Defense Information Systems Agency Impact Level 2 (DISA IL2)
The Salesforce Government Cloud has been granted a Provisional Authorization for Impact Level 2 (IL2) from Defense Information Systems Agency (DISA) leveraging Salesforce’s FedRAMP Moderate ATO. Impact Level 2 is for non-Controlled Unclassified Information (non-CUI), which includes all data cleared for public release, as well as some DoD private unclassified information not designated as CUI or critical mission data that requires some minimal level of access control.
Defense Information Systems Agency Impact Level 4 (DISA IL4)
The Salesforce Government Cloud has been granted Provisional Authorization for Impact Level 4 (IL4) from Defense Information Systems Agency (DISA) leveraging Salesforce’s FedRAMP Moderate ATO. This provides DoD mission owners and authorized contractors the ability to utilize the Salesforce Government Cloud to manage Controlled Unclassified Information, including Personal Identifiable Information (PII) and Protected Health Information (PHI). This also includes data requiring protection from unauthorized disclosure and other mission-critical data.
In order to further support customers that may have complex security, governance, and compliance requirements, the Salesforce Government Cloud offers a premium set of integrated services built natively on the Force.com platform that customers can leverage. Two of these services — Event Monitoring and Platform Encryption — are described below:
Event Monitoring gives customers unprecedented visibility into their Salesforce services apps, letting them easily see what data users are accessing, from what IP address, and what actions are being taken in regards to that data. Customers can simply access a standard CSV (comma-separated-value) file via API (application program interface) and can pull the usage data into any number of visualization tools. This feature could enable a customer to track when a page or list view is printed, when a record is edited or created, when ownership of a record is changed, when a list is modified, or even when a user exports data.
Salesforce encryption services enable departments and agencies to encrypt both standard and custom fields and attachments in a way that natively integrates with key Salesforce features, such as search, Chatter, Lookups, and more. Platform Encryption is built natively into the Force.com platform and enables a customer to encrypt data (that is submitted to the Salesforce Services) at rest while maintaining important application functionality.
Platform Encryption is FIPS 140-2 compliant and encrypts the data, files, and attachments. Customers have the ability to manage the lifecycle of data encryption keys, which are hardware security module based, and customers have controls over policy configurations.
NIST Special Publication 800-171
On December 30, 2015, Department of Defense updated the Defense Acquisition Regulation Supplement (DFARS 252.204-7012) to require prime contractors and their subcontractors to adhere to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations. The revised regulation gives contractors until December 31, 2017 to fully implement NIST SP 800-171 requirements on unclassified information systems that are owned, or operated by or for, a contractor and that process, store, or transmit covered defense information, including controlled unclassified information (CUI).
In the context of the Salesforce Government Cloud, DoD contractors can reference the Salesforce Government Cloud’s existing FedRAMP Agency Authority to Operate (ATO). The Salesforce Government Cloud ATO was issued at the moderate impact level and is based on NIST Special Publication 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, controls. NIST SP 800-171 Appendix D provides a mapping between NIST SP 800-171 requirements and NIST SP 800-53 Rev. 4 controls. The FedRAMP ATO does not currently apply to the following Salesforce Services: Site.com, Database.com and Communities.
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP program has helped to accelerate the adoption of secure cloud solutions through the reuse of assessments and authorizations across government agencies. FedRAMP leverages a standardized set of requirements, established in accordance with the Federal Information Security Management Act (FISMA), to improve consistency and confidence in the security of cloud solutions. Cloud Service Providers (CSP) that support U.S. government customers or operate on U.S. government information are responsible for complying with the requirements established by the FedRAMP program.
In May 2014, Salesforce achieved and has since maintained a FedRAMP Agency Authority to Operate (ATO) at the moderate impact level issued by U.S. Department of Health and Human Services (HHS) for the Salesforce Government Cloud. The FedRAMP ATO does not currently apply to the following Salesforce services: Site.com, Database.com and Communities.
Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) is government legislation that defines the privacy and security provisions for safeguarding medical information (protected healthcare information: PHI). The HIPAA regulation framework includes the following categories of regulations: Security Rule, Privacy Rule, Breach Notification, and Enforcement Rule