{
  "instructions_versioning": {
    "format": "rows",
    "rows": [
      [
        "Source Document (Preamble)",
        null,
        null,
        null
      ],
      [
        "Provider",
        "Trenchant Analytics",
        null,
        null
      ],
      [
        "System / Offering",
        "AI for Federal Acquisition (ACQBOT)",
        null,
        null
      ],
      [
        "Document Version",
        "1.0",
        null,
        null
      ],
      [
        "Publication Date",
        "2026-02-09",
        null,
        null
      ],
      [
        "Public URL",
        "https://abforum.usgovvirginia.cloudapp.usgovcloudapi.net/",
        null,
        null
      ],
      [
        "Contact",
        "securitycompliance@tacgov.com",
        null,
        null
      ],
      [
        "Document Control",
        null,
        null,
        null
      ],
      [
        "Provider legal name",
        "Trenchant Analytics",
        null,
        null
      ],
      [
        "Service offering / system name",
        "AI for Federal Acquisition (ACQBOT)",
        null,
        null
      ],
      [
        "Service category",
        "SaaS",
        null,
        null
      ],
      [
        "Primary hosting / deployment model",
        "Federal Community Cloud",
        null,
        null
      ],
      [
        "Applicable compliance programs",
        "FedRAMP Rev5",
        null,
        null
      ],
      [
        "Customer audience",
        "Agency Administrators",
        null,
        null
      ],
      [
        "Document owner",
        "Joshua Krueger Principal Information Security Engineer",
        null,
        null
      ],
      [
        "Support / security contact",
        "securitycompliance@tacgov.com",
        null,
        null
      ],
      [
        "Public documentation URL",
        "https://abforum.usgovvirginia.cloudapp.usgovcloudapi.net/",
        null,
        null
      ],
      [
        "Machine-readable guidance URL",
        "https://abforum.usgovvirginia.cloudapp.usgovcloudapi.net/",
        null,
        null
      ],
      [
        "Revision History",
        null,
        null,
        null
      ],
      [
        "Version",
        "Date",
        "Author / Team",
        "Description of Change"
      ],
      [
        "1.0",
        "2026-02-09",
        "Compliance",
        "Initial Publication"
      ],
      [
        "How to Use This Workbook",
        null,
        null,
        null
      ],
      [
        "Instruction",
        "• Use the 'Content' tab as the machine-readable catalog of recommended secure configuration guidance.",
        null,
        null
      ],
      [
        "Instruction",
        "• Filter by Category to isolate Section 5 (Top-level administrative accounts), Section 6 (Top-level admin-only settings), or Section 7 (Privileged settings).",
        null,
        null
      ],
      [
        "Instruction",
        "• For each row, compare your current configuration to RecommendedValue; record deviations in your internal change control / risk acceptance process.",
        null,
        null
      ],
      [
        "Instruction",
        "• GuidanceText contains security impact/rationale and UI/API paths to view or change the setting (where applicable).",
        null,
        null
      ],
      [
        "Instruction",
        "• VersionNumber/Label and EffectiveFrom/To support tracking recommended-default changes over time.",
        null,
        null
      ],
      [
        "Versioning & Release Management (Recommended)",
        null,
        null,
        null
      ],
      [
        "Guideline",
        "• When recommended defaults change, increment VersionNumber (e.g., 1.1, 1.2) and update VersionLabel with a short description (e.g., 'Updated session timeout guidance').",
        null,
        null
      ],
      [
        "Guideline",
        "• Set EffectiveFrom to the publication date of the updated guidance and, if superseded, set EffectiveTo on the prior version row(s).",
        null,
        null
      ],
      [
        "Guideline",
        "• Do not overwrite old recommendations in-place when publishing a new baseline; retain prior rows with EffectiveTo populated for auditability.",
        null,
        null
      ],
      [
        "Guideline",
        "• If a setting is deprecated, keep the row and note the replacement in GuidanceText; set EffectiveTo when the guidance is no longer applicable.",
        null,
        null
      ],
      [
        "Guideline",
        "• Align any versioning updates with your public documentation portal / machine-readable guidance URL to support customer comparison.",
        null,
        null
      ],
      [
        "Section 9 — Comparing Current Settings to Recommended Secure Defaults",
        null,
        null,
        null
      ],
      [
        "Method",
        "Where to run",
        "Output format",
        "Notes"
      ],
      [
        "Settings UI Review",
        "UI: Settings > Organization, Settings > Members",
        "HTML",
        "Organization owners review own org settings, members, invitations, join requests. Limited to current organization context."
