| Document Metadata | |
|---|---|
| Document ID | VDJ-SCG-001 |
| Document Title | Secure Configuration Guide |
| FedRAMP 20x Rules Satisfied | SCG-CSO-RSC (Recommended Secure Configuration), SCG-CSO-AUP (Use Instructions), SCG-CSO-PUB (Public Secure Configuration Guidance), SCG-CSO-SDF (Secure Defaults) |
| Related Controls | AC-1, AC-2, AC-3, AC-6, AC-6(5), AC-7, AC-11, AC-12, AC-17, AU-1, AU-2, AU-6, AU-11, IA-1, IA-2, IA-2(1), IA-5(1), IA-8, SC-7, SC-8 |
| System Name | VirtualDojo AI CRM |
| Authorization Level | FedRAMP 20x Certification, Class C |
| Document Version | 1.0 |
| Effective Date | July 1, 2026 |
| Next Review Date | July 1, 2027 |
| Classification | Public |
| Audience | Agency tenant administrators, agency ISSOs, and any VirtualDojo AI CRM administrative/privileged account holder |
| Prepared By | Devin Henderson, CEO / ISSO |
| Approved By | Devin Henderson, CEO / ISSO |
This guide is VirtualDojo's Secure Configuration Guide as required by the FedRAMP 20x Consolidated Rules Secure Configuration Guidance (SCG) ruleset. It is written for the people who will actually operate a VirtualDojo AI CRM tenant — agency tenant administrators, ISSOs, and anyone holding a top-level administrative or privileged account — not for FedRAMP assessors. It satisfies:
| Rule | Requirement | How this guide satisfies it |
|---|---|---|
| SCG-CSO-RSC | MUST create, maintain, and make available a Secure Configuration Guide covering top-level admin account setup/decommission, security-relevant settings only top-level admins can operate, and (recommended) settings privileged accounts can operate | Sections 2–7 below cover initial admin provisioning and decommissioning, the security-relevant settings gated to the superadmin role, and the settings available to the admin role |
| SCG-CSO-AUP | MUST include instructions in the Certification Package on how to obtain and use this guide | Section 1.2 |
| SCG-CSO-PUB | SHOULD make the guide publicly available | Section 1.3 — published at https://trust.virtualdojo.com/secure-configuration-guide, no login required |
| SCG-CSO-SDF | SHOULD ship top-level admin and privileged accounts with secure defaults out of the box | Section 7 documents what ships secure by default versus what a tenant admin must actively configure |
The optional enhanced-capability items (SCG-ENH-*) are tracked in Section 9 (Enhanced Capabilities Roadmap), which states the current status of each — some are implemented today and others are on the roadmap.
This guide is a distillation of controls that are documented in full elsewhere in the FedRAMP Certification Package. Where this guide says "configure X," the underlying control implementation, evidence, and verification procedure are documented in:
If any statement in this guide appears to conflict with those documents, the control implementation documents govern; this guide is the summarized, customer-facing operational version and is updated whenever the underlying configuration changes.
This guide is included as a named artifact in the VirtualDojo FedRAMP 20x Certification Package (this file, Secure Configuration Guide / its signed PDF rendering in the signed certification package) and is also published independently of the certification package at the public URL in Section 1.3. Agencies evaluating or onboarding to VirtualDojo AI CRM should:
https://trust.virtualdojo.com) and to the tenant's registered admin contact.This guide is published at https://trust.virtualdojo.com/secure-configuration-guide, hosted on the VirtualDojo Trust Center. It does not require an account, a customer relationship, or an NDA to view — it is intended to be readable by prospective agency customers during procurement evaluation, not only by existing tenants. The Trust Center copy is kept in sync with the version in the signed Certification Package; the Certification Package version is authoritative in case of a discrepancy pending republication.
