CrowdStrike - Compliance and Certification

HELPING YOU MEET YOUR REGULATORY NEEDS

CrowdStrike recognizes that compliance and certification frameworks are critical to your organization. CrowdStrike can help you meet these requirements, providing you with confidence regarding the safe, smooth and compliant operation of your business. External validation and accreditation is critically important to organizations that rely on CrowdStrike’s capabilities and technology to secure their data and comply with regulatory requirements.

PCI DSS V3.2

This report, produced by Coalfire, a PCI Qualified Security Assessor (QSA), outlines CrowdStrike Falcon®'s functionality with respect to PCI DSS v3.2. In summary:

  • CrowdStrike Falcon® meets all elements of requirement No. 5: "Protect all systems against malware and regularly update antivirus software or programs."
  • In addition, CrowdStrike Falcon® provides assistance with meeting four additional PCI requirements.

Cybersecurity Maturity Model Certification (CMMC)

CMMC was created to help mature the protection of the Defense Industrial Base, the supply chain of the U.S. Department of Defense. CrowdStrike solutions can help customers prepare for compliance up to and including Level 5.

  • CrowdStrike products help address 118 of the 171 CMMC requirements.
  • CrowdStrike’s modular subscription capabilities allow organizations to leverage as little or as much as they require to meet Department of Defense demands.

FEDRAMP

CrowdStrike Falcon® on GovCloud is authorized under the Federal Risk and Authorization Management Program (FedRAMP). CrowdStrike’s Authorization to Operate (ATO) at the Moderate Impact Level from the U.S. Department of Commerce’s International Trade Administration (ITA) supports the federal government’s efforts to modernize IT and streamline operations with cloud computing by addressing the need for comprehensive endpoint protection delivered via the cloud. CrowdStrike seeks to make this process easy for federal entities through FedRAMP authorization.

Defense Information Systems Agency (DISA)

CrowdStrike Falcon on GovCloud has been granted two separate Provisional Authorizations (PAs) by DISA, meeting DoD standards to operate at Impact Level 4 (IL4) and Impact Level 5 (IL5). This authorization allows DoD agencies and supporting organizations to use CrowdStrike without having to spend additional time and effort on their own to vet and approve the necessary security controls.

Criminal Justice Information Services (CJIS)

Criminal Justice Information Services (CJIS) compliance is important for law enforcement institutions and vendors who interact with sensitive Criminal Justice Information. The CJIS Security Policy describes controls to protect wireless networking, data encryption, remote access, personnel and more. CrowdStrike can support CJIS in states that have executed a CJIS Security Agreement with CrowdStrike in GovCloud. Please contact your sales team for more information.

EU-U.S. and Swiss-U.S. Privacy Shield Frameworks

In addition to adhering to post-Schrems II lawful transfer mechanisms, as detailed in our data protection agreement, CrowdStrike continues to participate in and has certified compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. CrowdStrike is committed to subjecting personal information received from the European Economic Area (EEA), the United Kingdom, and Switzerland in reliance on each Privacy Shield Framework to that Framework’s applicable Principles.

  • CrowdStrike complies with GDPR requirements for the proper handling of personal data collected and stored in the CrowdStrike Falcon® platform.
  • CrowdStrike offers platform and cloud security, intelligence subscription services, professional services, and more to organizations looking to achieve GDPR compliance.

HIPAA

This report, produced by leading HIPAA compliance assessor Coalfire, outlines how CrowdStrike Falcon® can be used to address the HIPAA security requirements, including specific privacy rules for organizations implementing HIPAA (the Health Insurance Portability and Accountability Act).

In summary, the report shows:

  • CrowdStrike Falcon® has been independently validated to assist healthcare organizations in achieving compliance with HIPAA.
  • CrowdStrike Falcon® was identified as addressing eight separate key HIPAA technical requirements.

NIST SP 800-53 REV. 4

This report, produced by leading compliance assessor Coalfire, outlines how CrowdStrike Falcon® can assist organizations in their compliance efforts with respect to National Institute of Standards and Technology (NIST). NIST Special Publication 800-53 Revision 4 is a security control standard that provides guidelines for selecting technical, physical, and operational security controls for components of an information system that processes, stores, or transmits federal information. In summary, the report shows:

  • CrowdStrike Falcon® is a suitable solution for addressing the system protection and monitoring controls identified in NIST SP 800-53 Rev. 4.
  • CrowdStrike Falcon® helps implementing organizations with eight separate NIST control families, covering 23 separate controls.