      ],
      [
        "Super Admin Console",
        "UI: /admin/organizations",
        "HTML",
        "Super Admins review all organizations, members, entitlements, hierarchy. Requires isSuperAdmin flag on user."
      ],
      [
        "API-Based Query",
        "Customer tooling / scripts",
        "JSON",
        "Endpoints: organization.one, organization.users, organization.allJoinRequests, invite.all. Auth: Session cookie or API token (Bearer header)."
      ],
      [
        "Manual",
        "Leveraging checklist",
        "Checklist",
        "Manual review leveraging Section 6 and Section 7 tables in this document."
      ]
    ]
  },
  "content": {
    "format": "records",
    "columns": [
      "Category",
      "SettingKey",
      "Name",
      "GuidanceText",
      "DefaultValue",
      "RecommendedValue",
      "VersionNumber",
      "VersionLabel",
      "EffectiveFrom"
    ],
    "records": [
      {
        "Category": "5.1 Secure Access",
        "SettingKey": "S5.1-01",
        "Name": "Authenticate via OIDC Single Sign-On (no local credentials)",
        "GuidanceText": "All administrative access to ACQBOT is performed via OIDC Single Sign-On (SSO). Local username/password authentication is not supported.\n\nSupported IdP entry points:\n- DoD CAC (PKI): GET /api/auth/callback/oidc/login (CAC/PIV via DOD1 tenant)\n- Microsoft Entra ID: GET /api/auth/callback/microsoft (TACGov tenant OIDC)\n\nUI path: /auth/login → Select authentication method → Complete IdP authentication → Dashboard.\n\nSecurity impact / rationale: Centralizing authentication at the IdP enables strong identity proofing (e.g., CAC/PIV), consistent policy enforcement, and reduces risk from locally managed credentials.",
        "DefaultValue": "OIDC SSO only",
        "RecommendedValue": "OIDC SSO only",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "5.1 Secure Access",
        "SettingKey": "S5.1-02",
        "Name": "Enforce MFA and conditional access at the Identity Provider",
        "GuidanceText": "Multi-factor authentication (MFA) and any conditional access requirements are enforced by the configured Identity Provider (Microsoft Entra ID and/or DoD PKI infrastructure). Configure MFA requirements, device compliance, and sign-in risk policies at the IdP according to agency policy.\n\nSecurity impact / rationale: Enforcing MFA at the IdP provides consistent protections across all access paths, supports centralized auditing, and helps mitigate credential theft and session hijacking.",
        "DefaultValue": "IdP-enforced (customer configured)",
        "RecommendedValue": "IdP-enforced MFA per agency policy (prefer phishing-resistant factors where available)",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "5.1 Secure Access",
        "SettingKey": "S5.1-03",
        "Name": "Account lockout protections managed at the Identity Provider",
        "GuidanceText": "Failed authentication attempts and account lockout policies are tracked and enforced by the Identity Provider (Microsoft Entra ID or DoD PKI infrastructure). Configure lockout / throttling behavior at the IdP.\n\nSecurity impact / rationale: Centralized lockout controls help prevent password spraying and brute-force attempts and ensure consistent enforcement across all authentication endpoints.",
        "DefaultValue": "IdP-managed",
        "RecommendedValue": "IdP-managed lockout/throttling aligned to agency policy",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "5.1 Secure Access",
        "SettingKey": "S5.1-04",
        "Name": "Session inactivity timeout",
        "GuidanceText": "Administrative sessions expire after 10 minutes of inactivity. Session activity is tracked via lastActivityAt, and sessions are invalidated upon organization switching.\n\nProgrammatic validation: POST /api/trpc/user.validateSession with body {\"updateActivity\": true} (returns validity and remaining time).\n\nSecurity impact / rationale: Short inactivity timeouts reduce risk from unattended sessions, shared workstations, and stolen browser sessions.",
        "DefaultValue": "10 minutes inactivity timeout",
        "RecommendedValue": "10 minutes (or shorter) inactivity timeout",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "5.1 Secure Access",
        "SettingKey": "S5.1-05",
        "Name": "Network access restrictions",
        "GuidanceText": "Implement network access restrictions at the infrastructure and/or IdP level, as appropriate for your deployment. Examples include IP allowlisting via Azure Front Door or load balancer rules, network security groups for VNet-integrated deployments, and Conditional Access policies in Microsoft Entra ID.\n\nSecurity impact / rationale: Network restrictions reduce exposure to the public internet, limit access to known agency networks/devices, and reduce risk from opportunistic scanning and credential misuse.",
