“Trust is our #1 value. Nothing is more important to our company than the privacy of our customer’s data.”
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP has accelerated the adoption of secure cloud solutions by letting agencies reuse assessments and authorizations rather than repeating them. FedRAMP applies a standardized set of requirements, established in accordance with the Federal Information Security Management Act (FISMA), to improve consistency and confidence in the security of cloud solutions. Cloud Service Providers (CSPs) that support U.S. government customers or operate on U.S. government information are responsible for complying with the requirements established by the FedRAMP program.
In May 2014, Salesforce achieved, and has since maintained, a FedRAMP Agency Authority to Operate (ATO) at the moderate impact level for the Salesforce Government Cloud, issued by the U.S. Department of Health and Human Services (HHS).
The Salesforce Government Cloud is a partitioned instance of salesforce.com’s multi-tenant community cloud infrastructure, specifically for use by U.S. federal, state, and local government customers, U.S. government contractors, and Federally Funded Research and Development Centers (FFRDCs). The service model for the Salesforce Government Cloud is Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). The Salesforce Government Cloud comprises the Salesforce Services (Sales Cloud, Service Cloud, Chatter, Analytics Cloud, Work.com), the Force.com Platform, Industries Apps (Health Cloud, Financial Services Cloud), Platform Encryption, Communities, and the backend infrastructure that supports the operation of these products. A complete list of the Salesforce products currently inside the authorization boundary is available upon request.
Defense Information Systems Agency Impact Level 2 (DISA IL2)
The Salesforce Government Cloud has been granted a Provisional Authorization for Information Impact Level 2 from the Defense Information Systems Agency (DISA), building upon the Salesforce Government Cloud's existing FedRAMP Agency ATO. This authorization enables U.S. DoD customers to use the Salesforce Government Cloud for information and workloads that are authorized for public release, that is, "non-controlled, unclassified information". It also covers non-sensitive information that, while not considered "mission critical", still requires some access restrictions.
Defense Information Systems Agency Impact Level 4 (DISA IL4)
The Salesforce Government Cloud has been granted a Provisional Authorization for Impact Level 4 (IL4) from the Defense Information Systems Agency (DISA), leveraging Salesforce’s FedRAMP Moderate ATO. This gives DoD mission owners and authorized contractors the ability to use the Salesforce Government Cloud to manage Controlled Unclassified Information (CUI), including Personally Identifiable Information (PII) and Protected Health Information (PHI), as well as other data requiring protection from unauthorized disclosure and other mission-critical data.
NIST Special Publication 800-171
On December 30, 2015, the Department of Defense updated the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012) to require prime contractors and their subcontractors to adhere to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations. The revised regulation gives contractors until December 31, 2017 to fully implement the NIST SP 800-171 requirements on unclassified information systems that are owned, or operated by or for, a contractor and that process, store, or transmit covered defense information, including CUI.
In the context of the Salesforce Government Cloud, DoD contractors can reference the Salesforce Government Cloud’s existing FedRAMP Agency Authority to Operate (ATO). The Salesforce Government Cloud ATO was issued at the moderate impact level and is based on the control baseline in NIST Special Publication 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations. NIST SP 800-171 Appendix D maps each NIST SP 800-171 requirement to the corresponding NIST SP 800-53 Rev. 4 controls, so a contractor can trace which 800-171 requirements are addressed by controls inside the Salesforce authorization boundary. Requirements that depend on how the contractor configures its own Salesforce org (for example, user account management and access enforcement) remain the contractor’s responsibility to implement and document.
Event Monitoring gives customers detailed visibility into their Salesforce applications, letting them see which data users are accessing, from which IP address, and what actions are being taken on that data. Customers retrieve the log data as a standard CSV (comma-separated value) file via the API (application programming interface) and can load it into any number of visualization or analysis tools. This feature lets a customer track, for example, when a page or list view is printed, when a record is edited or created, when ownership of a record is changed, when a list is modified, or when a user exports data.
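As a worked illustration of the kind of detection a customer can run over these files (added here; this is not Salesforce’s own code), the Python below parses a constructed sample of Event Monitoring CSV rows and flags report exports that come from outside an assumed trusted network or that exceed an assumed per-user volume. In production the CSV would be downloaded from the EventLogFile object through the API; the column subset, IP ranges, user IDs and threshold used here are assumptions made for the example.

```python
"""Detection over Salesforce Event Monitoring CSV rows.

Added example, not Salesforce code. The CSV below is constructed for
illustration and uses only a small subset of the columns that real
Event Monitoring log files carry. Network ranges, user IDs and the
export threshold are assumptions.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample rows in the CSV shape of an Event Monitoring log file.
# ReportExport is the event type written when a user exports a report.
SAMPLE_EVENT_LOG_CSV = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,URI
URI,20160301120001.000,005000000000001,10.1.2.3,/001/o
ReportExport,20160301120105.000,005000000000001,10.1.2.3,/00O000000000001/e
ReportExport,20160301120130.000,005000000000002,203.0.113.44,/00O000000000002/e
ReportExport,20160301120131.000,005000000000002,203.0.113.44,/00O000000000003/e
ReportExport,20160301120132.000,005000000000002,203.0.113.44,/00O000000000004/e
ReportExport,20160301120133.000,005000000000002,203.0.113.44,/00O000000000005/e
URI,20160301120200.000,005000000000003,10.1.5.9,/003/o
"""

# Assumption: the agency's approved egress ranges (VPN / TIC / office space).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumption: more than this many exports by one user in one log file
# is worth an analyst's attention.
EXPORT_THRESHOLD = 3


def parse_event_log(csv_text):
    """Parse Event Monitoring CSV text into a list of dict rows keyed by column."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_trusted_ip(ip_str):
    """True if the client IP falls inside one of the trusted networks.
    Unparseable addresses are treated as untrusted rather than ignored."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_suspicious_exports(rows, threshold=EXPORT_THRESHOLD):
    """Return a list of findings over ReportExport events.

    Two rules: an export from an untrusted source IP, and a per-user
    export count above the threshold. Non-export events are ignored.
    """
    findings = []
    exports_by_user = defaultdict(list)
    for row in rows:
        if row["EVENT_TYPE"] != "ReportExport":
            continue
        exports_by_user[row["USER_ID"]].append(row)
        if not is_trusted_ip(row["CLIENT_IP"]):
            findings.append({
                "rule": "export_from_untrusted_ip",
                "user": row["USER_ID"],
                "ip": row["CLIENT_IP"],
                "timestamp": row["TIMESTAMP"],
                "uri": row["URI"],
            })
    for user, events in exports_by_user.items():
        if len(events) > threshold:
            findings.append({
                "rule": "export_volume",
                "user": user,
                "count": len(events),
                "first": events[0]["TIMESTAMP"],
                "last": events[-1]["TIMESTAMP"],
            })
    return findings


def users_with_findings(findings):
    """Distinct user IDs that triggered at least one rule."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    rows = parse_event_log(SAMPLE_EVENT_LOG_CSV)
    for finding in find_suspicious_exports(rows):
        print(finding)
```

The two rules are deliberately independent: a single export from an unknown network is already interesting on a government org, while a burst of exports from an approved network can indicate bulk data staging by an insider. Both rely on the log's CLIENT_IP and USER_ID columns, which is why the feature's per-request IP and user attribution matters more than the aggregate usage counts that dashboards usually show.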
Salesforce encryption services enable departments and agencies to encrypt both standard and custom fields and attachments in a way that integrates natively with key Salesforce features such as search, Chatter, and Lookups. Platform Encryption is built into the Force.com platform and lets a customer encrypt data submitted to the Salesforce Services at rest while preserving important application functionality.
Platform Encryption encrypts data, files, and attachments. Customers manage the lifecycle of the data encryption keys, whose key material is generated and protected by hardware security modules, and customers control the encryption policy configuration. Encryption at rest protects stored data against disclosure outside the application; it does not replace field-level and object-level access controls, since users who are authorized to view an encrypted field still see its plaintext in the application.