for FedRAMP

for FedRAMP
: CA Technologies, a Broadcom Company, successfully achieved its sponsor-endorsed authorization to operate (ATO) status for federal agencies and departments procuring cloud services.
is FedRAMP authorized.
FedRAMP Overview
The Federal Risk and Authorization Management Program (FedRAMP) provides a standard approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses an efficient framework that saves the time and costs previously associated with performing redundant agency security assessments.
  • Security
    : Provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Federal and government-based agencies are required to use highly secure cloud-based solutions that adhere to stringent levels of security while meeting U.S. government compliance regulations.
  • Mandatory
    : All federal agencies and departments are required to use FedRAMP authorized cloud services. FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low, moderate, and high-risk impact levels. Agencies must submit a quarterly report showing any of their cloud services that do not meet FedRAMP requirements with the appropriate rationale and proposed resolutions for achieving compliance. Private cloud deployments intended for single organizations and implemented fully within federal facilities are the only exception.
  • Value
    : The do-once, use-many-times framework saves cost, time, and staff required to conduct redundant agency security assessments.
Broadcom General Support System (GSS) for FedRAMP
As an enterprise software company, CA Technologies, a Broadcom Company, has implemented a General Support System (GSS) to host Broadcom FedRAMP SaaS offerings. The GSS is currently hosted on the Microsoft Azure Government SaaS cloud and could be expanded to include other FedRAMP-authorized government cloud offerings.
The GSS implements common policies and procedures, tools, and authentication services that may be consumed by the SaaS offerings. Hosted in the U.S. and operated by U.S. citizens employed by Broadcom, the GSS empowers our SaaS offerings to inherit greater than 70 percent of the 325 FedRAMP moderate baseline security controls for initial authorization, continuous monitoring, and run/operate costs.
On April 16, 2019,
officially obtained its sponsor agency Authorization to Operate (ATO) designation from a major international healthcare and research organization. GSS is FedRAMP authorized as of July 09, 2019.
Leading the Way
is the first Broadcom SaaS offering to be hosted on the GSS.
The following image shows the core components in the GSS:
Commercial vs. FedRAMP Feature Differences and Alternatives
The table below lists notable
commercial capabilities and the
FedRAMP differences or alternatives:
In FedRAMP environments, HTML portlets are not supported.
Commercial capability: XOG, GEL, and NSQL Support
FedRAMP alternatives:
  • Use either XOG, GEL, or NSQL
  • Application administrators must include the "@WHERE:SECURITY:" clause in their NSQL queries
  • GEL scripts cannot use the "sql:update" tag with read/write SQL statements
  • GEL scripts can use the "nsql" tag to read data

Commercial capability: Jaspersoft Studio (2), CA JDBC Adapter, and TIBCO JasperMobile app for use with
FedRAMP alternatives:
  • Use out-of-box Jaspersoft reporting capabilities in
    for ad-hoc reports, views, tables, and to schedule reports
  • Use the stock reports provided with Clarity.
  • Use the PMO Accelerator and PMO Advanced Reporting content.
  • Develop portlets and dashboards in Classic PPM
  • Extend the default fields for projects, resources, and other domains with custom attributes or sub-objects created in Clarity.
Remediation target (3): No target
: Jaspersoft client tools, integrated with
, does not support SSO with multi-factor authentication directly to Jaspersoft.

Commercial capability: OData access to the Data Warehouse
FedRAMP alternatives:
  • Use flat-file exchange over SFTP.
  • This is supported by using Clarity workflows or GEL scripts.
Remediation target (3): This capability is a
FedRAMP roadmap item being considered for a future release. Contact your
account director for details.

Commercial capability: Third-party integrations and external XML Open Gateway (XOG) Support (4)
FedRAMP alternatives:
  • FedRAMP environments support integrations using SFTP, as in the commercial product; therefore, data exchange using flat-file drop and retrieval is supported.
  • From within a secure boundary, place a file on the SFTP server for the flat-file drop; the server authenticates using key exchange. To learn more, see Key-based Authentication.
  • Perform XOG import/export using GEL scripts
Remediation target (3): This capability is a
FedRAMP roadmap item being considered for a future release. Contact your
account director for details.

Commercial capability: Direct Database Access
FedRAMP alternatives:
  • No workaround due to GEL script restrictions for SQL tags (VPN access is also not available)
  • NSQL tags are supported where application administrators include the "@WHERE:SECURITY:" clause
  • VPN access is also not available
Remediation target (3): No target

Commercial capability: Integration with CA Open WorkBench (OWB) and Microsoft Project (MSP) client tools
FedRAMP alternatives:
  • Obtain authorization to implement this configuration
  • Native
    Scheduler, Gantt view, WBS, and task management capabilities
Remediation target (3): This capability is a Clarity FedRAMP roadmap item being considered for a future release. Contact your Clarity account director for details.

Commercial capability: Integration with Rally
FedRAMP alternatives:
  • Use the current on-premise edition of Rally with the portfolio item integration type and basic authentication
Remediation target (3): This capability is dependent upon the introduction of a Rally FedRAMP service.

(2) Jaspersoft Studio is used to develop more advanced customer-specific reports.
(3) Remediation target dates are subject to change at any time, with or without notice.
(4) OWB and MSP clients cannot authenticate with Clarity without a valid SSO session. Agency authorization is required because OWB and MSP client users must enter their username and password to authenticate without SSO. With agency authorization, Broadcom provides a Clarity OData endpoint to enable SSO authentication; users can launch OWB or MSP clients from
Unsupported GEL/CORE Tags in FedRAMP
The following GEL tags are unsupported due to possible unauthorized data access or environmental concerns. The FedRAMP SaaS operations team will work directly with agencies or services partners to identify needed GEL tags for a Clarity implementation for compliance.
FedRAMP Tags
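The GEL and NSQL restrictions listed in the feature comparison above can be checked before a script is submitted for a FedRAMP environment. The following is an added example, not Broadcom code: it flags "sql:update" tags and NSQL text that lacks the "@WHERE:SECURITY:" clause. The namespace URIs, the gel:nsql element spelling, the @SELECT: heuristic for recognizing NSQL, and both sample scripts are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SQL_NS = "jelly:sql"                 # assumed namespace URI bound to the sql: prefix
SECURITY_CLAUSE = "@WHERE:SECURITY:"
NSQL_MARKER = "@SELECT:"             # heuristic: NSQL text contains @SELECT: constructs


def lint_gel(script_xml):
    """Return (rule, detail) findings for one GEL script given as an XML string."""
    try:
        root = ET.fromstring(script_xml)
    except ET.ParseError as exc:
        # A script that does not parse cannot be checked, so report it as a finding.
        return [("parse-error", str(exc))]
    findings = []
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]
        if elem.tag == f"{{{SQL_NS}}}update":
            findings.append(("sql-update", "sql:update tag is not allowed"))
        text = elem.text or ""
        if NSQL_MARKER in text and SECURITY_CLAUSE not in text:
            findings.append(("nsql-no-security", f"<{local}> query lacks {SECURITY_CLAUSE}"))
    return findings


# Constructed sample scripts; the gel:nsql element name and both namespace URIs are assumptions.
HEADER = '<gel:script xmlns:gel="jelly:com.niku.union.gel.GELTagLibrary" xmlns:sql="jelly:sql">'
BAD_SCRIPT = HEADER + """
  <sql:update>UPDATE inv_investments SET name = 'x' WHERE id = 1</sql:update>
  <gel:nsql>
    SELECT @SELECT:DIM:USER_DEF:IMPLIED:PROJECT:P.ID:PROJECT_ID@
    FROM inv_investments P WHERE @FILTER@
  </gel:nsql>
</gel:script>"""
GOOD_SCRIPT = HEADER + """
  <gel:nsql>
    SELECT @SELECT:DIM:USER_DEF:IMPLIED:PROJECT:P.ID:PROJECT_ID@
    FROM inv_investments P
    WHERE @FILTER@ AND @WHERE:SECURITY:PROJECT:P.ID@
  </gel:nsql>
</gel:script>"""

if __name__ == "__main__":
    for name, script in (("bad", BAD_SCRIPT), ("good", GOOD_SCRIPT)):
        print(name, lint_gel(script) or "clean")
```

A textual check like this only catches the two rules named on this page; the list of unsupported tags is enforced by the FedRAMP SaaS operations team.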
Frequently Asked Questions
Q1: How Does Clarity SaaS FedRAMP Differ from Clarity SaaS Commercial?
A1: Clarity is available in multiple commercial releases with overlapping support lifecycles. The application can be deployed in on-premise environments, SaaS environments, and hosted environments with dev, test, and prod configurations. Our FedRAMP ATO does not transfer to on-premise deployments. To meet strict FedRAMP security requirements, some Clarity commercial features are disabled in Clarity FedRAMP environments. See Clarity Commercial vs. FedRAMP Feature Differences and Alternatives above.
Q2: Is FedRAMP Preferred or Required?
A2: Both. Cloud services are preferred due to their reduced infrastructure costs, better scalability, Disaster Recovery (DR) features, and other technological benefits. They are also required. In 2010, the Office of Management and Budget (OMB) established a Cloud First policy for federal departments. The original requirements have resulted in a significant shift toward using authorized cloud offerings. Today, all federal departments and agencies are required to use FedRAMP-authorized cloud services.
Q3: Why Would a
SaaS Commercial Customer Switch to the FedRAMP Service?
A3: Clarity commercial customers with Federal contract requirements to protect controlled unclassified information should consider the FedRAMP service. For example, an aerospace firm is looking to expand their jet engine business to include military aircraft. DFARS requires protecting controlled unclassified mission-oriented information for weapon systems (to meet 125 controls).
Q4: To What Extent Do Broadcom and
Support My FedRAMP Needs?
A4: Broadcom is committed to offering FedRAMP authorized solutions. You can rely on robust support from Broadcom and the GSS.
has achieved FedRAMP authorized status with an official FedRAMP Moderate Impact Agency ATO. See the top of this page to learn more.
Q5: How is My Data Encrypted in the
FedRAMP Service?
A5: All data in transit and at rest is encrypted using FIPS 140-2 validated encryption modules.
Q6: Does the Clarity FedRAMP Service Accept Native PIV/CAC card access?
A6: Yes, the Clarity FedRAMP service does accept SAML assertions from an identity provider. Agencies are required to implement proper authentication strategies to support PIV/CAC card access.
Q7: We Are Not Sure We Need FedRAMP, But Must Check the Box on FISMA; What Can We Do?
A7: You could request and use FedRAMP SSP as guidance for on-premise SSP. However, the
FedRAMP ATO is not transferable to on-premise environments.
Q8: Is the
Mobile App supported?
A8: Yes. Clarity mobile can be used in a FedRAMP environment in concert with the SSO Login option.
Q9: Do FedRAMP contracts have separate SaaS Service Listing documentation?
A9: Yes, FedRAMP SaaS Service Listing documentation is available upon request.
Q10: Is
Section 508 Compliant?
A10: Clarity performs accessibility validation on every major release and completes the requisite VPAT. For a copy of the current VPAT, please contact your Broadcom sales representative.
Q11: How Do I gain access
FedRAMP system security package (SSP) Documentation?
A11: Please visit the FedRAMP marketplace. Complete the Package Access Request Form.
Q12: Does Clarity FedRAMP limit concurrent user sessions?
A12: Not at this time; however, this capability is a
FedRAMP roadmap item being considered for a future release.
Q13: Does Clarity FedRAMP support Unicode?
A13: Yes. Clarity supports UTF-8.
Q14: Does Clarity FedRAMP support the Clarity Modern User Experience?
A14: Yes. The Modern User Experience is now supported for Clarity FedRAMP.
Q15: Does Clarity FedRAMP support REST APIs?
A15: Yes. Clarity FedRAMP supports REST APIs. However, agencies need to use API keys in
. To learn more about using API keys, see Key-based Authentication.