FedRAMP - Secure Configuration Guide for SRA

FedRAMP Moderate - SaaS

Document Information

  • Product Name: BeyondTrust Secure Remote Access (SRA)
  • Deployment Model: SaaS (Single-Tenant)
  • Authorization Level: FedRAMP Moderate (Authorized)
  • Document Version: 25.3.1
  • Document Date: February 2026
  • Applies To Product Release: 25.3.x

Versioning and Release History

Version | Release Date | Product Version Alignment | Description of Changes | Security Impact
25.3.1 | Dec 2025 | 25.3.1 | Initial Secure Configuration Guide for FedRAMP Moderate, aligned to the 25.3.1 release | Baseline configuration documentation
25.3.2 | Feb 2026 | 25.3.2 | Maintenance updates | Latest iteration of security patches and bug fixes
26.1.1 | TBD | 26.1.x | Next major feature release alignment | Reviewed for configuration impact

Versioning Model

  • 25.3.1 = Major feature release
  • 25.3.2 = Maintenance release within 25.3 branch
  • 26.1.1 = First major release of 2026

Each product release is evaluated for configuration-impacting changes, and this guide is updated accordingly.

System Overview

BeyondTrust Secure Remote Access (SRA) version 25.3.1 is a FedRAMP Moderate authorized SaaS solution providing secure, audited remote access to endpoints and systems.

Each customer receives a dedicated single-tenant SaaS environment.

Security Enforcement

  • TLS 1.2+ (TLS 1.3 where supported)
  • FIPS 140-3 validated cryptography
  • Immutable audit logging
  • Role-based access control (RBAC)
  • Secure configuration defaults at provisioning

Administrative Account Security

Top-Level Administrative Role

The highest privilege role in SRA is Admin.

Admin users may:

  • Configure authentication settings
  • Manage RBAC permissions
  • Modify session policies
  • Configure IP allowlisting
  • Manage logging settings
  • Configure integration settings

Permissions can be assigned individually or through Group Policies.

Reference documentation:
https://docs.beyondtrust.com/rs/docs/cloud-users-security

Secure Access to Administrative Accounts

SRA 25.3.1 supports:

  • SAML federation
  • OIDC federation
  • LDAP integration
  • Local authentication (allowed but discouraged)

FedRAMP Secure Practice

  • Federated authentication with MFA enforced at the IdP is strongly recommended
  • MFA is supported at both the Identity Provider and local SRA levels
  • Administrative access must use MFA

Administrative Lifecycle Management

Provisioning

  • Admin accounts are created by existing Admin users
  • RBAC follows least privilege principles
  • Permissions may be scoped through Group Policies

Deprovisioning

  • Federated users: governed by IdP lifecycle
  • SCIM: minimal support

When an Admin account is removed:

  • Access is immediately revoked
  • Audit logs remain intact and immutable

Privileged Account Controls

Role-Based Access Control (RBAC)

SRA 25.3.1 uses granular RBAC with:

  • Preconfigured least-privilege baseline at provisioning
  • Customer assigned roles post provisioning
  • Delegated administrative capabilities
  • Group policy based permission assignment

Security-sensitive settings require Admin-level privileges.

Privileged Security Settings

Settings restricted to the Admin role include:

  • Authentication configuration
  • IP allowlisting
  • Session recording enforcement
  • Jump/Access policy configuration
  • Credential injection controls
  • Logging and retention policies

All security-sensitive changes are logged.

Secure Defaults

Configuration Area | Secure Default
TLS | 1.2 enforced; 1.3 where supported
Cryptography | FIPS 140-3 validated modules
Audit Logging | Enabled by default
Log Integrity | Immutable
IP Allowlisting | Enabled by default; configurable
Anonymous Access | Disabled
RBAC | Least-privilege baseline
Session Recording | Enabled by policy

Logging and Auditing

SRA 25.3.1 provides:

  • Full session recording
  • Command logging
  • File transfer logging
  • Authentication event logging
  • Administrative configuration change logging

Audit logs:

  • Are immutable
  • Cannot be modified by Admin users
  • Persist after user deprovisioning
  • Support compliance review and forensic analysis

Network Security Configuration

IP Allowlisting

  • Enabled by default
  • Configurable by Admin users
  • Restricts administrative access to approved IP ranges

Encryption

  • All data in transit encrypted using TLS 1.2+
  • TLS 1.3 enabled where supported
  • FIPS 140-3 validated cryptographic modules used

Session Security Controls

SRA 25.3.1 enforces:

  • VPN-less secure connectivity
  • Session recording
  • Credential injection (credentials are never exposed to the end user)
  • External access controls
  • Policy based session governance

Decommissioning Procedures

Administrative Account Removal

  • Access is immediately revoked
  • RBAC associations removed
  • Historical audit logs preserved
  • No log deletion occurs

Tenant Decommissioning

  • Data retention follows contractual and FedRAMP requirements
  • Logs preserved per retention policy
  • Environment securely decommissioned per FedRAMP Moderate requirements

Customer Configuration Responsibilities

Customers are responsible for:

  • Assigning Admin roles appropriately
  • Enforcing MFA at IdP (if federated)
  • Maintaining secure IdP lifecycle controls
  • Reviewing audit logs regularly
  • Maintaining IP allowlist configuration
  • Applying least privilege RBAC assignments
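The audit-log review and IP-allowlist responsibilities above are easiest to meet with a script that runs on a schedule. The following Python example is added here for illustration; it is not BeyondTrust code, and the JSON event schema, field names and sample log lines in it are constructed, not SRA's actual audit-log format. It checks every Admin event against a CIDR allowlist (default-deny, with malformed allowlist entries rejected rather than silently widened), flags Admin logins that used local rather than federated authentication or lacked MFA, and flags changes to the settings this guide lists as restricted to the Admin role.

```python
"""Review constructed SRA-style admin audit events against an IP allowlist.

Hypothetical example: the event schema, field names and sample log lines
below are constructed for illustration and are not BeyondTrust's actual
audit-log format.
"""
import ipaddress
import json

# Settings the guide lists as restricted to the Admin role; any change to
# one of these is a security-sensitive change a reviewer should escalate.
SENSITIVE_SETTINGS = {
    "authentication", "ip_allowlist", "session_recording",
    "jump_policy", "credential_injection", "logging_retention",
}

# Constructed sample events (JSON lines). Not real SRA output.
SAMPLE_AUDIT_LOG = """\
{"ts":"2026-02-10T13:01:05Z","event":"auth.login","user":"alice","role":"Admin","auth":"saml","mfa":true,"src_ip":"198.51.100.23"}
{"ts":"2026-02-10T13:04:41Z","event":"config.change","user":"alice","role":"Admin","setting":"ip_allowlist","src_ip":"198.51.100.23"}
{"ts":"2026-02-10T13:22:09Z","event":"auth.login","user":"bob","role":"Admin","auth":"local","mfa":false,"src_ip":"203.0.113.77"}
{"ts":"2026-02-10T13:23:30Z","event":"config.change","user":"bob","role":"Admin","setting":"session_recording","src_ip":"203.0.113.77"}
{"ts":"2026-02-10T14:00:00Z","event":"auth.login","user":"carol","role":"User","auth":"saml","mfa":true,"src_ip":"203.0.113.9"}
{"ts":"2026-02-10T14:05:12Z","event":"config.change","user":"dave","role":"Admin","setting":"branding","src_ip":"2001:db8::10"}
"""


def load_allowlist(entries):
    """Parse CIDR/IP strings into networks. strict=True rejects entries
    with host bits set (e.g. "198.51.100.23/24"), so a typo fails loudly
    instead of silently admitting a wider range."""
    networks = []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid allowlist entry {entry!r}: {exc}") from exc
    return networks


def ip_allowed(ip, networks):
    """Default-deny: an address is allowed only if it falls inside some
    allowlist entry. Unparseable addresses are treated as not allowed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def review_audit_log(log_text, allowlist_entries):
    """Return (ts, user, reason) findings that a periodic review of
    privileged activity should escalate."""
    networks = load_allowlist(allowlist_entries)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("role") != "Admin":
            continue  # only privileged activity is in scope for this review
        ts, user, src = ev["ts"], ev["user"], ev.get("src_ip", "")
        if not ip_allowed(src, networks):
            findings.append((ts, user, f"admin activity from non-allowlisted IP {src}"))
        if ev["event"] == "auth.login":
            if ev.get("auth") == "local":
                findings.append((ts, user, "admin used local (non-federated) authentication"))
            if not ev.get("mfa"):
                findings.append((ts, user, "admin login without MFA"))
        elif ev["event"] == "config.change" and ev.get("setting") in SENSITIVE_SETTINGS:
            findings.append((ts, user, f"security-sensitive setting changed: {ev['setting']}"))
    return findings


if __name__ == "__main__":
    # Hypothetical allowlist: an IPv4 /24 and an IPv6 /32 documentation range.
    for ts, user, reason in review_audit_log(SAMPLE_AUDIT_LOG, ["198.51.100.0/24", "2001:db8::/32"]):
        print(ts, user, reason)
```

Against the constructed sample, alice's allowlist change is reported as a sensitive change (expected, but worth a second pair of eyes), bob's local non-MFA login from an address outside the allowlist produces five findings across his two events, carol is skipped as a non-Admin, and dave's branding change from an allowlisted IPv6 address produces none. Point the script at the tenant's exported audit events and the allowlist actually configured in SRA, and treat any finding as a review item rather than as proof of compromise.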

Compliance Alignment Summary

This Secure Configuration Guide for SRA 25.3.1 addresses FedRAMP Moderate requirements related to:

  • Secure access to top-level administrative accounts
  • Privileged account governance
  • Secure defaults at provisioning
  • Role-based restriction of security settings
  • Administrative lifecycle management
  • Immutable logging
  • Encryption enforcement

©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.