Item 26 - Agreement with Allied Network Solutions, Inc. for Adobe Software and Subscription
Last modified: 1/27/2025 5:03:20 PM
Creation date: 1/21/2025 2:16:24 PM
Template: City Clerk
Doc Type: Agenda Packet
Agency: Information Technology
Item #: 26
Date: 1/21/2025
SOLICITATION # CH16012

As part of the Salesforce Government Cloud, Salesforce is capable of responding to FIPS 140-2/3 cryptographic implementations for data being transferred between the customer's web browser and Salesforce. Data that resides within Salesforce's protected boundary does not use FIPS 140-2 validated encryption as compensating/mitigating controls are in place to protect data. Additional information is provided below.

Data Transmission between the customer's web browser and Salesforce:

Salesforce employs cryptographic mechanisms to protect information during transmission. All transmissions between the user and Salesforce are encrypted by default with a 2048-bit Public Key. Our service uses International/Global Step Up certificates. We support one-way TLS, in which customers create secure connections before sharing private data. Secure routing and traffic flow policies ensure that customer traffic is encrypted entering Salesforce until the load balancer decrypts the traffic. The load balancers decrypting the traffic are FIPS 140-2 compliant and are located inside of the Salesforce Government Cloud isolation boundary.

Data Transmission for Backup Media:

Media containing customer data is not transported outside of controlled salesforce.com areas and therefore relies on physical access controls to protect the data.

Data at Rest:

NIST 800-53 Rev. 3 states in SC-28, "Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system." SC-28 also states, "Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate." All secondary storage media (hard drives, disk drives, and tapes) containing customer data are maintained within Salesforce's secure production data centers until the media has been sanitized and destroyed. Salesforce relies on physical access controls as a compensating control to protect the data.

Primary Data Storage:

User passwords are stored in the RDBMS encrypted via the SHA algorithm with a 256-bit hash. This is a one way hash. The passwords are encrypted by the application.

For primary data storage, Salesforce provides customers with a built-in capability to apply field-level encryption, using 128-bit keys with Advanced Encryption Standard (AES) encryption (as defined by FIPS 197), for a selection of custom fields included in the Salesforce Platform and CRM applications. Field-level encryption ensures the data associated with designated fields is encrypted in storage.

ServiceNow

ServiceNow's security policy is based on ISO27001:2013 and has been since 2012. ServiceNow also has annual SSAE 16 SOC 1 Type 2 and SOC2 Type 2 attestations with controls being based off NIST 800-53.

The ServiceNow Service Automation Government Cloud Suite is a FedRAMP Compliant Cloud System with a JAB Provisional Authorization. This cloud offering has regulatory restrictions to the types of tenants that can use it. ServiceNow's FedRAMP compliant and standard commercial datacenter environments are virtually identical. The differences that do exist, such as only allowing access to specially adjudicated US citizens, exist for regulatory reasons not because the environment is superior in some way.

QTS

QTS assists with mapping between DOD IT RMF/DIACAP and NIST as well as International Standards Organization (ISO) standards and many others.

QTS maintains control mappings that include:
• NIST 800-53/FedRAMP (Low/Moderate/High)