Archibus for Government - Secure Configuration Guide

Last updated
Save as PDF

Version History


Version	Publication Date	Summary of changes
1.00	March, 12, 2026	Initial version

Overview

This guide provides FedRAMP Rev. 5–aligned secure configuration guidance for Archibus for Government production deployments. It maps Archibus security practices to the FedRAMP Recommended Secure Configuration (RSC) framework to help U.S. federal customers operate securely.

This guidance helps U.S. federal customers deploy and operate Archibus in line with FedRAMP Rev. 5 security principles using established Archibus capabilities.

Archibus offers security features and recommended configurations; customers must choose, implement, and maintain settings that meet their regulatory, contractual, and risk requirements.

Scope:

Archibus Web Central for Government deployments (SaaS and non-SaaS)
Production environments handling sensitive or regulated data
Customers and partners responsible for configuring tenant-level and application-level security controls

Review this guide during initial deployment, major changes, and periodic security audits. Each section aligns Archibus capabilities with FedRAMP Rev. 5 expectations to support informed operational decisions.

The information on this page should be used secure configuration recommendations for all customers and partners: Securing Web Central for Production Deployment.

FedRAMP Rev. 5 Secure Configuration Context (FRR‑RSC‑01)

FRR‑RSC‑01 – Public Secure Configuration Guidance requires Cloud Service Providers to publish customer-consumable documentation describing how to securely configure, operate, and decommission the service.

This document itself fulfills FRR‑RSC‑01 by:

Providing publicly available, role-agnostic secure configuration guidance
Describing security-relevant configuration options and their implications
Referencing authoritative Archibus Knowledge Center documentation

Secure Deployment Principles for Archibus

Production vs. Non-Production Configuration (FRR‑RSC‑02)

FRR‑RSC‑02 – Secure Defaults and Non‑Secure Configurations requires providers to clearly distinguish between secure production configurations and insecure or non-production defaults.

Archibus Web Central is delivered with configurations intended for demonstration, training, and development use. These default settings are not appropriate for production environments. Production deployments must explicitly enable stronger authentication mechanisms, encrypted communications, and infrastructure hardening controls.

This section documents:

Non-production defaults that are insecure by design
Production hardening expectations required for regulated deployments

Authentication and Identity Management (FRR‑RSC‑03, FRR‑RSC‑04)

FRR‑RSC‑03 – Identity, Credential, and Access Configuration and FRR‑RSC‑04 – Privileged Access Configuration require clear documentation of authentication options and administrative account protections.

For production deployments, Archibus recommends integrating with an external Identity Provider (IdP) using SAML or OpenID Connect (OIDC). This approach provides stronger security controls than native Archibus authentication, including support for modern password policies and multi-factor authentication (MFA).

Use of the Archibus afm_users table for authentication is intended only for non-production scenarios. If used in production, all credentials must be encrypted, and customers and partners should understand that this approach does not provide the same level of protection as IdP-based authentication.

This section supports:

Documentation of supported authentication mechanisms
Clear articulation of security tradeoffs and risks
Protection of administrative and privileged accounts

Transport Security and Network Protection (FRR‑RSC‑05)

FRR‑RSC‑05 – Network and Communications Security Configuration requires documentation of encrypted communications and network-level protections.

All Archibus production deployments should enforce TLS (HTTPS) for all user and system communications. Encrypted transport protects credentials, session tokens, and application data from interception.

Additional infrastructure hardening recommendations include:

Disabling directory browsing on the application server
Preventing search engine indexing of Web Central endpoints and exported content
Applying security-related HTTP response headers such as HSTS and content-type protections

Application and Data Access Controls (FRR‑RSC‑06, FRR‑RSC‑07)

FRR‑RSC‑06 – Application-Level Security Configuration and FRR‑RSC‑07 – Data Protection and Segmentation Configuration require documentation of how customers configure access controls and data separation.

Archibus provides multiple layers of application-level security that customers must configure as part of a secure production deployment:

Security Groups and Roles to control which data fields and tasks users may access
Hierarchical Security to reflect organizational structure and limit access based on role aggregation
Virtual Private Archibus (VPA) to enforce row-level data partitioning across regions, divisions, or organizations

These controls support FedRAMP principles of least privilege and tenant responsibility for data access configuration.

Database and Backend Security (FRR‑RSC‑08)

FRR‑RSC‑08 – Backend and Dependency Configuration requires providers to document security-relevant backend dependencies and shared-responsibility boundaries.

Database security is a shared responsibility between the Archibus platform and the customer’s database administrators. Archibus separates database connections by role (data, schema, security), and customers must ensure that database credentials, permissions, patch levels, and encryption settings are managed according to organizational security policies.

This section documents:

Backend role separation
Customer responsibility boundaries
Security implications of database configuration choices

Continuous Hardening, Updates, and Change Management (FRR‑RSC‑09)

FRR‑RSC‑09 – Ongoing Secure Operation and Configuration Drift Awareness requires documentation addressing updates, changes, and evolving security posture.

Security best practices evolve over time. Customers and partners should review Archibus secure configuration guidance whenever making system changes, applying updates, or modifying authentication or infrastructure components.

This supports FedRAMP expectations for:

Continuous secure operation
Awareness of configuration drift
Periodic reassessment of security posture

Decommissioning and Secure Removal Considerations (FRR‑RSC‑10)

FRR‑RSC‑10 – Secure Decommissioning and Customer Offboarding requires providers to document security considerations for service termination.

When decommissioning an Archibus environment, customers should ensure:

User access is revoked at the IdP and application layers
Application servers and databases are securely decommissioned per organizational policy
Archived data, backups, and exports are handled according to regulatory retention and destruction requirements

Additional Archibus Security Resources

For more detailed information on specific security topics, refer to the following Archibus Knowledge Center resources:

Securing Web Central for Production Deployment – Core production hardening guidance for Web Central: Securing Web Central for Production Deployment
Security Overview – Application, hierarchical, and data-level security concepts: Security Overview
Introducing Archibus Application Security – Roles, users, and security groups: Introducing Archibus Application Security

Appendix A – Customer Responsibilities

This appendix summarizes customer responsibilities when deploying and operating Archibus in a production environment, consistent with FedRAMP Rev. 5 shared-responsibility expectations. While Archibus provides secure configuration guidance and security-capable features, customers are responsible for selecting, enabling, and maintaining configurations appropriate to their regulatory and risk requirements.