What is Cybertorch MDR?

Cybertorch is Quzara's FedRAMP High Authorized Managed Extended Detection and Response (MXDR) platform. It provides 24/7 security monitoring, threat detection, incident response, and vulnerability management staffed entirely by U.S. citizens on Azure Government infrastructure.

How does Cybertorch help with CMMC compliance?

Cybertorch allows defense contractors to inherit FedRAMP High Authorized security controls rather than building their own SOC. This accelerates CMMC Level 2 compliance by satisfying continuous monitoring, incident response, and security operations requirements with a proven, audited platform.

Is Cybertorch FedRAMP authorized?

Yes. Cybertorch is FedRAMP High Authorized and operates on Azure Government, authorized for DoD Impact Level 4. It supports Microsoft GCC High environments and meets CMMC, FISMA, and NIST SP 800-171 requirements.

High-end managed detection and response center, realistic futuristic SOC environment, modern security operations center with multiple monitors displaying threat intelligence, cybersecurity analysts at workstations, real-time threat detection das...-2

Inheritable FedRAMP Controls

FedRAMP control inheritance is the mechanism by which a cloud service operating on top of a FedRAMP-authorized platform can claim that the platform's controls satisfy the service's requirements for those same controls. This page covers how inheritance works, the specific control families Cybertorch makes inheritable, what inheritance removes from your authorization scope, and how NISTCompliance.AI generates the inheritance matrix automatically.

A foundational design principle, not a shortcut

How Inheritance Works

FedRAMP control inheritance is the mechanism by which a cloud service operating on top of a FedRAMP-authorized platform can claim that the underlying platform's controls satisfy the service's requirements for those same controls. Inheritance is not a workaround or a shortcut; it is a foundational design principle of the program. Done correctly, inheritance eliminates duplicate work across the federal cloud ecosystem and lets each layer of the stack focus on the controls it actually owns.

Every cloud service operates on top of infrastructure it does not fully control. A SaaS provider runs on a cloud platform. The cloud platform runs on physical data centers. At each layer, certain security controls are the layer's own responsibility, and certain controls are the responsibility of the layer beneath. FedRAMP inheritance formalizes this relationship. A service documents which controls it inherits from the platform, which it shares with the platform, and which it implements itself. For controls fully inherited, the service is not responsible for implementing them; the platform's authorization stands.

AU, IR, CA, SI, and adjacent families

Control Families Inheritable from Cybertorch

Cybertorch is FedRAMP Certified at Class D on Azure Government. Cloud providers operating workloads protected by Cybertorch can inherit substantial portions of the control families that cover security operations, continuous monitoring, incident response, and audit. The list below covers the major control families and specific high-impact controls.

Audit and Accountability (AU)

Cybertorch operates centralized log collection, SIEM, log retention, and continuous security event analysis across the protected boundary. A cloud provider inheriting from Cybertorch documents the inheritance for AU-2 (Event Logging), AU-3 (Content of Audit Records), AU-6 (Audit Record Review, Analysis, and Reporting), AU-9 (Protection of Audit Information), AU-11 (Audit Record Retention), AU-12 (Audit Record Generation), and related controls. Building this infrastructure independently is a multi-quarter project; inheriting it is documentation work.

Incident Response (IR)

Cybertorch operates 24/7 incident response with U.S.-citizen analysts, response playbooks aligned to federal reporting requirements, and integration with agency-specific incident reporting. A cloud provider inheriting from Cybertorch inherits the IR-4 (Incident Handling), IR-5 (Incident Monitoring), IR-6 (Incident Reporting), IR-7 (Incident Response Assistance), IR-8 (Incident Response Plan), and related control implementations rather than standing up an independent SOC.

Continuous Monitoring (CA and SI)

Cybertorch's continuous validation telemetry covers CA-7 (Continuous Monitoring), SI-4 (System Monitoring), SI-5 (Security Alerts, Advisories, and Directives), and related controls. The cloud provider documents the inheritance and focuses its own implementation on the controls specific to its service.

System and Information Integrity (SI) Extensions

Beyond the core continuous monitoring controls, Cybertorch contributes to SI-3 (Malicious Code Protection) for endpoints in the monitored boundary, SI-7 (Software, Firmware, and Information Integrity) through the configuration monitoring posture, and SI-10 (Information Input Validation) through application telemetry analysis.

Risk Assessment (RA) Overlap

Cybertorch's continuous vulnerability scanning and threat intelligence integration contribute to RA-5 (Vulnerability Monitoring and Scanning). The cloud provider's RA-5 implementation can reference Cybertorch's scanning posture for the monitored boundary as a contributing component.

Configuration Management (CM) Overlap

Cybertorch's continuous configuration drift detection contributes to CM-2 (Baseline Configuration), CM-3 (Configuration Change Control), CM-6 (Configuration Settings), and CM-8 (Information System Component Inventory) for the monitored boundary. This is an overlap area rather than full inheritance; the cloud provider remains responsible for its own application-layer configuration.

