Security and Privacy

FedRAMP High Authorization

Descope is FedRAMP High Authorized. The Federal Risk and Authorization Management Program (FedRAMP) is the US government's standardized approach to security assessment and authorization for cloud services, and High is its most stringent impact level.

Descope is listed on the FedRAMP Marketplace, which makes it available to federal agencies, contractors, system integrators, and any other organization that requires FedRAMP High authorized software.

For the public administrative configuration guidance required under FedRAMP, see the FedRAMP Security Admin Guide.

That guide is published because FedRAMP requires customer-responsible configuration guidance to be publicly accessible.

Working with Descope on FedRAMP

Most of a FedRAMP deployment is handled directly with Descope Customer Success, including the FedRAMP onboarding process.

If you are planning a deployment, contact Descope Support to scope the environment and kick off onboarding. The Descope team will walk you through provisioning, configuration, and any requirements specific to your agency or program.

Connectors in Your Environment

Descope Connectors let you extend identity flows to external services. In a FedRAMP deployment, those services often sit inside a private network with no inbound access.

The Descope Engine is a component you install within your own environment so connector actions can run against private-network resources. It uses outbound-only gRPC and opens no inbound ports, which keeps it compatible with locked-down government networks.

See Descope Engine for deployment details.

Federating to an External Identity Provider

Descope's authorization covers the Descope platform boundary. If your users authenticate through an external identity provider (such as Okta or Microsoft Entra ID), that provider sits outside the Descope boundary and needs its own FedRAMP High authorization for the end-to-end flow to remain in a High boundary. Your Descope team will cover this as part of onboarding.

For background on which providers and tiers qualify, see our doc on Federated Identity Providers and FedRAMP.

Was this helpful?

On this page