours. Over the 4-day weekend: state-government users in 4 of the 12 states (TX, AZ, OH, GA — the states with active workforce-services workflows scheduled for the weekend) submit data through the platform. About 180 state-employee PII submissions occur during the cert-expired window. Discovery happens Tuesday morning when the TX DIR Cybersecurity Office receives an auto-alert from the state-level cybersecurity-monitoring service (TX DIR runs a Statewide Information Security Operations Center). The TX DIR POC contacts the contractor; the contractor engineer renews the cert by 11 AM Tuesday. The TX DIR Cybersecurity Office initiates an IV&V (Independent Verification & Validation) review per StateRAMP ConMon-equivalent. The IV&V team classifies the finding as Significant for TX: PII exposure during a 4-day window affecting an estimated 60 TX state employees. Per TX StateRAMP authorization terms, Significant findings require Significant Change notification to the TX DIR Cybersecurity Office and may trigger interim authorization suspension. The TX DIR suspension lasts 4 weeks pending re-IV&V. 
During the suspension, the contractor cannot accept new TX-state-agency onboarding; existing TX-state-agency usage continues under interim agency-level approval. Concurrently, the multi-state nature requires the contractor to notify each of the other 11 state authorization bodies. Each state has its own response: AZ DOA initiates a parallel state-level IV&V (the AZ-specific incident was less severe because no AZ state employees were among the 180 affected submissions, but AZ DOA reviews the cert-expired window as a multi-state ConMon event). OH DAS requires a written response within 5 business days. MI DTMB initiates an Information Security Risk Review. GA Tech (Georgia Technology Authority) requires a status update at the next quarterly StateRAMP committee meeting. The other 7 states (CO, NC, IN, OK, TN, MS, AR) each have varying response cadences. The contractor's state-government revenue mix: TX accounts for 35% of state-vertical revenue (multi-year contract worth $8M annual); the TX-specific 4-week suspension represents ~$300K in delayed new-procurement plus opportunity-cost. Across the 11 other states, the response burden is significant operational overhead (the contractor must coordinate with each state's IV&V process). The contractor's SPRS score (if applicable for any DoD-related state-government contracts — Texas operates several state-DoD-overlap contracts including the Texas State Guard cyber-mission program) may also be affected via the FedRAMP-to-SPRS data flow. The agency's engagement contract with the contractor includes cybersecurity SLAs + StateRAMP-compliance SLAs with indemnity; the indemnity is triggered for the TX suspension revenue impact, the IV&V coordination overhead across 11 states, and outside-counsel fees for the multi-state response posture. The agency's E&O policy is triggered.
How it works
SSL and DNS monitoring for government contractor agencies across FedRAMP Moderate authorization boundaries (SC-8(1) Transmission Confidentiality + ConMon exposure), CMMC L2 + DFARS 252.204-7012 CUI submission relays (SPRS score + DoD award eligibility exposure), and StateRAMP authorization boundaries (TX DIR, AZ DOA, OH DAS, MI DTMB, GA Tech with their own IV&V processes).
Merlonix monitors SSL expiry and DNS integrity across every authorization-boundary subdomain — saas.* (primary application), api.* (federal or state agency integration), admin.* (contractor admin console), cui.* (CUI ingress for DoD contractors), cdm.* (CDM submission to CISA) — and catches cert expiry on boundary subdomains before any federal or state data can transmit over an unencrypted connection and trigger the FedRAMP SC-8(1) / StateRAMP-equivalent / CMMC 3.13.8 POA&M cycle, before any CUI submission to SAM.gov / CDM / C3PAO assessment portals can silently reject and cause SPRS score drops, and before any StateRAMP authorization boundary cert expiry can trigger multi-state IV&V coordination overhead. Each boundary subdomain gets independent monitoring because each one carries independent regulatory exposure under the contractor's cybersecurity SLAs.