        "DefaultValue": "Customer-defined",
        "RecommendedValue": "Restrict admin access via IP allowlisting and/or IdP Conditional Access where feasible",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "5.2 Secure Configuration",
        "SettingKey": "S5.2-01",
        "Name": "Create organization with a single owner (Organization Owner role)",
        "GuidanceText": "Organizations are created with a single Organization Owner. The creating user automatically becomes the owner (organization_users.role = \"owner\").\n\nUI path: /organizations → Create Organization → Enter organization name → Submit.\nAPI: POST /api/trpc/organization.create {\"name\": \"<Org Name>\"}.\n\nSecurity impact / rationale: Establishing an accountable initial owner ensures an authoritative administrator exists to manage access approvals, role assignments, and security settings.",
        "DefaultValue": "Creator becomes owner",
        "RecommendedValue": "Maintain a controlled, minimal set of owners",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "5.2 Secure Configuration",
        "SettingKey": "S5.2-02",
        "Name": "Grant (promote) owner privileges",
        "GuidanceText": "Only existing owners can promote a member to the owner role.\n\nUI path: /settings/members → Select user → Edit → Role = \"owner\" → Save.\nAPI: POST /api/trpc/member.update {\"userId\": \"<user-uuid>\", \"organizationId\": \"<org-uuid>\", \"role\": \"owner\"}.\n\nSecurity impact / rationale: Restricting promotion to current owners prevents unauthorized privilege escalation and supports separation of duties for administrative role changes.",
        "DefaultValue": "Owner-only action",
        "RecommendedValue": "Limit promotions; use least privilege and documented approvals",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "5.2 Secure Configuration",
        "SettingKey": "S5.2-03",
        "Name": "Revoke (demote) owner privileges",
        "GuidanceText": "Demote an owner to a lower role when elevated privileges are no longer required.\n\nUI path: /settings/members → Select user → Edit → Role = \"member\" (or other role) → Save.\nAPI: POST /api/trpc/member.update {\"userId\": \"<user-uuid>\", \"organizationId\": \"<org-uuid>\", \"role\": \"member\"}.\n\nNote: If a user has Super Admin status, revocation is a database administrator action (UPDATE users SET is_super_admin = false WHERE id = '<user-uuid>';).\n\nSecurity impact / rationale: Timely removal of admin privileges reduces the impact of compromised accounts and limits access for users who have changed roles or responsibilities.",
        "DefaultValue": "Owner-only action",
        "RecommendedValue": "Demote/remove elevated roles promptly when no longer required",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "5.2 Secure Configuration",
        "SettingKey": "S5.2-04",
        "Name": "API token generation (programmatic access)",
        "GuidanceText": "Owners and authorized users may generate an API token for programmatic access.\n\nUI path: Settings → Security → API Token → Generate Token.\nAPI: POST /api/trpc/user.generateApiToken.\nBehavior: Previously issued tokens are automatically invalidated; the new token is displayed only once.\n\nSecurity impact / rationale: Tokens provide non-interactive access. Automatic invalidation and one-time display reduce long-lived token sprawl and lower the likelihood of unintended disclosure.",
        "DefaultValue": "No token until generated",
        "RecommendedValue": "Generate only when needed; rotate/reissue periodically; store in approved secrets manager",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "5.2 Secure Configuration",
        "SettingKey": "S5.2-05",
        "Name": "API token invalidation (revoke programmatic access)",
        "GuidanceText": "Invalidate API tokens when access is no longer required, after role changes, or if compromise is suspected.\n\nUI path: Settings → Members → Select User → Invalidate API Token.\nAPI: POST /api/trpc/user.invalidateApiToken {\"userId\": \"<target-user-uuid>\"}.\nOnly organization owners (or Super Admins) can invalidate other users’ tokens.\n\nSecurity impact / rationale: Token revocation immediately removes programmatic access pathways that may bypass interactive sign-in controls.",
        "DefaultValue": null,
        "RecommendedValue": "Revoke tokens on offboarding, privilege change, or suspicion of compromise",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "5.2 Secure Configuration",
        "SettingKey": "S5.2-06",
        "Name": "Invitation-based onboarding (recommended identity lifecycle flow)",
