GetWell Anywhere Federal (GWAF)
1. Purpose
The purpose of this guide is to provide authorized customers and administrators with the information necessary to configure security-relevant, customer-manageable elements of GWAF.
GWAF is delivered as a GetWellNetwork-managed SaaS offering. The majority of infrastructure, platform, operating system, network and core service configurations are managed by GetWellNetwork (Get Well).
This guide is intended to support secure operation of the authorized GWAF offering within the FedRAMP authorization boundary.
2. Scope
This guide applies to all customer-accessible or administrator-accessible configuration settings within the FedRAMP-authorized GWAF SaaS environment, in the following areas:
- Internet access
- Role-based access assignment
- Export, download and data-sharing controls
3. Internet Access
If the customer has provided internet access in general for GWAF, access to the internet through the Inpatient component of GWAF can be controlled in the Inpatient Management Console. The following roles are allowed to block a patient’s device from accessing the internet: AccountManager, Patient Educator and CareGiver. Custom roles defined for a customer may also grant this permission. To toggle internet access for a patient:
- Log into the Inpatient Management Console.
- Navigate to the My Patients tab.
- Use Patient Search to find the patient to act upon.
- View Patient Profile for the selected patient.
- Select the “Internet Access” button to toggle internet access on/off.
4. Role-based Access Assignment
Get Well maintains a list of the currently available roles and their permissions. The list is provided to the customer, who allocates roles to their users through the customer authentication system, typically Active Directory. One or more of these roles are assigned to the GWAF users AD group. Once assignment is completed, the user has access to the GWAF system, limited to the roles assigned. The list of available roles can be requested from Get Well via our Support Team.
5. Export, Download and Data-sharing Controls
GWAF has options to download reports from various functions, but it does not control the browser. If the customer wants to prevent downloading of data or even screen captures, it is the customer’s responsibility to “lock down” the browser. Depending on the browsers used, please seek information on how to do this from the appropriate browser vendor.
6. Review and Maintenance
This Secure Configuration Guide shall be:
- Reviewed at least annually.
- Updated following significant changes to customer-configurable settings.
- Updated following material changes to the GWAF service model.
- Version-controlled and retained according to document management requirements.
The current approved version shall be made available to authorized customers and relevant administrators.
Last Update: May 1, 2026
7. References
This Secure Configuration Guide is informed by and aligned with the following:
- FedRAMP Rev 5 requirements
- NIST SP 800-53 Rev 5
- FedRAMP Secure Configuration Guide requirements