Salesforce is committed to continuously improving the security of Salesforce services for the U.S. Department of Defense (DoD). Salesforce maintains compliance with comprehensive privacy and security standards in accordance with DoD Cloud Computing SRG v1r2.

Defense Information Systems Agency Impact Level 2 (DISA IL2)

The Salesforce Government Cloud has been granted a Provisional Authorization for Impact Level 2 (IL2) from Defense Information Systems Agency (DISA) leveraging Salesforce’s FedRAMP Moderate ATO. Impact Level 2 is for non-Controlled Unclassified Information (non-CUI), which includes all data cleared for public release, as well as some DoD private unclassified information not designated as CUI or critical mission data that requires some minimal level of access control.

Defense Information Systems Agency Impact Level 4 (DISA IL4)

The Salesforce Government Cloud has been granted Provisional Authorization for Impact Level 4 (IL4) from Defense Information Systems Agency (DISA) leveraging Salesforce’s FedRAMP Moderate ATO.  This provides DoD mission owners and authorized contractors the ability to utilize the Salesforce Government Cloud to manage Controlled Unclassified Information, including Personal Identifiable Information (PII) and Protected Health Information (PHI).  This also includes data requiring protection from unauthorized disclosure and other mission-critical data.

Defense Federal Acquisition Regulation Supplement (DFARS) 252.239-7010 and 252.204-7012

In October 2016, the U.S. Department of Defense (DoD) updated acquisition requirements for government contractors to provide more specific guidance in light of their continued use of cloud computing services as it relates to the transmission, storage, and processing of controlled defense information. When cloud services are used by a contractor as part of a system operated on behalf of the U.S. government, the contractor is expected to leverage a cloud service provider that complies with the requirements defined in the DoD Cloud Computing Security Requirements Guide (SRG). When cloud services are used by a contractor as part of a system not operated on behalf of the U.S. government, the contractor is expected to select a cloud service provider that complies with the Moderate Impact Baseline requirements defined by the Federal Risk and Authorization Management Program (FedRAMP).

Since May 2014, Salesforce has maintained a FedRAMP Authority to Operate (ATO) at the Moderate Impact level for the Salesforce Government Cloud. Further, as of January 2017, Salesforce was granted a Provisional Authorization for the Salesforce Government Cloud at Information Impact Level 4 (IL4) by the Defense Information Systems Agency (DISA).

In order to further support customers that may have complex security, governance, and compliance requirements, the Salesforce Government Cloud offers a premium set of integrated services built natively on the Force.com platform that customers can leverage. Two of these services — Event Monitoring and Platform Encryption — are described below:

 

Event Monitoring

Event Monitoring gives customers unprecedented visibility into their Salesforce services apps, letting them easily see what data users are accessing, from what IP address, and what actions are being taken in regards to that data. Customers can simply access a standard CSV (comma-separated-value) file via API (application program interface) and can pull the usage data into any number of visualization tools. This feature could enable a customer to track when a page or list view is printed, when a record is edited or created, when ownership of a record is changed, when a list is modified, or even when a user exports data.

 

Platform Encryption

Salesforce encryption services enable departments and agencies to encrypt both standard and custom fields and attachments in a way that natively integrates with key Salesforce features, such as search, Chatter, Lookups, and more. Platform Encryption is built natively into the Force.com platform and enables a customer to encrypt data (that is submitted to the Salesforce Services) at rest while maintaining important application functionality.

Platform Encryption is FIPS 140-2 compliant and encrypts the data, files, and attachments. Customers have the ability to manage the lifecycle of data encryption keys, which are hardware security module based, and customers have controls over policy configurations.

NIST Special Publication 800-171

U.S. government contractors are required to protect controlled unclassified information (CUI) in accordance with the requirements defined by NIST Special Publication 800-171 (“Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”). Those contractors can confirm that the required controls listed in Chapter 3 of that document are a subset of those defined by the FedRAMP Moderate Impact Baseline as well as the DoD Cloud Computing Security Requirements Guide. Therefore, customers required to comply with NIST Special Publication 800-171 requirements can build upon the foundation established by Salesforce's existing FedRAMP and DoD authorizations. This position is reaffirmed by Defense Federal Acquisition Regulation Supplement (DFARS) 252.239-7010 and 252.204-7012.

Since May 2014, Salesforce has maintained a FedRAMP Authority to Operate (ATO) at the Moderate Impact level for the Salesforce Government Cloud. Further, as of January 2017, Salesforce was granted a Provisional Authorization for the Salesforce Government Cloud at Information Impact Level 4 (IL4) by the Defense Information Systems Agency (DISA).

 

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP program has helped to accelerate the adoption of secure cloud solutions through the reuse of assessments and authorizations across government agencies. FedRAMP leverages a standardized set of requirements, established in accordance with the Federal Information Security Management Act (FISMA), to improve consistency and confidence in the security of cloud solutions. Cloud Service Providers (CSP) that support U.S. government customers or operate on U.S. government information are responsible for complying with the requirements established by the FedRAMP program.

In May 2014, Salesforce achieved and has since maintained a FedRAMP Agency Authority to Operate (ATO) at the moderate impact level issued by U.S. Department of Health and Human Services (HHS) for the Salesforce Government Cloud. The FedRAMP ATO does not currently apply to the following Salesforce services: Site.com, Database.com and Communities.

 

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) is government legislation that defines the privacy and security provisions for safeguarding medical information (protected healthcare information: PHI). The HIPAA regulation framework includes the following categories of regulations: Security Rule, Privacy Rule, Breach Notification, and Enforcement Rule

The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The reports cover IT General controls and controls around availability, confidentiality and security of customer data and are issued for 6-month periods each year.  SOC1, SOC2 and SOC3 audits are performed by third party auditor annually at a minimum.

For questions regarding implementation, please contact us.

Contact us to talk about solutions from the Salesforce Government Cloud. We’ll help you set up a strategy to start connecting people and streamlining processes like never before.
OR CALL 1-844-807-8829