Security in MuleSoft Government Cloud
MuleSoft Government Cloud meets the security requirements of FedRAMP (Federal Risk and Authorization Management Program) and other security protocols.
FedRAMP Compliance
MuleSoft Government Cloud meets all FedRAMP security and compliance standards. FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by the U.S. government. For additional information, refer to MuleSoft Government Cloud FedRAMP Authorization.
Mule 4 connectors that are verified for FIPS compliance can be found in Anypoint Exchange at Assets provided by MuleSoft.
The following modules are FIPS compliant:
A partial list of FIPS 140-2 compliant cipher suites supported by MuleSoft Government Cloud is provided in FIPS 140-2 Compliance Support.
A Third-Party Assessment Organization (3PAO) performs the security assessments following guidance in the National Institute of Standards and Technology (NIST) 800-37 publication. The security assessment validates management, operational, and technical security controls used to protect the confidentiality, integrity, and availability of MuleSoft Government Cloud and the data it stores, transmits, and processes.
MuleSoft obtained the FedRAMP Agency Authority to Operate (ATO) at the Moderate Impact Risk level.
Security Protocols
In addition to FedRAMP compliance, MuleSoft Government Cloud adheres to these security protocols:
-
Federal Information Processing Standards (FIPS 140-2)
Complies with hardware and software encryption standards for all data at rest (stored data).
You must configure Mule runtime engine to run in FIPS-compliant mode. See FIPS 140-2 Compliance Support.
-
Transport Layer Security (TLS) 1.2 encryption
Implements encryption for all external and internal data transmission to block “man in the middle” attacks.
-
NIST 800-53
Enhances physical and logical security.
-
CIS benchmarks
Hardens instances to address the Center for Internet Security checklists.
Secure Hosting Platform
MuleSoft Government Cloud is hosted in Amazon Web Services (AWS) High Authorized GovCloud.
AWS GovCloud:
-
Supports compliance with United States International Traffic in Arms Regulations (ITAR)
-
Has achieved Department of Defense (DoD) Provisional Authorization at IL (Impact Level) 2, 4, and 5
Cloud Security and Data
MuleSoft Government Cloud provides a highly secure environment for government entities to perform sensitive data manipulations.
Mule runtime engine transmits but does not inspect, permanently store, or otherwise interact directly with government data. Government agencies always maintain control over their data, configuration, and workers.
Support and Maintenance
MuleSoft supports MuleSoft Government Cloud with dedicated support personnel located in the United States. MuleSoft provides continuous monitoring services to protect confidentiality, integrity, and availability of government data managed in MuleSoft Government Cloud.
The MuleSoft Compliance and Information Security teams:
-
Work directly with FedRAMP agencies to address all vulnerabilities as required by FedRAMP ATO standards.
-
Follow industry best practices for security, including password enforcement, multi-factor authentication (MFA), and user education.
-
Maintain security policies related to operations, data security, passwords and credentials, facilities and network security, and secure connectivity.
-
Perform internal security audits to ensure compliance with security policies.