---
title: FedRAMP compliance for feature flags
description: 'FedRAMP compliant feature flags at scale with Unleash.'
---

# FedRAMP compliance

## Overview

When operating in a [FedRAMP-compliant](https://www.fedramp.gov/program-basics/) environment, it's crucial to ensure that all integrated systems, including feature flagging solutions, adhere to the same compliance standards. Using a homegrown or third-party feature flag system that does not support FedRAMP standards can compromise your certification and introduce unnecessary risks.

This guide provides an overview of how [Unleash Enterprise](https://www.getunleash.io/pricing) features align with FedRAMP controls, helping your organization meet its compliance requirements. 

## Access Control

| **FedRAMP Control**                                                                                                           | **Unleash Feature**                                                                                                                                                                                                                                                                                                           |
|-------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [AC-02 Account Management](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-2) | Unleash uses [role-based access control](/reference/rbac) (RBAC) with configurable permissions. In addition, you can integrate Unleash roles with other identity systems using [SCIM](/reference/scim). You can control authorization at different levels with [single sign-on](/reference/sso) (SSO) and [personal access tokens](/reference/api-tokens-and-client-keys#personal-access-tokens). |
| [AC-04 Information Flow Enforcement](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-4) | Unleash supports information flow control with architectural system components like [Unleash Proxy](/reference/unleash-proxy) or [Unleash Edge](/reference/unleash-edge), and configuration-level options like IP allow-lists.                                                                                                              |
| [AC-07 Unsuccessful Logon Attempts](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-7) | Unleash restricts user logins after 10 failed attempts.                                                                                                                                                                                                                                                                      |

## Audit and Accountability

| **FedRAMP Control**                                                                                      | **Unleash Feature**                                                                                                                                                                                |
|----------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [AU-02 Event Logging](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-2)           | Unleash provides detailed [audit logs and event tracking](/reference/events), accessible through the Admin UI or exportable for integration with other systems.                                      |
| [AU-12 Audit Record Generation](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-12) | Unleash provides detailed [audit logs and event tracking](/reference/events), accessible through the Admin UI or exportable for integration with other systems.                                      |

## Security Assessment and Authorization

| **FedRAMP Control**                                                                             | **Unleash Feature**                                                                                                                       |
|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [CA-8 Penetration Testing](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CA-8) | Unleash conducts annual penetration testing by external auditors; results are available upon [request](https://www.getunleash.io/plans/enterprise).                                                      |

## Configuration Management

| **FedRAMP Control**                                                                                          | **Unleash Feature**                                                                                                                                          |
|--------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [CM-02 Baseline Configuration](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-2)         | Unleash provides [Export](/how-to/how-to-environment-import-export) functionality that facilitates keeping a configuration snapshot of feature flags and related entities in the audit records. Instance-wide configurations, such as projects, users, and roles, can be managed and restored using the [Unleash Terraform provider](/reference/terraform).                                           |
| [CM-05 Access Restrictions for Change](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-5) | Unleash provides advanced [role-based access control](/reference/rbac) (RBAC) controls to implement logical access restrictions. [Change Requests](/reference/change-requests) help you define and track approval flows. |

## Identification and Authentication

| **FedRAMP Control**                                                                                                         | **Unleash Feature**                                                                                                      |
|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
| [IA-02 Identification and Authentication](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-2) (Organizational Users)                | Unleash provides single sign-on (SSO) to enable customers to enforce multi-factor authentication (MFA) for all Unleash users. |
| [IA-02 (01) Identification and Authentication](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-2) (Organizational Users); Multi-factor Authentication to Privileged Accounts     | Unleash provides SSO to enable customers to enforce multi-factor authentication (MFA) for all Unleash users.              |
| [IA-02 (02) Identification and Authentication](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-2) (Organizational Users); Multi-factor Authentication to Non-privileged Accounts | Unleash provides SSO to enable customers to enforce multi-factor authentication (MFA) for all Unleash users.              |
| [IA-02 (08) Identification and Authentication](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-2) (Organizational Users); Access to Accounts — Replay Resistant                  | Unleash restricts user logins after 10 failed attempts.                                                                   |

## System and Communications Protection

| **FedRAMP Control**                                                                                   | **Unleash Feature**                                                                                                         |
|-------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|
| [SC-08 (01) Transmission Confidentiality and Integrity](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-8) (Cryptographic Protection) | Unleash implements cryptographic protection for data in transit, as detailed in our SOC2 report (available upon [request](https://www.getunleash.io/plans/enterprise). |
| [SC-17 Public Key Infrastructure Certificates](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-17)                              | Unleash uses PKI certificates issued by AWS and Google.                                                                    |