01. Add every authorization-boundary subdomain — saas.*, api.*, admin.*, cui.*, cdm.* — with DNS TXT verification that catches cert expiry on FedRAMP / CMMC / StateRAMP-boundary infrastructure 30 days before the ConMon review can flag the cert-expired window
Verify ownership with a DNS TXT record on the apex domain. All authorization-boundary subdomains under that apex — saas.* (primary application), api.* (federal agency or state agency API integration), admin.* (contractor admin console), cui.* (CUI ingress for DoD contractors), cdm.* (CDM submission relay to CISA) — are added without additional verification. Monitoring every authorization-boundary subdomain catches cert expiry 30 days before the failure window opens — well before any federal or state data can transmit over an unencrypted connection and trigger the FedRAMP SC-8(1) / StateRAMP equivalent / CMMC 3.13.8 POA&M cycle. Under two minutes per contractor.
02. Per-downstream cert chain monitoring against the federal submission endpoints (SAM.gov, CDM at CISA, the major C3PAO assessment platforms) plus state authorization bodies (TX DIR, AZ DOA, OH DAS, MI DTMB, GA Tech) — surfacing chain compatibility failures the moment a cert renewal happens, not 60 days into a queued-submission backlog
Each federal submission endpoint and state authorization body has its own approved-CA list with different update cadences. Merlonix maintains a database of per-endpoint chain compatibility, and on every cert renewal at a contractor-attached subdomain, validates the new chain against each downstream endpoint's accepted list. When a cert renewal would render a CDM submission relay incompatible with CDM's 2019 portal redesign (Sectigo + Entrust + DigiCert only) or a C3PAO assessment portal incompatible with Redspin's InCommon chain validation, the failure is surfaced immediately — before the contractor's submission code starts logging TLS failures that don't surface in the producer-facing UI.
03. SSL monitoring 30 days before expiry across authorization-boundary subdomains, federal submission endpoints, and state authorization body submission relays — independent per-subdomain checks because each one has independent compliance exposure
Full SSL chain validation on every contractor-attached subdomain. Independent checks catch cert expiry 30 days before the failure window opens — enough time to validate the new chain against every downstream federal endpoint (SAM.gov, CDM at CISA, federal customer agency endpoints) and every in-scope state authorization body, obtain a non-LE cert from Sectigo / Entrust / DigiCert / InCommon if a federal or state mix requires it (InCommon takes 3-5 business days for new contractor enrollment), and avoid deploy collisions with ConMon assessment windows (FedRAMP ConMon is monthly; StateRAMP varies per state).
04. Vendor status for SAM.gov, CDM at CISA, the major C3PAO platforms (Redspin, Coalfire, A-LIGN, ITP, Schellman), and the state authorization bodies (TX DIR, AZ DOA, OH DAS, MI DTMB, GA Tech, CO OIT) — to distinguish vendor-side incidents from per-contractor SSL configuration failures
Merlonix monitors SAM.gov status, CDM at CISA status, the major C3PAO platforms' status, and state authorization body status pages alongside the contractor's cert state — so when CDM has a platform-wide TLS incident or SAM.gov has scheduled-maintenance affecting cert validation, you see the vendor event clearly rather than spending hours investigating whether the contractor's cdm.* or sam.* submission relay has a per-tenant cert problem. C3PAO platform status is particularly important during the annual CMMC self-assessment affirmation cycle (typically March 31 deadline) when C3PAO portal load is highest.
What the numbers mean for government contractor agencies
Monitoring built for government contractor agencies where one contractor portfolio means a FedRAMP Moderate-authorized SaaS platform (SC-8(1) Transmission Confidentiality + ConMon JAB-reportable exposure), a CMMC L2 + DFARS 252.204-7012 CUI submission relay (SPRS score + DoD award eligibility exposure under DFARS 252.204-7019 + 7020), and a StateRAMP authorization boundary serving 12+ state customers (multi-state IV&V coordination + per-state interim authorization suspension exposure).
