FRR-RSC-01 - Top-Level Administrative Accounts Guidance
Requirements: Providers MUST create and maintain guidance that includes instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering. Note: This guidance should explain how top-level administrative accounts are named and referred to in the cloud service offering.
CSP Supported: Yes
CSP Secure Configuration guidance: Top-level administrative accounts are referred to as Administrators or IT Administrators.
◦ Access: Administrators access the Admin Portal by navigating to WXP Collaboration and selecting Admin Portal from the blue navigation button in the web application.
◦ Operation: Administrators manage account settings and configure infrastructure integrations.
◦ Decommissioning: Administrators must maintain the accuracy of access lists by removing or updating outdated contacts and users when roles change.
FRR-RSC-02 - Top-Level Administrative Accounts Security Settings Guidance
Requirements: Providers MUST create and maintain guidance that explains security-related settings that can be operated only by top-level administrative accounts and their security implications.
Applies to: Low, Moderate, High
CSP Supported: Yes
CSP Secure Configuration guidance: Critical security and operational configurations are restricted to Administrators:
◦ Adding Endpoints: IT Administrators are responsible for manually adding endpoints that are not automatically discovered or are managed via the cloud.
◦ Adding Infrastructure: Only administrators have the privileges to integrate and enable data collection for infrastructure (such as CUCM or Zoom); this process includes using the Validate function to ensure integrations are error-free.
◦ SSO Configuration: Only administrators can configure SAML 2.0 settings, including mapping group memberships for role assignments and providing the Identity Provider (IdP) details.
◦ Security Contacts: Administrators designate Security Contacts who receive notifications if a security issue is detected with the account or during emergency patches.
FRR-RSC-03 - Privileged Accounts Security Settings Guidance
Requirements: Providers SHOULD create and maintain guidance that explains security-related settings that can be operated only by privileged accounts and their security implications.
Applies to: Low, Moderate, High
CSP Supported: Yes
CSP Secure Configuration guidance: Privileged accounts (Administrator roles) maintain exclusive control over:
◦ Dashboard Management: Administrators have the unique ability to copy dashboards from one user to another within the same organization.
◦ Monitoring Groups: Privileged users create and manage Monitoring Groups to segment endpoints, which requires assigning a service account to enable live status monitoring.
◦ Collector Access: To download the Data Collector installer or generate a new vyoptacollector.xml configuration file, a user must have Administrator access to the Tech Insights Suite.
FRR-RSC-04 - Secure Defaults on Provisioning
Requirements: Providers SHOULD set all settings to their recommended secure defaults for top-level administrative accounts and privileged accounts when initially provisioned.
Applies to: Low, Moderate, High
CSP Supported: Yes
CSP Secure Configuration guidance: WXP Collaboration employs secure defaults during provisioning:
◦ Default Role: New users are automatically assigned to the User Group Mapping role (Viewer or reader-only) unless otherwise specified via SSO attributes.
◦ Report Defaults: When creating reports, the system defaults to Excel and Report Link as the standard selected export options.
◦ Infrastructure Access: For monitoring, it is recommended to use a dedicated service account (e.g., wxpc_svc) with restricted Read-Only or CTI Enabled permissions rather than a standard user account.
FRR-RSC-05 - Comparison Capability
Requirements: Providers SHOULD offer the capability to compare all current settings for top-level administrative accounts and privileged accounts to the recommended secure defaults.
Applies to: Low, Moderate, High
CSP Supported: No
CSP Secure Configuration guidance: WXP Collaboration does not currently offer a native tool to perform an automated comparison of administrative settings against recommended secure defaults. This capability is not currently supported and is not included on the present product roadmap. To ensure alignment with secure defaults, administrators are encouraged to manually audit their configurations (such as SSO mappings and user roles) against the guidance provided in this document.
FRR-RSC-06 - Export Capability
Requirements: Providers SHOULD offer the capability to export all security settings in a machine-readable format.
Applies to: Low, Moderate, High
CSP Supported: No
CSP Secure Configuration guidance: The platform facilitates the export of extensive endpoint inventory—including serial numbers, IP addresses, and known vulnerabilities—as well as recurring reports in CSV and Excel formats. However, a dedicated machine-readable export of all account-level security settings is not supported at this time and is not on the current product roadmap.
FRR-RSC-07 - API Capability
Requirements: Providers SHOULD offer the capability to view and adjust security settings via an API or similar capability.
Applies to: Low, Moderate, High
CSP Supported: No
CSP Secure Configuration guidance: WXP Collaboration provides a Query Service API (Assurance API) primarily designed for viewing system data and collaboration insights. While this API uses OpenID for secure authentication, the ability to adjust security settings through an API interface is not a supported feature and is not currently on the product roadmap.
FRR-RSC-08 - Machine-Readable Guidance
Requirements: Providers SHOULD provide recommended secure configuration guidance in a machine-readable format that can be used by customers or third-party tools to compare against current settings.
Applies to: Low, Moderate, High
CSP Supported: Yes
CSP Secure Configuration guidance: This 10-item secure configuration document is supported by machine-readable documentation standards. HP aligns with FedRAMP reporting requirements that utilize JSON structures for security indicators and authorization data. Additionally, the platform supports real-time JSON payloads via webhooks to post alert notifications to external URLs for automated remediation.
Machine-readable guidance:
{
"CSP": "Workforce Experience Platform Collaboration",
"PackageID": "FR2017459185",
"Document": "Recommended Secure Configuration",
"Version": "1.0",
"Updated": "2026-02-14T00:25:47.631Z",
"Records": [
{
"RSC_Number": "FRR-RSC-01",
"RSC_Name": "Top-Level Administrative Accounts Guidance",
"RSC_Description": "Requirements: Providers MUST create and maintain guidance that includes instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering.\n\nNote: This guidance should explain how top-level administrative accounts are named and referred to in the cloud service offering.\n\nApplies to: Low, Moderate, High",
"CSP_Supported": "Yes",
"WXPC_Guidance_Documentation": "CSP Secure Configuration guidance: Top-level administrative accounts are referred to as Administrators or IT Administrators.\n ◦ Access: Administrators access the Admin Portal by navigating to WXP Collaboration and selecting Admin Portal from the blue navigation button in the web application.\n ◦ Operation: Administrators manage account settings and configure infrastructure integrations.\n ◦ Decommissioning: Administrators must maintain the accuracy of access lists by removing or updating outdated contacts and users when roles change."
},
{
"RSC_Number": "FRR-RSC-02",
"RSC_Name": "Top-Level Administrative Accounts Security Settings Guidance",
"RSC_Description": "Requirements: Providers MUST create and maintain guidance that explains security-related settings that can be operated only by top-level administrative accounts and their security implications.\n\nApplies to: Low, Moderate, High",
"CSP_Supported": "Yes",
"WXPC_Guidance_Documentation": "CSP Secure Configuration guidance: Critical security and operational configurations are restricted to Administrators:\n ◦ Adding Endpoints: IT Administrators are responsible for manually adding endpoints that are not automatically discovered or are managed via the cloud.\n ◦ Adding Infrastructure: Only administrators have the privileges to integrate and enable data collection for infrastructure (such as CUCM or Zoom); this process includes using the Validate function to ensure integrations are error-free.\n ◦ SSO Configuration: Only administrators can configure SAML 2.0 settings, including mapping group memberships for role assignments and providing the Identity Provider (IdP) details.\n ◦ Security Contacts: Administrators designate Security Contacts who receive notifications if a security issue is detected with the account or during emergency patches."
},
{
"RSC_Number": "FRR-RSC-03",
"RSC_Name": "Privileged Accounts Security Settings Guidance",
"RSC_Description": "Requirements: Providers SHOULD create and maintain guidance that explains security-related settings that can be operated only by privileged accounts and their security implications.\n\nApplies to: Low, Moderate, High",
"CSP_Supported": "Yes",
"WXPC_Guidance_Documentation": "CSP Secure Configuration guidance: Privileged accounts (Administrator roles) maintain exclusive control over:\n ◦ Dashboard Management: Administrators have the unique ability to copy dashboards from one user to another within the same organization.\n ◦ Monitoring Groups: Privileged users create and manage Monitoring Groups to segment endpoints, which requires assigning a service account to enable live status monitoring.\n ◦ Collector Access: To download the Data Collector installer or generate a new vyoptacollector.xml configuration file, a user must have Administrator access to the Tech Insights Suite."
},
{
"RSC_Number": "FRR-RSC-04",
"RSC_Name": "Secure Defaults on Provisioning",
"RSC_Description": "Requirements: Providers SHOULD set all settings to their recommended secure defaults for top-level administrative accounts and privileged accounts when initially provisioned.\n\nApplies to: Low, Moderate, High",
"CSP_Supported": "Yes",
"WXPC_Guidance_Documentation": "CSP Secure Configuration guidance: WXP Collaboration employs secure defaults during provisioning:\n ◦ Default Role: New users are automatically assigned to the User Group Mapping role (Viewer or reader-only) unless otherwise specified via SSO attributes.\n ◦ Report Defaults: When creating reports, the system defaults to Excel and Report Link as the standard selected export options.\n ◦ Infrastructure Access: For monitoring, it is recommended to use a dedicated service account (e.g., wxpc_svc) with restricted Read-Only or CTI Enabled permissions rather than a standard user account."
},
{
"RSC_Number": "FRR-RSC-05",
"RSC_Name": "Comparison Capability",
"RSC_Description": "Requirements: Providers SHOULD offer the capability to compare all current settings for top-level administrative accounts and privileged accounts to the recommended secure defaults.\n\nApplies to: Low, Moderate, High",
"CSP_Supported": "No",
"WXPC_Guidance_Documentation": "CSP Secure Configuration guidance: WXP Collaboration does not currently offer a native tool to perform an automated comparison of administrative settings against recommended secure defaults. This capability is not currently supported and is not included on the present product roadmap. To ensure alignment with secure defaults, administrators are encouraged to manually audit their configurations (such as SSO mappings and user roles) against the guidance provided in this document."
},
{
"RSC_Number": "FRR-RSC-06",
"RSC_Name": "Export Capability",
"RSC_Description": "Requirements: Providers SHOULD offer the capability to export all security settings in a machine-readable format.\n\nApplies to: Low, Moderate, High",
"CSP_Supported": "No",
"WXPC_Guidance_Documentation": "CSP Secure Configuration guidance: The platform facilitates the export of extensive endpoint inventory—including serial numbers, IP addresses, and known vulnerabilities—as well as recurring reports in CSV and Excel formats. However, a dedicated machine-readable export of all account-level security settings is not supported at this time and is not on the current product roadmap."
},
{
"RSC_Number": "FRR-RSC-07",
"RSC_Name": "API Capability",
"RSC_Description": "Requirements: Providers SHOULD offer the capability to view and adjust security settings via an API or similar capability.\n\nApplies to: Low, Moderate, High",
"CSP_Supported": "No",
"WXPC_Guidance_Documentation": "CSP Secure Configuration guidance: WXP Collaboration provides a Query Service API (Assurance API) primarily designed for viewing system data and collaboration insights. While this API uses OpenID for secure authentication, the ability to adjust security settings through an API interface is not a supported feature and is not currently on the product roadmap."
},
{
"RSC_Number": "FRR-RSC-08",
"RSC_Name": "Machine-Readable Guidance",
"RSC_Description": "Requirements: Providers SHOULD provide recommended secure configuration guidance in a machine-readable format that can be used by customers or third-party tools to compare against current settings.\n\nApplies to: Low, Moderate, High",
"CSP_Supported": "Yes",
"WXPC_Guidance_Documentation": "CSP Secure Configuration guidance: This 10-item secure configuration document is supported by machine-readable documentation standards. HP aligns with FedRAMP reporting requirements that utilize JSON structures for security indicators and authorization data. Additionally, the platform supports real-time JSON payloads via webhooks to post alert notifications to external URLs for automated remediation.\n ◦ https://learn.workforceexperience.hp.com/docs/wxp-collaboration-fedramp-recommended-secure-configuration"
},
{
"RSC_Number": "FRR-RSC-09",
"RSC_Name": "Publish Guidance",
"RSC_Description": "Requirements: Providers SHOULD make recommended secure configuration guidance available publicly.\n\nApplies to: Low, Moderate, High",
"CSP_Supported": "Yes",
"WXPC_Guidance_Documentation": "CSP Secure Configuration guidance: This 10-item secure configuration document is maintained within the HP WXP Collaboration Knowledge Base. It is accessible to administrators and provides comprehensive, step-by-step guidance for managing contacts, configuring SSO, and deploying secure collectors."
},
{
"RSC_Number": "FRR-RSC-10",
"RSC_Name": "Versioning and Release History",
"RSC_Description": "Requirements: Providers SHOULD provide versioning and a release history for recommended secure default settings for top-level administrative accounts and privileged accounts as they are adjusted over time.\n\nApplies to: Low, Moderate, High",
"CSP_Supported": "Yes",
"WXPC_Guidance_Documentation": "CSP Secure Configuration guidance: The platform maintains transparency for settings related to Administrators and privileged accounts:\n ◦ Document History: This secure configuration guidance follows a versioned history to track material changes to security recommendations.\n ◦ Data Collector Lifecycle: A dedicated Lifecycle article tracks every version of the Data Collector, identifying those that have reached End of Life (EOL) to ensure privileged users are running supported versions.\n ◦ https://learn.workforceexperience.hp.com/wxp/docs/the-wxp-collaboration-data-collector-support-lifecycle"
}
]
}
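Because the platform offers no comparison tool (FRR-RSC-05) and no settings export (FRR-RSC-06), a customer can at least turn the JSON above into a manual-review checklist. The following is an added example, not HP's or FedRAMP's code: it validates the record structure and lists the capabilities marked "CSP_Supported": "No". The function names and the shortened sample records are assumptions constructed for illustration; the keys match the JSON above.

```python
import json
import re

REQUIRED = ("RSC_Number", "RSC_Name", "RSC_Description",
            "CSP_Supported", "WXPC_Guidance_Documentation")

def _rec(num, name, level, supported):
    # Constructed record: same keys as the page's JSON, text shortened.
    return {"RSC_Number": num, "RSC_Name": name,
            "RSC_Description": f"Requirements: Providers {level} ...",
            "CSP_Supported": supported,
            "WXPC_Guidance_Documentation": "CSP Secure Configuration guidance: ..."}

SAMPLE = json.dumps({
    "CSP": "Workforce Experience Platform Collaboration",
    "Version": "1.0",
    "Records": [
        _rec("FRR-RSC-01", "Top-Level Administrative Accounts Guidance", "MUST", "Yes"),
        _rec("FRR-RSC-05", "Comparison Capability", "SHOULD", "No"),
        _rec("FRR-RSC-06", "Export Capability", "SHOULD", "No"),
    ],
})

def load_records(text):
    """Parse the guidance JSON and reject structurally broken input."""
    records = json.loads(text).get("Records")
    if not isinstance(records, list) or not records:
        raise ValueError("guidance has no Records array")
    seen = set()
    for i, rec in enumerate(records):
        missing = [k for k in REQUIRED if not rec.get(k)]
        if missing:
            raise ValueError(f"record {i}: missing {missing}")
        if rec["CSP_Supported"] not in ("Yes", "No"):
            raise ValueError(f"{rec['RSC_Number']}: bad CSP_Supported value")
        if rec["RSC_Number"] in seen:
            raise ValueError(f"{rec['RSC_Number']}: duplicate record")
        seen.add(rec["RSC_Number"])
    return records

def manual_audit_items(text):
    """List (number, level, name) for every capability marked unsupported."""
    items = []
    for rec in load_records(text):
        if rec["CSP_Supported"] == "No":
            m = re.search(r"Providers (MUST|SHOULD)", rec["RSC_Description"])
            items.append((rec["RSC_Number"], m.group(1) if m else "UNKNOWN", rec["RSC_Name"]))
    return items

if __name__ == "__main__":
    for number, level, name in manual_audit_items(SAMPLE):
        print(f"{number} [{level}] {name}: not provided by the platform, review manually")
```

Run against the full JSON above, the same function would also list FRR-RSC-07, which is likewise marked "No".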
FRR-RSC-09 - Publish Guidance
Requirements: Providers SHOULD make recommended secure configuration guidance available publicly.
Applies to: Low, Moderate, High
CSP Supported: Yes
CSP Secure Configuration guidance: This 10-item secure configuration document is maintained within the HP WXP Collaboration Knowledge Base. It is accessible to administrators and provides comprehensive, step-by-step guidance for managing contacts, configuring SSO, and deploying secure collectors.
FRR-RSC-10 - Versioning and Release History
Requirements: Providers SHOULD provide versioning and a release history for recommended secure default settings for top-level administrative accounts and privileged accounts as they are adjusted over time.
Applies to: Low, Moderate, High
CSP Supported: Yes
CSP Secure Configuration guidance: The platform maintains transparency for settings related to Administrators and privileged accounts:
◦ Document History: This secure configuration guidance follows a versioned history to track material changes to security recommendations.
◦ Data Collector Lifecycle: A dedicated Lifecycle article tracks every version of the Data Collector, identifying those that have reached End of Life (EOL) to ensure privileged users are running supported versions.
Revision History
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0 | 2026-02-13 | WXP Operations | Initial draft |