Across all industries, we recognize employees and stakeholders are demanding more flexibility in where they work. This flexibility introduces challenges to the traditional landscape of information technology (IT), particularly with things like cybersecurity attacks and ransomware attacks becoming increasingly common. This is particularly true for our public sector partners who continue to deliver essential services to keep our government running. The public sector cannot ignore the real government cybersecurity risks it faces, and while they must modernize and adapt to this new operating model, security continues to be paramount in their decision-making process.
As a former executive in the federal government, my career focused on modernizing the government’s legacy IT by pushing for secure, modern technologies like cloud computing. When I started in 2009, cloud computing wasn’t well known or widely recognized. Now, cloud computing and modern technologies are used at every federal agency, and in 2020, federal agencies spent $6.6 billion, in total contract value, on cloud computing services.
One of the biggest hurdles to cloud computing adoption in the U.S. has been government cybersecurity. The U.S. government has some of the world’s most sensitive data. The federal government alone is the largest purchaser of IT at around $100 billion in spend per year. As the public sector moves to the cloud, government cybersecurity will always be a roadblock to widespread adoption, and until recent years, the U.S. government couldn’t modernize its most sensitive systems because there was no standard for doing so. Enter FedRAMP (Federal Risk and Authorization Management Program).
FedRAMP is the U.S. government’s program to enforce cybersecurity standards and drive cloud adoption through the reuse of security authorizations, a program I helped create and led for five years. FedRAMP has evolved since its launch in 2011 to include standards for all levels of cybersecurity under the classified/national security level. When FedRAMP released its requirements for the highest sensitivity level in 2016, it estimated that over 50% of federal IT spend was on these systems, many of which are over 40 years old with no clear path to modernization.
We understand how important it is for our public sector partners to use modern technologies to deliver on their mission while ensuring the government’s most sensitive data is secure. Since our number one value as a company is trust, we live and breathe cybersecurity to ensure trust with billions of secure transactions processed daily. That’s why Salesforce Government Cloud Plus, powered by AWS GovCloud (U.S.), is designed and engineered to meet some of the U.S. government’s highest security standards for cloud computing — FedRAMP High and Department of Defense (DoD) Impact Level 4 (IL4).
With this new environment, the U.S. government can leverage Salesforce for many of its most sensitive data types. The government defines data, at this level, as information that can potentially impact the life or limb of individuals, the entire degradation of an organization, or a financial catastrophe. In simple terms, this means healthcare, law enforcement, financial, and (some) defense data. While the vast majority of high-impact systems are located at the federal level at agencies like the DoD, Department of Homeland Security (DHS), Department of Veterans Affairs (VA), Department of the Treasury (USDT), and Department of Health and Human Services (HHS), almost every federal agency has high-impact systems as well.
But this need for security isn’t restricted to the federal government. Many state and local governments must follow federal laws for protecting law enforcement, healthcare, and educational data, as well. And, as many of our partners support the U.S. government, at the local, state, and federal levels, this environment grants them the reliability and security they need. Our public sector partners can use the most modern, up-to-date technology for their most sensitive workloads.
Some benefits of using Government Cloud Plus include:
A fully managed PaaS/SaaS
Salesforce fully manages the Salesforce Government Cloud Plus environment, allowing our customers to focus on their mission rather than IT. Since we support everything from the latest patch updates and vulnerability scans to the three yearly updates to the platform, we help ensure government agencies (and those who work with them) always have the latest version and are never in an outdated environment.
High validation levels
To achieve a FedRAMP authorization, we underwent a rigorous audit by a FedRAMP accredited third-party assessment organization (3PAO). The audit covered over 400 unique FedRAMP requirements and additional DoD requirements, including the DoD Privacy Overlay—everything from data center backup generators to encryption capabilities to logging capabilities for access to the system, and of course, penetration tests. Additionally, the audit ensures our system meets rigorous federal standards around features like encryption and authentication. To make sure we are compliant, we will do these audits annually and any time we make major upgrades to the platform.
Provisional authorizations by the FedRAMP Joint Authorization Board and DISA
The Joint Authorization Board (or JAB), composed of CIOs (chief information officers) from DoD, DHS, and the General Services Administration, provides the highest level of FedRAMP review. With their distinct perspectives on operations within the U.S. government (external and internal defense, and business), an authorization by the JAB ensures the Salesforce environment is suitable at a high-impact level for almost any federal use case. Additionally, the JAB is responsible for maintaining FedRAMP authorization, freeing up time for the public sector employees who might’ve had to do that work individually.
Additionally, this environment has been provisionally authorized by DISA (the Defense Information Systems Agency) at DoD’s IL4, allowing DoD to store and process Controlled Unclassified Information (CUI), including DoD Personally Identifiable Information (PII) and Protected Health Information (PHI).
Fully U.S.-based operations
Additionally, all our Government Cloud Plus operations are located within the United States. Since Government Cloud Plus leverages AWS’s FedRAMP High infrastructure, our offering is physically isolated from non-U.S. government systems. For additional peace of mind, we also have a 24×7 team of cleared U.S. citizens maintaining the environment and responding in real time to any potential threats.
During times of crisis like those public sector customers face, we’re ready to support them in whatever way we can. It’s been a long journey since cloud computing began to be adopted by the U.S. government, but with our suite of Government Cloud offerings, we know we can continue to support public sector partners in their digital transformation efforts while maintaining the highest level of security and trust.
Government Cloud Plus Security Whitepaper
This whitepaper provides an overview of Salesforce’s principles of trust and compliance specifically for Salesforce Government Cloud Plus in the context of Federal Risk and Authorization Management Program (FedRAMP) and the Department of Defense (DoD) Cloud Computing Security Requirements Guide (CC SRG).