Build dd72814b67b256dc8e32c255590faa8fb1a10f89 Wed 04 Mar 2026 05:03:10 PM UTC master NetSfere Help Center - NetSfere Messaging Secure Configuration Guide

NetSfere Messaging Secure Configuration Guide

FedRAMP Secure Configuration Requirements (FRR-RSC) Mapping.


Introduction

This document provides the recommended secure configuration guidance for the NetSfere Messaging platform, organized by the FedRAMP Secure Configuration Requirements (FRR-RSC). This guide is intended for federal agency compliance officers and administrators to ensure the messaging environment meets NIST SP 800-53 Rev 5 standards.

FRR-RSC-01 - Top-level administrative accounts guidance

Providers must create and maintain guidance that includes instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering.

NetSfere distinguishes between emergency accounts using built-in authentication and standard enterprise accounts using Single Sign-On (SSO).

Emergency Built-in Authentication (Break-Glass Accounts)

Agency administrators must limit the number of accounts using built-in authentication to a minimum (typically two). These accounts are intended for "break-glass" emergency scenarios, such as when the primary Identity Provider (IdP) is unavailable.

  • Configuration: Navigate to Settings -> Security Policy. On the General tab, ensure MFA For Login is enabled and set to Mandatory.
  • Operation: These accounts must use NetSfere's native MFA (Authenticator App or SMS) so that they remain protected even when the enterprise IdP is unavailable or bypassed. Prefer the Authenticator App: NIST SP 800-63B treats one-time codes delivered over SMS as a restricted authenticator. Keep break-glass credentials under controlled storage and review each use of these accounts once the emergency has ended.

Standard Enterprise Authentication (SAML 2.0)

For all standard administrative and user access, the agency must utilize an enterprise Identity Provider.

  • Configuration: Navigate to Settings -> Identity Providers to configure the agency's SAML 2.0 Identity Provider.
  • MFA Enforcement: MFA must be strictly enforced at the Identity Provider level before granting access to the NetSfere application.

FRR-RSC-02 - Top-level administrative accounts security settings guidance

Providers must create and maintain guidance that explains security-related settings that can be operated only by top-level administrative accounts and their security implications.

Administrators should carefully review and configure the following security policies to harden the messaging environment:

Inactivity and Login Hardening

Hardening the session and login parameters is critical for preventing unauthorized access to unattended devices.

  1. Navigate to Settings -> Security Policy.
  2. On the General tab, locate the Inactivity setting. Adjust this to the minimum practical setting for your agency (e.g., 15 minutes) to ensure sessions are automatically locked or terminated.
  3. Enable Failed Login Notification. This ensures that administrators or users are alerted to repeated failed attempts, allowing for the timely identification of potential brute-force or intrusion attempts.

IP Restriction (Conditional Access)

Restricting access to the NetSfere web application by IP range ensures that administrative and user portals are only accessible from trusted agency networks.

  1. Navigate to Settings -> Security Policy.
  2. Select the Controlled Device Logins tab.
  3. Define the authorized IP ranges that represent the agency's trusted network egress points (VPN, office, etc.). Access attempts from outside these ranges will be denied. Before enabling the restriction, confirm that the addresses from which the break-glass accounts would be used during an IdP outage fall inside an authorized range; a missing range would otherwise block the emergency path as well. IP restriction complements MFA and does not replace it.
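The following pre-flight check is an added example, not NetSfere code or anything from the product console: it validates a candidate allowlist the way an administrator should before applying it under Controlled Device Logins. The ranges, the required source addresses and the minimum-prefix policy are all constructed for illustration; the point is to catch a mistyped range, an over-broad range and a required source (including the break-glass path and any IPv6 egress) that the list would lock out.

```python
"""Pre-flight check for an IP allowlist before it is applied under
Settings -> Security Policy -> Controlled Device Logins.

Added example, not part of NetSfere's documentation or product. The ranges
and source addresses below are constructed for illustration; replace them
with the agency's real egress ranges and the addresses of every host that
must keep working, including the break-glass path.
"""
import ipaddress

# Constructed sample: ranges an administrator intends to allowlist.
CANDIDATE_RANGES = [
    "203.0.113.0/24",    # VPN concentrator egress
    "198.51.100.0/27",   # headquarters egress
    "192.0.2.55/24",     # typo: host bits set, the intent was 192.0.2.0/24
    "10.0.0.0/8",        # far too broad to be an allowlist
]

# Constructed sample: sources that must still be able to log in afterwards.
REQUIRED_SOURCES = {
    "vpn-admin": "203.0.113.10",
    "break-glass-workstation": "198.51.100.7",
    "branch-office": "192.0.2.55",        # only the mistyped range would cover it
    "soc-analyst-ipv6": "2001:db8::10",   # no IPv6 range is listed at all
}

# Shortest prefix accepted per address family (assumed policy for this example).
MIN_PREFIXLEN = {4: 16, 6: 48}


def check_allowlist(ranges, required_sources):
    """Validate candidate ranges and confirm every required source is covered."""
    findings = {"invalid": [], "too_broad": [], "networks": [], "uncovered": {}}
    for text in ranges:
        try:
            # strict=True rejects ranges with host bits set, which catches
            # a host address pasted where a network was intended.
            net = ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            findings["invalid"].append((text, str(exc)))
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            findings["too_broad"].append(text)
            continue
        findings["networks"].append(net)
    for name, addr in required_sources.items():
        ip = ipaddress.ip_address(addr)
        # Membership across address families is simply False, so an IPv6
        # source with no IPv6 range is reported rather than silently missed.
        if not any(ip in net for net in findings["networks"]):
            findings["uncovered"][name] = addr
    return findings


def safe_to_apply(findings):
    """True only when nothing was rejected and every required source is covered."""
    return not (findings["invalid"] or findings["too_broad"] or findings["uncovered"])


if __name__ == "__main__":
    result = check_allowlist(CANDIDATE_RANGES, REQUIRED_SOURCES)
    for text, reason in result["invalid"]:
        print(f"invalid range   {text}: {reason}")
    for text in result["too_broad"]:
        print(f"too broad       {text}")
    for name, addr in result["uncovered"].items():
        print(f"would lock out  {name} ({addr})")
    print("safe to apply" if safe_to_apply(result) else "do not apply yet")
```

With the constructed input the check rejects the mistyped and the /8 range and reports the branch office and the IPv6 analyst as locked out; correcting the list to include 192.0.2.0/24 and an IPv6 egress prefix (2001:db8::/48 in the sample) makes it pass, and only then should the ranges be entered in the console.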

Application Screen Lock (PIN Requirement)

Enforcing a screen lock requires users to enter a PIN or provide biometrics whenever the NetSfere app is brought to the foreground, providing an additional layer of protection for data at rest on the device.

  1. Navigate to Settings -> Security Policy.
  2. Select the Screen Lock tab.
  3. Enable the requirement for a PIN. This ensures that even if a device is already unlocked, the NetSfere application remains secured behind an additional application-level lock (PIN or biometric).

Messaging and Data Governance

Agencies should carefully evaluate communication features and data retention policies to minimize the potential attack surface and ensure data is only retained as long as necessary.

  1. Navigate to Settings -> Messaging.
  2. Guest User Access: If the agency does not intend to interact with outside entities, ensure that Allow Guest Users is set to Off. This prevents unauthorized external participants from joining internal channels.
  3. Message Retention (Device & Cloud): Evaluate the storage duration for messages on endpoint devices and in the NetSfere cloud. Administrators should set these to the minimum practical settings required to meet agency mission and record-keeping requirements.
  4. Attachment Restrictions: Review the permitted file types and maximum sizes for attachments. Restricting attachments by content type (e.g., blocking executables) and limiting size reduces the risk of malware delivery and data exfiltration.
  5. Message Deletion: Determine whether users should be permitted to delete their own messages and define the duration during which deletion is allowed. This policy should align with the agency's evidentiary and archival standards.
  6. Real-Time Media Controls: Evaluate the need for integrated Audio and Video calling. If these features are not required for agency operations, they should be disabled or restricted to align with the organization's communication security policies.

FRR-RSC-03 - Privileged accounts security settings guidance

Providers should create and maintain guidance that explains security-related settings that can be operated only by privileged accounts and their security implications.

NetSfere has a single Administrator role and no further elevated privilege tier. All security-related settings, and their implications, are therefore managed exclusively by the Administrator as described under FRR-RSC-02.

FRR-RSC-04 - Secure defaults on provisioning

Providers should set all settings to their recommended secure defaults for top-level administrative accounts and privileged accounts when initially provisioned.

While NetSfere Messaging is provisioned with secure-by-default configurations, some modification is necessary to achieve the highest security posture as detailed in this guide.

FRR-RSC-05 - Comparison capability

Providers should offer the capability to compare all current settings for top-level administrative accounts and privileged accounts to the recommended secure defaults.

This capability is not available.

FRR-RSC-06 - Export capability

Providers should offer the capability to export all security settings in a machine-readable format.

The messaging service does not currently support exporting all security settings. However, it does provide the capability to export user accounts and metadata:

  1. Navigate to the Users & Groups section.
  2. Select the Active Users view.
  3. Click on the Export Users button to download the machine-readable file.

FRR-RSC-07 - API capability

Providers should offer the capability to view and adjust security settings via an API or similar capability.

This capability is not available.

FRR-RSC-08 - Machine-readable guidance

Providers should provide recommended secure configuration guidance in a machine-readable format that can be used by customers or third-party tools to compare against current settings.

This capability is not available.
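Because the service offers neither a comparison capability (FRR-RSC-05) nor machine-readable guidance (FRR-RSC-08), the drift check has to be built on the customer side. The script below is an added example, not NetSfere code: it encodes the recommendations from this guide as a baseline, compares them against values an administrator has transcribed from the console, and emits the baseline as JSON for other tools. The setting keys are assumed names chosen for this example, not identifiers used by the product, and the "current" values are constructed.

```python
"""Customer-side drift check against this guide's recommended settings.

Added example, not NetSfere's code: the service exposes no settings export,
comparison or API (FRR-RSC-05/07/08), so an administrator records the values
shown in the console by hand and compares them with a baseline encoded from
this guide. The setting keys below are assumed names for this example, not
identifiers used by the product, and the "current" values are constructed.
"""
import json

# Baseline encoded from the guidance above: key -> (operator, expected value).
# "eq" requires an exact match; "le" means the recorded value must not exceed it.
BASELINE = {
    "security_policy.general.mfa_for_login": ("eq", "Mandatory"),
    "security_policy.general.inactivity_minutes": ("le", 15),   # the guide's example value
    "security_policy.general.failed_login_notification": ("eq", True),
    "security_policy.controlled_device_logins.ip_ranges_defined": ("eq", True),
    "security_policy.screen_lock.pin_required": ("eq", True),
    "messaging.allow_guest_users": ("eq", False),
    "identity_providers.saml_configured": ("eq", True),
    "accounts.built_in_auth_count": ("le", 2),   # break-glass accounts only
}

OPERATORS = {
    "eq": lambda current, expected: current == expected,
    "le": lambda current, expected: current <= expected,
}

# Constructed sample of values an administrator transcribed from the console.
CURRENT_SAMPLE = {
    "security_policy.general.mfa_for_login": "Optional",
    "security_policy.general.inactivity_minutes": 60,
    "security_policy.general.failed_login_notification": True,
    "security_policy.controlled_device_logins.ip_ranges_defined": False,
    "security_policy.screen_lock.pin_required": True,
    "messaging.allow_guest_users": False,
    "identity_providers.saml_configured": True,
    "accounts.built_in_auth_count": 5,
}


def compare(current, baseline=BASELINE):
    """Return one finding per setting that is missing, mistyped or non-compliant."""
    findings = []
    for key, (op, expected) in baseline.items():
        if key not in current:
            findings.append({"setting": key, "status": "not recorded",
                             "expected": expected, "current": None})
            continue
        value = current[key]
        if type(value) is not type(expected):
            # A transcription error such as "60" for 60 must neither pass nor crash.
            findings.append({"setting": key, "status": "type mismatch",
                             "expected": expected, "current": value})
            continue
        if not OPERATORS[op](value, expected):
            findings.append({"setting": key, "status": "non-compliant",
                             "expected": expected, "current": value})
    return findings


def baseline_json():
    """Machine-readable form of the baseline for third-party tooling to consume."""
    return json.dumps({key: {"op": op, "expected": expected}
                       for key, (op, expected) in BASELINE.items()},
                      indent=2, sort_keys=True)


if __name__ == "__main__":
    for f in compare(CURRENT_SAMPLE):
        print(f"{f['status']:<14} {f['setting']}: expected {f['expected']!r}, found {f['current']!r}")
```

The type check matters in practice: values copied from a web console arrive as strings, and a string "60" compared against the integer 15 would otherwise raise in one case and pass silently in another. Re-run the comparison after every console change and keep the transcribed snapshot with the date it was taken, since that snapshot is the only record of the configuration the service itself will not export.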

FRR-RSC-09 - Publish guidance

Providers should make recommended secure configuration guidance available publicly.

Recommended secure configuration guidance is published publicly via the NetSfere Help Center and is updated as needed.

FRR-RSC-10 - Versioning and release history

Review the document revision history for the FedRAMP Secure Configuration Guide.

Version | Date          | Description of Change
1.0     | February 2026 | Initial Release of the NetSfere Messaging Secure Configuration Guide.