Government contractor agencies operating tech for federal and state contractors need monitoring that recognizes each authorization-boundary subdomain has independent compliance exposure — because the FedRAMP SC-8(1) failure is silent (the cert expires over a holiday weekend and federal-agency users continue submitting data through the platform; the 3PAO finding lands days later but is reportable to the JAB), the CMMC CUI submission failure is silent (CDM submissions queue for 60 days before the next quarterly deadline; SAM.gov retries succeed while CDM retries fail; the SPRS score drop only surfaces at the next solicitation review), and the StateRAMP failure is silent (state-by-state IV&V response cadences vary; the contractor's response burden is significant operational overhead).
< 10 min
Time from DNS change to alert — catches CAA tightening introduced during annual SOC 2 + FedRAMP joint hardening cycles that silently break Let's Encrypt renewal on authorization-boundary subdomains 60+ days before the next ConMon assessment, plus registrar nameserver changes and CNAME modifications on CUI submission relays
30 days
SSL expiry warning lead time — enough time to validate the new cert chain against every downstream federal submission endpoint (SAM.gov, CDM at CISA, customer agency endpoints) + every in-scope state authorization body, obtain a non-LE cert from Sectigo / Entrust / DigiCert / InCommon if a federal or state mix requires it (InCommon takes 3-5 business days for new contractor enrollment), and avoid ConMon assessment-window collisions
11 vendors
Upstream services monitored — SAM.gov, CDM at CISA, the major C3PAO platforms (Redspin, Coalfire, A-LIGN, ITP, Schellman), state authorization bodies (TX DIR, AZ DOA, OH DAS, MI DTMB, GA Tech, CO OIT), and Let's Encrypt. Distinguishes a vendor-side federal-endpoint incident from a per-contractor SSL configuration failure
200 assets
Maximum monitored domains on the Agency plan — covers a full government-contractor portfolio: 15+ contractors each with saas.*, api.*, admin.*, cui.*, cdm.*, and apex subdomains. Multi-product contractors with separate authorization boundaries per product (FedRAMP-scoped saas.fedramp.contractor.com + StateRAMP-scoped saas.stateramp.contractor.com) are absorbed without per-domain fees
Pricing
Flat monthly fee. Every authorization-boundary subdomain, every CUI submission relay, every state authorization body endpoint included.
No per-contractor charges. No per-authorization-body fees. Pick the tier that fits your government-contractor portfolio and monitor every FedRAMP / CMMC / StateRAMP-scope subdomain (saas.*, api.*, admin.*, cui.*, cdm.*) under each contractor's apex without billing surprises.
Starter
For solo government-tech developers or two-person agencies operating a single contractor's FedRAMP-Low or StateRAMP-Authorized platform under one apex domain.
$29/month
- 10 monitored assets
- 1 seat
- 15-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Team
For government contractor agencies managing 3-5 contractor clients with separate saas.*, api.*, admin.*, cui.*, and cdm.* subdomains per contractor, plus the contractor's primary marketing domain.
$79/month
- 50 monitored assets
- 5 seats
- 10-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Agency
For agencies with a full government-contractor client roster including FedRAMP Moderate / High-authorized contractors with multiple authorization boundaries, CMMC L2-certified DoD contractors handling CUI across Army / Navy / Air Force programs, and StateRAMP-authorized contractors serving 12+ state customers.
$199/month
- 200 monitored assets
- 15 seats
- 5-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Know when an authorization-boundary subdomain is approaching cert expiry — 30 days before the ConMon review can flag the cert-expired window and trigger a Critical-Severity SC-8(1) POA&M finding reportable to the JAB.
Add your first contractor subdomain in under two minutes. FedRAMP / CMMC / StateRAMP authorization-boundary endpoints, CUI submission relays, federal customer agency API integrations, and state authorization body submission endpoints across every contractor in your portfolio are monitored from the same dashboard. 14-day trial, no card required.