Compliance and certifications

Externally validated and accredited, the CrowdStrike Falcon® platform elevates your cybersecurity posture
and helps you meet regulatory mandates with confidence.

Products and services to build compliance

Gain peace of mind and unparalleled support with the power of the Falcon platform. Externally validated and accredited, our cybersecurity technology and solutions are trusted to safeguard thousands of organizations' data and help them adhere to the strictest regulatory mandates.


CrowdStrike compliance and certifications

Standards and certifications from independent assessments or self-attested evaluations.

PCI DSS v4

This report by Coalfire, a PCI Qualified Security Assessor (QSA), outlines the Falcon platform's functionality with respect to PCI DSS v4. The platform meets all elements of Requirement 5: "Protect all systems against malware and regularly update antivirus software or programs." In addition, the Falcon platform provides assistance with meeting four additional PCI requirements. CrowdStrike provides a PCI DSS AOC for its customers.

SOC 2

CrowdStrike is compliant with Service Organization Control 2 standards and provides Falcon platform customers with a SOC 2® report. The Type 2 report addresses the suitability of design and the operating effectiveness of the controls. This attestation addresses a service organization's controls relevant to security, availability, processing integrity, confidentiality, or privacy.

CSA STAR

The Falcon platform holds both Security, Trust, Assurance, and Risk (STAR) Level 1 and STAR Level 2 listings in the CSA STAR public registry. CSA STAR Level 2 requires a third-party independent audit of CrowdStrike's implementation of the CSA Cloud Controls Matrix (CCM) version 4.0.

FedRAMP

The Falcon platform is authorized under the Federal Risk and Authorization Management Program (FedRAMP). In addition, CrowdStrike has achieved FedRAMP® High-Impact Level Ready status from the Joint Authorization Board (JAB).

DoD IL5

The Falcon platform has been granted Provisional Authorizations (PA) by DISA, meeting compliance with DoD standards to operate at and up to Impact Level 5 (IL5). This authorization allows DoD agencies and supporting organizations to use CrowdStrike without having to spend additional time and effort vetting and approving the necessary security controls.

VPAT

CrowdStrike has created a Voluntary Product Accessibility Template (VPAT) in accordance with Section 508 of the Rehabilitation Act of 1973. The VPAT for the Falcon platform is available on request to customers and validates our relentless commitment to helping our customers meet and exceed compliance standards.

Spain ENS High (EDR)

The Falcon platform is certified in the Spanish National Cryptologic Center (CCN) STIC Products and Services Catalog (CPSTIC) at the 'high' level. CrowdStrike is the only modern endpoint security platform with the highest achievable level of accreditation possible. This new designation covers both the antivirus/endpoint protection platform (EPP) and EDR categories.

UK Cyber Essentials

CrowdStrike is fully compliant with the UK Cyber Essentials (CE) scheme, a testament to our commitment to our customers in the UK. Our Cyber Essentials certification demonstrates our dedication to implementing fundamental security controls and measures, ensuring the protection of our systems and the sensitive data they hold.

TISAX

CrowdStrike has been independently assessed and is registered to the Trust Information Security Assessment Exchange (TISAX) — administered and governed by the ENX Association.
TISAX and TISAX results are not intended for the general public. For more information, refer to the ENX Portal:
- Scope ID: SY936H
- Assessment ID: AM1KZ4-1

Germany Cloud Computing Compliance Controls Catalog (C5)

CrowdStrike's Falcon platform adheres to stringent requirements set by the German Federal Office for Information Security (BSI), providing data encryption, access controls, and comprehensive incident response capabilities. Our compliance with C5 ensures that German organizations can rely on CrowdStrike to meet rigorous security criteria, enhancing their cybersecurity posture and protecting sensitive information.

IRAP

CrowdStrike was successfully assessed under the Information Security Registered Assessors Program (IRAP), demonstrating and reinforcing our commitment to safeguarding data and networks governed by the Australian government. Our IRAP compliance signifies that CrowdStrike has been rigorously tested against the Australian Government Information Security Manual (ISM) standards.

ISO/IEC 27001:2022

CrowdStrike has been independently assessed and certified to the new ISO/IEC 27001:2022 standard, which reflects our commitment to safeguarding information, managing risks effectively, and adhering to global security standards.

Customer Compliance Programs

Regulations, Standards and Certifications that CrowdStrike products support for customer compliance programs.