Boundary precision

What Inheritance Does and Does Not Cover

Inheritance is precise. A cloud provider cannot inherit controls Cybertorch does not operate. Application-layer controls, the service's own access controls, the service's data handling, the service's specific configuration management, all remain the provider's responsibility. Inheritance reduces scope; it does not eliminate the provider's authorization work. The boundary between inherited and owned controls is documented in the inheritance matrix, a standard artifact in FedRAMP packages. Under 20x, the inheritance matrix becomes part of the OSCAL Component Definition that Cybertorch publishes, and the provider's OSCAL SSP references the Component Definition directly. The provider's SSP lists each control with its inheritance status: fully inherited, shared (provider implements its portion, platform implements its portion), or fully owned by the provider. For application-layer security controls (input validation, business-logic access controls, application-specific encryption keys, application user identity management), inheritance does not apply. These remain the cloud provider's responsibility regardless of the platform underneath. The cloud provider's SSP must implement these controls independently and document the implementation in detail. For controls that are partially in scope for the platform and partially in scope for the provider (Configuration Management, Identification and Authentication for human users, Access Control), the inheritance is documented as shared. Shared controls are common in federal cloud architectures and require careful documentation in the inheritance matrix. The practical implication: inheritance is a meaningful but not total reduction in the provider's authorization scope. A typical Class C (Moderate) authorization without inheritance requires implementing approximately 323 controls. With substantive inheritance from a Class D platform, the provider's owned control count drops materially, with 30 to 40 percent reductions achievable for services that use the platform's security operations as part of their architecture.

MDR vs EDR vs SIEM vs MSSP vs XDR comparison

Why inheritance compresses the path

Timeline and Cost Impact of Class D Inheritance

The timeline impact is larger than the control-count reduction suggests, because the inherited controls are typically the operationally heaviest ones. The items below cover where inheritance delivers the most material time and cost compression.

Eliminates Multi-Quarter SOC Buildout

Building a 24/7 Security Operations Center is a multi-quarter project: hiring and clearing U.S.-citizen analysts, deploying a SIEM, instrumenting log collection, writing incident response playbooks, integrating threat intelligence. Inheriting these from Cybertorch compresses the project to weeks of documentation rather than quarters of implementation.

Eliminates 24/7 Staffing Burden

Maintaining 24/7 SOC operations requires three shifts of analysts with primary and secondary coverage on every tier, sustained year-round across all U.S. holidays. The ongoing staffing burden is significant. Inheritance shifts that burden to the platform; the cloud provider does not maintain its own 24/7 analyst team.

Reduces Audit Surface Area

Inherited controls are documented in the inheritance matrix and referenced in the SSP, but the 3PAO does not re-assess them; the platform's authorization stands. This reduces the cloud provider's audit surface area meaningfully, with the assessor focusing on the provider's owned and shared controls.

Compresses Authorization Timeline

The Phase 1 20x pilot demonstrated authorizations in weeks for cloud-native providers operating on FedRAMP-authorized infrastructure with substantial inheritance. The 18-plus-month Rev5 baseline compresses meaningfully under the combination of cloud-native architecture, KSI-driven evidence emission, OSCAL machine-readable submission, and substantive inheritance from a Class D platform.

Over-Satisfies Lower Class Requirements

Inheriting from a Class D platform delivers controls implemented to the High baseline standard. A Class C service inheriting Class D controls receives implementations that exceed Moderate requirements, which is operationally valuable for missions that may expand into higher-sensitivity data over time.

How NISTCompliance.AI Generates the Inheritance Matrix

NISTCompliance.AI ingests Cybertorch's Component Definition (the OSCAL artifact documenting inheritable controls) and generates the inheritance matrix and inherited control sections of the cloud provider's OSCAL SSP automatically. The platform handles the cross-references between the provider's SSP, the platform's Component Definition, and the underlying NIST SP 800-53 control catalog, producing a submission-ready artifact that documents inheritance correctly the first time.

From contract to OSCAL artifact

How to Claim Inheritance from Cybertorch in Your Authorization Package

Claiming inheritance is a documentation discipline. The provider must obtain the platform's Component Definition, document the inheritance scope in the SSP, and maintain the inheritance documentation through continuous monitoring. The items below cover the operational steps.

Establish the Service Relationship Inheritance presupposes that the cloud provider's workloads are actually protected by the inheriting platform. For Cybertorch inheritance, this means the provider's in-scope systems are monitored by Cybertorch's SOC, with log collection, SIEM analysis, and incident response covering the provider's authorization boundary. The service relationship is established through a Customer Responsibility Matrix and a service agreement.

Obtain the Cybertorch Component Definition Cybertorch publishes an OSCAL Component Definition documenting the inheritable controls customers receive from the Class D platform. The Component Definition is the machine-readable source for the inheritance scope. Cloud providers reference the Component Definition directly in their SSPs rather than restating the inherited controls.

Document Inheritance in the SSP For each control in the provider's target baseline, the SSP documents the inheritance status: fully inherited, shared (with the provider's portion and the platform's portion delineated), or fully owned by the provider. The SSP references the Component Definition for inherited controls and provides full implementation details for shared and owned controls.

