How IntelliGRC expedited FedRAMP Moderate with Linkerd, leading to Increased Revenue by 4x

How a lean cyber compliance SaaS platform team used FIPS-validated encryption to meet federal security requirements and unlock revenue growth

Introducing IntelliGRC

Founded with a mission to empower service providers to deliver high-caliber cybersecurity compliance at scale, IntelliGRC exists to help the Defense Industrial Base (DIB) navigate an increasingly complex regulatory landscape. IntelliGRC provides a purpose-built, AI-native Cybersecurity GRC (Governance, Risk, and Compliance) platform designed first and foremost to enable service providers (i.e., MSPs, MSSPs, consultants) to operationalize CMMC services efficiently and confidently. In addition to its deep focus on CMMC, the platform also supports frameworks such as ISO 27001, SOC 2, CIS, NIST 800-171, NIST 800-53, FedRAMP, HIPAA, and NIST CSF, giving providers a unified, enterprise-grade foundation to deliver consistent, audit-ready compliance outcomes for federal contractors and regulated organizations.

With a team of five US-based engineers, IntelliGRC manages over 42 microservices across production and development Kubernetes clusters on Azure. The team operates a single production cluster with additional dev/test environments, all requiring the same rigorous security standards. Like many lean engineering teams, they needed solutions that would scale without requiring additional headcount dedicated solely to infrastructure management.

The path to FedRAMP: a business imperative

With the need to validate over 300,000 direct Department of Defense (DoD) contractors, subcontractors, and suppliers and deadlines quickly approaching for CMMC, IntelliGRC saw an extraordinary demand for their CMMC compliance platform. But with growth came an unexpected barrier: their larger customers, particularly MSPs managing compliance for 70+ end clients and large enterprises, requested that IntelliGRC implement FedRAMP Moderate Equivalency before signing contracts.

FedRAMP Moderate requires satisfying over 300 security controls, with one of the most technically demanding being FIPS 140-2 validated encryption for all data in transit and at rest, including east-west communication between every pod in their cluster. For a small engineering team, meeting these requirements could pose a significant challenge and strain on existing resources.

“Without FedRAMP compliance, we risked losing out on business opportunities and our philosophy is that good security shouldn't cost a premium to our customers and should be guaranteed,” said Ozzie Saeed, CEO of IntelliGRC. “We knew we needed to act fast and implement the right solutions, not just good security, but also for scale.”

Linkerd: The answer to FIPS-validated encryption

IntelliGRC needed a solution that would solve the FIPS encryption requirement without introducing operational overhead for their containerized microservices architecture. They were already using Linkerd with great success, appreciating its lightweight approach and operational simplicity. When FedRAMP became a business imperative, the path forward became clear: upgrade to Buoyant Enterprise for Linkerd (BEL) to gain access to FIPS 140-2 validated encryption modules. The team's engineering philosophy of investing in simplicity aligned perfectly with Linkerd's design principles. Like many companies evaluating service mesh options, the IntelliGRC team looked at both Linkerd and Istio. They had brief exposure to both in the past but found Istio would not meet the needs of their team.

"We found Istio to be unnecessarily complicated," said Matthew DuVal, Head Engineer at IntelliGRC. "We would have spent months just learning the system, which isn’t an option when you’re in a high growth stage like IntelliGRC. With Buoyant Enterprise for Linkerd, we could get it running immediately and focus on the hundreds of other FedRAMP controls we needed to address."

The implementation

Over several months, the IntelliGRC team pursued dual FedRAMP implementations: the traditional FedRAMP Moderate assessment with a FedRAMP 3PAO for meeting FedRAMP Moderate Equivalency, and the new FedRAMP 20x Low automated authorization process. This ambitious timeline included:

  • Six months rebuilding their entire architecture using Infrastructure as Code with Terraform and the Azure Well-Architected Framework
  • Three months waiting for C3PAO (Certified Third-Party Assessment Organization) availability
  • The assessment process itself, completed in September 2025

Throughout the process, Linkerd provided the critical encryption layer that satisfied FedRAMP's strict FIPS requirements for Kubernetes pod-to-pod communication. The auditors validated the service mesh approach during their assessment, confirming that Linkerd's FIPS-validated modules met all requirements for encryption in transit.

Beyond FIPS, Linkerd delivered crucial operational capabilities that the team leveraged throughout their FedRAMP journey:

  • FIPS mTLS across all 42+ microservices without manual certificate rotation or management overhead
  • Out-of-the-box observability providing visibility into service communication patterns and health
  • Circuit breaking and reliability features improving application resilience during the assessment period

"The ‘drop-in’ nature of Linkerd means we can bring new infrastructure engineers up to speed quickly as we continue to grow and scale," DuVal notes. "They don't need weeks of training on service mesh complexity—they can be productive immediately."

Achieving FedRAMP and unlocking 4x revenue growth

The business impact of achieving FedRAMP readiness has been dramatic. Monthly recurring revenue grew more than 4x and new opportunities doubled since IntelliGRC received the FedRAMP 20x Low Authorization and the FedRAMP Moderate Equivalency attestation from the 3PAO. IntelliGRC estimates that implementing FIPS with Linkerd eliminated at least three months of development time, much of which would have been spent building and maintaining a custom certificate management solution, if such a solution would even have been feasible for their team.

"Our FedRAMP Moderate readiness position has enabled us to continue to grow fast in the industry and ensures we bring truly secure and compliant solutions to the market," Saeed shares. "It's opened doors with MSPs and larger customers that simply wouldn't engage with us otherwise. We're now competing for contracts we couldn't even bid on before."

For DuVal and his team, Linkerd provided crucial peace of mind during an intense sprint to FedRAMP authorization. Rather than constantly firefighting certificate expiration issues or worrying about the security implications of manual processes, they could focus on architecting robust, compliant infrastructure.

Looking ahead

IntelliGRC continues to leverage Linkerd as they scale, and the company recently closed a capital raise to fund expansion. Their technical roadmap includes multi-cluster communication for geographic failover scenarios and VM integration using Linkerd's recently added capabilities.

With their FedRAMP Moderate assessment complete and passed and their FedRAMP 20x Low Authorization completed, IntelliGRC exemplifies how the right technical choices can unlock business growth. By choosing Linkerd, a five-person US-based engineering team achieved what would have taken a much larger team significantly longer, or might not have been achievable at all.

Ready to fast-track your FedRAMP authorization journey? Navigating FIPS compliance, especially within a Kubernetes environment, requires careful planning and the right technical foundation. At Buoyant, we understand the requirements firsthand and have partnered with multiple companies on their successful compliance requirements for FedRAMP, CMMC, FISMA, and more. Learn more about Buoyant Enterprise for Linkerd and FIPS-validated encryption at buoyant.io.