Compliance

Accessibility

Veritas prioritizes accessibility in its digital offerings, ensuring alignment with the Web Content Accessibility Guidelines (WCAG) set forth by the World Wide Web Consortium. While achieving universal accessibility can present challenges, Veritas undertakes regular evaluations of its platforms. By addressing any identified issues promptly, Veritas showcases its unwavering commitment to providing an inclusive user experience for everyone.

AWS GovCloud

AWS GovCloud (US) is designed for government customers and their partners, offering a secure cloud solution environment. It ensures compliance with several stringent standards and regulatory frameworks, including:

• FedRAMP High Baseline
• Department of Justice’s Criminal Justice Information Systems (CJIS) Security Policy
• U.S. International Traffic in Arms Regulations (ITAR)
• Export Administration Regulations (EAR)
• Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) for Impact Levels 2, 4, and 5
• FIPS 140-2
• IRS-1075

This ensures that users can operate within a compliant, secure, and flexible cloud infrastructure tailored to the unique needs of government entities.

Azure Government

Microsoft Azure Government has been developed to meet the rigorous compliance standards required by U.S. government entities. It has secured approvals and authorizations from critical frameworks, such as:

• Federal Risk and Authorization Management Program (FedRAMP)
• Department of Defense (DoD) Cloud Security Requirements Guide (SRG) for Impact Levels 2, 4, and 5

For its specific U.S. government regions—Arizona, Texas, and Virginia—Azure Government has earned:

• FedRAMP High Provisional Authorization to Operate (P-ATO) from the Joint Authorization Board (JAB)
• DoD IL2, IL4, and IL5 Provisional Authorizations (PA) issued by the Defense Information Systems Agency (DISA), and IL5 Provisional Authorizations issued by the Defense Information Systems Agency (DISA)

CMMC

• The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to assess and enhance the cybersecurity posture of defense contractors and subcontractors in the Defense Industrial Base (DIB). CMMC requires contractors to meet specific cybersecurity standards and practices to bid on DoD contracts at different maturity levels, ranging from basic cybersecurity hygiene to advanced practices.

Common Criteria

The Common Criteria for IT Security Evaluation, together with its counterpart, the Common Methodology for IT Security Evaluation, serves as the foundational element of the international Common Criteria Recognition Arrangement. This ensures that:

• Products undergo evaluation by independent, licensed labs to verify specific security feature
• Documents guide the certification process detailing the application of the criteria and methods for different tech types
• Certificates validating an evaluated product’s security attributes can be distributed by numerous Certificate Authorizing Schemes, all based on the evaluation results
• All CCRA signatories recognize these certificates

Cybersecurity & Infrastructure Security Agency (CISA)

• EO 14028
  Executive Order (EO) 14028 went into effect on May 12, 2021, to strengthen the nation’s cybersecurity. This EO requires agencies to enhance their cybersecurity and software supply chain integrity. EO 14028 calls for all software vendors to the US government list the components that they used to create their products with software bill of materials (SBOM). EO 14028 also requires agencies to enforce multi-factor authentication, encryption for data at rest and in transit (FIPS 140-2), and Zero Trust architecture for their products.

• IPv6/USGv6
  The United States Government (USG) version 6 is a set of technical requirements and recommendations developed by the U.S. Government to guide federal agencies in the adoption and deployment of the latest version of the Internet Protocol (IP), version 6. The USGv6 profile outlines specific standards and configurations that federal agencies should follow to ensure interoperability, security, and compliance with IPv6-related mandates and policies.

DISA STIG

The Defense Information Systems Agency’s (DISA) Security Technical Implementation Guides (STIGs) serve as configuration benchmarks intended to optimize security across both hardware and software. Their primary goal is to protect the Department of Defense’s IT infrastructure.

FedRAMP

• Managing data on internal hardware is often complicated, time consuming and expensive; but the cloud if not managed correctly is a potential security risk
• Federal Risk and Authorization Management Program (FedRAMP) created “a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services"
• bluesource has worked with Veritas to create a secure cloud solution that complies with the strict FedRAMP guidelines to create a secure environment within Microsoft Azure for federal agencies to access Enterprise Vault, the eDiscovery Platform, and Merge1 as SaaS solutions
• Government organizations can meet “Cloud Smart” requirements, improve their FITARA score, and observe immediate cost savings without hiring any additional staff
• The customer will own the Veritas software license just like on-prem; bluesource will quote the Hardware and Management Fees for it to be fully hosted and managed as per FedRAMP’s strict requirements
• To receive a quote or for more information, bluesource can be reached by email at sales@bluesource.net

FIPS 140-2

The Federal Information Processing Standard (FIPS) 140-2 outlines security expectations for cryptographic modules. It covers a spectrum of applications and surroundings through four progressive qualitative stages. Key areas include design specifications, ports, interfaces, roles, physical security, operational environment, cryptographic key management, electromagnetic considerations, self-tests, design assurance, and attack mitigation.

IRAP

The Information Security Registered Assessors Program (IRAP) is an initiative by the Australian Cyber Security Centre (ACSC) to enhance the cybersecurity posture of Australian government agencies and organizations that provide services to the government.

National Institute of Standards in Technology (NIST)

The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce that promotes U.S. innovation and industrial competitiveness. NIST developed cybersecurity frameworks and standards, such as the NIST Cybersecurity Framework (CSF) that provides guidance for organizations to manage and improve their cybersecurity risk management processes. Some notable Special Publications (SP)/Risk Management Frameworks (RMF) are NIST SP 800-53, NIST SP 800-37 RMF, Intelligence Community Directive (ICD) 503, NIST 800-171, and NIST 800-218.

Sheltered Harbor

Sheltered Harbor is a not-for-profit industry initiative in the U.S. aimed at enhancing the resilience and security of the financial sector against cyber threats and operational risks. This was launched in response to the increasing frequency and sophistication of cyberattacks targeting financial institutions. By adopting Sheltered Harbor’s standards as best practice, financial institutions can better protect their customers’ assets and maintain trust and confidence in the stability and security of the financial system.

SOC 2

SOC 2 assessments provide independent, third-party examination documents that highlight how an organization upholds essential compliance controls and aims. Developed in line with the Auditing Standards Board of the AICPA’s Trust Services Criteria, these evaluations focus on an organization’s information systems in relation to aspects like security, availability, integrity, confidentiality, and privacy.

TLS 1.3

The Transport Layer Security (TLS) 1.3 cryptographic protocol provides mechanisms to securely protect data during internet communications. TLS operates by establishing a secure connection between a client and server using encryption, authentication, and key exchange mechanisms.

WORM Compliance

Policies set by the Financial Industry Regulatory Authority dictate that data must be securely retained, encrypted, and immutably stored on Write Once Read Many (WORM) media. Such data must be retrievable, with organizations capable of providing comprehensive audit trails for data usage and deletion.