{ "component-definition": { "uuid": "9d556e28-167f-4fa0-aaba-8acc185dc9ab", "metadata": { "title": "FedRAMP Secure Configuration Guide - GetWell Anywhere Federal (GWAF)", "published": "2026-05-01T00:00:00Z", "last-modified": "2026-05-01T15:02:15Z", "version": "1.0.0", "oscal-version": "1.1.2", "remarks": "This OSCAL representation was derived from the attached FedRAMP Secure Configuration Guide for GetWell Anywhere Federal (GWAF). OSCAL does not have a dedicated Secure Configuration Guide model, so this file uses an OSCAL component-definition as the closest fit.", "props": [ { "name": "source-document", "value": "FedRAMP Secure Configuration Guide.docx" }, { "name": "document-type", "value": "Secure Configuration Guide" }, { "name": "service-model", "value": "SaaS" }, { "name": "authorization-scope", "value": "FedRAMP-authorized GWAF SaaS environment" } ], "roles": [ { "id": "provider", "title": "Service Provider" }, { "id": "customer-admin", "title": "Customer Administrator" }, { "id": "authorized-customer", "title": "Authorized Customer" }, { "id": "support-team", "title": "Support Team" } ], "parties": [ { "uuid": "1a79481f-d26b-42d0-9f00-b477fb5cc48c", "type": "organization", "name": "GetWellNetwork", "short-name": "Get Well" } ], "links": [ { "href": "https://www.fedramp.gov/", "rel": "reference" }, { "href": "https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final", "rel": "reference" } ] }, "components": [ { "uuid": "acb92887-123e-418c-8e39-59aa35068fb7", "type": "service", "title": "GetWell Anywhere Federal (GWAF)", "description": "GWAF is delivered as a GetWellNetwork-managed SaaS offering. The majority of infrastructure, platform, operating system, network, and core service configurations are managed by GetWellNetwork. This OSCAL file captures customer-manageable, security-relevant configuration guidance.", "props": [ { "name": "deployment-model", "value": "SaaS" }, { "name": "service-name", "value": "GetWell Anywhere Federal" }, { "name": "service-short-name", "value": "GWAF" }, { "name": "last-update", "value": "2026-05-01" } ], "responsible-roles": [ { "role-id": "provider" }, { "role-id": "customer-admin" } ], "remarks": "This guide applies to all customer-accessible or administrator-accessible configuration settings within the FedRAMP-authorized GWAF SaaS environment.", "control-implementations": [ { "uuid": "12b766f4-03d5-4913-b056-851aef2c5b8f", "source": "https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final", "description": "Customer-manageable secure configuration guidance derived from the GWAF FedRAMP Secure Configuration Guide.", "implemented-requirements": [ { "uuid": "cce8eca8-cf93-4bc3-8cba-dbee21c6d0f8", "control-id": "SCG-GWAF-01", "description": "Internet Access", "statements": [ { "statement-id": "SCG-GWAF-01_smt", "description": "Access to the internet through the Inpatient component of GWAF can be controlled in the Inpatient Management Console, if the customer has provided internet access in general for GWAF.", "remarks": "The following roles are allowed to block a patient's device from accessing the internet: AccountManager, Patient Educator, and CareGiver. There may be custom roles defined for a customer that also grant this permission. Steps: log into the Inpatient Management Console; navigate to the My Patients tab; search for the patient; view the Patient Profile; select the Internet Access button to toggle access on or off." } ], "props": [ { "name": "configuration-area", "value": "internet-access" }, { "name": "customer-manageable", "value": "yes" }, { "name": "interface", "value": "Inpatient Management Console" } ] }, { "uuid": "03d35466-5ee7-4fbd-ae89-390ee2bf115d", "control-id": "SCG-GWAF-02", "description": "Role-Based Access Assignment", "statements": [ { "statement-id": "SCG-GWAF-02_smt", "description": "Get Well maintains a list of currently available roles and permissions and provides them to the customer to allocate to their users via the customer authentication system, typically Active Directory.", "remarks": "These roles are assigned, one or more, to the GWAF users Active Directory group. Once assignment is completed, the user has access to GWAF limited to the roles assigned. Available roles can be requested from Get Well via the Support Team." } ], "props": [ { "name": "configuration-area", "value": "rbac" }, { "name": "customer-manageable", "value": "yes" }, { "name": "identity-source", "value": "Customer authentication system / Active Directory" } ] }, { "uuid": "14bf46d6-8ece-4b23-9e13-f505b7c1ef0a", "control-id": "SCG-GWAF-03", "description": "Export, Download, and Data-Sharing Controls", "statements": [ { "statement-id": "SCG-GWAF-03_smt", "description": "GWAF includes options to download reports from various functions, but GWAF does not control the browser. Browser lockdown for downloading data or taking screen captures is the responsibility of the customer.", "remarks": "Depending on the browsers used, customers should consult the appropriate browser vendor for secure configuration guidance." } ], "props": [ { "name": "configuration-area", "value": "data-export-and-sharing" }, { "name": "customer-manageable", "value": "shared" }, { "name": "customer-responsibility", "value": "browser hardening / endpoint controls" } ] }, { "uuid": "31e9be47-fbcb-49ce-ab5b-a302db4d2b4d", "control-id": "SCG-GWAF-04", "description": "Review and Maintenance", "statements": [ { "statement-id": "SCG-GWAF-04_smt", "description": "The Secure Configuration Guide shall be reviewed at least annually, updated following significant changes to customer-configurable settings, updated following material changes to the GWAF service model, and version-controlled and retained according to document management requirements.", "remarks": "The current approved version shall be made available to authorized customers and relevant administrators." } ], "props": [ { "name": "configuration-area", "value": "document-maintenance" }, { "name": "customer-manageable", "value": "no" } ] } ] } ] } ], "back-matter": { "resources": [ { "uuid": "246abe75-b0d5-4cc2-a376-02245855a889", "title": "FedRAMP Rev. 5 requirements", "document-ids": [ { "scheme": "URL", "identifier": "https://www.fedramp.gov/" } ], "rlinks": [ { "href": "https://www.fedramp.gov/" } ] }, { "uuid": "86a5fbd4-9c40-4255-ad0d-a3f191513d62", "title": "NIST SP 800-53 Rev. 5", "document-ids": [ { "scheme": "URL", "identifier": "https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final" } ], "rlinks": [ { "href": "https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final" } ] } ] } } }