        "GuidanceText": "Recommended onboarding method: Owner sends email invitation with an explicitly assigned role.\n\nUI path: /settings/members → Invite Member → Enter email → Select role → Send.\nAPI: POST /api/trpc/invite.create {\"email\": \"newuser@agency.gov\", \"role\": \"member\", \"vehicleRoles\": {\"<vehicle-uuid>\": \"user\"}}.\n\nSecurity impact / rationale: Invitation-based onboarding ensures admins authorize membership before access is granted and enables least-privilege role assignment at the time of provisioning.",
        "DefaultValue": "Invitation or join request",
        "RecommendedValue": "Use invitation-based onboarding for controlled access",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "5.2 Secure Configuration",
        "SettingKey": "S5.2-07",
        "Name": "Join request workflow (owner approval required)",
        "GuidanceText": "Alternative onboarding method: Users authenticate via SSO and request to join an organization; owners must approve/reject.\n\nUser flow: /auth/login → /organizations → Request to Join.\nOwner flow: /settings/members → Join Requests → Approve/Reject.\nAPI Approve: POST /api/trpc/organization.approveJoinRequest \"<request-uuid>\".\nAPI Reject: POST /api/trpc/organization.rejectJoinRequest \"<request-uuid>\".\n\nSecurity impact / rationale: Required owner review prevents unauthorized access and provides an auditable decision point for membership changes.",
        "DefaultValue": "Pending until approved",
        "RecommendedValue": "Review and disposition all join requests promptly",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "5.3 Secure Operation",
        "SettingKey": "S5.3-01",
        "Name": "Periodic access reviews for members and roles",
        "GuidanceText": "Perform periodic reviews of organization membership and role assignments.\n\nUI path: /settings/members → Review all members and their roles.\nRecommended frequency: Monthly (or per agency policy).\nAPI (members): GET /api/trpc/organization.users\nAPI (join requests): GET /api/trpc/organization.allJoinRequests\n\nSecurity impact / rationale: Regular access reviews reduce accumulation of stale privileges and help detect unauthorized access.",
        "DefaultValue": "Customer process",
        "RecommendedValue": "Monthly (or per agency policy)",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "5.3 Secure Operation",
        "SettingKey": "S5.3-02",
        "Name": "Detect and investigate suspicious activity indicators",
        "GuidanceText": "Monitor for indicators of suspicious or unauthorized activity, including:\n- Unexpected role changes to \"owner\" (privilege escalation)\n- Unusual or high-volume file download patterns\n- Join requests that remain unreviewed for more than 7 days\n\nSecurity impact / rationale: Early detection enables timely response to potential compromise and reduces dwell time.",
        "DefaultValue": "Customer monitoring",
        "RecommendedValue": "Implement monitoring and timely triage of suspicious indicators",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "5.3 Secure Operation",
        "SettingKey": "S5.3-03",
        "Name": "Change control for security-impacting actions",
        "GuidanceText": "Security-impacting changes require the owner role. Changes are tracked via database timestamps (createdAt, updatedAt). Customers should align administrative actions with internal change control procedures and retain evidence as required.\n\nSecurity impact / rationale: Formal change control reduces configuration drift, supports auditability, and helps prevent unauthorized changes.",
        "DefaultValue": "Owner required for admin actions",
        "RecommendedValue": "Owner approval + internal change control for security-impacting changes",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "5.4 Secure Decommissioning",
        "SettingKey": "S5.4-01",
        "Name": "Remove Organization Owner from organization",
        "GuidanceText": "Remove Organization Owners when no longer required.\n\nUI path: /settings/members → Select user → Remove from organization.\nAPI: POST /api/trpc/member.remove {\"userId\": \"<user-uuid>\"}.\n\nSecurity impact / rationale: Removing the user revokes all organization access and reduces risk from departed or reassigned personnel.",
        "DefaultValue": null,
        "RecommendedValue": "Remove inactive/unauthorized admins promptly",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "5.4 Secure Decommissioning",
        "SettingKey": "S5.4-02",
        "Name": "Revoke API tokens and terminate sessions",
        "GuidanceText": "Invalidate API tokens as needed:\n- API: POST /api/trpc/user.invalidateApiToken {\"userId\": \"<user-uuid>\"}\n\nSessions expire automatically after 10 minutes of inactivity. For immediate session termination, contact securitycompliance@tacgov.com.\n\nSecurity impact / rationale: Token/session termination prevents continued access after offboarding or suspected compromise.",
