Salesforce Government Cloud Data Sheet Updated December 2015
Salesforce Government Cloud Overview

Federal, state, and local government agencies trust salesforce.com's cloud-computing platform to deliver critical business applications. This is largely because of salesforce.com's commitment to security and privacy. Salesforce.com's vision is to be government's trusted Cloud Service Provider (CSP), based on the values of maintaining the confidentiality, integrity, and availability of customer data. Salesforce.com's methods to fulfill this vision are built upon an executive commitment to ensure and continuously improve the security of salesforce.com's services, and include:

Defense-in-depth: whenever possible, multiple controls and technologies are applied to limit the possibility of any single point of failure.
Investment: in personnel, tools, and technologies to manage, analyze, and improve security effectiveness.
Transparency: trust cannot be maintained without open communications regarding service performance, reliability, and security, and to that end salesforce.com strives to be an industry leader in transparency. See trust.salesforce.com for further details.

As a Software as a Service (SaaS) and Platform as a Service (PaaS) leader, data security is of utmost importance for salesforce.com. Salesforce.com serves over 100,000 customers and processes over a billion transactions a day. The organizations that use Salesforce.com include customers in heavily regulated industries such as financial services, healthcare, insurance, and public sector that require strict adherence to security and privacy requirements. Salesforce.com raises the bar of security to meet the requirements of our customers, specifically customers in heavily regulated industries such as Public Sector, by maintaining numerous security and privacy certifications.
In May 2014, Salesforce.com became the first CSP to attain FedRAMP Authority to Operate for both Software as a Service (SaaS) and Platform as a Service (PaaS), consistent with the FedRAMP moderate baseline controls. The Authority to Operate was granted by Health and Human Services for the Salesforce Government Cloud (described in more detail below).

Deployment Model

Salesforce.com's deployment model is a public cloud infrastructure, as defined by NIST 800-145. In the Salesforce Government Cloud, an agency dynamically provisions computing resources over the Internet on our multi-tenant infrastructure. This is a cost-effective deployment model for agencies, as it gives them the flexibility to procure only the computing resources they need and delivers all services with consistent availability, resiliency, security, and manageability.
Salesforce.com Government Cloud

The Salesforce Government Cloud is a partitioned instance of salesforce.com's multi-tenant public cloud infrastructure, specifically for use by U.S. federal, state, and local government customers, U.S. government contractors, and Federally Funded Research and Development Centers (FFRDCs). The isolated Production infrastructure supporting Salesforce Government Cloud Customer Data ensures that the physical hardware in salesforce.com's colocation data centers that processes, stores, and transmits unencrypted Government Customer Data is separate from the hardware supporting other customers. While isolated, the underlying infrastructure supporting the Salesforce Government Cloud is the same trusted architecture model that supports salesforce.com's multi-tenant public cloud offering and over a billion customer transactions a day.

Subject to the Government Cloud Premier+ Success Plan section below, access to systems and permissions which could permit access to Customer Data inside of the Salesforce Government Cloud storing U.S. government, U.S. government contractor, and FFRDC Customer Data will be restricted to Qualified U.S. Citizens. Qualified US Citizens are individuals who are United States citizens, are physically located within the United States when accessing the Salesforce Government Cloud systems, and have completed a background check as a condition of their employment with Salesforce.

FedRAMP Authority to Operate (ATO)

As the government's trusted cloud provider, salesforce's information security program for the Salesforce Government Cloud is aligned with the FedRAMP requirements. On May 23, 2014, salesforce achieved a FedRAMP Agency Authority to Operate (ATO) at the moderate impact level issued by Health and Human Services (HHS) for the Salesforce Government Cloud.
The Salesforce Government Cloud is a portion of salesforce's multi-tenant public cloud infrastructure, specifically for use by U.S. federal, state, and local government customers, U.S. government contractors, and Federally Funded Research and Development Centers (FFRDCs). The Salesforce Government Cloud information system and authorization boundary comprises the Force.com Platform, Salesforce Services (Sales Cloud, Service Cloud, Chatter), Analytics Services, and the backend infrastructure (servers, network devices, databases, storage arrays) that supports the operations of these products, referred to as the General Support System (GSS). A complete list of current in-scope salesforce products included in the authorization boundary for the FedRAMP ATO can be provided to customers upon request.

To obtain compliance with FedRAMP, salesforce conducted security assessment and authorization activities in accordance with FedRAMP guidance, NIST 800-37 Rev. 1, and HHS guidance. As part of this process salesforce documented a System Security Plan (SSP) for the Salesforce Government Cloud service offering. The SSP is developed in accordance with NIST SP 800-18 Rev. 1, Guide for Developing Federal Information System Security Plans. The SSP identifies control implementations for the GSS and in-scope customer-facing products (Force.com Platform, Salesforce Services, Analytics Services) according to the FedRAMP moderate baseline and HHS security control parameters.

