Device Security and FedRAMP
Device Security is authorized for FedRAMP Moderate/High.
| Where Can I Use This? | What Do I Need? |
| NGFW (Managed by PAN-OS or Panorama); Device Security (Managed by Strata Cloud Manager); (Legacy) IoT Security (Standalone portal) | One of the following subscriptions: a Device Security subscription for an advanced Device Security product (Enterprise, OT, or Medical), or a Device Security X subscription |
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government program that
promotes the use of secure cloud services by the federal government. Cloud computing
systems categorized at the Moderate/High security impact level in accordance with the FIPS
Publication 199 security categorization are authorized to store and process government
data. The Palo Alto Networks Device Security cloud is FedRAMP Moderate/High authorized.
Device Security supports both FedRAMP Moderate and FedRAMP High on
Prisma Access.
Device Security supports only FedRAMP Moderate on Next-Generation Firewalls.
The Device Security FedRAMP Moderate/High solution is intended for use by U.S. government agencies
requiring a standardized approach to the security assessment, authorization, and
continuous monitoring of cloud products and services. It is also intended for use by
commercial entities that do business with the U.S. government. The Device Security
FedRAMP Moderate/High solution operates as a separate and distinct entity.
The Device Security commercial solution and the Device Security
FedRAMP Moderate/High solution have the following differences:
You must purchase an additional SKU to get a
Device Security FedRAMP Moderate/High solution.
The Device Security FedRAMP Moderate/High solution permits only FedRAMP-authorized personnel to access data.
Because Palo Alto Networks enforces strict inbound security policy rules for FedRAMP tenants,
you must provide Palo Alto Networks customer services with a list of the source IP addresses
from which administrative users will access your Device Security portal. When user traffic to
the portal passes through a NAT device on a perimeter firewall, edge router, or VPN gateway,
provide the public address to which NAT translates the users' original addresses, because that
is the only address the portal sees; internal (private) addresses are never visible to it. After
you submit a support ticket with these addresses, customer services creates an allow list for
them, and users can log in and access the portal only from those addresses. If your NAT pool or
VPN egress addresses later change, submit a new ticket before the change so that administrators
are not locked out.
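The following added example (not Palo Alto Networks code, and not part of the original page) is a pre-submission check for the allow list described above. It assumes the candidate list is a plain-text file or list of strings with one address or CIDR per line, with `#` comments allowed. It rejects entries the portal could never see (private, loopback, link-local, CGNAT and documentation ranges, which Python's `ipaddress` reports as non-global), rejects prefixes far broader than a realistic NAT pool, and collapses adjacent host entries so the ticket contains the minimum set of networks. The sample entries are constructed; the `11.22.33.0/24` block stands in for an organisation's public NAT pool.

```python
"""Pre-submission check for the administrator source-IP allow list.

Added example, not code from Palo Alto Networks or the Device Security
product. Assumes one IP address or CIDR per entry, '#' comments allowed.
"""
import ipaddress

# Constructed sample input. 11.22.33.0/24 is a stand-in for a public NAT
# pool in this example, not a statement about who holds that block.
SAMPLE_ENTRIES = [
    "# Admin egress after NAT on the perimeter firewall",
    "11.22.33.44",
    "11.22.33.45/32",
    "10.1.2.3",          # internal address: the portal never sees it
    "192.168.0.0/16",    # whole RFC 1918 block, also never seen by the portal
    "11.22.0.0/16",      # far broader than any real NAT pool
    "2001:db8::1",       # IPv6 documentation prefix, not routable
    "not-an-ip",
]

# Widest prefix accepted per address family (an assumption of this example).
# Anything broader is almost certainly not a NAT pool and would open the
# portal to a whole block of addresses.
MAX_PREFIX_WIDTH = {4: 24, 6: 64}


def classify(entry):
    """Return (network, None) for an acceptable entry or (None, reason_code)."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None, "invalid"
    # Private, loopback, link-local, CGNAT and documentation ranges are all
    # non-global; a user behind NAT must supply the translated public address.
    if not net.is_global:
        return None, "not-global"
    if net.prefixlen < MAX_PREFIX_WIDTH[net.version]:
        return None, "too-broad"
    return net, None


def validate_allow_list(entries):
    """Return (accepted, rejected).

    accepted: sorted list of collapsed ip_network objects ready for the ticket
    rejected: list of (entry, reason_code) tuples
    """
    accepted, rejected = [], []
    for raw in entries:
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        net, reason = classify(entry)
        if net is None:
            rejected.append((entry, reason))
        else:
            accepted.append(net)
    # collapse_addresses only accepts one address family at a time
    v4 = ipaddress.collapse_addresses(n for n in accepted if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in accepted if n.version == 6)
    return sorted(v4) + sorted(v6), rejected


def ticket_lines(accepted):
    """Lines to paste into the support ticket, one network per line."""
    return [str(n) for n in accepted]


if __name__ == "__main__":
    ok, bad = validate_allow_list(SAMPLE_ENTRIES)
    print("submit:", ticket_lines(ok))
    for entry, reason in bad:
        print("rejected:", entry, reason)
```

Run against the sample, the two /32 host entries collapse to `11.22.33.44/31`, and every private, documentation, over-broad or malformed entry is reported with a reason code so it can be corrected before the ticket is opened rather than after an administrator is locked out.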
When integrating with third-party products, use a full on-premises Cortex XSOAR server.
FedRAMP recommends running the on-premises components of the solution on a vendor-approved
FIPS version that complies with the FIPS 140-2 standard.
Device Security supports Security policy rule recommendations and Device-ID based automated
Zero Trust enforcement for Prisma Access and for next-generation firewalls in FIPS mode.
Configure PAN-OS Edge Services to retrieve Device-ID verdicts and Device Security policy
recommendations from the FedRAMP edge service using the CLI. The edge address must be entered
as a single command line; the restart at the end makes the IoT client process pick up the
new address.
fw> configure
fw# set deviceconfig setting iot edge address iot.services-edge.pubsec-cloud.paloaltonetworks.com
fw# commit
fw# quit
fw> debug software restart process icd
For more information about Palo Alto Networks Device Security FedRAMP authorization, visit these websites: