Certifications and Compliance

Adherence to technology certifications and industry compliance is critical to maintaining a robust and stalwart security profile. Because of this, FireEye is dedicated to ensuring its security products and technologies meet or exceed critical industry certifications and compliance requirements.

Certifications

ISO 27001

As one of the highest internationally recognized standards for information security, this certification covers every aspect of people, process and systems security. The scope of the ISO/IEC 27001:2013 certification is limited to the information security management system (ISMS) supporting FireEye Email Security Cloud Edition, and is in accordance with the statement of applicability, dated June 11, 2018. The in-scope infrastructure is housed at data centers located in EMEA (Europe) and North America; colocation and cloud hosting services are not included in the scope of the ISMS.

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP enables Agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT. This certification includes the expanded boundary of FireEye Email Security (ETP-GOV), which includes the company’s proprietary AVAS module, including antivirus, anti-spam and impersonation detection capabilities.

SOC 2 – Service Organization and Controls

FireEye undergoes an annual independent third-party SSAE 18 audit using the criteria set forth in the American Institute of Certified Public Accountants (AICPA) Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®), assessing the suitability of the design and operating effectiveness of controls for the security, availability, and confidentiality principles set forth in the Trust Services Principles, TSP section 100A. FireEye can provide users with a business need a report of its compliance (SOC 2 Type II report) for the offerings listed below; the report includes a description of the FireEye controls environment, the external audit result, and the auditor's opinion of FireEye’s controls against the AICPA Trust Services Security, Availability, and Confidentiality Principles and Criteria.

  • FireEye Dynamic Threat Intelligence Cloud
  • FireEye Email Security Cloud Edition
  • FireEye Managed Defense
  • FireEye Cloud Multi-Vector Virtual Execution (MVX)
  • FireEye Endpoint Security Cloud

SAFETY Act

The SAFETY Act provides incentives for the development and deployment of anti-terrorism technologies by creating a system of "risk management" and a system of "litigation management." The purpose of the Act is to ensure that the threat of liability does not deter potential manufacturers or sellers of anti-terrorism technologies from developing and commercializing technologies that could save lives. FireEye provides the Multi-Vector Virtual Execution (“MVX”) Engine and Cloud Services, which is offered as a security platform to protect customers from malware. By executing suspicious content in a virtual machine environment, FireEye MVX technology analyzes software for malicious code and behaviors. Updates to the software are shared with customers via FireEye's cloud service.

Compliance

PCI DSS V3.2 - Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard, administered by the PCI Security Standards Council, that’s designed to encourage and enhance cardholder data security and promote the adoption of consistent data security measures around the technical and operational components related to cardholder data.

FireEye engages a Qualified Security Assessor (“QSA”) company to conduct an annual audit against the eligible criteria of the PCI Self-Assessment Questionnaire for Service Providers (SAQ-D) and has successfully received an Attestation of Compliance (AoC) covering its FireEye Managed Defense services.

EU-U.S. Privacy Shield, and the Swiss-U.S. Privacy Shield

FireEye complies with the requirements of the EU-U.S. Privacy Shield Framework, and the Swiss-U.S. Privacy Shield Framework, as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. FireEye adheres to the Privacy Shield Principles of notice, choice, onward transfer, security, data integrity and purpose limitation, access and recourse, enforcement and liability with respect to all personal information transferred from the EU or Switzerland to the US within the scope of its Privacy Shield certification.

NIST 800-171

National Institute of Standards and Technology Special Publication 800-171 was released in June 2015. It focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in non-federal information systems and organizations and defines security requirements to achieve that objective. FireEye has undergone a self-assessment that confirmed compliance with NIST 800-171 controls. FireEye continually evaluates compliance with NIST 800-171.