FedRAMP Moderate compliance controls

FedRAMP Moderate compliance controls provide enhancements that help you with FedRAMP Moderate compliance for your workspace. For FedRAMP High compliance, see Databricks on AWS GovCloud (FedRAMP High).

FedRAMP Moderate compliance controls require enabling the compliance security profile, which adds monitoring agents, enforces instance types for inter-node encryption, provides a hardened compute image, and other features. For technical details, see Compliance security profile. It is your responsibility to confirm that each affected workspace has the compliance security profile enabled and confirm that FedRAMP is added as a compliance program.

important

• Databricks is a FedRAMP® Authorized Cloud Service Offering (CSO) at the moderate impact level in the AWS US East-1 and US West-2 (commercial) regions.
• US Government agencies can access the Databricks on AWS FedRAMP® package on OMB Max by submitting a Package Access Request Form and submitting it to package-access@fedramp.gov.
• Additional information regarding Databricks and FedRAMP® compliance is located on the Databricks Security and Trust Center.

Which compute resources get enhanced security

The compliance security profile enhancements apply to compute resources in the classic compute plane in the us-east-1, us-west-2 regions.

FedRAMP Moderate supports serverless SQL Warehouses, serverless compute for notebooks and workflows, and serverless DLT pipelines in us-east-1 and us-west-2. See Compliance security profile compliance standards with serverless compute availability.

Requirements

• Your Databricks account must include the Enhanced Security and Compliance add-on. For details, see the pricing page.

• Your workspace is on the Enterprise tier.

• Your workspace is deployed in AWS region US East-1 and US West-2.

• Single sign-on (SSO) authentication is configured for the workspace.

• Your workspace enables the compliance security profile and adds the FedRAMP compliance standard as part of the compliance security profile configuration.

• You must use the following VM instance types:

  • General purpose: M-fleet, Md-fleet, M5dn, M5n, M5zn, M6i, M7i, M6id, M6in, M6idn
  • Compute optimized: C-fleet, C5a, C5ad, C5n, C6i, C6id, C7i, C6in
  • Memory optimized: R-fleet, Rd-fleet, R6i, R7i, R7iz, R6id, R6in, R6idn
  • Storage optimized: D3, D3en, P3dn, R5dn, R5n, I4i, I3en
  • Accelerated computing: G4dn, G5, P4d, P4de, P5

• Ensure that sensitive information is never entered in customer-defined input fields, such as workspace names, cluster names, and job names.

Enable FedRAMP Moderate compliance controls

To configure your workspace to support processing of data regulated by the FedRAMP standard, enable the compliance security profile and add the FedRAMP compliance standard. You can for this for all workspaces or only on some workspaces.

• To enable the compliance security profile and add the FedRAMP compliance standard for an existing workspace, see Enable enhanced security and compliance features on an existing workspace.
• To set an account-level setting to enable the compliance security profile and FedRAMP for new workspaces, see Set account-level defaults for all new workspaces.

important

• Enabling a compliance standard for a workspace is permanent.
• You are solely responsible for ensuring your own compliance with all applicable laws and regulations.

Does Databricks permit processing data protected by FedRAMP Moderate?

Yes, if you comply with the requirements, enable the compliance security profile, and add the FedRAMP compliance standard as part of the compliance security profile configuration.

Preview features that are supported for processing data protected by FedRAMP Moderate

The following preview features are supported for processing data protected by FedRAMP Moderate:

Public Preview:

• Workspace-level SCIM provisioning

  Workspace-level SCIM provisioning is a legacy feature. Databricks recommends using account-level SCIM provisioning instead.

• Secret paths in environment variables

• System tables that are in Public Preview

• Unity Catalog-enabled DLT pipelines

• Mosaic AI Gateway

• ServiceNow LakeFlow Connect connector

• User-defined functions in Unity Catalog

• Disable access to the Hive metastore

• High memory for serverless compute notebook tasks

• Dashboards in Git folder

• Anomaly detection

• Serverless egress control

• IAM credential passthrough

  Credential passthrough is deprecated starting with Databricks Runtime 15.0 and will be removed in future Databricks Runtime versions. Databricks recommends that you upgrade to Unity Catalog. Unity Catalog simplifies security and governance of your data by providing a central place to administer and audit data access across multiple workspaces in your account. See What is Unity Catalog?.

Private Preview:

• DLT Hive metastore to Unity Catalog clone API
• Tag policies
• DBFS disablement
• Unity Catalog attribute-based access control (ABAC)
• Document parsing

• Default Storage