Cloud computing security requirements for the US Department of Defense for Impact Level 2The U.S. Department of Defense (DoD) has unique information protection requirements that extend beyond the common set of requirements established by the Federal Risk and Authorization Management Program (FedRAMP) program. Using FedRAMP requirements as a foundation, the U.S. DoD specifically has defined additional cloud computing security and compliance requirements in their DoD Cloud Computing Security Requirements Guide (SRG). Cloud Service Providers (CSPs) supporting U.S. DoD customers are required to comply with these requirements.

The McAfee MVISION Cloud has been granted a DoD Impact Level 2 (IL2) Provisional Authorization (PA) from Defense Information Systems Agency (DISA) leveraging MVISION Cloud's FedRAMP Moderate ATO. DoD IL2 is for non-Controlled Unclassified Information (non-CUI), which includes all data cleared for public release, as well as some DoD private unclassified information not designated as CUI or critical mission data that requires some minimal level of access control.

McAfee MVISION is actively pursuing DoD Impact Level 4 and DoD Impact Level 5 with multiple customers.

DoD IL4 is for Controlled Unclassified Information(CUI) which includes protection of data from unauthorized disclosure established by Executive Order 13556( Nov 2010); Education, Training, PII, PHI, SSN, Credit Card Information, Export Controls, FOUO and Law Enforcement Sensitive material and email.

DoD IL5 is Controlled Unclassified Information(CUI) and National Security Systems(NSS) which is the highest unclassified information level of protection.

U.S. government program providing a standard approach to security, authorization and monitoringThe Federal Risk and Authorization Management Program (FedRAMP) (https://www.fedramp.gov/faqs/) is a U.S. Federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP program has helped to accelerate the adoption of secure cloud solutions through the reuse of assessments and authorizations across government agencies. FedRAMP leverages a standardized set of requirements, established in accordance with the Federal Information Security Management Act (FISMA), to improve consistency and confidence in the security of cloud solutions. Cloud Service Providers (CSP) that support U.S. government customers or operate on U.S. government information are responsible for complying with the requirements established by the FedRAMP program.

MVISION Cloud (CASB, Web Security)

• In November 2017, McAfee's MVISION Cloud achieved FedRAMP Agency Authorization (https://marketplace.fedramp.gov/#/product/mvision-cloud?sort=productName&productNameSearch=mcafee) at the moderate impact level and has since maintained the Authority To Operate (ATO).
• In April 2020, McAfee's MVISION Cloud achieved a FedRAMP Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) (https://marketplace.fedramp.gov/#/product/mvision-cloud?sort=productName&productNameSearch=mcafee) at the High impact level issued by the FedRAMP Joint Authorization Board.

MVISION for Endpoint (MVISION ePO, EDR, AI)

• In September 2019, McAfee MVISION for Endpoint is currently 'FedRAMP In-Process' (https://marketplace.fedramp.gov/#/product/mvision-for-endpoint?sort=productName&productNameSearch=mcafee) of pursuing FedRAMP Authorization at the Moderate Impact Level. This effort is sponsored by the US Department of Homeland Security, Immigration Customs Enforcement (DHS/ICE) and is expected to complete the summer of 2020.

European Union General Data Protection Regulation (GDPR)The General Data Protection Rgulation (GDPR) came into force on May 25, 2018 and is an EU regulation which provides individuals more control over their personal data. The GDPR was designed to harmonize data protection rules across the European Union. It provides rules relating to the protection of individuals with regard to the processing of personal data and rules relating to the free movement of personal data of data subjects in the European Union. The GDPR requires companies to implement appropriate technical and organizational measure to protect personal data.

For more information visit:
https://www.mcafee.com/enterprise/en-us/about/gdpr.html

How McAfee helps support financial service organizations with their regulatory complianceFinancial services organizations endure changing regulations which require more transparency and stricter data protection, usage, and security requirements. McAfee technology can help prevent malicious attacks of data, identify and isolate attacks, initiate automated incident responses to negate an attack, and assist in financial services compliance obligations around securing and protecting data.

For more information visit:
https://www.mcafee.com/enterprise/en-us/solutions/financial-services.html

Information Technology - Security Techniques - Information Security Management Systems - RequirementsISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

ISO 27001 Certificate

To verify our certification, please visit:
https://www.schellman.com/certificate-directory?certificateNumber=1566607-1

Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud servicesISO/IEC 27017 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:

• additional implementation guidance for relevant controls specified in ISO/IEC 27002
• additional controls with implementation guidance that specifically relate to cloud services

ISO 27017 Certificate

To verify our certification, please visit:
https://www.schellman.com/certificate-directory?certificateNumber=1566607-1

Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processorsThis document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in line with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, this document specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

ISO 27018 Certificate

To verify our certification, please visit:
https://www.schellman.com/certificate-directory?certificateNumber=1566607-1

Disaster Recovery & Business ContinuityMcAfee focuses on comprehensive Continuity of Operations by integrating risk management, emergency response, crisis management, business continuity, and disaster recovery processes designed to maintain a state of readiness to bounce back from business disruptions should they occur. We proactively assess and mitigate potential disruptions through dynamic development of business continuity plans. McAfee's Business Continuity Management (BCM) program includes conducting necessary tests against these plans to ensuring they are effective and up-to-date. We leverage periodic Business Impact Analysis of our core business processes and functional groups to prioritize planning and risk mitigation investments.