In VirtualDojo AI CRM, the top-level administrative role is superadmin. A superadmin account controls enterprise-wide access to the entire tenant: it can create and remove other admins, change tenant-wide security settings, configure SSO/federation trust, and read the full audit log. There is exactly one class of account with this scope per tenant; VirtualDojo strongly recommends limiting the number of live superadmin holders to the minimum needed for continuity (typically 2, so a single person's unavailability does not block emergency access changes).
superadmin is distinct from the admin role, which is a privileged-but-scoped role (see Section 3) — an admin manages users and day-to-day settings within the tenant but cannot alter the settings enumerated in Section 2.4.
superadmin user is a member of the SAML/OIDC group your agency has mapped to the superadmin role during onboarding (see the groups claim mapping in Authentication and Federation Procedures Section 9.4). Role assignment is driven by your IdP group membership, not by a separate VirtualDojo user-management step — this means your agency's own access-approval workflow for that group is what actually grants superadmin.superadmin-mapped group. VirtualDojo cannot enforce a stronger authenticator than what your IdP asserts, so this step is the customer's responsibility — see Section 3 of this guide and Section 4 (Conditional Access baseline) for the specific policy to apply.groups claim. If no group claim maps to superadmin, the account is provisioned at the most restrictive role (Read-Only) and must be manually elevated — VirtualDojo will not silently grant top-level access to an unmapped account.superadmin account by having it sign in and confirm it can reach Tenant Settings → Administration in the application UI. Record the verification in your agency's onboarding checklist.superadmin-mapped group in your own IdP. This is the primary and immediate control — the next time VirtualDojo re-validates the SAML/OIDC session or the user's assertion is re-issued, the elevated role claim is gone.UserSSOConnection record's is_active flag is set to false if the user is leaving the agency entirely (as opposed to only losing superadmin scope).superadminThe following settings can only be viewed or changed by a superadmin account. Each carries a security implication an agency should understand before changing it:
| Setting | Location | Security Implication |
|---|---|---|
| SSO/federation trust configuration (IdP metadata, signing certificate, attribute mapping) | Tenant Settings → Administration → Identity Federation | Determines which IdP(s) can authenticate users into your tenant and how SAML/OIDC claims map to roles. A misconfigured or overly permissive attribute mapping (e.g., mapping too broad a group to superadmin) directly expands your privileged-account population. |
| Role-to-group mapping | Tenant Settings → Administration → Identity Federation → Role Mapping | Controls which IdP groups map to superadmin, admin, Manager, User, and Read-Only. This is the actual access-control boundary for your tenant since role assignment is claims-driven (Section 2.2, step 3). |
| Tenant-wide session and re-authentication policy (see Section 4.3) | Tenant Settings → Administration → Security | Sets the maximum session lifetime and inactivity timeout enforced by the application in addition to whatever your IdP enforces. Loosening this increases the window an unattended, authenticated session can be misused. |
| Network access restrictions (IP allow-listing, see Section 5) | Tenant Settings → Administration → Network Security | Restricts which source networks can reach your tenant's data at the application layer. Removing restrictions expands your externally reachable attack surface. |
| Audit log export and retention configuration (see Section 6) | Tenant Settings → Administration → Audit & Compliance | Controls where your tenant's audit trail is exported to and how long it is retained in application storage before rolling off (independent of VirtualDojo's own 400-day Cloud Logging retention). Reducing retention or disabling export reduces your agency's own forensic and compliance evidence. |
| API key issuance for tenant-wide integrations | Tenant Settings → Administration → API Access | Long-lived API keys with tenant scope are a standing credential. Only superadmin can mint or revoke them. |
| User and role deletion (bulk) | Tenant Settings → Administration → Users | Bulk deprovisioning actions are restricted to superadmin to prevent an admin account from mass-removing accounts, including other admins. |
admin) Accountsadmin accounts are privileged but scoped: they manage day-to-day tenant operation without the tenant-wide authority described above.
