Clarity for FedRAMP

Announcing Clarity for FedRAMP: CA Technologies, a Broadcom Company, successfully achieved its sponsor-endorsed authorization to operate (ATO) status for federal agencies and departments procuring cloud services. Clarity is FedRAMP authorized.
FedRAMP Overview
The Federal Risk and Authorization Management Program (FedRAMP) provides a standard approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses an efficient framework that saves the time and costs previously associated with performing redundant agency security assessments.
  • Security: Provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Federal and government-based agencies are required to use highly secure cloud-based solutions that adhere to stringent levels of security while meeting U.S. government compliance regulations.
  • Mandatory: All federal agencies and departments are required to use FedRAMP authorized cloud services. FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low, moderate, and high-risk impact levels. Agencies must submit a quarterly report showing any of their cloud services that do not meet FedRAMP requirements with the appropriate rationale and proposed resolutions for achieving compliance. Private cloud deployments intended for single organizations and implemented fully within federal facilities are the only exception.
  • Value: The do-once, use-many-times framework saves cost, time, and staff required to conduct redundant agency security assessments.
Broadcom General Support System (GSS) for FedRAMP
As an enterprise software company, CA Technologies, a Broadcom Company, has implemented a General Support System (GSS) to host Broadcom FedRAMP SaaS offerings. The GSS is currently hosted on the Microsoft Azure Government SaaS cloud and could be expanded to include other FedRAMP-authorized government cloud offerings.
The GSS implements common policies and procedures, tools, and authentication services that may be consumed by the SaaS offerings. Hosted in the U.S. and operated by U.S. citizens employed by Broadcom, the GSS empowers our SaaS offerings to inherit greater than 70 percent of the 325 FedRAMP moderate baseline security controls for initial authorization, continuous monitoring, and run/operate costs.
On April 16, 2019, Clarity officially obtained its sponsor agency Authorization to Operate (ATO) designation from a major international healthcare and research organization. GSS is FedRAMP authorized as of July 09, 2019.
Leading the Way: Clarity is the first Broadcom SaaS offering to be hosted on the GSS.
The following image shows the core components in the GSS:
[Image: core components in the GSS]
Clarity Commercial vs. FedRAMP Feature Differences and Alternatives
The table below lists notable Clarity commercial capabilities and the Clarity FedRAMP differences or alternatives:
In FedRAMP environments, HTML portlets are not supported.
Table columns: Commercial Capability, FedRAMP Alternatives, Remediation Targets (3)
1. Commercial Capability: XOG, GEL, and NSQL Support
   FedRAMP Alternatives:
     • Use either XOG, GEL, or NSQL
     • Application administrators must include the "@WHERE:SECURITY:" clause in their NSQL queries
     • GEL scripts cannot use the "sql:update" tag with read/write SQL statements
     • GEL scripts can use the "nsql" tag to read data
   Remediation Target: N/A
2. Commercial Capability: Jaspersoft Studio (2), CA JDBC Adapter, and TIBCO JasperMobile app for use with Clarity
   FedRAMP Alternatives:
     • Use out-of-box Jaspersoft reporting capabilities in Clarity for ad-hoc reports, views, tables, and to schedule reports
     • Use the stock reports provided with Clarity.
     • Use the PMO Accelerator and PMO Advanced Reporting content.
     • Develop portlets and dashboards in Classic PPM
     • Extend the default fields for projects, resources, and other domains with custom attributes or sub-objects created in Clarity.
   Remediation Target: No target: Jaspersoft client tools, integrated with Clarity, do not support SSO with multi-factor authentication directly to Jaspersoft.
3. Commercial Capability: OData access to the Data Warehouse
   FedRAMP Alternatives:
     • Use flat-file exchange over SFTP.
     • This is supported by using Clarity workflows or GEL scripts.
   Remediation Target: This capability is a Clarity FedRAMP roadmap item being considered for a future release. Contact your Clarity account director for details.
4. Commercial Capability: Third-party integrations and external XML Open Gateway (XOG) Support (4)
   FedRAMP Alternatives:
     • FedRAMP environments support integrations using SFTP, as the commercial product does; therefore, data exchange using flat-file drop and retrieval is supported.
     • In a secure boundary, place a file on the SFTP server for the flat-file drop, which authenticates using the key exchange. To learn more, see Key-based Authentication.
     • Perform XOG import/export using GEL scripts
   Remediation Target: This capability is a Clarity FedRAMP roadmap item being considered for a future release. Contact your Clarity account director for details.
5. Commercial Capability: Direct Database Access
   FedRAMP Alternatives:
     • No workaround due to GEL script restrictions for SQL tags (VPN access is also not available)
     • NSQL tags are supported where application administrators include the "@WHERE:SECURITY:" clause
     • VPN access is also not available
   Remediation Target: No target
6. Commercial Capability: Clarity Integration with CA Open WorkBench (OWB) and Microsoft Project (MSP) client tools
   FedRAMP Alternatives:
     • Obtain authorization to implement this configuration
     • Native Clarity Scheduler, Gantt view, WBS, and task management capabilities
   Remediation Target: This capability is a Clarity FedRAMP roadmap item being considered for a future release. Contact your Clarity account director for details.
7. Commercial Capability: Clarity Integration with Rally
   FedRAMP Alternatives:
     • Use the current on-premise edition of Rally with the portfolio item integration type and basic authentication
   Remediation Target: This capability is dependent upon the introduction of a Rally FedRAMP service.
(2) Jaspersoft Studio is used to develop more advanced customer-specific reports.
(3) Remediation target dates are subject to change at any time, with or without notice.
(4) OWB and MSP clients cannot authenticate with Clarity without a valid SSO session. Agency authorization is required because OWB and MSP client users must enter their username and password to authenticate without SSO. With agency authorization, Broadcom provides a Clarity OData endpoint to enable SSO authentication; users can launch OWB or MSP clients from Clarity.
Unsupported GEL/CORE Tags in FedRAMP
The following GEL tags are unsupported due to possible unauthorized data access or environmental concerns. The FedRAMP SaaS operations team will work directly with agencies or services partners to identify needed GEL tags for a Clarity implementation for compliance.
Location | FedRAMP Tags
FedRAMP | com.niku.pmo.gel.tags.BPAUpgrade
FedRAMP | org.apache.commons.jelly.tags.sql.QueryTag
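A pre-submission check for the GEL and NSQL restrictions above, as an added example (not Broadcom's code or tooling): it resolves tags by namespace rather than by prefix, so sql:update and sql:query (the tag implemented by org.apache.commons.jelly.tags.sql.QueryTag) are flagged under any prefix, and it tests NSQL text for the "@WHERE:SECURITY:" clause. The "jelly:sql" namespace binding, the function names, and the sample script and query are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: GEL scripts bind the Jelly SQL tag library to this namespace URI.
JELLY_SQL_NS = "jelly:sql"
# sql:update is restricted per the table above; sql:query is the tag
# implemented by org.apache.commons.jelly.tags.sql.QueryTag.
BLOCKED_SQL_TAGS = {"update", "query"}
SECURITY_CLAUSE = "@WHERE:SECURITY:"


def lint_gel(script_xml):
    """Return sorted findings for blocked Jelly SQL tags in one GEL script."""
    try:
        root = ET.fromstring(script_xml)
    except ET.ParseError as exc:
        # A script that cannot be parsed cannot be reviewed; report it.
        return ["unparseable script: %s" % exc]
    findings = set()
    for elem in root.iter():
        # ElementTree expands prefixes, so the tag reads "{namespace}local".
        if elem.tag.startswith("{"):
            namespace, local = elem.tag[1:].split("}", 1)
            if namespace == JELLY_SQL_NS and local in BLOCKED_SQL_TAGS:
                findings.add("blocked tag sql:" + local)
    return sorted(findings)


def nsql_has_security_clause(nsql_text):
    """True when the NSQL text contains the required security construct."""
    return SECURITY_CLAUSE in nsql_text


# Constructed sample: the SQL library is bound to a non-default prefix ("db").
SAMPLE_GEL = """<gel:script xmlns:core="jelly:core"
    xmlns:gel="jelly:com.niku.union.gel.GELTagLibrary" xmlns:db="jelly:sql">
  <db:update>UPDATE example_table SET example_col = 1</db:update>
  <db:query var="rows">SELECT example_col FROM example_table</db:query>
</gel:script>"""

# Constructed sample NSQL query text.
SAMPLE_NSQL = """SELECT @SELECT:DIM:USER_DEF:IMPLIED:PROJECT:p.id:proj_id@
FROM inv_investments p
WHERE @FILTER@ AND @WHERE:SECURITY:PROJECT:p.id@"""

if __name__ == "__main__":
    print(lint_gel(SAMPLE_GEL))
    print(nsql_has_security_clause(SAMPLE_NSQL))
```

The check does not cover com.niku.pmo.gel.tags.BPAUpgrade, because the page gives only its class name and not the tag it is exposed as.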
Frequently Asked Questions
Q1: How Does Clarity SaaS FedRAMP Differ from Clarity SaaS Commercial?
A1: Clarity is available in multiple commercial releases with overlapping support lifecycles. The application can be deployed in on-premise environments, SaaS environments, and hosted environments with dev, test, and prod configurations. Our FedRAMP ATO does not transfer to on-premise deployments. To meet strict FedRAMP security requirements, some Clarity commercial features are disabled in Clarity FedRAMP environments. See Clarity Commercial vs. FedRAMP Feature Differences and Alternatives above.
Q2: Is FedRAMP Preferred or Required?
A2: Both. Cloud services are preferred due to their reduced infrastructure costs, better scalability, Disaster Recovery (DR) features, and other technological benefits. They are also required. In 2010, the Office of Management and Budget (OMB) established a Cloud First policy for federal departments. The original requirements have resulted in a significant shift toward using authorized cloud offerings. Today, all federal departments and agencies are required to use FedRAMP-authorized cloud services.
Q3: Why Would a Clarity SaaS Commercial Customer Switch to the FedRAMP Service?
A3: Clarity commercial customers with Federal contract requirements to protect controlled unclassified information should consider the FedRAMP service. For example, an aerospace firm is looking to expand its jet engine business to include military aircraft. DFARS requires protecting controlled unclassified mission-oriented information for weapon systems (to meet 125 controls).
Q4: To What Extent Do Broadcom and Clarity Support My FedRAMP Needs?
A4: Broadcom is committed to offering FedRAMP authorized solutions. You can rely on robust support from Broadcom and the GSS. Clarity has achieved FedRAMP authorized status with an official FedRAMP Moderate Impact Agency ATO. See the top of this page to learn more.
Q5: How Is My Data Encrypted in the Clarity FedRAMP Service?
A5: All data in transit and at rest is encrypted using FIPS 140-2 validated encryption modules.
Q6: Does the Clarity FedRAMP Service Accept Native PIV/CAC Card Access?
A6: Yes, the Clarity FedRAMP service does accept SAML assertions from an identity provider. Agencies are required to implement proper authentication strategies to support PIV/CAC card access.
Q7: We Are Not Sure We Need FedRAMP, But Must Check the Box on FISMA; What Can We Do?
A7: You could request and use the FedRAMP SSP as guidance for an on-premise SSP. However, the Clarity FedRAMP ATO is not transferable to on-premise environments.
Q8: Is the Clarity Mobile App Supported?
A8: Yes. Clarity mobile can be used in a FedRAMP environment in concert with the SSO Login option.
Q9: Do FedRAMP Contracts Have Separate SaaS Service Listing Documentation?
A9: Yes, FedRAMP SaaS Service Listing documentation is available upon request.
Q10: Is Clarity Section 508 Compliant?
A10: Clarity performs accessibility validation on every major release and completes the requisite VPAT. For a copy of the current VPAT, please contact your Broadcom sales representative.
Q11: How Do I Gain Access to Clarity FedRAMP System Security Package (SSP) Documentation?
A11: Please visit the FedRAMP marketplace. Complete the Package Access Request Form.
Q12: Does Clarity FedRAMP Limit Concurrent User Sessions?
A12: Not at this time; however, this capability is a Clarity FedRAMP roadmap item being considered for a future release.
Q13: Does Clarity FedRAMP Support Unicode?
A13: Yes. Clarity supports UTF8.
Q14: Does Clarity FedRAMP Support the Clarity Modern User Experience?
A14: Yes. The Modern User Experience is now supported for Clarity FedRAMP.
Q15: Does Clarity FedRAMP Support REST APIs?
A15: Yes. Clarity FedRAMP supports REST APIs. However, agencies need to use API keys in Clarity. To learn more about using API keys, see Key-based Authentication.