        "DefaultValue": "Sessions expire (10 min inactivity)",
        "RecommendedValue": "Invalidate tokens on offboarding; request immediate termination when warranted",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "5.4 Secure Decommissioning",
        "SettingKey": "S5.4-03",
        "Name": "Request data export and data deletion",
        "GuidanceText": "For tenant decommissioning activities, contact securitycompliance@tacgov.com to:\n- Request data export (JSON or CSV)\n- Request data deletion (subject to retention requirements)\n- Close organization/tenant\n\nSecurity impact / rationale: Controlled export and deletion processes help ensure confidentiality during data handling and ensure deletion is performed consistently with retention obligations.",
        "DefaultValue": "By request",
        "RecommendedValue": "Use documented request process; retain written confirmation",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "5.4 Secure Decommissioning",
        "SettingKey": "S5.4-04",
        "Name": "Close organization (tenant) workflow",
        "GuidanceText": "Recommended steps to close an organization:\n1) Remove all members: /settings/members → Remove each member\n2) Cancel pending invitations: /settings/members → Invitations → Delete\n3) Invalidate API tokens for former members\n4) Request organization deletion from securitycompliance@tacgov.com\n5) Receive written confirmation of deletion and access removal\n\nSecurity impact / rationale: Ensures access is removed, invitation tokens cannot be reused, and decommissioning is completed with auditable confirmation.",
        "DefaultValue": null,
        "RecommendedValue": "Follow full closure steps and maintain evidence",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "6. Top-Level Admin-only Settings",
        "SettingKey": "TL-01",
        "Name": "Organization Name",
        "GuidanceText": "Recommended setting: Meaningful, identifiable name.\nDefault value: User-generated ({username}'s Team for personal orgs).\nSecurity impact / rationale: Organization name is visible across the platform; ensures clear identification and prevents impersonation.\nHow to view: UI: Settings > Organization; API: organization.one.\nHow to change: UI: Settings > Organization > Edit; API: organization.update.\nDependencies / notes: Requires current user to be organization owner (organization.ownerId === ctx.user.id).",
        "DefaultValue": "User-generated ({username}'s Team for personal orgs)",
        "RecommendedValue": "Meaningful, identifiable name",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "6. Top-Level Admin-only Settings",
        "SettingKey": "TL-02",
        "Name": "Organization Support Email",
        "GuidanceText": "Recommended setting: Valid monitored email address.\nDefault value: null.\nSecurity impact / rationale: Contact point for organization-wide support requests; ensures proper escalation path.\nHow to view: UI: Settings > Organization; API: organization.one.\nHow to change: UI: Settings > Organization; API: organization.updateSupportEmail.\nDependencies / notes: Owner role check enforced at API level.",
        "DefaultValue": null,
        "RecommendedValue": "Valid monitored email address",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "6. Top-Level Admin-only Settings",
        "SettingKey": "TL-03",
        "Name": "Approve Join Requests",
        "GuidanceText": "Recommended setting: Review all requests.\nDefault value: pending.\nSecurity impact / rationale: Controls who can join the organization; prevents unauthorized access.\nHow to view: UI: Settings > Members > Join Requests; API: organization.allJoinRequests.\nHow to change: UI: Settings > Members > Approve/Reject; API: organization.approveJoinRequest / organization.rejectJoinRequest.\nDependencies / notes: Only owners can approve; sends email notification to requester.",
        "DefaultValue": "pending",
        "RecommendedValue": "Review all requests",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "6. Top-Level Admin-only Settings",
        "SettingKey": "TL-04",
        "Name": "Organization Member Role Assignment",
        "GuidanceText": "Recommended setting: Principle of least privilege.\nDefault value: member.\nSecurity impact / rationale: Determines user permissions within organization; over-privileged users increase risk.\nHow to view: UI: Settings > Members > Edit Member; API: member.update.\nHow to change: UI: Settings > Members > Change Role dropdown; API: member.update({userId, role}).\nDependencies / notes: Available roles: owner, member, evaluator, read_only; requires organization_member:update permission.",
        "DefaultValue": "member",
        "RecommendedValue": "Principle of least privilege",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "6. Top-Level Admin-only Settings",
        "SettingKey": "TL-05",
