FedRAMP compliance for feature flags
Overview
When operating in a FedRAMP-compliant environment, it’s crucial to ensure that all integrated systems, including feature flagging solutions, adhere to the same compliance standards. Using a homegrown or third-party feature flag system that does not support FedRAMP standards can compromise your certification and introduce unnecessary risks.
This guide provides an overview of how Unleash Enterprise features align with FedRAMP controls, helping your organization meet its compliance requirements.
Access Control
| FedRAMP Control | Unleash Feature |
|---|---|
| AC-02 Account Management | Unleash uses role-based access control (RBAC) with configurable permissions. In addition, you can integrate Unleash roles with other identity systems using SCIM. You can control authorization at different levels with single sign-on (SSO) and personal access tokens. |
| AC-04 Information Flow Enforcement | Unleash supports information flow control with architectural system components like Unleash Edge, and configuration-level options like IP allow-lists. |
| AC-06 Least Privilege | Unleash provides granular role-based access control (RBAC) with permissions configurable at the instance, project, and environment levels. Custom roles can be defined to enforce least-privilege access patterns. Change requests add approval workflows that prevent unauthorized modifications to production flag state. |
| AC-07 Unsuccessful Logon Attempts | Unleash restricts user logins after 10 failed attempts. |
Audit and Accountability
| FedRAMP Control | Unleash Feature |
|---|---|
| AU-02 Event Logging | Unleash provides detailed audit logs and event tracking, accessible through the Admin UI or exportable for integration with other systems. |
| AU-12 Audit Record Generation | Unleash provides detailed audit logs and event tracking, accessible through the Admin UI or exportable for integration with other systems. |
Security Assessment and Authorization
| FedRAMP Control | Unleash Feature |
|---|---|
| CA-08 Penetration Testing | Unleash conducts annual penetration testing by external auditors; results are available upon request. |
Configuration Management
| FedRAMP Control | Unleash Feature |
|---|---|
| CM-02 Baseline Configuration | Unleash provides export functionality for capturing a configuration snapshot of feature flags and related entities, which you can retain with your audit records. Instance-wide configuration, such as projects, users, and roles, can be managed and restored using the Unleash Terraform provider. |
| CM-05 Access Restrictions for Change | Unleash provides advanced role-based access control (RBAC) controls to implement logical access restrictions. Change Requests help you define and track approval flows. |
Identification and Authentication
| FedRAMP Control | Unleash Feature |
|---|---|
| IA-02 Identification and Authentication (Organizational Users) | Unleash provides single sign-on (SSO) to enable customers to enforce multi-factor authentication (MFA) for all Unleash users. |
| IA-02 (01) Identification and Authentication (Organizational Users); Multi-factor Authentication to Privileged Accounts | Unleash provides SSO to enable customers to enforce multi-factor authentication (MFA) for all Unleash users. |
| IA-02 (02) Identification and Authentication (Organizational Users); Multi-factor Authentication to Non-privileged Accounts | Unleash provides SSO to enable customers to enforce multi-factor authentication (MFA) for all Unleash users. |
| IA-02 (08) Identification and Authentication (Organizational Users); Access to Accounts — Replay Resistant | Unleash restricts user logins after 10 failed attempts. |
System and Communications Protection
| FedRAMP Control | Unleash Feature |
|---|---|
| SC-07 Boundary Protection | Unleash Edge operates as a boundary component that controls information flow between applications and the Unleash API. IP allow-lists can restrict access to the Unleash instance. For self-hosted deployments, customers deploy Unleash within their network perimeter and control all boundary protections using their existing infrastructure. |
| SC-08 (01) Transmission Confidentiality and Integrity (Cryptographic Protection) | Unleash implements cryptographic protection for data in transit, as detailed in our SOC 2 report (available upon request). |
| SC-12 Cryptographic Key Establishment and Management | For self-hosted deployments, cryptographic key management is handled entirely by the customer’s infrastructure. Unleash delegates TLS termination, database encryption, and storage encryption to the infrastructure layer, allowing customers to apply their FIPS-compliant or NSA-approved key management solutions without requiring application-level changes. |
| SC-13 Cryptographic Protection | For self-hosted deployments, cryptographic protection is managed at the infrastructure layer. TLS termination and encryption happen at the level of infrastructure components (load balancers, reverse proxies, database connections). Unleash delegates all application-level cryptographic operations to the runtime’s OpenSSL modules and uses FIPS-approved algorithms (for example, SHA-256 for hashing). Unleash supports deployment on FIPS-enabled operating systems and runtimes, including container images built on FIPS-enabled base images. Customers operating in FedRAMP environments achieve FIPS 140-2/140-3 compliance by configuring their infrastructure stack to use validated cryptographic modules. Unleash provides access to source code, enabling customers to build and verify the application within their certified environments. |
| SC-17 Public Key Infrastructure Certificates | Unleash uses PKI certificates issued by AWS and Google. |
| SC-28 Protection of Information at Rest | Unleash stores feature flag configuration data in a PostgreSQL database. For self-hosted deployments, data-at-rest encryption is managed by the customer at the database and storage layer using their preferred encryption solution. |
System and Information Integrity
| FedRAMP Control | Unleash Feature |
|---|---|
| SI-07 Software, Firmware, and Information Integrity | Unleash Enterprise is built on an open-source foundation, enabling customers to inspect and verify the integrity of the application code. Self-hosted customers can integrate Unleash deployments into their existing software integrity verification processes, including container image signing and supply chain security tooling. |