WHITE PAPER

Trusted Unified Communications and Collaboration

01 FedRAMP-In-Process Carrier-Class Cloud

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. BroadSoft Government Cloud is committed to providing Government agencies with a secure cloud solution that meets the federal government standards.

Key Benefits from the Cloud:

Easy Migration. Phase in over the top of existing infrastructure or fully implement in one project, leveraging proven best practices, included services for security, operations management and maintenance, and an expert partner network.

End-to-end (endpoint-to-cloud) encryption in adherence with the FIPS 140 standard: Transport Layer Security (TLS) for signaling and Secure Real-time Transport Protocol (SRTP) for media, from IP endpoints at the Government agency all the way to the cloud.

Securing government agency confidentiality

Additional regulatory certifications. In addition to FedRAMP Moderate, we also comply with NIST SP 800-53 security controls, FISMA, HSPD-12, FIPS 140-2, FDCCI, the Telework Enhancement Act of 2010, the GSA infrastructure contract consolidation initiative, and ISO 27001.

Multi-location agency support with common controls and centralized management. Flexible, role based feature packaging for agency workers at any site with self-managed secure portals.

Increased productivity with mobile and remote workers with the same security assurance as workers at the physical desk.

SIP Trunking to allow flexibility to connect existing premise-based PBX or Key Telephone System (KTS) with secure transport from agency boundary into the cloud.

Highest standard of data center security.

Fraud prevention – vulnerability investigation, correction and prevention best practices. Multiple levels of security are supported, including network security, intrusion and network detection, call processing and device configuration.

The BroadSoft Government Cloud service is supported by equipment deployed in a geographically redundant configuration across two physical data centers. The network is designed so that, if connectivity to one data center location is lost, the other site can seamlessly carry the voice traffic. The equipment deployed in, and the connectivity to, each data center is built so that each site is a mirror image of the other. The BroadSoft Government Cloud supports a variety of data interconnection methods, both for access to customer premise equipment and for connectivity to the PSTN via Service Provider (SP) partner carrier networks.

BroadSoft Government Cloud (BGC) | High Level Network Architecture

The methodologies supported include Internet-based connectivity, connectivity via Managed Internet, or connectivity via Virtual Private Networks (VPNs). BroadSoft Government Cloud services are available regardless of the type of connecting device or connectivity method.

Security Classification and Compliance Level

The Federal Information Processing Standard (FIPS) Publication 199 defines three levels (Low, Moderate or High) of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). The application of these definitions must take place within the context of each organization and the overall national interest. Due to the sensitive nature of Government communications, BroadSoft Government Cloud has pursued the Moderate control baseline for compliance and certification purposes. Moderate is defined by the potential impact of a breach: the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

Security and regulatory certifications in addition to FedRAMP

  • Federal Information Security Modernization Act (FISMA)

  • Homeland Security Presidential Directive 12 (HSPD-12) – Common Identification Standards

  • FIPS 140-2 Cryptographic Module

  • Federal Data Center Consolidation Initiative (FDCCI)

  • Telework Enhancement Act of 2010

02 Enterprise Class Performance

Comprehensive, Integrated Capabilities for the Government Workplace 

The BroadSoft Government Cloud service is designed to allow multi-location agencies to communicate as easily and effectively as if located under a single roof while providing the convenience and cost savings of centralized management. The BroadSoft Government Cloud service structure allows multiple locations with different technology needs to exist under a single entity’s complete control. Each site can service multiple types of users, with features based on the needs of an individual staff member or role. Entity-wide service management portals, site-specific service management portals and user-specific portals can be granted to provide real-time changes in call handling and features with the appropriate level of permission.

Mobile Staffers.
Move seamlessly between agencies and remote offices while communicating anywhere from any device.

  • Drive new productivity with your constituents, contract partners and co-workers.
  • On-the-fly ease of use with a one number solution integrated with a complete suite of collaboration tools.


Teleworkers and Telecommuters
Expand telework capabilities on a wide range of devices, while maintaining secure, remote access.

  • Connect with the workplace culture and extend the collaborative experience and productivity of working with your teams.
  • Enrich the virtual workplace with perspectives from different environments that staff are more comfortable sharing when working virtually.
  • Meet security and internal policy compliance.


Bring Your Own Device (BYOD)
Support your BYOD initiatives with seamless mobility across devices and WebRTC-enabled browsers.

03 Centrex Replacement – Hosted PBX & SIP Trunking

BroadSoft Government Cloud can service locations with either a Hosted PBX solution or a SIP Trunking solution, depending on whether a location is equipped with a phone system (IP PBX, key system, etc.). The site type selected for a location will determine which site features are available to the location and which user features are available to the users at that location.

  • Hosted PBX is the ideal solution for Centrex replacement, new locations where a phone system has not been purchased, or when retiring an aging PBX or key system. Each user is provisioned with a set of included and optional features controllable by service administrator(s). Each station/user is allocated a call path for incoming and outgoing calls. The call path is included with each station/user. A SIP phone or soft client will be required for each user to place and receive calls. Certain government purchase vehicles also refer to this specific type of service as “Hosted IP Voice” or “IP Voice Services (IPVS)”.
  • SIP Trunking is the hosted solution for existing IP PBXs or other phone systems that are not yet end-of-life. SIP Trunking is typically used to cost-effectively replace traditional ISDN PRIs and T1s and to provide enhanced functionality such as built-in business continuity with automatic failover during site incidents. User features are controlled by a combination of the phone system itself and the BroadSoft Government Cloud site administrator's portal. Unlike Hosted PBX, the quantity of call paths required must be identified and subscribed to separately from users. A soft client can be used in conjunction with the service, but the physical telephone is typically provided by or with the phone system.

SIP Trunking

04 UC-One Communication Mobilization

Features by station type

Station types (table columns): Premium Station, Standard Station, Basic Station, Messaging Station, Dialtone Station

Feature rows:

  • UC-One App Bundle: Mobile App; Desktop App (with S4B Option); Tablet App (when available); Video Calling
  • UC-One Collaboration Bundle: Instant Messaging & Presence; Desktop & File Sharing (up to 15); My Room Collaboration
  • Upgrade
  • User Web Portal
  • Business Continuity
  • Inbound Fax to Email
  • Mobile Integration
  • Exec/Admin Tools
  • Unified Message | Visual Voicemail
  • Upgrade
  • Business Class Calling Features: > 40 features (Premium), > 40 features (Standard), > 25 features (Basic), > 11 features (Messaging), > 10 features (Dialtone)
  • Call Queue Agent
  • Skype for Business

UC-One App Bundle

  • Business identity on desktop and mobile
  • Always-on access to business calling features and services
  • Video calling
  • Desktop option for Skype for Business

UC-One Collaboration Bundle

  • IM&P fully integrated with business voice
  • Collaboration tools including group chat, desktop sharing, and My Room
  • Audio and Video conferencing integration
  • Microsoft Outlook integration
  • Enterprise level feature control
  • Guest Client for external party access
05 Carrier-grade Network Architecture

The BroadWorks Call Control platform is at the center of the network and provides the hosted telephony services and call routing for the subscriber base. Multiple types of servers make up the platform, each with a distinct function and redundancy mechanism. The servers running the BroadWorks software are physically connected to the network with Gigabit Ethernet connections to separate Ethernet switches. Session Border Controllers (SBCs) are deployed in each data center in high availability mode, meaning there is full redundancy built into each deployed SBC cluster. On the Access side of the network, SBCs provide security for the Call Control platform and SIP connectivity to IP endpoints, including NAT traversal and VPN connectivity. SBCs are also used on the Network side for interconnection to partner carrier networks via SIP interconnections.

Oracle SBCs capable of FIPS encryption are currently deployed on both the Access and Network side. The routing and switching infrastructure consists of IP routers and switches manufactured by Juniper Networks. There are multiple connections within each data switch to servers, SBCs, and other networking equipment to ensure that no single physical port failure will result in complete loss of connectivity to the network. The supported IP endpoints rely on the resolution of DNS SRV records to locate the SBCs: the SRV records control the preferred order and the signaling ports the IP endpoint signals towards. If connectivity to the primary SBC fails, the phones are configured to fail over to the secondary address.
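The SRV-driven ordering and failover just described, as an added example that is not BroadSoft's or any phone vendor's code: it applies the RFC 2782 selection rule (ascending priority, weighted random choice within a priority) to a constructed SRV answer for a hypothetical name `_sips._tcp.sip.example.gov` and picks the next SBC once the primary's hostname is known to be unreachable. The hostnames, ports and weights are assumptions.

```python
"""Selecting SIP SBC targets from DNS SRV records (RFC 2782 ordering).

Added illustration of the SRV-based failover described above; not
BroadSoft code. The record names, hosts, ports and weights below are
constructed for the example.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower value is tried first
    weight: int     # relative share of traffic within one priority
    port: int       # signaling port the endpoint must use for this target
    target: str     # SBC hostname


# Constructed answer for a hypothetical _sips._tcp.sip.example.gov query:
# one access SBC per data center at priority 10 (equal weights, so load is
# split between the two sites) and a lower-preference pair at priority 20.
SRV_ANSWER = [
    SrvRecord(10, 50, 5061, "sbc1.dc-a.example.gov"),
    SrvRecord(10, 50, 5061, "sbc1.dc-b.example.gov"),
    SrvRecord(20, 50, 5061, "sbc2.dc-a.example.gov"),
    SrvRecord(20, 50, 5061, "sbc2.dc-b.example.gov"),
]


def order_srv(records, seed=None):
    """Return records in the order an RFC 2782 client tries them.

    Priority groups are tried in ascending order; inside a group the next
    target is drawn at random with probability proportional to its weight.
    `seed` only fixes the random choice so results are reproducible.
    """
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                pick = group[0]
            else:
                roll = rng.randrange(total)
                acc = 0
                for r in group:
                    acc += r.weight
                    if roll < acc:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def failover_target(records, failed, seed=None):
    """Return the (host, port) the phone should signal to next.

    `failed` is the set of SBC hostnames that did not answer (for example
    after a lost data-center link); the first remaining target in SRV order
    is chosen. Returns None when every target has failed.
    """
    for r in order_srv(records, seed):
        if r.target not in failed:
            return r.target, r.port
    return None


if __name__ == "__main__":
    for rec in order_srv(SRV_ANSWER, seed=1):
        print(rec.priority, rec.weight, rec.target, rec.port)
    print(failover_target(SRV_ANSWER, {"sbc1.dc-a.example.gov", "sbc1.dc-b.example.gov"}, seed=1))
```

Real SIP user agents follow RFC 3263 (NAPTR, then SRV, then A/AAAA) and re-resolve when a target stops answering rather than caching one address; the point the example makes is that both data-center SBCs sit at the same priority, so a single site loss still leaves an equally preferred target before the priority-20 fallbacks are ever used.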

For PSTN connectivity, the cPBX network can be configured to signal to any number of SBCs or proxy servers. Common connections are established between the cPBX network and the SP network that are shared by all end customers of the SP partner. These connections can use either public Internet connectivity, with IPsec tunnels for signaling, or private connections between the SP and the cPBX network.

BroadSoft supports a variety of network access methods, and customers can access BroadSoft Government Cloud either as a fully managed service or Over The Top (OTT):

  • Customer access networks are independent of routing networks
  • Multiple access networks can connect to a common routing network
  • Full local and geographic redundancy for optimal survivability

The following diagram depicts the BroadSoft Government Cloud network boundary design:

Please note: For the security boundary definition, refer to the BroadSoft Government Cloud System Security Plan (SSP) on file with the FedRAMP Program Management Office. BroadSoft houses its SSP in the FedRAMP OMB MAX repository. Federal Agency employees or contractors may review the BroadSoft Government Cloud SSP by completing a FedRAMP Package Request Form, located on the FedRAMP site, and submitting the completed form to info@fedramp.gov.

06 Data Center Security Standards

BroadSoft Government Cloud applications and services are running on multiple servers within BroadSoft Datacenters. BroadSoft Government Cloud provides applications and services that are assured by the implementation of security and availability methods and procedures. These are designed to cover physical access and protection, network connectivity, remote and local access, application and server management, availability and customer sensitive data. BroadSoft partners with datacenter operators with years of experience in design, implementation and operation of large-scale datacenters. These facilities provide physical, environmental and access security, protecting BroadSoft Government Cloud’s physical and virtual application environments.

  • 24×7 facility on-site security personnel
  • Nondescript and unmarked facilities with natural boundary protection
  • Silent alarm system with automatic notification of local law enforcement
  • Building code compliance to local governmental standards

Environmental Safeguards

  • Fully redundant HVAC facilities
  • Automatic fire suppression systems, dual alarmed (heat/smoke), dual interlock with cross-linked event management
  • N+1 redundant UPS power system supporting entire datacenter capacity, with redundant backup generators
  • Biometric scanning and/or 2-factor authentication for access
  • All ingress/egress through vestibules (man-traps)
  • Access requires valid government issued photo ID, and all access history is recorded for audit purposes
  • Authorization required prior to access and is only provided for legitimate business need
  • Shipping and receiving are walled off from co-location areas
  • For both ingress and egress, all material is inspected upon arrival by on-site security staff.

Fraud Prevention

BroadSoft is dedicated to investigating and correcting security vulnerabilities and preventing fraud relating to the BroadSoft Government Cloud portfolio. Solution-specific fraud prevention and detection mechanisms include:

  • Portals that limit access to information based on the business functions and permissions assigned to each user. End users can only access their own information; administrators are limited to managing the specific sites for which they have been authorized. Each access account has distinct credentials, authentication vectors, and permission sets.
  • Business directory information is made available only to users who have been properly authenticated to a management or client portal.
  • Strengthened admin password policy management is available on all phones to address a potential security vulnerability that could lead to user spoofing and ultimately fraudulent call activity.
  • HTTP/HTTPS interfaces are disabled on the IP phones to lock them down and prevent unauthorized access.
  • Security features configured in the SBCs block calls whose source IP address and port do not match the IP address and port recorded at registration, and blacklist IP addresses that send too many failed attempts in a short period of time.

General fraud-related practices utilized for BroadSoft Government Cloud services include:

  • Assign a unique strong alphanumeric authentication password per device 
  • Implement authentication on both REGISTER and INVITE requests 
  • Disable HTTP access on devices and establish a very strong admin password 
  • Implement authentication (user/pwd) for access to config files from configuration server 
  • Force all config server communication to use HTTPS 
  • Implement both server and client (phone) side certificates 
  • Implement UA whitelist in SBCs to restrict access to supported UAs
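The two SBC rules described in this section (reject requests whose source IP and port do not match the registration binding, and blacklist a source after too many failed attempts in a short window), as an added detection example run over constructed log lines; it is not BroadSoft or Oracle SBC code, and the thresholds, addresses, SIP addresses-of-record and log format are assumptions made for the illustration.

```python
"""Registration-binding check and failed-attempt blacklist for a SIP edge.

Added illustration of the SBC rules described above; not BroadSoft or
Oracle SBC code. Thresholds, addresses and the log format are constructed.
"""
from collections import defaultdict, deque

FAIL_LIMIT = 5        # assumed: failed attempts tolerated per window
FAIL_WINDOW = 60      # assumed: window length in seconds
BAN_SECONDS = 600     # assumed: how long a blacklisted source stays blocked


class SbcPolicy:
    def __init__(self):
        self.bindings = {}                  # AoR -> (src_ip, src_port) from last good REGISTER
        self.failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
        self.banned = {}                    # src_ip -> time the blacklist entry expires

    def _is_banned(self, ip, now):
        expiry = self.banned.get(ip)
        if expiry is None:
            return False
        if now >= expiry:            # entry expired: let the source try again
            del self.banned[ip]
            return False
        return True

    def _record_failure(self, ip, now):
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > FAIL_WINDOW:   # drop failures outside the window
            q.popleft()
        if len(q) >= FAIL_LIMIT:                # too many in the window: blacklist
            self.banned[ip] = now + BAN_SECONDS
            q.clear()

    def handle(self, event):
        """Apply the policy to one parsed event; return 'allow', 'reject' or 'drop'."""
        ip, port, now = event["ip"], event["port"], event["ts"]
        if self._is_banned(ip, now):
            return "drop"                       # silently dropped, even if credentials are right
        if event["method"] == "REGISTER":
            if event["auth_ok"]:
                self.bindings[event["aor"]] = (ip, port)   # remember where the AoR lives
                self.failures.pop(ip, None)
                return "allow"
            self._record_failure(ip, now)
            return "reject"
        if event["method"] == "INVITE":
            # Source must match the IP and port bound at registration.
            if self.bindings.get(event["aor"]) != (ip, port):
                self._record_failure(ip, now)
                return "reject"
            return "allow"
        return "reject"


def parse_line(line):
    """Parse one constructed log line: '<ts> <METHOD> <aor> <ip>:<port> auth=ok|fail|na'."""
    ts, method, aor, src, auth = line.split()
    ip, port = src.rsplit(":", 1)
    return {"ts": int(ts), "method": method, "aor": aor, "ip": ip,
            "port": int(port), "auth_ok": auth == "auth=ok"}


# Constructed log: a phone registers and calls from its bound address; a second
# source tries to call as that phone, then guesses passwords for another AoR
# until it is blacklisted, after which even a correct password is dropped.
SAMPLE_LOG = """\
1000 REGISTER sip:2001@example.gov 198.51.100.10:5060 auth=ok
1005 INVITE sip:2001@example.gov 198.51.100.10:5060 auth=na
1010 INVITE sip:2001@example.gov 203.0.113.7:5060 auth=na
1011 REGISTER sip:2002@example.gov 203.0.113.7:5062 auth=fail
1012 REGISTER sip:2002@example.gov 203.0.113.7:5062 auth=fail
1013 REGISTER sip:2002@example.gov 203.0.113.7:5062 auth=fail
1014 REGISTER sip:2002@example.gov 203.0.113.7:5062 auth=fail
1015 REGISTER sip:2002@example.gov 203.0.113.7:5062 auth=ok
"""


def run(log=SAMPLE_LOG):
    """Feed each log line through one policy instance and return the decisions."""
    policy = SbcPolicy()
    return [policy.handle(parse_line(line)) for line in log.splitlines() if line.strip()]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG.splitlines(), run()):
        print(f"{verdict:6} {line}")
```

Two design points worth noting: a mismatched INVITE counts toward the blacklist as well as a failed REGISTER, so an attacker who has found a valid AoR but not its binding still burns through the budget; and the blacklist check runs before authentication, which is what makes the last line of the constructed log a drop even though the guessed password was finally correct.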
07 Why BroadSoft for Government? 

For government agencies needing a secure and simple transition to cloud communications, BroadSoft Government is the logical choice. The BroadSoft Government portfolio suite offers an integrated, comprehensive suite of communications and collaboration functions that meet the stringent federal security requirements – ready for any mission or crisis.

The public sector workplace is changing and requires the use of new technologies that offer more standards-based mobile and secure deployment of communications services, enabling greater access to people and information across agencies. BroadSoft Government puts government workers back in command by giving teams and individuals the power to communicate and collaborate from within their workflow applications, and from the devices and networks they choose.

BroadSoft is the global market share leader of UCaaS with 49% market share (Synergy Research Group) and was recently recognized as a "Visionary" in the 2017 Gartner UCaaS Magic Quadrant.

08 About BroadSoft

Commitment to Standards
BroadSoft is committed to standards-based development of its solutions, which enables interoperability with a variety of applications through APIs, systems and a rich set of pre-built integrations, so that your communications services are connected with your business applications.

Extensive Partner Ecosystem
Our partner ecosystem ranges from leading global service providers to top technology innovators across the communications value chain. 25 of the world’s top 30 service providers across 80 countries have chosen BroadSoft as their trusted partner in cloud unified communications.

Channel partners are an important and vital extension of BroadSoft Government. They provide subject matter expertise, best practices and other value add solutions and services. BroadSoft’s channel partner program supports agents, resellers and service provider business models. 

Our solutions partners are innovators across the cloud communications and collaboration value chain.


For More Information:

public-sector@broadsoft.com
www.broadsoftgovernment.com