Certifications and Compliance

Cloud computing security requirements for the US Department of Defense for Impact Level 2 and Impact Level 4

The U.S. Department of Defense (DoD) has unique information protection requirements that extend beyond the common set of requirements established by the Federal Risk and Authorization Management Program (FedRAMP) program. Using FedRAMP requirements as a foundation, the U.S. DoD specifically has defined additional cloud computing security and compliance requirements in their DoD Cloud Computing Security Requirements Guide (SRG). Cloud Service Providers (CSPs) supporting U.S. DoD customers are required to comply with these requirements.

Skyhigh Security has been granted a DoD Impact Level 2 (IL2) Provisional Authorization (PA) from Defense Information Systems Agency (DISA) leveraging Skyhigh Security's FedRAMP Moderate ATO. DoD IL2 is for non-Controlled Unclassified Information (non-CUI), which includes all data cleared for public release, as well as some DoD private unclassified information not designated as CUI or critical mission data that requires some minimal level of access control.

Skyhigh Security is actively pursuing DoD Impact Level 4 with multiple customers.

DoD IL4 is for Controlled Unclassified Information(CUI) which includes protection of data from unauthorized disclosure established by Executive Order 13556( Nov 2010); Education, Training, PII, PHI, SSN, Credit Card Information, Export Controls, FOUO and Law Enforcement Sensitive material and email.

U.S. government program providing a standard approach to security, authorization and monitoring

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S Federal Government Program that provides a standardized approach to security assessment, authorization, and continuous monitoring for Cloud Service Providers (CSP). The FedRAMP program has helped accelerate the adoption of secure cloud solutions, through the reuse of assessment and authorizations across other government agencies. FedRAMP leverages a standardized set of requirements established in accordance with the Federal Information Security Management Act (FISMA), and utilizing the Security Assessment Framework (SAF) and NIST Risk Management Framework (RMF) to continuously monitor, and improve the confidence and process maturity with the various baselines of security controls implemented by the Cloud Service Providers. In-order to support on-going operations with U.S Government customers to process, store or transmit U.S Government data; they are responsible for complying with the requirements established by the FedRAMP Program.

GDPR is a European Union (EU) regulation designed to provide individuals more control over their personal data

The General Data Protection Regulation (GDPR) came into force on May 25, 2018 and is an EU regulation which provides individuals more control over their personal data. The GDPR was designed to harmonize data protection rules across the European Union. It provides rules relating to the protection of individuals with regard to the processing of personal data and rules relating to the free movement of personal data of data subjects in the European Union. The GDPR requires companies to implement appropriate technical and organizational measure to protect personal data.

For more information visit:
General Data Protection Regulation (GDPR) Individual Data Request Form

Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five "trust service principles"-security, availability, processing integrity, confidentiality and privacy

SOC 2 Type II report is an attestation for the management of Skyhigh Security organization assertion that certain controls are in place to meet the AICPA's SOC 2 Trust Services Criteria (TSC).

The report contains an opinion from a CPA firm that states whether the CPA firm agrees with management's assertion. The opinion states that the appropriate controls are in place to address the selected TSCs and the controls are designed (Type I report) or designed and operating effectively (Type II report).

The international standard for information security

It sets out the specification for an information security management system (ISMS). ISO 27001's best-practice approach helps organizations manage their information security by addressing people, processes, and technology.

Skyhigh Security was the first Cloud Access Security Broker to attain ISO 27001 Certification.

The certification also reflects the maturity of controls and practices that Skyhigh Security has in place.

IRAP endorses individuals from the private and public sectors to provide security assessment services.

The Information Security Registered Assessor Program (IRAP) is a security compliance framework comprised of security assessment processes, and a security assessor program. It was developed by the Australia Signals Directorate (ASD), and the Australian Cyber Security Centre (ACSC), within the Australian government. IRAP supports Australian commonwealth government entities in maintaining their security assurance and risk management, as well as assessing cloud service providers and their cloud services’ security controls against the Australian government security policies and guidelines.

Skyhigh Security Service Edge (SSE) completed an IRAP assessment at the PROTECTED security classification level in 2023, and Skyhigh Cloud Access Security Broker (CASB) was assessed at the IRAP PROTECTED level in 2020. The IRAP assessment provides assurance to public sector organizations that Skyhigh Security’s powerful suite of data-aware cloud security technology has appropriate and effective security controls in place to manage highly sensitive data and infrastructures for Australian government agencies.

For more information visit:
https://www.cyber.gov.au/acsc/view-all-content/programs/irap