Cloud computing security requirements for the US Department of Defense for Impact Level 2The U.S. Department of Defense (DoD) has unique information protection requirements that extend beyond the common set of requirements established by the Federal Risk and Authorization Management Program (FedRAMP) program. Using FedRAMP requirements as a foundation, the U.S. DoD specifically has defined additional cloud computing security and compliance requirements in their DoD Cloud Computing Security Requirements Guide (SRG). Cloud Service Providers (CSPs) supporting U.S. DoD customers are required to comply with these requirements.

The McAfee MVISION Cloud has been granted a DoD Impact Level 2 (IL2) Provisional Authorization (PA) from Defense Information Systems Agency (DISA) leveraging MVISION Cloud's FedRAMP Moderate ATO. DoD IL2 is for non-Controlled Unclassified Information (non-CUI), which includes all data cleared for public release, as well as some DoD private unclassified information not designated as CUI or critical mission data that requires some minimal level of access control.

McAfee MVISION is actively pursuing DoD Impact Level 4 and DoD Impact Level 5 with multiple customers.

DoD IL4 is for Controlled Unclassified Information(CUI) which includes protection of data from unauthorized disclosure established by Executive Order 13556( Nov 2010); Education, Training, PII, PHI, SSN, Credit Card Information, Export Controls, FOUO and Law Enforcement Sensitive material and email.

DoD IL5 is Controlled Unclassified Information(CUI) and National Security Systems(NSS) which is the highest unclassified information level of protection.

U.S. government program providing a standard approach to security, authorization and monitoringThe Federal Risk and Authorization Management Program (FedRAMP) is a U.S Federal Government Program that provides a standardized approach to security assessment, authorization, and continuous monitoring for Cloud Service Providers (CSP). The FedRAMP program has helped accelerate the adoption of secure cloud solutions, through the reuse of assessment and authorizations across other government agencies. FedRAMP leverages a standardized set of requirements established in accordance with the Federal Information Security Management Act (FISMA), and utilizing the Security Assessment Framework (SAF) and NIST Risk Management Framework (RMF) to continuously monitor, and improve the confidence and process maturity with the various baselines of security controls implemented by the Cloud Service Providers. In-order to support on-going operations with U.S Government customers to process, store or transmit U.S Government data; they are responsible for complying with the requirements established by the FedRAMP Program.

McAfee's MVision Cloud (CASB, Web Security)

• Initially achieved FedRAMP Moderate Agency Authorization in Nov of 2017, and has since maintained the Authority To Operate (ATO).
  With 8 Agency ATO's, McAfee MVision Cloud has now achieved FedRAMP High with the Joint Authorization Board (JAB) in April 2020, and has since maintained the Authority To Operate (ATO). (https://marketplace.fedramp.gov/#!/product/mvision-cloud?sort=productName&productNameSearch=mcafee)

McAfee's MVision for Endpoint (ePO, EDR, Real Protect)

• Has achieved FedRAMP Moderate Agency Authorization in Oct of 2020, and has since maintained the Authority To Operate (ATO). (https://marketplace.fedramp.gov/#!/product/mvision-for-endpoint-epo-edr?sort=productName&productNameSearch=mcafee)

European Union General Data Protection Regulation (GDPR)The General Data Protection Rgulation (GDPR) came into force on May 25, 2018 and is an EU regulation which provides individuals more control over their personal data. The GDPR was designed to harmonize data protection rules across the European Union. It provides rules relating to the protection of individuals with regard to the processing of personal data and rules relating to the free movement of personal data of data subjects in the European Union. The GDPR requires companies to implement appropriate technical and organizational measure to protect personal data.

For more information visit:
https://www.mcafee.com/enterprise/en-us/about/gdpr.html

Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five "trust service principles"-security, availability, processing integrity, confidentiality and privacySOC 2 Type II report is an attestation for the management of MVISION Cloud organization assertion that certain controls are in place to meet the AICPA's SOC 2 Trust Services Criteria (TSC).

The Trust Services Criteria are noted below:

• Security - The system is protected against unauthorized access (both physical and logical).
• Availability - The system is available for operation and use as committed or agreed.
• Processing Integrity - System processing is complete, accurate, and authorized.
• Confidentiality - Information that is designated "confidential" is protected according to policy or agreement.
• Privacy - Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA.

The report contains an opinion from a CPA firm that states whether the CPA firm agrees with management's assertion. The opinion states that the appropriate controls are in place to address the selected TSCs and the controls are designed (Type I report) or designed and operating effectively (Type II report).

The Cloud Security Alliance Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standardsMcAfee MVISION Cloud, the world's leading Cloud Access Security Broker (CASB), enables enterprises to safely adopt SaaS, PaaS and IaaS cloud services as well as Containers, while meeting their security, compliance and governance requirements. With more than 1200 enterprise customers globally, MVISION Cloud provides organizations the visibility and management for all their cloud services, including enforcement of data loss prevention policies; detecting and preventing internal and external threats; encrypting data with customer-controlled keys; and implementing access-control policies.

For more information visti:
https://cloudsecurityalliance.org/star/registry/mcafee/

McAfee Enterprise is committed to publishing data regarding requests or demands for customer data received from law enforcement and national security agenciesMcAfee Enterprise shall publish this data twice per year (covering a reporting period of either January-to-June or July-to-December). Said reports are published six months after the end of a given reporting period in compliance with restrictions on the timing of such reports.

Transparency Reports