Regulatory compliance
You can gain an understanding of the compliance stance for the WebSphere® Application Server product for various regulations or standards. Clients are responsible for ensuring their own readiness for the laws and regulations that apply to them.
Clients are responsible for identifying and interpreting any relevant laws and regulations that might affect their users. Clients are also responsible for any actions that their users might need to take to comply with these laws and regulations.
| Regulation or standard | Applicability | Supported | Assessment | Responsibility model |
|---|---|---|---|---|
| Accessibility | Applicable | Yes | Compliant | IBM |
| Artificial intelligence | N/A | N/A | N/A | N/A |
| Export compliance | Applicable | Yes | Compliant | IBM |
| Federal Information Processing Standards (FIPS) | Applicable | Yes | Ready (requires configuration) | Client and IBM |
| Federal Risk and Authorization Management Program (FedRAMP) | N/A | N/A | N/A | N/A |
| General Data Protection Regulation (GDPR) | Applicable | Yes | Ready | Client and IBM |
| Health Insurance Portability and Accountability Act (HIPAA) | Applicable | Yes | Ready (requires configuration) | Client |
| Health Information Trust (HITRUST) | Applicabe | Yes | Ready (requires configuration) | Client |
| ISO/IEC 27001 | Applicable | Yes | Ready (requires configuration) | Client |
| Payment Card Industry (PCI) | Applicable | Yes | Ready (requires configuration) | Client |
| SP800-131 | Applicable | Yes | Ready (requires configuration) | Client and IBM |
| Suite B | Applicable | Yes | Ready (requires configuration) | Client and IBM |
| System and Organization Controls (SOC) | Applicable | Yes | Ready (requires configuration) | Client |
Accessibility
IBM is committed to accessibility. Accessibility Compliance Reports (previously known as a VPAT) containing details on accessibility compliance to standards, including the Worldwide Consortium Web Content Accessibility Guidelines, European Standard EN 301 349, and US Section 508, can be found on the IBM Accessibility Conformance Report Request website.
Artificial intelligence
WebSphere Application Server does not use or interact with any artificial intelligence. No regulations or standards for the use of artificial intelligence apply to this product.
Artificial intelligence assisted in drafting parts of the product source code.
Artificial intelligence assisted in drafting parts of the product documentation. Any generated content is reviewed for accuracy and marked with a comment prior to publication.
Export compliance
IBM is committed to compliance with U.S. Export Regulation requirements.
For export compliance information about the product, such as the Export Control Classification Number (ECCN) and ID number, see Software export classification search. On the Software export classification search page, enter in the Part Number/Product ID field and click Submit.
Federal Information Processing Standards (FIPS)
Clients are responsible for configuring the product to be compliant with Federal Information Processing Standards (FIPS). FIPS enablement is not configured by default.
The National Institute of Standards and Technology (NIST) issues Federal Information Processing Standards (FIPS), which are standards and guidelines for federal government computer systems.
For more information about configuring the product, see WebSphere Application Server security standards configurations.
Federal Information Security Modernization Act (FISMA)
Clients are responsible for configuring the product and implementing controls to meet compliance with the Federal Information Security Modernization Act (FISMA). The product is not compliant by default.
Compliance with FISMA means adhering to a set of policies, standards, and guidelines to protect the personal or sensitive information contained in government systems. FISMA requires all government agencies and their vendors, service providers, and contractors to improve their information security controls based on these pre-defined requirements. IBM is committed to FISMA compliance as a vendor of government agencies.
For more information about configuring the product to meet security standards, see Configuring for security regulations and standards.
For more information about FISMA, see Federal Information Security Modernization Act.
Federal Risk and Authorization Management Program (FedRAMP)
The product is not a cloud product or service. The FedRAMP Security Framework does not apply.
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. It is designed to ensure that government agencies and other organizations can confidently use cloud services that meet the highest security and compliance standards.
