Clarity for FedRAMP

Announcing Clarity for FedRAMP: CA Technologies, a Broadcom Company, successfully achieved its sponsor-endorsed authorization to operate (ATO) status for federal agencies and departments procuring cloud services. Clarity is FedRAMP authorized.
FedRAMP Overview
The Federal Risk and Authorization Management Program (FedRAMP) provides a standard approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses an efficient framework that saves time and costs previously associated with performing redundant agency security assessments.
  • Security: Provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Federal and government-based agencies are required to use highly secure cloud-based solutions that adhere to stringent levels of security while meeting U.S. government compliance regulations.
  • Mandatory: All federal agencies and departments are required to use FedRAMP authorized cloud services. FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low, moderate, and high-risk impact levels. Agencies must submit a quarterly report showing any of their cloud services that do not meet FedRAMP requirements with the appropriate rationale and proposed resolutions for achieving compliance. Private cloud deployments intended for single organizations and implemented fully within federal facilities are the only exception.
  • Value: The do-once, use-many-times framework saves cost, time, and staff required to conduct redundant agency security assessments.
Broadcom General Support System (GSS) for FedRAMP
As a portfolio software company, CA Technologies, a Broadcom Company, has implemented a General Support System (GSS) to host Broadcom FedRAMP SaaS offerings. The GSS is currently hosted on the Microsoft Azure Government IaaS cloud and could be expanded to include other FedRAMP-authorized government cloud offerings.
The GSS implements common policies and procedures, tools, and authentication services that may be consumed by the SaaS offerings. Hosted in the U.S. and operated by U.S. citizens employed by Broadcom, the GSS empowers our SaaS offerings to inherit greater than 70 percent of the 325 FedRAMP moderate baseline security controls for initial authorization, continuous monitoring, and run/operate costs.
On April 16, 2019, Clarity officially obtained its sponsor agency Authorization to Operate (ATO) designation from a major international healthcare and research organization. GSS is FedRAMP authorized as of July 09, 2019.
Leading the Way: Clarity is the first Broadcom SaaS offering to be hosted on the GSS.
The following image shows the core components in the GSS:
image2019-5-7_19-42-46.png
Clarity Commercial vs. FedRAMP Feature Differences and Alternatives
The following table lists the notable differences between commercial Clarity and the FedRAMP edition of Clarity:
In FedRAMP environments, HTML portlets are also not supported.
1. Capability(1): XOG, GEL, and NSQL Support
   Available Alternatives:
     • XOG, GEL, or NSQL (application administrators must include the "@WHERE:SECURITY:" clause in their NSQL queries)
     • GEL scripts cannot use "sql:update" tag with read/write sql statements
     • GEL scripts can use the "nsql" tag to read data
   Remediation Targets(3): This capability is a Clarity FedRAMP roadmap item being considered for a future release. Contact your Clarity account director for details.

2. Capability(1): Jaspersoft Studio(2), CA JDBC Adapter, and TIBCO JasperMobile app for use with Clarity
   Available Alternatives:
     • Use the built-in Jaspersoft reporting capabilities in Clarity for ad-hoc reports, views, tables, and to schedule reports
     • Use the stock reports provided with Clarity
     • Use the PMO Accelerator and PMO Advanced Reporting content
     • Develop portlets and dashboards in Classic PPM Studio
     • Extend the default fields for projects, resources, and other domains with custom attributes or sub-objects created in Clarity
   Remediation Targets(3): No target: Jaspersoft client tools do not support SSO with multi-factor authentication. Building reports using REST API is not supported in Jaspersoft Studio.

3. Capability(1): OData Access to the Data Warehouse
   Available Alternatives:
     • Flat-file exchange over SFTP (only supported with Clarity workflows or GEL scripts)
   Remediation Targets(3): This capability is a Clarity FedRAMP roadmap item being considered for a future release. Contact your Clarity account director for details.

4. Capability(1): Third-Party Integrations (Customizations)
   Available Alternatives:
     • ODATA endpoints and SOAP calls into the service are generally not supported
     • Integrations might be possible with agency authorization
   Remediation Targets(3): Agency Authorization Required (5)

5. Capability(1): External XML Open Gateway (XOG) Support
   Available Alternatives:
     • FedRAMP environments support the same integrations using SFTP as the commercial product; therefore, data exchange using flat file drop and retrieval is supported. (In a secure boundary, place a file on the SFTP server for flat file drop, which authenticates using key exchange.)
     • Perform XOG import/export using GEL scripts
   Remediation Targets(3): This capability is a Clarity FedRAMP roadmap item being considered for a future release. Contact your Clarity account director for details.