FFIEC

This report, produced by leading compliance assessor Coalfire, outlines how CrowdStrike Falcon® can assist organizations in their compliance efforts with respect to the Federal Financial Institutions Examination Council (FFIEC). This framework defines the baseline technical, physical, and operational security controls necessary for protecting customer financial information. CrowdStrike’s Falcon platform was evaluated against the 2016 release of the FFIEC IT Examination Handbook for Information Security, a document that provides guidance for examiners auditing financial institutions to determine the level of security risk to the institution’s information systems. In summary, the report shows:

  • CrowdStrike Falcon®'s capabilities in detecting and responding to threats, and its associated collection of endpoint activity data, make it a suitable solution for addressing the system protection and monitoring controls required for FFIEC compliance.
  • CrowdStrike Falcon® provides support for achieving five FFIEC objectives, addressing 17 controls within those objectives.

NSA-CIRA

This accreditation from the National Security Agency signifies that CrowdStrike has been evaluated and certified in critical focus areas derived from industry and government best practices for cybersecurity investigation.

  • CrowdStrike is one of only 12 organizations accredited by the National Security Agency for National Security Cyber Assistance Program (NSCAP) Cyber Incident Response Assistance (CIRA).

SERVICE ORGANIZATION CONTROL 2 (SOC 2®)

This attestation addresses a service organization’s controls relevant to security, availability, processing integrity, confidentiality or privacy.

  • CrowdStrike is compliant with Service Organization Control 2 standards and provides its CrowdStrike Falcon® customers with a SOC 2® report.
  • The Type 2 report addresses the suitability of design and the operating effectiveness of the controls.

AV COMPARATIVES TESTING

AV-Comparatives is a leading vendor-independent organization offering systematic testing that checks whether security software lives up to its promises and claims. AV-Comparatives asked CrowdStrike to participate in its first-ever public comparative test report of next-generation security products. In summary, the test report shows:

  • CrowdStrike Falcon® received the first-ever ‘Approved NextGen Security’ award.
  • CrowdStrike Falcon® was the only tested endpoint solution to achieve 100% detection efficacy on all exploits used in the testing.
  • CrowdStrike Falcon® scored between 98% and 99.2% detection efficacy with zero false positives on three separate malware tests performed by AV-Comparatives.

CLOUD SECURITY ALLIANCE (CSA) SECURITY, TRUST, & ASSURANCE REGISTRY (STAR) ATTESTATION

The CSA STAR Attestation is positioned as Level 2 of the Open Certification Framework and involves a third party assessing the security of a cloud service provider using a combination of the SOC 2 framework and additional cloud-provider-specific criteria.

  • CrowdStrike’s controls related to customer data and internal controls have been verified by an independent third-party attestation, and CrowdStrike maintains a full STAR attestation. This attestation is re-evaluated on an annual basis.
  • The current CSA STAR attestation is included as part of a combined SOC 2 and CSA STAR report, which addresses the suitability of design and operating effectiveness of CrowdStrike’s applicable security controls.

ANTI-MALWARE TESTING STANDARDS ORGANIZATION (AMTSO)

CrowdStrike is a registered Vendor Member of the Anti-Malware Testing Standards Organization. AMTSO's mission is to help improve business conditions related to the development, use, testing and rating of anti-malware products and solutions.

  • As a vendor member, CrowdStrike contributes to the development of standards for testing anti-malware products.
  • CrowdStrike participates in tests that adhere to the anti-malware testing standards created by AMTSO. For example, the CrowdStrike Machine Learning Engine was certified by AMTSO Testing Member SE Labs.

VPAT

CrowdStrike is committed to complying with relevant government standards and compliance controls. This commitment is reflected in the importance we place on understanding, implementing and maintaining ongoing compliance with these standards for ALL individuals that access and consume our services.

  • CrowdStrike has created a Voluntary Product Accessibility Template (VPAT) in accordance with Section 508 of the Rehabilitation Act of 1973.
  • The Voluntary Product Accessibility Template (VPAT) for the Falcon Platform is available on request to customers and prospective customers.

General Data Protection Regulation (GDPR)

CrowdStrike adheres to GDPR requirements for the proper handling of personal data processed through its offerings. Moreover, CrowdStrike’s offerings can be leveraged as a compliance asset for customers seeking to meet GDPR’s security requirements.

Statement Against Modern Slavery

CrowdStrike has a zero-tolerance approach to any form of modern slavery, human trafficking, or other forced or child labor. CrowdStrike fully supports the elimination of human trafficking, modern slavery, and other forced or child labor from the supply chain, and is committed to complying with the United Kingdom’s Modern Slavery Act 2015.