In addition to the ACTIVATE SaaS platform, we offer a solution for the US Government: the Parallel Works High-Security Platform (PWHSP). Hosted in AWS GovCloud, the PWHSP is compliant with Federal Risk and Authorization Management Program (FedRAMP) standards.
The PWHSP includes the same major features as ACTIVATE. Some features and services have been modified for security compliance; those changes are detailed in this section.
At present, the PWHSP only supports connecting to on-premises clusters with an Authority to Operate (ATO) and deploying compute resources on AWS. We will be adding support for Microsoft Azure and Google Cloud Platform compute resources in the future. All AWS options are available on the PWHSP, but screenshots and page sections that mention other cloud service providers can be disregarded until further notice.
The PWHSP does not support SSH access from your personal computer to cloud resources. All of your work with compute resources must be conducted in your user workspace on the platform. SSH can be federated through the PWHSP using the PW CLI; see the PW CLI documentation for more information.
On the PWHSP, users are required to have MFA enabled on their account or to use an authentication method that ensures MFA, such as a CAC or an OIDC provider with MFA.
For users who authenticate with a password, we support adding a YubiKey 5 FIPS model. YubiKeys plug into your computer via USB-A or USB-C and require physical touch after you enter your password. These YubiKeys are provisioned and issued by Parallel Works.
Common Access Cards (CAC) are the standard form of identification for government employees, personnel, and service members. If you use a CAC, your administrator will register your CAC with your PWHSP account before you access the PWHSP for the first time. You’ll need your CAC PIN in addition to your CAC.
OpenID Connect can use either a YubiKey or a CAC for second-step validation. With OpenID Connect, the PWHSP login page is provided by the government instead of Parallel Works. The YubiKey in this case will be provisioned and issued by the government.
The Federal Information Processing Standards (FIPS) are globally recognized guidelines for information security. The PWHSP adheres to FIPS 140-2.
When accessing Cloud Service Provider (CSP) services from within the PWHSP, you must use FIPS endpoints. Below are instructions for configuring common cloud SDKs to use FIPS endpoints.
For AWS SDKs, you can enforce the use of FIPS endpoints by setting the following environment variable:
AWS_USE_FIPS_ENDPOINT=true
For Azure, FIPS compliance involves using the Azure Government cloud. Ensure your authentication uses the correct authority host:
AZURE_AUTHORITY_HOST=https://login.microsoftonline.us
For Google Cloud, FIPS compliance is generally handled at the cryptographic library level rather than specific FIPS endpoints. Ensure your application is built and run using FIPS-validated cryptographic modules.
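A job script can refuse to run when the settings above are missing or wrong. The following preflight check is an added example, not part of the PW CLI or any cloud SDK; the function name check_fips_env and its scope argument are hypothetical, and it accepts only the exact values given on this page.

```shell
#!/usr/bin/env bash
# Added example: preflight check for the FIPS-related environment settings.
# check_fips_env is a hypothetical helper, not a PW CLI or SDK command.

check_fips_env() {
    # $1 selects what to check: "aws", "azure", or "all" (default).
    local scope rc host
    scope="${1:-all}"
    rc=0

    if [ "$scope" = "aws" ] || [ "$scope" = "all" ]; then
        # Strict match on the documented value; anything else is a failure.
        if [ "${AWS_USE_FIPS_ENDPOINT:-}" = "true" ]; then
            echo "OK   AWS_USE_FIPS_ENDPOINT=true"
        else
            echo "FAIL AWS_USE_FIPS_ENDPOINT is '${AWS_USE_FIPS_ENDPOINT:-<unset>}', expected 'true'" >&2
            rc=1
        fi
    fi

    if [ "$scope" = "azure" ] || [ "$scope" = "all" ]; then
        # Strip one trailing slash so both spellings of the URL pass.
        host="${AZURE_AUTHORITY_HOST:-}"
        host="${host%/}"
        if [ "$host" = "https://login.microsoftonline.us" ]; then
            echo "OK   AZURE_AUTHORITY_HOST=$host"
        else
            echo "FAIL AZURE_AUTHORITY_HOST is '${host:-<unset>}', expected 'https://login.microsoftonline.us'" >&2
            rc=1
        fi
    fi

    # 0 when every requested setting matches, 1 otherwise.
    return "$rc"
}
```

Calling `check_fips_env aws || exit 1` before the first SDK call stops the job if FIPS endpoints are not being enforced.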
The PWHSP can only be accessed through port 443. Port 80 is open for redirect to port 443 only. Port 8443 is open for CAC authentication. All data is encrypted at rest and in transit using validated FIPS 140-2 cryptographic modules.