Contact Us 1-800-596-4880

Security in MuleSoft Government Cloud

MuleSoft Government Cloud meets the security requirements of FedRAMP (Federal Risk and Authorization Management Program) and other security protocols.

FedRAMP Compliance

MuleSoft Government Cloud meets all FedRAMP security and compliance standards. FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by the U.S. government. For additional information, refer to MuleSoft Government Cloud FedRAMP Authorization.

Mule 4 connectors that are verified for FIPS compliance can be found in Anypoint Exchange at Assets provided by MuleSoft.

The following modules are FIPS compliant:

A partial list of FIPS 140-2 compliant cipher suites supported by MuleSoft Government Cloud is provided in FIPS 140-2 Compliance Support.

A Third-Party Assessment Organization (3PAO) performs the security assessments following guidance in the National Institute of Standards and Technology (NIST) 800-37 publication. The security assessment validates management, operational, and technical security controls used to protect the confidentiality, integrity, and availability of MuleSoft Government Cloud and the data it stores, transmits, and processes.

MuleSoft obtained the FedRAMP Agency Authority to Operate (ATO) at the Moderate Impact Risk level.

Security Protocols

In addition to FedRAMP compliance, MuleSoft Government Cloud adheres to these security protocols:

  • Federal Information Processing Standards (FIPS 140-2)

    Complies with hardware and software encryption standards for all data at rest (stored data).

    You must configure Mule runtime engine to run in FIPS-compliant mode. See FIPS 140-2 Compliance Support.

  • Transport Layer Security (TLS) 1.2 encryption

    Implements encryption for all external and internal data transmission to block “man in the middle” attacks.

  • NIST 800-53

    Enhances physical and logical security.

  • CIS benchmarks

    Hardens instances to address the Center for Internet Security checklists.

Secure Hosting Platform

MuleSoft Government Cloud is hosted in Amazon Web Services (AWS) High Authorized GovCloud.

AWS GovCloud:

  • Supports compliance with United States International Traffic in Arms Regulations (ITAR)

  • Has achieved Department of Defense (DoD) Provisional Authorization at IL (Impact Level) 2, 4, and 5

Cloud Security and Data

MuleSoft Government Cloud provides a highly secure environment for government entities to perform sensitive data manipulations.

Mule runtime engine transmits but does not inspect, permanently store, or otherwise interact directly with government data. Government agencies always maintain control over their data, configuration, and workers.

Support and Maintenance

MuleSoft supports MuleSoft Government Cloud with dedicated support personnel located in the United States. MuleSoft provides continuous monitoring services to protect confidentiality, integrity, and availability of government data managed in MuleSoft Government Cloud.

The MuleSoft Compliance and Information Security teams:

  • Work directly with FedRAMP agencies to address all vulnerabilities as required by FedRAMP ATO standards.

  • Follow industry best practices for security, including password enforcement, multi-factor authentication (MFA), and user education.

  • Maintain security policies related to operations, data security, passwords and credentials, facilities and network security, and secure connectivity.

  • Perform internal security audits to ensure compliance with security policies.

Allowing Trusted Domains for API Platform Proxies

Every HTTP request you make to an external resource goes through the API Console Proxy.

By default, proxy requests are blocked for external domains on authenticated requests. For security reasons, you must register the domain as an allowed domain in Anypoint Platform.

To add a new domain:

  1. Log in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. In the navigation bar, click Access Management.

  3. Click Trusted domains.

  4. Click Add domain.

    The domain must not match an existing domain, must not be a domain or subdomain of MuleSoft or Anypoint Platform, and must be written in the format exampledomain.com.

    Regular expressions are not supported.
  5. Type the domain name and click Add domain.

    The domain is added to your list of trusted domains. You are redirected to the trusted domains page, where you can edit or delete your domains. If you register a domain on a parent organization, the domain is allowlisted for all of your business groups.