
Supporting Federal customers on commercial instances and the need for GCC

Rob Rosen
Tera Contributor

Good morning.  As we embark on hosting federal customers/data in our instances, we have been pointed toward ServiceNow's GovCommunityCloud (GCC), a FedRAMP High-compliant environment, and are trying to get our arms around what it would mean to support two separate sets of instances as well as the rules and regulations around this GCC environment.

I was wondering if anyone that supports federal customers has been using a commercial instance for multitenancy for this rather than a separate set of instances just for those federal customers.  If using multitenancy, what did you have to do/change to your commercial instances to remain FedRAMP High compliant?  

Thank you in advance for any information you can share.


Allen Andreas
Administrator

Hi,

You may want to discuss this directly with ServiceNow, as the requirements and such can/will change. FedRAMP High instances, for example, are hosted on a separate server altogether, so your stack would have to be moved. Additionally, there are other guidelines, like hardening and other security checks, that have to be done (all through SN).

You can get right to that information by submitting a case to SN and discussing with your SN Account Exec.

Please mark reply as Helpful/Correct, if applicable. Thanks!


Thank you, Allen.  We have been discussing this with ServiceNow to better understand that environment and what it would mean to support it.  We were wondering if any companies have chosen not to go that route, still remain compliant, and what changes were needed to support that model.  

John Dahl
Tera Guru

When you enter into a contract with the Federal government, there are certain requirements you are agreeing to meet (they have LOTS of documents explaining them). If the contract only specifies FedRAMP compliance, then you may have some flexibility that still meets the baseline requirements. If the contract stipulates that you use ServiceNow's FedRAMP environment, I would weigh that requirement accordingly.

Generally speaking, when you host your own system, you are fully responsible for compliance with those requirements. When you outsource some or all of those systems or services to an external provider, you are outsourcing the work, but not the responsibility.

It really comes down to the specific contract and your organization's tolerance for risk. You might be required to use a FedRAMP environment for one system and have some flexibility for others.

toneyvecchio1
Tera Expert

Speak to your SN rep for the full answers, but I'll say a few things about GCC:

  • US citizen requirement for users with the admin role, non-prod and prod, so some limits on your follow-the-sun support models.
  • 12 TB limit due to self-encrypting hard drives could be a concern if you look at your current. Database shards help manage instances over that size but come at operational costs.
  • I don't have experience with using both, but our SN Arch strongly suggested we don't try to tightly integrate both like we might with 2 commercial instances. I know a peer who has both and they "double deploy code" up the stack.
  • Would be interested in how a hub-spoke topology for core data might work across GCC; at the end of the day the API endpoints are still exposed between commercial and GCC, but I think there isn't official support for syncing them together.