Salesforce’s industry-leading customer platform has become the world’s leading enterprise cloud ecosystem, helping companies of all sizes, from any industry, connect to their stakeholders like never before using the latest innovations in mobile, social, and cloud technology. This vision would not be possible without core values that prioritize confidentiality, integrity, and security of our customer’s data.

“Trust is our #1 value. Nothing is more important to our company than the privacy of our customer’s data.”

Parker Harris, Salesforce Co-Founder

To bring this vision to life, our executive team is committed to ensuring and continuously improving the security of Salesforce services, including the establishment of our Government Cloud. The Salesforce Government Cloud is a portion of Salesforce’s multitenant public cloud infrastructure, specifically partitioned for use by Federal, state, and local government agencies, including the U.S. Department of Defense, as well as the community of government contractors and Federally Funded Research and Development Centers (FFRDCs).

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP program has helped to accelerate the adoption of secure cloud solutions through the reuse of assessments and authorizations across government agencies. FedRAMP leverages a standardized set of requirements, established in accordance with the Federal Information Security Management Act (FISMA), to improve consistency and confidence in the security of cloud solutions. Cloud service providers (CSPs) that support U.S. government customers or operate on U.S. government information are responsible for complying with the requirements established by the FedRAMP program.

In May 2014, Salesforce achieved, and has since maintained, a FedRAMP Agency Authority to Operate (ATO) at the Moderate impact level, issued by the U.S. Department of Health and Human Services (HHS), for the Salesforce Government Cloud.

The Salesforce Government Cloud is a partitioned instance of salesforce.com’s multi-tenant community cloud infrastructure, specifically for use by U.S. federal, state, and local government customers, U.S. government contractors, and Federally Funded Research and Development Centers (FFRDCs). The service models for the Salesforce Government Cloud are Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). The Salesforce Government Cloud comprises the Salesforce Services (Sales Cloud, Service Cloud, Chatter, Analytics Cloud, Work.com), Lightning, Industries Apps (Health Cloud, Financial Services Cloud), Platform Encryption, Communities, and the backend infrastructure that supports the operation of these products. A complete list of current in-scope Salesforce products included in the authorization boundary is available upon request.

The U.S. Department of Defense (DoD) has unique information protection requirements that extend beyond the common set of requirements established by the FedRAMP program. Using the FedRAMP requirements as a foundation, the DoD has defined additional cloud computing security and compliance requirements in its DoD Cloud Computing Security Requirements Guide (SRG). Cloud service providers supporting U.S. DoD customers are required to comply with these requirements.


Defense Information Systems Agency Impact Level 2 (DISA IL2)

The Salesforce Government Cloud has been granted a Provisional Authorization for Information Impact Level 2 from the Defense Information Systems Agency (DISA) by building upon the Salesforce Government Cloud's existing FedRAMP Agency ATO. This authorization enables U.S. DoD customers to leverage the Salesforce Government Cloud for information and workloads that are authorized for public release, specifically "non-controlled, unclassified information". In addition, this authorization supports non-sensitive information that, while not considered "mission critical", still requires some access restrictions.


Defense Information Systems Agency Impact Level 4 (IL4)

The Salesforce Government Cloud has been granted a Provisional Authorization for Impact Level 4 (IL4) from the Defense Information Systems Agency (DISA), leveraging Salesforce’s FedRAMP Moderate ATO. This provides DoD mission owners and authorized contractors the ability to use the Salesforce Government Cloud to manage Controlled Unclassified Information, including Personally Identifiable Information (PII) and Protected Health Information (PHI). This also includes data requiring protection from unauthorized disclosure and other mission-critical data.


Defense Federal Acquisition Regulation Supplement (DFARS) 252.239-7010 and 252.204-7012

In October 2016, the U.S. Department of Defense (DoD) updated its acquisition requirements for government contractors to provide more specific guidance, in light of their continued use of cloud computing services, on the transmission, storage, and processing of controlled defense information. When cloud services are used by a contractor as part of a system operated on behalf of the U.S. government, the contractor is expected to use a cloud service provider that complies with the requirements defined in the DoD Cloud Computing Security Requirements Guide (SRG). When cloud services are used by a contractor as part of a system not operated on behalf of the U.S. government, the contractor is expected to select a cloud service provider that complies with the Moderate Impact Baseline requirements defined by the Federal Risk and Authorization Management Program (FedRAMP).

Since May 2014, Salesforce has maintained a FedRAMP Authority to Operate (ATO) at the Moderate Impact level for the Salesforce Government Cloud. Further, as of January 2017, Salesforce was granted a Provisional Authorization for the Salesforce Government Cloud at Information Impact Level 4 (IL4) by the Defense Information Systems Agency (DISA).


NIST Special Publication 800-171

U.S. government contractors are required to protect controlled unclassified information (CUI) in accordance with the requirements defined by NIST Special Publication 800-171 (“Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”). Those contractors can confirm that the required controls listed in Chapter 3 of that document are a subset of those defined by the FedRAMP Moderate Impact Baseline as well as the DoD Cloud Computing Security Requirements Guide. Therefore, customers required to comply with NIST Special Publication 800-171 can build upon the foundation established by Salesforce's existing FedRAMP and DoD authorizations. This position is reaffirmed by Defense Federal Acquisition Regulation Supplement (DFARS) 252.239-7010 and 252.204-7012.

The Information Security Registered Assessors Program (iRAP) is an Australian Signals Directorate (ASD) initiative to provide high-quality information and communications technology (ICT) security services to government in support of Australia's security. iRAP provides the framework to endorse individuals from the private and public sectors to provide cyber security assessment services to Australian governments. Endorsed iRAP Assessors can provide an independent assessment of ICT security, suggest mitigations, and highlight residual risks. iRAP Assessors may provide assessments up to the TOP SECRET level for cloud service providers, including Salesforce.

To further support customers that may have complex security, governance, and compliance requirements, the Salesforce Government Cloud offers a premium set of integrated services built natively on the Lightning Platform. Two of these services — Event Monitoring and Platform Encryption — are described below:


Event Monitoring

Event Monitoring gives customers unprecedented visibility into their Salesforce apps, letting them easily see what data users are accessing, from what IP address, and what actions are being taken on that data. Customers access a standard CSV (comma-separated value) file via an API (application programming interface) and can pull the usage data into any number of visualization tools. This feature enables a customer to track when a page or list view is printed, when a record is edited or created, when ownership of a record is changed, when a list is modified, or even when a user exports data.
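The paragraph above describes the workflow but not what a customer does with the CSV once it is downloaded. The following is an added example, not code from Salesforce or this page, showing the defender's side: parse an event-log CSV and flag data exports that are unusually large or originate from an IP address outside an expected network. The column names (EVENT_TYPE, TIMESTAMP, USER_ID, CLIENT_IP, ROWS_PROCESSED), the sample rows, the allow-listed network and the thresholds are all constructed for the example and are assumptions, not Salesforce's documented schema.

```python
"""Added example: triage an event-log CSV for risky data-export activity.

Everything below is constructed for illustration. The column names, sample
rows, allow-listed network and thresholds are assumptions, not the product's
documented log format.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export (not real log data). TIMESTAMP is yyyymmddHHMMSS.mmm.
SAMPLE_CSV = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,ROWS_PROCESSED
Login,20240102103000.000,005A,203.0.113.10,0
ReportExport,20240102104500.000,005A,203.0.113.10,120
ReportExport,20240102110000.000,005B,198.51.100.7,45000
Login,20240102111500.000,005B,198.51.100.7,0
BulkApi,20240102120000.000,005C,203.0.113.22,250000
"""

# Assumed "known good" network (e.g. a corporate egress range) and event names.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
EXPORT_EVENT_TYPES = {"ReportExport", "BulkApi"}
LARGE_EXPORT_ROWS = 10_000  # assumed threshold for a "large" export


def parse_event_log(text):
    """Parse the CSV body into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def ip_is_allowed(ip_text):
    """True if the client IP parses and falls inside an allow-listed network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        # Malformed or missing IP: treat as not allowed so it surfaces for review.
        return False
    return any(ip in net for net in ALLOWED_NETWORKS)


def find_suspicious_exports(rows):
    """Return (user, event, timestamp, reasons) for exports worth a closer look."""
    findings = []
    for row in rows:
        if row["EVENT_TYPE"] not in EXPORT_EVENT_TYPES:
            continue
        reasons = []
        if not ip_is_allowed(row["CLIENT_IP"]):
            reasons.append("ip_outside_allowlist")
        if int(row["ROWS_PROCESSED"]) >= LARGE_EXPORT_ROWS:
            reasons.append("large_export")
        if reasons:
            findings.append((row["USER_ID"], row["EVENT_TYPE"], row["TIMESTAMP"], reasons))
    return findings


def exports_per_user(rows):
    """Total rows exported per user, useful as a baseline for volume alerts."""
    totals = defaultdict(int)
    for row in rows:
        if row["EVENT_TYPE"] in EXPORT_EVENT_TYPES:
            totals[row["USER_ID"]] += int(row["ROWS_PROCESSED"])
    return dict(totals)


if __name__ == "__main__":
    events = parse_event_log(SAMPLE_CSV)
    for user, event, ts, reasons in find_suspicious_exports(events):
        print(f"{ts} user={user} event={event} reasons={','.join(reasons)}")
    print("rows exported per user:", exports_per_user(events))
```

In practice the CSV would come from the API download described above rather than an inline string, and the allow list and thresholds would be tuned to the agency's own baseline; the point of the example is that the log already carries enough context (user, source IP, event type, volume) to drive a simple detection without any additional instrumentation.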


Platform Encryption

Salesforce encryption services enable departments and agencies to encrypt both standard and custom fields and attachments in a way that integrates natively with key Salesforce features, such as search, Chatter, Lookups, and more. Platform Encryption is built natively into the Lightning Platform and enables a customer to encrypt data submitted to the Salesforce Services at rest while maintaining important application functionality.

Platform Encryption encrypts data, files, and attachments. Customers have the ability to manage the lifecycle of the data encryption keys, which are hardware security module (HSM) based, and customers have control over the policy configuration.

With respect to providing and operating the Salesforce Government Cloud, Salesforce complies with the HIPAA Security Rule to the extent the requirements apply to Salesforce in its capacity as a business associate. Additionally, Salesforce maintains compliance with the following security and auditing standards with respect to the Salesforce Government Cloud:

  • PCI DSS Level 1
  • ISO 27001/27018
  • SOC 1/SSAE 16/ISAE 3402 (formerly SAS70)
  • SOC 2
  • SOC 3


To learn more about security at Salesforce, visit trust.salesforce.com.
