[Fundamentals] Added page for FedRAMP High In Process products #25913
Conversation
|
This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:
|
|
Preview URL: https://5d420a34.preview.developers.cloudflare.com Files with changes (up to 15)
|
| - SSL/TLS | ||
| - Tiered Cache | ||
| - Video Stream Delivery | ||
| - WAF |
There was a problem hiding this comment.
Not all WAF components are FedRAMP High "In-Process" — only the following components:
- Malicious uploads detection
- Leaked credentials detection
- The following managed rulesets:
- Cloudflare Managed Ruleset
- Sensitive Data Detection
- OWASP Core Ruleset
- Free Managed Ruleset
Besides these components, also "Rate Limiting", which is already in the list as a separate entry (line 60).
| - Cloudflare One | ||
| - Zero Trust Infrastructure Access | ||
| - Cloudflare Queues | ||
| - Cloudflare Spectrum |
There was a problem hiding this comment.
Exception: BYOIP (Bring Your Own IP) service bindings and related CDN configurations are not supported; customers must use Spectrum HTTP/HTTPS applications to route FedRAMP traffic via the CDN.
| - Bots, aka Bot Management | ||
| - Browser Isolation | ||
| - CDN Cache | ||
| - **Exception:** Smart Tiered Cache is not supported. |
There was a problem hiding this comment.
I think this exception should be in Tiered Cache.
| - Page Shield | ||
| - R2 Object Storage | ||
| - Rate Limiting | ||
| - SSL/TLS |
There was a problem hiding this comment.
There are several exceptions within the SSL/TLS offerings.
| - CDN Cache | ||
| - **Exception:** Smart Tiered Cache is not supported. | ||
| - Cache Reserve | ||
| - Cloudflare for SaaS |
There was a problem hiding this comment.
If it means the same as SSL for SaaS, it should be removed.
| - Zero Trust Network Access | ||
| - **Exception:** Browser-based SSH and VNC is not supported. | ||
| - **Exception:** Storing SSH logs on Cloudflare is not supported. | ||
| - Advanced Certificate Manager |
There was a problem hiding this comment.
Technically, this is part of SSL/TLS.
| - Tiered Cache | ||
| - Video Stream Delivery | ||
| - WAF | ||
| - Waiting Room |
There was a problem hiding this comment.
Exception: Custom hostnames are not supported for FedRAMP High.
|
|
||
| - Zero Trust Network Access | ||
| - **Exception:** Browser-based SSH and VNC is not supported. | ||
| - **Exception:** Storing SSH logs on Cloudflare is not supported. |
There was a problem hiding this comment.
technically SSH logs are part of Zero Trust Infrastructure Access
There was a problem hiding this comment.
Think this is probably OK since Access for Infra is underneath Access' umbrella
| - Cloudflare Workers | ||
| - Cloudflare Workers KV | ||
| - Cloudflare Zero Trust | ||
| - **Note:** Third-party integrations will appear in the FedRAMP Zero Trust dashboard, but users will need to indpendently verify their integrations are FedRAMP High compliant. |
There was a problem hiding this comment.
| - **Note:** Third-party integrations will appear in the FedRAMP Zero Trust dashboard, but users will need to indpendently verify their integrations are FedRAMP High compliant. | |
| - **Note:** Third-party integrations will appear in the Cloudflare One dashboard, but customers will need to independently verify their integrations are FedRAMP High compliant. |
| - Customer Metadata Boundary | ||
| - Data Loss Prevention (DLP) | ||
| - Data Localization Suite | ||
| - DDoS Protection |
There was a problem hiding this comment.
| - DDoS Protection | |
| - DDoS Protection | |
| - **Exception:** Adaptive rules from HTTP and Network-layer DDoS Protection Managed Ruleset are not supported. |
| - Cloudflare Turnstile | ||
| - Cloudflare WARP client | ||
| - **Exception:** Directly route Microsoft 365 traffic is not supported. | ||
| - **Note:** Users will need to exempt a new of of IPs in their firewall. |
There was a problem hiding this comment.
| - **Note:** Users will need to exempt a new of of IPs in their firewall. | |
| - **Note:** Customers will need to exempt a new set of IPs in their firewall. Refer to the FedRAMP High requirements listed in the [WARP with firewall](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall/) documentation. |
| - Cloudflare Tunnel | ||
| - Cloudflare Turnstile | ||
| - Cloudflare WARP client | ||
| - **Exception:** Directly route Microsoft 365 traffic is not supported. |
There was a problem hiding this comment.
| - **Exception:** Directly route Microsoft 365 traffic is not supported. | |
| - **Exception:** When using the [Directly route Microsoft 365 traffic](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#directly-route-microsoft-365-traffic) feature, customers must independently verify that the excluded IPs are FedRAMP Authorized. |
There was a problem hiding this comment.
The M365 preconfigured split tunnel feature is supported in FedRamp dash but we want to warn customers to be responsible and verify all the IPs are what they want to exclude. The recommendation to manually exclude IPs they need in Fedramp is right.
The M365 feature note we have in the dashboard for reference is:
Note: You must confirm excluded IPs are FedRAMP Authorized before directly routing Microsoft 365 traffic.
There was a problem hiding this comment.
updated the proposed text to:
"When using the Directly route Microsoft 365 traffic feature, customers must independently verify that the excluded IPs are FedRAMP Authorized."
8 participants
Added page to list products that are under FedRAMP High In Process status. PCX-17927