• McAfee's Business Continuity Management Plans are designed to ensure our critical operations will continue to function with little or no disruption, that our customers' accounts will be secure and accessible, and that our customers will be able to reach us regardless of the scope of the situation or event.
• Recovery Plans (BRPs), Technical Recovery Plans (TRP), and our Business Impact Analysis (BIAs) are reviewed on a regularly scheduled basis, to occur at least annually or where there is an impactful change to the technology or process. This includes ensuring we have an established application Recovery Time Objective (RTO) and Recovery Point Objective (RPO), and needed periodic failover testing for our applications and services which McAfee has identified as "mission critical" or "business critical." Outcomes from all failover testing can result in process/procedure updates and problem records action items which are tracked until successful resolution.

Disaster Recovery & BCP

Health Insurance Portability and Accountability Act (HIPPA) is United States legislation that provides data privacy and security provisions for safeguarding medial information.HIPPA provides federal protections for personal health information held by covered entities and gives patients rights with respect to that information - including controlling access to, use of, and security of this data. McAfee technology helps heathcare providers and processors of HIPPA protected personal health information comply with their data protection obligations under the Act.

McAfee HIPAA Compliance Content Pack

PCI DSS v3.2.1 - PCI Data Security Standard Requirements and Security Assessment ProceduresThe Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing - including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

PCI Certificate

Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five "trust service principles"-security, availability, processing integrity, confidentiality and privacySOC 2 Type II report is an attestation for the management of MVISION Cloud organization assertion that certain controls are in place to meet the AICPA's SOC 2 Trust Services Criteria (TSC).

The Trust Services Criteria are noted below:

• Security - The system is protected against unauthorized access (both physical and logical).
• Availability - The system is available for operation and use as committed or agreed.
• Processing Integrity - System processing is complete, accurate, and authorized.
• Confidentiality - Information that is designated "confidential" is protected according to policy or agreement.
• Privacy - Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA.

The report contains an opinion from a CPA firm that states whether the CPA firm agrees with management's assertion. The opinion states that the appropriate controls are in place to address the selected TSCs and the controls are designed (Type I report) or designed and operating effectively (Type II report).

TISAX (Trusted Information Security Assessment Exchange) certification enables mutual acceptance of Information Security Assessments in the automotive industryThe VDA Information Security Committee of the VDA (German Association of the Automotive Industry) was established more than 10 years ago, and has ever since developed a catalogue of assessment criteria on information security based on key aspects of the international ISO/IEC 27001 and 27002 standards: VDA ISA (VDA Information Security Assessment).

This instrument is used by VDA member companies both for internal purposes and for assessments at suppliers and service providers processing sensitive information of their respective partners.

Assessments according to VDA ISA, particularly at service providers and suppliers, are being handled individually by each requiring company so far. Therefore, it is possible that a partner is assessed several times at short intervals.

The VDA Information Security Committee establishes a common assessment and exchange mechanism (TISAX = Trusted Information Security Assessment Exchange) in the automotive industry and beyond, to avoid such multiple effort in the future.

The TISAX system is operated by ENX Association which has been entrusted with the implementation as a neutral instance by the VDA.

TISAX creates competition among the accredited audit providers and allows for common acceptance of assessment results within the circle of TISAX Participants. The audit providers perform the assessments based on this set of information security management controls

Continually providing customers with independently tested, validated, and certified productsGovernments worldwide need to ensure that products they use meet their affiliated security criteria, perform to expectations, and integrate with their existing technology. As a global leader in providing evaluated and certified information security products to the worldwide marketplace, McAfee delivers on these requirements by maintaining a continually active and robust product evaluation and certification program to serve its global government customers.

Public Sector Product Certifications

The Cloud Security Alliance Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standardsMcAfee MVISION Cloud, the world's leading Cloud Access Security Broker (CASB), enables enterprises to safely adopt SaaS, PaaS and IaaS cloud services as well as Containers, while meeting their security, compliance and governance requirements. With more than 1200 enterprise customers globally, MVISION Cloud provides organizations the visibility and management for all their cloud services, including enforcement of data loss prevention policies; detecting and preventing internal and external threats; encrypting data with customer-controlled keys; and implementing access-control policies.

For more information visti:
https://cloudsecurityalliance.org/star/registry/mcafee/