6. Capability(1): Direct Database Access
   Available Alternatives:
     • No workaround due to GEL script restrictions for SQL tags (VPN access is also not available)
   Remediation Targets(3): No target

7. Capability(1): Clarity Integration with CA Open WorkBench (OWB) and Microsoft Project (MSP) client tools
   Available Alternatives:
     • Obtain an authorization to implement this configuration
     • Native Clarity Scheduler, Gantt view, WBS, and task management capabilities
   Remediation Targets(3): Agency Authorization Required (4)(5)

8. Capability(1): Clarity Integration with Rally
   Available Alternatives:
     • Use the current on-premise edition of Rally with the portfolio item integration type and basic authentication
   Remediation Targets(3): Agency Authorization Required (5)

9. Capability(1): CA Productivity Accelerator
   Available Alternatives:
     • No workaround at this time
   Remediation Targets(3): No target: Investigating a resolution.

10. Capability(1): ODUM SaaS Utility and SaaS Integration Adaptor
   Available Alternatives:
     • Data exchange is supported by flat file drop and retrieval (for example, for resource loading); within a secure boundary, place a file on the SFTP server for flat-file drop (which authenticates using key exchange)
     • Perform XOG import/export using GEL scripts
     • FedRAMP editions of Clarity support SAML 2.0
   Remediation Targets(3): No target: See Available Alternatives.