| Setting | Location | Security Implication |
|---|---|---|
Individual user role assignment (within roles below superadmin) |
Users → [user] → Role | Assigning admin to a user materially expands who can see and act on other users' records and settings below tenant-wide scope; least-privilege role assignment is a customer responsibility (see Customer Responsibility Matrix AC-6(5)). |
| Per-user MFA re-enrollment / session revocation | Users → [user] → Security | Lets an admin force a suspected-compromised user to re-authenticate and re-register MFA. Useful first-response action; also a capability that should itself be audit-logged and reviewed (it is — see Section 6). |
| Data export configuration for their own scope | Reports / Data → Export | Controls who can pull bulk data out of the tenant. Overly broad export permission granted to admin-managed users is a common data-exfiltration risk vector. |
| Audit log viewing (read-only) | Audit Log | admin can view but not delete or reconfigure retention; only superadmin can change retention/export settings (Section 2.4). |
VirtualDojo AI CRM does not offer a local username/password login for agency users — every sign-in is federated through the agency's own IdP (Section 2.2), and MFA enforcement for superadmin and admin accounts is therefore primarily your IdP's responsibility, with VirtualDojo enforcing a floor:
authnContextClassRef such as SmartcardPKI for PIV/CAC, or an equivalent multi-factor claim). Assertions that do not assert MFA are still accepted for authentication but the session is flagged and step-up MFA is required before any superadmin- or admin-gated action can be performed.superadmin-mapped group. VirtualDojo recommends the following priority order for the MFA method itself, consistent with OMB M-22-09 phishing-resistance guidance:| Priority | Method | Why |
|---|---|---|
1 (required for superadmin) |
FIDO2 security key, or PIV/CAC certificate-based authentication | Phishing-resistant; PIV/CAC additionally satisfies HSPD-12 for federal personnel |
2 (acceptable for admin) |
Authenticator app with number matching | Mitigates MFA-fatigue push attacks; not phishing-resistant |
| Prohibited | SMS OTP, voice call OTP, email OTP | Restricted authenticators per NIST SP 800-63B; VirtualDojo's acceptance criteria explicitly reject agencies relying on these alone (Authentication and Federation Procedures Section 11.3) |
If your agency cannot demonstrate AAL2-equivalent MFA enforcement during federation onboarding, VirtualDojo will not activate the federation trust until it is remediated (Authentication and Federation Procedures Section 11.5.2).
Most current VirtualDojo AI CRM agency tenants federate from Microsoft Entra ID. If your agency uses Entra ID as its IdP, verify the following Conditional Access baseline is applied to the VirtualDojo AI CRM enterprise application before onboarding any superadmin or admin account. These are the same baseline settings VirtualDojo itself applies to its own Entra ID tenant for administering the platform (Identification and Authentication Policy, Access Control Policy), offered here as the recommended customer-side configuration:
superadmin (and recommended for admin)superadmin/admin-mapped groupsIndependent of whatever your IdP's session-frequency policy is set to, VirtualDojo AI CRM enforces its own session ceiling so that a long-lived IdP session cannot translate into an indefinitely long application session:
| Setting | Enforced Value | Configurable by Customer? |
|---|---|---|
| Maximum session lifetime | 8 hours | No — platform-enforced floor; ships as the secure default |
| Inactivity/idle timeout | 15 minutes (locks session, requires re-authentication) | No — platform-enforced floor; ships as the secure default |
| Step-up MFA for privileged actions | Required regardless of session age | No — platform-enforced |
| Tenant-configurable stricter session policy | superadmin may set a shorter max session or idle timeout than the platform default |
Yes — Tenant Settings → Administration → Security (Section 2.4); the platform default is a ceiling, not a customer-adjustable maximum |
VirtualDojo recommends agencies leave the Entra ID sign-in-frequency setting at or below 12 hours for standard users and 1 hour for privileged roles even though the application enforces its own tighter ceiling — defense in depth means a compromised or misconfigured application session control should not be the only backstop.
