CrowdStrike - Compliance and Certification
HELPING YOU MEET YOUR REGULATORY NEEDS
CrowdStrike recognizes that compliance and certification frameworks are critical to your organization. CrowdStrike can help you meet these requirements, providing you with confidence regarding the safe, smooth and compliant operation of your business. External validation and accreditation are critically important to organizations that rely on CrowdStrike’s capabilities and technology to secure their data and comply with regulatory requirements.
PCI DSS V3.2
This report was produced by Coalfire, a PCI Qualified Security Assessor (QSA), and outlines CrowdStrike Falcon®'s functionality with respect to PCI DSS v3.2. In summary:
- CrowdStrike Falcon® meets all elements of requirement No. 5: "Protect all systems against malware and regularly update antivirus software or programs."
- In addition, CrowdStrike Falcon® provides assistance with meeting four additional PCI requirements.
Cybersecurity Maturity Model Certification (CMMC)
CMMC was created to help mature the protection of the Defense Industrial Base, the supply chain of the U.S. Department of Defense. CrowdStrike solutions can help customers prepare for compliance up to and including Level 5.
- CrowdStrike products and services help address 118 of the 171 CMMC requirements.
- CrowdStrike’s modular subscription capabilities allow organizations to leverage as little or as much as they require to meet the Department of Defense’s demands.
Federal Risk and Authorization Management Program (FedRAMP)
CrowdStrike Falcon® on GovCloud is authorized under the Federal Risk and Authorization Management Program (FedRAMP). CrowdStrike’s Authorization to Operate (ATO) at the Moderate Impact Level from the U.S. Department of Commerce’s International Trade Administration (ITA) supports the federal government’s efforts to modernize IT and streamline operations with cloud computing by addressing the need for comprehensive endpoint protection delivered via the cloud. CrowdStrike seeks to make this process easy for federal entities through FedRAMP authorization.
Criminal Justice Information Services (CJIS)
Criminal Justice Information Services (CJIS) compliance is important for law enforcement institutions and vendors who interact with sensitive Criminal Justice Information. The CJIS Security Policy describes controls to protect wireless networking, data encryption, remote access, personnel and more. CrowdStrike can support CJIS in states that have executed a CJIS Security Agreement with CrowdStrike in GovCloud. Please contact your sales team for more information.
EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
In addition to adhering to post-Schrems II lawful transfer mechanisms, as detailed in our data protection agreement, CrowdStrike continues to participate in and has certified compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. CrowdStrike is committed to subjecting personal information received from the European Economic Area (EEA), the United Kingdom, and Switzerland in reliance on each Privacy Shield Framework to that Framework’s applicable Principles.
- CrowdStrike complies with GDPR requirements for the proper handling of personal data collected and stored in the CrowdStrike Falcon® platform.
- CrowdStrike offers platform and cloud security, intelligence subscription services, professional services, and more to organizations looking to achieve GDPR compliance.
Health Insurance Portability and Accountability Act (HIPAA)
This report, produced by leading HIPAA compliance assessor Coalfire, outlines how CrowdStrike Falcon® can be used to address the security requirements of HIPAA (Health Insurance Portability and Accountability Act), including specific privacy rules for organizations implementing HIPAA.
In summary, the report shows:
- CrowdStrike Falcon® has been independently validated to assist healthcare organizations in achieving compliance with HIPAA.
- CrowdStrike Falcon® was identified as addressing eight separate key HIPAA technical requirements.
NIST SP 800-53 REV. 4
This report, produced by leading compliance assessor Coalfire, outlines how CrowdStrike Falcon® can assist organizations in their compliance efforts with respect to the National Institute of Standards and Technology (NIST). NIST Special Publication 800-53 Revision 4 is a security control standard that provides guidelines for selecting technical, physical, and operational security controls for components of an information system that processes, stores, or transmits federal information. In summary, the report shows:
- CrowdStrike Falcon® is a suitable solution for addressing the system protection and monitoring controls identified in NIST SP 800-53 Rev. 4.
- CrowdStrike Falcon® helps implementing organizations with eight separate NIST control families, covering 23 separate controls.
