Here is what I see when I look at a federal contractor's onboarding stack: Workday HCM on one screen, Greenhouse ATS on another, and somewhere in between, a coordinator has emailed a scanned passport to a personal Gmail account because the upload portal timed out. Not malice. Just the path of least resistance.
I spent four years with Onfido building document NFC and liveness-check pipelines for government and financial-services customers. The compliance failures we traced almost never came from bad actors inside the organization. They came from systems that were not designed to enforce a boundary most HR tools do not even recognize as their problem.
That problem has a name in federal contracting: the FedRAMP authorization boundary. And understanding where Workday and Greenhouse sit relative to it is the difference between an audit that closes in a day and a corrective action plan that costs you 38 days and a contract modification.
Where Workday and Greenhouse Actually Sit
Workday HCM holds a FedRAMP Moderate authorization. So does Greenhouse ATS, under its government offering. On paper, that sounds like you are covered. In practice, the authorization boundary covers the core application data, not every integration point, not every document attachment workflow, and not the identity verification data your coordinator collects during onboarding.
Here is the thing: when a coordinator uploads a government-issued ID scan, a completed I-9, or a Social Security card image through the standard Workday document upload interface, that file moves through Workday's content storage layer. Whether that storage is inside or outside the FedRAMP boundary depends on your tenant configuration, your Workday contract tier, and whether your implementation partner set up GovCloud-designated document vaults at deployment. Most mid-size contractors never verified this. We see it regularly.
Greenhouse is the same story. The standard ATS document attachment workflow was designed for resumes, offer letters, and interview feedback. It was not designed to handle biometric data, government-issued ID images, or SSA Consent-Based SSN Verification response codes. When coordinators use it for those documents anyway, because it is where the candidate record lives, those files sit in Greenhouse's standard cloud infrastructure, which carries a FedRAMP Agency ATO but with a boundary that does not cover candidate identity verification documents as a data category.
What This Creates During Audit Reviews
DCSA and CMMC Level 2 assessors ask two questions about every identity verification record: where is it stored, and who accessed it. If you cannot answer both questions with a complete chain-of-custody log that traces the record from initial collection to current storage, you have a documentation gap. Documentation gaps become audit findings.
In our experience building verification pipelines, a single finding in this category costs a mid-size contractor between 15,000 and 90,000 dollars in delayed contract start, corrective action plan preparation, and staff time. That range is not hypothetical. It comes from contractors who contacted us after the audit, not before.
The root cause, almost every time: identity verification records were stored in a system that the contracting team believed was FedRAMP-authorized for that data type, but was not. Workday and Greenhouse had the authorization banner. The specific data category and storage path did not match the authorization scope.
One more thing worth naming directly. The 2022 DCSA policy update on identity document storage explicitly requires that biometric data and government-issued identity documents collected for clearance-adjacent onboarding be stored in a FedRAMP-authorized environment with a complete audit trail. That policy is now being enforced in CMMC Level 2 assessments as well. If you have not reviewed your document storage paths since 2022, this is the year it matters.
How API Connectors Change the Risk Profile
The fix is not to rip out Workday or Greenhouse. Those systems are your HRIS and ATS backbone. The fix is to stop using them as the identity verification storage layer, and use them only as the downstream destination for a verified record summary.
Fact: an identity verification record does not need to live in Workday for Workday to know the verification passed.
What Workday needs is a structured status update: hire identity verified, date and time, reference ID, adjudication outcome. That data is not sensitive in the same way that biometric images or government-issued ID scans are. It can move into Workday's onboarding module through an API write while the identity documents and biometric data stay in a FedRAMP Moderate-authorized GovCloud environment, and your audit log is complete on both sides.
This is exactly what the Verifyfed Workday HCM connector and Greenhouse ATS connector do. The verification workflow runs entirely inside Verifyfed's FedRAMP Moderate ATO boundary: document capture, NFC chip read or OCR extraction, AAMVA DMV cross-reference, SSA CBSV response, liveness check, face comparison. The complete audit trail, every access and transform event, stays in GovCloud. When the workflow closes, the connector writes a structured verification summary to Workday or Greenhouse: verified, timestamp, reference ID, outcome code. The coordinator's dashboard in Workday sees a closed onboarding task. The records auditors need are in a place that can produce them.
What Stays Inside the FedRAMP Boundary
- Government-issued ID document images (NFC chip data or OCR captures)
- Biometric liveness frames and face-comparison scores
- AAMVA MVAConnect response records
- SSA CBSV response codes and consent documentation
- Chain-of-custody log for every system access and API read on the record
- Signed audit package for DCSA or CMMC assessor export
What Moves to Workday or Greenhouse via API
- Verification status (pass / exception / pending human review)
- Timestamp of verification completion
- Verifyfed reference ID for cross-system lookup
- Exception flag if any step required human adjudicator review
The HRIS knows what it needs to know to close the onboarding task. The compliance record stays where auditors need it to be.
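One way to enforce that split at the point where a connector hands data to the HRIS is a fail-closed allowlist on the outbound payload. This is an added example, not Verifyfed's, Workday's or Greenhouse's code; the field names, the reference ID format and the sample record are assumptions made up for illustration.

```python
import re
from datetime import datetime

# The four items the article lists as moving to Workday or Greenhouse.
# Field names are hypothetical.
ALLOWED_FIELDS = {"status", "completed_at", "reference_id", "exception_flag"}
ALLOWED_STATUS = {"pass", "exception", "pending_human_review"}
REF_ID = re.compile(r"[A-Za-z0-9-]{8,64}")  # assumed format: short opaque token

class BoundaryViolation(ValueError):
    """The payload would carry in-boundary data out to the HRIS or ATS."""

def validate_outbound(payload: dict) -> None:
    """Fail closed unless the payload is exactly the allowlisted summary."""
    if set(payload) != ALLOWED_FIELDS:
        extra = sorted(set(payload) - ALLOWED_FIELDS)
        missing = sorted(ALLOWED_FIELDS - set(payload))
        raise BoundaryViolation(f"unexpected={extra} missing={missing}")
    if payload["status"] not in ALLOWED_STATUS:
        raise BoundaryViolation("status is not one of the allowed values")
    if not isinstance(payload["exception_flag"], bool):
        raise BoundaryViolation("exception_flag must be a boolean")
    ref = payload["reference_id"]
    if not isinstance(ref, str) or not REF_ID.fullmatch(ref):
        raise BoundaryViolation("reference_id must be a short opaque token")
    try:
        ts = datetime.fromisoformat(payload["completed_at"])
    except (TypeError, ValueError):
        raise BoundaryViolation("completed_at is not an ISO 8601 timestamp")
    if ts.tzinfo is None:
        raise BoundaryViolation("completed_at must carry a UTC offset")

def build_hris_summary(record: dict) -> dict:
    """Project a full verification record down to the status summary."""
    summary = {f: record[f] for f in ALLOWED_FIELDS if f in record}
    validate_outbound(summary)  # also catches fields missing from the record
    return summary

# Constructed sample of a record as it exists inside the boundary.
FULL_RECORD = {
    "status": "pass",
    "completed_at": "2024-03-05T14:22:10+00:00",
    "reference_id": "REF-EXAMPLE-0001",
    "exception_flag": False,
    "id_document_image": b"\x00constructed-bytes",
    "face_comparison_score": 0.97,
    "ssa_cbsv_response": "constructed-code",
}
```

Calling `validate_outbound` immediately before the API write, rather than only inside the builder, means a caller that passes the full record by mistake is stopped instead of silently leaking it.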
The Onboarding Coordinator Experience
Honestly, the reason this matters to me beyond the compliance angle is what it does for coordinators day to day. I have talked to onboarding teams managing 200-plus cleared hires per year. The compliance anxiety is real. They know they are supposed to keep identity documents in the right place, but no one gave them a workflow that made the compliant path the default path. So they improvise. Email. Shared drives. Screenshot attached to a note in Greenhouse.
When the verification workflow lives in Verifyfed and only a status record lands in Workday or Greenhouse, coordinators do not have to make a compliance decision every time they touch an identity document. The compliant path is the only path. The Verifyfed dashboard shows every active onboarding workflow in a kanban view: document collection initiated, liveness check complete, DMV verification returned, SSA CBSV confirmed, adjudication decision logged, package delivered to HRIS. Real-time status notifications land in the coordinator's queue when a milestone closes or when a workflow has been stalled for more than 24 hours.
For contractors managing multiple programs, workflows can be tagged by program and contract vehicle. A program manager can pull onboarding throughput per contract at any point in the period of performance. No manual status calls. No spreadsheets.
What to Check in Your Current Configuration
If you are running Workday or Greenhouse for federal contractor onboarding right now, three things are worth auditing before your next compliance review:
- Document storage path in Workday: Where does a file uploaded through the standard document attachment flow land? Is that storage node inside your Workday tenant's GovCloud designation, or in general commercial cloud? Your Workday implementation partner or account team can confirm this. Get it in writing.
- Greenhouse data classification: Is your Greenhouse tenant configured under the government-eligible deployment or the standard commercial deployment? What data categories does your ATO or agency authorization cover? Greenhouse support can provide the boundary documentation.
- Chain of custody: For any identity verification record currently stored in Workday or Greenhouse, can you produce an access log showing every system that touched that record from collection to current storage? If the answer requires manual reconstruction, that is the gap DCSA assessors will find.
None of those answers require replacing your HRIS or ATS. They require knowing exactly what your current configuration covers, and filling the gap with a workflow tool that enforces the boundary by design.
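The chain-of-custody question can be asked of a log mechanically: does every hop start where the previous one ended, and is every system that touched the record in the boundary inventory? The sketch below is an added example, not code from any product named here; the event schema, system names and sample logs are constructed assumptions.

```python
# Hypothetical inventory of systems inside the authorization boundary.
IN_BOUNDARY = {"capture-svc", "govcloud-vault", "adjudication-svc"}

def custody_gaps(events: list, current_storage: str) -> list:
    """Return findings for one record's log; an empty list means no gaps."""
    findings = []
    events = sorted(events, key=lambda e: e["ts"])  # same-offset ISO strings
    if not events or events[0]["action"] != "collect":
        findings.append("log does not start with a collection event")
    holder = None  # system currently holding the record
    for e in events:
        if e["action"] == "collect":
            holder = e["system"]
        elif e["action"] == "transfer":
            if e["system"] != holder:
                findings.append(
                    f"{e['ts']}: transfer from {e['system']} "
                    f"but record was last held by {holder}")
            holder = e["to"]
        # Every system named in the event must be in the inventory.
        for system in (e["system"], e.get("to")):
            if system and system not in IN_BOUNDARY:
                findings.append(f"{e['ts']}: {system} is outside the boundary")
    if holder != current_storage:
        findings.append(
            f"log ends at {holder} but record is stored in {current_storage}")
    return findings

# Constructed sample: collection, one transfer, one read, all in boundary.
COMPLETE_LOG = [
    {"ts": "2024-03-05T14:00:00+00:00", "action": "collect",
     "system": "capture-svc"},
    {"ts": "2024-03-05T14:01:00+00:00", "action": "transfer",
     "system": "capture-svc", "to": "govcloud-vault"},
    {"ts": "2024-03-05T14:05:00+00:00", "action": "read",
     "system": "adjudication-svc"},
]

# Constructed sample: the record reappears on a shared drive with no logged
# hop that put it there, the situation that forces manual reconstruction.
GAPPED_LOG = [
    {"ts": "2024-03-05T14:00:00+00:00", "action": "collect",
     "system": "capture-svc"},
    {"ts": "2024-03-06T09:30:00+00:00", "action": "transfer",
     "system": "shared-drive", "to": "govcloud-vault"},
]
```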
The Practical Starting Point
We built the Workday HCM connector and Greenhouse ATS connector specifically because the gap is at the integration layer, not at the HRIS layer. Contractors who have both systems in place do not need a new onboarding platform. They need a verification workflow that runs in a FedRAMP Moderate-authorized environment and writes only a compliant status record into the systems they already use.
For contractors who are not yet on Workday or Greenhouse, the CSV export path achieves the same boundary isolation: verification runs in GovCloud, the coordinator downloads a structured CSV with status records for import into whatever HRIS is in use, and no identity documents ever leave the FedRAMP boundary.
The audit-ready package for any hire, including verified document images, AAMVA and SSA response codes, liveness check result, face-comparison score, and the complete access-and-transform audit log, can be generated in under 60 seconds. That is what DCSA and CMMC assessors need. That is what should exist before the first audit notice arrives, not after.
In our view, the standard is not unreasonable. Store identity documents where they are authorized to be stored. Keep a complete audit trail. Make the compliant path the default path. The tools exist to make that straightforward. The question is whether your current workflow is actually doing it.