Overview
This article provides guidance on securely configuring Incydr Gov environments to meet FedRAMP Recommended Secure Configuration (RSC) requirements.
Secure configuration guidance for Incydr Gov
RSC-CSO-SCG
Top-level administrative accounts
Top-level administrative user accounts are assigned the Customer Cloud Admin role. This role provides complete control over the Incydr environment, including the ability to configure security settings, manage user access, and control organization-wide features.
Access to Customer Cloud Admin accounts is restricted to authorized users with valid credentials. To securely access top-level administrative accounts:
- Go to the Incydr Gov sign-in page.
- Provide valid credentials using one of these secure authentication methods:
- Single sign-on (SSO) through your identity provider (recommended)
- Local authentication with username, password, and two-factor authentication
Configuring top-level administrative accounts
When setting up Customer Cloud Admin accounts:
- Enable two-factor authentication for all local accounts. See Two-factor authentication for local Incydr users for setup instructions.
- Use complex passwords that meet your organization's security standards.
- If using SSO, configure it before creating additional admin accounts.
- Limit the number of users with the Customer Cloud Admin role to only those who require full administrative access.
Decommission top-level administrative accounts
- Sign in to the Incydr Gov console as a Customer Cloud Admin.
- Go to Administration > Environment > Users.
- Select the user.
The User details appear.
- To remove Customer Cloud Admin permissions while still allowing access to other areas of Incydr:
- Select Roles, then click the Edit icon.
- Deselect the Customer Cloud Admin role and click Save.
- To completely remove Incydr access for a Customer Cloud Admin, select Actions > Deactivate.
It is best practice to always have at least one active Customer Cloud Admin to maintain administrative access to your environment.
Top-level administrative accounts security settings guidance
Customer Cloud Admin accounts can perform all functions in Incydr and have exclusive access to critical security settings that affect your entire Incydr environment. Understanding these settings and their implications helps you maintain a secure configuration.
Security settings unique to Customer Cloud Admins
Customer Cloud Admin role assignment
- Only Customer Cloud Admins can assign this role to others.
- Prevents privilege escalation by lower-privileged administrators.
- Provides unrestricted access to all Incydr functionality and data.
- For the complete list of unique Customer Cloud Admin capabilities, see the Roles reference.
Support access
- Only Customer Cloud Admins can toggle support access on or off.
- Controls whether Mimecast support can access your environment for troubleshooting.
- When enabled, support can view your configuration and data.
- Enable only when assistance is needed. For details, see the Support Access reference.
Local accounts
- Only Customer Cloud Admins can configure emergency local account authentication in SSO environments.
- Local accounts provide emergency access if your SSO provider becomes unavailable. However, they also create an authentication path outside your identity provider's controls.
- Limit local accounts to a small number of Customer Cloud Admins.
- Require two-factor authentication on these accounts.
- Document their existence in your security procedures.
Recommended security configuration
For Customer Cloud Admin accounts:
- Use SSO authentication whenever possible.
- Enable two-factor authentication for all local accounts.
- Limit the number of users with this role.
- When using SSO, maintain at least one local Customer Cloud Admin account as an emergency option for troubleshooting authentication provider issues.
- Regularly review who has the Customer Cloud Admin role and remove access when no longer needed.
Privileged accounts security settings guidance
Privileged accounts in Incydr are defined as users with access to data or configurations beyond their own personal settings.
- Non-privileged account criteria:
- Users with only the Desktop User, Agent User, or PROe User role
- Users with no assigned roles
- Privileged account criteria:
- Users with any role other than Desktop User, Agent User, or PROe User.
- Privileged account users' access to security-related settings varies by role.
Security settings controlled by privileged accounts
SSO configuration
Users with the Identity Management Administrator role can add, remove, and update SSO configurations in the Identity Management panel.
Security implications: SSO configuration controls how users authenticate to Incydr. Incorrect settings can lock users out or create security gaps. Only assign this role to administrators who understand your identity provider's integration requirements. Changes to SSO affect all users who authenticate through your identity provider.
Two-factor authentication requirements
Users with the Multi-Factor Auth Admin role can enable or disable two-factor authentication requirements for organizations and reset individual users' two-factor authentication configurations.
Security implications: Disabling two-factor authentication weakens your security posture by allowing password-only authentication. Resetting a user's two-factor authentication configuration should be reserved for situations where an administrator cannot access their authenticator device, such as a lost or replaced mobile device. See Two-factor authentication for local Incydr users for more details.
Recommendation: Limit use of two-factor authentication resets to situations where users have lost access to their authenticator. Document each reset and ensure users reconfigure two-factor authentication promptly.
Local authentication for emergency access
When using SSO as the primary authentication method, administrators can create local authentication accounts that do not require SSO. These emergency access accounts allow administrators to sign in directly to Incydr if the SSO provider becomes unavailable.
Security implications: Local authentication accounts bypass your identity provider's controls and represent an alternative authentication path. These accounts should be limited to 1-2 Customer Cloud Admin accounts and must have two-factor authentication enabled. Document the existence of these accounts in your security procedures.
Role assignment
Users with the Insider Risk Admin, Cross Org Admin, or Org Admin roles can assign roles to other users within their scope of authority. However, only the Customer Cloud Admin can assign the Customer Cloud Admin role.
Security implications: Role assignment controls who can access sensitive insider risk data and perform administrative functions. Assigning excessive roles grants users more permissions than necessary to perform their jobs. Follow the principle of least privilege: give users only the roles they need to do their work.
Account activation and deactivation
Privileged users can activate and deactivate other user accounts.
Security implications: Deactivating accounts prevents unauthorized access when employees leave or change roles. Failing to deactivate accounts promptly creates security risks by leaving access pathways open. Activating accounts without proper authorization can grant access to individuals who shouldn't have it.
Privileged roles with access to sensitive data
The Insider Risk Admin, Insider Risk Analyst, Insider Risk Read Only, and Insider Risk Respond roles provide access to sensitive insider risk data, including user activity monitoring, security alerts, forensic search results, and file event details. Users with these roles can view information about what files users are accessing, sharing, and exfiltrating from your organization.
The Insider Risk Analyst and Insider Risk Admin roles additionally allow downloading the contents of exfiltrated files when combined with the Security Center - Restore role. Because these roles grant access to potentially sensitive employee data and business information, they should only be assigned to security personnel who are authorized to conduct insider risk investigations and who understand the privacy and ethical implications of accessing this data.
Recommended security configuration
For privileged accounts:
- Use SSO authentication for all privileged users when possible.
- Enable two-factor authentication for any privileged accounts using local authentication.
- Document the purpose and scope of each privileged role assignment. Document any exceptions to your standard security configuration.
- Reserve local accounts for genuine emergencies and document each use.
- Regularly review privileged account access. Incydr's Audit Log can be used to monitor account access.
- Remove roles that are no longer needed.
- Deactivate accounts for users who no longer require access.
Secure defaults on provisioning
RSC-CSO-SDF
When your Incydr Gov environment is initially provisioned, some settings are configured by default to establish a secure baseline. Other settings require you to configure them based on your organization's security requirements.
Initial provisioning defaults
Initial Customer Cloud Admin account
A single Customer Cloud Admin user account is created for you when your Incydr Gov environment is initially provisioned.
Default behavior: This account is created with local authentication enabled. Upon first login, the user is forced to reset the initial password provided during provisioning.
Security implications: The forced password reset ensures that the default password is never used beyond initial access. After resetting the password, immediately configure additional security measures for this account.
Required post-provisioning security configuration steps
To establish a secure configuration after initial provisioning:
- Sign in to the Incydr Gov console using the initial Customer Cloud Admin account.
- Reset the password when prompted.
- Configure SSO integration or enable two-factor authentication.
- Create a limited number of additional Customer Cloud Admin accounts as needed.
- If using SSO, configure an emergency local account with two-factor authentication enabled.
- Assign roles to other users following the principle of least privilege.
Comparison capability
RSC-CSO-CMP
Follow the steps below to compare your current security settings for administrative and privileged accounts against the recommended secure configuration.
Review user settings
Option 1: Get user role assignments via API
Use the Incydr API to retrieve role information:
- List all users:
GET /v1/users
- Get roles for a specific user:
GET /v1/users/{userId}/roles
See the User Roles API documentation for complete details.
Option 2: Get user role assignments via the Incydr console
- Sign in to the Incydr Gov console as a Customer Cloud Admin.
- Go to Administration > Environment > Users.
- Click the filter icon and then select specific organizations, user roles, or status to identify privileged users.
Review authentication settings
- Go to Administration > Environment > Organizations.
- Select each organization and review the Authentication tab.
- Document whether SSO is configured and whether two-factor authentication is enabled.
Compare with the recommended secure configuration baseline
Compare the user and authentication settings against the recommended secure configuration for top-level administrator accounts and for privileged accounts.
For accounts that don't follow the recommended secure configuration, choose the appropriate remediation step for each account:
- Enable SSO: Configure SSO integration and migrate local accounts to SSO authentication.
- Enable two-factor authentication: For accounts that must use local authentication, enable two-factor authentication.
- Remove unnecessary roles: If a user doesn't need privileged access, remove the role.
- Deactivate unused accounts: Remove accounts that are no longer needed.
Export capability
RSC-CSO-EXP
User role information can be exported in JSON format via the Incydr API. This allows you to programmatically analyze your security configuration, integrate with compliance tools, and maintain audit records.
Query capabilities:
- Identify which users have specific roles, such as Customer Cloud Admin and Insider Risk Admin
- Determine authentication method for users with privileged roles
- Find users authenticating without SSO or two-factor authentication
Example use cases:
- List all users with the Customer Cloud Admin role
- Identify privileged users authenticating with local password only
- Generate reports of role assignments by authentication method
For detailed API syntax, see the API Capability section below.
You can also use the Incydr console to filter by role and manually export the list, though this is less efficient for large environments.
API capability
RSC-CSO-API
Incydr provides API capabilities to both view and adjust security settings programmatically.
View user roles via API
- List all users:
GET /v1/users
Returns a JSON array of all users in your environment. You can then query each user's roles using the endpoint below. Optionally filter by a specific role ID. For example:
GET /v1/users?roleId="customer-cloud-admin"
- Get roles for a specific user:
GET /v1/users/{userId}/roles
Returns a JSON object containing all roles assigned to the specified user.
- Include login type information:
GET /v1/users?extendedUserDetails=true
Returns one of three values: CLOUD_SSO, LOCAL, or LOCAL_2FA.
Identify top-level administrative accounts
Apply a filter for the Customer Cloud Admin role: GET /v1/users?roleId=customer-cloud-admin&extendedUserDetails=true
Identify other privileged accounts
Query by the specific role IDs you want to review. For example: GET /v1/users?roleId=insider-risk-admin&extendedUserDetails=true
For complete API documentation, see User Roles API reference.
Adjust user roles via API
- Update roles for a user:
PUT /v1/users/{userId}/roles
Allows you to add or remove role assignments programmatically.
Security considerations:
- Only users with appropriate permissions can modify roles via API
- API authentication requires a token from an account with role assignment privileges
- Changes take effect immediately
Example use cases:
- Bulk role assignment for new team members
- Automated role removal when users change departments
- Emergency revocation of privileged access
API documentation: Update user roles
API authentication requirements
- See API authentication methods.
- If your account uses local authentication with two-factor authentication enabled, you must provide the Time-based One-Time Password (TOTP) when authenticating API requests. See Two-factor authentication for local Incydr users for details.
Machine-readable guidance
RSC-CSO-MRG
Incydr provides configuration data in machine-readable JSON format, which can be used to compare your current settings against the recommended guidance.
Use the API export guidance in the previous sections (RSC-CSO-EXP and RSC-CSO-API) to generate a JSON output of user role and login type details for your environment.
Examples
SSO authentication (follows recommended configuration):
{
  "userId": "123456",
  "username": "admin@example.com",
  "loginType": "CLOUD_SSO",
  "roles": [
    {
      "roleName": "Customer Cloud Admin",
      "roleId": "12345"
    }
  ]
}
Local authentication with two-factor authentication (follows recommended configuration):
{
  "userId": "789012",
  "username": "admin-local",
  "loginType": "LOCAL_2FA",
  "roles": [
    {
      "roleName": "Security Administrator",
      "roleId": "23456"
    }
  ]
}
Local authentication only (does not meet recommended configuration):
{
  "userId": "901234",
  "username": "admin-local",
  "loginType": "LOCAL",
  "roles": [
    {
      "roleName": "Insider Risk Admin",
      "roleId": "34567"
    }
  ]
}
Remediation: Enable two-factor authentication for the user's organization or migrate the account to SSO.
Comparison logic
Use this logic to compare your settings against the recommended configuration:
- Meets recommended configuration:
(loginType == "CLOUD_SSO") OR (loginType == "LOCAL_2FA")
- Does not meet recommended configuration:
(loginType == "LOCAL")
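The comparison described under RSC-CSO-CMP and the logic above can be run over an exported user list. The following Python is an added example, not part of the vendor's documentation or API client: it assumes the export has already been assembled into a list of records shaped like the JSON examples in this article, and it extends the loginType check to the article's privileged-role definition and its emergency local account recommendations. The function names and sample records are constructed for illustration.

```python
# Added example: audit exported user records against this article's recommendations.
# Record shape follows the article's JSON examples; all sample data is constructed.
NON_PRIVILEGED = {"Desktop User", "Agent User", "PROe User"}
TOP_LEVEL = "Customer Cloud Admin"
MAX_LOCAL_ADMINS = 2  # the article's "1-2" limit for emergency local accounts


def role_names(user):
    return {r.get("roleName") for r in user.get("roles", [])}


def is_privileged(user):
    # Privileged = holds any role other than the three end-user roles.
    return bool(role_names(user) - NON_PRIVILEGED)


def audit(users):
    """Return sorted (username, finding) tuples for deviations from the baseline."""
    findings = []
    privileged = [u for u in users if is_privileged(u)]
    for u in privileged:
        login = u.get("loginType")
        if login == "LOCAL":
            findings.append((u["username"], "privileged account without SSO or 2FA"))
        elif login not in ("CLOUD_SSO", "LOCAL_2FA"):
            # Fail closed on missing or unknown values instead of assuming compliance.
            findings.append((u["username"], f"unknown loginType {login!r}"))
    admins = [u for u in privileged if TOP_LEVEL in role_names(u)]
    local_admins = [u for u in admins if u.get("loginType") in ("LOCAL", "LOCAL_2FA")]
    if not admins:
        findings.append(("<environment>", "no Customer Cloud Admin account"))
    if len(local_admins) > MAX_LOCAL_ADMINS:
        findings.append(("<environment>", "too many local Customer Cloud Admins"))
    uses_sso = any(u.get("loginType") == "CLOUD_SSO" for u in users)
    if uses_sso and not any(u.get("loginType") == "LOCAL_2FA" for u in admins):
        findings.append(("<environment>", "no emergency local admin with 2FA"))
    return sorted(findings)


# Constructed sample export (not real accounts).
SAMPLE = [
    {"userId": "1", "username": "admin@example.com", "loginType": "CLOUD_SSO",
     "roles": [{"roleName": "Customer Cloud Admin", "roleId": "12345"}]},
    {"userId": "2", "username": "analyst-local", "loginType": "LOCAL",
     "roles": [{"roleName": "Insider Risk Admin", "roleId": "34567"}]},
    {"userId": "3", "username": "laptop-user", "loginType": "LOCAL",
     "roles": [{"roleName": "Desktop User", "roleId": "45678"}]},
    {"userId": "4", "username": "auditor", "roles": [{"roleName": "Org Admin", "roleId": "56789"}]},
]

if __name__ == "__main__":
    for who, what in audit(SAMPLE):
        print(f"{who}: {what}")
```

A record with a missing or unexpected loginType is reported rather than treated as compliant, which is what happens when the list is fetched without extendedUserDetails=true.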
Published guidance
RSC-CSO-PUB
This article serves as the publicly available recommended secure configuration guidance for Incydr Gov.
Public accessibility
This guidance is publicly accessible without authentication and is intended for:
- Customers implementing FedRAMP security controls
- Auditors evaluating FedRAMP compliance
- Security professionals assessing Incydr Gov's security posture
Related documentation
Additional security configuration information is available in these public support articles:
Versioning and release history
RSC-CSO-VRH
This section maintains a version history of the recommended secure configuration guidance for top-level administrative and privileged accounts in Incydr Gov. Updates are documented with dates and descriptions of changes to help customers and auditors track evolving security recommendations.
Current version: 1.0
Last updated: Feb 26, 2026
| Version | Date | Changes |
|---|---|---|
| 1.0 | Feb 26, 2026 | Initial release of FedRAMP Recommended Secure Configuration guidance |