Net-Inspect Secure Configuration Guide
Effective Date: February 27, 2026
Compliance: FedRAMP Rev5 Secure Configuration Guide Requirement (SCG-CSO-RSC)
Availability: Public
Document Information
Version History
| Version | Date | Description |
|---|---|---|
| 1.0 | February 27, 2026 | Initial publication |
How to Use This Guide
This guide covers the customer-configurable security settings available within Net-Inspect and their security implications. It is intended for security teams, Information System Security Officers (ISSOs), and Setup Administrators responsible for securely configuring their organization's Net-Inspect account.
This guide does not cover Net-Inspect's internal infrastructure security controls. Information about Net-Inspect's platform-side security posture, including the full FedRAMP Body of Evidence, is available to customers under NDA upon request. Contact sales@net-inspect.com to request access.
1. Overview
Net-Inspect is a Software as a Service (SaaS) platform providing quality management and inspection data solutions for aerospace, defense, and precision manufacturing supply chains. The platform enables customers and their suppliers to manage, share, and track quality records, first article inspections, supplier surveys, and compliance documentation in a secure, cloud-based environment.
Net-Inspect has achieved FedRAMP Equivalency based on the NIST SP 800-53 Rev 5 Moderate control baseline, independently assessed and attested in November 2025. The platform is hosted exclusively in Microsoft Azure for Government, a U.S.-based government-community cloud environment with a FedRAMP High authorization.
This guide is organized as follows:
- Section 2 explains Net-Inspect's account and role hierarchy
- Section 3 covers secure access, configuration, and decommissioning of top-level administrative (Setup Administrator) accounts
- Section 4 describes security-relevant settings controlled by Setup Administrator accounts and the implications of each
- Section 5 covers privileged (Super Administrator) accounts at a high level
- Section 6 provides a quick-reference secure defaults table
2. Account Hierarchy in Net-Inspect
Net-Inspect uses a defined account hierarchy to control who can configure security settings and who can manage users. This guide focuses on two tiers:
Tier 1 — Setup Administrator (Top-Level Administrative Account)
The Setup Administrator is the top-level administrative account in a Net-Inspect customer organization. Net-Inspect provisions the first Setup Administrator account at onboarding. This account type has the broadest set of permissions in the system and is responsible for all account-wide security configurations.
Setup Administrators can:
- Create, modify, and disable all user accounts in the organization
- Assign and manage customer and supplier relationships
- Create and manage Programs (access control groups)
- Configure password policy, multi-factor authentication (MFA), and account inactivity settings
- Modify company information and account-wide preferences
- Align any user to any program or division
Security implication: Because the Setup Administrator controls all security-relevant settings, this account type carries the highest risk if compromised or misconfigured. The guidance in Sections 3 and 4 is specifically designed to reduce this risk.
Tier 2 — Super Administrator (Privileged Account)
The Super Administrator is a privileged account type that can create and modify users, but cannot grant permissions exceeding their own. Super Administrators cannot access or change account-wide security settings such as password policy, MFA configuration, or program management.
Security implication: The Super Administrator's privilege ceiling is constrained by design — they cannot escalate privileges beyond what they themselves hold. However, an over-privileged Super Administrator can still provision other users with inappropriate access. See Section 5.
All Other User Types
All other Net-Inspect user types — including Administrator (read-only observation), Supply Chain User, Operator, Calibrator, and module-specific roles — are standard users and are outside the scope of this guide. Their access is managed by Setup Administrators and Super Administrators.
3. Setup Administrator — Secure Access, Configuration, and Decommissioning
3.1 Initial Provisioning
Net-Inspect creates the first Setup Administrator account for each customer organization at the time of onboarding. Account access is provisioned through a password-setup email sent to the designated administrator's email address. The email contains a one-time link that the recipient uses to set their own password; Net-Inspect never generates a password on the user's behalf or sends one by email.
Required actions upon first login:
- Open the one-time password-setup link from the provisioning email and set a password. The link expires within 24 hours; if it expires before use, contact helpdesk@net-inspect.com to request a new invitation.
- Enroll in multi-factor authentication (MFA) before performing any account configuration. See Section 4.2.
Recommendation: Limit the number of Setup Administrator accounts to the minimum number of individuals who genuinely require account-wide administrative access. Additional administrative needs can often be met by Super Administrator accounts.
3.2 Authentication Requirements
Each Setup Administrator must have a unique user account. Sharing Setup Administrator credentials between individuals is prohibited and undermines the account audit trail.
Setup Administrator accounts should be subject to authentication controls at least as strong as those applied to standard users:
- Strong password policy should be enabled at the account level so that it applies to all users, including Setup Administrators. See Section 4.1.
- MFA must be enrolled by all Setup Administrator accounts. See Section 4.2.
- SSO integration: Organizations using a corporate identity provider (IdP) via SAML 2.0 Single Sign-On should ensure MFA is enforced at the IdP level and confirmed to pass through the SSO handshake to Net-Inspect. See Section 4.3.
3.3 Ongoing Account Review
Setup Administrator accounts should be reviewed periodically to confirm that only active, authorized individuals hold this account type.
To review Setup Administrator accounts:
- Click the gear icon (top-right) > User Management
- In the User Types column, filter for Setup Administrator
Any individual who no longer requires Setup Administrator access should be downgraded to a lesser role (such as Super Administrator or a standard user type) rather than having their account deleted, in order to preserve historical audit records.
Recommendation: Conduct this review at least quarterly, and immediately following any personnel change affecting individuals with Setup Administrator access.
3.4 Decommissioning a Setup Administrator Account
When an individual with Setup Administrator access leaves the organization or no longer requires that level of access:
- Confirm that at least one other active Setup Administrator account remains in the organization before changing the departing user's account
- Immediately downgrade the user to a lesser role or disable the account entirely through User Management; do not transfer or reuse the credentials
- Prefer downgrading or disabling over deleting the account so that historical audit records are preserved (see Section 3.3)
- If your organization's only Setup Administrator is departing, contact helpdesk@net-inspect.com before making any changes so Net-Inspect can assist with continuity
Security implication: Failure to promptly revoke Setup Administrator access upon personnel departure creates ongoing risk of unauthorized account-wide configuration changes or data access.
4. Setup Administrator — Security Settings and Their Implications
The following settings are configurable by Setup Administrators and have direct security implications. For each setting, this section explains what it controls, its default state, the recommended configuration, and the security risk of not following the recommendation.
4.1 Password Policy
What it controls: Whether all users in the account are required to meet a strong password standard.
Default: Not enforced. Users may set passwords that do not meet strong password criteria.
Recommended configuration: Enable strong password enforcement for all users.
Strong password criteria (enforced when this setting is enabled):
- Minimum 8 characters; maximum 256 characters
- Must contain at least one uppercase letter, one lowercase letter, and one number
- Cannot contain the user's identifier (username)
- Cannot start with the “!” or “?” character
- Cannot match any of the user's last 14 passwords
How to configure: Click the gear icon (top-right) > Company Setup > select the Access Control Setup tab > locate the Account Security section. Enable strong password enforcement there and, if your policy requires it, set the password expiration frequency using the dropdown. Click Save when done.
Additional password controls available to Setup Administrators:
- Password expiration frequency: configurable via dropdown (default: “Password does not expire”). When enabled, expiration may be set up to a maximum of 90 days, the ceiling defined in Net-Inspect's password policy.
- Password reuse: prohibited for the last 14 password generations.
- Account lockout: user accounts are automatically locked after 5 consecutive failed login attempts. This control is enforced platform-wide and is not customer-configurable.
Security implication of not enabling: Without strong password enforcement, users may set easily guessable credentials, significantly increasing the risk of unauthorized access through credential-based attacks.
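As an added illustration of the criteria above (example code written for this guide, not part of the Net-Inspect platform), the following Python function applies the same seven rules to a candidate password and reports every rule it violates, which is useful for pre-checking passwords in an organization's own tooling before users hit the platform's rejection. It assumes a per-user history of the last 14 password hashes, compares the username case-insensitively, and uses PBKDF2 from the standard library for the history hashes; those details are assumptions, not Net-Inspect's implementation.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MIN_LEN, MAX_LEN = 8, 256       # length bounds from the strong password criteria
HISTORY_DEPTH = 14              # "cannot match any of the user's last 14 passwords"
FORBIDDEN_LEADING = ("!", "?")  # "cannot start with '!' or '?'"
PBKDF2_ROUNDS = 100_000         # kept modest for demonstration; raise in production


def _hash(password: str, salt: bytes) -> bytes:
    # Illustrative only: PBKDF2 is used because it ships with the stdlib. A real
    # credential store should prefer a memory-hard KDF (argon2id/scrypt) or bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordHistory:
    """Assumed storage model: the newest HISTORY_DEPTH hashes for one user, one salt."""
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    hashes: list = field(default_factory=list)

    def contains(self, password: str) -> bool:
        candidate = _hash(password, self.salt)
        # constant-time comparison against every retained hash
        return any(hmac.compare_digest(candidate, h) for h in self.hashes)

    def record(self, password: str) -> None:
        """Call after a password is accepted; drops anything older than the last 14."""
        self.hashes.append(_hash(password, self.salt))
        del self.hashes[:-HISTORY_DEPTH]


def check_password(username: str, password: str, history: PasswordHistory) -> list:
    """Return the rules the candidate violates; an empty list means it is acceptable."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isupper() for c in password):
        problems.append("missing uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("missing lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("missing digit")
    # Assumption: the username match is case-insensitive (the guide does not say).
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if password[:1] in FORBIDDEN_LEADING:
        problems.append("starts with '!' or '?'")
    if history.contains(password):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample: a user "jdoe" whose previous password was "Winter2025x".
    hist = PasswordHistory()
    hist.record("Winter2025x")
    for candidate in ("Winter2025x", "JDoe2026xyz", "!Secret123", "Ab1", "Spring2026ok"):
        print(f"{candidate!r}: {check_password('jdoe', candidate, hist) or 'OK'}")
```

Because the history holds only hashes, the check never needs plaintext of old passwords; the cost of the single PBKDF2 computation per candidate is the same whether the user has one prior password or fourteen.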
4.2 Multi-Factor Authentication (MFA)
What it controls: Whether users are required to provide a second form of authentication in addition to their username and password when logging in to Net-Inspect.
Default: Not required.
Recommended configuration: Require MFA for all internal users. For organizations whose suppliers access controlled technical data, also require MFA for supplier users.
How to configure:
- Click the gear icon (top-right) > Company Setup
- Select the Access Control Setup tab
- Locate the Multi-Factor Authentication section
- Check the box labeled “Require all internal users to provide secondary authentication upon login”
- Select the allowed MFA methods appropriate for your organization's policy (see below)
- Click Save Changes
Available MFA methods:
- Push notification via Okta Verify app (requires smartphone or tablet)
- One-time passcode via Okta Verify app (requires smartphone or tablet)
Grace period: A 0–30 day grace period can be configured, during which users may log in without MFA while they complete enrollment. Users cannot access data belonging to customers requiring MFA until MFA enrollment is complete, regardless of the grace period setting.
Security implication of not enabling: Accounts without MFA are significantly more vulnerable to unauthorized access through credential theft, phishing, and brute-force attacks. MFA is one of the most effective controls available against account compromise.
4.3 Single Sign-On (SSO) and MFA Integration
What it controls: Whether users authenticate to Net-Inspect through your organization's corporate identity provider (IdP) via SAML 2.0 SSO, and how MFA is handled in that context.
Default: SSO is not configured. Users authenticate directly through the Net-Inspect login page.
Recommended configuration for SSO users: If your organization uses a corporate IdP linked to Net-Inspect, MFA must be enforced at the IdP level and the MFA status must be passed to Net-Inspect through the SAML assertion. When SSO is configured, Net-Inspect honors the MFA event already performed at the customer's identity provider, eliminating the need for users to enroll separately in Net-Inspect MFA. Net-Inspect verifies SAML assertion attributes and Authentication Context values from supported identity providers, including Microsoft Azure AD (now Microsoft Entra ID) and Duo, before admitting the user.
How to configure SSO MFA recognition:
- Navigate to MFA setup (gear icon > Company Setup > Access Control Setup tab > Multi-Factor Authentication section)
- Check the box labeled “All internal users will provide secondary authentication via Single Sign-On (SSO) rather than using Net-Inspect's MFA methods”
- Click Save Changes
- Confirm with your IdP administrator that the SAML response includes a supported MFA assertion attribute or Authentication Context indicating MFA was performed
Important: If your organization uses a corporate portal for Net-Inspect access but that portal does not currently enforce MFA, you must either: (a) begin enforcing MFA at the portal level, or (b) allow users to authenticate directly through the Net-Inspect login page and configure MFA within Net-Inspect. A combination approach is not supported.
SSO setup requires coordination with Net-Inspect. Contact helpdesk@net-inspect.com to initiate SSO integration. Net-Inspect will provide a metadata file and validate the integration before it goes live.
Security implication of misconfiguration: If SSO is configured but the MFA event is not conveyed in the SAML assertion, or Net-Inspect is set to rely on SSO-provided MFA while the IdP does not actually require it, users can sign in without a second factor and nothing in Net-Inspect will alert the Setup Administrator. After configuring SSO, verify the result directly rather than assuming it: sign in with a test user whose IdP policy does not require MFA and confirm that Net-Inspect refuses the session, then sign in with a user who completed MFA at the IdP and confirm access is granted.
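The verification step above can also be scripted on the service-provider side. The following Python example is added for this guide and is not Net-Inspect's own SSO code: it inspects a SAML 2.0 Response and returns True only when the assertion carries an MFA authentication context or method reference, denying on anything missing or password-only. It assumes the Response's XML signature has already been validated by the SP's SAML library (the check must never run on an unverified assertion), uses the `http://schemas.microsoft.com/claims/multipleauthn` value that Microsoft documents for Entra ID (Azure AD), and treats other IdPs' MFA indicators as values the operator adds to the allow-list. The sample responses are constructed for illustration and omit signatures, Subject and Conditions elements.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Context-class / method URIs accepted as proof that a second factor was used.
# The Microsoft value is what Entra ID (Azure AD) emits when MFA was satisfied;
# add your own IdP's documented MFA context or method URIs to this set.
MFA_CONTEXT_CLASSES = frozenset({
    "http://schemas.microsoft.com/claims/multipleauthn",
})
# Entra ID also lists the methods used in this multi-valued attribute.
AUTHN_METHODS_ATTR = "http://schemas.microsoft.com/claims/authnmethodsreferences"


def assertion_proves_mfa(saml_response_xml: str) -> bool:
    """Fail-closed: True only if the assertion states an MFA context or MFA method.

    Precondition (assumed, not implemented here): the Response signature was
    verified and Issuer/Audience/Conditions checks passed in the SAML library.
    """
    root = ET.fromstring(saml_response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:                       # nothing to trust -> deny
        return False
    # 1) AuthnContextClassRef inside each AuthnStatement
    for ref in assertion.findall(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS):
        if (ref.text or "").strip() in MFA_CONTEXT_CLASSES:
            return True
    # 2) authnmethodsreferences attribute (Entra ID style): any value denoting MFA
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == AUTHN_METHODS_ATTR:
            values = {(v.text or "").strip()
                      for v in attr.findall("saml:AttributeValue", NS)}
            if values & MFA_CONTEXT_CLASSES:
                return True
    return False                                # password-only or absent -> deny


def sample_response(context_class: Optional[str], methods: Tuple[str, ...] = ()) -> str:
    """Constructed, unsigned sample Response for demonstration (not a real IdP capture)."""
    authn = "" if context_class is None else (
        '<saml:AuthnStatement AuthnInstant="2026-02-27T12:00:00Z"><saml:AuthnContext>'
        f"<saml:AuthnContextClassRef>{context_class}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement>"
    )
    values = "".join(f"<saml:AttributeValue>{m}</saml:AttributeValue>" for m in methods)
    attrs = "" if not methods else (
        f'<saml:AttributeStatement><saml:Attribute Name="{AUTHN_METHODS_ATTR}">'
        f"{values}</saml:Attribute></saml:AttributeStatement>"
    )
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0">'
        "<saml:Issuer>https://sts.windows.net/EXAMPLE-TENANT/</saml:Issuer>"
        f"{authn}{attrs}</saml:Assertion></samlp:Response>"
    )


PASSWORD_URI = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"
PASSWORD_ONLY = sample_response(
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", (PASSWORD_URI,))
WITH_MFA = sample_response(
    "http://schemas.microsoft.com/claims/multipleauthn",
    (PASSWORD_URI, "http://schemas.microsoft.com/claims/multipleauthn"))
METHODS_ONLY = sample_response(
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    (PASSWORD_URI, "http://schemas.microsoft.com/claims/multipleauthn"))
NO_AUTHN = sample_response(None)

if __name__ == "__main__":
    for name, xml in (("password only", PASSWORD_ONLY), ("with MFA", WITH_MFA),
                      ("methods attribute only", METHODS_ONLY), ("no AuthnStatement", NO_AUTHN)):
        print(f"{name}: {'admit' if assertion_proves_mfa(xml) else 'deny'}")
```

Run the check only on the assertion your SAML library has already signature-verified; an unsigned or replayed Response parses just as cleanly as a genuine one, and the bypass this section warns about is exactly a password-only assertion being accepted because nobody looked at its authentication context.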
4.4 Account Inactivity Auto-Disable
What it controls: The number of days of inactivity after which a user account is automatically disabled. As the threshold approaches, the user is warned by email; if no login occurs before the threshold is reached, the account is disabled automatically.
Default: Not set. Inactive accounts are not automatically disabled.
Recommended configuration: Set to 30–90 days, consistent with your organization's access management policy.
How to configure: Click the gear icon (top-right) > Company Setup > select the Access Control Setup tab > locate the User Access Monitoring section on the right side of the page. Check “Enable User Access Monitoring”, then set the “Deactivate user X days after last access” field (accepts 10–180 days). Optionally configure the advance warning period using the “Warn user about account deactivation X days in advance” field. Click Save when done.
Security implication of not enabling: Inactive accounts that remain enabled represent unnecessary access risk. Former employees, contractors, or users who have changed roles may retain access to technical data without any active use — and without the organization's awareness. Automatic disabling is a key control for maintaining least-privilege access over time.
4.5 Session Timeout
What it controls: The length of time a user's Net-Inspect session remains active after a period of inactivity before requiring re-authentication.
Default: Net-Inspect system default (platform-managed).
Recommended configuration: Configure the shortest practical timeout for your operational environment.
How to configure: Session timeout is not self-service. Contact helpdesk@net-inspect.com to discuss and request a session timeout adjustment for your account.
Security implication of not configuring: Long session timeouts increase the risk of unauthorized access from unattended workstations or sessions left open on shared or public devices.
4.6 Program Access Controls
What it controls: Programs are access control groups that determine which users — internal and supplier — can view and interact with which parts and technical data. A user must be aligned to a Program to access the records associated with it.
Default: No Programs configured. Without Programs, all aligned users in the account can access all available data.
Recommended configuration: Create Programs aligned to export classification (e.g., Export Controlled, Not ITAR, License Number) or by business function. Assign users only to the Programs they require to perform their role.
How to configure: Click the gear icon (top-right) > Company Setup > General Setup tab > select Programs from the left sidebar. Click + Add Program to create a new program. Assign users to Programs through User Management.
Security implication of misconfiguration: Without Program-level access controls, users — including supplier users — may have visibility into controlled technical data they are not authorized to access. For defense and aerospace customers handling export-controlled data, failure to configure Program controls may result in EAR/ITAR compliance violations.
4.7 Supplier Account Alignments
What it controls: Which supplier organizations are connected to your Net-Inspect account and what data flows between your account and theirs.
Default: No suppliers aligned until explicitly added by a Setup Administrator.
Recommended configuration: Review supplier alignments periodically. Remove alignments for suppliers who are no longer active partners.
How to configure: Navigate to Supply Chain > Suppliers to view and manage supplier alignments.
Security implication of not reviewing: Outdated supplier alignments may allow former partners continued access to your organization's technical data. Because supplier administrators manage their own users independently, a supplier organization may have personnel with active access to your data even after the business relationship has ended.
4.8 Shared and Group Accounts
What it controls: Whether individual user accounts are shared among multiple people.
Default: Net-Inspect does not technically prevent credential sharing, but it is explicitly prohibited by Net-Inspect's Rules of Behavior, which all users must agree to upon login.
Recommended configuration: Enforce through organizational policy — every user must have a unique account. Shared or group accounts are not permitted.
Security implication: Shared accounts eliminate individual accountability, make audit log review meaningless, and violate federal identity management requirements. Each user must be uniquely identified and authenticated.
5. Super Administrator — Security Guidance
Super Administrator accounts are privileged accounts that can create and modify users but cannot change account-wide security settings or grant permissions exceeding their own.
5.1 Appropriate Use
Super Administrator accounts are appropriate for individuals responsible for day-to-day user management — such as onboarding new employees or removing departed ones — who do not need access to account-wide security configuration.
Recommendation: Reserve Setup Administrator accounts for security configuration tasks. Use Super Administrator accounts for routine user management wherever possible.
5.2 User Provisioning Responsibility
Super Administrators should follow the same identity proofing standards as Setup Administrators before provisioning any new user account. Before creating an account, the Super Administrator should confirm the individual's identity and their legitimate need for access.
Recommendation: Establish an internal request and approval process before a Super Administrator creates any new account. Document this process as part of your organization's access management procedures.
5.3 Privilege Ceiling
Because Super Administrators cannot grant permissions beyond what they themselves hold, privilege escalation through the Super Administrator role is constrained by design. However, an over-privileged Super Administrator can still provision users with inappropriate levels of access.
Recommendation: Review Super Administrator accounts and their alignments periodically. A Super Administrator who has been granted broad program access may inadvertently provision other users with the same broad access. Scope Super Administrator alignments to only what is necessary for their user management responsibilities.
6. Secure Defaults Reference
The following table summarizes all customer-configurable security settings covered in this guide, their default state, and Net-Inspect's recommended configuration.
| Setting | Default State | Recommended Configuration | Configured By | Self-Service |
|---|---|---|---|---|
| Strong password enforcement | Off | On | Setup Administrator | Yes |
| Password expiration frequency | Does not expire | Set expiration per org policy (e.g., 90 days) | Setup Administrator | Yes |
| Password reuse restriction | 14 generations | 14 generations (platform enforced) | Net-Inspect (platform) | N/A |
| MFA — all internal users | Off | Required | Setup Administrator | Yes |
| MFA — supplier users | Off | Required for accounts handling controlled technical data | Setup Administrator | Yes |
| SSO MFA handshake verification | Not configured | Verify MFA assertion passes through SAML response | Setup Administrator + Net-Inspect | Partial — requires Net-Inspect coordination |
| Account inactivity auto-disable | Off | 30–90 days per org policy | Setup Administrator | Yes |
| Session timeout | Platform default | Shortest practical duration | Net-Inspect (on request) | No — contact helpdesk |
| Program access controls | None configured | Define by export classification and/or business function | Setup Administrator | Yes |
| Supplier alignments | None until added | Review quarterly; remove inactive suppliers | Setup Administrator | Yes |
| Shared/group accounts | Not enforced by platform | Prohibited by policy — one account per individual | Customer organizational policy | Policy only |
7. Getting Help
Help Desk (configuration assistance, account issues, SSO setup):
helpdesk@net-inspect.com
Security and compliance inquiries (FedRAMP Body of Evidence requests, ISSO support):
ItSecurity@net-inspect.com
Net-Inspect's full FedRAMP Body of Evidence — including the System Security Plan, Security Assessment Report, Customer Responsibility Matrix, and supporting appendices — is available to customers and their authorized representatives under a Non-Disclosure Agreement upon request.