📄️ FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) was established to enable the secure, risk-based adoption of cloud services by the federal government. Achieving and maintaining a FedRAMP Authorization to Operate (ATO) requires implementing the required FedRAMP control baseline, which is based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 revision 4 controls; undergoing an independent assessment performed by an accredited third-party assessment organization (3PAO) and an agency ATO review; and performing ongoing continuous monitoring (including annual 3PAO assessments).
📄️ SOC 2
The Service and Organization Control (SOC) reporting framework from the AICPA provides reporting frameworks for service organizations to give assurance that the controls related to providing the service are performed in accordance with standard requirements. A SOC 2 report is a report on controls at a service organization relevant to the Trust Services Criteria, which can include Security, Availability, Processing Integrity, Confidentiality, or Privacy. Obtaining a SOC 2 report requires undergoing an assessment by an independent Certified Public Accounting (CPA) firm.
📄️ ANSSI
ANSSI is the French National Cybersecurity Agency (Agence nationale de la sécurité des systèmes d’information). The ANSSI Security Visa program certifies information technology products for use by the French government and by companies. The Security Visas issued by ANSSI are used by many companies to identify reliable solutions that are recognized as such following an evaluation performed by licensed evaluators in accordance with ANSSI standards. The evaluations involve extensive penetration testing and in-depth analysis to make sure that the solutions are compliant. ANSSI offers two types of certification: Common Criteria (CC) and First Level Security Certification (CSPN – Certification de sécurité de premier niveau).
📄️ CSA STAR
The Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR) program is built on the key principles of transparency, auditing, and harmonization of standards. STAR is designed for service providers to demonstrate best practices and validate the security posture of their cloud offerings. The publicly accessible STAR registry allows cloud customers to assess their security providers in order to make the best procurement decisions. There are several levels of CSA STAR participation, from self-assessment (Level 1) to continuous auditing (Level 3).
📄️ FIPS 140-2
Federal Information Processing Standards (FIPS) Publication 140-2 specifies security requirements for cryptographic modules. There is a lot of confusion when it comes to terminology (FIPS compliant vs. FIPS validated), and there is a significant difference between the two. We'll try to clarify some of that and explain how it applies to Virtru.
📄️ CJIS
Criminal Justice Information Services (CJIS) is a division of the Federal Bureau of Investigation (FBI). The CJIS Division publishes the CJIS Security Policy as a minimum set of security requirements for protecting and safeguarding Criminal Justice Information (CJI).
📄️ Export Controls
Export control regulations are federal laws that prohibit the unlicensed export of items (which may include technology or technical data) that are of importance to national security, foreign policy, and economic objectives. In simple terms, an export is any disclosure, transmission, or transfer of controlled items to a non-U.S. person, or physically out of the U.S.
📄️ CMMC and NIST 800-171
Virtru products and services support regulatory compliance under a number of security control frameworks. This document describes how Virtru products support compliance with the DoD “Cybersecurity Maturity Model Certification” (CMMC), which is based on the NIST 800-171 control framework. CMMC is designed to protect sensitive information and soon will be required for all defense contractors. Universities and grant-funded research entities face similar requirements and must likewise meet the 800-171 controls.