Certifications and Compliance
Adherence to technology certifications and industry compliance requirements is critical to maintaining a robust security posture. To that end, Mandiant is dedicated to ensuring that both FireEye and Mandiant security products and technologies meet or exceed critical industry certifications and compliance requirements.
FedRAMP - Federal Risk and Authorization Management Program
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP enables Agencies to move from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT. This certification includes the expanded boundary of FireEye Email Security (ETP-GOV), which covers FireEye’s proprietary AVAS module with its antivirus, anti-spam and impersonation detection capabilities.
ISO/IEC 27001:2013
As one of the most widely recognized international standards for information security, this certification covers every aspect of people, process and systems security. The scope of the ISO/IEC 27001:2013 certification is limited to the information security management system (ISMS) supporting FireEye Email Security Cloud Edition, and is in accordance with the statement of applicability dated June 17, 2019. The in-scope infrastructure is housed at data centers located in EMEA (Europe) and North America; colocation and cloud hosting services are not included in the scope of the ISMS.
SAFETY Act
The SAFETY Act provides incentives for the development and deployment of anti-terrorism technologies by creating a system of "risk management" and a system of "litigation management." The purpose of the Act is to ensure that the threat of liability does not deter potential manufacturers or sellers of anti-terrorism technologies from developing and commercializing technologies that could save lives. FireEye provides the Multi-Vector Virtual Execution (“MVX”) Engine and Cloud Services, which is offered as a security platform to protect customers from malware. By executing suspicious content in a virtual machine environment, FireEye MVX technology analyzes software for malicious code and behaviors. Updates to the software are shared with customers via FireEye's cloud service.
SOC 2 – Service Organization and Controls
Mandiant and FireEye undergo an annual independent third-party SSAE 18 audit using the criteria set forth in the American Institute of Certified Public Accountants (AICPA) Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Confidentiality (SOC 2®), assessing the suitability of the design and operating effectiveness of controls for the security, availability, and confidentiality principles set forth in the Trust Services Principles, TSP section 100A. Mandiant and FireEye can provide users with compliance reports (SOC 2 Type II reports) for the offerings listed below; each report includes a description of the controls environment, together with the external audit result and opinion on the controls that meet the AICPA Trust Services Security, Availability, and Confidentiality Principles and Criteria.
- Mandiant Automated Defense
- Mandiant Managed Defense
- Mandiant Security Validation (Q4 2021)
- FireEye Email Security Cloud Edition
- FireEye Cloud Multi-Vector Virtual Execution (MVX)
- FireEye Endpoint Security Cloud
- FireEye Helix
Cyber Essentials Plus
Cyber Essentials Certification is an effective, UK Government backed scheme from the National Cyber Security Centre that shows Mandiant protects its organization against a whole range of cyber-attacks. The Cyber Essentials scheme provides clear evidence of good basic cyber security practice. By focusing on basic cyber hygiene, Mandiant shows it is better protected from the most common cyber threats. Cyber Essentials Certification is required to bid for UK central government contracts which involve handling sensitive and personal information or the provision of certain technical products and services.
PCI DSS V3.2 - Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard, administered by the PCI Security Standards Council, that’s designed to encourage and enhance cardholder data security and promote the adoption of consistent data security measures around the technical and operational components related to cardholder data.
Mandiant engages a Qualified Security Assessor (“QSA”) company to conduct an annual audit against the eligible criteria of the PCI Self-Assessment Questionnaire for Service Providers (SAQ-D) and has successfully received an Attestation of Compliance (AoC) covering its Mandiant Managed Defense services.
EU-U.S. Privacy Shield, and the Swiss-U.S. Privacy Shield
FireEye complies with the requirements of the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. FireEye adheres to the Privacy Shield Principles of notice; choice; onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement and liability with respect to all personal information transferred from the EU or Switzerland to the US within the scope of its Privacy Shield certification.
Learn More: https://www.privacyshield.gov/list
NIST SP 800-171 - Protecting Controlled Unclassified Information
National Institute of Standards and Technology Special Publication 800-171 was released in June 2015. It focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in non-federal information systems and organizations, and defines the security requirements needed to achieve that objective. Mandiant and FireEye have undergone a self-assessment that confirmed compliance with the NIST 800-171 controls, and they continually evaluate their compliance with NIST 800-171.