Industry: Public-sector and government technology
Identity disaster recovery for public-sector and government-technology vendors
Public-sector identity stacks carry FedRAMP, StateRAMP, CJIS, and FISMA expectations. The Okta tenant supporting a SaaS vendor's government customer base is also part of the ATO package the vendor maintains.
What goes wrong
Three incidents you have already seen variations of
Policy change breaks CJIS-aligned MFA enforcement
A simplification of authenticator-enrollment policy unintentionally allowed an authenticator class that does not satisfy CJIS advanced authentication. The non-compliant window was open for 36 hours.
FedRAMP audit cycle surfaces missing restore evidence
An annual FedRAMP continuous monitoring review asked for evidence of identity-layer restorability. The team had backups but no point-in-time restore evidence — the auditor flagged a CC7 control gap.
Workflows automation drops the FedRAMP audit-log feed
A Workflows flow forwarding Okta System Log events to the SIEM silently failed after a credential rotation. The audit-log gap had to be reported under FedRAMP IR procedures.
Regulatory shape
Compliance and audit angle
FedRAMP Moderate / High, FISMA, NIST 800-53 Rev 5, CJIS Security Policy 5.9, and StateRAMP all expect the identity layer to have demonstrable backup, restore, and audit-evidence controls. Butterfly's Audit Pack maps to the NIST 800-53 controls CP-9, CP-10, AC-2, and AC-6.
How Butterfly fits
The recovery layer for public-sector and government technology identity
Butterfly captures every Okta resource your ATO package describes. Restore previews give the explicit per-resource evidence FedRAMP and StateRAMP auditors expect. The Audit Pack PDF is NIST 800-53 framework-filterable and includes a SHA-256 manifest for tamper-evident handling.
Frequently asked
FAQ
Is Butterfly itself FedRAMP-authorized?
Butterfly is not currently FedRAMP-authorized. We can support customers whose Okta tenant is part of their own ATO boundary; the Trust Center documents what data Butterfly handles and where it sits.
How does Butterfly map to NIST 800-53 controls?
The Audit Pack PDF is NIST 800-53 filterable. It maps backup posture and restore evidence to CP-9 (System Backup), CP-10 (System Recovery and Reconstitution), AC-2 (Account Management), and AC-6 (Least Privilege).
Can the Audit Pack be hashed and its chain of custody preserved?
Yes. Every Audit Pack PDF includes a SHA-256 manifest. The export endpoint returns the hash alongside the document for chain-of-custody recording.