Build the Inheritance Matrix The inheritance matrix is a standard FedRAMP artifact, traditionally maintained as a spreadsheet. Under 20x, the matrix is part of the OSCAL package. The matrix lists each control, the inheritance status, and the responsible party. NISTCompliance.AI generates the inheritance matrix automatically from the Component Definition and the provider's control implementations.

Maintain Inheritance Through Continuous Monitoring Inheritance is not a one-time documentation exercise. The provider must maintain the inheritance documentation through continuous monitoring, updating the SSP and inheritance matrix when the platform's inherited controls change or when the provider's relationship with the platform changes. Significant Change Notices may apply if the inheritance posture changes materially.

Validate Inheritance During Assessment During the 3PAO assessment, the assessor reviews the inheritance documentation and validates that the provider is actually receiving the inherited controls from the platform. The assessor does not re-assess the platform's controls; the platform's authorization stands. The assessment focuses on whether the inheritance is correctly documented and operationally real.

How NISTCompliance.AI Handles the Full Inheritance Workflow NISTCompliance.AI ingests the Cybertorch Component Definition, generates the inheritance matrix, populates the inherited control sections of the SSP, maintains the inheritance documentation through continuous monitoring, and produces the cross-references that the 3PAO assessment requires. The platform handles cross-framework mapping so the same inheritance documentation satisfies FedRAMP, CMMC Level 2, and FISMA Moderate from a single evidence base.

Building on a FedRAMP Certified Class D Platform?

Cybertorch is FedRAMP Certified at Class D on Azure Government, providing inheritable controls across the Audit, Incident Response, and Continuous Monitoring families. NISTCompliance.AI generates the inheritance matrix and inherited SSP sections automatically. Request a consultation to map your inheritance scope.

Common Questions About FedRAMP Control Inheritance

What does FedRAMP control inheritance mean? Inheritance is the mechanism by which a cloud service operating on top of a FedRAMP-authorized platform can claim that the platform's controls satisfy the service's requirements for those same controls. The service does not need to implement the inherited controls independently; the platform's authorization stands.

Is inheritance a shortcut? No. Inheritance is a foundational design principle of the FedRAMP program, intended to eliminate duplicate work across the federal cloud ecosystem. Each layer of the stack focuses on the controls it actually owns; inheritance documents which controls a layer relies on from the layer beneath.

What does Cybertorch make inheritable? Cloud providers operating workloads protected by Cybertorch can inherit substantial portions of the Audit and Accountability (AU), Incident Response (IR), and Continuous Monitoring (CA, SI) control families. Specific high-impact controls include AU-2, AU-3, AU-6, AU-9, AU-12, IR-4, IR-5, IR-6, IR-7, IR-8, CA-7, SI-4, and SI-5.

What does inheritance not cover? Application-layer controls remain the cloud provider's responsibility: input validation, business-logic access controls, application-specific encryption keys, application user identity management. These cannot be inherited from an underlying platform and must be implemented and documented independently.

What is the inheritance matrix? The inheritance matrix is a standard FedRAMP artifact documenting which controls the cloud provider inherits from the platform, which it shares with the platform, and which it owns entirely. Under 20x, the matrix is part of the OSCAL package, referenced from the SSP.

What is a Component Definition? A Component Definition is an OSCAL document that describes a reusable security component and the controls that component satisfies. Inheritable platforms publish Component Definitions that customers reference in their SSPs. Cybertorch publishes a Component Definition documenting the inheritable controls customers receive.

How much does inheritance reduce my control count? For services that use the platform's security operations as part of their architecture, 30 to 40 percent reductions in owned control count are achievable. The reduction varies by service architecture and the depth of integration with the platform.

Does inheritance from a Class D platform help my Class C service? Yes, substantively. Inheriting from a Class D platform delivers controls implemented to the High baseline standard, which over-satisfies the Class C (Moderate) requirements. The platform's controls over-satisfy the service's requirements when the platform operates at a higher class than the service targets.

How does the 3PAO validate inheritance? The 3PAO reviews the inheritance documentation and validates that the provider is actually receiving the inherited controls from the platform. The assessor does not re-assess the platform's controls; the platform's authorization stands. The assessment focuses on whether the inheritance is correctly documented and operationally real.

What happens if my inheritance relationship changes? Changes to the inheritance posture trigger a Significant Change Notice. The provider's SCN scope contracts when inheritance deepens and expands when inheritance changes. NISTCompliance.AI handles the SSP updates and SCN generation automatically when the Component Definition references change.

Can I inherit from multiple platforms? Yes. A cloud service can inherit different controls from different underlying platforms: identity from one provider, infrastructure from another, MDR from a third. Each platform publishes its own Component Definition, and the service's SSP references each separately.

How does NISTCompliance.AI handle inheritance? NISTCompliance.AI ingests the Cybertorch Component Definition and generates the inheritance matrix and inherited control sections of the cloud provider's OSCAL SSP automatically. The platform handles cross-references between the SSP, the Component Definition, and the underlying NIST SP 800-53 control catalog, and maintains the inheritance documentation through continuous monitoring.