For more information about FedRAMP, see FedRAMP
General Data Protection Regulation (GDPR)
Clients are responsible for ensuring their own readiness for the laws and regulations, including the European Union General Data Protection Regulation.
For more information about GDPR for the product, see WebSphere Application Server considerations for GDPR readiness.
For more information, see What is GDPR, the EU’s new data protection law?
Health Insurance Portability and Accountability Act (HIPAA)
Clients are responsible for configuring the product and implementing controls to meet compliance with the Health Insurance Portability and Accountability Act (HIPAA) if they deal with electronically protected health information (EPHI). The product is not compliant by default.
The HIPAA Security Rule specifically focuses on the protection of EPHI, and only a subset of agencies are subject to the HIPAA Security Rule based on their functions and use of EPHI.
For more information about configuring the product to meet security standards, see Configuring for security regulations and standards.
For more information, see Health Information Privacy.
Health Information Trust (HITRUST)
Clients are responsible for configuring the product and other controls to meet compliance with Health Information Trust (HITRUST). The product is not compliant by default.
The Health Information Trust Alliance, now rebranded as HITRUST, is an organization governed by representatives from across the healthcare industry. HITRUST was founded in 2007 and created the Common Security Framework (CSF), a framework for verifying the security of sensitive or regulated healthcare data.
For more information about configuring the product to meet security standards, see Configuring for security regulations and standards.
For more information, see HITRUST.
ISO/IEC 27001
Clients are responsible for configuring the product and implementing controls to meet compliance with ISO/IEC 27001. The product is not compliant by default.
ISO/IEC 27001 compliance requires organizations to meet information security management systems (ISMS) requirements. The International Organization for Standardization (ISO) is an independent, non-governmental organization, with a membership of 164 national standards bodies. ISO develops international standards that are voluntary, consensus-based, and market relevant. The goal is to ensure that products and services are safe, reliable, and are of good quality.
For more information about configuring the product to meet security standards, see Configuring for security regulations and standards.
For more information, see ISO/IEC 27001:2022.
Payment Card Industry (PCI)
Clients are responsible for configuring the product and/or implementing controls to meet compliance with Payment Card Industry (PCI) standards. The product is not compliant by default.
Payment Card Industry Data Security Standard (PCI-DSS) and Payment Application Data Security Standard (PA-DSS) are standards established by the Payment Card Industry to promote secure payment processing. PA-DSS is a standard for commercially off-the-shelf payment applications, which are defined as applications that capture, process, store, or transmit information pertaining to cards, such as credit cards.
For more information about configuring the product to meet security standards, see Configuring for security regulations and standards.
For more information, see PCI Security Standards.
SP800-131
Clients are responsible for configuring the product and implementing controls to meet compliance with SP800-131. The product is not compliant by default.
SP800-131 is a requirement originated by the National Institute of Standards and Technology (NIST) which requires longer key lengths and stronger cryptography.
For more information, see WebSphere Application Server security standards configurations.
Suite B
Clients are responsible for configuring the product and implementing controls to meet compliance with Suite B. The product is not compliant by default.
Suite B is a requirement that is originated by the National Security Agency (NSA) to specify a cryptographic interoperability strategy. This standard is similar to SP800-131 with some tighter restrictions.
For more information, see WebSphere Application Server security standards configurations.
System and Organization Controls (SOC)
Clients are responsible for configuring the product and implementing controls to meet compliance with System and Organization Controls (SOC). The product is not compliant by default.
- SOC 1 is an audit of the internal controls at a service organization, implemented to protect client-owned data that is involved in client financial reporting. SOC 1 audits and reports are based on the Statement on Standards for Attestation Engagements (SSAE 18) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402).
- SOC 2 audits are based on the AICPA Trust Service Principles and Criteria to gauge service organization internal controls that are implemented to protect customer-owned data. SOC 2 reports provide details about the nature of those internal controls.
For more information about configuring the product to meet security standards, see Configuring for security regulations and standards.
For more information about SOC, see SOC Reporting Guide.