SCG-CSO-RSC (FRR-RSC-01) |
Top-Level Administrative Accounts Guidance |
Providers must create and maintain guidance that includes instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering.
Note: This guidance should explain how top-level administrative accounts are named and referred to in the cloud service offering.
|
MuleSoft fulfills this requirement in this PaaS model. MuleSoft documentation covers the full lifecycle of organization-level administration: access (sign-in, single sign-on (SSO), multi-factor authentication (MFA)), configuration (users, business groups, roles), operation (managing users, roles, permissions), and decommissioning (deleting accounts, migrating owners). The documentation names the top-level administrative identities as the cloud service offering refers to them: the "Organization Administrators" role, the "organization owner" role, and the "Organization Administrator" permission.
|
SCG-CSO-RSC (FRR-RSC-02) |
Administrative Security Settings |
Providers must create and maintain guidance that explains security-related settings that can be operated only by top-level administrative accounts and their security implications.
|
MuleSoft documents the security-relevant settings that only top-level (organization) administrators can change. The documentation identifies actions that require the Organization Administrators role (or an equivalent), for example: trusted domains (a Government Cloud security setting), user and role management, MFA and identity provider (IdP) configuration, client applications, virtual private cloud (VPC) and load balancer permissions, and organization details. The security and Access Management documentation describes the security implications of these settings (for example, what trusted domains restrict and what enabling MFA enforces).
|
SCG-CSO-RSC (FRR-RSC-03) |
Privileged Accounts Security |
Providers should create and maintain guidance that explains security-related settings that can be operated only by privileged accounts and their security implications.
|
MuleSoft documents privileged (non-top-level) roles and their security-relevant capabilities. The documentation lists the default roles (for example, API Versions Owner, CloudHub Admin, Exchange Administrators, Audit Log Viewers) with their permission scopes, and explains how to define custom roles. It describes the security implications of each role so that you can determine what a role holder can do and manage privileged-account settings accordingly.
|
SCG-CSO-SDF (FRR-RSC-04) |
Secure Defaults on Provisioning |
Providers should set all settings to their recommended secure defaults for top-level administrative accounts and privileged accounts when initially provisioned.
|
MuleSoft sets platform-level secure defaults (for example, Government Cloud requires two-factor authentication (2FA) for all users and enforces password rules, and the Federal Information Processing Standards (FIPS) cryptography, Transport Layer Security (TLS), and secure hosting configuration are documented). MuleSoft creates the default roles automatically when you create an organization or business group. You provision organizations and users, assign roles, and enable MFA or an IdP according to your policy, so the secure defaults for administrative and privileged accounts are only fully in place once you follow the MuleSoft provisioning guidance for the settings that remain under customer control.
|
SCG-ENH-CMP (FRR-RSC-05) |
Comparison Capability |
Providers should offer the capability to compare all current settings for top-level administrative accounts and privileged accounts to the recommended secure defaults.
|
MuleSoft doesn't provide a built-in capability to compare the current settings of administrative or privileged accounts to recommended secure defaults in this PaaS model. You can view current roles and permissions in the UI and retrieve them via the Access Management API. You are responsible for fulfilling the intent of this requirement (for example, comparing the exported data to an internal baseline) using your own tooling or internal processes.
|
SCG-ENH-EXP (FRR-RSC-06) |
Export Capability |
Providers should offer the capability to export all security settings in a machine-readable format.
|
MuleSoft provides programmatic access to some security-relevant data via the Access Management API (organizations, business groups, users, roles, permissions) and via API Manager (export of API instances). MuleSoft doesn't offer a single machine-readable export of all security settings (identity and access management (IAM), policies, audit configuration, and so on) in one format. You can script the APIs to export identity and access settings and assemble your own consolidated export.
|
SCG-ENH-API (FRR-RSC-07) |
API Capability |
Providers should offer the capability to view and adjust security settings via an API or similar capability.
|
MuleSoft supports viewing and adjusting security-relevant settings via API. The Access Management API provides programmatic access to user and client management, organizations, business groups, roles, and permissions, and API Manager and related APIs cover API and configuration management. The platform satisfies this requirement for the access-management and API-management settings it exposes. Note that calls that adjust these settings are themselves privileged operations, so credentials used by automation should be scoped to the minimum role needed and treated as privileged accounts under the guidance above.
|
SCG-RSC-MRG (FRR-RSC-08) |
Machine-Readable Guidance |
Providers should provide recommended secure configuration guidance in a machine-readable format that can be used by customers or third-party tools to compare against current settings.
|
MuleSoft doesn't provide a machine-readable secure-configuration baseline (for example, Security Content Automation Protocol (SCAP), Open Vulnerability and Assessment Language (OVAL), or a JSON schema) for administrative or privileged account settings in this PaaS model. MuleSoft provides human-readable guidance in its documentation. You can use the Access Management API response formats as the input to your own tooling. You are responsible for fulfilling the intent of this requirement (for example, encoding your own baseline and comparing the exported data against it) using exported data or internal processes.
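Because FRR-RSC-05, FRR-RSC-06 and FRR-RSC-08 all leave the baseline comparison to the customer, the following added example (not MuleSoft's code, and not part of this page's original guidance) shows the shape of that customer-side tooling: an internal baseline expressed as data, an exported snapshot of organization settings and user role assignments, and a drift check that reports findings. The export structure, the field names, and the baseline values are assumptions for illustration; the Access Management API response schema is not reproduced here, so you would map your own export step onto this shape. The sample export is constructed, not real data.

```python
"""Compare an exported access-management snapshot against an internal
secure-configuration baseline and report drift.

Hypothetical example. The export shape below is an ASSUMPTION modelled on
what a script that pulls organization details, users and roles through the
Access Management API might collect; it is not the documented response
schema. Replace EXPORT_JSON with the output of your own export step.
"""
import json
from dataclasses import dataclass

# Constructed sample export (not real data). Field names are assumptions.
EXPORT_JSON = """
{
  "organization": {"id": "org-example", "name": "Example Org",
                   "mfa_required": false, "trusted_domains": ["example.gov"]},
  "users": [
    {"username": "alice", "mfa_enabled": true, "enabled": true,
     "roles": ["Organization Administrators"]},
    {"username": "bob", "mfa_enabled": false, "enabled": true,
     "roles": ["Organization Administrators"]},
    {"username": "carol", "mfa_enabled": true, "enabled": true,
     "roles": ["CloudHub Admin", "Audit Log Viewers"]},
    {"username": "svc-legacy", "mfa_enabled": false, "enabled": true,
     "roles": ["Exchange Administrators"]},
    {"username": "dave", "mfa_enabled": false, "enabled": false,
     "roles": ["CloudHub Admin"]}
  ]
}
"""

# Internal baseline (hypothetical values; your organisation decides these).
# This is the machine-readable stand-in for the guidance MuleSoft only
# publishes in human-readable form.
BASELINE = {
    "mfa_required": True,             # org-wide MFA enforcement expected on
    "max_org_admins": 2,              # cap on the top-level admin population
    "privileged_roles": {             # roles treated as privileged
        "Organization Administrators", "CloudHub Admin",
        "Exchange Administrators", "API Versions Owner",
    },
    "privileged_requires_mfa": True,  # every enabled privileged user has MFA
}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    subject: str   # organization id or username
    message: str


def load_export(text: str) -> dict:
    """Parse the exported snapshot (JSON text) into a dict."""
    return json.loads(text)


def compare_to_baseline(export: dict, baseline: dict) -> list[Finding]:
    """Return one Finding per deviation from the baseline."""
    findings: list[Finding] = []
    org = export["organization"]

    # Top-level setting: org-wide MFA enforcement.
    if baseline["mfa_required"] and not org.get("mfa_required", False):
        findings.append(Finding("high", org["id"],
                                "org-wide MFA enforcement is off"))

    # Top-level admin population (disabled accounts are not counted).
    active = [u for u in export["users"] if u.get("enabled", True)]
    admins = [u for u in active
              if "Organization Administrators" in u["roles"]]
    if len(admins) > baseline["max_org_admins"]:
        findings.append(Finding(
            "medium", org["id"],
            f"{len(admins)} top-level admins exceeds baseline of "
            f"{baseline['max_org_admins']}"))

    # Privileged users must have MFA enabled on their own account.
    for u in active:
        held = baseline["privileged_roles"].intersection(u["roles"])
        if held and baseline["privileged_requires_mfa"] \
                and not u.get("mfa_enabled", False):
            findings.append(Finding(
                "high", u["username"],
                "privileged user without MFA: " + ", ".join(sorted(held))))
    return findings


def run_check(export_text: str = EXPORT_JSON,
              baseline: dict = BASELINE) -> list[Finding]:
    """Convenience wrapper: parse the export and run the comparison."""
    return compare_to_baseline(load_export(export_text), baseline)


if __name__ == "__main__":
    for f in run_check():
        print(f"[{f.severity}] {f.subject}: {f.message}")
```

On the constructed sample this reports three findings: the organization has MFA enforcement off, and bob and svc-legacy hold privileged roles without MFA; dave is skipped because the account is disabled. Keeping the baseline as data rather than as conditions in code is deliberate: it is the artefact you version and review when MuleSoft's human-readable guidance changes (FRR-RSC-10), and the same snapshot can be re-checked against an updated baseline without touching the comparison logic.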
|
SCG-CSO-PUB (FRR-RSC-09) |
Publish Guidance |
Providers should make recommended secure configuration guidance available publicly.
|
Applicable
MuleSoft makes its recommended secure-configuration and operational guidance publicly available. The public Government Cloud and security documentation covers the Government Cloud overview; security (FedRAMP, FIPS, TLS, National Institute of Standards and Technology (NIST), and Center for Internet Security (CIS) references); Access Management; roles and permissions; MFA; audit logging; and the account lifecycle.
|
SCG-ENH-VRH (FRR-RSC-10) |
Versioning and Release History |
Providers should provide versioning and a release history for recommended secure default settings for top-level administrative accounts and privileged accounts as they are adjusted over time.
|
MuleSoft provides product and documentation versioning, but does not maintain a dedicated, versioned release history of the recommended secure default settings for administrative or privileged accounts. If you need to track how those recommendations change over time, you must record the documentation versions you relied on and the corresponding baseline values yourself.
|