FlakeHub now has FedRAMP High Authorization

United States federal agencies and their partners build and maintain some of the highest-stakes software on Earth—software that protects essential infrastructure, safeguards classified information, and delivers benefits and services to millions of people. These are exactly the stakes Nix was built for thanks to its reproducibility guarantees and its profound implications for the software supply chain.
Today, we at Determinate Systems are excited to announce that we’re bringing the power of Nix to federal agencies directly: FlakeHub has now achieved FedRAMP High Authorization and is listed in the FedRAMP Marketplace, a result that we achieved by partnering with Knox Systems, the largest, longest-running federal managed cloud.
High Authorization means that our platform is now available to teams operating under the federal government’s strictest security requirements and to any organization that handles Controlled Unclassified Information (CUI), whether or not FedRAMP itself is a requirement for them.
In this announcement, we’ll tell you what FlakeHub is, why FedRAMP High specifically is a big deal, who this is for, and how it fits into a larger story about Nix, Determinate, and the right foundation for critical infrastructure.
FlakeHub, a platform for privately sharing and caching Nix flakes
FlakeHub is our all-in-one platform for Nix flakes, offering:
- Private flakes. Share Nix flakes across your team or org without needing to handle SSH keys or static credentials.
- FlakeHub Cache. A Nix binary cache that enables you to skip redundant builds by fetching pre-built artifacts, providing developers, CI runners, and production systems zero-evaluation deployments in resource-constrained and high-assurance environments.
- Federated auth and fine-grained access control. Integrate with identity providers like GitHub, Entra, Okta, AWS STS, and enforce access policies.
- Trusted publishing and provenance. Semantic versioning for Nix flakes, cryptographic provenance, and publishing restricted to authorized CI/CD systems, so you can answer “what’s running, and where did it come from?” with certainty instead of hope.
FlakeHub essentially Nix and flakes with a governed platform: the same reproducibility guarantees Nix is known for, plus the access control, auditability, and publishing discipline that a real organization—especially one under regulatory scrutiny—actually needs.
The significance of FedRAMP High
FedRAMP is the U.S. government’s program for vetting the security of software services before federal agencies and their partners are permitted to use them. FedRAMP has three distinct impact levels:
- Low is for systems in which a breach would have a limited adverse effect.
- Moderate is the level that most commercial SaaS FedRAMP authorizations target and the minimum level for most non-public federal data.
- High is reserved for the government’s most sensitive unclassified data (CUI) and systems. Organizations that require this level include law enforcement, emergency services, and financial systems, all of which are domains where security breaches can have catastrophic consequences.
Only a small fraction of FedRAMP Authorized offerings in the FedRAMP Marketplace hold a High authorization. Given the needs of our current and future customers, we opted to make sure that FlakeHub clears the highest available bar.
CUI and why it matters
While FedRAMP High Authorization is of vital importance for federal agencies and their partners, it also has benefits for other organizations that handle Controlled Unclassified Information (CUI) in the cloud. That’s because CUI often shows up well outside standard government IT shops: in defense supply chains, aerospace, critical infrastructure operators, research institutions, and commercial entities under federal contracts or handling federally funded data.
Many of these organizations don’t need to become FedRAMP Authorized themselves, nor do they need every vendor they use to be FedRAMP Authorized. But they do need a FedRAMP High Authorized vendor if their software handles CUI in any way, and if your organization uses Nix, FlakeHub now closes this crucial gap for you. So if your organization has been stuck choosing between using Nix and maintaining a strong compliance posture, the trade-off has been effectively dissolved.
Nix for critical infrastructure
Achieving FedRAMP High Authorization is consistent with the argument we’ve been making since day one: that Nix’s core design—reproducible builds, content-addressed artifacts, an explicit and complete dependency graph—makes it uniquely well suited for the high-security, high-assurance environments that have traditionally presented enterprises with costly challenges.
Determinate’s whole thesis—from Determinate Nix’s provenance tracking to FlakeBOM’s SBOMs to FlakeHub’s trusted platform publishing model—is that Nix’s guarantees compound in value the higher the stakes get.
FedRAMP High Authorization for FlakeHub is that thesis showing up in a form federal agencies and CUI-handling organizations can actually act on today.
The Determinate platform
While FedRAMP High Authorization applies only to FlakeHub directly, it has important implications for the other pillars of our platform:
-
Determinate Secure Packages, our curated subset of Nixpkgs with SLA-backed CVE remediation, optional FIPS-140-2-compliant builds, full cache coverage, and more, uses FlakeHub as its distribution mechanism, so it now inherits the FedRAMP High Authorized controls behind that distribution.
-
Determinate Nix can certainly be used without FlakeHub, but it really shines when paired with it since its provenance tracking relies on FlakeHub to record and verify build metadata—services that are now backed by FlakeHub’s FedRAMP High Authorization, even though Determinate Nix itself sits outside the authorization boundary.
The compliance foundation for enterprise Nix
FedRAMP High for FlakeHub is a crucial milestone for us at Determinate Systems but not at all out of step with our trajectory thus far. It joins a growing list of reasons Determinate has become the most compliant and trusted way to use Nix in production:
- We’ve built our platform as SOC-2-Type-II-compliant infrastructure that’s independently audited on an ongoing basis.
- We offer FIPS-140-2-compliant package builds through Determinate Secure Packages for organizations with strict federal cryptographic requirements.
- Determinate Secure Packages includes FlakeBOM, our CLI for generating spec-compliant SBOMs directly from Nix flakes, enabling enterprises to demonstrate what’s in their Nix-built software in granular, exhaustive detail.
- We offer AWS GovCloud and AWS European Sovereign Cloud support for NixOS deployments that need to stay inside a specific jurisdiction’s compliance boundary.
Together, this adds up to an end-to-end Nix platform that your enterprise security team, the federal compliance office you’re accountable to, and the auditor with CUI on the line can all sign off on, without needing your engineers to sacrifice any of the superpowers that drew them to Nix in the first place.
Getting started
If you’re a federal agency, a contractor, or any organization that handles CUI and has been waiting for a Nix platform that meets your compliance requirements, FlakeHub is ready for you.
Find FlakeHub’s listing in the FedRAMP Marketplace or reach out to us directly at sales@determinate.systems to talk to us about your requirements and how we can help. And if you want the full picture of how we run our infrastructure, our Trust Center has the details.
Written by
Graham is a Nix and Rust developer with a passion and focus on reliability in the lower levels of the stack. He is a co-founder of Determinate Systems, alongside Eelco Dolstra, as well as its Chief Technology Officer.
