Skip to main content


These are compliance standards which Virtru either adheres to internally and can enable compliance with by leveraging our products.

📄️ FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) was established to enable the secure, risk-based adoption of cloud services for the federal government. Achieving & maintaining a FedRAMP Authorization to Operate (ATO) requires implementing the required FedRAMP control baseline based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 revision 4 controls, undergoing an independent assessment performed by an accredited third-party assessment organization (3PAO) & agency ATO review, and performing on-going continuous monitoring (including annual 3PAO assessments). To read more about the FedRAMP program: click here.

📄️ SOC 2

The Service and Organization Control (SOC) reporting framework from the AICPA providers reporting frameworks for service organizations to provide assurance that controls related to providing the service are performed in accordance with standard requirements. A SOC 2 report is a report on controls at a service organization relevant to the Trust Services Criteria which can include Security, Availability, Processing Integrity, Confidentiality, or Privacy. Obtaining a SOC 2 report requires undergoing an assessment from an independent Certified Public Accounting (CPA) firm. To read more about SOC 2: click here.


ANSSI is the French National Cybersecurity Agency’s (Agence nationale de la sécurité des systèmes d’information). The ANSSI Security Visa program certifies information technology products for use by the French government and companies. The Security Visas issued by ANSSI are used by many companies to identify reliable solutions that are recognized as such by following an evaluation performed by licensed evaluators in accordance ANSSI standards. The evaluations involves extensive penetration testing and in-depth analysis to make sure that the solutions are compliant. ANSSI offers two types of certifications: Common Criteria (CC) and First Level Security Certification (CSPN – Certification de sécurité de premier niveau).


The Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR) program is built on the key principles of transparency, auditing, and harmonization of standards. The STAR is designed for service providers to demonstrate best practices and validate the security posture of their cloud offerings. The publicly accessible STAR registry allows cloud customers to assess their security providers in order to make the best procurement decisions. There are several levels of CSA STAR participation from self-assessment (Level 1) to continuous auditing (Level 3). To read more about the STAR program: click here.

📄️ CMMC and NIST 800-171

Virtru products and services support regulatory compliance under a number of security control frameworks. This document describes how Virtru products support compliance with the DoD “Cybersecurity Maturity Model Certification” (CMMC), which is based on the NIST 800-171 control framework. CMMC is designed to protect sensitive information, and soon will be required for all defense contractors. Universities and grant-funded research entities face similar requirements to meeting the 800-171 controls as such.