FedRAMP – Secure Configuration Guide for ISI
Document Information
Product Name: BeyondTrust Identity Security Insights for Government
Deployment Model: SaaS
Authorization Level: FedRAMP Moderate (Authorized)
Document Version: 26.03
Document Date: March 2026
Applies To Product Release: 26.03
Versioning and Release History
| Version | Release Date | Product Version Alignment | Description of Changes | Security Impact |
|---|---|---|---|---|
| 26.03 | March 5, 2026 | 26.03 | Initial Secure Configuration Guide for FedRAMP | Baseline configuration documentation |
Versioning Model
Each product release is evaluated for configuration‑impacting changes, and this guide is updated accordingly.
System Overview
BeyondTrust Identity Security Insights for Government version 26.03 is a FedRAMP Moderate authorized SaaS solution providing visibility across:
- Human identities
- Machine identities
- Secrets
- AI identities
The certification provides reciprocity for Department of Defense (DoD) organizations, aligning with CC SRG Impact Level 2 (IL2).
ISI is deployed as a multi‑tenant SaaS environment in AWS GovCloud (us‑gov‑west‑1).
ISI analyzes identity data collected from:
- Connectors: Customers configure cloud connectors by providing credentials with specific scopes and permissions per the connector setup guides.
- Insights Collector: An on‑premises component installed on a member server in the customer environment. The collector authenticates securely to ISI and transmits identity data for analysis.
Supported Integrations
ISI supports forwarding security events to customer‑configured integrations:
- SIEM
  - Splunk
  - Elastic
- Webhooks
  - Custom webhook integrations for security event delivery
Security Enforcement
- TLS 1.2+ (TLS 1.3 where supported)
- FIPS 140‑3 validated cryptography
- AWS KMS encryption on all data stores
- Immutable audit logging
- Role‑based access control
- Secure configuration defaults at provisioning
Administrative Account Security
Top‑Level Administrative Role
The highest‑privilege role in ISI is Administrator.
Administrators may:
- Configure authentication settings (SAML 2.0 SSO)
- Manage user access (users, sites, products)
- Invite, edit, and delete users
- Reset user MFA configurations
- Manage default access rules for SAML users
- View audit logs
Reference documentation:
https://docs.beyondtrust.com/bt-docs/docs/user-management
Secure Access to Administrative Accounts
ISI supports:
- SAML 2.0 SSO (per‑organization, domain‑based)
- MFA via authenticator app (TOTP)
- Local authentication (allowed but discouraged)
Federated authentication with MFA enforced at the IdP is strongly recommended.
Administrative Lifecycle Management
Provisioning
- First user is provisioned as an Administrator
- Activation requires email‑based invitation
- Subsequent users added via invitation or SAML
- Access is explicitly assigned by an administrator
Deprovisioning
- Federated users are governed by IdP lifecycle
- When a user is deleted:
  - Access is immediately revoked
  - Audit logs remain intact and immutable
Privileged Account Controls
Role‑Based Access Control
ISI uses an access control model based on:
- Organization role
- Site access
- Product access
Roles:
- Administrator
  - Manage users
  - Configure authentication
  - Manage site/product access
  - View audit logs
- Standard User
  - No access to administration functions
Privileged Security Settings
Settings restricted to the Administrator role include:
- Authentication configuration (SAML 2.0 SSO)
- User management (invite, edit, delete)
- MFA reset for users
- Default access rules for SAML users
- Site and product access management
- Audit log viewing
All security‑sensitive changes are logged.
Secure Defaults
| Configuration Area | Secure Default |
|---|---|
| TLS | 1.2 enforced; 1.3 where supported |
| Cryptography | FIPS 140‑3 validated modules |
| Encryption at Rest | Enabled on all data stores (AWS KMS managed) |
| Key Rotation | AWS KMS auto‑rotation enabled |
| Audit Logging | Always enabled |
| Log Integrity | Immutable |
| Access Control | Explicit admin assignment required |
| SAML 2.0 SSO | Supported (per‑organization, domain‑based) |
Logging and Auditing
ISI provides:
- Authentication event logging
- Administrative configuration change logging
- 30+ audited event types
Audit logs:
- Are immutable
- Cannot be modified by customer administrators
- Persist after user deprovisioning
- Support compliance review
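The guide lists the settings that only the Administrator role can change (authentication configuration, user invite/edit/delete, MFA reset, SAML default access rules, site and product access) and makes regular audit-log review a customer responsibility. The script below is an added example of what such a review can look like once audit events have been exported or forwarded to a SIEM; it is not BeyondTrust code, and the JSON event schema, action names, and sample events are all constructed assumptions, not ISI's real audit-log format. It tallies successful Administrator-only changes per actor and category, lists successful sign-ins that used local authentication rather than SAML 2.0 SSO (which the guide discourages), and flags privileged changes made by an actor who signed in locally.

```python
"""Review a constructed export of audit events for the Administrator-only
changes this guide describes and for sign-ins that bypassed federated SSO.

Assumption: the JSON Lines schema, field names and action names below are
invented for illustration; they are not ISI's actual audit-log format.
"""
import json
from collections import Counter

# Assumed action names mapped to the guide's Administrator-only setting categories.
PRIVILEGED_ACTIONS = {
    "auth.saml.update": "Authentication configuration",
    "user.invite": "User management",
    "user.edit": "User management",
    "user.delete": "User management",
    "user.mfa.reset": "MFA reset",
    "saml.default_access.update": "Default access rules for SAML users",
    "access.site.update": "Site and product access management",
    "access.product.update": "Site and product access management",
}

# Constructed sample export (JSON Lines); not real product output.
SAMPLE_EVENTS = """\
{"ts": "2026-03-05T14:02:11Z", "actor": "alice@example.gov", "action": "login", "method": "saml", "result": "success"}
{"ts": "2026-03-05T14:05:40Z", "actor": "alice@example.gov", "action": "user.mfa.reset", "target": "bob@example.gov", "result": "success"}
{"ts": "2026-03-05T15:10:02Z", "actor": "svc-admin@example.gov", "action": "login", "method": "local", "result": "success"}
{"ts": "2026-03-05T15:11:30Z", "actor": "svc-admin@example.gov", "action": "auth.saml.update", "result": "success"}
{"ts": "2026-03-05T15:12:01Z", "actor": "svc-admin@example.gov", "action": "user.delete", "target": "carol@example.gov", "result": "success"}
{"ts": "2026-03-05T16:00:00Z", "actor": "dave@example.gov", "action": "login", "method": "local", "result": "failure"}
{"ts": "2026-03-05T16:30:00Z", "actor": "alice@example.gov", "action": "audit.view", "result": "success"}
"""


def parse_events(text):
    """Parse JSON Lines into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def privileged_changes(events):
    """Return (event, category) pairs for each successful Administrator-only change."""
    found = []
    for ev in events:
        category = PRIVILEGED_ACTIONS.get(ev.get("action"))
        if category and ev.get("result") == "success":
            found.append((ev, category))
    return found


def local_logins(events):
    """Return successful sign-ins whose method was not SAML (local authentication)."""
    return [
        ev for ev in events
        if ev.get("action") == "login"
        and ev.get("result") == "success"
        and ev.get("method") != "saml"
    ]


def review(text):
    """Summarise privileged activity and non-federated sign-ins in one export."""
    events = parse_events(text)
    changes = privileged_changes(events)
    local = local_logins(events)
    local_actors = {ev["actor"] for ev in local}
    # Simplification: any privileged change by an actor who signed in locally
    # in this export is treated as made outside the IdP's MFA enforcement.
    flagged = [ev for ev, _ in changes if ev["actor"] in local_actors]
    return {
        "privileged_changes": len(changes),
        "changes_by_actor": dict(Counter(ev["actor"] for ev, _ in changes)),
        "changes_by_category": dict(Counter(cat for _, cat in changes)),
        "local_logins": len(local),
        "flagged_actions": [ev["action"] for ev in flagged],
    }


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_EVENTS), indent=2))
```

On the constructed sample the review reports three privileged changes, one successful local sign-in, and flags the two changes made by the locally authenticated actor; in practice the flagging rule should key on the session that performed the change rather than on the actor alone, which the assumed schema does not carry.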
Network Security Configuration
Encryption
- All data in transit encrypted using TLS 1.2+
- TLS 1.3 enabled where supported
- FIPS 140‑3 validated cryptographic modules
Session Security Controls
- 20‑minute inactivity timeout (automatic logout)
- Tenant isolation enforced at the database level
Decommissioning Procedures
Administrative Account Removal
- Access is immediately revoked
- Audit logs remain intact and immutable
- Historical audit logs preserved
Data Retention
- Data retention follows contractual and FedRAMP requirements
- Logs preserved per retention policy
Customer Configuration Responsibilities
Customers are responsible for:
- Assigning Administrator access appropriately
- Enforcing MFA at the IdP (if federated)
- Maintaining secure IdP lifecycle controls
- Reviewing audit logs regularly
- Configuring connectors with least‑privilege credentials
- Deploying and securing the Insights Collector
- Configuring SIEM and webhook integrations
- Managing SAML provider configurations
- Applying least‑privilege site and product access assignments
Compliance Alignment Summary
This Secure Configuration Guide for ISI 26.03 addresses FedRAMP Moderate requirements related to:
- Secure access to top‑level administrative accounts
- Privileged account governance
- Secure defaults at provisioning
- Role‑based restriction of security settings
- Administrative lifecycle management
- Immutable logging
- Encryption enforcement
Sales: https://www.beyondtrust.com/contact
Support: https://www.beyondtrust.com/support
© 2026 BeyondTrust Corporation. All rights reserved.