Clarity PPM for FedRAMP

Announcing Clarity PPM for FedRAMP: CA Technologies, a Broadcom Company, successfully achieved its sponsor-endorsed authorization to operate (ATO) status for federal agencies and departments procuring cloud services. We are working toward our official FedRAMP ATO, expected before the end of the current calendar year.
FedRAMP Overview
The Federal Risk and Authorization Management Program (FedRAMP) program provides a standard approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses an efficient framework that saves time and costs previously associated with performing redundant agency security assessments.
  • Security: Provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Federal and government-based agencies are required to use highly secure cloud-based solutions that adhere to stringent levels of security while meeting U.S. government compliance regulations.
  • Mandatory: All federal agencies and departments are required to use FedRAMP authorized cloud services. FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low, moderate, and high risk impact levels. Agencies must submit a quarterly report showing any of their cloud services that do not meet FedRAMP requirements with the appropriate rationale and proposed resolutions for achieving compliance. Private cloud deployments intended for single organizations and implemented fully within federal facilities are the only exception.
  • Value: The do-once, use-many-times framework saves cost, time, and staff required to conduct redundant agency security assessments.
The following image highlights the Clarity PPM journey to becoming a FedRAMP cloud service offering:
[Image: the Clarity PPM journey to becoming a FedRAMP cloud service offering]
Broadcom General Support System (GSS) for FedRAMP
As a portfolio software company, CA Technologies, a Broadcom Company, has implemented a General Support System (GSS) to host Broadcom FedRAMP SaaS offerings. The GSS is currently hosted on the Microsoft Azure Government IaaS cloud and could be expanded to include other FedRAMP-authorized government cloud offerings.
The GSS implements common policies and procedures, tools, and authentication services that may be consumed by the SaaS offerings. Hosted in the U.S. and operated by U.S. citizens employed by Broadcom, the GSS empowers our SaaS offerings to inherit greater than 70 percent of the 325 FedRAMP moderate baseline security controls for initial authorization, continuous monitoring, and run/operate costs.
On April 16, 2019, Clarity PPM officially obtained its sponsor agency Authorization to Operate (ATO) designation from a major international healthcare and research organization. This customer has converted from commercial PPM to the FedRAMP service. Additional interest continues to be received and we continue to add new customers for this service as we seek our formal FedRAMP ATO designation.
Leading the Way: Clarity PPM is the first Broadcom SaaS offering to be hosted on the GSS.
The following image shows the core components in the GSS:
[Image: core components of the GSS]
Clarity PPM Commercial vs. FedRAMP Feature Differences and Alternatives
The following table lists the notable differences between commercial Clarity PPM and the FedRAMP edition of Clarity PPM:
Each entry lists the capability (1), the available alternatives, and the remediation target (3).

1. Capability (1): Clarity PPM New User Experience
   Available alternatives:
     • Until supported, this feature remains disabled
     • Use Classic PPM
     • Apply the Phoenix UI theme for a more modern user experience
   Remediation target (3): This capability is a Clarity PPM FedRAMP roadmap item being considered for a future release. Contact your Clarity PPM account director for details.

2. Capability (1): REST API Support
   Available alternatives:
     • XOG, GEL, or NSQL (application administrators must include the "@WHERE:SECURITY:" clause in their NSQL queries)
     • The REST API is not externally accessible by agencies due to lack of key exchange and no SSO support
   Remediation target (3): This capability is a Clarity PPM FedRAMP roadmap item being considered for a future release. Contact your Clarity PPM account director for details.

3. Capability (1): Jaspersoft Studio (2), CA JDBC Adapter, and TIBCO JasperMobile app for use with Clarity PPM
   Available alternatives:
     • Use the built-in Jaspersoft reporting capabilities in Clarity PPM for ad-hoc reports, views, tables, and to schedule reports
     • Use the stock reports provided with Clarity
     • Use the PMO Accelerator and PMO Advanced Reporting content
     • Develop portlets and dashboards in Classic PPM Studio
     • Extend the default fields for projects, resources, and other domains with custom attributes or sub-objects created in Clarity
   Remediation target (3): No target. Jaspersoft client tools do not support SSO with multi-factor authentication. Building reports using the REST API is not supported in Jaspersoft Studio.

4. Capability (1): OData Access to the Data Warehouse
   Available alternatives:
     • Flat-file exchange over SFTP (only supported with Clarity PPM workflows or GEL scripts)
   Remediation target (3): This capability is a Clarity PPM FedRAMP roadmap item being considered for a future release. Contact your Clarity PPM account director for details.

5. Capability (1): Third-Party Integrations (Customizations)
   Available alternatives:
     • OData endpoints and SOAP calls into the service are generally not supported
     • Integrations might be possible with agency authorization
   Remediation target (3): Agency Authorization Required (5)

6. Capability (1): External XML Open Gateway (XOG) Support
   Available alternatives:
     • FedRAMP environments support the same integrations using SFTP as the commercial product; therefore, data exchange using flat file drop and retrieval is supported. (In a secure boundary, place a file on the SFTP server for flat file drop, which authenticates using key exchange.)
     • Perform XOG import/export using GEL scripts
   Remediation target (3): This capability is a Clarity PPM FedRAMP roadmap item being considered for a future release. Contact your Clarity PPM account director for details.

7. Capability (1): Direct Database Access
   Available alternatives:
     • No workaround due to GEL script restrictions for SQL tags (VPN access is also not available)
   Remediation target (3): No target

8. Capability (1): Clarity PPM Integration with CA Open WorkBench (OWB) and Microsoft Project (MSP) client tools
   Available alternatives:
     • Obtain an authorization to implement this configuration
     • Native Clarity PPM Scheduler, Gantt view, WBS, and task management capabilities
   Remediation target (3): Agency Authorization Required (4)(5)

9. Capability (1): Clarity PPM Integration with Rally
   Available alternatives:
     • Use the current on-premise edition of Rally with the portfolio item integration type and basic authentication
   Remediation target (3): Agency Authorization Required (5)

10. Capability (1): CA Productivity Accelerator
   Available alternatives:
     • No workaround at this time
   Remediation target (3): No target. Investigating a resolution.

11. Capability (1): ODUM SaaS Utility and SaaS Integration Adaptor
   Available alternatives:
     • Data exchange is supported by flat file drop and retrieval (for example, for resource loading); within a secure boundary, place a file on the SFTP server for flat file drop (which authenticates using key exchange)
     • Perform XOG import/export using GEL scripts
     • FedRAMP editions of Clarity PPM support SAML 2.0
   Remediation target (3): No target. See the available alternatives.
(1) The features listed in this column are not available in FedRAMP-compliant editions of CA Clarity PPM.
(2) Jaspersoft Studio is used to develop more advanced customer-specific reports.
(3) Remediation target dates are subject to change at any time, with or without notice.
(4) OWB and MSP clients cannot authenticate with Clarity without a valid SSO session. Agency authorization is required because OWB and MSP client users must enter their username and password to authenticate without SSO. With agency authorization, Broadcom provides a Clarity OData endpoint to enable SSO authentication; users can launch OWB or MSP clients from Clarity PPM.
(5) Agency Authorization Required: Any approved solutions must conform to FedRAMP integration standards. Contact Broadcom or your partner for more information.
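The REST API entry above notes that NSQL queries must carry the "@WHERE:SECURITY:" clause. The query below is an added illustration, not taken from this page or from Broadcom's documentation; it assumes the standard Clarity NSQL constructs (@SELECT...@, @WHERE:SECURITY...@, @FILTER@) and the inv_investments table, and the output aliases (project_id, project_code, project_name) are chosen for the example.

```sql
-- Added example (not from the page): a Clarity NSQL portlet query that
-- lists projects while honouring instance-level security.
-- Assumptions: standard NSQL constructs and the inv_investments table;
-- the output aliases are illustrative.
SELECT
  @SELECT:DIM:USER_DEF:IMPLIED:PROJECT:inv.id:project_id@,
  @SELECT:DIM_PROP:USER_DEF:IMPLIED:PROJECT:inv.code:project_code@,
  @SELECT:DIM_PROP:USER_DEF:IMPLIED:PROJECT:inv.name:project_name@
FROM inv_investments inv
WHERE inv.odf_object_code = 'project'
  -- Without the next line the portlet returns every project in the
  -- database regardless of the viewing user's access rights. The
  -- security clause restricts the rows to projects the current user
  -- is permitted to see, evaluated per user at runtime.
  AND @WHERE:SECURITY:PROJECT:inv.id@
  -- Allows the portlet's page filters to be applied to this query.
  AND @FILTER@
```

When reviewing custom portlets in a FedRAMP environment, the check is simple: any NSQL query that joins investments or resources without the matching @WHERE:SECURITY:...@ clause exposes rows beyond the viewing user's access rights, which is why the table lists the clause as a requirement rather than an option.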
Frequently Asked Questions
Q1: How Do FedRAMP Editions of CA Clarity PPM Differ from Mainstream Commercial Editions?
A1: Clarity PPM is available in multiple commercial releases with overlapping support lifecycles. The application can be deployed in on-premise environments, SaaS environments, and hosted environments with dev, test, and prod configurations. Our FedRAMP ATO does not transfer to on-premise deployments. Only the SaaS edition of Clarity PPM 15.5.1 is certified for FedRAMP. To meet strict FedRAMP security requirements, some PPM features are disabled in FedRAMP environments. See Clarity PPM Commercial vs. FedRAMP Feature Differences and Alternatives above.
Q2: Is FedRAMP Preferred or Required?
A2: Both. Cloud services are preferred due to their reduced infrastructure costs, better scalability, Disaster Recovery (DR) features, and other technological benefits. They are also required. In 2010, the Office of Management and Budget (OMB) established a Cloud First policy for federal departments. The original requirements have resulted in a significant shift toward using authorized cloud offerings. Today, all federal departments and agencies are required to use FedRAMP-authorized cloud services.
Q3: Why Would a Clarity PPM Commercial Customer Switch to the FedRAMP Service?
A3: Clarity commercial customers with Federal contract requirements to protect controlled unclassified information should consider the FedRAMP service. For example, an aerospace firm is looking to expand their jet engine business to include military aircraft. DFARS requires protecting controlled unclassified mission-oriented information for weapon systems (to meet 125 controls).
Q4: To What Extent Do Broadcom and Clarity PPM Support My FedRAMP Needs?
A4: Broadcom is committed to offering FedRAMP authorized solutions. You can rely on robust support from Broadcom and the GSS. Clarity PPM has achieved FedRAMP authorized status with an official FedRAMP Moderate Impact Agency ATO. See the top of this page to learn more. 
Q5: How is My Data Encrypted in the Clarity PPM FedRAMP Service?
A5: All data in transit and at rest is encrypted using FIPS 140-2 validated encryption modules.
Q6: Does the Clarity FedRAMP Service Accept Native PIV/CAC card access?
A6: Not at this time; however, the Clarity FedRAMP service does accept SAML assertions from your identity provider (for example, Active Directory).
Q7: We Are Not Sure We Need FedRAMP, But Must Check the Box on FISMA; What Can We Do?
A7: You could request and use FedRAMP SSP as guidance for on-premise SSP. However, the Clarity PPM FedRAMP ATO is not transferable to on-premise environments.
Q8: Is the Clarity PPM Mobile App supported?
A8: Yes. You can use the Log in with SSO option to use the new Clarity mobile app with the FedRAMP service.
Q9: Do FedRAMP contracts have separate SaaS Service Listing documentation?
A9: Yes, the current commercial SaaS Service Listing documentation was updated for FedRAMP.
Q10: Does the Clarity PPM FedRAMP Service Integrate with Rally On-Premise?
A10: From an authentication perspective, the Clarity / Rally product teams are currently testing if this configuration using ‘basic authentication’ (single factor authentication) operates as expected. Should the validation prove positive, the implementing agency will be required to obtain an authorization to implement this configuration. Using the Portfolio Item Integration type, Clarity PPM establishes a connection with Rally OP to pull work execution details. Clarity PPM passwords are encrypted in both the application and the database. Currently, Rally on-premise does not support API Keys or the Investment integration type.
Q11: What Integration Support is Included with the Clarity PPM FedRAMP solution?
A11: Existing commercial integrations are not supported; however, some legacy integrations from select partners are being reviewed to identify a body of knowledge for meeting FedRAMP authentication and data transfer requirements.
Q12: Is Clarity PPM Section 508 Compliant?
A12: Yes, the current Voluntary Product Accessibility Template (VPAT) for CA Project and Portfolio Manager 13.3, 14.x, and 15.x is available upon request. Our current VPAT certification relates solely to the Classic user interface functionality that has not materially changed since late in 2015, when we began the New User Experience transformation. However, the VPAT compliance testing standards have changed. The Clarity PPM product team is currently addressing a focused list of remediation items necessary to comply with the new testing standards. We tentatively plan to include the associated fixes in the Clarity PPM release targeted for FYQ1 2020. The remediation effort applies only to Classic PPM functionality.
Q13: How Do I Access Clarity PPM FedRAMP Product Documentation?
A13: Security documentation is requested from the PMO. The customer-facing product documentation for Clarity PPM is available at docops.ca.com.
Q14: Does Clarity for FedRAMP limit concurrent user sessions?
A14: Not at this time; however, this capability is a Clarity PPM FedRAMP roadmap item being considered for a future release.