(1) The features listed in this column are not available in FedRAMP-compliant editions of Clarity.
(2) Jaspersoft Studio is used to develop more advanced customer-specific reports.
(3) Remediation target dates are subject to change at any time, with or without notice.
(4) OWB and MSP clients cannot authenticate with Clarity without a valid SSO session. Agency authorization is required because OWB and MSP client users must enter their username and password to authenticate without SSO. With agency authorization, Broadcom provides a Clarity OData endpoint to enable SSO authentication; users can launch OWB or MSP clients from Clarity.
(5) Agency Authorization Required: Any approved solutions must conform to FedRAMP integration standards. Contact Broadcom or your partner for more information.
Supported GEL/CORE Tags in FedRAMP
| Location | FedRAMP Tags | Enabled |
|---|---|---|
| FedRAMP | com.niku.pmo.gel.tags.BPAUpgrade | NO |
| FedRAMP | com.niku.union.gel.tags.ExprTag | NO |
| FedRAMP | com.niku.union.gel.tags.PropertyTag | NO |
| FedRAMP | com.niku.union.gel.tags.SetDataSourceTag | NO |
| FedRAMP | org.apache.commons.jelly.tags.sql.QueryTag | NO |
| FedRAMP | com.niku.union.gel.tags.CallPMDTag | YES |
| FedRAMP | com.niku.union.gel.tags.IncludeTag | YES |
| FedRAMP | com.niku.union.gel.tags.LogTag | YES |
| FedRAMP | com.niku.union.gel.tags.NSQLTag | YES |
| FedRAMP | com.niku.union.gel.tags.OutTag | YES |
| FedRAMP | com.niku.union.gel.tags.ParseTag | YES |
| FedRAMP | com.niku.union.gel.tags.PMDParameterTag | YES |
| FedRAMP | com.niku.union.gel.tags.ScriptTag | YES |
| FedRAMP | com.niku.union.gel.tags.SetTag | YES |
| FedRAMP | com.niku.union.gel.tags.soap.InvokeTag | YES |
| FedRAMP | com.niku.union.gel.tags.soap.MessageTag | YES |
| FedRAMP | org.apache.commons.jelly.tags.core.CatchTag | YES |
| FedRAMP | org.apache.commons.jelly.tags.core.ChooseTag | YES |
| FedRAMP | org.apache.commons.jelly.tags.core.ForEachTag | YES |
| FedRAMP | org.apache.commons.jelly.tags.core.IfTag | YES |
| FedRAMP | org.apache.commons.jelly.tags.core.InvokeStaticTag | YES |
| FedRAMP | org.apache.commons.jelly.tags.core.NewTag | YES |
| FedRAMP | org.apache.commons.jelly.tags.core.OtherwiseTag | YES |
| FedRAMP | org.apache.commons.jelly.tags.core.SetTag | YES |
| FedRAMP | org.apache.commons.jelly.tags.core.WhenTag | YES |
| FedRAMP | org.apache.commons.jelly.tags.sql.ParamTag | YES |
| FedRAMP | com.niku.union.gel.tags.NSQLParameterTag | YES |
Frequently-Asked Questions
Q1: How Do FedRAMP Editions of Clarity Differ from Mainstream Commercial Editions?
A1: Clarity is available in multiple commercial releases with overlapping support lifecycles. The application can be deployed in on-premise environments, SaaS environments, and hosted environments with dev, test, and prod configurations. Our FedRAMP ATO does not transfer to on-premise deployments. To meet strict FedRAMP security requirements, some Clarity features are disabled in FedRAMP environments. See Clarity Commercial vs. FedRAMP Differences and Alternative Options above.
Q2: Is FedRAMP Preferred or Required?
A2: Both. Cloud services are preferred due to their reduced infrastructure costs, better scalability, Disaster Recovery (DR) features, and other technological benefits. They are also required. In 2010, the Office of Management and Budget (OMB) established a Cloud First policy for federal departments. The original requirements have resulted in a significant shift toward using authorized cloud offerings. Today, all federal departments and agencies are required to use FedRAMP-authorized cloud services.
Q3: Why Would a Clarity Commercial Customer Switch to the FedRAMP Service?
A3: Clarity commercial customers with Federal contract requirements to protect controlled unclassified information should consider the FedRAMP service. For example, an aerospace firm is looking to expand their jet engine business to include military aircraft. DFARS requires protecting controlled unclassified mission-oriented information for weapon systems (to meet 125 controls).
Q4: To What Extent Do Broadcom and Clarity Support My FedRAMP Needs?
A4: Broadcom is committed to offering FedRAMP authorized solutions. You can rely on robust support from Broadcom and the GSS. Clarity has achieved FedRAMP authorized status with an official FedRAMP Moderate Impact Agency ATO. See the top of this page to learn more.
Q5: How is My Data Encrypted in the Clarity FedRAMP Service?
A5: All data in transit and at rest is encrypted using FIPS 140-2 validated encryption modules.
Q6: Does the Clarity FedRAMP Service Accept Native PIV/CAC card access?
A6: Not at this time; however, the Clarity FedRAMP service does accept SAML assertions from your identity provider (for example, Active Directory).
Q7: We Are Not Sure We Need FedRAMP, But Must Check the Box on FISMA; What Can We Do?
A7: You could request and use the FedRAMP SSP as guidance for an on-premise SSP. However, the Clarity FedRAMP ATO is not transferable to on-premise environments.
Q8: Is the Clarity Mobile App supported?
A8: Yes. You can use the Log in with SSO option to use the new Clarity mobile app with the FedRAMP service.
Q9: Do FedRAMP contracts have separate SaaS Service Listing documentation?
A: Yes, the current commercial SaaS Service Listing documentation was updated for FedRAMP.
Q10: Does the Clarity FedRAMP Service Integrate with Rally On-Premise?
A10: From an authentication perspective, the Clarity / Rally product teams are currently testing whether this configuration using ‘basic authentication’ (single-factor authentication) operates as expected. Should the validation prove positive, the implementing agency will be required to obtain an authorization to implement this configuration. Using the Portfolio Item Integration type, Clarity establishes a connection with Rally OP to pull work execution details. Clarity passwords are encrypted in both the application and the database. Currently, Rally on-premise does not support API Keys or the Investment integration type.
Q11: What Integration Support is Included with the Clarity FedRAMP solution?
A: Existing commercial integrations are not supported; however, some legacy integrations from select partners are being reviewed to identify a body of knowledge for meeting FedRAMP authentication and data transfer requirements.
Q12: Is Clarity Section 508 Compliant?
Clarity performs accessibility validation on every major release and completes the requisite VPAT. For a copy of the current VPAT, please contact your Broadcom sales representative.
Q13: How Do I Access Clarity FedRAMP Product Documentation?
A: Security documentation is requested from the PMO. The customer-facing product documentation for Clarity is available at techdocs.broadcom.com.
Q14: Does Clarity for FedRAMP limit concurrent user sessions?
A: Not at this time; however, this capability is a Clarity FedRAMP roadmap item being considered for a future release.
Q15: Does Clarity for FedRAMP support Unicode?
Yes. Clarity supports UTF8.
Q16: Does Clarity for FedRAMP support the Clarity New User Experience?
Yes. The New User Experience is now supported by Clarity for FedRAMP.
Q17: Does Clarity for FedRAMP support REST APIs?
Yes. Clarity for FedRAMP supports REST APIs. However, agencies need to use API keys in Clarity. To learn more about using API keys, see REST API: Define Clients and Generate Keys for Integrations with Clarity.