Study Guide: Forward Deployed Engineer 101: Compliance Frameworks (SOC2, FedRAMP, GDPR, HIPAA, CMMC – Basics)
Source: https://www.fatskills.com/forward-deployed-engineer-fde/chapter/forward-deployed-engineer-compliance-frameworks-soc2-fedramp-gdpr-hipaa-cmmc-basics

Forward Deployed Engineer 101: Compliance Frameworks (SOC2, FedRAMP, GDPR, HIPAA, CMMC – Basics)

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


Compliance Frameworks (SOC2, FedRAMP, GDPR, HIPAA, CMMC) – Field-Ready Study Guide

For Forward Deployed Engineers (FDEs) who need to ship secure, compliant software in high-stakes environments—without getting blocked by auditors or breaking production.


What This Is

Compliance frameworks are rulebooks that dictate how software must handle data, security, and operations to meet legal, regulatory, or contractual requirements. As an FDE, you’ll deploy systems where compliance isn’t just a checkbox—it’s a hard dependency for go-live. Example: You’re building a disaster-response dashboard for a government agency, but the data pipeline must comply with FedRAMP Moderate to run on their AWS GovCloud. If you miss a control (e.g., encrypting data at rest), the system gets rejected, and the mission fails. Your job is to design for compliance from day one, not bolt it on later.


Key Terms & Concepts

  • SOC2 (Service Organization Control 2):
    A voluntary audit framework for SaaS companies, focusing on security, availability, processing integrity, confidentiality, and privacy. Customers (especially enterprises) will demand a SOC2 report before signing contracts. Field tool: Use Vanta or Drata to automate evidence collection (e.g., screenshots of IAM policies, log exports).

  • FedRAMP (Federal Risk and Authorization Management Program):
    The U.S. government’s security standard for cloud services. FedRAMP Moderate is the baseline for most agencies (e.g., DoD, DHS). Field trap: FedRAMP requires FIPS 140-2 validated encryption, and TLS alone does not satisfy it: the cryptographic module that terminates TLS and holds the keys must itself be FIPS-validated. Use AWS KMS with FIPS endpoints or BoringSSL’s FIPS-validated module (BoringCrypto).

  • GDPR (General Data Protection Regulation):
    EU law governing personal data (PII) of EU citizens. Key rules: right to erasure, data minimization, and 72-hour breach notification. Field example: A customer in Germany asks you to delete a user’s data—you must audit all backups and logs to ensure no traces remain.

  • HIPAA (Health Insurance Portability and Accountability Act):
    U.S. law protecting protected health information (PHI). Requires access controls, audit logs, and encryption at rest/transit. Field tool: Use AWS HIPAA-eligible services (e.g., RDS with encryption, S3 with SSE-KMS) and log everything (e.g., CloudTrail + SIEM like Splunk).

  • CMMC (Cybersecurity Maturity Model Certification):
    DoD’s framework for defense contractors. CMMC Level 2 (the most common) requires 110 controls (e.g., multi-factor authentication, incident response plans). Field trap: CMMC audits are in-person—you’ll need to show physical security (e.g., locked server racks) and documented processes.

  • ATO (Authority to Operate):
    The formal approval to run a system in a government environment (e.g., FedRAMP ATO, DoD ATO). Field process: You’ll work with a Designated Approving Authority (DAA) to submit a System Security Plan (SSP) and Plan of Action & Milestones (POA&M).

  • FIPS 140-2:
    A U.S. government standard for cryptographic modules. Field command: On Linux (RHEL/Fedora family, where fips-mode-setup ships with crypto-policies), enable FIPS mode and reboot so the kernel comes up with FIPS enforced:

      sudo fips-mode-setup --enable
      sudo reboot

  • Data Classification:
    Labeling data by sensitivity (e.g., Public, Internal, Confidential, Secret). Field example: A customer marks a dataset as Secret—you must disable logging, encrypt with hardware keys, and restrict access to cleared personnel.

  • Least Privilege:
    Users/systems get only the permissions they need. Field tool: Use AWS IAM Access Analyzer or Open Policy Agent (OPA) to enforce this.

  • Audit Trail:
    Immutable logs of who did what, when. Field tool: AWS CloudTrail (for AWS), ELK Stack (for on-prem), or Splunk (enterprise). Field trap: Logs must be tamper-proof—use write-once storage (e.g., AWS S3 Object Lock).

  • Zero Trust:
    "Never trust, always verify." Field example: Even inside a VPN, require MFA and short-lived credentials (e.g., AWS STS tokens).

  • POA&M (Plan of Action & Milestones):
    A document listing compliance gaps and remediation timelines. Field process: You’ll write this after a gap assessment (e.g., "Missing audit logs for database access → Fix by Q3").


Step-by-Step / Field Process


How to Deploy a Compliant System (e.g., FedRAMP Moderate)

  1. Map Requirements to Controls
     • Grab the FedRAMP Moderate baseline (171 controls) and customer-specific overlays (e.g., DoD adds extra rules).
     • Field action: Use a spreadsheet to map controls to your system (e.g., "AC-2: Account Management → IAM policies in Terraform").

  2. Design for Compliance Early
     • Field example: If the customer requires FIPS 140-2, use AWS GovCloud (not commercial AWS) and FIPS-validated endpoints (e.g., kms-fips.us-gov-west-1.amazonaws.com).
     • Field tool: Terraform snippet for FIPS-compliant KMS (the kms_policy policy document is assumed to be declared elsewhere in the same configuration):

       # Customer-managed KMS key. FIPS validation comes from the KMS service
       # endpoint you call (kms-fips.*), not from the key resource itself.
       resource "aws_kms_key" "fips_key" {
         description              = "FIPS-validated key for FedRAMP"
         key_usage                = "ENCRYPT_DECRYPT"
         customer_master_key_spec = "SYMMETRIC_DEFAULT"
         is_enabled               = true
         enable_key_rotation      = true   # automatic rotation; auditors ask for this
         # Key policy, rendered from a data "aws_iam_policy_document" "kms_policy" block
         policy                   = data.aws_iam_policy_document.kms_policy.json
       }

  3. Implement Security Controls
     • Field checklist:
       • Encryption: Enable AWS EBS encryption (for disks), TLS 1.2+ (for transit), and KMS (for keys).
       • Logging: Turn on CloudTrail, VPC Flow Logs, and OS-level auditing (e.g., auditd on Linux).
       • Access Control: Enforce MFA, least privilege, and session timeouts (e.g., AWS IAM max_session_duration = 3600).

  4. Document Everything
     • Field documents you’ll write:
       • System Security Plan (SSP): Describes your system’s security controls (use the FedRAMP SSP template).
       • Configuration Management Plan (CMP): How you’ll track changes (e.g., Terraform + GitHub).
       • Incident Response Plan (IRP): Steps for breaches (e.g., "Isolate affected systems → Notify CISO within 1 hour").

  5. Test in the Customer’s Environment
     • Field process:
       • Deploy a staging environment that mirrors the customer’s (e.g., same VPC, same IAM roles).
       • Run compliance scans (e.g., OpenSCAP, AWS Config, or Prisma Cloud).
       • Field command: Check for open ports with nmap:

         nmap -sV -p- <customer-ip> --script vuln

  6. Submit for ATO
     • Field steps:
       • Work with the customer’s Information System Security Officer (ISSO) to submit the SSP and POA&M.
       • Schedule a 3PAO (Third-Party Assessment Organization) audit (for FedRAMP).
       • Field trap: If the auditor finds a critical finding (e.g., missing encryption), you’ll need to fix it before go-live.
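As an added example (not part of the Fatskills guide), the following Python script turns steps 1 to 3 above into an automated gap check: it evaluates a constructed deployment inventory against a handful of controls, including the FIPS-endpoint trap from step 2 and the logging and session-timeout items from step 3, and renders the failures as POA&M lines in the guide’s "gap → fix by" format. The inventory keys, the control-ID mapping and the endpoint pattern are assumptions for this example, not FedRAMP’s official mapping.

```python
"""Added example: map a deployment inventory to controls and emit POA&M findings.
The inventory format and the NIST 800-53 control mapping below are assumptions."""
import re

# Constructed inventory of one deployment (values chosen to show two classic traps).
DEPLOYMENT = {
    "kms_endpoint": "kms.us-west-2.amazonaws.com",  # commercial, non-FIPS endpoint
    "kms_key_rotation": True,
    "ebs_encrypted": True,
    "cloudtrail_enabled": False,                     # "logs or it didn't happen"
    "mfa_required": True,
    "max_session_duration": 7200,                    # guide wants 3600
}

# GovCloud FIPS endpoints look like <service>-fips.us-gov-<east|west>-1.amazonaws.com
FIPS_ENDPOINT = re.compile(r"^[a-z0-9.-]+-fips\.us-gov-(east|west)-1\.amazonaws\.com$")

# (control id, description, predicate that returns True when the control is met)
CHECKS = [
    ("SC-13", "FIPS 140-2 validated KMS endpoint",
     lambda d: bool(FIPS_ENDPOINT.match(d["kms_endpoint"]))),
    ("SC-28", "EBS volumes encrypted at rest", lambda d: d["ebs_encrypted"]),
    ("SC-12", "KMS key rotation enabled", lambda d: d["kms_key_rotation"]),
    ("AU-2", "CloudTrail enabled", lambda d: d["cloudtrail_enabled"]),
    ("IA-2", "MFA required for all users", lambda d: d["mfa_required"]),
    ("AC-12", "Session timeout <= 3600 s", lambda d: d["max_session_duration"] <= 3600),
]


def assess(deployment):
    """Return (control_id, description) for every check the deployment fails."""
    return [(cid, desc) for cid, desc, ok in CHECKS if not ok(deployment)]


def poam(findings, target="Q3"):
    """Render findings as POA&M lines: '<control>: <gap> -> Fix by <milestone>'."""
    return [f"{cid}: {desc} -> Fix by {target}" for cid, desc in findings]


if __name__ == "__main__":
    for line in poam(assess(DEPLOYMENT)):
        print(line)
```

Swap the constructed DEPLOYMENT dict for values pulled from your real Terraform state or AWS Config output and the same checks become a pre-audit gate.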

Common Mistakes

  • Mistake: Assuming compliance = security
    Correction: Compliance is the minimum bar—security is a continuous process.
    Why: A SOC2-compliant system can still be hacked if you don’t patch vulnerabilities.

  • Mistake: Hardcoding secrets
    Correction: Use AWS Secrets Manager, HashiCorp Vault, or Kubernetes Secrets.
    Why: Hardcoded passwords in GitHub = instant audit failure.

  • Mistake: Ignoring customer overlays
    Correction: Always ask: "Are there extra controls beyond FedRAMP/GDPR?"
    Why: DoD adds CMMC, healthcare adds HIPAA, and some agencies add custom rules.

  • Mistake: Not testing in the customer’s environment
    Correction: Deploy a mirror environment and run compliance scans before go-live.
    Why: What works in your lab may break behind their firewall (e.g., missing CA certificates).

  • Mistake: Forgetting to log everything
    Correction: Enable CloudTrail, VPC Flow Logs, and OS-level auditing (e.g., auditd).
    Why: Auditors will ask for proof—if it’s not logged, it didn’t happen.


FDE Interview / War Story Insights


Interview Questions They’ll Ask

  1. "You’re deploying to a FedRAMP Moderate environment, but the customer’s ISSO says your Terraform doesn’t meet AC-2 (Account Management). What do you do?"
     Answer: Ask for the specific control requirement (e.g., "Do they need IAM password policies or session timeouts?"). Then update Terraform to enforce it (e.g., the aws_iam_account_password_policy resource) and document the change in the SSP.

  2. "A customer demands a feature that violates GDPR (e.g., storing PII without encryption). How do you respond?"
     Answer: Say: "I’ll escalate this to our legal team and the customer’s DPO (Data Protection Officer). We can explore alternatives like anonymization or tokenization."

War Stories

  • The "We Forgot FIPS" Disaster:
    A team deployed to AWS GovCloud but used non-FIPS endpoints (e.g., kms.us-west-2.amazonaws.com instead of kms-fips.us-gov-west-1.amazonaws.com). The system failed the 3PAO audit, and they had to rebuild the entire KMS infrastructure in 2 weeks.

  • The "Logs or It Didn’t Happen" Nightmare:
    A customer’s HIPAA auditor asked for 6 months of database access logs. The team had disabled CloudTrail to "save costs." They failed the audit and had to pay for a forensic investigation.


Quick Check Questions

  1. You’re deploying to a FedRAMP environment, but the customer’s firewall blocks all outbound traffic. How do you install dependencies?
     Answer: Use offline dependency management (e.g., pip download + dpkg -i for Debian, or Docker save/load).
     Explanation: Air-gapped environments require pre-approved media (e.g., USB drives with signed packages).

  2. A customer asks you to delete a user’s data to comply with GDPR. What’s the first thing you check?
     Answer: Verify all backups, logs, and replicas are included in the deletion.
     Explanation: GDPR’s "right to erasure" applies to all copies of the data.

  3. You’re deploying to a DoD environment with CMMC Level 2. The customer says, "Just use our shared admin account." What do you do?
     Answer: Push back and enforce individual accounts with MFA.
     Explanation: CMMC AC-2(1) requires unique user IDs and least privilege.

Last-Minute Cram Sheet

  1. FedRAMP Moderate = 171 controls. FedRAMP High = 421 controls.
  2. FIPS 140-2 = U.S. government crypto standard. Use fips-mode-setup --enable on Linux.
  3. GDPR = 72-hour breach notification. HIPAA = 60-day breach notification.
  4. CMMC Level 2 = 110 controls. Level 3 = 130 controls (for classified data).
  5. ATO = Authority to Operate. 3PAO = Third-Party Assessment Organization (for FedRAMP).
  6. SOC2 = Security, Availability, Processing Integrity, Confidentiality, Privacy (SAPCP).
  7. Least Privilege = Only give permissions needed for the task.
  8. Audit Trail = Immutable logs (e.g., CloudTrail, auditd).
  9. ⚠️ Always test in the customer’s environment—what works in your lab may break behind their firewall.
  10. POA&M = Plan of Action & Milestones (your compliance to-do list).

