Certifications, Regulations and Standards
Our dedicated Information Security and Privacy teams are responsible for maintaining McAfee's compliance with a variety of laws, standards, and frameworks, including:

Cloud computing security requirements for the US Department of Defense for Impact Level 2
The U.S. Department of Defense (DoD) has unique information protection requirements that extend beyond the common set of requirements established by the Federal Risk and Authorization Management Program (FedRAMP). Using FedRAMP requirements as a foundation, the U.S. DoD has defined additional cloud computing security and compliance requirements in its DoD Cloud Computing Security Requirements Guide (SRG). Cloud Service Providers (CSPs) supporting U.S. DoD customers are required to comply with these requirements.
The McAfee MVISION Cloud has been granted a DoD Impact Level 2 (IL2) Provisional Authorization (PA) from Defense Information Systems Agency (DISA) leveraging MVISION Cloud's FedRAMP Moderate ATO. DoD IL2 is for non-Controlled Unclassified Information (non-CUI), which includes all data cleared for public release, as well as some DoD private unclassified information not designated as CUI or critical mission data that requires some minimal level of access control.
McAfee MVISION is actively pursuing DoD Impact Level 4 and DoD Impact Level 5 with multiple customers.
DoD IL4 is for Controlled Unclassified Information (CUI), which includes protection of data from unauthorized disclosure established by Executive Order 13556 (Nov 2010): Education, Training, PII, PHI, SSN, Credit Card Information, Export Controls, FOUO and Law Enforcement Sensitive material and email.
DoD IL5 is for Controlled Unclassified Information (CUI) and National Security Systems (NSS), which is the highest unclassified information level of protection.

U.S. government program providing a standard approach to security, authorization and monitoring
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal Government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for Cloud Service Providers (CSPs). The FedRAMP program has helped accelerate the adoption of secure cloud solutions through the reuse of assessments and authorizations across government agencies. FedRAMP leverages a standardized set of requirements established in accordance with the Federal Information Security Management Act (FISMA), utilizing the Security Assessment Framework (SAF) and the NIST Risk Management Framework (RMF) to continuously monitor and improve confidence and process maturity across the baselines of security controls implemented by Cloud Service Providers. CSPs that process, store or transmit U.S. Government data in ongoing operations with U.S. Government customers are responsible for complying with the requirements established by the FedRAMP program.
McAfee's MVISION Cloud (CASB, Web Security)
- Initially achieved FedRAMP Moderate Agency Authorization in Nov of 2017, and has since maintained the Authority To Operate (ATO).
- With 8 Agency ATOs, McAfee MVISION Cloud achieved FedRAMP High with the Joint Authorization Board (JAB) in April 2020, and has since maintained the Authority To Operate (ATO). (https://marketplace.fedramp.gov/#!/product/mvision-cloud?sort=productName&productNameSearch=mcafee)
McAfee's MVISION for Endpoint (ePO, EDR, Real Protect)
- Achieved FedRAMP Moderate Agency Authorization in Oct of 2020, and has since maintained the Authority To Operate (ATO). (https://marketplace.fedramp.gov/#!/product/mvision-for-endpoint-epo-edr?sort=productName&productNameSearch=mcafee)

European Union General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) came into force on May 25, 2018 and is an EU regulation that gives individuals more control over their personal data. The GDPR was designed to harmonize data protection rules across the European Union. It provides rules relating to the protection of individuals with regard to the processing of personal data and rules relating to the free movement of personal data of data subjects in the European Union. The GDPR requires companies to implement appropriate technical and organizational measures to protect personal data.
For more information visit:
https://www.mcafee.com/enterprise/en-us/about/gdpr.html

Information technology - Security techniques - Information Security Management Systems - Requirements
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
ISO 27001 Certificate
To verify our certification, please visit:
https://www.schellman.com/certificate-directory

Information Technology - Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
ISO 27701 specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
ISO 27701 specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.
ISO 27701 Certificate
To verify our certification, please visit:
https://www.schellman.com/certificate-directory

Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services
ISO/IEC 27017 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
- additional implementation guidance for relevant controls specified in ISO/IEC 27002
- additional controls with implementation guidance that specifically relate to cloud services
ISO 27017 Certificate
To verify our certification, please visit:
https://www.schellman.com/certificate-directory

Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in line with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, this document specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
ISO 27018 Certificate
To verify our certification, please visit:
https://www.schellman.com/certificate-directory

PCI DSS v3.2.1 - PCI Data Security Standard Requirements and Security Assessment Procedures
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing - including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
PCI Certificate

Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five "trust service principles": security, availability, processing integrity, confidentiality and privacy
A SOC 2 Type II report is an attestation of MVISION Cloud management's assertion that certain controls are in place to meet the AICPA's SOC 2 Trust Services Criteria (TSC).
The Trust Services Criteria are noted below:
- Security - The system is protected against unauthorized access (both physical and logical).
- Availability - The system is available for operation and use as committed or agreed.
- Processing Integrity - System processing is complete, accurate, and authorized.
- Confidentiality - Information that is designated "confidential" is protected according to policy or agreement.
- Privacy - Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA.
The report contains an opinion from a CPA firm that states whether the CPA firm agrees with management's assertion. The opinion states that the appropriate controls are in place to address the selected TSCs and the controls are designed (Type I report) or designed and operating effectively (Type II report).

TISAX (Trusted Information Security Assessment Exchange) certification enables mutual acceptance of Information Security Assessments in the automotive industry
The Information Security Committee of the VDA (German Association of the Automotive Industry) was established more than 10 years ago, and has since developed a catalogue of assessment criteria on information security based on key aspects of the international ISO/IEC 27001 and 27002 standards: VDA ISA (VDA Information Security Assessment).
This instrument is used by VDA member companies both for internal purposes and for assessments at suppliers and service providers processing sensitive information of their respective partners.
Assessments according to VDA ISA, particularly at service providers and suppliers, are being handled individually by each requiring company so far. Therefore, it is possible that a partner is assessed several times at short intervals.
The VDA Information Security Committee establishes a common assessment and exchange mechanism (TISAX = Trusted Information Security Assessment Exchange) in the automotive industry and beyond, to avoid such multiple effort in the future.
The TISAX system is operated by ENX Association which has been entrusted with the implementation as a neutral instance by the VDA.
TISAX creates competition among the accredited audit providers and allows for common acceptance of assessment results within the circle of TISAX participants. The audit providers perform the assessments based on this set of information security management controls.

The Cloud Security Alliance Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards
McAfee MVISION Cloud, the world's leading Cloud Access Security Broker (CASB), enables enterprises to safely adopt SaaS, PaaS and IaaS cloud services as well as containers, while meeting their security, compliance and governance requirements. With more than 1200 enterprise customers globally, MVISION Cloud provides organizations visibility and management for all their cloud services, including enforcement of data loss prevention policies; detecting and preventing internal and external threats; encrypting data with customer-controlled keys; and implementing access-control policies.
For more information visit:
https://cloudsecurityalliance.org/star/registry/mcafee/