Government and Public Sector

Government agencies and public sector organizations operate under strict security and compliance requirements, including FedRAMP in the United States and similar frameworks globally. These requirements affect how software is deployed, updated, and licensed in government environments.

Big Picture addresses government requirements through air-gapped deployment capabilities, vendor-controlled mirrors, local license servers, and policy-driven update governance that respects government IT controls and security clearance requirements.

When This Scenario Applies

This scenario applies when you ship software to:

• Federal, state, and local government agencies
• Public sector organizations and government contractors
• Military and defense contractors
• Organizations requiring FedRAMP compliance
• Systems handling classified or sensitive government information

Government customers typically require air-gapped operation, self-hosted infrastructure, comprehensive security controls, and the ability to operate entirely within government network boundaries.

Regulatory Requirements

FedRAMP Compliance

FedRAMP requires cloud services used by federal agencies to meet specific security requirements. While Big Picture can be deployed as SaaS, government customers often require:

• Self-hosted deployment within government infrastructure
• Air-gapped operation with no external network dependencies
• Vendor-controlled mirrors that operate within government networks
• Local license servers that operate entirely within government boundaries

Big Picture supports these requirements through its mirror architecture and local license server capabilities.

Security Clearance Considerations

Government systems may require security clearances for personnel and systems:

• Administrative access may be restricted to cleared personnel
• Systems may need to operate in classified network environments
• External dependencies may be prohibited or restricted

Big Picture’s local license servers and vendor-controlled mirrors allow operation entirely within government network boundaries, reducing external dependencies and security clearance requirements.

Air-Gapped Deployment Requirements

Many government environments require air-gapped operation:

• Networks may have no external connectivity
• Updates must be deployed through approved secure channels
• License verification must operate without external network access

Big Picture supports air-gapped deployment through:

• Vendor-controlled mirrors that can be updated through secure file transfer or physical media
• Local license servers that operate independently of cloud infrastructure
• Signed snapshot bundles that can be verified without network connectivity
• Cached update metadata and license leases that allow operation offline

Self-Hosted Deployment Options

Government customers often require self-hosted infrastructure:

• Software must run within government-controlled infrastructure
• Vendors cannot have direct access to government systems
• All system components must be deployable within government networks

Big Picture supports self-hosted deployment:

• Vendors can self-host Big Picture in their own infrastructure
• Government customers can deploy local license servers within their networks
• Vendor-controlled mirrors can be deployed within government networks
• All components operate independently of cloud infrastructure when needed

How Big Picture Addresses Government Requirements

Vendor-Controlled Mirrors

Government agencies can mirror Big Picture’s signed snapshot bundles into their networks. This allows:

• Updates to be hosted entirely within government network boundaries
• IT departments to test updates before deployment to production systems
• Compliance with network security policies that prohibit external dependencies
• Complete control over when updates are made available to government systems

Mirrors verify vendor signatures before accepting updates, maintaining trust while operating within government network boundaries. Updates can be transferred through secure channels approved by government security policies.

Local License Server Deployment

Government agencies can deploy Big Picture’s local license server within their networks. This provides:

• License verification that operates entirely within government networks
• License data that never leaves government network boundaries
• Integration with government identity systems for user-based licensing
• Audit logs that remain within government control

Local license servers issue lease tokens using keys provided by vendors through secure channels approved by government security policies, maintaining vendor control over licensing while respecting government network boundaries.

Update Governance for Government Software

Government software requires careful update management:

• Updates must be tested before deployment to production systems
• IT departments must approve updates through formal change management processes
• Different update policies may apply to different security classifications
• Emergency security patches may need expedited approval processes

Big Picture’s policy system supports these requirements:

• MANAGED_BY_IT mode allows IT departments to control when updates are deployed
• Staged rollouts allow testing in non-production environments before production deployment
• Tenant-specific policies allow different update rules for different security classifications
• Kill switches allow immediate blocking of problematic updates

Security Controls

Government systems require strict security controls:

• All system access must be authenticated and authorized
• Administrative functions must be restricted to authorized personnel
• System changes must be logged and auditable
• Cryptographic verification must be used for all critical operations

Big Picture provides:

• Role-based access control for administrative functions
• Comprehensive audit logs of all system activity
• Cryptographic signing of all update decisions and license leases
• Secure key management for signing and license operations

Key Considerations

Network Security Policies

Government networks often have strict security policies:

• Air-gapped networks may be required for classified systems
• Network segmentation may isolate systems by security classification
• External dependencies may be prohibited or restricted

Big Picture’s mirror architecture and local license servers support these requirements, allowing software to operate entirely within government network boundaries.

Change Management

Government agencies require formal change management processes:

• Updates must be approved through change management workflows
• Testing must be documented before production deployment
• Rollback procedures must be available

Big Picture supports change management through:

• Policy controls that prevent unauthorized updates
• Staged rollouts that allow controlled testing
• Audit trails that document update approval and deployment
• Version pinning that allows staying on approved versions

Secure Update Distribution

Updates must be distributed through secure channels:

• Physical media may be required for air-gapped systems
• Secure file transfer may be required for outbound-only networks
• Updates must be verifiable without external network access

Big Picture’s signed snapshot bundles can be distributed through any secure channel and verified cryptographically without network connectivity.

Next Steps

• Review Regulated Environment Deployments for comprehensive guidance on regulated environments
• See Syncing Local License Server for deploying license servers in government networks
• Review Generating Snapshots for creating mirror bundles for air-gapped deployment
• See Offline and Intermittent Connectivity for air-gapped operation guidance
• Review Common Regulatory Requirements for cross-industry regulatory themes