FedRAMP 20x Toolkit: Open-Source KSI Mappings & Example Packages

Boundera's open-source FedRAMP 20x Toolkit gives CSPs practitioner-grade AWS-to-KSI evidence mappings for the IAM and MLA families and machine-readable example packages (a sample KSI package and an SSP fragment) to use as references. It is MIT-licensed and alpha (v0.1.x), targets FRMR v0.9.43-beta, and covers two of the eleven KSI families publicly. A KSI-specific package validator is on the roadmap.

June 4, 2026 | 7 min read

Main question

What open-source tools help map evidence to FedRAMP 20x KSIs?

Preparing a FedRAMP 20x submission means turning abstract Key Security Indicators into concrete evidence — and figuring out, indicator by indicator, exactly which cloud signals prove each one. Boundera's open-source FedRAMP 20x Toolkit gives you a practitioner-grade head start: real AWS-to-KSI evidence mappings and machine-readable example packages you can use as references. It's MIT-licensed and free.

Key takeaways

  • It publishes detailed AWS evidence mappings for two KSI families — Identity & Access Management (KSI-IAM) and Monitoring, Logging & Auditing (KSI-MLA).
  • It ships machine-readable JSON example packages — a sample KSI package and an SSP fragment — so you know what good looks like.
  • It's alpha (v0.1.x), targets FRMR v0.9.43-beta, and covers 2 of the 11 KSI families publicly — a free reference, with full coverage in Boundera's product.

Why a toolkit?

The hardest part of a 20x submission isn't understanding what a KSI means — it's the gap between the requirement and the evidence. "Enforce phishing-resistant MFA" is clear enough; what's not obvious is which AWS Config rule, which Security Hub control, or which CloudWatch metric an assessor will actually accept as proof, and what a well-formed evidence reference looks like in OSCAL. Teams burn weeks rediscovering those mappings from scratch.

This toolkit writes them down. For each indicator it maps, it states the requirement in plain English, names two or three concrete AWS evidence sources that satisfy it, shows the shape of valid evidence, and flags the gaps engineers commonly hit during readiness. Shared, public mappings reduce ambiguity for everyone preparing a 20x submission — which is why it's open source.

What's inside

Component             | What it gives you
ksi-mappings/aws/iam  | All 7 KSI-IAM indicators mapped to AWS evidence sources (MFA, passwordless, non-user auth, just-in-time, least privilege, suspicious-activity response, automated account management)
ksi-mappings/aws/mla  | All 5 KSI-MLA indicators (SIEM operation, log review, configuration evaluation, event-type logging, log-access authorization)
examples/             | A full machine-readable JSON KSI package and an SSP snippet referencing KSI evidence
docs/                 | Plain-language explainers, including how the repo relates to the commercial product

Each mapping file carries provenance — the FRMR version it targets and a last-validated date — so you can trust which release it reflects. The indicator IDs follow the current mnemonic naming (for example KSI-IAM-MFA, KSI-MLA-OSM), with the older numeric IDs preserved as a "formerly known as" field for packages authored against earlier releases.

Validating your KSI package

The example packages exist so you can see exactly what a well-formed KSI package looks like before you build your own. A KSI-specific validator — one that adds structure and indicator-level checks — is on the roadmap rather than shipped today. If your package is in OSCAL, you can also run it through the official NIST OSCAL CLI for schema validation.
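As an added example, not code from the toolkit itself, here is a small pre-check in the spirit of the roadmap validator: it refuses a mapping file that lacks provenance or targets a different FRMR release than this post's v0.9.43-beta, and it normalises the indicator IDs a package references through the "formerly known as" field. The JSON field names (frmr_version, last_validated, indicators, formerly_known_as) and the sample legacy IDs are assumed stand-ins, since the post does not show the repo's actual schema.

```python
import json
import re

# Constructed sample. The field names below are a hypothetical shape, not the
# toolkit's real schema; only the FRMR target and the mnemonic IDs come from the post.
TARGET_FRMR = "v0.9.43-beta"
ID_PATTERN = re.compile(r"^KSI-(IAM|MLA)-[A-Z]{2,4}$")

MAPPING_JSON = json.dumps({
    "frmr_version": "v0.9.43-beta",
    "last_validated": "2026-04-15",
    "indicators": [
        {"id": "KSI-IAM-MFA", "formerly_known_as": "KSI-IAM-01"},
        {"id": "KSI-MLA-OSM", "formerly_known_as": "KSI-MLA-01"},
    ],
})


def load_mapping(text):
    """Parse a mapping file; reject missing provenance or a different FRMR target."""
    mapping = json.loads(text)
    for field in ("frmr_version", "last_validated", "indicators"):
        if field not in mapping:
            raise ValueError(f"mapping lacks provenance field {field!r}")
    if mapping["frmr_version"] != TARGET_FRMR:
        raise ValueError(f"mapping targets {mapping['frmr_version']}, expected {TARGET_FRMR}")
    return mapping


def id_index(mapping):
    """Map both current mnemonic IDs and legacy numeric IDs to the current ID."""
    index = {}
    for ind in mapping["indicators"]:
        if not ID_PATTERN.match(ind["id"]):
            raise ValueError(f"non-mnemonic indicator id {ind['id']!r}")
        index[ind["id"]] = ind["id"]
        legacy = ind.get("formerly_known_as")
        if legacy:
            index[legacy] = ind["id"]
    return index


def check_package(package_ids, mapping):
    """Return (normalised ids, problems) for the indicator IDs a KSI package references."""
    index = id_index(mapping)
    current, problems = [], []
    for pid in package_ids:
        if pid not in index:
            problems.append(f"{pid}: unknown indicator for {mapping['frmr_version']}")
        elif index[pid] != pid:
            problems.append(f"{pid}: legacy id, use {index[pid]}")
            current.append(index[pid])
        else:
            current.append(pid)
    return current, problems
```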

For the role OSCAL plays in FedRAMP — and how to get your documentation into it — see our guide to converting an SSP to OSCAL and the OSCAL for FedRAMP explainer.

What it covers — and what it doesn't

The toolkit maps two of the eleven KSI families on AWS. The other nine families — and Azure and GCP coverage — are not in the public repo; that's where Boundera's commercial product comes in, with automated evidence collection across all indicators and clouds, continuous posture, and audit-ready package generation. The toolkit is a genuine, useful reference on its own; it's just honest about its scope rather than pretending to be a complete solution.

It pairs naturally with the FedRAMP 20x KSI GitHub Action, which validates Terraform IaC against the configuration KSIs in CI, and with our deeper write-up on implementing KSI checks as first-class objects.

Frequently asked questions

What is the FedRAMP 20x Toolkit?

An open-source, MIT-licensed repository of AWS-to-KSI evidence mappings and machine-readable example packages, intended to help Cloud Service Providers prepare FedRAMP 20x submissions. It's maintained by Boundera.

How many KSIs does it map?

It publicly maps two of the eleven KSI families on AWS — KSI-IAM (7 indicators) and KSI-MLA (5 indicators). The full FRMR set is 11 families and 60 indicators; the remaining families and other clouds are covered in Boundera's commercial product.

Is there a tool to validate my KSI package?

Not yet in this toolkit — a KSI-specific validator is on the roadmap. Today, use the toolkit's example packages as a reference for correct structure; if your package is in OSCAL, the official NIST OSCAL CLI can confirm it is schema-valid.

Can I submit the example packages?

No. The examples/ files are illustrative references to show the correct structure; they aren't based on any real system. Use them as a template, not a submission.

What FRMR version does it target?

The mappings target FRMR v0.9.43-beta (last updated April 2026). Each mapping carries a version and last-validated field, and the project aims to update mappings shortly after FedRAMP publishes changes upstream.

Is it stable?

It's alpha (v0.1.x) — the mappings and validator work, but interfaces may change before v1.0, with breaking changes flagged by a SemVer major bump.

Last updated: June 2026. Written by the Boundera team.