10+ Years of Proven FedRAMP &
Cloud Security Success

Celonis, a global leader in Process Mining, today announced it has received FedRAMP authorization through Knox, achieving the strictest standard in handling the U.S. federal government’s most sensitive, unclassified data in cloud computing environments.

Our federal government needs more options for data-driven insights and information analysis. Celonis provides a better alternative for agencies looking to unlock efficiency while retaining control over their data. This open approach ensures the federal government can modernize without sacrificing control to private interests.

With Celonis FedRAMP compliant, federal agencies like the Department of Defense can now use mission-critical tools to streamline operations, uncovering and resolving hidden inefficiencies to perform faster and better. 

Celonis partnered with Knox, the largest and longest-running managed federal cloud provider, to get authorized in just 45 days. Knox gets companies FedRAMP compliant quickly and easily by running their applications inside their pre-authorized federal boundary.

Knox powers the most secure and longest-running managed federal cloud, with FedRAMP-authorized environments across AWS, Azure, and GCP. Trusted by leaders like Adobe, Spacelift, and Class, Knox supports authorizations across 15+ federal agencies and is increasingly the backbone of compliance for the next generation of government SaaS.

‍

We’re proud to announce our $6.5 million seed round raise. TechCrunch covered the news this morning:

Knox, named after a giant gold storage fort in Kentucky, essentially provides a compliance management platform via a managed cloud that customers can connect their codebase to. The company's software runs a continuous series of tests and audits to identify where the customer's infrastructure, code and security controls are falling short of FedRAMP standards, and either remediates those issues itself or flags them to the customer. It also offers some non-software tools to track and verify policies like personnel training and vendor management.

Knox Raises Round Led by Felicis to Accelerate AI and SaaS Adoption by the Federal Government and DoD

We’re solving one of the most urgent problems in GovTech: how to safely accelerate the adoption of AI and cloud software at scale.

The investment, led by Felicis with participation from Ridgeline and FirsthandVC, will help us unlock thousands of secure, AI-powered SaaS apps for government and DoD use.

We’re on a mission to bring the best technology innovation to our government. Technologies such as AI can drive transformational growth and productivity gains, which is critical for the United States to stay competitive as the global leader. Knox is working closely with key agencies to pioneer a secure AI infrastructure model that enables access to these applications without sacrificing control or security.

Our AI-powered, turnkey platform offers a faster, more agile path to FedRAMP authorization by automating manual processes while also contextualizing decades of operational know-how into digital expert agents.

We’re working closely with the U.S. government to pioneer a secure AI infrastructure model that enables access to SaaS applications without sacrificing control or security. Knox supports all three major hyperscalers and is trusted by more than 15 federal and defense agencies, including the Department of Homeland Security, the Treasury Department, and the Marines.

Thanks again to Viviana Faga and Nancy Wang at Felicis, Ben Walker at Ridgeline and Simon Chan at FirsthandVC for their support as we build.

Part 3: Toward Continuous Compliance: Open Telemetry, Control Coverage, and the Role of the 3PAO

By Casey Jones, Chief Architect of Knox Systems

In Part 1, we proposed the concept of a Security Ledger: a cryptographically verifiable system of record for compliance that updates continuously based on real-time evidence. In Part 2, we detailed how risk-adjusted confidence scores can be calculated using Bayes’ Theorem and recorded immutably in LedgerDB.

In this third and final part of the series, we focus on the next frontier: standardizing telemetry coverage across controls, open-sourcing the control-to-evidence map, and redefining the role of the 3PAO to ensure integrity in a continuous compliance world.

Building the Open Compliance Telemetry Layer

In order for the Security Ledger to be trustworthy, it must be fed with comprehensive, observable evidence across the full FedRAMP boundary. That means creating a control-to-telemetry map that:

• Defines what evidence types are relevant for each FedRAMP control
• Maps those to Prometheus-compatible metrics
• Defines evidence freshness, decay windows, and severity
• Supports automated generation of control coverage reports
  
  

At Knox, we’re working to open-source this telemetry model so that:

• Every stakeholder (CSPs, 3PAOs, agencies) understands the required observability footprint
• No one is guessing what counts as evidence
• The community can contribute new detectors and mappings

Just like OWASP standardized threat awareness, we need a COTM — Common Observability for Trust Model.

Coverage Is the Control: Incomplete Telemetry ≠ Compliance

In the current FedRAMP model, it's possible to "pass" controls without actually observing the whole system. But in a ledger-based model, telemetry gaps are violations.

Examples of common pitfalls:

• Only scanning certain subnets or environments (e.g., “we forgot our staging VPN”)
• Disabling or misconfiguring logging for noisy subsystems
• Letting vulnerability scan coverage drop below 100% of the boundary
• Using static evidence from prior scans without freshness guarantees
• Allowing Prometheus exporters to fail silently without alerting
  
  

In a real-time, risk-scored model, all of these create confidence decay—and should result in lowered scores or even automated POA&M creation.

The New Role of the 3PAO: Continuous Verifier of Scope, Integrity, and Fair Play

In a world where compliance is driven by real-time evidence, the Third Party Assessment Organization (3PAO) becomes more critical—not less.

But their role shifts from "point-in-time validator" to continuous integrity checker.

Here’s what the 3PAO’s job looks like in a Knox-style system:

1. Boundary Enforcement

• Validate that all components within the FedRAMP boundary are included in telemetry coverage
• Detect "convenient omissions" (e.g., shadow servers, unmonitored edge cases)
  

2. Signal Integrity

• Confirm that metrics flowing into the Security Ledger are accurate, unmodified, and traceable
• Review sampling intervals, evidence freshness, and exporter health
• Perform forensic verification of selected evidence streams
  

3. Anti-Fraud Auditing

• Detect signs of foul play or negligence, such as:
  
  • Turning off scanning before high-risk deploys
  • Creating “burner” environments that avoid monitoring
  • Suppressing alert signals or log forwarders
  • Replaying old data to simulate real-time telemetry
    

4. Ledger Auditing

• Verify the cryptographic chain of trust in the ledger system (e.g., via Amazon Aurora PostresSQL or blockchain)
• Ensure control scores are only adjusted by valid evidence with assigned LLRs
• Validate that manual overrides are documented and signed
  

In this model, the 3PAO becomes the trust anchor of the continuous compliance pipeline.

They’re not just checking boxes—they’re inspecting the wiring.

Transparency Through Community

All of this only works if the model is open:

• The LLRs for each control must be public
• The control-to-metrics map must be versioned and community-governed
• The Security Ledger’s core schema must be inspectable and verifiable

Just as large language models opened their weights to gain credibility, compliance models must open their logic. Closed-source compliance logic is a liability.

The Future of FedRAMP Is Verifiable, Transparent, and Alive

We’re not just building for ATOs—we’re building for continuous trust.

FedRAMP’s future lies in:

• Real-time metrics
• Probabilistic control scoring
• Immutable audit trails
• Open-source control logic
• 3PAOs as continuous validators, not just periodic checkers

At Knox, we’re committed to that shift—because trust shouldn’t expire every 12 months.

‍