CrowdStrike for the Federal Government FAQ
Yes, CrowdStrike has received DoD cloud services provider Provisional Authorization (PA), meeting the requirements of Impact Level 5 (IL5). This certifies that the additional controls and certifications have been met to help agencies cover Controlled Unclassified Information (CUI) and National Security Systems (NSS) data.
FedRAMP High requirements include additional controls above the standard NIST baseline controls in NIST SP 800-53 Revision 5. These additional controls address the unique elements of cloud computing to ensure all federal data is secure in cloud environments.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that reduces the cost, time, and staff required to conduct redundant security assessments across different agencies.
The CrowdStrike Falcon Platform for Government has been FedRAMP authorized since 2018. Previously at a Moderate, and since March 2025 at a High Impact Level.
For additional information, visit the CrowdStrike Falcon Platform for Government webpage or CrowdStrike FedRAMP Marketplace listing.
Both FedRAMP and FISMA (Federal Information Security Management Act of 2002) use the NIST SP 800-53 security controls. The FedRAMP security controls are based on NIST SP 800-53 Revision 5 baselines and contain controls above the NIST baseline that address the unique elements of cloud computing. FedRAMP operates on a "do once, use many times" framework. This approach is designed to simplify and standardize the process of achieving FISMA compliance for Cloud Service Providers (CSPs).
CrowdStrike Falcon® is a 100% cloud-native solution, offering unprecedented endpoint capabilities that scale and deliver on endpoint requirements like never before. Falcon requires no on-premises servers, databases or controllers to be installed, freeing you from the cost and hassle of managing, maintaining and updating on-premises software and hardware.
The CDM program is a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM program provides cybersecurity tools, integration services and dashboards to participating agencies to support them in improving their respective security posture. The CDM approach is consistent with guidance from the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) and helps meet federal reporting requirements. CDM offers industry-leading, commercial off-the-shelf (COTS) tools to support technical modernization as threats change. To start, agency-installed sensors are deployed and perform an ongoing, automated search for known cyber flaws. Results from the sensors feed into an agency dashboard that produces customized reports to alert network managers of their most critical cyber risks.
The CDM program enhances government network security through automated control testing and progress tracking. This approach:
- Provides services to implement sensors and dashboards
- Delivers near real-time results
- Prioritizes the worst problems within minutes, versus quarterly or annually
- Enables defenders to identify and mitigate flaws at network speed
- Lowers operational risk and exploitation of government IT systems and networks
Additionally, for federal cyber investments, the CDM program fulfills Federal Information Security Management Act (FISMA) mandates.
Yes. CrowdStrike products, intelligence and services are listed on the CDM Approved Products List. For additional details on how CrowdStrike maps to CDM phases and functional areas, please contact your CrowdStrike representative.
CMMC is a vehicle the U.S. government is using to implement a tiered approach to audit contractor compliance with NIST SP 800-171, based on five different levels of maturity expectations. DOD contractors have been required to comply with NIST 800-171 since January 1, 2018. In the past two years, the DOD grappled with the low rate of NIST 800-171 compliance across the Defense Industrial Base (DIB), and CMMC was created to remedy that systemic issue of non-compliance by both primes and their subs. CMMC is intended to act as a procurement gate that a contractor must pass to be eligible to bid on, win or participate on a contract. Without a valid CMMC certification (Level 1 through 5), the prime and/or sub will be barred from applicable contracts.
The CrowdStrike Falcon Platform for Government platform addresses many of the CMMC 2.0 control requirements based on NIST SP 800-171, and CrowdStrike has an excellent understanding of the model and how to support your unique organizational needs. For additional detail on specific alignment and implementation, please contact your CrowdStrike representative for assistance or review the CrowdStrike Falcon® Platform for CMMC 2.0 product applicability guide published by Coalfire, available from CrowdStrike's Trust Center via self-service registration at trust.crowdstrike.com or from https://www.crowdstrike.com/en-us/resources/white-papers/falcon-platform-for-cmmc/
For more information, visit the CrowdStrike for Public Sector FAQ page or email publicsector@crowdstrike.com.
