From 5d420a34e24522594194a442b0d66188a2e2955f Mon Sep 17 00:00:00 2001 From: Denise Pena Date: Fri, 17 Oct 2025 15:55:17 -0500 Subject: [PATCH 1/2] Added page for FedRAMP High In Process products --- .../docs/fundamentals/reference/fedramp.mdx | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 src/content/docs/fundamentals/reference/fedramp.mdx diff --git a/src/content/docs/fundamentals/reference/fedramp.mdx b/src/content/docs/fundamentals/reference/fedramp.mdx new file mode 100644 index 00000000000000..09ad770ccb58e5 --- /dev/null +++ b/src/content/docs/fundamentals/reference/fedramp.mdx 
@@ -0,0 +1,66 @@ +--- +pcx_content_type: reference +title: FedRAMP Status +--- + +## FedRAMP High "In-Process" + +The following products are are under FedRAMP High "In-Process" status. Any exceptions are denoted with a note or exception. + +- Zero Trust Network Access + - **Exception:** Browser-based SSH and VNC is not supported. + - **Exception:** Storing SSH logs on Cloudflare is not supported. +- Advanced Certificate Manager +- Cloudflare Aegis +- AI Crawl Control +- Analytics, aka Cloudflare Analytics +- API Shield +- Email Security +- Argo Smart Routing +- Bots, aka Bot Management +- Browser Isolation +- CDN Cache + - **Exception:** Smart Tiered Cache is not supported. +- Cache Reserve +- Cloudflare for SaaS +- Cloudflare Images +- Cloudflare Logs +- Cloudflare One +- Zero Trust Infrastructure Access +- Cloudflare Queues +- Cloudflare Spectrum +- Cloudflare Stream +- Cloudflare Tunnel +- Cloudflare Turnstile +- Cloudflare WARP client + - **Exception:** Directly route Microsoft 365 traffic is not supported. + - **Note:** Users will need to exempt a new of of IPs in their firewall. +- Cloudflare Workers +- Cloudflare Workers KV +- Cloudflare Zero Trust + - **Note:** Third-party integrations will appear in the FedRAMP Zero Trust dashboard, but users will need to indpendently verify their integrations are FedRAMP High compliant. +- CASB, aka Cloud Access Security Broker +- Customer Metadata Boundary +- Data Loss Prevention (DLP) +- Data Localization Suite +- DDoS Protection +- DNS +- Cloudflare Durable Objects +- Cloudflare Gateway +- Hyperdrive +- Load Balancing + - **Exception:** Geo-steering is not supported. Only "FedRAMP High" and "FedRAMP High – All Datacenters" are supported as options for health monitoring regions. 
+- Magic Firewall +- Magic Network Monitoring +- Magic Transit +- Magic WAN +- Network Interconnect +- Page Shield +- R2 Object Storage +- Rate Limiting +- SSL/TLS +- Tiered Cache +- Video Stream Delivery +- WAF +- Waiting Room +- Web Analytics \ No newline at end of file From f98c31974f5ae0d141945b0d491c8c5ae5ade5a7 Mon Sep 17 00:00:00 2001 From: Denise Pena Date: Wed, 12 Nov 2025 15:44:25 -0600 Subject: [PATCH 2/2] Implementing feedback --- .../docs/fundamentals/reference/fedramp.mdx | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/src/content/docs/fundamentals/reference/fedramp.mdx b/src/content/docs/fundamentals/reference/fedramp.mdx index 09ad770ccb58e5..5d513a378a1260 100644 --- a/src/content/docs/fundamentals/reference/fedramp.mdx +++ b/src/content/docs/fundamentals/reference/fedramp.mdx @@ -20,7 +20,6 @@ The following products are are under FedRAMP High "In-Process" status. Any excep - Bots, aka Bot Management - Browser Isolation - CDN Cache - - **Exception:** Smart Tiered Cache is not supported. - Cache Reserve - Cloudflare for SaaS - Cloudflare Images 
@@ -29,21 +28,23 @@ The following products are are under FedRAMP High "In-Process" status. Any excep - Zero Trust Infrastructure Access - Cloudflare Queues - Cloudflare Spectrum + - **Exception:** BYOIP (Bring Your Own IP) service bindings and related CDN configurations are not supported; customers must use Spectrum HTTP/HTTPS applications to route FedRAMP traffic via the CDN. - Cloudflare Stream - Cloudflare Tunnel - Cloudflare Turnstile - Cloudflare WARP client - - **Exception:** Directly route Microsoft 365 traffic is not supported. - - **Note:** Users will need to exempt a new of of IPs in their firewall. + - **Exception:** When using the [Directly route Microsoft 365 traffic](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#directly-route-microsoft-365-traffic) feature, customers must independently verify that the excluded IPs are FedRAMP Authorized. + - **Note:** Customers will need to exempt a new set of IPs in their firewall. Refer to the FedRAMP High requirements listed in the [WARP with firewall](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall/) documentation. - Cloudflare Workers - Cloudflare Workers KV - Cloudflare Zero Trust - - **Note:** Third-party integrations will appear in the FedRAMP Zero Trust dashboard, but users will need to indpendently verify their integrations are FedRAMP High compliant. + - **Note:** Third-party integrations will appear in the Cloudflare One dashboard, but users will need to indpendently verify their integrations are FedRAMP High compliant. - CASB, aka Cloud Access Security Broker - Customer Metadata Boundary - Data Loss Prevention (DLP) - Data Localization Suite - DDoS Protection + - **Exception:** Adaptive rules from HTTP and Network-layer DDoS Protection Managed Ruleset are not supported. - DNS - Cloudflare Durable Objects - Cloudflare Gateway 
@@ -60,7 +61,17 @@ The following products are are under FedRAMP High "In-Process" status. Any excep - Rate Limiting - SSL/TLS - Tiered Cache + - **Exception:** Smart Tiered Cache is not supported. - Video Stream Delivery - WAF + - **Exception:** Only the following WAF components are under FedRAMP High "In-Process" status: + - Malicious uploads detection + - Leaked credentials detection + - The following managed rulesets: + - Cloudflare Managed Ruleset + - Sensitive Data Detection + - OWASP Core Ruleset + - Free Managed Ruleset - Waiting Room + - **Exception:** Custom hostnames are not supported by FedRAMP High. - Web Analytics \ No newline at end of file
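Review bot: In PATCH 1/2, the intro sentence under the `## FedRAMP High "In-Process"` heading has a doubled word ("The following products are are under"), and PATCH 2/2 does not fix it: the same text still appears in its hunk headers. Suggest "The following products are under FedRAMP High "In-Process" status." The sentence after it, "Any exceptions are denoted with a note or exception", is circular; something like "Limitations are listed under each product as an Exception or a Note" says what the reader needs. The list is neither alphabetical nor grouped, and similarly named entries (Cloudflare One, Cloudflare Zero Trust, Zero Trust Network Access, Zero Trust Infrastructure Access) sit far apart, which makes it hard to confirm whether a given product is in scope; sorting the list or adding a line explaining the order would help.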
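Review bot: In PATCH 2/2, hunk `@@ -29,21 +28,23 @@`, the rewritten Cloudflare Zero Trust note still carries the typo "indpendently", while the new WARP line in the same hunk spells "independently" correctly. The hunk also mixes "customers" (Spectrum, WARP) with "users" (Zero Trust note), and "FedRAMP Authorized" with "FedRAMP High compliant"; use one term for each so readers do not infer two different requirements. The WARP "Directly route Microsoft 365 traffic" item now describes something the customer must verify rather than a feature that is not supported, so labelling it **Note:** would match how **Exception:** is used in the rest of the list.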
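Review bot: In PATCH 2/2, hunk `@@ -60,7 +61,17 @@`, the WAF entry is labelled **Exception:** but is an inclusion list ("Only the following WAF components are under FedRAMP High "In-Process" status"), whereas every other exception names what is not supported. Either name the WAF components that are out of scope, or drop the label and introduce the list as the in-scope components. The Waiting Room line says custom hostnames are "not supported by FedRAMP High", while the other exceptions say "is not supported"; align the wording. The file still ends with "\ No newline at end of file", as it did in PATCH 1/2; add a trailing newline.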