FedRAMP compliance
Overview
When operating in a FedRAMP-compliant environment, it's crucial to ensure that all integrated systems, including feature flagging solutions, adhere to the same compliance standards. Using a homegrown or third-party feature flag system that does not support FedRAMP standards can compromise your certification and introduce unnecessary risks.
This guide provides an overview of how Unleash features align with FedRAMP controls, helping your organization meet its compliance requirements.
Access Control
| FedRAMP Control | Unleash Features |
|---|---|
| AC-02 Account Management | Unleash uses role-based access control (RBAC) with configurable permissions. In addition, you can integrate Unleash roles with other identity systems using SCIM. You can control authorization at different levels with single sign-on (SSO) and personal access tokens. |
| AC-04 Information Flow Enforcement | Unleash supports information flow control with architectural system components like Unleash Proxy or Unleash Edge, and configuration-level options like IP allow-lists. |
| AC-07 Unsuccessful Logon Attempts | Unleash restricts user logins after 10 failed attempts. |
Audit and Accountability
| FedRAMP Control | Unleash Features |
|---|---|
| AU-02 Event Logging | Unleash provides detailed audit logs and event tracking, accessible through the Admin UI or exportable for integration with other systems. |
| AU-12 Audit Record Generation | Unleash provides detailed audit logs and event tracking, accessible through the Admin UI or exportable for integration with other systems. |
Security Assessment and Authorization
| FedRAMP Control | Unleash Features |
|---|---|
| CA-8 Penetration Testing | Unleash conducts annual penetration testing by external auditors; results are available upon request. |
Configuration Management
| FedRAMP Control | Unleash Features |
|---|---|
| CM-02 Baseline Configuration | Unleash provides Export functionality that facilitates keeping a configuration snapshot of feature flags and related entities in the audit records. Instance-wide configurations, such as projects, users, and roles, can be managed and restored using the Unleash Terraform provider. |
| CM-05 Access Restrictions for Change | Unleash provides advanced role-based access control (RBAC) controls to implement logical access restrictions. Change Requests help you define and track approval flows. |
Identification and Authentication
| FedRAMP Control | Unleash Features |
|---|---|
| IA-02 Identification and Authentication (Organizational Users) | Unleash provides single sign-on (SSO) to enable customers to enforce multi-factor authentication (MFA) for all Unleash users. |
| IA-02 (01) Identification and Authentication (Organizational Users); Multi-factor Authentication to Privileged Accounts | Unleash provides SSO to enable customers to enforce multi-factor authentication (MFA) for all Unleash users. |
| IA-02 (02) Identification and Authentication (Organizational Users); Multi-factor Authentication to Non-privileged Accounts | Unleash provides SSO to enable customers to enforce multi-factor authentication (MFA) for all Unleash users. |
| IA-02 (08) Identification and Authentication (Organizational Users); Access to Accounts — Replay Resistant | Unleash restricts user logins after 10 failed attempts. |
System and Communications Protection
| FedRAMP Control | Unleash Features |
|---|---|
| SC-08 (01) Transmission Confidentiality and Integrity (Cryptographic Protection) | Unleash implements cryptographic protection for data in transit, as detailed in our SOC2 report (available upon request. |
| SC-17 Public Key Infrastructure Certificates | Unleash uses PKI certificates issued by AWS and Google. |