FedRAMP compliance for feature flags

Overview

When operating in a FedRAMP-compliant environment, it’s crucial to ensure that all integrated systems, including feature flagging solutions, adhere to the same compliance standards. Using a homegrown or third-party feature flag system that does not support FedRAMP standards can compromise your certification and introduce unnecessary risks.

This guide provides an overview of how Unleash Enterprise features align with FedRAMP controls, helping your organization meet its compliance requirements.

Access Control

FedRAMP Control	Unleash Feature
AC-02 Account Management	Unleash uses role-based access control (RBAC) with configurable permissions. In addition, you can integrate Unleash roles with other identity systems using SCIM. You can control authorization at different levels with single sign-on (SSO) and personal access tokens.
AC-04 Information Flow Enforcement	Unleash supports information flow control with architectural system components like Unleash Edge, and configuration-level options like IP allow-lists.
AC-07 Unsuccessful Logon Attempts	Unleash restricts user logins after 10 failed attempts.

Audit and Accountability

FedRAMP Control	Unleash Feature
AU-02 Event Logging	Unleash provides detailed audit logs and event tracking, accessible through the Admin UI or exportable for integration with other systems.
AU-12 Audit Record Generation	Unleash provides detailed audit logs and event tracking, accessible through the Admin UI or exportable for integration with other systems.

Security Assessment and Authorization

FedRAMP Control	Unleash Feature
CA-8 Penetration Testing	Unleash conducts annual penetration testing by external auditors; results are available upon request.

Configuration Management

FedRAMP Control	Unleash Feature
CM-02 Baseline Configuration	Unleash provides Export functionality that facilitates keeping a configuration snapshot of feature flags and related entities in the audit records. Instance-wide configurations, such as projects, users, and roles, can be managed and restored using the Unleash Terraform provider.
CM-05 Access Restrictions for Change	Unleash provides advanced role-based access control (RBAC) controls to implement logical access restrictions. Change Requests help you define and track approval flows.

Identification and Authentication

FedRAMP Control	Unleash Feature
IA-02 Identification and Authentication (Organizational Users)	Unleash provides single sign-on (SSO) to enable customers to enforce multi-factor authentication (MFA) for all Unleash users.
IA-02 (01) Identification and Authentication (Organizational Users); Multi-factor Authentication to Privileged Accounts	Unleash provides SSO to enable customers to enforce multi-factor authentication (MFA) for all Unleash users.
IA-02 (02) Identification and Authentication (Organizational Users); Multi-factor Authentication to Non-privileged Accounts	Unleash provides SSO to enable customers to enforce multi-factor authentication (MFA) for all Unleash users.
IA-02 (08) Identification and Authentication (Organizational Users); Access to Accounts — Replay Resistant	Unleash restricts user logins after 10 failed attempts.

System and Communications Protection

FedRAMP Control	Unleash Feature
SC-08 (01) Transmission Confidentiality and Integrity (Cryptographic Protection)	Unleash implements cryptographic protection for data in transit, as detailed in our SOC2 report (available upon request.
SC-17 Public Key Infrastructure Certificates	Unleash uses PKI certificates issued by AWS and Google.