        "Name": "Remove Organization Members",
        "GuidanceText": "Recommended setting: Remove inactive/unauthorized users.\nDefault value: N/A.\nSecurity impact / rationale: Revokes all organization access for removed users; prevents data leakage from former members.\nHow to view: UI: Settings > Members > Remove; API: member.remove.\nHow to change: UI: Settings > Members > Remove button; API: member.remove({userId}).\nDependencies / notes: Also removes user from all vehicles in the organization; requires organization_member:delete permission.",
        "DefaultValue": null,
        "RecommendedValue": "Remove inactive/unauthorized users",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "6. Top-Level Admin-only Settings",
        "SettingKey": "TL-06",
        "Name": "Send Organization Invitations",
        "GuidanceText": "Recommended setting: Invite known, authorized users only.\nDefault value: N/A.\nSecurity impact / rationale: Controls initial access to organization; email-based invitation reduces unauthorized access.\nHow to view: UI: Settings > Members > Invite; API: invite.create.\nHow to change: UI: Settings > Members > Invite button; API: invite.create({email, role, vehicleRoles}).\nDependencies / notes: Sends email to invitee; requires organization_invitation:create permission.",
        "DefaultValue": null,
        "RecommendedValue": "Invite known, authorized users only",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "6. Top-Level Admin-only Settings",
        "SettingKey": "TL-07",
        "Name": "Revoke Organization Invitations",
        "GuidanceText": "Recommended setting: Revoke unused/stale invitations.\nDefault value: N/A.\nSecurity impact / rationale: Prevents stale invitation tokens from being used; reduces risk of unauthorized access.\nHow to view: UI: Settings > Members > Invitations > Delete; API: invite.remove.\nHow to change: UI: Settings > Members > Invitations > Delete button; API: invite.remove({id}).\nDependencies / notes: Requires organization_invitation:delete permission.",
        "DefaultValue": null,
        "RecommendedValue": "Revoke unused/stale invitations",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "6. Top-Level Admin-only Settings",
        "SettingKey": "TL-08",
        "Name": "Invalidate User API Tokens",
        "GuidanceText": "Recommended setting: Revoke on role change or suspicious activity.\nDefault value: N/A.\nSecurity impact / rationale: API tokens provide programmatic access; revocation prevents continued access after role changes or compromise.\nHow to view: UI: Settings > Members > User > Invalidate Token; API: user.invalidateApiToken.\nHow to change: UI: Settings > Members > Invalidate API Token; API: user.invalidateApiToken({userId}).\nDependencies / notes: Only organization owners can invalidate other users' tokens.",
        "DefaultValue": null,
        "RecommendedValue": "Revoke on role change or suspicious activity",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "6. Top-Level Admin-only Settings",
        "SettingKey": "TL-09",
        "Name": "Delete User Organization Profiles",
        "GuidanceText": "Recommended setting: Remove on member departure.\nDefault value: N/A.\nSecurity impact / rationale: User profiles contain organization-specific data; deletion ensures data hygiene.\nHow to view: UI: Settings > Members > User > Delete Profile; API: user.orgProfile.delete.\nHow to change: UI: Settings > Members > Delete Profile; API: user.orgProfile.delete({userId}).\nDependencies / notes: Owner role check at API level.",
        "DefaultValue": null,
        "RecommendedValue": "Remove on member departure",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "6. Top-Level Admin-only Settings",
        "SettingKey": "TL-10",
        "Name": "Vehicle User Role Assignment",
        "GuidanceText": "Recommended setting: Principle of least privilege.\nDefault value: N/A (must be explicitly assigned).\nSecurity impact / rationale: Controls access to specific vehicles (contract vehicles/programs); limits scope of user actions.\nHow to view: UI: Settings > Members > Edit Member > Vehicle Roles; API: member.update with vehicleRoles.\nHow to change: UI: Settings > Members > Vehicle Access section; API: member.update({userId, vehicleRoles: {vehicleId: role}}).\nDependencies / notes: Available vehicle roles: owner, member, evaluator, read_only; managed during invitation or member update.",
        "DefaultValue": "N/A (must be explicitly assigned)",
        "RecommendedValue": "Principle of least privilege",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "7. Privileged Account Settings",
        "SettingKey": "PR-01",
        "Name": "User Profile (Self)",
