Salesforce’s industry-leading customer platform has become the world’s leading enterprise cloud ecosystem, helping companies of all sizes, from any industry, connect to their stakeholders like never before using the latest innovations in mobile, social, and cloud technology. This vision would not be possible without core values that prioritize confidentiality, integrity, and security of our customer’s data.

To bring this vision to life, our executive team is committed to ensuring and continuously improving the security of Salesforce services, including the establishment of our Government Cloud. The Salesforce Government Cloud is a portion of Salesforce’s multitenant public cloud infrastructure, specifically partitioned for use by Federal, state, and local government agencies, including the U.S. Department of Defense, as well as the community of government contractors and Federally Funded Research and Development Centers (FFRDCs).

Trust is our #1 value. Nothing is more important to our company than the privacy of our customer’s data.”

Parker Harris, Salesforce Co-Founder

Salesforce maintains compliance with comprehensive privacy and security standards and certifications, including some of the following:

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP program has helped to accelerate the adoption of secure cloud solutions through the reuse of assessments and authorizations across government agencies. FedRAMP leverages a standardized set of requirements, established in accordance with the Federal Information Security Management Act (FISMA), to improve consistency and confidence in the security of cloud solutions. Cloud Service Providers (CSP) that support U.S. government customers or operate on U.S. government information are responsible for complying with the requirements established by the FedRAMP program.

In May 2014, Salesforce achieved and has since maintained a FedRAMP Agency Authority to Operate (ATO) at the moderate impact level issued by U.S. Department of Health and Human Services (HHS) for the Salesforce Government Cloud.

The Salesforce Government Cloud is a partitioned instance of salesforce.com’s multi-tenant community cloud infrastructure, specifically for use by U.S federal, state, and local government customers, U.S. government contractors, and Federally Funded Research and Development Centers (FFRDCs). The service model for the Salesforce Government Cloud is Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). The Salesforce Government Cloud is comprised of the Salesforce Services (Sales Cloud, Service Cloud, Chatter, Analytics Cloud, Work.com), Force.com Platform, Industries Apps (Health Cloud, Financial Services Cloud), Platform Encryption, Communities and the backend infrastructure that support the operations of these products.  A complete list of current in-scope Salesforce products included in the authorization boundary is available upon request.

The U.S. Department of Defense (DoD) has unique information protection requirements that extend beyond the common set of requirements established by the FedRAMP program. Using FedRAMP requirements as a foundation, the U.S. DoD specifically has defined additional cloud computing security and compliance requirements in their DoD Cloud Computing Security Requirements Guide (SRG). Cloud Service Providers supporting U.S. DoD customers are required to comply with these requirements.

Defense Information Systems Agency Impact Level 2 (DISA IL2)

The Salesforce Government Cloud has been granted a Provisional Authorization for Information Impact Level 2 from Defense Information Systems Agency (DISA) by building upon the Salesforce Government Cloud's existing FedRAMP Agency ATO. This authorization enables U.S. DoD customers to leverage the Salesforce Government Cloud for information and workloads that are authorized for public release, specifically "non-controlled, unclassified information". In addition, this authorization supports non-sensitive information that, while not considered "mission critical", still requires some access restrictions.

Defense Information Systems Agency Impact Level 4 (IL4)

The Salesforce Government Cloud has been granted Provisional Authorization for Impact Level 4 (IL4) from Defense Information Systems Agency (DISA) leveraging Salesforce’s FedRAMP Moderate ATO.  This provides DoD mission owners and authorized contractors the ability to utilize the Salesforce Government Cloud to manage Controlled Unclassified Information, including Personal Identifiable Information (PII) and Protected Health Information (PHI).  This also includes data requiring protection from unauthorized disclosure and other mission-critical data.

NIST Special Publication 800-171

On December 30, 2015, Department of Defense updated the Defense Acquisition Regulation Supplement (DFARS 252.204-7012) to require prime contractors and their subcontractors to adhere to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations. The revised regulation gives contractors until December 31, 2017 to fully implement NIST SP 800-171 requirements on unclassified information systems that are owned, or operated by or for, a contractor and that process, store, or transmit covered defense information, including controlled unclassified information (CUI).

In the context of the Salesforce Government Cloud, DoD contractors can reference the Salesforce Government Cloud’s existing FedRAMP Agency Authority to Operate (ATO). The Salesforce Government Cloud ATO was issued at the moderate impact level and is based on NIST Special Publication 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, controls. NIST SP 800-171 Appendix D provides a mapping between NIST SP 800-171 requirements and NIST SP 800-53 Rev. 4 controls.

The Information Security Registered Assessors Program (iRAP) is an Australian Signals Directorate (ASD) initiative to provide high-quality information and communications technology (ICT) services to government in support of Australia's security. iRAP provides the framework to endorse individuals from the private and public sectors to provide cyber security assessment services to Australian governments. Endorsed iRAP Assessors can provide an independent assessment of ICT security, suggest mitigations and highlight residual risks. iRAP Assessors may provide assessment up to the TOP SECRET level for cloud services and others.

In order to further support customers that may have complex security, governance, and compliance requirements, the Salesforce Government Cloud offers a premium set of integrated services built natively on the Force.com platform that customers can leverage. Two of these services — Event Monitoring and Platform Encryption — are described below:

Event Monitoring

Event Monitoring gives customers unprecedented visibility into their Salesforce services apps, letting them easily see what data users are accessing, from what IP address, and what actions are being taken in regards to that data. Customers can simply access a standard CSV (comma-separated-value) file via API (application program interface) and can pull the usage data into any number of visualization tools. This feature could enable a customer to track when a page or list view is printed, when a record is edited or created, when ownership of a record is changed, when a list is modified, or even when a user exports data.

Platform Encryption

Salesforce encryption services enable departments and agencies to encrypt both standard and custom fields and attachments in a way that natively integrates with key Salesforce features, such as search, Chatter, Lookups, and more. Platform Encryption is built natively into the Force.com platform and enables a customer to encrypt data (that is submitted to the Salesforce Services) at rest while maintaining important application functionality.

Platform Encryption encrypts the data, files, and attachments. Customers have the ability to manage the lifecycle of data encryption keys, which are hardware security module based, and customers have controls over policy configurations.

With respect to providing and operating the Salesforce Government Cloud, Salesforce complies with the HIPAA Security Rule to the extent the requirements apply to Salesforce in its capacity as a business associate. Additionally, Salesforce is proud to maintain compliance with the world’s most demanding security and auditing standards with respect to Salesforce Government Cloud:

  • PCI DSS Level 1
  • ISO 27001/27018
  • SOC 1/SSAE 16/ISAE 3402 (formerly SAS70)
  • SOC 2
  • SOC 3


To learn more about security at Salesforce, visit trust.salesforce.com.

Contact us to talk about solutions from the Salesforce Government Cloud. We’ll help you set up a strategy to start connecting people and streamlining processes like never before.

OR CALL 1-844-807-8829