Advanced security controls in Omnissa FedRAMP High cloud

Introduction

This document provides a general overview of the security controls implemented in Omnissa FedRAMP High cloud offerings and includes information on the following services:

  • Omnissa Workspace ONE® Unified Endpoint Management (UEM) FedRAMP offering
  • Omnissa Access and Omnissa Workspace ONE® Hub Services FedRAMP offering
  • Omnissa Intelligence FedRAMP offering

Within this whitepaper, these services are collectively referred to as “Omnissa FedRAMP cloud services” unless otherwise specified. Omnissa FedRAMP cloud services are hosted in Amazon Web Services (AWS) GovCloud infrastructure.

GovRAMP

GovRAMP is a uniquely tailored compliance program based on NIST 800-53 requirements and structured to support the unique requirements of state, local, and education (SLED) users. It further aims to expand the market of available services by enabling smaller service providers to compete alongside larger providers for government and education contracts. GovRAMP provides SLED users with managed review of authorized products including initial/annual assessment packages and monthly Continuous Monitoring (ConMon) reporting.

GovRAMP reciprocally recognizes the FedRAMP authorization process, and so Omnissa is able to support both FedRAMP and GovRAMP authorizations through a single environment and Continuous Monitoring (ConMon) process. For more information on the certification status of GovRAMP, see the Omnissa trust center.

For more information about GovRAMP, visit the GovRAMP website.

You can find the Omnissa listing on the GovRAMP Approved Products List at: Authorized Product List - GovRAMP.

DOD Impact Level

The Department of Defense (DOD) Cloud Computing Security Requirements Guide (SRG) provides a standardized assessment and authorization approach for cloud products and services serving DOD customers. Omnissa FedRAMP environments are currently certified for DOD CC SRG Impact Level (IL) 2. DOD CC SRG IL5 non-NSS is currently undergoing a Defense Information Systems Agency (DISA) review.

For more information on certification status, see our FedRAMP page in the Omnissa trust center.

CMMC

The DOD recognizes FedRAMP Moderate and above authorized systems as meeting CMMC requirements. As a FedRAMP High authorized system, Workspace ONE is suitable for commercial contractors who need a CMMC compliant Mobile Device Management (MDM) solution. For CMMC use cases, we will supplement the FedRAMP High authorization package with a certified letter of attestation from our CMMC third-party assessment organization (C3PAO) affirming the system’s complete compliance with CMMC requirements as well as a Customer Responsibilities Matrix (CRM) tailored to the NIST 800-171 rev 2 control baseline.

Further, should a customer relationship require the transmission of CUI data to Omnissa outside of the Workspace ONE customer tenant environment, Omnissa is certified to handle and store such data using solutions integrated into the administrative control plane of the Omnissa FedRAMP environment. Interested customers will find our C3PAO certification for CMMC Level 2 listed on DOD’s Supplier Performance Risk System (SPRS) website and can obtain a copy of the CMMC L2 SSP and CRM upon request.

Purpose

The intent of this document is to provide readers with an understanding of the key differentiators of the Omnissa FedRAMP cloud services security approach beyond that of our commercial cloud offerings.

Audience

This document is intended for Omnissa FedRAMP cloud administrators. It assumes at least intermediate knowledge of our cloud services and focuses on the policies, processes, and controls supporting the cloud-delivered services.

For an overview of our general information security program, see our commercial cloud security whitepaper: Workspace ONE Cloud Service Security Whitepaper.

Technical differentiators

Key technical differentiators for the Omnissa FedRAMP environments include encryption standards, key management procedures, system hardening guidelines, and data separation.

Encryption standards

FedRAMP requires the use of FIPS 140-2 (or higher) validated cryptographic modules for all encryption used to protect sensitive data, both in transit and at rest. For Omnissa FedRAMP services, we use FIPS validated modules across all states of encryption used in the cloud service, including encryption in transit, at rest, private keys, certificates and secrets. Specific details can be found in the Omnissa FedRAMP System Security Plan (SSP), Appendix Q.

Encryption key management

Omnissa has implemented controls to retain ownership of the security functions involved in key management. We use AWS Key Management Service (KMS) to generate keys and securely manage their lifecycle, and we use the Customer Managed Key capabilities within AWS KMS so that Omnissa, not AWS, retains control of all keys. This enables us to maintain complete control over the entire key lifecycle.

System hardening

For all Omnissa cloud environments, we follow best practices in applying secure configurations across all layers, starting from the hardware up to the operating system, container, and the application. This includes deactivating unnecessary ports, protocols, and services as part of baseline hardening standards and using Center for Internet Security (CIS) Level 1 benchmarks. In our FedRAMP environments, we extend these general system hardening guidelines to include more stringent hardening guidelines by implementing Department of Defense (DOD) Security Technical Implementation Guides (STIGs) and CIS Level 2 benchmarks.

Data separation

The security architecture of the FedRAMP production environment is logically separated to protect data, systems, and assets, leveraging a defense-in-depth approach to protect customer data. DOD customers have an additional physical separation layer to meet their more stringent security requirements.

Process differentiators

Key process differentiators include more advanced access control requirements, vulnerability management remediation, and a tightly controlled process for significant changes.

Access controls

Omnissa FedRAMP production environments are only accessible to a limited number of authorized and approved U.S.-based personnel. All privileged access into the FedRAMP environment is initiated through Amazon WorkSpaces and users are authenticated by unique identifiers via directory services and AWS Identity and Access Management (IAM). Additionally, all personnel with access to the FedRAMP production environment are required to authenticate using an identity provider (Omnissa Access) with a FIPS 140-validated hardware-based authenticator (token).

Vulnerability management

Within today’s highly complex and integrated information systems, new vulnerabilities are identified daily. FedRAMP requires that service providers meet specific remediation timelines based on the severity of the vulnerability:

  • Critical / High – 30-day remediation
  • Moderate – 90-day remediation
  • Low – 180-day remediation

Omnissa has deployed automated vulnerability management tools into the FedRAMP infrastructure to ensure we maintain visibility into our vulnerability footprint and to remediate findings within the required timelines. Our code pipeline includes automated testing procedures and scanning for hosts and containers, and host and external-facing endpoint vulnerability scans are conducted weekly.
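The remediation windows listed above are the kind of rule a vulnerability management or POA&M tracking tool applies to every open finding. The following is an added illustration, not Omnissa's tooling or any part of its FedRAMP package: it takes constructed scan findings, computes each finding's due date from the FedRAMP window for its severity, and flags findings that are open past their deadline or that were closed late. The finding identifiers, dates, and severity labels are invented sample data.

```python
"""Remediation-deadline tracking for vulnerability findings (added example).

Applies the FedRAMP remediation windows quoted in the paper
(Critical/High 30 days, Moderate 90 days, Low 180 days) to a list of
findings and reports which ones are overdue as of a given date.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation windows in days, keyed by severity label (case-insensitive).
REMEDIATION_DAYS: Dict[str, int] = {
    "critical": 30,
    "high": 30,
    "moderate": 90,
    "low": 180,
}


@dataclass(frozen=True)
class Finding:
    finding_id: str          # hypothetical tracker identifier
    severity: str            # one of the REMEDIATION_DAYS keys
    discovered: date         # date the scanner first reported the finding
    closed: Optional[date] = None  # date remediation was verified, if any


def due_date(finding: Finding) -> date:
    """Deadline by which the finding must be remediated."""
    key = finding.severity.lower()
    if key not in REMEDIATION_DAYS:
        raise ValueError(f"unknown severity: {finding.severity!r}")
    return finding.discovered + timedelta(days=REMEDIATION_DAYS[key])


def status(finding: Finding, as_of: date) -> str:
    """Classify a finding relative to its deadline on the given date."""
    deadline = due_date(finding)
    if finding.closed is not None:
        return "closed-on-time" if finding.closed <= deadline else "closed-late"
    return "overdue" if as_of > deadline else "open"


def overdue_findings(findings: List[Finding], as_of: date) -> List[str]:
    """IDs of findings still open after their deadline, sorted for stable reporting."""
    return sorted(f.finding_id for f in findings if status(f, as_of) == "overdue")


def summarize(findings: List[Finding], as_of: date) -> Dict[str, int]:
    """Count findings per status, the shape a monthly ConMon summary would use."""
    counts: Dict[str, int] = {}
    for f in findings:
        s = status(f, as_of)
        counts[s] = counts.get(s, 0) + 1
    return counts


# Constructed sample data; not real scan output.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("F-001", "High", date(2025, 6, 1)),                         # due 2025-07-01
    Finding("F-002", "Moderate", date(2025, 6, 1)),                     # due 2025-08-30
    Finding("F-003", "Low", date(2025, 1, 1), closed=date(2025, 6, 15)),  # due 2025-06-30
    Finding("F-004", "Critical", date(2025, 5, 1), closed=date(2025, 6, 10)),  # due 2025-05-31
]

if __name__ == "__main__":
    today = date(2025, 7, 15)
    for f in SAMPLE_FINDINGS:
        print(f.finding_id, f.severity, due_date(f), status(f, today))
    print("overdue:", overdue_findings(SAMPLE_FINDINGS, today))
    print("summary:", summarize(SAMPLE_FINDINGS, today))
```

Run as-is for the sample set, or feed it parsed findings from a real scanner export; the status strings map directly onto the open, late, and closed columns a POA&M report tracks.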

Continuous monitoring

To ensure our FedRAMP baseline hardening standards are enforced across all services within the environment, we leverage automated tools to perform continuous monitoring and vulnerability scanning. In addition to these tools, Omnissa FedRAMP environments employ host-based intrusion protection and file integrity monitoring with tools that monitor and track changes in real time.

In line with FedRAMP ConMon program requirements, Omnissa generates monthly reporting deliverables, including a Plan of Action & Milestones (POA&M) report, system inventories, a risk deviation log, and Significant Change Notifications (SCN) as described below. These artifacts are shared and discussed monthly with customers in an Omnissa-hosted ConMon Collaboration Group meeting.

Change management process

Within the FedRAMP production environment, system changes are monitored, tracked, and approved in accordance with FedRAMP requirements. Every change goes through a Significant Impact Analysis to determine if there are changes to confidentiality, integrity, and availability of the FedRAMP system or the data hosted there. Omnissa will adhere to FedRAMP and DOD SRG requirements to communicate changes and, if necessary, coordinate testing activity with a certified 3PAO.

Key personnel differentiators

Key personnel differentiators include a U.S.-based support team, a dedicated Security Operations Center (SOC), and additional FedRAMP-specific training.

U.S.-based support

All personnel with access to the FedRAMP environment are U.S. persons who are based in the U.S. These individuals are required to meet specific background check and identity proofing processes in accordance with FedRAMP requirements.

Dedicated SOC

Omnissa hosts a dedicated and separate FedRAMP-specific security operations center (SOC). All security events and audit logs are centrally collected in our Security Information and Event Management (SIEM) solution. Automated rules are built into the SIEM to analyze data in near-real time and trigger alerts that are actioned by staff who operate the SOC 24/7/365. In the event of a confirmed incident, Omnissa will report within one (1) hour to relevant stakeholders such as the Cybersecurity and Infrastructure Security Agency (CISA), JFHQ-DODIN, affected customers, and FedRAMP/agency contacts.

Extended training

To ensure all personnel with access to the Omnissa FedRAMP environment understand their security responsibilities, Omnissa has developed FedRAMP-specific training modules that must be completed prior to gaining access to the FedRAMP production systems. These modules are designed and developed in accordance with FedRAMP’s training requirements. Additionally, all users are required to complete refresher training annually.

Summary and additional resources

The intent of this document is to provide readers with an understanding of the key differentiators of the Omnissa FedRAMP cloud services security approach beyond that of our commercial cloud offerings, including key technical, process, and personnel differentiators.

Additional resources

For more information about Omnissa FedRAMP, you can explore the following resources:

  • For a comprehensive explanation of how Omnissa implements FedRAMP and DOD security controls, review the FedRAMP Security Plan (SSP). You can request a copy of the SSP through your assigned solution specialist or sales representative.
  • Omnissa trust center

Changelog

The following updates were made to this guide:

Date              Description of Changes
August 26, 2025   Whitepaper published

About the author and contributors

The following people contributed their knowledge and assistance with this document:

  • Phil Hickson, Program Manager, Omnissa Government Services
  • Mark Judd, Information Systems Security Officer, Omnissa Government Services
  • Andrea Smith, Sr. Program Manager, Customer Security Assurance

Feedback

Your feedback is valuable. To comment on this paper, either use the feedback button or contact us at tech_content_feedback@omnissa.com.