        "GuidanceText": "Recommended setting: Complete and accurate.\nDefault value: Empty/minimal.\nSecurity impact / rationale: User identity information for audit trails and collaboration.\nHow to view: UI: Settings > Profile; API: user.me.\nHow to change: UI: Settings > Profile > Edit; API: user.update.\nDependencies / notes: Users can only modify their own profile.",
        "DefaultValue": "Empty/minimal",
        "RecommendedValue": "Complete and accurate",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "7. Privileged Account Settings",
        "SettingKey": "PR-02",
        "Name": "User Organization Profile (Self)",
        "GuidanceText": "Recommended setting: Role-appropriate information.\nDefault value: Empty.\nSecurity impact / rationale: Organization-specific profile (roles, focus areas, bio) for team coordination.\nHow to view: UI: Settings > Profile > Organization Profile; API: user.orgProfile.get.\nHow to change: UI: Settings > Profile > Edit Org Profile; API: user.orgProfile.update.\nDependencies / notes: Scoped to current organization context.",
        "DefaultValue": "Empty",
        "RecommendedValue": "Role-appropriate information",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "7. Privileged Account Settings",
        "SettingKey": "PR-03",
        "Name": "User Global Profile (Self)",
        "GuidanceText": "Recommended setting: Complete for compliance.\nDefault value: Empty.\nSecurity impact / rationale: Cross-organization profile data (DoD affiliation, AI/ML experience).\nHow to view: UI: Settings > Profile > Global Profile; API: user.globalProfile.get.\nHow to change: UI: Settings > Profile > Edit Global; API: user.globalProfile.upsert.\nDependencies / notes: Used for compliance and capability tracking.",
        "DefaultValue": "Empty",
        "RecommendedValue": "Complete for compliance",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "7. Privileged Account Settings",
        "SettingKey": "PR-04",
        "Name": "Generate Personal API Token",
        "GuidanceText": "Recommended setting: Generate only when needed; regenerate periodically.\nDefault value: None.\nSecurity impact / rationale: API tokens enable programmatic access; exposure of a token compromises the user's access.\nHow to view: UI: Settings > Security > API Token; API: user.generateApiToken.\nHow to change: UI: Settings > Security > Generate Token; API: user.generateApiToken.\nDependencies / notes: Generating a new token automatically invalidates the previous one; the token value is shown only once.",
        "DefaultValue": null,
        "RecommendedValue": "Generate only when needed; regenerate periodically",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "7. Privileged Account Settings",
        "SettingKey": "PR-05",
        "Name": "Organization Switching",
        "GuidanceText": "Recommended setting: Switch to authorized orgs only.\nDefault value: Last used org.\nSecurity impact / rationale: Active organization context determines permissions and data access.\nHow to view: UI: Organization switcher dropdown; API: organization.switchOrg.\nHow to change: UI: Click organization in switcher; API: organization.switchOrg(orgId).\nDependencies / notes: Only organizations the user belongs to are listed.",
        "DefaultValue": "Last used org",
        "RecommendedValue": "Switch to authorized orgs only",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "7. Privileged Account Settings",
        "SettingKey": "PR-06",
        "Name": "Create Solicitations",
        "GuidanceText": "Recommended setting: Follow organizational guidelines.\nDefault value: N/A.\nSecurity impact / rationale: Solicitations are core workflow documents; unauthorized creation could constitute misuse of government resources.\nHow to view: UI: Solicitations > Create; API: solicitation.create.\nHow to change: UI: Solicitations > New Solicitation; API: solicitation.create({...}).\nDependencies / notes: Requires solicitation entitlement; member role grants solicitation:* permissions.",
        "DefaultValue": null,
        "RecommendedValue": "Follow organizational guidelines",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "7. Privileged Account Settings",
        "SettingKey": "PR-07",
        "Name": "Manage Documents",
        "GuidanceText": "Recommended setting: Upload appropriate documents only.\nDefault value: N/A.\nSecurity impact / rationale: Documents may contain sensitive procurement data; unauthorized uploads could leak information.\nHow to view: UI: Documents section; API: document.*.\nHow to change: UI: Documents > Upload/Edit/Delete; API: document.create/update/delete.\nDependencies / notes: Requires document entitlement; all documents scoped to organization.",
        "DefaultValue": null,
        "RecommendedValue": "Upload appropriate documents only",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "7. Privileged Account Settings",
        "SettingKey": "PR-08",
