Salesforce’s industry-leading customer platform has become the world’s leading enterprise cloud ecosystem, helping companies of all sizes, from any industry, connect to their stakeholders like never before using the latest innovations in mobile, social, and cloud technology. This vision would not be possible without core values that prioritize the confidentiality, integrity, and security of our customers’ data.

To bring this vision to life, our executive team is committed to ensuring and continuously improving the security of Salesforce services, including the establishment of our Government Cloud. The Salesforce Government Cloud is a portion of Salesforce’s multitenant public cloud infrastructure, specifically partitioned for use by Federal, state, and local government agencies, including the U.S. Department of Defense, as well as the community of government contractors and Federally Funded Research and Development Centers (FFRDCs).

“Trust is our #1 value. Nothing is more important to our company than the privacy of our customer’s data.” — Parker Harris, Salesforce Co-Founder.

Salesforce maintains compliance with comprehensive privacy and security standards and certifications, including those described below.

In May 2014, Salesforce achieved a FedRAMP Agency Authority to Operate (ATO) at the moderate impact level issued by Health and Human Services (HHS) for the Salesforce Government Cloud. The Salesforce Government Cloud information system and authorization boundary comprises the Platform, the in-scope Salesforce Services branded as Sales Cloud, Service Cloud, Analytics Cloud, and Chatter, and the backend infrastructure that supports the operations of these products. A complete list of current in-scope Salesforce products included in the authorization boundary is available upon request.

The Salesforce Government Cloud has been granted a Provisional Authorization for Impact Level 2 (IL2) from the Defense Information Systems Agency (DISA), leveraging Salesforce’s FedRAMP Moderate ATO. Impact Level 2 is for Non-Controlled Unclassified Information, which includes all data cleared for public release, as well as some DoD private unclassified information that is not designated as CUI or critical mission data but still requires some minimal level of access control.

On December 30, 2015, the Department of Defense updated the Defense Acquisition Regulation Supplement (DFARS 252.204-7012) to require prime contractors and their subcontractors to adhere to National Institute of Standards and Technology (NIST) SP 800-171. The revised rule gives contractors until December 31, 2017 to fully implement all NIST SP 800-171 controls on covered contractor information systems. NIST 800-171 provides recommended requirements for protecting controlled unclassified information in non-federal information systems and organizations. The Salesforce Government Cloud has a FedRAMP Authority to Operate at the moderate impact level (based on NIST 800-53 Rev. 4). Appendix D of NIST 800-171 includes a mapping of the NIST 800-171 requirements to the NIST 800-53 controls. Salesforce’s Government Cloud FedRAMP Authority to Operate demonstrates compliance with NIST 800-171 to the extent set forth in Appendix D.

Salesforce’s architecture provides a scalable, reliable platform designed to enable customers to deploy applications and data quickly and securely in support of a wide variety of security and regulatory requirements. Salesforce makes a Workbook available for customers to evaluate the shared responsibilities associated with using Salesforce services in connection with Criminal Justice Information Services (CJIS) information.

In order to further support customers that may have complex security, governance, and compliance requirements, the Salesforce Government Cloud offers a premium set of integrated services built natively on the platform that customers can leverage. Two of these services — Event Monitoring and Platform Encryption — are described below:

Event Monitoring gives customers unprecedented visibility into their Salesforce services apps, letting them easily see what data users are accessing, from what IP address, and what actions are being taken with regard to that data. Customers can simply access a standard CSV (comma-separated values) file via API (application programming interface) and can pull the usage data into any number of visualization tools. This feature could enable a customer to track when a page or list view is printed, when a record is edited or created, when ownership of a record is changed, when a list is modified, or even when a user exports data.

Salesforce encryption services enable departments and agencies to encrypt both standard and custom fields and attachments in a way that natively integrates with key Salesforce features, such as search, Chatter, Lookups, and more. Platform Encryption is built natively into the platform and enables a customer to encrypt data (that is submitted to the Salesforce Services) at rest while maintaining important application functionality.

Platform Encryption is FIPS 140-2 compliant and encrypts the data, files, and attachments. Customers have the ability to manage the lifecycle of data encryption keys, which are hardware security module based, and customers have controls over policy configurations.

With respect to providing and operating the Salesforce Government Cloud, Salesforce complies with the HIPAA Security Rule to the extent the requirements apply to Salesforce in its capacity as a business associate. Additionally, Salesforce is proud to maintain compliance with the world’s most demanding security and auditing standards with respect to Salesforce Government Cloud:

  • PCI DSS Level 1
  • ISO 27001/27018
  • SOC 1/SSAE 16/ISAE 3402 (formerly SAS70)
  • SOC 2
  • SOC 3

To learn more about security at Salesforce, visit

Contact us to talk about solutions from the Salesforce Government Cloud. We’ll help you set up a strategy to start connecting people and streamlining processes like never before.