FedRAMP docs #8815
FedRAMP docs #8815
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.OpenSSF Scorecard
Scanned Files |
There was a problem hiding this comment.
Looks good @melindafekete. My review is complete pending Diego's verification of the 3 places he was tagged.
| | **FedRAMP Control** | **Unleash Features** | | ||
| |-------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------| | ||
| | [SC-08 (01) Transmission Confidentiality and Integrity](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-8) (Cryptographic Protection) | Unleash implements cryptographic protection for data in transit, as detailed in our SOC2 report (available upon [request](mailto:[email protected])). | | ||
| | [SC-17 Public Key Infrastructure Certificates](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-17) | Unleash uses PKI certificates issued by AWS and Google. | |
There was a problem hiding this comment.
Would service accounts as well as personal access tokens be based on PKI as well @dsusa72 ?
There was a problem hiding this comment.
I don't know, but I don't think it's relevant because we're not going to list here all the points in the solution where we use encryption. When we implement my suggestion in cell G15 (Encryption overview diagram), we will get down to this detail level.
There was a problem hiding this comment.
this section isn't about encryption, but rather PKI, e.g. certificates. Saying that we use certificates only on AWS and Google, if we in fact use certificate-based auth on our API seems like an omission. Unless of course we don't use certs on those services. Could an engineer validate this quickly?
There was a problem hiding this comment.
@michaelferranti , This was already validated with a principal eng. For clarification: we're not saying we use certificates "on" AWS & Google. We're saying "issued by" them, which is different. We're saying these are the only two CAs (Certification Authorities) that we get certificates from, as opposed to using certs from a Gov authority or self-signed ones. In the NIST control wording these two CAs sohuld be considered "approved service providers".
I.e. this is about the type of certs se use and not "where" we use them. If we attempt to describe "where", I still recommend my suggestion on cell G15.
Co-authored-by: Michael Ferranti <[email protected]>
More info on this Linear ticket. Based on the following Google Sheet from Diego.