VirtualDojo AI CRM is an internet-facing SaaS application (https://app.virtualdojo.com) — there is no customer-managed network perimeter in front of it in the traditional sense, but the following customer-configurable restrictions are available:
| Control | Where Configured | Notes |
|---|---|---|
| Tenant IP allow-listing | Tenant Settings → Administration → Network Security (superadmin only, Section 2.4) |
Restricts application-layer sign-in to a customer-specified list of source IP ranges (e.g., agency VPN egress ranges or Windows 365 Cloud PC egress ranges). Sign-ins from outside the allow-list are rejected before authentication is attempted. Recommended for agencies with a defined egress footprint. |
| IdP-side named-location Conditional Access | Your Entra ID tenant | Independent of the VirtualDojo-side allow-list, your agency can also restrict which named locations are permitted to complete authentication against your own IdP for the VirtualDojo enterprise application — this is the customer's own control and is enforced before VirtualDojo ever sees the sign-in attempt. |
| TLS enforcement | Platform-enforced, not customer-configurable | All traffic to app.virtualdojo.com requires TLS 1.2 minimum (TLS 1.3 preferred); TLS 1.0/1.1 and legacy cipher suites are not offered. See Authentication and Federation Procedures Section 8.3 for the exact cipher suite list. |
| API access network restriction | Tenant Settings → Administration → API Access | API keys can optionally be bound to a source IP allow-list at issuance time, limiting where a leaked key could be used from. |
VirtualDojo does not offer customer-managed WAF rule authoring or a customer-facing firewall console — the application-layer allow-list above is the supported network restriction mechanism. Agencies requiring network-layer controls beyond this should implement them at their own egress point (e.g., forcing all agency traffic to VirtualDojo through an agency-managed proxy/VPN and then allow-listing only that egress range).
VirtualDojo AI CRM logs authentication events, privileged actions, role changes, and data export/access events to an application-level audit log, which is layered on top of VirtualDojo's own GCP Cloud Logging pipeline (400-day retention at the platform level, per Customer Responsibility Matrix AC-2(12)). Customer-facing configuration options:
| Option | Location | Description |
|---|---|---|
| In-app audit log viewer | Audit Log (available to admin read-only, full control for superadmin) |
Searchable/filterable view of authentication events, role/permission changes, user provisioning/deprovisioning, and data export events for your tenant only (tenant-isolated; you cannot see other tenants' logs and they cannot see yours) |
| Export format | Audit Log → Export | CSV or JSON export of a selected date range, for import into your own SIEM or compliance reporting pipeline |
| Automated export / SIEM integration | Tenant Settings → Administration → Audit & Compliance (superadmin only) |
Configure a recurring export destination (webhook or scheduled pull) so your agency does not depend on manual export |
| In-app retention window | Tenant Settings → Administration → Audit & Compliance (superadmin only) |
Configure how long audit events remain queryable in the application UI before rolling off; this is independent of (and shorter than or equal to) VirtualDojo's own 400-day platform-level Cloud Logging retention, which is not customer-configurable and serves as the forensic backstop even if a tenant shortens its in-app window |
| Immutability | Not customer-configurable | Audit log records cannot be edited or deleted via any role, including superadmin — there is no update/delete API for audit records (Customer Responsibility Matrix AU-9) |
VirtualDojo recommends weekly review of the audit log at minimum, and provides a standardized checklist your reviewer can adapt — see Audit Log Review Checklists for the schedule and check items VirtualDojo's own ISSO uses internally (daily/weekly/monthly cadence, specific things to look for such as new-IP logins, privilege escalation events, and bulk data export).
This section states plainly what ships secure out of the box for a newly onboarded tenant, versus what requires active customer configuration. Nothing in the "customer must configure" column is unsafe left alone — it simply is not something VirtualDojo can set on the customer's behalf because it depends on the customer's own IdP or organizational policy.