CJIS

The Criminal Justice Information Services (CJIS) Security Policy describes controls to protect wireless networking, data encryption, remote access, personnel and more. CrowdStrike can support CJIS in states that have executed a CJIS Security Agreement with CrowdStrike in GovCloud.

CMMC

The Falcon platform provides significant support for the CMMC 2.0 program, its objectives, and requirements. The Falcon platform supplies strong support for up to 11 of the 17 CMMC 2.0 Level 1 requirements and 80 of the 110 CMMC 2.0 Level 2 requirements. Read this report to learn how.

FFIEC

This Coalfire report shows how the Falcon platform supports compliance with the Federal Financial Institutions Examination Council (FFIEC). The Falcon platform was evaluated as a suitable solution to address system protection and monitoring controls required for FFIEC compliance and provides support to achieve five FFIEC objectives, addressing 17 controls within those objectives.

HIPAA

In this Coalfire report, the Falcon platform was verified as addressing eight key Health Insurance Portability and Accountability Act (HIPAA) technical requirements and has been independently validated to assist healthcare organizations in achieving HIPAA compliance.

NSA-CIRA

This accreditation from the National Security Agency (NSA) signifies that CrowdStrike has been certified in critical focus areas derived from industry and government best practices for cybersecurity investigation. CrowdStrike is one of only 12 organizations accredited by the NSA for National Security Cyber Assistance Program (NSCAP) Cyber Incident Response Assistance (CIRA).

NIST 800-53

This Coalfire report validates the Falcon platform as a suitable solution for addressing the system protection and monitoring controls identified in the National Institute of Standards and Technology (NIST) SP 800-53 Rev. 4 and shows that the platform helps customers implement eight separate NIST control families, covering 23 separate controls.

NIST 800-171

CrowdStrike supports customer compliance needs pertaining to CMMC (and NIST 800-171) through the features provided by the Falcon platform. Read our CMMC white paper for more details.

UK NHS DSPT

CrowdStrike complies with the NHS Data Security and Protection Toolkit (DSPT), affirming our dedication to the highest standards of data security within the UK NHS sector. Designed with security and privacy in mind, our products and services offer reliable protection to our customers within the NHS.

Data Privacy Frameworks

CrowdStrike is certified under the EU-U.S. Data Privacy Framework, the UK Extension to it, and the Swiss-U.S. Data Privacy Framework. This certification means that CrowdStrike complies with the Frameworks’ Principles when processing personal information. Learn more and view our certification.

EU and UK General Data Protection Regulation (GDPR)

CrowdStrike adheres to the EU’s and UK’s General Data Protection Regulation (GDPR) requirements for the proper handling of personal information processed through its offerings and provides its customers with a Global Data Protection Agreement that meets GDPR requirements.

UK - NCSC Cyber Assessment Framework (CAF)

CrowdStrike is fully aligned with the UK NCSC Cyber Assessment Framework (CAF), demonstrating our comprehensive approach to cyber resilience and security for the UK public sector organizations. Our alignment with the NCSC CAF signifies how CrowdStrike products and services can be leveraged to support UK organizations to systematically assess and manage cyber risks.

UK - NCSC 14 Cloud Principles

CrowdStrike's alignment with the NCSC 14 Cloud Security Principles ensures that a comprehensive security foundation and corresponding security measures are embedded throughout the CrowdStrike Falcon® Cloud Security solution. Our rigorous adherence to strict security controls enables a cybersecurity platform that is unparalleled across the industry.

UK G-Cloud

CrowdStrike is included in the UK Government's G-Cloud framework, enhancing the digital security landscape for UK public sector organizations. Our inclusion reflects our compliance with rigorous government standards and our ability to offer cutting-edge solutions to our UK customers.

Asia-Pacific Economic Cooperation (APEC) Privacy Recognition for Processor (PRP)

CrowdStrike participates in the APEC PRP system, which provides a framework that helps CrowdStrike assist its customers in meeting relevant privacy compliance obligations and ensures the protection of personal information transferred among participating APEC economies. The status of CrowdStrike's PRP certification can be checked in the APEC PRP directory.

For organizations interested in additional CrowdStrike compliance documentation, please visit the CrowdStrike Trust Center.

This information is not legal advice and should not be interpreted as such. Consult with your own legal counsel to determine your regulatory obligations and assess the effectiveness of your compliance programs. CrowdStrike products and services are not compliance solutions but are tools that can support your compliance programs.