Compliance engineered for the Cloud
Salesforce maintains a comprehensive set of compliance certifications and attestations to validate our #1 value of Trust.
NIST SP 800-171
In October 2016, the U.S. Department of Defense (DoD) updated acquisition requirements for government contractors to provide more specific guidance in light of their continued use of cloud computing services as it relates to the transmission, storage, and processing of controlled defense information. When cloud services are used by a contractor as part of a system operated on behalf of the U.S. government, those cloud services are expected to comply with the requirements defined in the DoD Cloud Computing Security Requirements Guide (SRG). When cloud services are used by a contractor as part of a system not operated on behalf of the U.S. government, those cloud services are expected to comply with the Moderate Impact requirements defined by the Federal Risk and Authorization Management Program (FedRAMP). Since May 2014, Salesforce has maintained a FedRAMP Authority to Operate (ATO) at the Moderate Impact level for the Salesforce Government Cloud. Further, as of January 2017, Salesforce was granted a Provisional Authorization for the Salesforce Government Cloud at Information Impact Level 4 (IL4) by the Defense Information Systems Agency (DISA). These authorizations may assist DoD mission owners and authorized contractors in their management of Controlled Unclassified Information (CUI), including Personal Identifiable Information (PII), Protected Health Information (PHI), and other mission-critical data requiring protection from unauthorized disclosure. Additional information can be found at https://www.salesforce.com/solutions/industries/government/overview/