IBM Cloud data center security for federal

IBM Cloud data centers for government workloads were designed and built to meet the strictest standards of the US government. We’ve employed the security and privacy controls defined by NIST SP 800-53, and all IBM Cloud data centers for government use meet FedRAMP and FISMA compliance standards and are audited regularly in our SOC 2, Type II reports.

IBM helps customers seeking HIPAA and PCI-DSS compliance by providing and meeting the necessary infrastructure-related controls for those certifications. These physical and network controls are enhanced with additional security features such as multi-factor authentication, hardware and software firewalls, vulnerability scans, anti-virus and anti-spyware protection, host-based intrusion detection, virtual private networks (IPsec and SSL VPN), and SSL certificates.

FedRAMP

FedRAMP (the Federal Risk and Authorization Management Program) is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. FedRAMP authorizes cloud systems through a three-step process: security assessment, leveraging and authorization, and ongoing assessment and authorization. All IBM Cloud data centers are built to FedRAMP standards. Data centers reserved for government workloads have FedRAMP certification pending.

FISMA

The Federal Information Security Management Act of 2002 (FISMA) was created to ensure the security of data in the federal government. The act requires program officials and agency heads to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner. All IBM Cloud data centers are built to FISMA standards. Data centers reserved for government workloads have FISMA certification pending.

SOC reports

IBM Cloud provides SOC 1, SOC 2 and SOC 3 reports. These reports evaluate IBM Cloud's operational controls with respect to criteria set by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. The Trust Services Principles define adequate control systems and establish industry standards for services providers such as IBM Cloud to safeguard their customers' data and information. Customers may download the current IBM Cloud SOC 1 and SOC 2 reports from the customer portal or contact our sales team. Our SOC 3 report is available for general use and can be accessed here: IBM Cloud SOC 3 Report (PDF, 150KB).

Safe Harbor

Safe Harbor is an important way for US companies to avoid interruptions in their business dealings with the EU and to avoid prosecution by European authorities under European privacy laws. Certifying to Safe Harbor assures EU organizations that your company provides “adequate” privacy protection, as defined by the Directive.

Cloud Security Alliance – STAR registrant

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. One of the mechanisms the Cloud Security Alliance uses in pursuit of its mission is the Security, Trust and Assurance Registry (STAR), a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings. IBM Cloud STAR Consensus Assessment Initiative Questionnaire: https://cloudsecurityalliance.org/star/registry/ibm-cloud/

PCI compliance

If you store or process credit card data, then PCI compliance and network security are of primary concern to your business. To ensure consistent standards for merchants, the Payment Card Industry Security Standards Council established the Payment Card Industry (PCI) data security standards. These standards incorporate best practices to protect cardholder data, and they often require validation by a third-party Qualified Security Assessor (QSA). We help our customers supplement their internal security controls to meet PCI compliance by assisting with third-party auditor security walkthroughs and providing proof of physical and environmental controls, while maintaining strict information security policies.

HIPAA compliance

The US Health Insurance Portability and Accountability Act (HIPAA) requires specific security controls for businesses that store or process protected health information online. The IBM Cloud platform meets all of the necessary HIPAA requirements on the data center/service provider side. For more information about achieving, certifying and maintaining HIPAA compliance for your IBM Cloud environment, or for assistance in doing so, please contact our sales team.

CJIS standards

The Criminal Justice Information Services (CJIS) Division is a division of the US Department of Justice Federal Bureau of Investigation. The CJIS Division created and published a Security Policy (CJISD-ITS-DOC-08140-5.4), which contains minimum information security requirements, guidelines and agreements reflecting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage and generation of Criminal Justice Information (CJI).

IBM Cloud is approved and ready for CJI workloads (PDF, 347KB). For more information about how to leverage IBM Cloud for Criminal Justice Information workloads, download our guide on Leveraging IBM Cloud for CJIS workloads (PDF, 347KB).