FedRAMP Authorization

OSCAL export ready.
FedRAMP evidence automated.

Cloud Service Providers spend months assembling FedRAMP evidence packages manually. MergeWhy captures change management evidence automatically and exports OSCAL 1.1.2 documents ready for 3PAO review.

OSCAL becomes mandatory for FedRAMP submissions in September 2026. Zero organizations have submitted OSCAL packages to date.

Install GitHub App — Free Talk to sales →

800+

NIST 800-53 controls

OSCAL document types

OSCAL submissions to date

Sept 2026

mandatory deadline

Capabilities

Everything you need for
FedRAMP change management.

OSCAL 1.1.2 Export EngineMandatory Sept 2026

Generate machine-readable OSCAL JSON documents — System Security Plans, Assessment Results, and Plans of Action & Milestones. Built-in structural validator ensures your submissions meet FedRAMP requirements before you upload.

NIST 800-53 Control Mapping

Every code change is automatically evaluated against NIST 800-53 controls. Configuration Management (CM), System & Information Integrity (SI), Access Control (AC), and Audit & Accountability (AU) families mapped out of the box.

SHA-256 Evidence Vault

All evidence is cryptographically sealed at merge time into a tamper-proof vault. When your 3PAO asks for proof of change management controls, you have cryptographic certainty — not screenshots.

Self-Hosted Deployment

Deploy MergeWhy in your own FedRAMP-authorized boundary. Docker or Kubernetes. OIDC authentication with any IdP. No data leaves your environment. Air-gapped collector agent available.

How It Works

Three steps to FedRAMP-ready evidence.

Install the GitHub App

Connect your repositories in under 2 minutes. MergeWhy begins capturing evidence from your very first PR.

Merge as usual

Engineers change nothing about their workflow. Every merge automatically generates a Decision Evidence Record mapped to NIST 800-53 controls.

Export OSCAL packages

Generate FedRAMP-ready OSCAL 1.1.2 JSON with one click. SSP, Assessment Results, and POA&M — validated and ready for submission.

Coverage

NIST 800-53 control families mapped.

CM — Configuration ManagementSI — System & Information IntegrityAC — Access ControlAU — Audit & AccountabilitySA — System & Services AcquisitionCA — Assessment & AuthorizationRA — Risk AssessmentSC — System & Communications Protection

Get Started

Don't wait for the
OSCAL deadline.

Start capturing FedRAMP-ready evidence today. Free for your first repository.

Install GitHub App — Free Request a demo →

OSCAL export ready.FedRAMP evidence automated.

Everything you need forFedRAMP change management.