NetSfere Vault Secure Configuration Guide

FedRAMP Secure Configuration Requirements (FRR-RSC) Mapping


Introduction

This document provides the recommended secure configuration guidance for the NetSfere Vault archiving platform, organized by the FedRAMP Secure Configuration Requirements (FRR-RSC). This guide is intended for federal agency compliance officers and administrators to ensure the Vault environment meets NIST SP 800-53 Rev 5 standards.

FRR-RSC-01 - Top-level administrative accounts guidance

Providers must create and maintain guidance that includes instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering.

NetSfere Vault distinguishes between emergency accounts using built-in authentication and standard enterprise accounts using Single Sign-On (SSO).

Emergency Built-in Authentication (Break-Glass Accounts)

Agency administrators must limit the number of accounts using built-in authentication to a minimum (typically two). These accounts are intended for "break-glass" emergency scenarios, such as when the primary Identity Provider (IdP) is unavailable.

  • Configuration: Administrative users are managed from the Users view on the sidebar. When creating a new user or updating an existing one via the Modify User button, set the MFA Type setting to Email.
  • Operation: These accounts utilize email-based MFA to ensure secure access even when the enterprise IdP is bypassed.

Standard Enterprise Authentication (SAML 2.0)

For all standard administrative and user access, the agency must utilize an enterprise Identity Provider.

  • Configuration: Navigate to the Single Sign-On view on the sidebar to configure the agency's SAML 2.0 Identity Provider.
  • MFA Enforcement: MFA must be strictly enforced at the Identity Provider level before granting access to the NetSfere Vault application.

FRR-RSC-02 - Top-level administrative accounts security settings guidance

Providers must create and maintain guidance that explains security-related settings that can be operated only by top-level administrative accounts and their security implications.

The following settings can be operated only by the Administrator role:

  • Message Retention Period: Agencies must configure the "Message Retention Period" to define the length of time messages are stored within the Vault for later retrieval. It is recommended that this period be set to match the minimum duration required to fulfill the agency's specific legal, regulatory, and record-keeping requirements (e.g., GRS 5.2).
  • Legal Hold Management: The authority to place specific users or groups on "Legal Hold," which overrides automated retention cycles to preserve data for active investigations.

FRR-RSC-03 - Privileged accounts security settings guidance

Providers should create and maintain guidance that explains security-related settings that can be operated only by privileged accounts and their security implications.

NetSfere Vault has only an Administrator role and no elevated privileged account other than the Administrator. All security-related settings and their implications are therefore managed exclusively by the Administrator, as detailed in Section FRR-RSC-02.

FRR-RSC-04 - Secure defaults on provisioning

Providers should set all settings to their recommended secure defaults for top-level administrative accounts and privileged accounts when initially provisioned.

While NetSfere Vault is provisioned with secure-by-default configurations, some modification is necessary to achieve the highest security posture as detailed in this guide.

FRR-RSC-05 - Comparison capability

Providers should offer the capability to compare all current settings for top-level administrative accounts and privileged accounts to the recommended secure defaults.

This capability is not available.

FRR-RSC-06 - Export capability

Providers should offer the capability to export all security settings in a machine-readable format.

This capability is not available.

FRR-RSC-07 - API capability

Providers should offer the capability to view and adjust security settings via an API or similar capability.

This capability is not available.

FRR-RSC-08 - Machine-readable guidance

Providers should provide recommended secure configuration guidance in a machine-readable format that can be used by customers or third-party tools to compare against current settings.

This capability is not available.

FRR-RSC-09 - Publish guidance

Providers should make recommended secure configuration guidance available publicly.

Secure configuration guidance for the NetSfere Vault is published publicly via the NetSfere Help Center and is updated as needed.

FRR-RSC-10 - Versioning and release history

Review the document revision history for the FedRAMP Secure Configuration Guide.

Version   Date            Description of Change
1.0       February 2026   Initial Release of the NetSfere Vault Secure Configuration Guide.