Secure Configuration Guide

PROCORE FOR GOVERNMENT

Available Procore for Government Tools are engineered consistent with the FedRAMP Moderate baseline.

Secure Configuration

ID - SCG-CSO-RSC

Changelog: 2026-02-04: Combined all required and recommended SCG information; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.

Providers MUST create, maintain, and make available recommendations for securely configuring their cloud services (the Secure Configuration Guide) that includes at least the following information:

  • Required: Instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering.

  • Required: Explanations of security-related settings that can be operated only by top-level administrative accounts and their security implications.

  • Recommended: Explanations of security-related settings that can be operated only by privileged accounts and their security implications.

Required Guidance

  1. Access

    1. How to Log in to Procore Web (app.procore.com)

    2. Enable MFA for Your Company

  2. Configuration

    1. Company Permissions Tutorials 

  3. Decommissioning

    1. Deactivate User Accounts in the Company Directory

    2. Deactivate a Company in the Project Directory

  4. Security Related Settings

    1. Admin Accounts

      1. What is a company admin?

      2. What is a Developer Managed Service Account (DMSA)?

      3. Shared Responsibility Model

      4. Security Impact: 

  5. Privileged Accounts

    1. Security Impact

    2. Company Permission Matrix

    3. Enable Security Settings for Logins, Passwords, and Session Time Intervals

    4. Manage Secure File Access for Your Procore Company Account

Use Instructions

ID - SCG-CSO-AUP

Changelog: 2026-02-04: This requirement is new in v-0.9.0 to clarify expectations.

Providers must include instructions in the FedRAMP authorization package that explain how to obtain and use the Secure Configuration Guide.

Guidance: Agencies and Organizations can request a copy of Procore’s Authorization Package via the FedRAMP Marketplace or sending an email request to info@fedramp.gov or support@procore.gov

Public Guidance

ID -SCG-CSO-PUB

Former ID: FRR-RSC-09

Changelog: 2026-02-04: Clarified wording; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.

Providers SHOULD make the Secure Configuration Guide available publicly.

Guidance: The Procore Secure Configuration Guide can be found at Secure Configuration Guide.