Federal Financial Institutions Examination Council (FFIEC)
This report, produced by leading compliance assessor Coalfire, outlines how CrowdStrike Falcon® can assist organizations in their compliance efforts with respect to the Federal Financial Institutions Examination Council (FFIEC). This framework defines baseline technical, physical, and operational security controls necessary for protecting customer financial information. CrowdStrike’s Falcon platform was evaluated against the 2016 release of the FFIEC IT Examiner’s Handbook for Information Security, a document that provides guidance for examiners auditing financial institutions to determine the level of security risk to the institution’s information systems. In summary, the report shows:
- CrowdStrike Falcon®’s capabilities in detecting and responding to threats, together with the associated collection of endpoint activity data, make it a suitable solution for addressing the system protection and monitoring controls required for FFIEC compliance.
- CrowdStrike Falcon® provides support for achieving five FFIEC objectives, addressing 17 controls within those objectives.
NSA National Security Cyber Assistance Program (NSCAP) Accreditation
This accreditation from the National Security Agency signifies that CrowdStrike has been evaluated and certified in critical focus areas derived from industry and government best practices for cybersecurity investigation.
- CrowdStrike is one of only 12 organizations accredited by the National Security Agency under the National Security Cyber Assistance Program (NSCAP) for Cyber Incident Response Assistance (CIRA).
SERVICE ORGANIZATION CONTROL 2 (SOC 2®)
This attestation addresses a service organization’s controls relevant to security, availability, processing integrity, confidentiality or privacy.
- CrowdStrike is compliant with Service Organization Control 2 standards and provides its CrowdStrike Falcon® customers with a SOC 2® report.
- The Type 2 report addresses the suitability of design and the operating effectiveness of the controls.
AV COMPARATIVES TESTING
AV-Comparatives is a leading vendor-independent organization offering systematic testing that checks whether security software lives up to its promises and claims. AV-Comparatives asked CrowdStrike to participate in its first-ever public comparative test report of next-generation security products. In summary, the test report shows:
- CrowdStrike Falcon® received the first ever ‘Approved NextGen Security’ award.
- CrowdStrike Falcon® was the only tested endpoint solution to achieve 100% detection efficacy on all exploits used in the testing.
- CrowdStrike Falcon® scored a range of 98 to 99.2% detection efficacy with zero false positives on three separate malware tests performed by AV-Comparatives.
CLOUD SECURITY ALLIANCE (CSA) SECURITY, TRUST, & ASSURANCE REGISTRY (STAR) ATTESTATION
The CSA STAR Attestation is positioned as Level 2 of the Open Certification Framework and involves a third party assessing the security of a cloud service provider using a combination of the SOC 2 framework and additional cloud provider-specific criteria.
- CrowdStrike’s controls related to customer data and its internal controls have been verified by an independent third-party attestation, and CrowdStrike maintains a full STAR attestation. This attestation is re-evaluated on an annual basis.
- The current CSA STAR attestation is included as part of a combined SOC 2 and CSA STAR report, which addresses the suitability of design and operating effectiveness of CrowdStrike’s applicable security controls.
ANTI-MALWARE TESTING STANDARDS ORGANIZATION (AMTSO)
CrowdStrike is a registered Vendor Member of the Anti-Malware Testing Standards Organization. AMTSO's mission is to help improve business conditions related to the development, use, testing and rating of anti-malware products and solutions.
- As a vendor member, CrowdStrike contributes to the development of standards for testing anti-malware products.
- CrowdStrike participates in tests that adhere to the anti-malware testing standards created by AMTSO. For example, the CrowdStrike Machine Learning Engine was certified by AMTSO Testing Member SE Labs.
Section 508 Accessibility
CrowdStrike is committed to complying with relevant government standards and compliance controls. This commitment is reflected in the importance we place on understanding, implementing and maintaining ongoing compliance with these standards for ALL individuals that access and consume our services.
- CrowdStrike has created a Voluntary Product Accessibility Template (VPAT) in accordance with Section 508 of the Rehabilitation Act of 1973.
- The Voluntary Product Accessibility Template (VPAT) for the Falcon Platform is available on request to customers and prospective customers.
General Data Protection Regulation (GDPR)
CrowdStrike adheres to GDPR requirements for the proper handling of personal data processed through its offerings. Moreover, CrowdStrike’s offerings can be leveraged as a compliance asset for customers seeking to meet GDPR’s security requirements.
Statement Against Modern Slavery
CrowdStrike has a zero-tolerance approach to any form of modern slavery, human trafficking, or other forced or child labor. CrowdStrike fully supports the elimination of human trafficking, modern slavery, or other forced or child labor, from the supply chain, and wishes to comply with the United Kingdom’s Modern Slavery Act of 2015.