Somnoware Secure Configuration Guide (SCG)
(v1.0) - 10 March 2025
For FedRAMP Rev5 Compliance
1. Purpose
This Secure Configuration Guide (SCG) provides Somnoware customers with clear, actionable guidance for securely configuring the Somnoware SaaS environment in line with the FedRAMP Rev5 Secure Configuration Guide requirements (SCG‑CSO‑RSC). It satisfies the FedRAMP Rev5 Recommended Secure Configuration (RSC) requirement that Cloud Service Providers produce clear, actionable guidance.
2. Scope
This guide applies to:
- All Somnoware SaaS tenants
- All Somnoware top‑level administrative accounts and privileged accounts
- Configuration settings with security implications
3. Infrastructure – Shared Responsibility Statement
Somnoware is hosted on AWS GovCloud (US). Somnoware inherits platform security capabilities and aligns AWS account and service configurations with the AWS FedRAMP Rev5 Secure Configuration Guidance, including protections for top‑level administrative accounts, secure defaults, and per‑service hardening. Customers may reference AWS’s RSC/SCG documentation for details on the underlying platform configuration. This Somnoware Secure Configuration Guide (SCG) applies those principles to the Somnoware application layer and provides the required service‑specific instructions for securely accessing, configuring, operating, and decommissioning Somnoware’s top‑level and privileged accounts, and explains security‑relevant settings and their implications for this service.
4. Top‑Level Administrative Accounts (SCG‑CSO‑RSC)
Top-Level Administrative Accounts (TLAs): Identities with enterprise-wide control over the Somnoware tenant, including the ability to modify global security settings, assign privileged roles, and change audit settings.
4.1 Somnoware TLAs (per role/permission model)
| Account Type | Description |
|---|---|
| Centralized Admin | Delegated admin with broad privileges provisioned during onboarding |
| Lab Manager | A top‑level administrative account assigned an administrative role that provides substantial, though more limited, operational and configuration authority. |
4.2 Secure Access Requirements
- Ensure only the minimum required number of top‑level administrative accounts are created
- PIV Authentication - All access to the Somnoware Federal environment (including top-level admin consoles and the tenant admin UI) requires a FIPS-201-compliant PIV card via agency IdP federation.
- No shared credentials - Each top-level account must be unique, non-shared, and individually assigned.
- Use admin accounts only for provisioning, break‑glass, and recovery
- Auditing - All top-level admin actions are logged, with alerts for role changes
- Enable alerting for privilege changes, policy changes, and authentication anomalies
4.3 Secure Configuration
- Somnoware requires PIV smart card login for every user, including TLAs.
- Assign the correct Somnoware role to each TLA
- Prevent shared accounts—each TLA must be tied to a unique PIV card.
4.4 Secure Operations
- Use separate user and admin accounts
- Quarterly review of admin role privilege and activity logs
4.5 Decommissioning Procedures
- Immediately disable admin accounts for departing personnel
- Revoke the PIV certificate from the PKI
- Disable the account and monitor logs
- Retain deactivation and configuration change logs per FedRAMP Moderate retention policy
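The requirements in sections 4.2 to 4.5 (minimum number of TLAs, a unique PIV binding per TLA, no shared credentials, separate user and admin accounts, quarterly privilege review, immediate disablement of departing personnel, and alerting on role and security-setting changes) lend themselves to a periodic automated check. The script below is an added example written for this guide, not Somnoware tooling: the account record layout, field names, and the audit-log line format are assumptions, and the sample accounts and log lines are constructed.

```python
"""Audit checks for the TLA requirements in sections 4.2 to 4.5 of this guide.
Added example; the record layout, field names and log format are assumptions,
and all sample data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import re

TLA_ROLES = {"Centralized Admin", "Lab Manager"}   # section 4.1
REVIEW_INTERVAL = timedelta(days=92)                # "quarterly", section 4.4


@dataclass
class Account:
    username: str
    person: str                      # the individual who holds the account
    role: str                        # a TLA role or any non-admin role
    piv_serial: Optional[str]        # serial of the PIV certificate bound to the login
    enabled: bool
    departed: bool = False
    last_review: Optional[date] = None   # last admin privilege/activity review


def audit_accounts(accounts, today, max_tlas=2):
    """Return a list of (requirement, username) findings; empty means compliant."""
    findings = []
    tlas = [a for a in accounts if a.role in TLA_ROLES and a.enabled]
    # 4.2: only the minimum required number of TLAs (max_tlas is an assumed agency value)
    if len(tlas) > max_tlas:
        findings.append(("tla-count-exceeds-minimum", ",".join(a.username for a in tlas)))
    # 4.3: PIV login for every user; 4.2/4.3: no shared credentials, one PIV per TLA
    piv_to_tlas = {}
    for a in accounts:
        if a.enabled and not a.piv_serial:
            findings.append(("missing-piv-binding", a.username))
        if a.role in TLA_ROLES and a.piv_serial:
            piv_to_tlas.setdefault(a.piv_serial, []).append(a.username)
    for serial, names in piv_to_tlas.items():
        if len(names) > 1:
            findings.append(("piv-shared-between-tlas", ",".join(sorted(names))))
    # 4.4: a person holding an admin account must also have a separate user account
    persons_with_user_acct = {a.person for a in accounts
                              if a.role not in TLA_ROLES and a.enabled}
    for a in tlas:
        if a.person not in persons_with_user_acct:
            findings.append(("admin-account-without-separate-user-account", a.username))
    # 4.4: quarterly review of admin privileges and activity logs
    for a in tlas:
        if a.last_review is None or today - a.last_review > REVIEW_INTERVAL:
            findings.append(("admin-review-overdue", a.username))
    # 4.5: departing personnel disabled immediately
    for a in accounts:
        if a.departed and a.enabled:
            findings.append(("departed-account-still-enabled", a.username))
    return findings


# Assumed log line shape: "<timestamp> user=<name> event=<type> key=value ..."
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?P<rest>.*)$")
ALERT_EVENTS = {"role_change", "security_setting_edit", "policy_change"}


def alerts_from_log(lines, failure_threshold=3):
    """Alert on privilege/policy changes and repeated PIV auth failures (section 4.2)."""
    alerts, failures = [], {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines that do not fit the assumed format
        user, event = m["user"], m["event"]
        if event in ALERT_EVENTS:
            alerts.append((event, user, m["rest"].strip()))
        elif event == "auth_failure":
            failures[user] = failures.get(user, 0) + 1
            if failures[user] == failure_threshold:
                alerts.append(("auth-anomaly", user, f"{failure_threshold} repeated failures"))
    return alerts


# Constructed sample data: three enabled TLAs, two of them bound to the same PIV card,
# one departed person still enabled, one overdue review.
TODAY = date(2025, 3, 10)
SAMPLE_ACCOUNTS = [
    Account("alice.admin", "alice", "Centralized Admin", "PIV-1001", True, last_review=date(2025, 1, 15)),
    Account("alice", "alice", "Technologist", "PIV-1001", True),
    Account("bob.admin", "bob", "Lab Manager", "PIV-1002", True, last_review=date(2024, 10, 1)),
    Account("carol.admin", "carol", "Lab Manager", "PIV-1002", True, departed=True, last_review=date(2025, 2, 1)),
]
SAMPLE_LOG = [
    "2025-03-10T09:12:03Z user=alice.admin event=role_change target=dave new_role=Lab_Manager",
    "2025-03-10T09:15:44Z user=bob.admin event=auth_failure reason=cert_revoked",
    "2025-03-10T09:15:51Z user=bob.admin event=auth_failure reason=cert_revoked",
    "2025-03-10T09:16:02Z user=bob.admin event=auth_failure reason=cert_revoked",
    "2025-03-10T09:20:10Z user=alice.admin event=view_settings",
    "2025-03-10T09:25:00Z user=alice.admin event=security_setting_edit setting=session_timeout value=15m",
]

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS, TODAY):
        print("FINDING", *finding)
    for alert in alerts_from_log(SAMPLE_LOG):
        print("ALERT", *alert)
```

Run against the constructed data, the audit reports six findings (too many TLAs, one PIV card bound to two TLAs, two admins without a separate user account, one overdue review, and a departed account still enabled), and the log scan raises three alerts (the role change, the repeated authentication failures, and the security-setting edit). The PIV-uniqueness check is deliberately scoped to TLA accounts so that a person's own user account, which shares their card, is not flagged as a shared credential.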
5. Privileged Accounts & Role‑Based Access Control (RBAC)
Somnoware documents privileged settings and their security implications as required by SCG‑CSO‑RSC.
5.1 Somnoware Privileged Roles
- Medical Director - responsible for overseeing medical workflows, approving patient‑related documentation, ordering/interpreting studies, and managing clinical tasks within Somnoware.
- Lab Facilitator - assists with day‑to‑day sleep lab operations, helping the Lab Manager and clinical team manage studies, patient workflows, and certain administrative tasks, but with limited system authority and no security‑critical administrative permissions.
6. Secure Defaults (SCG‑CSO‑SDF)
- Audit logging enabled for all actions
- PIV-only sign-in for TLA accounts
- Session timeout enforced
- Full audit logging of TLA authentications (including certificate identifiers), privilege changes, and security-setting edits to immutable storage
7. Security‑Related Configuration Settings & Implications
7.1 Security‑Related Settings that can be operated only by top-level accounts and their implications
| Security‑Related Setting | Centralized Admin | Lab Manager | Security Implication |
|---|---|---|---|
| Edit Security Settings | ✔ | ✔ | High‑risk—controls MFA, audit, access policies |
| Create/Edit User | ✔ | ✔ | Identity lifecycle & RBAC integrity |
| Modify Sleep Lab | ✔ | ✔ | Facility configuration & PHI routing |
| Create/Edit Physician | ✔ | ✔ | Clinical identity integrity |
| DME/Insurance Admin | ✔ | ✔ | Billing & compliance impact |
| Manage Study | ✔ | ✔ | Clinical workflow integrity |
| Create/Edit Schedule | ✔ | ✔ | Appointments & lab workflow integrity |
| View Settings | ✔ | ✖ | Visibility into system security posture |
7.2 Security‑Related Settings that can be operated only by privileged accounts and their implications
| Security‑Related Setting | Medical Director | Lab Facilitator | Security Implication |
|---|---|---|---|
| Change Study Type | ✔ | ✖ | Affects diagnostic workflow/accuracy |
| Create/Edit Interpretation Report | ✔ | ✖ | Alters legal clinical records |
| Access interpretation/diagnostic reports | ✔ | ✖ | High‑sensitivity PHI exposure |
| View PSG | ✔ | ✔ | Access to raw study |
| Modify Sleep Lab | ✖ | ✔ | Can alter PHI routing and lab config |
| Manage Study | ✖ | ✔ | Controls physician assignment |
| Perform Active Study Actions | ✖ | ✔ | Impacts active diagnostic pipeline |
| Delete Patient Notes | ✖ | ✔ | Removes medical documentation |
| DME Order Actions | ✖ | ✔ | Billing/compliance/treatment risk |
8. Obtaining and using the Somnoware Secure Configuration Guide (SCG‑CSO‑AUP)
This section provides mandatory instructions for federal agencies on how to obtain, access, and use the Somnoware Secure Configuration Guide (SCG), as required under the FedRAMP Secure Configuration Guidance (SCG‑CSO‑AUP). The SCG is included as part of the Somnoware FedRAMP Authorization Package and supports agency administrators in securely configuring the Somnoware Cloud Service Offering (CSO) in accordance with FedRAMP Rev5 requirements.
The secure configuration guide can be obtained:
8.1 Through the FedRAMP Authorization Package
Authorized federal agencies may obtain the Somnoware SCG through the FedRAMP Package Access Request process maintained by FedRAMP Program Management Office (PMO).
- Agencies request access to the Somnoware authorization package by submitting a package request through FedRAMP PMO.
- Upon approval, the SCG is accessible alongside the Security Assessment Report (SAR), System Security Plan (SSP), POA&M, and other required authorization artifacts.
8.2 Direct Access from Somnoware
Authorized agency personnel may also obtain the SCG directly from Somnoware via:
- The Somnoware FedRAMP Support Team
Somnoware ensures that the most recent approved version of the SCG is available to agencies at all times, consistent with FedRAMP Rev5 mandatory guidance.
8.3 Using the Somnoware Secure Configuration Guide
The SCG is intended for agency administrators and security personnel responsible for securely managing Somnoware. It should be used during:
- Initial system setup and ongoing security operations. The SCG outlines secure configuration requirements for:
  - Top‑level administrative accounts
  - Privileged role assignment
  - PIV‑based authentication enforcement
  - Security‑relevant system settings
- Configuration reviews
- Account audits or access recertifications
- Verification that security‑relevant settings remain in compliance with FedRAMP baselines
Somnoware maintains version control for all SCG releases. Agencies must:
- Verify that they are using the most recently approved SCG version
- Review SCG updates and ensure any revisions are incorporated into their own configuration documentation and risk registers
9. Public Availability of SCG (SCG-CSO-PUB)
In alignment with the FedRAMP Secure Configuration Guidance recommendation that Cloud Service Providers (CSPs) make Secure Configuration Guides publicly accessible to agency administrators and security personnel, Somnoware maintains a publicly available version of the Somnoware Secure Configuration Guide (SCG) for reference and operational use.
The Somnoware SCG can be accessed at the following URL:
Public SCG Access: https://supportfed.somnoware.com/hc/en-us/articles/44191955802765-Somnoware-FedRAMP-Rev5-Secure-Configuration-Guide
This publicly available SCG provides:
- Detailed instructions for securely configuring Somnoware in accordance with FedRAMP Rev5 requirements
- Secure access and authentication guidance for top‑level administrative accounts
- Security‑relevant configuration explanations and implications
- Role‑based access recommendations supporting least‑privilege enforcement
References
- FedRAMP Rev5 Secure Configuration Guide (Secure Configuration Guide – Effective March 1, 2026)
- AWS FedRAMP Rev5 Secure Configuration Guidance (FedRAMP Compliance Guide)