A security assessment of the information system was conducted by a third party assessment organization (3PAO) in accordance with NIST 800-53A Rev. 1 and FedRAMP requirements. The security assessment testing determined the adequacy of the management, operational, and technical security controls used to protect the confidentiality, integrity, and availability of the Salesforce service and the Customer Data it stores, transmits and processes. To maintain compliance with FedRAMP, salesforce conducts continuous monitoring. Continuous monitoring includes ongoing technical vulnerability detection and remediation, remediation of open compliance-related findings, and at least annual independent assessment of a selection of security controls.

Government Cloud Premier+ Success Plan

The Salesforce Government Cloud requires the Government Cloud Premier+ Success Plan, which provides technical support from Qualified US Citizens. Support cases submitted online will be automatically routed to a team of Qualified US Citizens. Telephone support is also available in English, 24 hours a day, seven days a week; however, calls for support received via telephone will be initially responded to by individuals who may not be Qualified US Citizens and who may be located outside the United States. These individuals will then route cases to a team of Qualified US Citizens. Support cases submitted via Chat will not be responded to by Qualified US Citizens.

All other personnel, including Customer Success Managers, Success Account Managers, Customer Success Technologists and any other personnel engaged in customer success roles and providing customer success services (collectively referred to as "Success Representatives") may not be Qualified US Citizens and will not have access to Customer Data unless Customer provides such personnel a User ID or otherwise enables the sharing of Customer Data with such personnel. In addition to providing personnel controls for technical support, the Government Cloud Premier+ Success Plan includes success resources, online training and administration services to drive Salesforce adoption and business productivity.
For more information about the Premier+ Success Plan, please see http://www.salesforce.com/assets/pdf/misc/salesforce_premierplans.pdf

Products Available on the Salesforce Government Cloud

The Enterprise Edition and Unlimited Edition of some Salesforce.com products are available for use on the Salesforce Government Cloud. From time to time, the list of available products on the Salesforce Government Cloud may change at Salesforce.com's sole discretion and without any advance notice. Prior to a Government Customer placing an order on the Salesforce Government Cloud, please contact your local Salesforce.com sales or renewal representative for the most current product availability information on the Salesforce Government Cloud. Not all of the products available on the Salesforce Government Cloud are included in the scope of salesforce.com's FedRAMP Agency Authority to Operate. Please see Attachment A for further information.

Customer Responsibilities

Federal government agencies can request access to the Salesforce FedRAMP Agency ATO package by submitting a request to the FedRAMP PMO. All other customers can submit a request to salesforce.com via the customer's account representative. Each customer will need to review the documentation and assess that organization's compliance requirements. Customers may need to purchase additional Salesforce and/or third party products and services in order to meet their individual requirements.
Attachment A

FedRAMP Authorization Boundary for the Salesforce Government Cloud for SFDC products* as of October 31, 2015

Products and features included in the FedRAMP Authorization Boundary for the Salesforce Government Cloud*:

Salesforce1 Platform [3] (not including Salesforce1 Mobile app)
Salesforce Applications (including Sales Cloud, Service Cloud, Analytics Cloud and Chatter)
Salesforce.com application features [4]
    o Content
    o Ideas
    o Knowledge
    o Chatter Answers
    o Chatter Messenger
    o Customer facing Chatter groups
    o Chatter files
Salesforce1 Platform Public Sites
Administrative, App, and Personal Setup/My Settings
APIs
APEX Coding
Federated SSO
Delegated SSO
External provider SSO
Portals (Authenticated sites, Service Cloud Portal, Customer Portal, Partner Portal)
Communities (including Salesforce1 Platform Sites and Site.com sites for Communities)
Visualforce coding
Application features including Visual Force and Live Agent

Products and features excluded from the FedRAMP Authorization Boundary for the Salesforce Government Cloud:

Desk.com
Heroku
Marketing Cloud (Radian 6, Exact Target, Buddy Media)
Database.com
Remedyforce
Site.com (except Site.com sites for Communities)
Work.com
Data.com
Customer developed applications
AppExchange
Desktop Integration and Connect Services (e.g., Offline, Outlook, and Office)
Salesforce.com custom development (custom development for specific customers)
Salesforce.com consulting
Google Apps Integration
Salesforce.com Mobile (independent or as included in any other product)
Salesforce1 Mobile app (independent or as included in any other product)
CRM Call Center / CTI adaptor
Any other product or feature not noted as included in the FedRAMP SSP is also excluded

[3] Only Force.com Platform, which is bundled with this product, is included under the FedRAMP Authorization Boundary for the Salesforce Government Cloud. All other platform products are excluded.
[4]

For a detailed description of salesforce.com's current product offerings see http://www.salesforce.com/products/.

*This list is for informational purposes only and is subject to change at any time and without notice. This list may not represent the current status of the products listed. Salesforce.com makes no assurance, contractual or otherwise, as to the status of these products.