FedRAMP Rules of Behavior

The Federal Risk and Authorization Management Program (FedRAMP) is a Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based services. FedRAMP uses a “do once, use many times” framework that intends to save costs, time, and staff required to conduct redundant Agency security assessments and process monitoring reports.

FedRAMP was developed in collaboration with the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense (DOD), and the Department of Homeland Security (DHS). Many other Government Agencies and working groups participated in reviewing and standardizing the controls, policies and procedures.

The following Rules of Behavior describe security controls associated with user responsibilities and certain expectations of behavior for following security policies, standards, and procedures consistent with FedRAMP principles and guidelines. The Rules of Behavior apply only to customers who purchase Ivanti’s FedRAMP SaaS Environment (“Customer(s)”), along with the Customers’ system administrators, employees, contractors, end-users, and other third parties who are given access to the same. As an external user of Ivanti systems and networks, Customer agrees to abide by these Rules of Behavior and ensure that all users of the FedRAMP SaaS Environment likewise are given notice of, and abide by, the same.

Customer must conduct only authorized business on the system.

Customer’s level of access to systems and networks owned by Ivanti is limited to ensure Customer’s access is no more than necessary to perform Customer’s legitimate tasks or assigned duties. If Customer believes it is being granted access that it should not have, Customer must immediately notify the Ivanti Information Security Team.

Ivanti systems are classified as FedRAMP Moderate. Customer must not upload any information in the system that requires, or could potentially require, higher levels of protection.

Customer must maintain the confidentiality of Customer’s authentication credentials such as Customer’s password, and must not reveal Customer’s authentication credentials to anyone; an Ivanti employee should never ask Customer to reveal them.

Customer must follow proper logon/logoff procedures. Customer must manually logon to its session and must not store Customer’s password locally on its system or utilize any automated logon capabilities. Customer must promptly logoff when session access is no longer needed. If a logoff function is unavailable, Customer must close the browser and must never leave its computer unattended while logged into the system.

Customer must report all security incidents or suspected incidents (e.g., lost passwords, improper or suspicious acts) related to Ivanti systems and networks to the Ivanti Information Security Team.

Customer must not establish any unauthorized interfaces between systems, networks, and applications owned by Ivanti.

Customer’s access to systems and networks owned by Ivanti is governed by, and subject to, all federal laws, including, but not limited to, the Privacy Act, 5 U.S.C. 552a, if the applicable Ivanti system maintains individual Privacy Act information. Customer’s access to Ivanti systems constitutes Customer’s consent to the retrieval and disclosure of the information within the scope of Customer’s authorized access, subject to the Privacy Act, and applicable state and federal laws.

Customer must safeguard system resources against waste, loss, abuse, unauthorized use or disclosure, and misappropriation.

Customer must not process U.S. classified national security information on the system.

Customer must not browse, search or reveal information hosted by Ivanti except in accordance with that which is required to perform Customer’s legitimate tasks or assigned duties.

Customer must not retrieve information, or in any other way disclose information, for someone who does not have authority to access that information.

Customer must ensure that its web browser uses Secure Socket Layer (SSL) version 3.0 (or higher) and Transport Layer Security (TLS) 1.0 (or higher). SSL and TLS must use a minimum of 128-bit, encryption.

Customer must ensure that its web browser is configured to warn about invalid site certificates.

Customer must ensure that its web browser warns if the user is changing between secure and non-secure mode.

Customer must ensure that the web browser window used to access systems owned by Ivanti is closed before navigating to other sites/domains.

Customer must ensure that its web browser checks for a publisher’s certificate revocation, server certificate revocation, and signatures on downloaded files.

Customer must ensure that its web browser empties/deletes temporary Internet files when the browser is closed.

Customer understands that any person who obtains information from a computer connected to the Internet in violation of her employer’s computer-use restrictions is in violation of the Computer Fraud and Abuse Act.

Customer agrees to contact the Ivanti Chief Security Officer or the Ivanti Information Security Team if Customer does not understand any of these rules.

Customer must never share any confidential or non-public information pertaining to Ivanti and/or accessible as a result of Customer’s relationship with Ivanti on social media, unless authorized. 

Customer must respect brand, trademark, copyright, fair use, and trade secrets.

Customer must be aware that it is personally responsible for the content it publishes online.

Customer’s postings related to Ivanti or its industry must contain a disclaimer that the opinions expressed are strictly the poster’s opinions and may not reflect those of Ivanti.

When discussing Ivanti online, Customer must be transparent about its relationship to the company.

Customer must not make any claims concerning Ivanti or Ivanti products without an up-to-date, substantiated public source.

Customer may not participate in harassment, or slander towards anyone, including but not limited to: Ivanti, Ivanti employees, or Ivanti’s competition.

Customer may not participate in any obscene or discriminatory language or engage in any conduct not acceptable in a professional setting.

Customer may not refer to any Ivanti customer, partner, supplier, or employee without their approval.

If Customer has an issue or complaint about Ivanti, Customer shall contact Ivanti through the proper customer service channels.

Customer must use common sense, be aware of privacy issues, play nice, and be honest on social media.