| Setting | Default | Rationale |
|---|---|---|
| Local username/password login | Disabled — federation-only | Eliminates an entire class of credential-stuffing and password-reuse risk for agency accounts |
| Application session maximum lifetime | 8 hours | Prevents indefinite sessions regardless of IdP session policy |
| Application inactivity timeout | 15 minutes | Limits exposure from an unattended, authenticated device |
| New non-organizational user default role (no group claim mapped) | Read-Only (most restrictive) | JIT-provisioned users are never silently granted elevated access; VirtualDojo notifies the tenant superadmin for manual review within 24 hours |
| TLS configuration | TLS 1.2 minimum, FIPS-approved cipher suites only | Not adjustable by any role — platform-enforced |
| Audit log immutability | No update/delete path for audit records, at any role | Guarantees a tamper-evident record regardless of tenant configuration |
| Assertion replay protection | SAML/OIDC assertion IDs single-use, cached for the assertion lifetime | Prevents replay of a captured assertion even if other controls are misconfigured |
| Password complexity, history, and breached-password blocking for any VirtualDojo-managed credential (e.g., break-glass accounts) | 14-character minimum, 24-password history, global + custom banned-password list, 10-attempt/30-minute smart lockout | Matches VirtualDojo's own internal Entra ID policy (Identification and Authentication Policy); applies to any VirtualDojo-side credential, not to federated agency accounts which have no VirtualDojo-managed password |
| Setting | Why VirtualDojo Cannot Default This |
|---|---|
| MFA enforcement and method | Enforced at your IdP, which VirtualDojo does not control (Section 3) |
| Role-to-group mapping | Depends entirely on your agency's own group structure (Section 2.2) |
| Device compliance requirement | Depends on your agency's MDM/Intune enrollment (Section 4.3) |
| Network/IP allow-listing | Depends on your agency's egress topology (Section 5) |
| Audit log export destination and in-app retention window | Depends on your agency's SIEM/compliance requirements (Section 6) |
| API key issuance and scoping | Depends on what integrations your agency actually needs |
Use this checklist during onboarding and at each annual access review:
app.virtualdojo.com — none should be reachable).superadmin, navigate to Tenant Settings → Administration → Security and confirm the session lifetime and idle timeout fields show 8 hours / 15 minutes or a customer-tightened value — never a value greater than the platform ceiling (the UI will not accept a looser value).superadmin or admin that is not mapped through your IdP's group claims (Section 2.2, step 3) — every privileged account should trace back to an entry in your own IdP's group membership, not a VirtualDojo-local grant.app.virtualdojo.com (e.g., nmap --script ssl-enum-ciphers or an equivalent external scanner) — this should always fail to downgrade regardless of tenant configuration.| Need | Contact |
|---|---|
| Federation onboarding, role-mapping setup | security@virtualdojo.com |
| Suspected security incident involving your tenant | security@virtualdojo.com (immediate) |
| General configuration questions about this guide | security@virtualdojo.com |
| Trust Center / authorization package access | https://trust.virtualdojo.com |
The FedRAMP 20x Consolidated Rules define a set of optional, enhanced-capability SHOULD items beyond the baseline Secure Configuration Guide requirements. VirtualDojo does not currently implement any of the following. They are listed here for transparency and roadmap visibility only — none of the capabilities below exist in the product today, and this guide will be updated (with a version bump, see the document metadata table) if and when any of them ship.
| Rule | Capability | Status |
|---|---|---|
| SCG-ENH-CMP | Compare all current top-level admin/privileged settings against the recommended secure defaults, in-app | Not implemented. Today, verification of secure defaults is manual (Section 7.3 checklist). |
| SCG-ENH-EXP | Export all security settings in a machine-readable format | Implemented. Security settings are retrievable in machine-readable (JSON) form via VirtualDojo's administrative API and the VirtualDojo CLI (see SCG-ENH-API), in addition to the audit-log export in Section 6. |
| SCG-ENH-API | View and adjust security settings via an API | Implemented. Security settings can be viewed and adjusted programmatically via VirtualDojo's administrative API and the VirtualDojo CLI, in addition to the application UI (Sections 2–6). API documentation is available in the admin console after signing in at app.virtualdojo.com. |
| SCG-ENH-MRG | Provide this Secure Configuration Guide itself in a machine-readable format for automated comparison against current settings | Not implemented. This guide is published only as human-readable Markdown/PDF. |
| SCG-ENH-VRH | Versioning and release history for recommended secure defaults as they change over time | Partially addressed structurally (this document carries a version and effective date in its metadata table, and changes to defaults are announced via Trust Center SCR notices per Section 1.2), but there is no dedicated, queryable release-history log of default-setting changes distinct from the general SCR process. Treated as not implemented until a purpose-built history view exists. |
Questions or feature requests related to this roadmap can be sent to security@virtualdojo.com.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0 | July 1, 2026 | Devin Henderson | Initial release, satisfying SCG-CSO-RSC, SCG-CSO-AUP, SCG-CSO-PUB, and SCG-CSO-SDF for the FedRAMP 20x Certification Package |