Unleash · melindafekete · Nov 22, 2024 · Nov 20, 2024 · Nov 20, 2024 · Nov 20, 2024
@@ -0,0 +1,12 @@
+---
+title: Compliance for feature flags
+description: 'Secure and compliant feature flags at scale with Unleash.'
+---
+
+# Compliance
+
+## Overview
+
+Unleash is designed to help organizations meet strict compliance requirements, supporting frameworks like [FedRAMP](https://www.fedramp.gov/program-basics/), [SOC 2](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2), [ISO 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001), and more. Features such as [audit logs](/reference/events#event-log), [role-based access control](/reference/rbac) (RBAC), and [change request](/reference/change-requests) workflows enable secure feature management at scale.
+
+For a detailed overview of how Unleash can help you with FedRAMP requirements, refer to our [FedRAMP compliance documentation](/using-unleash/compliance/fedramp). For information regarding any other frameworks, [reach out to us](mailto:[email protected]).
@@ -0,0 +1,56 @@
+---
+title: FedRAMP Compliance for feature flags
+description: 'FedRAMP compliant feature flags at scale with Unleash.'
+---
+
+# FedRAMP compliance
+
+## Overview
+
+When operating in a [FedRAMP-compliant](https://www.fedramp.gov/program-basics/) environment, it's crucial to ensure that all integrated systems, including feature flagging solutions, adhere to the same compliance standards. Using a homegrown or third-party feature flag system that does not support FedRAMP standards can compromise your certification and introduce unnecessary risks.
+
+This guide provides an overview of how Unleash features align with FedRAMP controls, helping your organization meet its compliance requirements. 
+
+## Access Control
+
+| **FedRAMP Control**                                                                                                           | **Unleash Features**                                                                                                                                                                                                                                                                                                           |
+|-------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [AC-02 Account Management](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-2) | Unleash uses [role-based access control](/reference/rbac) (RBAC) with configurable permissions. In addition, you can integrate Unleash roles with other identity systems using [SCIM](/reference/scim). You can control authorization at different levels with [single sign-on](/reference/sso) (SSO) and [personal access tokens](/reference/api-tokens-and-client-keys#personal-access-tokens). |
+| [AC-04 Information Flow Enforcement](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-4) | Unleash supports information flow control with architectural system components like [Unleash Proxy](https://docs.getunleash.io/reference/unleash-proxy) or [Unleash Edge](/reference/unleash-edge), and configuration-level options like IP allow-lists.                                                                                                              |
+| [AC-07 Unsuccessful Logon Attempts](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-7) | Unleash restricts user logins after 10 failed attempts.                                                                                                                                                                                                                                                                      |
+
+## Audit and Accountability
+
+| **FedRAMP Control**                                                                                      | **Unleash Features**                                                                                                                                                                                |
+|----------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [AU-02 Event Logging](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-2)           | Unleash provides detailed [audit logs and event tracking](/reference/events), accessible through the Admin UI or exportable for integration with other systems.                                      |
+| [AU-12 Audit Record Generation](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-12) | Unleash provides detailed [audit logs and event tracking](/reference/events) to support auditors with the required evidence. Depending on the audit automation level, the evidence can be collected using the Unleash Admin UI, or exported to other systems. |
+
+## Security Assessment and Authorization
+
+| **FedRAMP Control**                                                                             | **Unleash Features**                                                                                                                       |
+|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [CA-8 Penetration Testing](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CA-8) | Unleash conducts annual penetration testing by external auditors. Results are available for download from the Trust Center.                                                     |
+
+## Configuration Management
+
+| **FedRAMP Control**                                                                                          | **Unleash Features**                                                                                                                                          |
+|--------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [CM-02 Baseline Configuration](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-2)         | Unleash provides [Export](/how-to/how-to-environment-import-export) functionality that facilitates keeping a configuration snapshot in the audit records.                                            |
+| [CM-05 Access Restrictions for Change](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-5) | Unleash provides advanced [role-based access control](/reference/rbac) (RBAC) controls to implement logical access restrictions. [Change Requests](/reference/change-requests) help you define and track approval flows. |
+
+## Identification and Authentication
+
+| **FedRAMP Control**                                                                                                         | **Unleash Features**                                                                                                      |
+|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
+| [IA-02 Identification and Authentication](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-2) (Organizational Users)                | Unleash provides single sign-on (SSO) to enable customers to enforce multi-factor authentication (MFA) for all Unleash users. |
+| [IA-02 (01) Identification and Authentication](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-2) (Organizational Users); Multi-factor Authentication to Privileged Accounts     | Unleash provides SSO to enable customers to enforce multi-factor authentication (MFA) for all Unleash users.              |
+| [IA-02 (02) Identification and Authentication](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-2) (Organizational Users); Multi-factor Authentication to Non-privileged Accounts | Unleash provides SSO to enable customers to enforce multi-factor authentication (MFA) for all Unleash users.              |
+| [IA-02 (08) Identification and Authentication](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-2) (Organizational Users); Access to Accounts — Replay Resistant                  | Unleash restricts user logins after 10 failed attempts.                                                                   |
+
+## System and Communications Protection
+
+| **FedRAMP Control**                                                                                   | **Unleash Features**                                                                                                         |
+|-------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|
+| [SC-08 (01) Transmission Confidentiality and Integrity](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-8) (Cryptographic Protection) | Unleash implements cryptographic protection for data in transit, as detailed in our SOC2 report (available upon [request](https://www.getunleash.io/plans/enterprise). |
+| [SC-17 Public Key Infrastructure Certificates](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-17)                              | Unleash uses PKI certificates issued by AWS and Google.                                                                    |
@@ -537,6 +537,21 @@ const sidebars: SidebarsConfig = {
                     ],
                 },
                 'generated/unleash-proxy',
+                {
+                    type: 'category',
+                    label: 'Compliance',
+                    link: {
+                        type: 'doc',
+                        id: 'using-unleash/compliance/compliance-overview',
+                    },
+                    items: [
+                        {
+                            type: 'doc',
+                            label: 'FedRAMP',
+                            id: 'using-unleash/compliance/fedramp',
+                        },
+                    ],
+                },
                 {
                     label: 'Troubleshooting',
                     type: 'category',