        "Name": "Manage Templates",
        "GuidanceText": "Recommended setting: Maintain approved templates.\nDefault value: N/A.\nSecurity impact / rationale: Templates affect document generation; malicious templates could produce improper outputs.\nHow to view: UI: Templates section; API: template.*.\nHow to change: UI: Templates > Create/Edit/Delete; API: template.create/update/delete.\nDependencies / notes: Requires template:* permissions from member role.",
        "DefaultValue": null,
        "RecommendedValue": "Maintain approved templates",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "7. Privileged Account Settings",
        "SettingKey": "PR-09",
        "Name": "Request Entitlements",
        "GuidanceText": "Recommended setting: Request only needed entitlements.\nDefault value: N/A.\nSecurity impact / rationale: Entitlements unlock features; excessive entitlements increase attack surface.\nHow to view: UI: Settings > Features > Request; API: entitlements.request.\nHow to change: UI: Settings > Features > Request Access; API: entitlements.request(slug).\nDependencies / notes: Requests go to system administrators for approval; duplicate requests are prevented.",
        "DefaultValue": null,
        "RecommendedValue": "Request only needed entitlements",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "7. Privileged Account Settings",
        "SettingKey": "PR-10",
        "Name": "Use Tools (AI/Document Processing)",
        "GuidanceText": "Recommended setting: Use for authorized purposes.\nDefault value: N/A.\nSecurity impact / rationale: Tools process documents and use AI; they may expose sensitive data to AI models.\nHow to view: UI: Tools section; API: tools.*.\nHow to change: UI: Tools > Select Tool; API: tools.{toolName}.\nDependencies / notes: Requires tools entitlement; some tools require additional entitlements (e.g., eula-shredder, program-management).",
        "DefaultValue": null,
        "RecommendedValue": "Use for authorized purposes",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "7. Privileged Account Settings",
        "SettingKey": "PR-11",
        "Name": "Manage Evaluations",
        "GuidanceText": "Recommended setting: Maintain evaluation integrity.\nDefault value: N/A.\nSecurity impact / rationale: Evaluations affect procurement decisions; improper evaluations could result in compliance violations.\nHow to view: UI: Evaluations section; API: evaluation.*.\nHow to change: UI: Evaluations > Create/Edit; API: evaluation.create/update.\nDependencies / notes: Requires evaluation:* permissions; members can create/manage evaluations.",
        "DefaultValue": null,
        "RecommendedValue": "Maintain evaluation integrity",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "7. Privileged Account Settings",
        "SettingKey": "PR-12",
        "Name": "Access RAI Toolkit",
        "GuidanceText": "Recommended setting: Use for AI risk assessment.\nDefault value: N/A.\nSecurity impact / rationale: RAI (Responsible AI) toolkit documents AI risks; improper use could miss critical risks.\nHow to view: UI: RAI Toolkit section; API: raiToolkit.*.\nHow to change: UI: RAI Toolkit > Projects; API: raiToolkit.project.*.\nDependencies / notes: Requires rai-toolkit entitlement.",
        "DefaultValue": null,
        "RecommendedValue": "Use for AI risk assessment",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "7. Privileged Account Settings",
        "SettingKey": "PR-13",
        "Name": "Manage Files (Storage)",
        "GuidanceText": "Recommended setting: Follow data classification guidelines.\nDefault value: N/A.\nSecurity impact / rationale: File storage contains uploaded documents; improper management can lead to data leakage.\nHow to view: UI: Files section; API: files.*.\nHow to change: UI: Files > Upload/Delete; API: files.upload/delete.\nDependencies / notes: Requires file_storage entitlement.",
        "DefaultValue": null,
        "RecommendedValue": "Follow data classification guidelines",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      },
      {
        "Category": "7. Privileged Account Settings",
        "SettingKey": "PR-14",
        "Name": "Market Research",
        "GuidanceText": "Recommended setting: Use for authorized research.\nDefault value: N/A.\nSecurity impact / rationale: Market research accesses external vendor data; could expose procurement intentions.\nHow to view: UI: Market Research section; API: marketResearch.*.\nHow to change: UI: Market Research > Create/Run; API: marketResearch.*.\nDependencies / notes: Requires market-research entitlement.",
        "DefaultValue": null,
        "RecommendedValue": "Use for authorized research",
        "VersionNumber": 1.0,
        "VersionLabel": "Initial Publication",
        "EffectiveFrom": "2026-02-09T00:00:00"
      }
    ]
  }
}